Indistinguishable Proofs of Work or Knowledge

Baldimtsi, Foteini; Kiayias, Aggelos; Zacharias, Thomas; Zhang, Bingsheng

doi:10.1007/978-3-662-53890-6_30

Foteini Baldimtsi¹⁵,
Aggelos Kiayias¹⁶,
Thomas Zacharias¹⁶ &
…
Bingsheng Zhang¹⁷

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10032))

Included in the following conference series:

International Conference on the Theory and Application of Cryptology and Information Security

2694 Accesses
7 Citations

Abstract

We introduce a new class of protocols called Proofs of Work or Knowledge (PoWorKs). In a PoWorK, a prover can convince a verifier that she has either performed work or that she possesses knowledge of a witness to a public statement without the verifier being able to distinguish which of the two has taken place. We formalize PoWorK in terms of three properties, completeness, f-soundness and indistinguishability (where f is a function that determines the tightness of the proof of work aspect) and present a construction that transforms 3-move HVZK protocols into 3-move public-coin PoWorKs. To formalize the work aspect in a PoWorK protocol we define cryptographic puzzles that adhere to certain uniformity conditions, which may also be of independent interest. We instantiate our puzzles in the random oracle (RO) model as well as via constructing “dense” versions of suitably hard one-way functions.

We then showcase PoWorK protocols by presenting a number of applications. We first show how non-interactive PoWorKs can be used to reduce spam email by forcing users sending an e-mail to either prove to the mail server they are approved contacts of the recipient or to perform computational work. As opposed to previous approaches that applied proofs of work to this problem, our proposal of using PoWorKs is privacy-preserving as it hides the list of the receiver’s approved contacts from the mail server. Our second application, shows how PoWorK can be used to compose cryptocurrencies that are based on proofs of work (“Bitcoin-like”) with cryptocurrencies that are based on knowledge relations (these include cryptocurrencies that are based on “proof of stake”, and others). The resulting PoWorK-based cryptocurrency inherits the robustness properties of the underlying two systems while PoWorK-indistinguishability ensures a uniform population of miners. Finally, we show that PoWorK protocols imply straight-line quasi-polynomial simulatable arguments of knowledge and based on our construction we obtain an efficient straight-line concurrent 3-move statistically quasi-polynomial simulatable argument of knowledge.

F. Baldimtsi et al.—Work performed while at the National and Kapodistrian University of Athens. Research supported by ERC project CODAMODA, #259152 and H2020 Project Panoramix #653497. Baldimtsi also did part of this work while at Boston University supported by NSF #1012910.

You have full access to this open access chapter, Download conference paper PDF

Unified Proof of Work: Delegating and Solving Customized Computationally Bounded Problems in a Privacy-Preserving Way

The Hunting of the SNARK

Article 03 October 2016

Generalized Proofs of Knowledge with Fully Dynamic Setup

Keywords

1 Introduction

We introduce a new class of prover verifier protocols where the prover wishes to convince the verifier that it is either in possession of a witness to a publicly known statement or that it has invested a certain amount of computational effort. A Proof of Work or Knowledge (PoWorK) enables the prover to achieve this objective while at the same time ensuring that the verifier is incapable of distinguishing which way the prover has followed: performing the work or exploiting her knowledge of the witness.

At an intuitive level a PoWorK protocol is a disjunction of a proof of work and a proof of knowledge. Proofs of knowledge are a fundamental notion in cryptography [GMR85] with a very wide array of applications in the design of cryptographic protocols. They have been studied extensively, both in terms of efficient constructions, e.g., [Sch89], as well as in terms of their composability with themselves or within larger protocols, see e.g., [CDS94, DNS98, CGGM00, Can01, CF01, Pas03, Pas04]. Proofs of work on the other hand, were first introduced in [DN92], further studied in [RSW96, Bac97, JB99, DGN03, CMSW09], and were primarily applied as a denial of service network or spam protection mechanism; recently they have also found important applications in building decentralized cryptocurrencies (notably Bitcoin [Nak08] but also many others).

In an interactive proof protocol, we are interested primarily in two basic properties, soundness and zero-knowledge, that represent the adversarial objectives of the prover and the verifier respectively: the prover must not be able to convince the verifier of false statements while the verifier should not extract any knowledge from interacting with the prover beyond what can be inferred by the public statement. An important class of prover verifier protocols is the 3-move honest-verifier zero knowledge (HVZK) protocols. They are three-move protocols that are “public-coin”, i.e., the verifier in the second move merely selects a random value (that is drawn independently to the statement of the prover’s first move) and submits it to the prover. 3-move HVZK protocols capture a very wide class of practical proofs of knowledge (including Schnorr’s identification scheme [Sch89]) but also all languages in $\mathcal {NP}$ can be shown with a (computational) HVZK protocol via reduction to e.g., the Hamilton cycle protocol [Blu87]. The class of $\varSigma $-protocols possesses very useful properties including being closed under conjunction and disjunction operations [CDS94].

Given the above, one may construct a PoWorK protocol for a language $\mathcal {L}$ as follows: the verifier samples a cryptographic puzzle, $\mathsf {puz}$, and submits it to the prover. The prover provides a commitment $\psi $ and shows that she either possesses a witness w showing that the statement x belongs to $\mathcal {L}$ or that the commitment $\psi $ contains a solution to $\mathsf {puz}$. It is easy to prove that this is a general four-move protocol that implements a PoWorK for any language $\mathcal {L}$ and any cryptographic puzzle. On the other hand, it is known that for zero-knowledge proofs, two-round protocols do not exist for non-trivial languages [GO94] and this result remains true even if the zero-knowledge property is relaxed to $O(\lambda ^{\log ^c(\lambda )})$-simulatability [Pas03], in the sense that only languages decidable in quasi-polynomial time may have two-round quasi-polynomial-time simulatable protocols.

1.1 Our Results

We define and construct efficient three-move PoWorK protocols as well as relevant cryptographic puzzles. Morerover, we demonstrate how PoWorK can instantiate systems that reduce email spam while preserving user privacy, how they are useful in composition of cryptocurrency systems and how they can give rise to concurrent simulatable protocols. In more details:

Definition of PoWorKs. Our formalization entails two definitions, f-soundness and (statistical) indistinguishability. In f-soundness we require that any prover that has running time (in number of steps) less than a specified parameter calibrated according to the function f of the running time of the puzzle solver, it is guaranteed to lead to a knowledge extractor. The importance of the function f is to provide a safe running time upper bound under which the complete protocol execution is successful only via an (a-priori) knowledge of the witness. Indistinguishability on the other hand, ensures that a malicious verifier is incapable of discerning whether the prover performs the proof of work or possesses the knowledge of the witness. We note that timing issues are not taken into account in our model (i.e., we assume that the prover always takes the same amount of time to finish no matter which one of the two strategies it follows). What we do care about though, is that the prover who performs a proof of work spends at least a certain amount of computational resources. Note that indistinguishability easily implies witness indistinguishability [FS90], and thus any PoWorK is also a witness indistinguishable protocol.

PoWorK Constructions. We present a three-move public-coin protocol instantiating a PoWorK given any 3-move HVZK protocol with special soundness. Our protocol transformation preserves the structure and round complexity of the given 3-move HVZK protocol. Observe that the verifier cannot simply provide a puzzle challenge since this would violate the public-coin characteristic of the protocol. To achieve our construction we require puzzle generation algorithms that have a suitable uniformity characteristics, specifically, we require that the domain of puzzles (the “puzzle space”) and the challenge space of the 3-move HVZK protocol are statistically very close (in terms of the distributions induced by the puzzle sample algorithm and the verifier in the protocol). Given such suitable puzzle distribution we present a protocol where the prover is capable of generating a puzzle solution on the fly (utilizing the verifier’s public coins) and solve it, if she wishes. To establish the practicality of our approach we also construct puzzles that are “dense” within $\{0,1\}^l$ and hence consistent with the challenge space of many natural 3-move HVZK protocols. Our dense puzzle based PoWorK construction has the characteristic that is black-box with respect to the underlying puzzle system (which is suitable for puzzles whose security is argued, say, in the RO model).

Definition and Instantiations of Puzzles. We give formal definitions of cryptographic puzzle systems $\mathsf {PuzSys}$ that are easy to generate, hard to solve, and easy to verify. We define additional properties like density and amortization resistance and we give two instantiations. Our first instantiation utilizes the random oracle model [BR93] while the second relies on complexity assumptions. More specifically, we use Universal One Way Hash Function families (UOWHF) [NY89] to build extractors with special properties, invoking a variant of leftover hash lemma [Dod05]. We then combine this special extractor with suitably hard one-way functions to obtain our second puzzle instantiation; we present an instantiation of this methodology for the discrete-logarithm problem. As an intermediate result, which may be of independent interest, we show how to convert any arbitrary oneway function to a “dense” oneway function over $\left\{ 0,1\right\} ^{\ell (\lambda )}$ for some $\ell (\cdot )$ and security parameter $\lambda \in \mathbb {Z}^+$ (cf. Theorem 3).

