diff --git a/VDF.pdf b/VDF.pdf
index 2224f951888d341856ae9dfdd35b0697c2810757..3bc8319a7b2610575243c94f7f7b4012dfd5b11e 100644
Binary files a/VDF.pdf and b/VDF.pdf differ
diff --git a/VDF.tex b/VDF.tex
index 66143886d0c180db535c768602e90c60700179c2..cab8b0f089e201b0e602dbe3c3445d92172298bb 100644
--- a/VDF.tex
+++ b/VDF.tex
@@ -83,42 +83,45 @@ The modified protocol is unique.
\subsection*{Zero-knowledge PoSW}
-In many applications, it might be useful to proof that one computed $y=x^{2^T}$ without actually reveiling $y$ and the corresponding proof $\pi=\{\mu'_i\}_{i\in[\lceil\log T\rceil-2]}$. In the following we define a notion of computational zero-knowledge proof of knowledge that captures this idea in our context. Note, that we allow the simulator to do some precomputation of time $T$.
+In many applications, it might be useful to proof that one computed $y=x^{2^T}$ without actually reveiling $y$ and the corresponding proof $\pi=\{\mu'_i\}_{i\in[\lceil\log T\rceil-2]}$. In the following we define a notion of computational zero-knowledge proof of knowledge that captures this idea in our context. We will show that both constructions of simple and efficient verifiable delay functions from [P18] and [W18] can be extended to proof the knowledge of statement $x^{2^T}$ in zero-knowledge. \kknote{Unfortunately, so far we can't prove them zero-knowledge under the same definition: For [P18] we need precomputation, for [W18] we need $\sqrt{T}$ parallelism.}
+
+{\color{cyan}WITH PRECOMPUTATION: We allow the simulator to do some precomputation of time $T$.}
-{\color{cyan}OLD:
\begin{definition}
-Let $\lambda$ be a security parameter and $T$ a time parameter. Let $\Pi$ be a two-party protocol between a prover $\mathcal{P}$ and a verifier $\mathcal{V}$, and $(x,y)$ an instance to the protocol. Then $\Pi$ is \emph{computational zero-knowledge} (for time parameter $T$) if the following properties hold:
+Let $\lambda$ be a security parameter, $T$ a time parameter and $f:\mathbb{N}\to\mathbb{R}$ some sublinear function. Let $\Pi$ be a two-party protocol between a prover $\mathcal{P}$ and a verifier $\mathcal{V}$, and $(x,y,\nu)$ an instance to the protocol, where $x$ is the common input, $y$ the secret the prover wants to prove knowledge of, and $\nu$ comprises some additional values that allow $\mathcal{P}$ to compute a proof of correctness of $y$. Then $\Pi$ is $(T,f(T))$-\emph{computational zero-knowledge} (for time parameter $T$) if the following properties hold:
\begin{itemize}
-\item \textbf{Correctness: }For honest parties $\mathcal{P}$ and $\mathcal{V}$, the protocol accepts within time $\poly(\log T)$ with probability $1$.
-\item \textbf{Soundness: }For any instance $(x,y)$ and any deterministic prover $\hat {\mathcal{P}}$ that runs in time $\poly(\log T)$ and succeeds with probability $p>\negl(\lambda)$, one can extract $y$ from $\hat{P}(x,y)$ in time $1/p\cdot\poly(\log T)$ with probability $1-\negl(\lambda)$.
-\item \textbf{Computational zero-knowledge: }There exists a simulator $\mathcal{S}$ who runs some precomputation of time $T$ and after receipt of $x$ outputs a transcript $\mathcal{S}(x)$ in time $\poly(\log T)$ such that no algorithm running in time $\poly(\lambda)$ can distinguish between $\mathcal{V}$'s view on the protocol $\Pi(x,y)$ (including $\mathcal{V}$'s random coins) and $\mathcal{S}(x)$.
+\item \textbf{Correctness: }For honest parties $\mathcal{P}$ and $\mathcal{V}$, the protocol accepts within time $f(T)$ with probability $1$.
