ari juels rsa laboratories proofs of work (pows) and bread pudding protocols with markus jakobsson...
TRANSCRIPT
Ari Juels RSA Laboratories
Proofs of Work (POWs) and Bread Pudding Protocols
with Markus Jakobsson Bell Laboratories
Cryptography: About proofs of mathematical relations
w = ge
c
s = cx +egs=ycw?
Prover Verifier
Some proofs
Proof of Identity
= Cryptographic Authentication Protocol
Some proofs
Proof of Authorization (Signed Document)
= Digital signature
Proof of work?
We can make precise in cryptographic world
1 ounce sweat = 1 hour of work
Proof of work (POW)
Prover Verifier
Query
Response
Prover did at least
106 cycles of work
Example of a POW (Hash inversion)
Prover Verifier
t = h(s) [k bits]
Prover computed an
expected 2k-1 hashes
random secret s
s
What are POWs good for? Spam deterrent (DN94), “Hash cash”
Defense against denial-of-service attacks (JB99)
Service Request
What are POWs good for? Benchmarking
Server
Query
ResponseClient
Formal notion of POW
Breadpudding
Idea: Re-use the ``stale’’ computation in a POW to perform useful task
Achieve privacy in useful task Example: Hash inversion POW for distributed MicroMint
MicroMint
Want a scheme that mimics economics of physical mint
Verifying validity of a coin is easy Base minting cost is high so... Forgery is expensive
The minting process
. Throw balls into bins using “random” function h
. Any bin with two balls is a coin
Minting in MicroMint
Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9
Collision = Coin
h
Checking a coin
Bin 2
h
Valid coin?
Features
Many bins, so need to throw many balls to mint successfully
Minting requires very intensive computation
Minting requires special, e.g., $250,000 computer
“Deep Crack”
Another characteristic: Most balls are invalid
Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9
h
In fact, >99% of work goes to missed balls!
Idea: Make three stage process
. Create “valid” balls, i.e., balls that won’t miss (>99% of work)
. Throw balls into bins using “random” function h (<1% of work)
. Any bin with two balls is a coin
Have many other (untrusted) people do Step 1
Now...
99%+ of work is done for minter No participant will get enough balls
to do minting himself/herself (or else participants know “validity” h but not
“throwing” h) Minting is cheap for minter!
Minter can use ordinary server
Questions?
+?