Limits on the security of coin flips when half the processors are faulty. STOC '86 Proceedings of the eighteenth annual ACM symposium on Theory of computing.
How to prove yourself: practical solutions to identification and signature problems. Proceedings on Advances in cryptology, CRYPTO '86.
A note on efficient zero-knowledge proofs and arguments (extended abstract). STOC '92 Proceedings of the twenty-fourth annual ACM symposium on Theory of computing.
Random oracles are practical: a paradigm for designing efficient protocols. CCS '93 Proceedings of the 1st ACM conference on Computer and communications security.
One-way accumulators: a decentralized alternative to digital signatures. EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology.
Rigorous Time/Space Trade-offs for Inverting Functions. SIAM Journal on Computing.
Improving the Availability of Time-Stamping Services. ACISP '01 Proceedings of the 6th Australasian Conference on Information Security and Privacy.
CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology.
Pricing via Processing or Combatting Junk Mail. CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology.
Time-Stamping with Binary Linking Schemes. CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology.
Optimally Efficient Accountable Time-Stamping. PKC '00 Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography.
Entropy waves, the zig-zag graph product, and new constant-degree expanders and extractors. FOCS '00 Proceedings of the 41st Annual Symposium on Foundations of Computer Science.
Time-lock Puzzles and Timed-release Crypto.
On the (In)security of the Fiat-Shamir Paradigm. FOCS '03 Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science.
The random oracle methodology, revisited. Journal of the ACM (JACM).
SFCS '83 Proceedings of the 24th Annual Symposium on Foundations of Computer Science.
Non-interactive Timestamping in the Bounded-Storage Model. Journal of Cryptology.
Universal Arguments and their Applications. SIAM Journal on Computing.
Toward non-parallelizable client puzzles. CANS '07 Proceedings of the 6th international conference on Cryptology and network security.
Are PCPs Inherent in Efficient Arguments? Computational Complexity, selected papers from the 24th Annual IEEE Conference on Computational Complexity (CCC 2009).
Time space tradeoffs for attacks against one-way functions and PRGs. CRYPTO '10 Proceedings of the 30th annual conference on Advances in cryptology.
Low-cost client puzzles based on modular exponentiation. ESORICS '10 Proceedings of the 15th European conference on Research in computer security.
Offline Submission with RSA Time-Lock Puzzles. CIT '10 Proceedings of the 2010 10th IEEE International Conference on Computer and Information Technology.
Time-lock puzzles in the random oracle model. CRYPTO '11 Proceedings of the 31st annual conference on Advances in cryptology.
Non-Parallelizable and Non-Interactive Client Puzzles from Modular Square Roots. ARES '11 Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security.
CRYPTO '05 Proceedings of the 25th annual international conference on Advances in Cryptology.
A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory.
We construct a publicly verifiable protocol for proving computational work based on collision-resistant hash functions and a new plausible complexity assumption regarding the existence of "inherently sequential" hash functions. Our protocol is based on a novel construction of time-lock puzzles. Given a sampled "puzzle" $P \gets_R D_n$, where $n$ is the security parameter and $D_n$ is the distribution of the puzzles, a corresponding "solution" can be generated using $N$ evaluations of the sequential hash function, where $N > n$ is another parameter, while any feasible adversarial strategy for generating valid solutions must take at least as much time as $\Omega(N)$ serial evaluations of the hash function after receiving $P$. Thus, valid solutions constitute a "proof" that $\Omega(N)$ parallel time has elapsed since $P$ was received. Solutions can be publicly and efficiently verified in time $\mathrm{poly}(n) \cdot \mathrm{polylog}(N)$. Applications of these "time-lock puzzles" include non-interactive timestamping of documents (where the distribution over the possible documents corresponds to the puzzle distribution $D_n$) and universally verifiable CPU benchmarks. Our construction is secure in the standard model under complexity assumptions (collision-resistant hash functions and inherently sequential hash functions), and makes black-box use of the underlying primitives. Consequently, the corresponding construction in the random oracle model is secure unconditionally. Moreover, as it is a public-coin protocol, it can be made non-interactive in the random oracle model using the Fiat-Shamir heuristic. Our construction makes a novel use of "depth-robust" directed acyclic graphs, ones whose depth remains large even after removing a constant fraction of vertices, which were previously studied for the purpose of complexity lower bounds.
The construction bypasses a recent lower-bound of Mahmoody, Moran, and Vadhan (CRYPTO '11) for time-lock puzzles in the random oracle model, which showed that it is impossible to have time-lock puzzles like ours in the random oracle model if the puzzle generator also computes a solution together with the puzzle.
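A toy version of the puzzle, solution and verification flow the abstract describes, added here as an illustration and not the paper's own construction: the prover does N serial hash evaluations, commits to all intermediate labels with a Merkle tree, and opens a few Fiat-Shamir-chosen steps so the verifier spends only O(k log N) hashes. A plain hash chain stands in for the depth-robust DAG labelling, so this toy lacks the paper's robustness bound against adversaries that skip a constant fraction of steps; the function names and the use of SHA-256 are assumptions.

```python
import hashlib
# Added illustration, not the paper's construction: a hash chain stands in for the
# depth-robust DAG labelling, so this toy lacks the paper's robustness bound.
def H(*parts: bytes) -> bytes:  # stand-in for the sequential hash; SHA-256 is an assumption
    return hashlib.sha256(b"|".join(parts)).digest()

def merkle_levels(leaves):  # level 0 = leaves; len(leaves) must be a power of two
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def merkle_path(levels, idx):  # sibling hashes from leaf idx up to the root
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])
        idx //= 2
    return path

def merkle_verify(root, leaf, idx, path):
    h = leaf
    for sib in path:
        h = H(sib, h) if idx & 1 else H(h, sib)
        idx //= 2
    return h == root

def challenges(root, n, k):  # public-coin challenges derived from the commitment (Fiat-Shamir), in 1..n-1
    return [1 + int.from_bytes(H(root, str(j).encode()), "big") % (n - 1) for j in range(k)]

def solve(P, n, k):  # prover: n serial hash evaluations, then a Merkle commitment and k openings
    labels = [H(P, b"0")]
    for i in range(1, n):
        labels.append(H(P, str(i).encode(), labels[i - 1]))  # step i depends on step i-1
    levels = merkle_levels(labels)
    root = levels[-1][0]
    openings = [(i, labels[i], merkle_path(levels, i), labels[i - 1], merkle_path(levels, i - 1))
                for i in challenges(root, n, k)]
    return root, openings

def verify(P, n, k, root, openings):  # verifier: O(k log n) hashes, independent of the n serial steps
    if [o[0] for o in openings] != challenges(root, n, k):
        return False
    for i, lab, path, prev, prev_path in openings:
        if not (merkle_verify(root, lab, i, path) and merkle_verify(root, prev, i - 1, prev_path)):
            return False
        if lab != H(P, str(i).encode(), prev):  # local consistency of the chain step
            return False
    return True
```

Because the challenge indices are derived from the commitment itself, a solver cannot choose which steps it will be asked to open, which is what lets the interactive public-coin protocol become a single non-interactive proof.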