+\item \textbf{Soundness: }For any instance $(x,y)$ and any deterministic prover $\hat {\mathcal{P}}$ that runs in time $f(T)$ and succeeds with probability $p>\negl(\lambda)$, one can extract $y$ from $\hat{P}(x,y)$ in time $1/p\cdot f(T)$ with probability $1-\negl(\lambda)$.
+\item \textbf{Computational zero-knowledge: }There exists a simulator $\mathcal{S}$ who
+{\color{cyan} runs some precomputation of time $T$ and}
+ after receipt of $x$ outputs a transcript $\mathcal{S}(x)$ in time $f(T)$ such that no algorithm running in time $\poly(\lambda)$ can distinguish between $\mathcal{V}$'s view on the protocol $\Pi(x,y)$ (including $\mathcal{V}$'s random coins) and $\mathcal{S}(x)$.
\end{itemize}
\end{definition}
+{\color{cyan}
\begin{remark}
-One could also consider a slightly different definition where, instead of allowing all algorithms to do some precomputation of time $T$, they get some additional information. In the construction below this additional information would be $\{(x')^{2^{T/2^i}}\}_{i\in [0,\lceil\log T\rceil]}$ for some uniformly random $x'\out QR_N$, which can be randomized by each party to get arbitrarily many instances $\{(x'')^{2^{T/2^i}}\}_{i\in [0,\lceil\log T\rceil]}$ for uniformly distributed $x''\out QR_N$.
+One could also consider a slightly different definition where, instead of allowing all algorithms to do some precomputation of time $T$, they get some additional information. In the construction below this additional information would be the $\sqrt{T}$ powers $\{\nu_i'\}_{i\in [\sqrt{T}]}$ of $x'$ which the prover would store while computing $y'=(x')^{2^T}$ to be able to compute the proof $\pi$ for $(x',y')$, for some uniformly random $x'\out QR_N$. Note that these additional values $\nu_i'$ can be randomized to get arbitrarily many instances $\{\nu_i''\}_{i\in [\sqrt{T}]}$ for uniformly distributed $x''\out QR_N$.
\end{remark}
}
-{\color{blue}NEW SUGGESTION:
-\begin{definition}\label{zk}
-Let $\lambda$ be a security parameter, $\epsilon\in(0,1)$, and $T$ a time parameter. Let $\Pi$ be a two-party protocol between a prover $\mathcal{P}$ and a verifier $\mathcal{V}$, $x$ an instance to the protocol and $(y,\nu)$ some secret information of the prover. Then $\Pi$ is \emph{$(T,\epsilon)$-computational zero-knowledge} (with respect to $y$) if the following properties hold:
-\begin{itemize}
-\item \textbf{Correctness: }For honest parties $\mathcal{P}$ and $\mathcal{V}$, the protocol accepts within time $T^\epsilon$ with probability $1$.
-\item \textbf{Soundness: }For any instance $(x,y,\nu)$ and any deterministic prover $\hat {\mathcal{P}}$ that runs in time $T^\epsilon$ and succeeds with probability $p>\negl(\lambda)$, one can extract $y$ from $\hat{P}(x,y,\nu)$ in time $1/p\cdot T^\epsilon$ with probability $1-\negl(\lambda)$.
-\item \textbf{Computational zero-knowledge: }There exists a simulator $\mathcal{S}$ who runs in time $T^\epsilon$ and outputs a transcript $\mathcal{S}(x)$ such that no algorithm running in time $T^\epsilon$ can distinguish between $\mathcal{V}$'s view on the protocol $\Pi(x,y,\nu)$ (including $\mathcal{V}$'s random coins) and $\mathcal{S}(x)$.