Our puzzle definitions are close in spirit to previous formalizations [RSW96, WJHF04, CMSW09, MMV11, BGJ+16] with the following distinctions. In [CMSW09] the hardness of a puzzle is defined as a monotonically increasing function that maps the running time of an adversary to the success rate of solving the puzzle. Contrary to this, our definition, motivated by our proof of knowledge application, imposes a sharp time threshold, below which the success rate of solving a puzzle becomes negligible. Also, contrary to time-lock puzzles [RSW96, WJHF04, MMV11, BGJ+16], we do not restrict the parallelizability of our puzzles as such feature does not hurt (and may even be desirable) in the PoWorK context. Parallelizable puzzles, like the ones we are focusing on here, have become very popular by their applications to cryptocurrencies. The requirement there is that the puzzle solver should spend a minimum of computational resources to find a solution to the puzzle (and may or may not choose to parallelize).

Applications. Generally speaking, PoWorKs can be used in applications where we would like to allow access to either “registered” or “approved” users (who know a witness) or to every user who is willing to invest computational effort. The key property of PoWorKs is that they enhance privacy since they do not leak the type of user (i.e. approved or not) to the entity that verifies access. A nice illustration of this type of application of PoWorKs is in regard to reducing spam email. Dwork and Naor proposed using proofs of work to control spam e-mails [DN92]. The gist of the idea is that every non-approved contact of a receiver would have to perform some work (i.e. invest computational effort) in order to send her an email. A downside of the method is that the mail server has to maintain an updated list of “approved-contacts” for every user; this can be a privacy concern for the users (not to mention the cost of updating the approved contacts database). We show how by using PoWorK’s, one can still enforce the non-approved senders to perform work while preserving user privacy, since the mail server (who acts as a PoWorK verifier) will not be able to distinguish between approved and non-approved contacts because of PoWorK indistinguishability property.

Our second application is related to cryptocurrencies based on blockchains to maintain the ledger of transactions. These systems can be naturally divided by the mechanism they use to produce the next block in the blockchain as follows: first there are “puzzle-based” ones, (e.g., Bitcoin [Nak08] and many others that followed^{Footnote 1}), and then there are “knowledge-based” ones, that include those^{Footnote 2} that use “proof-of-stake”, “proof-of-activity” or other type of consensus mechanism that relies e.g., on a public-key infrastructure, e.g., [BLMR14, DM16, Maz15]). We demonstrate how given two cryptocurrencies $\mathtt {C}_1,\mathtt {C}_2$ of each type, one can use PoWorK to fuse them into a single cryptocurrency $\mathtt {C}$ with the following properties: (i) in $\mathtt {C}$, the miners that perform $\mathtt {C}_1$-type of mining are indistinguishable from those that perform $\mathtt {C}_2$-type of mining, (ii) $\mathtt {C}$ would reach consensus in the sense of persistence of transactions in the ledger under the conjunction of the conditions that systems $\mathtt {C}_1,\mathtt {C}_2$ would do, (iii) $\mathtt {C}$ would satisfy liveness under the disjunction of the conditions that systems $\mathtt {C}_1,\mathtt {C}_2$ would do.^{Footnote 3} PoWorK-based cryptocurrencies that fuse the knowledge-based and the puzzle-based approach have novel features in the context of cryptocurrencies: for instance, by composing a regular Bitcoin-like cryptocurrency $\mathtt {C}_1$ with a centralized cryptocurrency $\mathtt {C}_2$ supported by a single authority, we get a cryptocurrency $\mathtt {C}$ that resembles Bitcoin but has a trusted authority with a trapdoor that enables it to regulate and normalize the block production rate. Such systems may offer a more attractive solution for nation-states or central banks that wish to issue centralized cryptocurrencies, however they do not want to be constantly involved with block production and they prefer to leave ledger maintenance to the public, while retaining the ability to issue blocks in case of an emergency situation (e.g., many miners go offline due to a software problem). The PoWorK indistinguishability property is critically useful in this setting, since it enables the regulation of the block production rate made by the trusted party to be indistinguishable to everyone, thus ensuring that the trusted party’s involvement will be unnoticed and hence will have no impact to the economy that the cryptocurrency supports.

Our third application relates to zero-knowledge protocols and concerns quasi-polynomial time straight-line simulatable arguments of knowledge. This class of protocols was introduced by [Pas03] and was motivated by the construction of concurrent zero-knowledge proofs in the plain model (as opposed to using a “setup” assumption). In [Pas03] a four-move argument of knowledge was presented that is quasi-polynomial time simulatable. We show that any suitable PoWorK protocol (see Theorem 1 for the precise formulation) implies quasi-polynomial time straight-line simulatable arguments of knowledge. Given our 3-move PoWorK construction, this immediately yields a 3-round protocol in this setting which is optimal in terms of efficiency (round complexity is optimal and computational overhead is just two exponentiations for prover and verifier in total when using the elliptic curves from [BHKL13]); we note that a similar result in terms of rounds can be obtained via a different route, specifically, via the efficient OR composition with an input-delayed $\varSigma $-protocol as recently observed in [CPS+16], however the resulting complexity overhead would be at least 5 exponentiations for prover and verifier in total when instantiated using discrete logarithms.

Roadmap.The rest of this paper is organized as follows. In Sect. 2, we provide basic notation, and formalize cryptographic puzzles, the additional properties of dense samplable puzzles and the property of amortization resistance, as well as the notion of PoWorKs by defining completeness, f-soundness and indistinguishability. In Sect. 3, we present our efficient dense puzzle based construction built upon an arbitrary 3-move special sound HVZK protocol for a language $\mathcal {L}$ and some puzzle system, and prove that our construction achieves f-soundness and indistinguishability. In the same section, we present two dense puzzle instantiations. Finally, in Sect. 4, we describe the applications of PoWorKs. Namely, (i) a method to reduce the amount of spam email while preserving the privacy of the receiver, (ii) the composition of knowledge-based and puzzle-based cryptocurrencies that gives rise to PoWorK-based cryptocurrencies, (iii) an efficient 3-move straight-line concurrent statistically $\lambda ^{\mathrm {poly}(\log \lambda )}$-simulatable argument of knowledge as defined in [Pas03, Pas04].

Alternative PoWorK Constructions. In the full version of this work [BKZZ15] we provide a second PoWorK construction based on the Lapidot-Shamir 3-move special sound computationally special HVZK protocol [LS90], which is less efficient than the dense puzzle based construction but works for all puzzle systems; note that this construction is not black-box with respect to the puzzle and depending on the puzzle may not be public-coin. A third way to construct PoWorK’s can be derived from the recent efficient OR composition technique that was introduced in [CPS+16] that can be used with “input-delayed” $\varSigma $-protocols, where the statement need not be determined ahead of time. It is easy to see that in the case a puzzle accepts an “input-delayed” $\varSigma $ proof of knowledge of the puzzle solution (e.g., a puzzle based on discrete-logarithms), a third possible construction method for PoWorK’s is facilitated. We stress however that these alternative methods for constructing PoWorK’s do not combine well with puzzles based on hash functions and thus may be of only theoretical interest in the context of our primitive.

2 Definitions

We start by setting the notation to be used in the rest of the paper. By $\lambda $ we denote the security parameter and by $\mathsf {negl}(\cdot )$ the property that a function is negligible in some parameter. Let $z\overset{\$}{\leftarrow }\mathcal {Z}$ denote the uniformly at random selection of z from space $\mathcal {Z}$ and $\varDelta [\mathbf {X},\mathbf {Y}]$ the statistical distance of random variables (or distributions) $\mathbf {X},\mathbf {Y}$. Composition of functions is denoted by $\circ $.

Let $\langle \mathcal {P}(y)\leftrightarrow \mathcal {V}\rangle (x,z)$ denote the interaction between a prover $\mathcal {P}$ and a verifier $\mathcal {V}$ on common input x, auxiliary input z, and $\mathcal {P}$’s private input y. For an algorithm $\mathcal {B}$ that is part of an interactive protocol let $view_\mathcal {B}$ and $output_\mathcal {B}$ denote the views and the output of $\mathcal {B}$ respectively. Let $\mathsf {Steps}_\mathcal {B}(x)$ be the number of steps (i.e. machine/operation cycles) executed by algorithm $\mathcal {B}$ on input x, and $\mathsf {Steps}_\mathcal {P}(\langle \mathcal {P}(y)\leftrightarrow \mathcal {V}\rangle (x,z))$ be the number of steps of $\mathcal {P}$, when interacting on inputs x, y, z ^{Footnote 4}. If $R_\mathcal {L}$ is a witness relation for the language $\mathcal {L}\in $ $\mathcal {NP}$ (i.e. $R_\mathcal {L}$ polynomial-time-decidable and $(x,w) \in R_L$ implies that $|w| \le \text {poly}(|x|)$), we define the set of witnesses for the membership $x \in L$ as $R_L(x) = \left\{ w: (x,w) \in R_L\right\} $.

2.1 Cryptographic Puzzles

Roughly speaking, a cryptographic puzzle should be easy to generate, hard to solve, and easy to verify. Given a specific security parameter $\lambda $, we denote the puzzle space as $\mathcal {PS}_\lambda $, the solution space as $\mathcal {SS}_\lambda $, and the hardness space as $\mathcal {HS}_\lambda $. We first define puzzles with a minimum set of properties, and then add extra properties that are useful in our constructions.

