240 likes | 401 Views
POW. Proofs of Work (POWs) and Bread Pudding Protocols. with Markus Jakobsson Bell Laboratories. Ari Juels RSA Laboratories. Prover. Verifier. w = g e. c. s = cx +e. Cryptography: About proofs of mathematical relations. g s =y c w?. Some proofs. Proof of Identity.
E N D
POW Proofs of Work (POWs) and Bread Pudding Protocols with Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories
Prover Verifier w = ge c s = cx +e Cryptography: About proofs of mathematical relations gs=ycw?
Some proofs Proof of Identity = Cryptographic Authentication Protocol
Some proofs Proof of Authorization (Signed Document) = Digital signature
1 ounce sweat = 1 hour of work Proof of work? We can make precise in cryptographic world
Prover Verifier POW Query Response Proof of work (POW) Prover did at least 106 cycles of work
Prover Verifier t = h(s) [k bits] s Example of a POW (Hash inversion) random secret s Prover computed an expected 2k-1hashes
POW POW Service Request What are POWs good for? • Spam deterrent (DN94), “Hash cash” • Defense against denial-of-service attacks (JB99)
POW Query Response What are POWs good for? • Benchmarking Server Client
Breadpudding • Idea: Re-use the ``stale’’ computation in a POW to perform useful task • Achieve privacy in useful task • Example: Hash inversion POW for distributed MicroMint
MicroMint Want a scheme that mimics economics of physical mint • Verifying validity of a coin is easy • Base minting cost is high so... • Forgery is expensive
The minting process • .Throw balls into bins using “random” function h • . Any bin with two balls is a coin
Minting in MicroMint h Collision = Coin Bin 1 Bin 3 Bin 2 Bin 4 Bin 5 Bin 6 Bin 9 Bin 7 Bin 8
Checking a coin h Valid coin? Bin 2
Features • Many bins, so need to throw many balls to mint successfully • Minting requires very intensive computation
Minting requires special, e.g., $250,000 computer “Deep Crack”
Another characteristic: Most balls are invalid h Bin 1 Bin 3 Bin 2 Bin 4 Bin 5 Bin 6 Bin 9 Bin 7 Bin 8 In fact, >99% of work goes to missed balls!
Idea: Make three stage process • . Create “valid” balls, i.e., balls that won’t miss (>99% of work) • . Throw balls into bins using “random” function h (<1% of work) • . Any bin with two balls is a coin
Now... • 99%+ of work is done for minter • No participant will get enough balls to do minting himself/herself (or else participants know “validity”h but not “throwing”h) • Minting is cheap for minter!
+ Questions? ?