-\end{itemize}
-\end{definition}
+%{\color{blue}NEW SUGGESTION:
+%\begin{definition}\label{zk}
+%Let $\lambda$ be a security parameter, $\epsilon\in(0,1)$, and $T$ a time parameter. Let $\Pi$ be a two-party protocol between a prover $\mathcal{P}$ and a verifier $\mathcal{V}$, $x$ an instance to the protocol and $(y,\nu)$ some secret information of the prover. Then $\Pi$ is \emph{$(T,\epsilon)$-computational zero-knowledge} (with respect to $y$) if the following properties hold:
+%\begin{itemize}
+%\item \textbf{Correctness: }For honest parties $\mathcal{P}$ and $\mathcal{V}$, the protocol accepts within time $T^\epsilon$ with probability $1$.
+%\item \textbf{Soundness: }For any instance $(x,y,\nu)$ and any deterministic prover $\hat {\mathcal{P}}$ that runs in time $T^\epsilon$ and succeeds with probability $p>\negl(\lambda)$, one can extract $y$ from $\hat{P}(x,y,\nu)$ in time $1/p\cdot T^\epsilon$ with probability $1-\negl(\lambda)$.
+%\item \textbf{Computational zero-knowledge: }There exists a simulator $\mathcal{S}$ who runs in time $T^\epsilon$ and outputs a transcript $\mathcal{S}(x)$ such that no algorithm running in time $T^\epsilon$ can distinguish between $\mathcal{V}$'s view on the protocol $\Pi(x,y,\nu)$ (including $\mathcal{V}$'s random coins) and $\mathcal{S}(x)$. \kknote{Problem: We can not achieve that, since there is an exponential gap between the time needed for computation of y and the assumed lower bound on the time needed for distinguishing y from a random quadratic residue.}
+%\end{itemize}
+%\end{definition}
\begin{remark}
Note, that the additional input $(y,\nu)$ to the prover comprises some additional information $\nu$ that helps the prover to proof correctness of his secret knowledge $y$. In the construction below, this additional information $\nu$ would consist of the $\sqrt{T}$ values stored during computation of $y$ that allow to compute $\pi=\{\mu'_i\}_{i\in[\lceil\log T\rceil-2]}$ within time $T^\epsilon$ with $\epsilon =1/2$.
\end{remark}
-}
Consider the following extension of the protocol from [P18] to prove the knowledge of the solution $y=x^{2^T}$ to a puzzle $(N,x,T)$ without revealing $y$ to the verifier, where we assume that the prover stored $\sqrt{T}$ powers of $x$, denoted by $\nu=\{\nu_i\}_{i\in\sqrt{T}}$, which allow him to compute an accepting proof $\{\mu'_i\}_{i\in[\lceil\log T\rceil-2]}$ for $(N,x,T,y)$ within time $\sqrt{T}$. Let $\mathcal{R}=[0,2^\lambda]$.
-\paragraph*{Zero-Knowledge protocol}
-\begin{itemize}
+\paragraph*{Zero-Knowledge protocol based on [P18].}
+\begin{enumerate}
\item Setup: $\mathcal{P,V}$ receive an instance $(N,x,T)$, $\mathcal{P}$ additionally gets $y=x^{2^T}$ and $\nu=\{\nu_i\}_{i\in[\sqrt{T}]}$.
\item The verifier $\mathcal{V}$ chooses $h\out\mathcal{R}$ uniformly at random, computes a commitment $c=H(h)$ (where $H$ is a collision resistant hash function) and sends it to $\mathcal{P}$.
\item The prover $\mathcal{P}$ chooses $\alpha\out\mathcal{R}$ uniformly at random and sends $x^\alpha$ to the verifier $\mathcal{V}$.
@@ -126,10 +129,11 @@ Consider the following extension of the protocol from [P18] to prove the knowled
\item $\mathcal{P}$ checks whether $c=H(h)$; if not it aborts. Otherwise, $\mathcal{P}$ computes $y^*=y^{\alpha+h}=(x^*)^{2^T}$ and $\nu_i^*=(\nu_i)^{\alpha+h}$ for $i\in[\sqrt{T}]$.
