Proofs of Work POWs and Bread Pudding Protocols
Proofs of Work (POWs) and Bread Pudding Protocols Ari Juels RSA Laboratories with Markus Jakobsson Bell Laboratories
Cryptography: About proofs of mathematical relations Prover Verifier w = ge c s = cx +e s c g =y w?
Some proofs Proof of Identity = Cryptographic Authentication Protocol
Some proofs Proof of Authorization (Signed Document) = Digital signature
Proof of work? 1 ounce sweat = 1 hour of work We can make precise in cryptographic world
Proof of work (POW) Prover Verifier Query Response Prover did at least 106 cycles of work
Example of a POW (Hash inversion) Prover Verifier t = h(s) [k bits] random secret s Prover computed an expected 2 k-1 hashes s
What are POWs good for? u Spam deterrent (DN 94), “Hash cash” u Defense against denial-of-service attacks (JB 99) Service Request
What are POWs good for? u Benchmarking Query Client Response Server
Formal notion of POW
Breadpudding u Idea: Re-use the ``stale’’ computation in a POW to perform useful task u Achieve privacy in useful task u Example: Hash inversion POW for distributed Micro. Mint
Micro. Mint Want a scheme that mimics economics of physical mint u Verifying validity of a coin is easy u Base minting cost is high so. . . u Forgery is expensive
The minting process 1. Throw balls into bins using “random” function h 2. Any bin with two balls is a coin
Minting in Micro. Mint h Collision = Coin Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9
Checking a coin h Valid coin? Bin 2
Features u Many bins, so need to throw many balls to mint successfully u Minting requires very intensive computation
Minting requires special, e. g. , $250, 000 computer “Deep Crack”
Another characteristic: balls are invalid Most h Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9 In fact, >99% of work goes to missed balls!
Idea: Make three stage process 1. Create “valid” balls, i. e. , balls that won’t miss (>99% of work) 2. Throw balls into bins using “random” function h (<1% of work) 3. Any bin with two balls is a coin
Have many other (untrusted) people do Step 1
Now. . . u 99%+ of work is done for minter u. No participant will get enough balls to do minting himself/herself (or else participants know “validity” h but not “throwing” h) u. Minting is cheap for minter!
Minter can use ordinary server
Questions? ? +
- Slides: 24