Definition 1

A puzzle system $\mathsf {PuzSys}=(\mathsf {Sample},\mathsf {Solve},\mathsf {Verify})$ consists of the following four algorithms:

$\mathsf {Sample}(1^\lambda ,h)$ is a probabilistic puzzle instance sampling algorithm. On input the security parameter $1^\lambda $ and a hardness factor $h \in \mathcal {HS}_\lambda $, it outputs a puzzle instance $\mathsf {puz}\in \mathcal {PS}_\lambda $.
$\mathsf {Solve}(1^\lambda ,h, \mathsf {puz})$ is a probabilistic puzzle solving algorithm. On input the security parameter $1^\lambda $, a hardness factor $h \in \mathcal {HS}_\lambda $ and a puzzle instance $\mathsf {puz}\in \mathcal {PS}_\lambda $, it outputs a potential solution $\mathsf {soln}\in \mathcal {SS}_\lambda $.
$\mathsf {Verify}(1^\lambda ,h,\mathsf {puz},\mathsf {soln})$ is a deterministic puzzle verification algorithm. On input the security parameter $1^\lambda $, a hardness factor $h \in \mathcal {HS}_\lambda $, a puzzle instance $\mathsf {puz}\in \mathcal {PS}_\lambda $ and a potential solution $\mathsf {soln}\in \mathcal {SS}_\lambda $ it outputs $\mathsf {true}$ or $\mathsf {false}$.

Subsequently, we define the following properties for a puzzle system.

Completeness: We say that a puzzle system $\mathsf {PuzSys}$ is complete, if for every $ h\in \mathcal {HS}_\lambda $:

$$ \Pr \left[ \begin{array} {l} \mathsf {puz}\leftarrow \mathsf {Sample}(1^\lambda ,h); \mathsf {soln}\leftarrow \mathsf {Solve}(1^\lambda ,h,\mathsf {puz}):\\ \mathsf {Verify}(1^\lambda ,h,\mathsf {puz},\mathsf {soln})=\mathsf {false}\\ \end{array} \right] =\mathsf {negl}(\lambda ). $$

Note that the number of steps that $\mathsf {Solve}$ takes to run is monotonically decreasing in the hardness factor h and may exponentially depend on $\lambda $, while $\mathsf {Verify}$ should run in polynomial time in $\lambda $.

g-Hardness: We say that a puzzle system $\mathsf {PuzSys}$ is g-hard for some function g, if for every adversary $\mathcal {A}$, for every auxiliary tape $z\in \left\{ 0,1\right\} ^{*}$ and for every $ h\in \mathcal {HS}_\lambda $:

$$ \Pr \left[ \begin{array} {l} \mathsf {puz}\leftarrow \mathsf {Sample}(1^\lambda ,h); \mathsf {soln}\leftarrow \mathcal {A}(z,1^\lambda ,h,\mathsf {puz}): \\ \mathsf {Verify}(1^\lambda ,h,\mathsf {puz},\mathsf {soln})=\mathsf {true}\wedge \\ \wedge \mathsf {Steps}_\mathcal {A}(z,1^\lambda ,h,\mathsf {puz})\le g(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz}))\\ \end{array} \right] =\mathsf {negl}(\lambda ). $$

Dense Samplable Puzzles. In addition to the standard puzzle definition, for our PoWorK construction in Sect. 3 we need puzzles that can be sampled by just generating random strings (i.e. the puzzle instances should be “dense” over $\left\{ 0,1\right\} ^{\ell (\lambda ,h)}$ for some function $\ell $ and $\lambda ,h\in \mathbb {Z}^+$). Formally it holds that for some function $\ell $ in $\lambda $ and h,

$$\begin{aligned} \varDelta [\mathsf {Sample}(1^\lambda , h), \mathbf {U}_{\ell (\lambda ,h)} ] = \mathsf {negl}(\lambda ), \end{aligned}$$

where $\mathbf {U}_{\ell (\lambda ,h)}$ stands for the uniform distribution over $\{0,1\}^{\ell (\lambda ,h)}$. For such puzzles we will require some additional properties. First there should be a puzzle sampler that outputs a valid solution together with $\mathsf {puz}$:

$\mathsf {SampleSol}(1^\lambda ,h)$ is a probabilistic solved puzzle instance sampling algorithm. On input the security parameter $1^\lambda $ and a hardness factor $h \in \mathcal {HS}_\lambda $, it outputs a puzzle instance and solution pair $(\mathsf {puz},\mathsf {soln})\in \mathcal {PS}_\lambda \times \mathcal {SS}_\lambda $.

Correctness of Sampling: We say that a puzzle system $\mathsf {PuzSys}$ is correct with respect to sampling, if for every $ h\in \mathcal {HS}_\lambda $, we have that:

$$ \Pr \left[ \begin{array} {l} (\mathsf {puz},\mathsf {soln}) \leftarrow \mathsf {SampleSol}(1^\lambda ,h): \mathsf {Verify}(1^\lambda ,h,\mathsf {puz},\mathsf {soln})=\mathsf {false}\\ \end{array} \right] = \mathsf {negl}(\lambda ). $$

Efficiency of Sampling: We say $\mathsf {SampleSol}$ is efficient with respect to the puzzle g-hardness, if for every $\lambda \in \mathbb {Z}^+$, $h\in \mathcal {HS}_\lambda $ and $\mathsf {puz}\in \mathcal {PS}_\lambda $, we have that:

$$\mathsf {Steps}_\mathsf {SampleSol}(1^\lambda ,h) < g(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz})).$$

Statistical Indistinguishability: We define the following two probability distributions

$$\mathbf {D}_{s,\lambda ,h} \overset{def}{=}\left\{ (\mathsf {puz},\mathsf {soln}) \leftarrow \mathsf {SampleSol}(1^\lambda ,h)\right\} \quad \text {and}$$

$$\mathbf {D}_{p,\lambda ,h} \overset{def}{=}\left\{ \mathsf {puz}\leftarrow \mathsf {Sample}(1^\lambda ,h),\mathsf {soln}\leftarrow \mathsf {Solve}(1^\lambda ,h,\mathsf {puz}):(\mathsf {puz},\mathsf {soln})\right\} .$$

We say a $\mathsf {PuzSys}$ is statistically indistinguishable, if for every $\lambda \in \mathbb {Z}^+$ and $h\in \mathcal {HS}_\lambda $:

$$\varDelta [\mathbf {D}_{s,\lambda ,h},\mathbf {D}_{p,\lambda ,h}]=\mathsf {negl}(\lambda ).$$

$(\tau ,k)$ -Amortization Resistance. For certain applications it is important that the puzzle is not amenable to amortization. We say that a g-hard puzzle system, $\mathsf {PuzSys}$, is $(\tau ,k)$ -amortization resistant if for every adversary $\mathcal {A}$, for every auxiliary tape $z\in \left\{ 0,1\right\} ^{*}$ and for every $ h\in \mathcal {HS}_\lambda $:

$$\begin{aligned} \Pr \left[ \begin{array} {l} \forall 1 \le i \le k:\mathsf {puz}_i \leftarrow \mathsf {Sample}(1^\lambda ,h); \\ \{\mathsf {soln}_1,\ldots ,\mathsf {soln}_k\}\leftarrow \mathcal {A}(z,1^\lambda ,h,\{\mathsf {puz}_1,\dots ,\mathsf {puz}_k\}): \\ \big ( \forall 1 \le i \le k:\quad \mathsf {Verify}(1^\lambda ,h,\mathsf {puz}_i,\mathsf {soln}_i)=\mathsf {true}\quad \big )\wedge \\ \wedge \Big ( \mathsf {Steps}_\mathcal {A}(z,1^\lambda ,h,\{\mathsf {puz}_1\}_{i=1}^k) \le \tau \big (\sum \nolimits _{i=1}^kg(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz}_i)) \big )\Big )\\ \end{array} \right] =\mathsf {negl}(\lambda ). \end{aligned}$$

Informally, $(\tau ,k)$-amortization resistance implies a lower bound on the hardness preservation against adversaries that attempt to benefit from solving vectors of puzzles of length k.

