Ari Juels RSA Laboratories

Proofs of Work (POWs) and Bread Pudding Protocols

with Markus Jakobsson Bell Laboratories

Cryptography: About proofs of mathematical relations

w = ge

c

s = cx +egs=ycw?

Prover Verifier

Some proofs

Proof of Identity

= Cryptographic Authentication Protocol

Some proofs

Proof of Authorization (Signed Document)

= Digital signature

Proof of work?

We can make precise in cryptographic world

1 ounce sweat = 1 hour of work

Proof of work (POW)

Prover Verifier

Query

Response

Prover did at least

106 cycles of work

Example of a POW (Hash inversion)

Prover Verifier

t = h(s) [k bits]

Prover computed an

expected 2k-1 hashes

random secret s

s

What are POWs good for? Spam deterrent (DN94), “Hash cash”

Defense against denial-of-service attacks (JB99)

Service Request

What are POWs good for? Benchmarking

Server

Query

ResponseClient

Formal notion of POW

Breadpudding

Idea: Re-use the ``stale’’ computation in a POW to perform useful task

Achieve privacy in useful task Example: Hash inversion POW for distributed MicroMint

MicroMint

Want a scheme that mimics economics of physical mint

Verifying validity of a coin is easy Base minting cost is high so... Forgery is expensive

The minting process

. Throw balls into bins using “random” function h

. Any bin with two balls is a coin

Minting in MicroMint

Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9

Collision = Coin

h

Checking a coin

Bin 2

h

Valid coin?

Features

Many bins, so need to throw many balls to mint successfully

Minting requires very intensive computation

Minting requires special, e.g., $250,000 computer

“Deep Crack”

Another characteristic: Most balls are invalid

Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9

h

In fact, >99% of work goes to missed balls!

Idea: Make three stage process

. Create “valid” balls, i.e., balls that won’t miss (>99% of work)

. Throw balls into bins using “random” function h (<1% of work)

. Any bin with two balls is a coin

Have many other (untrusted) people do Step 1

Now...

99%+ of work is done for minter No participant will get enough balls

to do minting himself/herself (or else participants know “validity” h but not

“throwing” h) Minting is cheap for minter!

Minter can use ordinary server

Questions?

+?