Date posted: 23-Dec-2015
Ari Juels RSA Laboratories
Proofs of Work (POWs) and Bread Pudding Protocols
with Markus Jakobsson Bell Laboratories
Cryptography: About proofs of mathematical relations
Prover → Verifier: $w = g^e$
Verifier → Prover: $c$
Prover → Verifier: $s = cx + e$
Verifier checks: $g^s = y^c w$?
Some proofs
Proof of Identity
= Cryptographic Authentication Protocol
Some proofs
Proof of Authorization (Signed Document)
= Digital signature
Proof of work?
We can make this precise in the cryptographic world
1 ounce sweat = 1 hour of work
Proof of work (POW)
Prover Verifier
Query
Response
Prover did at least $10^6$ cycles of work
Example of a POW (Hash inversion)
Prover Verifier
Verifier: random secret s
Verifier → Prover: t = h(s) [k bits]
Prover → Verifier: s
Prover computed an expected $2^{k-1}$ hashes
What are POWs good for?
Spam deterrent (DN94), “Hash cash”
Defense against denial-of-service attacks (JB99)
Service Request
What are POWs good for?
Benchmarking
Server
Query
Response
Client
Formal notion of POW
Bread pudding
Idea: Re-use the “stale” computation in a POW to perform a useful task
Achieve privacy in the useful task
Example: Hash inversion POW for distributed MicroMint
MicroMint
Want a scheme that mimics economics of physical mint
Verifying validity of a coin is easy
Base minting cost is high so...
Forgery is expensive
The minting process
1. Throw balls into bins using “random” function h
2. Any bin with two balls is a coin
Minting in MicroMint
Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9
Collision = Coin
h
Checking a coin
Bin 2
h
Valid coin?
Features
Many bins, so need to throw many balls to mint successfully
Minting requires very intensive computation
Minting requires special, e.g., $250,000 computer
“Deep Crack”
Another characteristic: Most balls are invalid
Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9
h
In fact, >99% of work goes to missed balls!
Idea: Make it a three-stage process
1. Create “valid” balls, i.e., balls that won’t miss (>99% of work)
2. Throw balls into bins using “random” function h (<1% of work)
3. Any bin with two balls is a coin
Have many other (untrusted) people do Step 1
Now...
99%+ of work is done for minter
No participant will get enough balls to do minting himself/herself (or else participants know “validity” h but not “throwing” h)
Minting is cheap for minter!
Minter can use ordinary server
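The three-stage split above as a toy sketch. This is an added example, not code from the slides or from the authors. It assumes SHA-256 with a leading-zero-bits rule as the public “validity” h, HMAC-SHA-256 under a minter-held key as the “throwing” h, and toy sizes; all function names are hypothetical.

```python
import hashlib
import hmac
from collections import defaultdict

VALID_BITS = 8   # toy difficulty: a valid ball has 8 leading zero bits (assumed rule)
BIN_BITS = 4     # toy mint with 2**4 = 16 bins

def is_valid(ball: bytes) -> bool:
    """Public "validity" h: anyone, including untrusted workers, can evaluate it."""
    digest = hashlib.sha256(b"valid|" + ball).digest()
    return int.from_bytes(digest, "big") >> (256 - VALID_BITS) == 0

def throw(key: bytes, ball: bytes) -> int:
    """Secret "throwing" h: bin index, computable only with the minter's key."""
    digest = hmac.new(key, ball, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - BIN_BITS)

def find_valid_balls(worker_id: int, count: int):
    """Step 1, done by a worker: search for balls that will not miss."""
    balls, hashes, counter = [], 0, 0
    while len(balls) < count:
        ball = b"%d:%d" % (worker_id, counter)
        counter += 1
        hashes += 1
        if is_valid(ball):
            balls.append(ball)
    return balls, hashes   # hashes is about count * 2**VALID_BITS

def mint(key: bytes, balls):
    """Steps 2 and 3, done by the minter: throw balls, two in a bin is a coin."""
    bins = defaultdict(list)
    for ball in set(balls):            # drop duplicate submissions
        if is_valid(ball):             # one hash re-checks the worker's POW
            bins[throw(key, ball)].append(ball)
    return [(b, *sorted(v)[:2]) for b, v in sorted(bins.items()) if len(v) >= 2]

def check_coin(key: bytes, coin) -> bool:
    """A coin is two distinct valid balls that land in the same bin."""
    bin_no, x1, x2 = coin
    return (x1 != x2 and is_valid(x1) and is_valid(x2)
            and throw(key, x1) == bin_no == throw(key, x2))

if __name__ == "__main__":
    key = b"constructed-demo-key"      # constructed sample secret
    balls, worker_hashes = find_valid_balls(worker_id=1, count=20)
    coins = mint(key, balls)
    minter_hashes = 2 * len(balls)     # one validity check + one throw per ball
    share = worker_hashes / (worker_hashes + minter_hashes)
    print(f"{len(coins)} coins, worker did {share:.1%} of the hashing")
```

In this sketch checking a coin needs the throwing key; how and when the minter releases it is not covered by the slides.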
Questions?