Designing Proofs of Human Work for Cryptocurrency and Beyond

Slides:

Advertisements

Similar presentations

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Advertisements

Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

CIS 5371 Cryptography 3b. Pseudorandomness.

Digital Signatures and Hash Functions. Digital Signatures.

Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Computability and Complexity 13-1 Computability and Complexity Andrei Bulatov The Class NP.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Complexity and Cryptography

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.

Human Computable Passwords

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

(Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi

1 CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindel Introduction to Modern Cryptography.

Ragesh Jaiswal Indian Institute of Technology Delhi Threshold Direct Product Theorems: a survey.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

1 Reasoning about Concrete Security in Protocol Proofs A. Datta, J.Y. Halpern, J.C. Mitchell, R. Pucella, A. Roy.

Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme

On Constructing Parallel Pseudorandom Generators from One-Way Functions Emanuele Viola Harvard University June 2005.

Identity based signature schemes by using pairings Parshuram Budhathoki Department of Mathematical Science FAU 02/21/2013 Cyber Security Seminar, FAU.

Based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University.

1 4.1 Hash Functions and Data Integrity A cryptographic hash function can provide assurance of data integrity. ex: Bob can verify if y = h K (x) h is a.

Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007.

多媒體網路安全實驗室 Variations of Diffie-Hellman Problem Proceedings of ICICS 2003, LNCS 2836, Springer-Verlag, 2003, pp. 301–312 Feng Bao, Robert H. Deng, Huafei.

Pseudorandomness: New Results and Applications Emanuele Viola IAS April 2007.

Proofs of Space Stefan Dziembowski Symposium on the Work of Ivan Damgård April 1, 2016, Aarhus, Denmark Sebastian Faust Vladimir Kolmogorov Krzysztof Pietrzak.

Block Chain 101 May 2017.

Topic 36: Zero-Knowledge Proofs

Towards Human Computable Passwords

On the Size of Pairing-based Non-interactive Arguments

Attacking Data Independent Memory Hard Functions

Cryptographic Hash Function

Bitcoin - a distributed virtual currency system

TCC 2016-B Composable Security in the Tamper-Proof Hardware Model under Minimal Complexity Carmit Hazay Bar-Ilan University, Israel Antigoni Ourania.

MPC and Verifiable Computation on Committed Data

Zero Knowledge Anupam Datta CMU Fall 2017

Efficient Public-Key Distance Bounding

Topic 14: Random Oracle Model, Hashing Applications

Human Computable Passwords

Digital Signature Schemes and the Random Oracle Model

Cryptographic Hash Functions Part I

Background: Lattices and the Learning-with-Errors problem

Topic 5: Constructing Secure Encryption Schemes

Cryptography Lecture 19.

Digital Signature Schemes and the Random Oracle Model

Topic 7: Pseudorandom Functions and CPA-Security

Vadim Lyubashevsky IBM Research -- Zurich

Hash Functions Motivation Hash Functions: collision, pre-images SHA-1

Fiat-Shamir for Highly Sound Protocols is Instantiable

Cryptographic Hash Functions Part I

Cryptography Lecture 4.

Cryptography Lecture 8.

Cryptography Lecture 14.

Topic 13: Message Authentication Code

Kai Bu 04 Blockchain Kai Bu

One Way Functions Motivation Complexity Theory Review, Motivation

Impossibility of SNARGs

Faculty Seminar Series Blockchain Technology

Cryptography Lecture 15.

