1 / 24

Proofs of Work (POWs) and Bread Pudding Protocols

POW. Proofs of Work (POWs) and Bread Pudding Protocols. with Markus Jakobsson Bell Laboratories. Ari Juels RSA Laboratories. Prover. Verifier. w = g e. c. s = cx +e. Cryptography: About proofs of mathematical relations. g s =y c w?. Some proofs. Proof of Identity.

march
Download Presentation

Proofs of Work (POWs) and Bread Pudding Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. POW Proofs of Work (POWs) and Bread Pudding Protocols with Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories

  2. Prover Verifier w = ge c s = cx +e Cryptography: About proofs of mathematical relations gs=ycw?

  3. Some proofs Proof of Identity = Cryptographic Authentication Protocol

  4. Some proofs Proof of Authorization (Signed Document) = Digital signature

  5. 1 ounce sweat = 1 hour of work Proof of work? We can make precise in cryptographic world

  6. Prover Verifier POW Query Response Proof of work (POW) Prover did at least 106 cycles of work

  7. Prover Verifier t = h(s) [k bits] s Example of a POW (Hash inversion) random secret s Prover computed an expected 2k-1hashes

  8. POW POW Service Request What are POWs good for? • Spam deterrent (DN94), “Hash cash” • Defense against denial-of-service attacks (JB99)

  9. POW Query Response What are POWs good for? • Benchmarking Server Client

  10. Formal notion of POW

  11. Breadpudding • Idea: Re-use the ``stale’’ computation in a POW to perform useful task • Achieve privacy in useful task • Example: Hash inversion POW for distributed MicroMint

  12. MicroMint Want a scheme that mimics economics of physical mint • Verifying validity of a coin is easy • Base minting cost is high so... • Forgery is expensive

  13. The minting process • .Throw balls into bins using “random” function h • . Any bin with two balls is a coin

  14. Minting in MicroMint h Collision = Coin Bin 1 Bin 3 Bin 2 Bin 4 Bin 5 Bin 6 Bin 9 Bin 7 Bin 8

  15. Checking a coin h Valid coin? Bin 2

  16. Features • Many bins, so need to throw many balls to mint successfully • Minting requires very intensive computation

  17. Minting requires special, e.g., $250,000 computer “Deep Crack”

  18. Another characteristic: Most balls are invalid h Bin 1 Bin 3 Bin 2 Bin 4 Bin 5 Bin 6 Bin 9 Bin 7 Bin 8 In fact, >99% of work goes to missed balls!

  19. Idea: Make three stage process • . Create “valid” balls, i.e., balls that won’t miss (>99% of work) • . Throw balls into bins using “random” function h (<1% of work) • . Any bin with two balls is a coin

  20. Have many other (untrusted) people do Step 1

  21. Now... • 99%+ of work is done for minter • No participant will get enough balls to do minting himself/herself (or else participants know “validity”h but not “throwing”h) • Minting is cheap for minter!

  22. Minter can use ordinary server

  23. + Questions? ?

More Related