2.2 Definition of PoWorK

In a PoWorK, the prover $\mathcal {P}$ may interact with the verifier $\mathcal {V}$ by running in either of the two following modes: (a) the Proof of Knowledge (PoK) mode, where $\mathcal {P}$ convinces $\mathcal {V}$ that she knows a witness for some statement x, or (b) the Proof of WorK (PoW) mode, where $\mathcal {P}$ makes calls to the puzzle solving algorithm to solve a certain puzzle. For some language in $\mathcal {NP}$ and a fixed puzzle system $\mathsf {PuzSys}$, we define PoWorK to satisfy: (i) completeness, (ii) f-soundness (for some “computation-scaling” function f) and (iii) indistinguishability, as follows:

Definition 2

(PoWorK). Let $\mathcal {L}$ be a language in $\mathcal {NP}$ and $R_\mathcal {L}$ be a witness relation for $\mathcal {L}$. Let $\mathsf {PuzSys}=(\mathsf {Sample},\mathsf {Solve},\mathsf {Verify})$ be a puzzle system anf f be a function. We say that $(\mathcal {P},\mathcal {V})$ is an f-sound Proof of Work or Knowledge (PoWorK) for $\mathcal {L}$ and $\mathsf {PuzSys}$, if the following properties are satisfied:

(i).
Completeness: for every $x\in \mathcal {L}\cap \left\{ 0,1\right\} ^{\mathrm {poly}(\lambda )},w\in R_\mathcal {L}(x),z\in \left\{ 0,1\right\} ^*$ and every hardness factor $h\in \mathcal {HS}_\lambda $, it holds that
1. (i.a)
  $ \Pr [out_\mathcal {V}\leftarrow \langle \mathcal {P}(w)\leftrightarrow \mathcal {V}\rangle (x,z,h):out_\mathcal {V}=\mathrm {accept}] > 1-1/\mathrm {poly}(\lambda )$ and
2. (i.b)
  $\Pr [out_\mathcal {V}\leftarrow \langle \mathcal {P}^{\mathsf {Solve}(1^\lambda ,h,\cdot )}\leftrightarrow \mathcal {V}\rangle (x,z,h):out_\mathcal {V}=\mathrm {accept}] > 1-1/\mathrm {poly}(\lambda )$.
(ii).
f -Soundness: For every $x\in \{0,1\}^{\mathrm {poly}(\lambda )}, y,z\in \left\{ 0,1\right\} ^*$, every hardness factor $h\in \mathcal {HS}_\lambda $ and prover $\mathcal {P}^*$ define by $\pi _{x,y,z,h,\lambda }$ the probability
$$ \Pr \left[ \begin{array}{l} \mathsf {puz}\leftarrow \mathsf {Sample}(1^\lambda ,h);out_\mathcal {V}\leftarrow \langle \mathcal {P}^*(y)\leftrightarrow \mathcal {V}\rangle (x,z,h): (out_\mathcal {V}=\mathrm {accept}\big ) \\ \wedge \mathsf {Steps}_{\mathcal {P}^*}(\langle \mathcal {P}^*(y)\leftrightarrow \mathcal {V}\rangle (x,z,h))\le f(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz})) \end{array} \right] . $$
f-Soundness holds if there are non-negligible functions s, q such that for any $ \mathcal {P}^*$, there exists a PPT witness-extraction algorithm $\mathcal {K}$ such that for any $\lambda \in \mathbb {N}, x\in \{0,1\}^{\mathrm {poly}(\lambda )},y,z\in \{0,1\}^*, h\in \mathcal {HS}_\lambda $, if $\pi _{x,y,z,h,\lambda } \ge s(\lambda )$ (representing the knowledge error), then
$$\begin{aligned} \Pr [\mathcal {K}^{\mathcal {P}^*}(x,y,z,h)\in R_\mathcal {L}(x)] \ge q(\lambda )\;. \end{aligned}$$
(iii)
Statistical (resp. Computational) Indistinguishability: for every $x\in \mathcal {L}\cap \{0,1\}^{\mathrm {poly}(\lambda )}$, $w\in R_\mathcal {L}(x),$ $z\in \left\{ 0,1\right\} ^*$, for every hardness factor $h\in \mathcal {HS}_\lambda $ and for every verifier (resp. PPT verifier) $\mathcal {V}^*$, the following two random variables are statistically (resp. computationally) indistinguishable:

Intuitively, soundness is related to the hardness of solving a presumably hard cryptographic puzzle. The hardness threshold T is set to be the (probabilistic) computational complexity (in number of steps) of the puzzle solver, when the latter is provided some output of the puzzle sampling algorithm, scaled to some function f. According to Definition 2, any prover who does not know a witness, cannot convince the verifier in less than f(T) steps with some good probability. Observe that in the definition of f-soundness, the convincing capability of the prover is limited by the hardness of solving puzzle challenges. This implies that in an f-sound protocol, provers who do not know (per the knowledge extractor) are forced to “work” in order to convince the verifier. The indistinguishability property of PoWorKs implies that a (potentially malicious) verifier cannot distinguish the running mode (PoK or PoW) that $\mathcal {P}$ follows.

3 The Dense Puzzle Based PoWorK Construction

In this section, we show how to transform an arbitrary 3-move, public coin, special sound, honest verifier zero-knowledge (SS-HVZK) into a 3-move public-coin PoWorK. Our construction is lightweight and requires dense samplable puzzle systems that we formalized in Sect. 2.1. In our full version [BKZZ15] we provide a second construction which is less efficient, non-black-box on the puzzle, but it works for all puzzle systems and may not be public-coin (depending on the puzzle). For both constructions, we consider a puzzle system $\mathsf {PuzSys}$ that achieves completeness and g-hardness for some function $g:\mathbb {N}\longrightarrow \mathbb {R}^+$. In addition, for dense samplable puzzle systems, we require correctness, efficient samplability, and statistical indistinguishability.

3.1 Preliminaries

The puzzle, solution and hardness spaces are denoted by $\mathcal {PS}_\lambda ,\mathcal {SS}_\lambda ,\mathcal {HS}_\lambda $, as in Sect. 2.1. Our PoWorK protocols are interactive proofs between a prover $\mathcal {P}$ and a verifier $\mathcal {V}$, denoted by $(\mathcal {P},\mathcal {V})$.

The challenge space of our dense puzzle based construction $(\mathcal {P},\mathcal {V})$, denoted by $\mathcal {CS}_\lambda $, is determined by the security parameter $\lambda $. From an algebraic point of view, $\mathcal {CS}_\lambda $ is set to be a group with operation $\oplus $, where performing $\oplus $ and inverting an element should be efficient. For the first construction, we require that $\mathcal {PS}_\lambda \subseteq \mathcal {CS}_\lambda $. For instance, we may set $\mathcal {CS}_\lambda $ as the group $\big (\mathbb {GF}(2^{\ell (\lambda )},\oplus \big )$, where $\ell (\lambda )$ is the length of the challenges and $\oplus $ is the bitwise XOR operation. Of course, one may select a different setting which could be tailor made to the algebraic properties of the underlying primitives.

Let $\mathsf {ChSampler}$ be the algorithm that samples a challenge from $\mathcal {CS}_\lambda $. For a fixed security parameter, we define the following random variables (r.v.):

The challenge sampling r.v. $\mathbf {C}_{\lambda ,h}\overset{def}{=}\mathsf {ChSampler}(1^\lambda ,h)$.
The puzzle sampling r.v. $\mathbf {P}_{\lambda ,h}\overset{def}{=}\{\mathsf {puz}\leftarrow \mathsf {Sample}(1^\lambda ,h):\mathsf {puz}\}$.

Finally, we denote by $x\oplus \mathbf {D}$ (resp. $\mathbf {D}^{\mathsf {Inv}}) $ the r.v. of performing $\oplus $ on some fixed $x\in \mathcal {CS}_\lambda $ and an element y sampled from r.v. $\mathbf {D}$ (resp. inverting an element sampled from $\mathbf {D}$). The r.v. $\mathbf {D}\oplus x$ is defined similarly. Formally,

$$\begin{array}{c} x\oplus \mathbf {D}\overset{def}{=}\{y\leftarrow \mathbf {D}:x\oplus y\},\mathbf {D}\oplus x\overset{def}{=}\{y\leftarrow \mathbf {D}:y\oplus x\}, \mathbf {D}^{\mathsf {Inv}}\overset{def}{=}\{y\leftarrow \mathbf {D}:-y\}. \end{array}$$

3.2 The Dense Puzzle Based Compiler

We now provide a detailed description of our protocol $(\mathcal {P},\mathcal {V})$, which can be viewed as a compiler that can transform a SS-HVZK protocol $\varPi =(\mathsf {P1}_\varPi ,\mathsf {P2}_\varPi ,\mathsf {Ver}_\varPi )$ for $\mathcal {L}\in \mathcal {NP}$ and a g-hard puzzle system $\mathsf {PuzSys}$ into a 3-move PoWorK. The resulting PoWorK protocol achieves $\varTheta (g)$-hardness and statistical indistiguishability. From a syntax point of view, our compiler will set the challenge space of the PoWorK $\mathcal {CS}_\lambda $ to be equal to $\mathcal {CS}_\varPi $. We denote by $\mathsf {Sim}_{\varPi }$ the HVZK simulator of $\varPi $.

The protocol $(\mathcal {P},\mathcal {V})$ can be executed in either of the two following modes:

1.
Proof of Knowledge (PoK) mode: $\mathcal {P}$ has a witness $w\in \mathcal {R}_\mathcal {L}(x)$ as private input. In order to prove knowledge of w to $\mathcal {V}$, $\mathcal {P}$ runs $\mathsf {P1}_\varPi $ and $\mathsf {P2}_\varPi $ as described by the original SS-HVZK protocol, with the difference that instead of providing $\mathsf {P2}_\varPi $ with the challenge c from $\mathcal {V}$ directly, $\mathcal {P}$ runs the puzzle sampler algorithm to receive a pair of a puzzle and its solution, $(\mathsf {puz},\mathsf {soln})$, computes the value $\tilde{c}=c\oplus \mathsf {puz}$ and runs $\mathsf {P2}_\varPi $ with challenge $\tilde{c}$.
2.
Proof of Work (PoW) mode: $\mathcal {P}$ has no private input and tries to convince $\mathcal {V}$ that it has performed a minimum amount of computational “work” (i.e. at least some expected number of steps). To achieve this, $\mathcal {P}$ runs $ \mathsf {Sim}_{\varPi }$ to simulate a transcript of the original SS-HVZK protocol. Then, it receives the challenge c from $\mathcal {V}$ and computes the value $\mathsf {puz}=(-c)\oplus \tilde{c}$. It runs the $\mathsf {Solve}$ algorithm on input $\mathsf {puz}$, and if $\mathsf {puz}$ is a puzzle in $\mathcal {PS}_\lambda $ (which, as we argue later, must occur with high probability), then it obtains a solution $\mathsf {soln}$ of $\mathsf {puz}$, except for some negligible error.

