Indistinguishable Proofs of Work or Knowledge

We introduce a new class of protocols called Proofs of Work or Knowledge (PoWorKs). In a PoWorK, a prover can convince a verifier that she has either performed work or that she possesses knowledge of a witness to a public statement, without the verifier being able to distinguish which of the two has taken place. We formalize PoWorK in terms of three properties, completeness, f-soundness and indistinguishability, where f is a function that determines the tightness of the proof-of-work aspect, and present a construction that transforms 3-move HVZK protocols into 3-move public-coin PoWorKs. To formalize the work aspect in a PoWorK protocol we define cryptographic puzzles that adhere to certain uniformity conditions, which may also be of independent interest. We instantiate our puzzles in the random oracle (RO) model as well as by constructing "dense" versions of suitably hard one-way functions. We then showcase PoWorK protocols by presenting a number of applications. We first show how non-interactive PoWorKs can be used to reduce spam email by forcing users sending an e-mail to either prove to the mail server that they are approved contacts of the recipient or to perform computational work. As opposed to previous approaches that applied proofs of work to this problem, our proposal of using PoWorKs is privacy-preserving, as it hides the list of the receiver's approved contacts from the mail server. Our second application shows how PoWorK can be used to compose cryptocurrencies that are based on proofs of work ("Bitcoin-like") with cryptocurrencies that are based on knowledge relations (these include cryptocurrencies based on "proof of stake", and others). The resulting PoWorK-based cryptocurrency inherits the robustness properties of the underlying two systems, while PoWorK-indistinguishability ensures a uniform population of miners. Finally, we show that PoWorK protocols imply straight-line quasi-polynomial simulatable arguments of knowledge and, based on our construction, we obtain an efficient straight-line concurrent 3-move statistically quasi-polynomial simulatable argument of knowledge.
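The following Python toy is an added illustration of the shape of a 3-move public-coin "work or knowledge" protocol; it is not the paper's construction or code. It OR-composes a Schnorr proof of knowledge of a discrete log (the knowledge branch) with a brute-force discrete-log puzzle (the work branch): the verifier's challenge c is split as c = c1 + c2, the Schnorr branch answers c1, and the puzzle instance is derived from c2. A prover who knows the witness chooses the puzzle solution first and inverts the puzzle encoding to fix c2, then answers the Schnorr challenge honestly; a prover without the witness fixes c1 before the challenge, simulates the Schnorr transcript (HVZK), and solves the puzzle that c2 forces on it. The squaring map used as a cheaply invertible, uniformity-preserving puzzle encoding, the tiny safe-prime parameters, and all function names are assumptions of this example.

```python
import secrets

# Constructed toy parameters (NOT secure; chosen so brute force finishes instantly):
# safe prime p = 2q + 1 with p ≡ 3 (mod 4); g generates the order-q subgroup of
# quadratic residues mod p. Challenge shares live in Z_N with N = p - 1.
P, Q, G = 2039, 1019, 4
N = P - 1
assert pow(G, Q, P) == 1 and P % 4 == 3


def keygen():
    """Statement h = g^w with witness w (a discrete-log knowledge relation)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


def encode_puzzle(c2):
    """Map a share c2 in Z_N onto a puzzle instance y in the QR subgroup.
    c2 + 1 ranges over Z_p^* and squaring lands in the subgroup; the map is 2-to-1
    and cheaply invertible, which is what lets a knowledge-prover pick y first."""
    return pow(c2 + 1, 2, P)


def decode_puzzle(y):
    """Uniformly random preimage of y under encode_puzzle (square root, p ≡ 3 mod 4)."""
    root = pow(y, (P + 1) // 4, P)
    root = root if secrets.randbits(1) else P - root
    return root - 1


def solve_puzzle(y):
    """The 'work' branch: brute-force the discrete log of y (about q group operations).
    A real deployment would size the puzzle so solving is costly and verifying is cheap."""
    for x in range(Q):
        if pow(G, x, P) == y:
            return x
    raise ValueError("y is not in the subgroup")


def verify(h, a, c, resp):
    """Public-coin verifier: accepts iff the Schnorr branch holds for c1 AND the puzzle
    derived from c2 = c - c1 is solved. The transcript does not reveal which branch was real."""
    c1, z, soln = resp
    if not 0 <= c1 < N:
        return False
    c2 = (c - c1) % N
    schnorr_ok = pow(G, z, P) == (a * pow(h, c1, P)) % P
    puzzle_ok = pow(G, soln, P) == encode_puzzle(c2)
    return schnorr_ok and puzzle_ok


# Prover who KNOWS the witness: real Schnorr branch, simulated puzzle branch.
def knowledge_commit():
    r = secrets.randbelow(Q)
    return pow(G, r, P), r


def knowledge_respond(w, r, c):
    x = secrets.randbelow(Q)            # choose the puzzle solution first ...
    c2 = decode_puzzle(pow(G, x, P))    # ... then the share that encodes to that puzzle
    c1 = (c - c2) % N
    z = (r + c1 * w) % Q
    return c1, z, x


# Prover who does the WORK: simulated Schnorr branch, real puzzle solving.
def work_commit(h):
    c1 = secrets.randbelow(N)           # fix the Schnorr challenge before seeing c
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(h, -c1, P)) % P   # HVZK simulator: a = g^z * h^(-c1)
    return a, (c1, z)


def work_respond(state, c):
    c1, z = state
    c2 = (c - c1) % N
    return c1, z, solve_puzzle(encode_puzzle(c2))


def run(h, commit, respond):
    """One interactive session with a public-coin challenge; returns (accepted, transcript)."""
    a, state = commit()
    c = secrets.randbelow(N)
    resp = respond(state, c)
    return verify(h, a, c, resp), (a, c, resp)


def extract(t1, t2):
    """Rewinding argument: two accepting transcripts for the same first message and
    different challenges yield either the witness (Schnorr challenges differ mod q)
    or two solved puzzle instances (the prover really did work)."""
    (c, (c1, z, x)), (cp, (c1p, zp, xp)) = t1, t2
    if (c1 - c1p) % Q != 0:
        w = ((z - zp) * pow(c1 - c1p, -1, Q)) % Q
        return "witness", w
    return "work", (encode_puzzle((c - c1) % N), x), (encode_puzzle((cp - c1p) % N), xp)


if __name__ == "__main__":
    w, h = keygen()
    print("knowledge prover accepted:", run(h, knowledge_commit, lambda r, c: knowledge_respond(w, r, c))[0])
    print("work prover accepted:     ", run(h, lambda: work_commit(h), work_respond)[0])
```

Both provers yield transcripts (a, c, (c1, z, soln)) of identical form, and because c2 is uniform over Z_N in both cases (the work prover picks c1 uniformly; the knowledge prover's c2 is a uniform preimage of a uniform subgroup element), the verifier learns nothing about which branch was real. Rewinding the work prover always returns two solved puzzles since its c1 was fixed at commitment time, which is the intuition behind tying soundness to an amount of work.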
