后量子世界中顺序工作证明的安全性研究

Jeremiah Blocki, Seunghoon Lee, Samson Zhou
{"title":"后量子世界中顺序工作证明的安全性研究","authors":"Jeremiah Blocki, Seunghoon Lee, Samson Zhou","doi":"10.4230/LIPIcs.ITC.2021.22","DOIUrl":null,"url":null,"abstract":"A proof of sequential work allows a prover to convince a resource-bounded verifier that the prover invested a substantial amount of sequential time to perform some underlying computation. Proofs of sequential work have many applications including time-stamping, blockchain design, and universally verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the first construction of proofs of sequential work in the random oracle model though the construction relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and Pietrzak (EUROCRYPT 2018) gave a more efficient construction that does not require depth-robust graphs. In each of these constructions, the prover commits to a labeling of a directed acyclic graph $G$ with $N$ nodes and the verifier audits the prover by checking that a small subset of labels are locally consistent, e.g., $L_v = H(L_{v_1},\\ldots,L_{v_\\delta})$, where $v_1,\\ldots,v_\\delta$ denote the parents of node $v$. Provided that the graph $G$ has certain structural properties (e.g., depth-robustness), the prover must produce a long $\\mathcal{H}$-sequence to pass the audit with non-negligible probability. An $\\mathcal{H}$-sequence $x_0,x_1\\ldots x_T$ has the property that $H(x_i)$ is a substring of $x_{i+1}$ for each $i$, i.e., we can find strings $a_i,b_i$ such that $x_{i+1} = a_i \\cdot H(x_i) \\cdot b_i$. In the parallel random oracle model, it is straightforward to argue that any attacker running in sequential time $T-1$ will fail to produce an $\\mathcal{H}$-sequence of length $T$ except with negligible probability -- even if the attacker submits large batches of random oracle queries in each round. (See the paper for the full abstract.)","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"1 1","pages":"22:1-22:27"},"PeriodicalIF":0.0000,"publicationDate":"2020-06-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":"{\"title\":\"On the Security of Proofs of Sequential Work in a Post-Quantum World\",\"authors\":\"Jeremiah Blocki, Seunghoon Lee, Samson Zhou\",\"doi\":\"10.4230/LIPIcs.ITC.2021.22\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"A proof of sequential work allows a prover to convince a resource-bounded verifier that the prover invested a substantial amount of sequential time to perform some underlying computation. Proofs of sequential work have many applications including time-stamping, blockchain design, and universally verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the first construction of proofs of sequential work in the random oracle model though the construction relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and Pietrzak (EUROCRYPT 2018) gave a more efficient construction that does not require depth-robust graphs. In each of these constructions, the prover commits to a labeling of a directed acyclic graph $G$ with $N$ nodes and the verifier audits the prover by checking that a small subset of labels are locally consistent, e.g., $L_v = H(L_{v_1},\\\\ldots,L_{v_\\\\delta})$, where $v_1,\\\\ldots,v_\\\\delta$ denote the parents of node $v$. Provided that the graph $G$ has certain structural properties (e.g., depth-robustness), the prover must produce a long $\\\\mathcal{H}$-sequence to pass the audit with non-negligible probability. An $\\\\mathcal{H}$-sequence $x_0,x_1\\\\ldots x_T$ has the property that $H(x_i)$ is a substring of $x_{i+1}$ for each $i$, i.e., we can find strings $a_i,b_i$ such that $x_{i+1} = a_i \\\\cdot H(x_i) \\\\cdot b_i$. In the parallel random oracle model, it is straightforward to argue that any attacker running in sequential time $T-1$ will fail to produce an $\\\\mathcal{H}$-sequence of length $T$ except with negligible probability -- even if the attacker submits large batches of random oracle queries in each round. (See the paper for the full abstract.)\",\"PeriodicalId\":6403,\"journal\":{\"name\":\"2007 IEEE International Test Conference\",\"volume\":\"1 1\",\"pages\":\"22:1-22:27\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-06-19\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"16\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2007 IEEE International Test Conference\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.4230/LIPIcs.ITC.2021.22\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE International Test Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.4230/LIPIcs.ITC.2021.22","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 16