The verification mechanism, must be the same for both modes, so that indistinguishability can be achieved. Namely, the verifier checks that: (i) the relation $\tilde{c}=c\oplus \mathsf {puz}$ holds, (ii) the transcript of the SS-HVZK protocol is accepting and (iii) the prover has output a correct pair of a puzzle $\mathsf {puz}$ and some solution $\mathsf {soln}$ of $\mathsf {puz}$. The protocol $(\mathcal {P},\mathcal {V})$ is presented in detail in Fig. 1.

3.3 Security of the Dense Puzzle Based Construction

In order to prove that our protocol satisfies soundness and indistinguishability, we need to assume that the challenge and puzzle distributions satisfy some plausible properties and that the presumed g-hardness of the puzzle system dominates the step complexity of the group operation and challenge sampling algorithms. In detail, we require that:

(A).:: The challenge and puzzle sampling distributions are statistically close.
(B).:: The challenge sampling distribution is (statistically) invariant to any group operation, i.e. (a) inverting a challenge sampled from $\mathcal {CS}_\lambda $ and (b) performing $\oplus $ operations on some element x in $\mathcal {CS}_\lambda =\mathcal {CS}_\varPi $ and a sampled challenge. Observe that these two assumptions imply that the puzzle sampling distribution is also (statistically) $\oplus $-invariant.
(C).:: With high probability, the number of steps needed for $\mathsf {Steps}_{\mathsf {Solve}}(1^\lambda ,h,\mathsf {puz})$ to solve a g-hard puzzle $\mathsf {puz}$ according to $\mathbf {P}_{\lambda ,h}$, scaled to the puzzle hardness function g, is more than the number of steps of performing group operations (inversion and $\oplus $ operation), or sampling from $\mathcal {CS}_\lambda $.

The assumptions described are stated formally in Fig. 2. Assumptions (A) and (B) can be met for meaningful distributions, widely used in cryptographic protocols. For example, when $\mathbf {C}_{\lambda ,h}$ and $\mathbf {P}_{\lambda ,h}$ are close to uniform, it is straightforward that assumption (A) holds. Moreover, since the uniform distribution is invariant under group operations, we have that assumption (B) also holds. The assumption (C) is expected to hold for any meaningful cryptographic puzzle construction. Indeed, if solving a puzzle is believed to be hard (on average) within a bounded amount of steps T, then performing efficient tasks, such as group operations or sampling a challenge in the space where this puzzle belongs must be feasible in a number of steps much less than T.

We prove that our dense puzzle based construction is a PoWorK, assuming (A), (B) and (C), the g-hardness of $\mathsf {PuzSys}$ and the soundness and ZK properties of the original SS-HVZK protocol. The soundness of our protocol is in constant relation with the hardness of $\mathsf {PuzSys}$.

Theorem 1

Let $\mathcal {L}$ be a language in $\mathcal {NP}$ and let $\varPi = (\mathsf {P1}_\varPi ,\mathsf {P2}_\varPi ,\mathsf {Ver}_{\varPi })$ be a special-sound 3-move statistical HVZK protocol for $\mathcal {L}$, where the challenge sampling distribution is uniform. Let $\mathsf {PuzSys}=(\mathsf {Sample}, \mathsf {SampleSol},\mathsf {Solve},\mathsf {Verify})$ be a dense samplable puzzle system that satisfies g-hardness for some function g. Define $(\mathcal {P},\mathcal {V})$ as the protocol described in Fig. 1 when built upon $\varPi ,\mathsf {PuzSys}$ and assume that (A), (B), (C) in Fig. 2 hold. Then, $(\mathcal {P},\mathcal {V})$ is a $\big ((1-\kappa )/2\big )\cdot g$ -sound PoWorK for $\mathcal {L}$ and $\mathsf {PuzSys}$ with statistical indistiguishability, where $\kappa $ is the constant defined in assumption (C).

Proof

Completeness: By the completeness of $\varPi $ and the correctness of $\mathsf {PuzSys}$, the dense puzzle based PoWorK construction is complete in the case that $\mathcal {P}$ executes the PoK mode of the protocol. Regarding the PoW mode, an honest execution of $\mathsf {PuzSys}$ is incorrect, only if either of the two following cases is true:

(i).
$\mathsf {puz}=(-c)\oplus \tilde{c}\in \mathcal {CS}_{\lambda }\setminus \mathcal {PS}_\lambda $, i.e. $\mathsf {puz}$ is not a puzzle. By assumptions (A), (B) in Fig. 2, this happens with negligible probability, since
where we applied (B) two times (one for inversion and one for $\oplus $ operation).
(ii).
$\mathsf {puz}$ is a puzzle, but the puzzle solver algorithm $\mathsf {Solve}$ does not output a solution for $\mathsf {puz}$. Namely, we have that $\mathsf {Verify}(1^\lambda ,h,\mathsf {puz},\mathsf {soln})=\mathsf {false}$. By the completeness property of $\mathsf {PuzSys}$, this also happens with negligible probability.

Therefore, $(\mathcal {P},\mathcal {V})$ achieves completeness with high probability, as required in Definition 2.

$\big ((1-\kappa )/2\big )\cdot g$-Soundness. First, we make use of the special soundness PPT extractor $\mathsf {K}_\varPi $ of $\varPi $ to construct a knowledge extractor $\mathcal {K}$ that on input (x, y, z, h) and given the code of an arbitrary prover $\hat{\mathcal {P}}$, executes the following steps:

1.
By applying standard rewinding, $\mathcal {K}$ interacts with $\hat{\mathcal {P}}(y)$ for statement x and auxiliary input z, using two challenges $c_1,c_2$ sampled from $\mathbf {C}_{\lambda ,h}$ and receives two protocol transcripts $\langle \tilde{a}_1,c_1,(\tilde{c}_1,\tilde{r}_1,\mathsf {puz}_1,\mathsf {soln}_1)\rangle $ and $\langle \tilde{a}_1,c_2,(\tilde{c}_2,\tilde{r}_2,\mathsf {puz}_2,\mathsf {soln}_2)\rangle $.
2.
$\mathcal {K}$ runs $\mathcal {K}_\varPi $ on input $(x,\langle \tilde{a}_1,\tilde{c}_1,\tilde{r}_1\rangle $, $\langle \tilde{a}_1,\tilde{c}_2,\tilde{r}_2\rangle )$.
3.
$\mathcal {K}$ returns the output of $\mathcal {K}_\varPi $.

Since $\mathsf {K}_\varPi $ is a PPT algorithm, $\mathcal {K}$ also runs in polynomial time.

Assume that for some $x\in \{0,1\}^{\mathrm {poly}(\lambda )}$, $y\in \{0,1\}^{*}, z\in \left\{ 0,1\right\} ^*$, $h\in \mathcal {HS}_\lambda $, there exists a prover $\mathcal {P}^*$ and a non-negligible function $s(\cdot )$ s.t

$$\begin{aligned} {\begin{aligned}&\Pr [\mathsf {puz}\leftarrow \mathsf {Sample}(1^\lambda ,h);out_\mathcal {V}\leftarrow \langle \mathcal {P}^*(y)\leftrightarrow \mathcal {V}\rangle (x,z,h): (out_\mathcal {V}=\mathrm {accept})\wedge \\ {}&\wedge \mathsf {Steps}_{\mathcal {P}^*}(\langle \mathcal {P}^*(y)\leftrightarrow \mathcal {V}\rangle (x,z,h))\le \big ((1-\kappa )/2\big )\cdot g(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz}))]\ge s(\lambda ). \end{aligned}} \end{aligned}$$

We construct an algorithm $\mathcal {W}$ that makes use of $\mathcal {P}^*$ to break the g-hardness of $\mathsf {PuzSys}$. The input that $\mathcal {W}$ receives is $\langle (x,y,z),1^\lambda ,h,\mathsf {puz}\rangle $, where (x, y, z) is the auxiliary input and $\mathsf {puz}$ sampled from $\mathsf {Sample}(1^\lambda ,h)$. Then, $\mathcal {W}$ executes the following steps:

1.
It samples $c_1$ by running $\mathsf {ChSampler}(1^\lambda ,h)$.
2.
It interacts with $\mathcal {P}^*(y)$ for statement x, auxiliary input z, hardness factor h and challenge $c_1$. It receives the transcript $\langle \tilde{a}_1,c_1,(\tilde{c}_1,\tilde{r}_1,\mathsf {puz}_1,\mathsf {soln}_1)\rangle $.
3.
It computes the inverse of $\mathsf {puz}$, denoted by $(-\mathsf {puz})$.
4.
It computes $c_2=\tilde{c}_1\oplus (-\mathsf {puz})$.
5.
It rewinds $\mathcal {P}^*$ at the challenge phase and provides $\mathcal {P}^*$ with challenge $c_2$. It receives a second transcript $\langle \tilde{a}_1,c_2,(\tilde{c}_2,\tilde{r}_2,\mathsf {puz}_2,\mathsf {soln}_2)\rangle $.
6.
It returns the value $\mathsf {soln}_2$.