Presentation transcript:

Designing Proofs of Human Work for Cryptocurrency and Beyond Jeremiah Blocki (Purdue) Hong-Sheng Zhou (VCU) TCC 2016 B

Designing Proofs of Human Work for Cryptocurrency and Beyond

Proofs of Work (PoW) [DN92] Fight Spam Mitigate Sybil Attacks Distributed Consensus Cryptocurrency Honest Parties control 51% of work-capacity

Hashcash Proof of Work Public Challenge: x Goal: Find nonce s s.t H(x,s)= 0 𝜔 ______ 𝐏𝐫 𝒔 First 𝜔 bits of H 𝒙,𝒔 are zero = 𝟏 𝟐 𝜔 SHA256

Hashcash Proof of Work Honest Party: m hashes 𝐏𝐫 𝑆𝑜𝑙𝑣𝑒𝑑 = 1− 1− 1 2 𝜔 𝑚 ≈ 𝑚 2 𝜔 Desirable Features No Shortcuts to create PoW Efficient Verification without Interaction Tunable Hardness Parameter 𝜔

Undesirable Features: Environment Energy Intensive

Undesirable Features: Inequitable Cost(SHA256) varies by a factor of 106

Bitcoin currency could have been destroyed by '51%' attack ... www.theguardian.com › Technology › Bitcoin Bitcoin currency could have been destroyed by '51% ... mining pool Ghash.io controlled 51% of all the processing power being used to perform the calculations that ...

Designing Proofs of Human Work for Cryptocurrency and Beyond

Proof of Human Work Convincing non-interactive proof that a human invested effort to validate some string x “Create Account: _____” “Authenticate: ____” “Validate Transaction: _____” Verifiable by computer without human effort Sounds a bit like a CAPTCHA…

CAPTCHAs Convincing non-interactive proof that a human invested effort to validate some string x Create Account: username Answer: KWTER Random bits Answer: KWTER CAPTCHA

CAPTCHAs Convincing non-interactive proof that a human invested effort to validate some string x Create Account: username Random bits Answer: KWTER Answer: KWTER CAPTCHA

Proof of Human Work (PoH) Usability: Honest Human can produce PoH with probability ≈ 𝑚 2 𝜔 by investing human work units Security: Adversary with m human work units cannot do better Efficient Verification without Human Breeding humans with super-CAPTCHA solving powers is a bit more difficult

PoH Advantages M A N Equitable: Eco-Friendly We conjecture, but do not prove, that it is difficult to breed humans with superhuman CAPTCHA solving ability… Unlike Bitcoin solving a PoH does not require massive electircity consumption

Waste of Human Effort? Fun CAPTCHAs/Educational CAPTCHAs Maybe we are wasting human effort instead of electricity? NEW (July 19, 2016): Humans won the 2016 Man vs Machine Challenge. Now that Go is solved, Angry Birds is the next big AI Challenge! (Source: www.aibirds.org)

Construction requires iO PoH in Practice ????? ????? Construction requires iO

Our PoH Construction: Assumptions Crypto: iO, OWF, Random Oracles iO+OWF  Universal Samplers in the Random Oracle Model [Hofheinz et al. ASIACRYPT 2016] AI: Any (known) adversary with m human work units and n random CAPTCHAs z1,…,zn (n > m) can solve at most m CAPTCHAs with high probability Even if puzzle zi includes hash of solution ai + SHA1(CAPTCHA) = 2d91cbf686b351676576ac028972d6cfd03500fe

Will we ever have secure/practical iO construction? Is the AI assumption valid?

Hardness-amplification theorem Weakly-verifiable puzzle system, Z=(G,V) Let e, n be functions of security parameter n polynomially bounded [Thm] If Z is e-hard then Zn is en-hard i.e., is no efficient S solves Z better than e+negl, then no efficient S solves Zn better than en+negl 100 character CAPTCHA could be acceptable for HumanCoin since solution to each puzzle is just a lottery ticket Slide Credit: Hardness Amplification of Weakly-Verifiable Puzzles[CHS]

Key Tool: Universal Sampler [Hofheinz et al. 2016] d( R 𝑑,𝛽 ) R 𝑑,𝛽 =F(d,𝛽) Circuit: d 𝜷 𝑈𝑛𝑘𝑛𝑜𝑤𝑛 R 𝑑,𝛽 𝑇𝑟𝑢𝑠𝑡𝑒𝑑 𝑃𝑎𝑟𝑡𝑦 Univ.Sample 𝐼𝑑𝑒𝑎𝑙 𝑊𝑜𝑟𝑙𝑑:𝐹 𝑖𝑠 𝑡𝑟𝑢𝑙𝑦 𝑟𝑎𝑛𝑑𝑜𝑚

