
Overcoming Cryptographic Impossibility Results using Blockchains
Rishab Goyal, Vipul Goyal


A Change of Perspective
• Blockchains traditionally considered a “cryptographic goal”
  • Way to decentralized digital currency
• Blockchains as a “cryptographic primitive”
  • Way to bypass impossibility results
Results
• Non-Interactive Zero Knowledge (NIZK) w/o CRS
• One-Time Programs (OTPs) w/o hardware assumptions
• Pay-Per-Use Services
• General Framework for using Blockchains
NIZKs [GoldwasserMicaliRackoff89, GoldreichOren94]
[Figure: a Common Reference String generated by a trusted party (in this talk: “Using Blockchains” instead) is shared by prover and verifier. Prover: “I know w such that (x, w) ∈ R_L” and “I don’t want to reveal w”; sends statement x ∈ L and proof 𝜋. Verifier: “Statement must be true”.]
NIZKs [GoldwasserMicaliRackoff89, GoldreichOren94]
• Impossible in the standard model
• Constructed in ROM and CRS
• Our Result
  • NIZKs from NIWIs using blockchain
One-Time Programs [GoldwasserKalaiRothblum08]
• Can only be executed on single input
• Input chosen at run-time
[Figure: the one-time program for f evaluated on input x outputs f(x); a second evaluation on input y outputs ⟂.]
OTPs: Prior Work
[Figure: f → One-Time Compiler → one-time program for f.]
• Prior constructions based on “tamper-proof hardware tokens”
  • Tokens useless after single execution
• Our Result
  • OTPs from extractable-WE using blockchain
Outline

• Part I: Blockchain Overview

• Part II: Framework

• Part III: Applications


Part I:
Blockchain 101
What are Blockchains?
[Figure: many parties each hold a copy of the chain of blocks; Distributed Consensus keeps the copies in agreement.]
What are Blockchains?
[Figure: each block consists of a “Header” (used to connect to the previous block) and “Records”.]
Applications: Cryptocurrencies
• Decentralized, no trusted server
[Figure: a Central Trusted Authority is replaced by a Public Ledger.]
Applications: Cryptocurrencies
[Figure: a record “A transfers 2 coins to B.” signed under SK_A is stored among the “Records” of a block; the coins a party holds are its “Stake”.]
How to Generate New Blocks?
• Block generation is like election/ puzzle-solving race
• Different ideologies
  • Proof-Of-Work (POW): solve moderately hard “puzzles”; vote ∝ compute power
  • Proof-Of-Stake (POS): vote ∝ stake
  • …
Part II:
Our Abstractions and
Definitions
Existing Properties [GarayKiayiasLeonardos15, PassSeemanShelat16]
• Chain Consistency: Honest parties agree on all but last ℓ blocks
[Figure: two honest parties’ chains; only the last ≤ ℓ blocks may be inconsistent.]
• Chain Quality: # of blocks mined by honest parties ∝ to their voting power (any ℓ consecutive blocks)
New POS Specific Abstractions
Defining Stake Fraction
• Measure of combined difficulty of POS puzzles solved
[Figure: four consecutive blocks, mined by A (proved 10% stake), B (proved 5% stake), A (proved 10% stake), C (proved 15% stake).]
• Stake Fraction = 30% (each miner is counted once: A + B + C = 10% + 5% + 15%)
(𝛽, ℓ)-Sufficient Stake Contribution
• Total ‘stake-fraction’ in last ℓ blocks is a (fairly) high fraction (≥ 𝛽)
[Figure: chain whose last ℓ blocks have Stake Fraction ≥ 𝛽.]
(𝛼, ℓ)-Bounded Stake Forking
• No adversary can create a valid fork (length ≥ ℓ) with high stake-fraction (≥ 𝛼)
[Figure: any adversarial fork has Stake Fraction ≤ 𝛼.]
(𝛼, 𝛽, ℓ)-Distinguishable Forking
• Honest chain of blocks can be distinguished from adversarial fork
[Figure: adversarial fork has Stake Fraction ≤ 𝛼, honest chain has Stake Fraction ≥ 𝛽, with 𝜶 < 𝜷.]
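The three abstractions above are decision rules a verifier can actually run over a chain segment. The following is an added example written for this page (it is not code from the paper or the talk): a toy proof-of-stake chain model in which each block records its miner and the stake that miner proved, with the slide's A/B/C blocks reproduced as constructed data. Stake fraction is computed over distinct miners, which is the reading under which the slide's example sums to 30%. The adversary D/E, the thresholds 𝛼 = 15%, 𝛽 = 25%, ℓ = 4, and the modelling assumption that forged blocks can only prove the stake of keys the adversary controls are all assumptions of the example.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Block:
    """One block of a toy proof-of-stake chain (constructed model, not a real protocol)."""
    miner: str          # identity / public key of the party that mined the block
    stake: Fraction     # fraction of total stake this block's POS puzzle proved


def stake_fraction(blocks):
    """Stake fraction of a run of blocks: combined stake of its *distinct* miners.

    A miner who produced several of the blocks is counted once, which is what
    makes the slide's example (A 10%, B 5%, A 10%, C 15%) come out to 30%.
    """
    by_miner = {b.miner: b.stake for b in blocks}
    return sum(by_miner.values(), Fraction(0))


def sufficient_stake_contribution(chain, beta, ell):
    """(beta, ell)-sufficient stake contribution: the last ell blocks prove stake >= beta."""
    return len(chain) >= ell and stake_fraction(chain[-ell:]) >= beta


def best_adversarial_fork(adv_stakes, ell):
    """A fork of length ell signed only with the adversary's own keys.

    Modelling assumption: a block needs its miner's signing key, so an adversary
    can only prove the stake of parties it controls.  Cycling through all of
    them maximises the fork's stake fraction, which therefore stays <= the
    adversary's total stake (bounded stake forking).
    """
    names = sorted(adv_stakes)
    return [Block(names[i % len(names)], adv_stakes[names[i % len(names)]])
            for i in range(ell)]


def looks_honest(segment, alpha, beta, ell):
    """(alpha, beta, ell)-distinguishable forking decision rule (alpha < beta):
    accept a segment of >= ell blocks as honest iff its stake fraction is >= beta.
    Any fork an alpha-bounded adversary can build has fraction <= alpha < beta."""
    if not alpha < beta:
        raise ValueError("distinguishable forking needs alpha < beta")
    return len(segment) >= ell and stake_fraction(segment) >= beta


# Constructed data mirroring the slide: A 10%, B 5%, A 10%, C 15%.
SLIDE_CHAIN = [Block("A", Fraction(10, 100)), Block("B", Fraction(5, 100)),
               Block("A", Fraction(10, 100)), Block("C", Fraction(15, 100))]
# Constructed adversary controlling parties D and E (14% of total stake).
ADVERSARY = {"D": Fraction(8, 100), "E": Fraction(6, 100)}


def demo(ell=4, alpha=Fraction(15, 100), beta=Fraction(25, 100)):
    """Run the checks on the constructed chain and fork; returns the verdicts."""
    fork = best_adversarial_fork(ADVERSARY, ell)
    return {
        "honest_fraction": stake_fraction(SLIDE_CHAIN[-ell:]),
        "fork_fraction": stake_fraction(fork),
        "sufficient": sufficient_stake_contribution(SLIDE_CHAIN, beta, ell),
        "fork_bounded": stake_fraction(fork) <= alpha,
        "honest_accepted": looks_honest(SLIDE_CHAIN[-ell:], alpha, beta, ell),
        "fork_accepted": looks_honest(fork, alpha, beta, ell),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the example makes concrete is the gap 𝜶 < 𝜷: the honest segment clears 𝛽 because several distinct stakeholders mined it, while the adversary, however many blocks it forges, can never push its fork's stake fraction above the stake it actually controls.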
Connecting to Existing Notions

Theorem. (Informal)
If blockchain protocol satisfies chain consistency and quality properties (with suitable parameters and minimal assumptions), then it also satisfies sufficient (honest-)stake contribution, bounded stake forking, and distinguishable forking properties.
Part III:
Applications
Applications

• Non-Interactive Zero Knowledge (NIZK)

• One-Time Programs (OTPs)

• Pay-Per-Use Services
NIZKs: Intuition
• Feige-Lapidot-Shamir (FLS) paradigm
  • Prover proves that either the statement is true ‘OR’ it knows a long valid fork w.r.t. blockchain
[Figure: for statement x ∈ L the prover shows: “Either I know w such that (x, w) ∈ R_L, OR I know a long valid fork with very high stake fraction w.r.t. blockchain”.]
NIZKs: Outline
Statement x ∈ L, witness w s.t. (x, w) ∈ R_L
• Compute c1 ← Com(w)
• Compute c2 ← Com(0)
• NIWI.Prove: (c1 commits to valid witness) OR (c2 commits to valid fork with high stake fraction)

Zero-Knowledge
• Simulator controls honest parties, thus their keys
• Generates a valid fork privately
• Uses fork as witness

Soundness
• Need extraction, but no CRS!?
NIZKs: Share and Conquer
Statement x ∈ L, witness w s.t. (x, w) ∈ R_L
• Extract all public key and stake info from the blockchain (party A: pk_A, stake_A; party B: pk_B, stake_B; …)
• Use the stakes as weights in a Weighted Threshold Secret Sharing of the (dummy) fork (= 0); encrypt each party’s shares under its public key
• Commit: w → c1
• Share and Encrypt: fork (= 0) → {ct_i}
• NIWI.Prove: (c1 commits to valid witness) OR ({ct_i} reconstruct to valid fork with high stake fraction)

Soundness
• If adversary proves false statement, fork can be extracted and reconstructed
• Breaks bounded stake forking property
NIZKs: Challenges, Fixes and More
• Proof size ∝ # of parties
• Encrypt to last ℓ blocks only
• Sufficient honest-stake contribution
• Inconsistent sharing due to small forks etc
• Prune last few blocks …
• Different stake bounds on adversary, simulator and
extractor
• Can be made Argument of Knowledge
• Share and encrypt witness
• ...
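The “share and conquer” step and the fixes listed above (encrypt only to the miners of the last ℓ blocks, different stake bounds for adversary and extractor) rest on one tool: a weighted threshold secret sharing in which a party’s weight is its stake. The block below is an added example for this page, not the paper’s construction or code: Shamir sharing over a prime field where a party with weight w holds w shares, so a coalition reconstructs iff its total weight reaches the threshold. The weights reuse the slide’s A/B/C stakes plus two constructed adversarial parties D/E, the threshold 25 stands for 𝛽 = 25% in the same percent units, and the “fork” being shared is a constructed stand-in value. Encrypting each party’s shares to its public key is the step the example omits; it is assumed to happen outside this code.

```python
import random

P = 2**127 - 1  # prime modulus of the sharing field (a Mersenne prime)


def _poly_eval(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def weighted_share(secret, weights, threshold, rng):
    """Weighted threshold sharing: a party with weight w holds w Shamir shares of a
    degree-(threshold-1) polynomial, so any set of parties whose weights sum to
    >= threshold reconstructs, and any set below it learns nothing about `secret`."""
    if not 0 < threshold <= sum(weights.values()):
        raise ValueError("threshold must be positive and reachable")
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(threshold - 1)]
    shares, x = {}, 1
    for party in sorted(weights):
        shares[party] = []
        for _ in range(weights[party]):
            shares[party].append((x, _poly_eval(coeffs, x)))
            x += 1
    return shares


def lagrange_at_zero(points):
    """Interpolate the polynomial through `points` and return its value at 0."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def reconstruct(shares, parties, threshold):
    """What a coalition `parties` can recover; None if its weight is below threshold."""
    pts = [pt for p in parties for pt in shares[p]]
    if len(pts) < threshold:
        return None
    return lagrange_at_zero(pts[:threshold])


# Constructed weights: stake (in percent) of the miners of the last ell blocks,
# reusing the slide's A/B/C stakes plus two adversarial parties D/E.
WEIGHTS = {"A": 10, "B": 5, "C": 15, "D": 8, "E": 6}
HONEST, ADVERSARY = ["A", "B", "C"], ["D", "E"]
THRESHOLD = 25   # beta = 25% of total stake, in the same percent units
SECRET = int.from_bytes(b"fork-witness", "big")  # constructed stand-in for the shared fork


def demo():
    """Extractor (holding the honest keys, weight 30) vs adversary (weight 14)."""
    rng = random.Random(2017)            # seeded only so the example is reproducible
    shares = weighted_share(SECRET, WEIGHTS, THRESHOLD, rng)
    adv_pts = [pt for p in ADVERSARY for pt in shares[p]]
    return {
        "extractor_recovers": reconstruct(shares, HONEST, THRESHOLD) == SECRET,
        "adversary_recovers": reconstruct(shares, ADVERSARY, THRESHOLD),
        "adversary_guess_correct": lagrange_at_zero(adv_pts) == SECRET,
    }


if __name__ == "__main__":
    print(demo())
```

The two verdicts mirror the two proof directions on the slides: the extractor, which controls the honest parties and hence stake ≥ 𝛽, clears the threshold and recovers whatever a cheating prover shared; the adversary, bounded to stake ≤ 𝛼 < 𝛽, holds too few shares, and interpolating the ones it has yields an unrelated field element.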
Result 1

Theorem. (Informal)
If blockchain protocol satisfies sufficient honest-stake contribution and bounded stake forking properties, and NIWI scheme is secure, then our proof system is a secure NIZK Argument of Knowledge.
OTPs: Outline
Compilation (replaces the hardware token)
• Garble circuit C → garbled circuit G with input-wire key pairs (w_{i,0}, w_{i,1})
• Witness-encrypt the key pairs → encrypted key pairs (ct_{i,0}, ct_{i,1})
• One-time program = garbled circuit G + encrypted key pairs (ct_{i,0}, ct_{i,1})
Evaluation
[Figure: the evaluator posts input x in a new block on the present blockchain; once the blockchain is extended by further blocks with Stake Fraction ≥ 𝛽 (the distinguishable-forking threshold), the extended chain is used as the witness to decrypt the keys selected by x.]
Result 2

Theorem. (Informal)
If blockchain protocol satisfies distinguishable forking property, garbling scheme is secure and WE scheme is extractable secure, then our one-time compiler is also secure.
Pay-Per-Use Service (Simplified)
• Service provider starts a service
• Customers pay to use it
• Provider doesn’t need to interact
Pay-Per-Use Service: Idea
• Provider publishes a keyed-OTP that computes the service f
[Figure: the customer sends coins to the provider in a new block on the present blockchain; once the blockchain is extended by further blocks, the extended chain is used as the witness to evaluate the OTP.]
Conclusion: A Change of Perspective
• Blockchains traditionally considered a “cryptographic goal”
  • Way to decentralized digital currency
• Blockchains as a “cryptographic primitive”
  • Way to bypass impossibility results
Thank you! Questions?