By the assumption for $\mathcal {P^*}$ and the splitting Lemma, we have that when $\mathcal {P}^*$ is challenged with two honestly selected $c_1,c_2$, it outputs two accepting transcripts by running in no more than $\big ((1-\kappa )/2\big )\cdot g(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz}))$ steps with at least $(s(\lambda )/2)^2$ probability. By $\mathrm {Equal}$ we denote the event that this happens and $\tilde{c}_1=\tilde{c}_2$ holds. Obviously, either $\mathrm {Equal}$, or $\lnot \mathrm {Equal}$ will occur with probability at least $(s(\lambda )/2)^2/2=s(\lambda )^2/8$.

Assume that $\mathrm {Equal}$ happens with at least $s(\lambda )^2/8$ probability. We will show that this case leads to a contradiction; namely, $\mathcal {W}$ will output a solution of $\mathsf {puz}$ while running in no more than $g(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz}))$ steps, hence breaking the g-hardness of $\mathsf {PuzSys}$.

We observe that for any $\mathsf {puz}$, if both transcripts generated by the interaction with $\mathcal {P}^*$ are accepting and the values $\tilde{c}_1,\tilde{c}_2$ are equal, then we have that

$$\big (c_2=\tilde{c}_1\oplus (-\mathsf {puz})\big )\wedge (\tilde{c}_2=c_2\oplus \mathsf {puz}_2)\wedge (\tilde{c}_1=\tilde{c}_2)\Rightarrow \mathsf {puz}_2=\big (-(-\mathsf {puz})\big )=\mathsf {puz},$$

where the second equality holds due to verification step 1. Therefore, it holds that

$$\begin{aligned} \mathsf {Verify}(1^\lambda ,h, \mathsf {puz}_2,\mathsf {soln}_2) =\mathsf {true}\Leftrightarrow \mathsf {Verify}(1^\lambda ,h,\mathsf {puz},\mathsf {soln}_2) =\mathsf {true}. \end{aligned}$$

(1)

By the assumptions (A), (B) in Fig. 2, we have that there are negligible functions $\epsilon _1(\lambda ),\epsilon _2(\lambda )$ s.t. for any $\tilde{c}_1$ that $\mathcal {P}^*$ returns,

$$\begin{aligned} \begin{array}{c} \varDelta [\tilde{c}_1\oplus \mathbf {C}^{\mathsf {Inv}}_{\lambda ,h},\tilde{c}_1\oplus \mathbf {P}^{\mathsf {Inv}}_{\lambda ,h}]<2\epsilon _1(\lambda )\quad \text{ and } \quad \varDelta [\mathbf {C}_{\lambda ,h},\tilde{c}_1\oplus \mathbf {C}^{\mathsf {Inv}}_{\lambda ,h}]<2\epsilon _2(\lambda ), \end{array} \end{aligned}$$

where in the first and second inequality, we applied assumptions (A) and (B) respectively two times (one for inversion and one for $\oplus $ operation). Therefore, by the triangular inequality we have that

$$\begin{aligned} \varDelta [\mathbf {C}_{\lambda ,h},\tilde{c}_1\oplus \mathbf {P}^{\mathsf {Inv}}_{\lambda ,h}]<2\epsilon _1(\lambda )+2\epsilon _2(\lambda ). \end{aligned}$$

(2)

Eq. (2) implies that the probability distribution of $c_2=\tilde{c}_1\oplus (-\mathsf {puz})$ that $\mathcal {W}$ computes is $[2\epsilon _1(\cdot )+2\epsilon _2(\cdot )]$-statistically close to the challenge sampling distribution of $\mathcal {V}$.

By construction, the running time of $\mathcal {W}$ (in number of steps) is at most

$$ \begin{array}{ll} 2\cdot \mathsf {Steps}_{\mathcal {P}^*} &{} (\langle \mathcal {P^*}(y)\leftrightarrow \mathcal {V}\rangle (x,z,h))+\mathsf {Steps}\big (((-\mathsf {puz})))+\\ &{} + \mathsf {Steps}(\tilde{c}_1\oplus (-\mathsf {puz})) + \mathsf {Steps}_\mathsf {ChSampler}(1^\lambda ,h). \end{array} $$

By assumption (C) in Fig. 2, there is a negligible function $\epsilon _3(\cdot )$ and a constant $\kappa <1$ s.t.

(3)

When $\mathrm {Equal}$ occurs, then it holds that

$$\mathsf {Steps}_{\mathcal {P}^*}(\langle \mathcal {P^*}(y)\leftrightarrow \mathcal {V}\rangle (x,z,h))\le \big ((1-\kappa )/2\big )\cdot g(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz})),$$

hence by the assumption for $\mathcal {P}^*$ and Eqs. (2) and (3), the probability that the running time of $\mathcal {W}$ is bounded by

is at least $\Pr [\mathrm {Equal}]-\big (2\epsilon _1(\lambda )+2\epsilon _2(\lambda )+\epsilon _3(\lambda )\big )$. By Eqs. (1), (2) and (3), and the assumption $\Pr [\mathrm {Equal}]\ge s(\lambda )^2/8$, we have that for auxiliary tape (x, y, z) and hardness factor h:

$$ \Pr \left[ \begin{array} {l} \mathsf {puz}\leftarrow \mathsf {Sample}(1^\lambda ,h);\\ \mathsf {soln}_*\leftarrow \mathcal {W}(1^\lambda ,(x,y,z),h,\mathsf {puz}): \\ \mathsf {Verify}(1^\lambda ,h,\mathsf {puz},\mathsf {soln}_*)=\mathsf {true}\quad \wedge \\ \wedge \mathsf {Steps}_\mathcal {W}(1^\lambda ,(x,y,z),h,\mathsf {puz}) \\ \le g(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz}))\\ \end{array} \right] \ge s(\lambda )^2/8-\big (2\epsilon _1(\lambda )+2\epsilon _2(\lambda )+\epsilon _3(\lambda )\big ), $$

which contradicts to the g-hardness of $\mathsf {PuzSys}$, as $s(\lambda )^2/8-\big (2\epsilon _1(\lambda )+2\epsilon _2(\lambda )+\epsilon _3(\lambda )\big )$ is a non-negligible function. Therefore, it holds that $\Pr [\mathrm {Equal}]\le s(\lambda )^2/8$ which implies

$$\begin{aligned} \Pr [\lnot \mathrm {Equal}]\ge s(\lambda )^2/8. \end{aligned}$$

(4)

By the construction of $\mathcal {K}$ and the special soundness property of $\varPi $, we have that $\mathcal {K}$ will return a witness for x whenever $\mathcal {K}_\varPi $ is provided with different $\tilde{c}_1,\tilde{c}_2$. Define $q(\lambda )=s(\lambda )^2/8$. By Eq. (4), when $\mathcal {K}$ is given oracle access to $\mathcal {P}^*$ it holds that

$$\begin{aligned} \Pr [\mathcal {K}^{\mathcal {P}^*}(x,y,z,h)\in R_\mathcal {L}(x)]=\Pr [\lnot \mathrm {Equal}]\ge q(\lambda ). \end{aligned}$$

Thus, we conclude that our protocol is $\big ((1-\kappa )/2\big )\cdot g$-sound.

Statistical Indistinguishability. Assume that the protocol described in Fig. 1 does not satisfy the PoWorK indistinguishability property in Definition 2. Then, for some (x, z, h) there exists a verifier $\mathcal {V}^*$ that w.l.o.g. outputs a single bit and can distinguish between:

$$\begin{aligned} \mathbf {D}_{ PoK }^{\mathcal {V}^*}= & {} \left\{ view_{\mathcal {V}^*}\leftarrow \langle \mathcal {P}(w)\leftrightarrow \mathcal {V}^*\rangle (x,z,h)\right\} \quad \text{ and }\\ \mathbf {D}_{ PoW }^{\mathcal {V}^*}= & {} \left\{ view_{\mathcal {V}^*}\leftarrow \langle \mathcal {P}^{\mathsf {Solve}(1^\lambda ,h,\cdot )}\leftrightarrow \mathcal {V}^*\rangle (x,z,h)\right\} . \end{aligned}$$

with non-negligible advantage $\eta (\lambda )$.

In the following, we will show that if such a $\mathcal {V}^*$ exists, then we can construct an adversary $\mathcal {B}$ who breaks the statistical (auxiliary input) HVZK property of the underlying 3-move protocol $\varPi =(\mathsf {P1}_\varPi ,\mathsf {P2}_\varPi ,\mathsf {Ver}_\varPi )$. This means that $\mathcal {B}$ can distinguish between:

with some non-negligible advantage $\eta '(\lambda )$, where (z, h) is the auxiliary input. Namely, $\mathcal {B}$ takes as input $(x,(z,h),(\tilde{a},\tilde{c},\tilde{r}))$, and works as follows:

1.
Invokes $\mathcal {V}^*$ with input x, z, h and first move message $\tilde{a}$.
2.
$\mathcal {V}^*$ responds back with his challenge c.
3.
$\mathcal {B}$ computes $\mathsf {puz}= (-c) \oplus \tilde{c}$ and runs $\mathsf {Solve}$ on input $(1^\lambda ,h, \mathsf {puz})$ to receive back $\mathsf {soln}$.
4.
$\mathcal {B}$ sends $(\tilde{c},\tilde{r},\mathsf {puz},\mathsf {soln})$ to $\mathcal {V}^*$.
5.
$\mathcal {B}$ returns $\mathcal {V}^*$’s output $b^*$.

