### Precomputation

parent 0fcca978
NEW.tex 0 → 100644
This diff is collapsed.
 %\documentclass[]{llncs} \documentclass[a4paper,12pt]{article} % \def \lncs {} %\input{Macros.tex} %\usepackage{rotating} \usepackage{amssymb,amsmath,wasysym,dsfont,bm,relsize,amsbsy} \usepackage{amsthm} \usepackage{color} % Controlling the margin % \usepackage[margin=1.25in]{geometry} % \linespread{0.9} \bibliographystyle{alpha} \pagestyle{plain} %Local macros %\DeclareAlgorithms{in,out,level,ind,sibling} % \DeclareLanguages{} \newtheorem{theorem}{Theorem} \newtheorem{definition}{Definition} \newtheorem{lemma}{Lemma} \newtheorem{Xlemma}{Lemma}[theorem] \newtheorem{corollary}{Corollary} \newtheorem{observation}{Observation} \newtheorem{claim}{Claim}[theorem] \newtheorem{conjecture}{Conjecture} \newtheorem{fact}{Fact} \newtheorem{remark}{Remark} %Notes \newcommand{\kknote}{\textcolor{red}{KK: #1}} \newcommand{\out}{\leftarrow} \newcommand{\bin}{\{0,1\}} \newcommand{\negl}{\operatorname{negl}} \newcommand{\poly}{\operatorname{poly}} \newcommand{\tpre}{T_{\operatorname{pre}}} \newcommand{\state}{\mathsf{state}} %opening \title{Sequential Squaring with Precomputation} %\author{ %} %\institute{ % IST Austria\\ \email{\{ckamath,karen.klein,pietrzak,michael.walter\}@ist.ac.at} %} \begin{document} \maketitle \section{Introduction} Verifiable delay functions (VDFs) are functions whose evaluation requires a prescribed number of sequential operations (a \emph{delay}), but at the same time are \emph{verifiable} in the sense that they offer an efficient way of proving the correctness of the output: Given an input $x$, the prover does not only compute the output $y$ of the function but also provides a proof $\pi$, which allows the verifier to verify that $y$ is indeed the correct output of the function much more efficiently than evaluating the function himself.\\ The design and implementation of VDFs have become a hot topic in cryptography especially due to their application in several decentralized cryptocurrencies such as Ethereum (ethereum.org) and Chia (chia.net). The two most practical proposals are those by Pietrzak \cite{P18} and Wesolowski \cite{W18}. Both of them are inspired by the timelock puzzle of Rivest, Shamir and Wagner \cite{RSW96} and rely on the assumption that, given a description of a group of unknown order of size exponential in the security parameter $\lambda$ and a uniformly random group element $x$, the fastest algorithm to compute $x^{2^T}$ for some time parameter $T=\poly(\lambda)$ requires $T$ sequential squarings.\\ Unfortunately, without a trusted setup it seems to be a quite challenging task to efficiently generate groups of unknown order. Currently, there are two different approaches: The first one is to use an RSA group, where the modulus $N$ is generated as the product of two safe primes via multi-party computation. The second, on the other hand, is to use the class group of an imaginary quadratic number field, which can be uniquely defined by choosing its discriminant and also allows efficient group operations, while efficiently computing its order (i.e., the class number) has been a longstanding open problem in computational algebraic number theory. No matter which of these two option is used, it would be much more convenient to generate a group once and forever than choosing a fresh one for each application of the VDF.