\item $\mathcal{P}$ and $\mathcal{V}$ run the PoSW protocol [P18] on $(N,x^*,T)$ to compute a proof $\pi^*=\{(\mu_i^*)'\}_{i\in[\lceil\log T\rceil-2]}$ for $(x^*,y^*)$.
\item $\mathcal{V}$ checks correctness of the proof $(N,x^*,T,y^*,\pi^*)$ as in [P18].
-\end{itemize}
+\end{enumerate}
-\begin{lemma}
-Assuming that given $x\in QR_N$ the fastest algorithm to compute $y=x^{2^T}$ requires $T$ sequential squarings and that no algorithm can distinguish $y$ from a uniform $y'\out QR_N$ in time less than $\exp(\lambda)$, the above protocol is $(T,1/2)$-computational zero-knowledge.
+\begin{lemma}\label{lem:zk}
+{\color{cyan}WITH PRECOMPUTATION:}
+Assuming that given $x\in QR_N$ the fastest algorithm to compute $y=x^{2^T}$ requires $T$ sequential squarings and that no algorithm can distinguish $y$ from a uniform $y'\out QR_N$ in time less than $\exp(\lambda)$, the above protocol is $(T,\sqrt{T})$-computational zero-knowledge.
\end{lemma}
\begin{proof}
The correctness property is naturally satisfied whenever $\mathcal{P,V}$ honestly follow the protocol.\\
@@ -137,8 +141,8 @@ For soundness, consider a deterministic prover $\hat{\mathcal{P}}$ and an extrac
Then there exist integers $\beta_1,\beta_2$ such that $\beta_1(h_1-h_2)+\beta_2(h_1-h_3)=1$, and these are easy to compute (using Euclid's algorithm%?
\kknote{check size of $\beta_1,\beta_2$}
). Thus, after receipt of $y_1^*=y^{h_1+\alpha}$, $y_2^*=y^{h_2+\alpha}$, $y_3^*=y^{h_3+\alpha}$ together with the values $h_1,h_2,h_3\in\mathcal{R}$, the extractor $\mathcal{E}$ can compute $y=\big(y_1^*(y_2^*)^{-1})^{\beta_1}(y_1^*(y_3^*)^{-1}\big)^{\beta_2}$.\\
-{\color{cyan}OLD:
-To proof zero-knowledge, define a simulator $\mathcal{S}$ as follows: First, during the precomputation phase, on input $(N,T)$, $\mathcal{S}$ chooses $\bar{x}\out QR_N$ uniformly at random and computes $\bar{\nu_i}=\bar{x}^{2^{T/2^i-1}}$ for $i\in[\lceil\log T\rceil-2]$ as well as $\bar{y}=\bar{x}^{2^T}$. Upon receipt of $x\in QR_N$, $\mathcal{S}$ chooses uniform $\beta\out\mathcal{R}$, $h\out \mathcal{R}$, and computes $\tilde{x}=\bar{x}^\beta x^{-h}$ and a proof $\bar{\pi}=\{\bar{\mu}'_{i}\}_{i\in[\lceil\log T\rceil-2]}$ for $\bar{y}=(\bar{x}^\beta)^{2^T}$.\footnote{Note, rerandomizing by $\beta$ allows $\mathcal{S}$ to simulate proofs for several instances $x\in QR_N$.} The simulator outputs $\mathcal{S}(N,x,T)=(H(h),\tilde{x},h,\bar{y},\bar{\pi})$, which is indistinguishable from $(H(h),x^\alpha,h,y^*,\pi^*)$ in the honest transcript within time $\poly(\lambda,\log T)$.