By construction of $\mathcal {B}$, what is left to argue is that $\mathsf {puz}= (-c) \oplus \tilde{c}$ and $\mathsf {soln}\leftarrow \mathsf {Solve}(1^\lambda ,h, \mathsf {puz})$ are indistinguishable from a pair $(\mathsf {puz}',\mathsf {soln}')$ that was picked by $\mathsf {SampleSol}(1^\lambda , h)$. We stusy the following two cases:

1.
$\underline{\mathcal {B}'s \,\, input \,\, is\,\, sampled \,\, according \,\, to \,\, \mathbf {D}_\varPi }$: By the assumption (B) in Fig. 2 and for any c returned by $\mathcal {V}^*$, we have that:
$$ \varDelta [\mathbf {C}_{\lambda ,h}, \mathbf {C}^{\mathsf {Inv}}_{\lambda ,h} \oplus \tilde{c} ] < 2 \epsilon _2(\lambda ),$$
where we applied (B) two times (one for inversion and one for $\oplus $ operation). By assumption (A), we have that
$$ \varDelta [\mathbf {C}_{\lambda ,h},\mathbf {P}_{\lambda ,h}] < \epsilon _1(\lambda ). $$
By the triangular inequality, we have that for the distribution of $\mathsf {puz}= (-c) \oplus \tilde{c}$, it holds that
$$\begin{aligned} \varDelta [\mathbf {P}_{\lambda ,h}, \mathbf {C}^{\mathsf {Inv}}_{\lambda ,h} \oplus \tilde{c}]<\epsilon _1(\lambda )+2\epsilon _2(\lambda ). \end{aligned}$$
By the statistical indistinguishability property of $\mathsf {PuzSys}$ (Definition 1), we have that the distribution $\{\mathsf {soln}\leftarrow \mathsf {Solve}(1^\lambda ,h,\mathsf {puz}):\mathsf {soln}\}$ is $\epsilon _4(\lambda )$-statistically close to the distribution $\{(\mathsf {soln}',\mathsf {puz}')\leftarrow \mathsf {SampleSol}(1^\lambda ,h):\mathsf {soln}'\}$, for some negligible function $\epsilon _4$. Consequently, the probability distribution of $\mathsf {puz}$ that $\mathcal {B}$ computes is $[\epsilon _1(\lambda ) + 2\epsilon _2(\lambda ) + \epsilon _4(\lambda )]$-statistically close to the puzzle sampling distribution.
2.
$\underline{\mathcal {B}'s \,\, input \,\, is\,\, sampled \,\, according \,\, to \,\, \mathbf {D}_\mathsf {Sim}}$: in this case, it is straightforward that $\mathcal {B}$ simulates perfectly the $ PoW $ mode of the PoWorK protocol.

By the above and given that the probability of success of $\mathcal {V}^*$ is at least $\eta (\lambda )$, we have that

Therefore, $\mathcal {B}$ is successful in breaking the statistical HVZK property of the underlying 3-move SS-HVZK protocol with non-negligible advantage $\eta '(\lambda )=\eta (\lambda ) - \big (\epsilon _1(\lambda ) + 2\epsilon _2(\lambda )+ \epsilon _4(\lambda )\big )$. This leads us to the conclusion that the protocol in Fig. 1 is a PoWorK with statistical indistinguishability. $\square $

Remark. Theorem 1 can be extended to encompass the case where the protocol $\varPi $ to be compiled in the construction described in Fig. 1 achieves $T(\lambda )$-computational HVZK, i.e. it is HVZK for every verifier $\mathcal {B}$ which runs in $T(\lambda )$ steps. Specifically, in the indistinguishability proof the running time of the HVZK adversary $\mathcal {B}$ is (in number of steps) bounded by:

$$ \begin{array}{ll} \mathsf {Steps}_{\mathcal {V}^*}(\langle (\mathsf {P1}_\varPi ,\mathsf {P2}_\varPi )(w), &{} \mathsf {Ver}_\varPi (\tilde{c})\rangle (x,z,h)) +\\ &{}+\mathsf {Steps}_\mathsf {Inv}(c)+\mathsf {Steps}_\oplus ((-c),\tilde{c})+ \mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz}). \end{array} $$

Therefore, we can prove that if $T(\lambda )$ is an asymptotically larger function than the time of the puzzle solving algorithm, then our dense puzzle based construction achieves computational indistinguishability.

3.4 Dense Puzzle Instantiation in the Random Oracle Model

We now instantiate a dense puzzle system in the random oracle model. For a given security parameter $\lambda $, let $\mathcal {O}:\left\{ 0,1\right\} ^{*}\mapsto \left\{ 0,1\right\} ^{m}$ be a random oracle, where $m\ge \lambda /2$. Our dense puzzle system is described in Fig. 3.

Theorem 2

Let $\lambda \in \mathbb {Z}^+$ be the security parameter. Define $\mathcal {PS}_\lambda = \left\{ 0,1\right\} ^{\lambda }$, $\mathcal {SS}_\lambda = \left\{ 0,1\right\} ^{\lambda }$, and $\mathcal {HS}_\lambda =[\log ^2\lambda , \lambda /4]$. Let $\mathcal {O}$ be a random oracle mapping from $\left\{ 0,1\right\} ^*$ to $\left\{ 0,1\right\} ^{m}$, where $m\ge \lambda /2$. For any $h\in \mathcal {HS}_\lambda $, the puzzle system $\mathsf {PuzSys}$ described in Fig. 3 is correct, complete with $\mathsf {Solve}$’s running time $2^{h+2\log \lambda }$, efficiently samplable, statistically indistinguishable, and g-hard, where $g(T)=T^{1/c}$, for any constant $c>2$. In addition, for any k that is $O(2^{\lambda /8})$, $\mathsf {PuzSys}$ is $(\mathsf {id}(\cdot ),k)$-amortization resistant, where $\mathsf {id}(\cdot )$ is the identity function.

Proof

Please see the full version [BKZZ15].

3.5 Dense Puzzle Instantiation from Complexity Assumptions

In this section, we show how to construct a puzzle system whose puzzle instance distribution is statistically close to the uniform distribution (over $\left\{ 0,1\right\} ^{m(\lambda )}$) without random oracles. The main challenge is, given an arbitrary oneway function $\psi :\mathcal {X}\mapsto \mathcal {Y}$, to build another oneway function with uniform output distribution (on random inputs) while still maintaining its onewayness. As an intuition, we would like to first map the output of the given oneway function from $\mathcal {Y}$ to $\left\{ 0,1\right\} ^\ell $ using an efficient injective map (which is usually the bit representation of $y\in \mathcal {Y}$), and then apply a strong extractor on it. Let $\mathsf {Ext}: \left\{ 0,1\right\} ^\ell \times \left\{ 0,1\right\} ^d \mapsto \left\{ 0,1\right\} ^m$ be a strong extractor as defined at Definition 3.

Definition 3

Function $\mathsf {Ext}: \left\{ 0,1\right\} ^\ell \times \left\{ 0,1\right\} ^d \mapsto \left\{ 0,1\right\} ^m$ is $(t,\epsilon )$-strong extractor if for any t-source X (over $\left\{ 0,1\right\} ^\ell $), we have $\varDelta [(S,\mathsf {Ext}(X,S)), (S,\mathbf {U}_m)] \le \epsilon $, where $S\leftarrow \left\{ 0,1\right\} ^d$ and $\mathbf {U}_m\leftarrow \left\{ 0,1\right\} ^m$ are drawn uniformly and independently of X.

The new oneway function $\psi ^U:\mathcal {X}\times \left\{ 0,1\right\} ^d\mapsto \left\{ 0,1\right\} ^m\times \left\{ 0,1\right\} ^d$ is defined as $\psi ^U(x,s) = (\mathsf {Ext}(\psi (x),s),s)$. According to LHL [HILL93], if $H_{\infty }(x)\ge m+2\log (1/\epsilon )$, then the output of $\psi ^U$ is at most $\epsilon $-far from the uniform distribution over $\left\{ 0,1\right\} ^{m+d}$. However, in order to maintain its onewayness, we need an extra property of the strong extractor – Target Collision Resistance (TCR), i.e. given x and s, it is computationally infeasible to find $x'$ such that $x\ne x'$ and $\mathsf {Ext}(x,s) = \mathsf {Ext}(x',s)$. We construct TCR strong extractors from regular universal oneway hash functions (UOWHFs), initially proposed by Naor and Yung [NY89]. We first formally define the TCR property for a strong extractor in Definition 4.

