Presentation is loading. Please wait.

Presentation is loading. Please wait.

Proofs of Space Stefan Dziembowski Symposium on the Work of Ivan Damgård April 1, 2016, Aarhus, Denmark Sebastian Faust Vladimir Kolmogorov Krzysztof Pietrzak.

Published byDonna Black Modified over 8 years ago

Similar presentations

Presentation on theme: "Proofs of Space Stefan Dziembowski Symposium on the Work of Ivan Damgård April 1, 2016, Aarhus, Denmark Sebastian Faust Vladimir Kolmogorov Krzysztof Pietrzak."— Presentation transcript:

1 Proofs of Space Stefan Dziembowski Symposium on the Work of Ivan Damgård April 1, 2016, Aarhus, Denmark Sebastian Faust Vladimir Kolmogorov Krzysztof Pietrzak

2 General idea We introduce Proofs of Space – a type of a “proof of effort”, where the “effort” is measured in terms of “wasted memory” (an alternative to Proofs of Work). We introduce Proofs of Space – a type of a “proof of effort”, where the “effort” is measured in terms of “wasted memory” (an alternative to Proofs of Work).

3 Proofs of Work – a tool for dealing with the Sybil attacks Sybil attack example: 1 identity many identities

4 Proofs of work Introduced by Dwork and Naor [Crypto 1992] as a countermeasure against spam. Basic idea: Force users to do some computational work: solve a moderately difficult “puzzle” (checking correctness of the solution has to be fast)

5 How are the PoWs used? verifer prover fast slow

6 Applications of PoWs 1.Cloud computing services 2.Preventing denial of service attacks 3.Cryptocurrencies...

7 How to measure computational difficulty? Original method of Dwork and Naor: number of computing steps. Some later works [ABW03, DGN03, DNW05]: number of times the memory is accessed.

8 A drawback of PoW systems costs money bad for environment 1. high energy consumption 2.advantage for people with dedicated hardware

9 What to do? This problem seems unavoidable: The only way to prove that one “invested a lot of computing power” is to do a lot of computation. What is the other resource that we could use? Proofs of Space (PoS): instead of CPU use disk space!

10 Example of an application Goal: prevent malicious users from opening lots of fake accounts. Method: force each account owner to “waste” large part of his local space. Important: the space needs to be allocated as long as the user uses the service. cloud computing service (e.g. email system)

11 Main difference from PoWs To prove that one wasted n CPU cycles one needs to perform these cycles. while: To prove that one wasted n bytes one does not need touch all of them.

12 Advantages more energy-efficient no “hardware acceleration” cheaper (user can devote their unused disk space)

13 The security definition

14 How to measure time and space

15 verify prove R R... prove verify prover’s memory verifer prover

16 How to define security of a PoS Properties: completeness, soundness, and efficiency. If the prover is honest then the verifier will always accept the proof. less trivial to define

17 How to define the efficiency? Let us show a very simple (but not efficient) PoS. Note: we have not defined the security yet, so it’s just an “informal example”.

18 A “trivial PoS” R R random

19 Efficiency verifierprover We require that the computing time of the parties is as follows:

20 How to define soundness? Informally: we want to force a cheating prover to constantly waste a lot of memory.

21 What would be the goal of a cheating prover? verify prove... Init(Id) proof verify prove

22 Observation: a cheating prover has a simple (but inefficient) winning strategy. Init(Id) X X answer by simulating expand by simulating R R proof X X Moral: we need to restrict the power of a cheating prover. Moral: we need to restrict the power of a cheating prover.

23 Restrictions on cheating prover

24 In our paper:

25 Security definition P()

26 The constructions

27 Why is constructing the PoS schemes non- trivial? Time-memory tradeoffs  R R X X R R For example:

28 Our main technique 1 1 2 2 3 3 4 4 5 5

29 Very informally A graph that is bad if it can be “quickly” labeled if one stores a “small” number of labels. Example of a bad graph: 1 1 2 2 3 3 N N

30 Our tools

31 How to build a PoS from a good graph?

32 C C

33

34 Our results

35 Spacemint A natural question: how to construct a cryptocurrency based on PoS. Not trivial... A recent paper: Park, Pietrzak, Kwon, Alwen, Fuchsbauer, and Gazi: SpaceMint: A Cryptocurrency Based on Proofs of Space. Cryptology ePrint Archive: Report 2015/528

36 Previous/related/independent work Graph pebbling in context of the Proofs of Work: introduced by Dwork, Naor, and Wee: Pebbling and proofs of work, 2005. Proofs of Secure Erasure introduced by Perito and Tsudik, 2010 other constructions: Karvelas and Kiayias, 2014, and Ateniese, Bonacina, Faonio, and Galesi, 2014. Similar graph techniques (in a context of leakage-resilient crypto): Smith and Zhang, Eprint 2013. A recent paper: Ling Ren and Srinivas Devadas Proof of Space from Stacked Bipartite Graphs, Eprint 2016 weaker notion than the Proofs of Space. Main difference with: lack of two phases. Called “Proofs of Space” there.

37 Thank you!

Download ppt "Proofs of Space Stefan Dziembowski Symposium on the Work of Ivan Damgård April 1, 2016, Aarhus, Denmark Sebastian Faust Vladimir Kolmogorov Krzysztof Pietrzak."

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Cloud Computing Security Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva, Melek Ӧ nen, Pasquale Puzio December 18, 2013 – Sophia-Antipolis, France.

Cloud Computing Security Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva, Melek Ӧ nen, Pasquale Puzio December 18, 2013 – Sophia-Antipolis, France.
Individual Position Slides: Jonathan Katz (University of Maryland) (Apologies I can’t be here in person)

Individual Position Slides: Jonathan Katz (University of Maryland) (Apologies I can’t be here in person)
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw 30.1.2015.

Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
Lecture 40 CSE 331 Dec 11, 2009. Announcements Solutions to HW 10 and graded HW 9 at end of the lecture Review session on Monday: see blog for details.

Lecture 40 CSE 331 Dec 11, Announcements Solutions to HW 10 and graded HW 9 at end of the lecture Review session on Monday: see blog for details.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
CSE331: Introduction to Networks and Security Lecture 36 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 36 Fall 2002.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Similar presentations

Ads by Google