Key Tool: Universal Sampler Setup Input: 1 𝜆 (e.g., size of crypo keys) and Output: U (e.g., an obfuscated program) Sample Input: U, d, 𝛽 d a polynomial size circuit 𝛽 randomness index Output: 𝑑 𝑟 𝛽 Ideal World: Secret random string chosen once and for all for each given 𝛽

Universal Sampler [Hofheinz et al. 2016] Construction in Random Oracle Model Crypto Assumptions: iO + OWF Random Oracle not queried inside iO Adaptive Security “delayed backdoor programming” via Random Oracle

PoH Construction Circuit d Instance: x Nonce: s 𝛽=(x,s) d Sample U OWF(KWTER) Answer: KWTER d 𝛽=(x,s) r Sample CAPTCHA r U Random Oracle Circuit d d( R 𝑑,𝛽 )

PoH Construction Instance: x Goal: Find nonce s and answer a such that 1. (Z,h)  Sample(U,d, 𝛽=(x,s)), 2. h=H(a) and 3. SHA256(x,s,a) = 0 𝜔 ______ (tunable hardness) Automatic Verification: Just check above

Security Reduction Main Theorem: Blackbox reduction transforms any ppt algorithm breaking PoH security into a ppt algorithm breaking CAPTCHA security. (Assuming security of Universal Sampler) Statement about human ignorance

PoH for Password Storage X=“Authenticate: jblocki, 123456” Answer: KWTER Username jblocki Salt 89d978034a3f6 Hash 1f88ecdcb0c25e8ae1ed1c9ce6f2e2e6dcfb0e21 x +H(KWTER) SHA1(123456KWTER89d978034a3f6)=1f88ecdcb0c25e8ae1ed1c9ce6f2e2e6dcfb0e21 Universal Sampler CAPTCHA

Security Analysis Thm (Informal): If UNI is adaptively secure universal sampler and CAPT is computer uncrackable CAPTCHA then password authentication scheme is costly to crack. Costly to Crack: An adversary with m human work units can crack users password with probability at most 𝜆 𝑚 = 𝑖=1 𝑚 𝑝 𝑖 +𝑛𝑒𝑔𝑙𝑖𝑔𝑖𝑏𝑙𝑒

Security Analysis Standard CAPTCHA assumption: Adversary not given hashes answers to puzzles. Thm (Informal): If UNI is adaptively secure universal sampler and CAPT is computer uncrackable CAPTCHA then password authentication scheme is costly to crack. Costly to Crack: An adversary with m `human work units’ can crack users password with probability at most 𝜆 𝑚 = 𝑖=1 𝑚 𝑝 𝑖 +𝑛𝑒𝑔𝑙𝑖𝑔𝑖𝑏𝑙𝑒

Security Analysis Standard CAPTCHA assumption: Adversary not given hashes answers to puzzles. Thm (Informal): If UNI is adaptively secure universal sampler and CAPT is computer uncrackable CAPTCHA then password authentication scheme is costly to crack. Costly to Crack: An adversary with m `human work units’ can crack users password with probability at most 𝜆 𝑚 = 𝑖=1 𝑚 𝑝 𝑖 +𝑛𝑒𝑔𝑙𝑖𝑔𝑖𝑏𝑙𝑒 ** Actually show blackbox reduction from ppt adversary breaking security of password scheme to ppt adversary breaking CAPTCHA security

PoH for E-mails Answer: KWTER E-mail: x x +H(KWTER) Universal Sampler CAPTCHA x Universal Sampler CAPTCHA

Future Challenges Make iO efficient again For targeted applications? What other applications are possible? How could efficient obfuscation shape human-computer interaction?

Thanks for Listening