摘要

顺序工作的证明允许证明者说服资源有限的验证者,证明者投入了大量的顺序时间来执行一些底层计算。顺序工作的证明有许多应用,包括时间戳、区块链设计和普遍可验证的CPU基准测试。Mahmoody, Moran和Vadhan (ITCS 2013)给出了随机oracle模型中顺序工作证明的第一个构造,尽管该构造依赖于昂贵的深度鲁棒图。在最近的一项突破中,Cohen和Pietrzak (EUROCRYPT 2018)给出了一种更有效的构造,不需要深度鲁棒图。在每一个结构中,证明者提交一个有向无环图$G$的标记,有$N$个节点,验证者通过检查标签的一个小子集是否在局部一致来审计证明者,例如,$L_v = H(L_{v_1},\ldots,L_{v_\delta})$,其中$v_1,\ldots,v_\delta$表示节点$v$的父节点。假设图$G$具有一定的结构性质(例如,深度鲁棒性),证明者必须产生一个长$\mathcal{H}$-序列才能以不可忽略的概率通过审计。$\mathcal{H}$-sequence $x_0,x_1\ldots x_T$具有$H(x_i)$是$x_{i+1}$对于每个$i$的子字符串的性质,即,我们可以找到$a_i,b_i$这样的字符串$x_{i+1} = a_i \cdot H(x_i) \cdot b_i$。在并行随机oracle模型中,可以直接认为,任何在顺序时间$T-1$运行的攻击者都无法产生长度$T$的$\mathcal{H}$-序列,除非概率可以忽略不计——即使攻击者在每轮中提交大量随机oracle查询。(查看全文摘要)
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
On the Security of Proofs of Sequential Work in a Post-Quantum World
A proof of sequential work allows a prover to convince a resource-bounded verifier that the prover invested a substantial amount of sequential time to perform some underlying computation. Proofs of sequential work have many applications including time-stamping, blockchain design, and universally verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the first construction of proofs of sequential work in the random oracle model though the construction relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and Pietrzak (EUROCRYPT 2018) gave a more efficient construction that does not require depth-robust graphs. In each of these constructions, the prover commits to a labeling of a directed acyclic graph $G$ with $N$ nodes and the verifier audits the prover by checking that a small subset of labels are locally consistent, e.g., $L_v = H(L_{v_1},\ldots,L_{v_\delta})$, where $v_1,\ldots,v_\delta$ denote the parents of node $v$. Provided that the graph $G$ has certain structural properties (e.g., depth-robustness), the prover must produce a long $\mathcal{H}$-sequence to pass the audit with non-negligible probability. An $\mathcal{H}$-sequence $x_0,x_1\ldots x_T$ has the property that $H(x_i)$ is a substring of $x_{i+1}$ for each $i$, i.e., we can find strings $a_i,b_i$ such that $x_{i+1} = a_i \cdot H(x_i) \cdot b_i$. In the parallel random oracle model, it is straightforward to argue that any attacker running in sequential time $T-1$ will fail to produce an $\mathcal{H}$-sequence of length $T$ except with negligible probability -- even if the attacker submits large batches of random oracle queries in each round. (See the paper for the full abstract.)
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Csirmaz's Duality Conjecture and Threshold Secret Sharing Online Mergers and Applications to Registration-Based Encryption and Accumulators Exponential Correlated Randomness Is Necessary in Communication-Optimal Perfectly Secure Two-Party Computation The Cost of Statistical Security in Proofs for Repeated Squaring Tight Estimate of the Local Leakage Resilience of the Additive Secret-Sharing Scheme & Its Consequences
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1