\\ However, if the group (and potentially also the time parameter $T$) is known ahead of time, we need to make a (seemingly) stronger assumption, namely, that even after doing some precomputation of time $\tpre=\poly(\lambda)$ computing $x^{2^T}$ for a fresh uniformly random group element $x$ still requires $T$ sequential group operations. In this work we prove that the latter assumption is actually implied by the former one and, thus, justify the choice of recent proposals to reuse the setup parameters. \section{Preliminaries} \subsection{The Assumptions} In the following we state our assumptions for arbitrary groups. \begin{definition}[Sequential Squaring Assumption]\label{ssa} Let $\lambda$ be a security parameter. The \emph{sequential squaring assumption} holds in a group $\cal G$ if for all time parameters $T\in\mathbb{N}$, $T=\poly(\lambda)$ and all algorithms $\cal A$ running in time $\tau\tpre$ outputs $y'=(x')^{2^{T'}}$ within time less than $T'$ (with the same probability $\epsilon$). \end{lemma} \begin{proof} Let $\mathcal{A}=(\mathcal{A}_0,\mathcal{A}_1)$ be such an algorithm, where $\mathcal{A}_0$ denotes the partial algorithm which runs the precomputation and $\mathcal{A}_1$ denotes the algorithm run after $x$ is given to $\cal A$. We construct an algorithm $\mathcal{B}$ that on input $(N,x',T')$ %$(\mathcal{G},x',T')$ runs in time less than $T'$ and outputs $y'=(x')^{2^{T'}}$ as follows: On receipt of $(N,x',T')$%$(\mathcal{G},x',T')$ , $\cal B$ runs $\mathcal{A}_0(N,T)$ %$\mathcal{A}_0(\mathcal{G},T)$ with $T:=T'-\tpre$ and simultaneously computes $x:=(x')^{2^{\tpre}}$. This takes time $\tpre$; let $\state$ be the output of $\mathcal{A}_0$. Next, $\cal B$ invokes $\mathcal{A}_1$ on input $(N,x,T,\state)$. %$(\mathcal{G},x,T,\state)$. %%%%% Note that $x$ is indeed uniformly random in $QR_N$ since the function $.^{2^{T'}}:QR_N\to QR_N$, $x\mapsto x^{2^{T'}}$ is 1-to-1 for this choice of modulus $N$ (see e.g. \cite[Lemma 1]{BBS86}). %%%% Thus, by assumption, $\mathcal{A}_1(N,x,T,\state)$ runs in time \$\tau
VDF.bib 0 → 100644
 ﻿@inproceedings{P18, author = {Krzysztof Pietrzak}, title = {Simple Verifiable Delay Functions}, booktitle = {10th Innovations in Theoretical Computer Science Conference, {ITCS} 2019, January 10-12, 2019, San Diego, California, {USA}}, pages = {60:1--60:15}, year = {2019}, crossref = {DBLP:conf/innovations/2019}, url = {https://doi.org/10.4230/LIPIcs.ITCS.2019.60}, doi = {10.4230/LIPIcs.ITCS.2019.60}, timestamp = {Mon, 27 May 2019 15:36:31 +0200}, biburl = {https://dblp.org/rec/bib/conf/innovations/Pietrzak19a}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{W18, author = {Benjamin Wesolowski}, title = {Efficient Verifiable Delay Functions}, booktitle = {Advances in Cryptology - {EUROCRYPT} 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Darmstadt, Germany, May 19-23, 2019, Proceedings, Part {III}}, pages = {379--407}, year = {2019}, crossref = {DBLP:conf/eurocrypt/2019-3}, url = {https://doi.org/10.1007/978-3-030-17659-4\_13}, doi = {10.1007/978-3-030-17659-4\_13}, timestamp = {Tue, 14 May 2019 14:02:25 +0200}, biburl = {https://dblp.org/rec/bib/conf/eurocrypt/Wesolowski19}, bibsource = {dblp computer science bibliography, https://dblp.org} } @TECHREPORT{RSW96, author = {Ronald L. Rivest and Adi Shamir and David A. Wagner}, title = {Time-lock puzzles and timed-release crypto}, institution = {}, year = {1996} } @article{BBS86, author = {Lenore Blum and Manuel Blum and Mike Shub}, title = {A Simple Unpredictable Pseudo-Random Number Generator}, journal = {{SIAM} J. Comput.}, volume = {15}, number = {2}, pages = {364--383}, year = {1986}, url = {https://doi.org/10.1137/0215025}, doi = {10.1137/0215025}, timestamp = {Wed, 14 Nov 2018 10:45:07 +0100}, biburl = {https://dblp.org/rec/bib/journals/siamcomp/BlumBS86}, bibsource = {dblp computer science bibliography, https://dblp.org} } \ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!