+{\color{cyan}WITH PRECOMPUTATION:
+To proof zero-knowledge, define a simulator $\mathcal{S}$ as follows: First, during the precomputation phase, on input $(N,T)$, $\mathcal{S}$ chooses $\bar{x}\out QR_N$ uniformly at random and computes $\bar{\nu_i}$ for $i\in[\sqrt{T}]$ as well as $\bar{y}=\bar{x}^{2^T}$. Upon receipt of $x\in QR_N$, $\mathcal{S}$ chooses uniform $\beta\out\mathcal{R}$, $h\out \mathcal{R}$, and computes $\tilde{x}=\bar{x}^\beta x^{-h}$ and a proof $\bar{\pi}=\{\bar{\mu}'_{i}\}_{i\in[\lceil\log T\rceil-2]}$ for $\bar{y}=(\bar{x}^\beta)^{2^T}$.\footnote{Note, rerandomizing by $\beta$ allows $\mathcal{S}$ to simulate proofs for several instances $x\in QR_N$.} The simulator outputs $\mathcal{S}(N,x,T)=(H(h),\tilde{x},h,\bar{y},\bar{\pi})$, which is indistinguishable from $(H(h),x^\alpha,h,y^*,\pi^*)$ in the honest transcript within time $\poly(\lambda,\log T)$.
}
\end{proof}
@@ -146,8 +150,28 @@ To proof zero-knowledge, define a simulator $\mathcal{S}$ as follows: First, dur
We can also consider a non-interactive version of the above protocol which can be proven secure in the random oracle model.
\end{remark}
+\paragraph*{Zero-Knowledge protocol based on [W18].}
+
+We can also extend the VDF from [W18] to a zero-knowledge protocol in a similar manner as above. To this aim, note that the proof $\pi=x^{\lfloor 2^T/B\rfloor}$ for a statement $(x,y=x^{2^T})$ can be computed in time $\log{T}$ when $\sqrt{T}$ space as well as $\sqrt{T}$ parallelism is available.
+
+\begin{claim}
+Using $\sqrt{T}$ stored values $\{\nu_i\}_{i\in[\sqrt{T}]}$, all being powers of $x$ obtained during the computation of $y=x^{2^T}$, one can compute a proof $\pi=x^{\lfloor 2^T/B\rfloor}$ for $(x,y)$ in time $\log{T}$ with $\sqrt{T}$ parallelism. \kknote{To be proved in detail}
+\end{claim}
+
+If we run the protocol from [W18] as a subroutine in step 6 of the above construction, we obtain a $(T,\log T)$-computational zero-knowledge proof of knowledge of $y=x^{2^T}$. Unfortunately, the improved bound $\log T$ can only be achieved when using $\sqrt{T}$ parallelism. This is in contrast to the construction based on [P18] where proofs can be computed in time $\sqrt{T}$ using $\sqrt{T}$ space but no parallelism. \kknote{Unlike for [P18], here we do not need to allow precomputation.}
+
+\begin{lemma}
+Assuming that given $x\in QR_N$ the fastest algorithm to compute $y=x^{2^T}$ requires $T$ sequential squarings and that no algorithm can distinguish $y$ from a uniform $y'\out QR_N$ in time less than $\exp(\lambda)$, the above protocol is $(T,\log T)$-computational zero-knowledge.
+\end{lemma}
+\begin{proof}
+Clearly, correctness follows immediately and soundness similarly to the proof of Lemma \ref{lem:zk}.
+To proof zero-knowledge, define a simulator $\mathcal{S}$ as follows: On input $(N,x,T)$, $\mathcal{S}$ samples $h,\alpha\out\mathcal{R}$ and computes $x^*=x^{\alpha+h}$, just as in the real protocol. Then it samples a large prime $B$ \kknote{uniformly from the domain of $H_{prime}$} and $c\out\mathcal{R}$, computes $y^*=(x^*)^{cB+r}$, where $r=2^T\mod B$, and sets $\pi^*=(x^*)^c$. Finally, $\mathcal{S}$ outputs $(H(h),x^\alpha,h,y^*,\pi^*)$.
+\end{proof}
+
+As in the case of [P18], the non-interactive version of the above zero-knowledge protocol can be proven secure in the random oracle model using the programmability of random oracles.
+
%%%references
-%AngluinLecturenotes, BlumBlumShub86, Pietrzak18
+%AngluinLecturenotes, BlumBlumShub86, Pietrzak18, Wesolowsi18
\end{document}
\ No newline at end of file