• Pay-Per-Use Services
[Figure: NIZKs in the CRS model: a Common Reference String generated by a trusted party; the prover outputs a proof 𝜋]
• Our Result
• NIZKs from NIWIs using blockchain
One-Time Programs [GoldwasserKalaiRothblum08]
[Figure: a one-time program for f evaluated on input x returns f(x); a second evaluation on another input y returns ⟂]
OTPs: Prior Work
[Figure: a one-time compiler takes a function f and outputs a one-time program for f]
• Our Result
• OTPs from extractable-WE using blockchain
Outline
[Figure: many parties running a distributed consensus protocol]
What are Blockchains?
[Figure: a chain of blocks; each block consists of a "Header" and "Records", and the header links the block to the previous block]
Applications: Cryptocurrencies
• Decentralized, no trusted server
[Figure: a central trusted authority, versus a public ledger maintained by all parties]
[Figure: the ledger "Records" and the "Stake" held by each party]
How to Generate New Blocks?
• Block generation is like an election or a puzzle-solving race
• Different ideologies:
  • Proof-Of-Work (POW): solve moderately hard "puzzles"
  • Proof-Of-Stake (POS)
  • …
[Figure: the chains held by different parties agree on a common prefix; only the last ≤ ℓ blocks may be inconsistent]
Existing Properties [GarayKiayiasLeonardos15, PassSeemanShelat16]
[Figure: chain consistency and chain quality, illustrated on the last blocks of the honest parties' chains]
Stake-based properties:
[Figure: the last blocks contribute a stake fraction ≥ 𝛽]
• (𝛼, ℓ)-Bounded Stake Forking
• (𝛼, 𝛽, ℓ)-Distinguishable Forking, with 𝛼 < 𝛽
[Figure: a fork whose blocks have stake fraction ≥ 𝛽]
Connecting to Existing Notions
Theorem. (Informal) If a blockchain protocol satisfies the chain consistency and chain quality properties, then it also satisfies the sufficient (honest-)stake contribution, bounded stake forking, and distinguishable forking properties.
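A toy model of the chain properties named above, added here as an example (it is not part of the talk). A chain is a list of `Block` records whose header field `prev` links each block to its predecessor, and `stakes` maps each party to its stake; `consistent` checks chain consistency up to the last ℓ blocks, and `long_high_stake_fork` checks the "long valid fork with high stake fraction" condition that the NIZK construction later uses as its second disjunct. Block ids, producers and stake values are constructed sample data built by `demo_chains`; β is passed as the integer pair `beta_num/beta_den` to avoid float rounding.

```python
"""Toy chain-consistency and fork-stake checks (added example, not from the talk)."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Block:
    id: str        # hypothetical block identifier (stands in for a block hash)
    prev: str      # header link to the previous block's id
    producer: str  # party whose key generated this block


def well_formed(chain):
    """Header of every block after the first must link to its predecessor."""
    return all(chain[i].prev == chain[i - 1].id for i in range(1, len(chain)))


def common_prefix_len(a, b):
    """Length of the longest common prefix of two chains (the fork point)."""
    n = 0
    for x, y in zip(a, b):
        if x.id != y.id:
            break
        n += 1
    return n


def consistent(a, b, ell):
    """Chain consistency: two chains agree except in at most their last ell blocks."""
    p = common_prefix_len(a, b)
    return len(a) - p <= ell and len(b) - p <= ell


def fork_stake_fraction(main, fork, stakes):
    """Fraction of total stake held by the distinct producers of the forked suffix."""
    p = common_prefix_len(main, fork)
    producers = {blk.producer for blk in fork[p:]}
    return Fraction(sum(stakes[q] for q in producers), sum(stakes.values()))


def long_high_stake_fork(main, fork, stakes, ell, beta_num, beta_den):
    """A well-formed fork of more than ell blocks whose producers hold stake
    fraction >= beta_num/beta_den: the event bounded stake forking rules out."""
    p = common_prefix_len(main, fork)
    return (well_formed(fork)
            and len(fork) - p > ell
            and fork_stake_fraction(main, fork, stakes) >= Fraction(beta_num, beta_den))


def demo_chains():
    """Constructed sample: four stakeholders, a main chain and a competing fork."""
    stakes = {"A": 40, "B": 30, "C": 20, "D": 10}
    prefix = [Block("g", "", "A"), Block("b1", "g", "B"), Block("b2", "b1", "C")]
    main = prefix + [Block("b3", "b2", "A"), Block("b4", "b3", "D")]
    fork = prefix + [Block("f3", "b2", "A"), Block("f4", "f3", "A"), Block("f5", "f4", "B")]
    return main, fork, stakes


if __name__ == "__main__":
    main, fork, stakes = demo_chains()
    print("consistent up to 3 blocks:", consistent(main, fork, 3))
    print("fork stake fraction:", fork_stake_fraction(main, fork, stakes))
    print("long fork with stake >= 3/5 at ell=2:",
          long_high_stake_fork(main, fork, stakes, 2, 3, 5))
```

In the sample the fork diverges for three blocks produced by A and B, so it violates consistency for ℓ = 2 but not ℓ = 3, and its producers hold 70% of the stake.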
NIZKs: Intuition
• Feige-Lapidot-Shamir (FLS) paradigm
• The prover proves that either the statement is true OR it knows a long valid fork w.r.t. the blockchain
[Figure: for statement x ∈ L the prover shows "Either I know w such that (x, w) ∈ R_L, OR I know a long valid fork with very high stake fraction w.r.t. the blockchain"]
NIZKs: Outline
Statement x ∈ L, witness w s.t. (x, w) ∈ R_L
• Compute c1 ← Com(w)
• Compute c2 ← Com(0)
• NIWI.Prove: c1 commits to a valid witness OR c2 commits to a valid fork
Zero-Knowledge
• The simulator controls the honest parties, thus their keys
• It generates a valid fork privately
Soundness
• Need extraction, but there is no CRS!?
NIZKs: Share and Conquer
Statement x ∈ L, witness w s.t. (x, w) ∈ R_L
• Extract all public key and stake info from the blockchain: party A with (𝑝𝑘_A, 𝑠𝑡𝑎𝑘𝑒_A), …
• Use the stakes as weights in a weighted threshold secret sharing
• Encrypt each party's shares under its public key
• Commit: w → 𝑐1
• Share and Encrypt: fork (= 0 for the honest prover) → {𝑐𝑡_𝑖}
• NIWI.Prove: 𝑐1 commits to a valid witness OR {𝑐𝑡_𝑖} reconstruct to a valid fork with high stake fraction
Soundness
• If the adversary proves a false statement, the fork can be extracted from {𝑐𝑡_𝑖} and reconstructed
• This breaks the bounded stake forking property
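The weighted threshold secret sharing behind the Share and Conquer step, written out as an added example (it is not code from the talk). Shamir sharing over the field GF(P): a party with stake s receives s shares, and the threshold is t = ⌈β · total_stake⌉ shares, so exactly the coalitions holding stake fraction ≥ β = beta_num/beta_den can reconstruct; any smaller coalition is refused. The encryption of each party's shares to its public key and the NIWI over the ciphertexts are not implemented here. P, the stake table and the shared value are constructed.

```python
"""Stake-weighted Shamir secret sharing (added example, not from the talk)."""
import secrets

P = 2**127 - 1  # prime field modulus (assumption: the shared value is < P)


def _poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod P (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def weighted_share(secret, stakes, beta_num, beta_den):
    """Return (t, shares): shares[party] is a list of stakes[party] points (x, f(x))
    on a random polynomial of degree t-1 with f(0) = secret, t = ceil(beta * total)."""
    total = sum(stakes.values())
    t = -(-beta_num * total // beta_den)  # ceiling division, no floats
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares, x = {}, 1  # x-coordinates 1..total, disjoint ranges per party
    for party, weight in stakes.items():
        shares[party] = [(x + j, _poly_eval(coeffs, x + j)) for j in range(weight)]
        x += weight
    return t, shares


def reconstruct(points, t):
    """Lagrange-interpolate f(0) from at least t distinct points; refuse otherwise."""
    pts = list(dict.fromkeys(points))[:t]
    if len(pts) < t:
        raise ValueError(f"coalition holds {len(pts)} shares, threshold is {t}")
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def coalition_shares(shares, parties):
    """Pool the shares held by a coalition (e.g. the keys an extractor controls)."""
    return [pt for party in parties for pt in shares[party]]


if __name__ == "__main__":
    stakes = {"A": 40, "B": 30, "C": 20, "D": 10}   # constructed stake table
    fork = int.from_bytes(b"fork", "big")            # stands in for the fork encoding
    t, shares = weighted_share(fork, stakes, 3, 5)   # beta = 3/5, so t = 60 shares
    print("A+B (stake 70):", reconstruct(coalition_shares(shares, ["A", "B"]), t) == fork)
    try:
        reconstruct(coalition_shares(shares, ["B", "C"]), t)  # stake 50 < 60
    except ValueError as e:
        print("B+C refused:", e)
```

Giving a party one share per unit of stake is the simplest weighted scheme; it is why the proof size grows with the number of parties (and total stake), which the next slide addresses by restricting to the last ℓ blocks.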
NIZKs: Challenges, Fixes and More
• Proof size ∝ # of parties
  • Encrypt to the last ℓ blocks only
  • Needs sufficient honest-stake contribution
• Inconsistent sharing due to small forks etc.
  • Prune the last few blocks …
• Different stake bounds on adversary, simulator and extractor
• Can be made an Argument of Knowledge
  • Share and encrypt the witness
• ...
Result 1
Theorem. (Informal)
Compilation
[Figure: garble circuit C into a garbled circuit G with input-wire key pairs (w_{i,0}, w_{i,1}); prior work places the key pairs in hardware, here each key pair is witness-encrypted into encrypted key pairs (ct_{i,0}, ct_{i,1})]
OTPs: Outline
[Figure: garbling compilation of C gives the garbled circuit G plus WE-encrypted key pairs (ct_{i,0}, ct_{i,1})]
Theorem. (Informal)