Definition 4

Let $\mathsf {Ext}: \left\{ 0,1\right\} ^{\ell (\lambda )} \times \left\{ 0,1\right\} ^{d(\lambda )} \mapsto \left\{ 0,1\right\} ^{m(\lambda )}$ be a strong extractor. We say $\mathsf {Ext}$ is target collision resistant if for all PPT adversary $\mathcal {A}$, the following probability:

$$ \Pr \left[ \begin{array} {l} x\leftarrow \mathcal {A}(1^\lambda ); s\leftarrow \left\{ 0,1\right\} ^{d(\lambda )}:x'\leftarrow \mathcal {A}(s):\\ x,x'\in \left\{ 0,1\right\} ^{\ell (\lambda )}\wedge x\ne x'\wedge \mathsf {Ext}(x,s) = \mathsf {Ext}(x',s) \\ \end{array} \right] =\mathsf {negl}(\lambda ). $$

A stronger notion, collision resistant extractors, was introduced by Dodis [Dod05]. Collision resistant extractors were applied to construct perfectly oneway probabilistic hash functions proposed [CMR98] in 2005. The construction of such collision resistant extractors relies on a variant of leftover hash lemma proved by Dodis and Smith [DS05]. Our observation is that in the same way that [Dod05] employ regular collision resistant hash functions (CRHF) to derive collision resistant strong extractors, we can use regular universal oneway hash function (UOWHF), to obtain TCR strong extractor. The notion of UOWHF was initially proposed by Naor and Yung [NY89] where they showed that UOWHFs can be constructed by composing oneway permutations with (weakly) pairwise independent hash functions. Since then, many constructions of UOWHFs have been proposed, assuming the existence of regular oneway functions [SY90] or any oneway functions [Rom90, HHR+10].^{Footnote 5}

We would like to use $\mathcal {H}_{2n}=\left\{ H_{(a,b)}(x)= ax+b | \forall a\ne 0 ,a, b \in \mathbb {GF}(2^n)\right\} $ as the family of pairwise independent permutations and a regular UOWHF family $\mathcal {F}_\lambda $ to construct our TCR strong extractors. Define $\hat{F}_i(\cdot ):=(F_i(\cdot ),i)$, where $F_i\in \mathcal {F}_\lambda $. Our TCR strong extractor is constructed as $\mathsf {Ext}(x,(i,s)) = \hat{F}_i\circ H_s(x)$. Note that regularity of the UOWHFs is important to ensure that the output distribution of such strong extractors is close to the uniform distribution, as $F_i(U_{\ell _1(\lambda )})\equiv U_{\ell _2(\lambda )}$. On the other hand, some UOWHF constructions give regular UOWHFs by default (i.e., the UOWHFs constructed by the oneway permutation based approach [NY89]).

Dense Oneway Functions and Dense Puzzles from Complexity Assumptions. We apply a TCR strong extractor for our construction. The key to the construction will be a “dense” oneway function: a oneway function is $\epsilon $ -dense oneway if its output distribution is at most $\epsilon $-far from $\mathbf {U}_m$ for some $m\in \mathbb {Z}^+$. We now present a transformation of a one-way function to a dense one-way function via the application of a TCR-strong extractor. The TCR property will ensure that any attempt to invert the dense one-way function will result to an inversion of the underlying one-way function. Formally we prove the following.

Theorem 3

Let $\lambda _1,\lambda _2\in \mathbb {Z}^+$ be the security parameters. Let $\psi _{\lambda _1}:\mathcal {X}_{\lambda _1}\mapsto \mathcal {Y}_{\lambda _1}$ be an arbitrary oneway function, and define $H_{\lambda _1} = H_{\infty }(\psi _{\lambda _1}(X))$ for random variable X drawn uniformly from $\mathcal {X}_{\lambda _1}$. Assume there exists an efficient injective map $\zeta _{\lambda _1}:\mathcal {Y}_{\lambda _1}\mapsto \left\{ 0,1\right\} ^{\ell (\lambda _2)}$. If

$$\mathsf {Ext}_{\lambda _2}(x,(s_1,s_2)): \left\{ 0,1\right\} ^{\ell (\lambda _2)}\times \left\{ 0,1\right\} ^{\lambda _2 + 2\cdot \ell (\lambda _2)}\mapsto \left\{ 0,1\right\} ^{H_{\lambda _1}-2\log (1/\epsilon )-1}$$

is a $(H_{\lambda _1}, \epsilon )$-TCR strong extractor, then

$$\psi _{\lambda _1,\lambda _2}^{U} (x,s_1,s_2)= (\mathsf {Ext}_{\lambda _2}(\zeta _{\lambda _1}(\psi _{\lambda _1}(x)), (s_1,s_2)),s_2)$$

is an $\epsilon $-dense oneway function with range $ \left\{ 0,1\right\} ^{2\cdot \ell (\lambda _2)+H_{\lambda _1}-2\log (1/\epsilon )-1}$ and domain $\mathcal {X}_{\lambda _1}\times \left\{ 0,1\right\} ^{\lambda _2+2\cdot \ell (\lambda _2)}$.

Proof

Please see the full version [BKZZ15].

The above result paves the way for constructing dense puzzles from complexity assumptions. Essentially, given a function with moderately hard characteristics making it suitable for a puzzle, it is possible to transform it to a dense puzzle by applying a suitably hard TCR extractor (“suitable” here means that breaking the TCR property should be harder than solving the puzzle). We now illustrate this methodology by applying it to the discrete logarithm problem. More generally this methodology transforms any puzzle in the sense of Definition 1 to a dense puzzle (assuming again a suitably hard TCR extractor).

The DLP Based Puzzle and Calibrating Its Hardness. Consider the discrete logarithm problem (DLP) as the candidate oneway function for our puzzle. Let $\mathbb {G}=\langle G \rangle $ be some (multiplicative) cyclic group where the DLP is hard, and G is a generator with order p, which is a $\lambda _1$-bit prime. The oneway function $\psi _{G}: \mathbb {Z}_p \mapsto \mathbb {G}$ is defined as $\psi _{G}(x)=G^x$. It is shown by Shoup [Sho97] that any probabilistic algorithm takes $\varOmega (\sqrt{p})$ steps to solve the DLP over generic groups. Analogously, [GJKY13] shows any probabilistic algorithm must take at least $\sqrt{2p \epsilon }$ steps to solve DLP with probability $\epsilon $ in the generic group model. To build a puzzle, we would like to calibrate the hardness of the DLP by revealing the most significant bits of the pre-image. For example, for a puzzle with hardness factor$h\le \lfloor \frac{\lambda _1-1}{2}\rfloor $, we pick $x\in \left\{ 0,1\right\} ^{h}$ and $y\in \left\{ 0,1\right\} ^{\lfloor (\lambda _1-1)/2\rfloor }$ uniformly at random, and set the puzzle as $(\mathsf {Ext}_{\lambda _2}(\psi _{G}(x+2^{h} \cdot y),(s_1,s_2)),s_2,y)$. We assume the calibrated DLP is still moderately hard with respect to the min-entropy of x. Note that a similar assumption was used by Gennaro to construct a more efficient pseudo-random generator [Gen00]. It is easy to see that this assumption holds for DLP in generic groups, i.e. given $\psi _{G}(x+2^{h} \cdot y)$ and y, the best generic algorithm must take at least $\sqrt{2^{h+1} \epsilon }$ steps to solve DLP with probability $\epsilon $. We note that this problem is closely related to leakage-resilient cryptography [AM11, ADVW13].

On the other hand, due to the out-layer extractor, we cannot directly adopt any known (generic) DLP algorithms, such as [GTY07, GPR13]. Instead, our puzzle solver just exhaustively searches for a valid solution. There is a subtle caveat, namely the expected running time of solving a puzzle with hardness factorh, i.e. $x\leftarrow \left\{ 0,1\right\} ^{h}$ is designed to be $2^{h}$, whereas the TCR property of UOWHF is only guaranteed against PPT adversaries with respect to $\lambda _2$ (the security parameter of the UOWHF). To address this issue, we introduce an additional assumption, that is the expected running time of any adversary $\mathcal {A}$ (in number of steps) can break the TCR property of the underlying UOWHF with non-negligible probability on $x\leftarrow \left\{ 0,1\right\} ^{h}$ is $\omega (2^{h/2})$, (i.e. breaking TCR is expected to happen after the birthday paradox bound). The dense puzzle system from DLP (combining with TCR strong extractors) is depicted in Fig. 4.

Theorem 4

Let $\lambda \in \mathbb {Z}^+$ be the security parameter and $h\in [\log ^4\lambda +\log ^2\lambda +1 , \log ^5\lambda ]$ be the hardness factor. Let $\mathsf {Ext}_{\lambda }:\left\{ 0,1\right\} ^{\lambda }\times \left\{ 0,1\right\} ^{3\lambda } \mapsto \left\{ 0,1\right\} ^{\lambda +\log ^4 \lambda }$ be a TCR strong extractor such that the expected running time of any adversary $\mathcal {A}$ that breaks its TCR property with non-negligible probability on $x\leftarrow \left\{ 0,1\right\} ^{h}$ is $\omega (2^{h/2})$. Assume $\psi _{G}: \mathbb {Z}_p \mapsto \mathbb {G}$ is a hard DLP in generic groups such that the best generic algorithm must take at least $\sqrt{2^{h+1} \varepsilon }$ steps to solve it with probability $\varepsilon $. The puzzle system $\mathsf {PuzSys}=(\mathsf {Sample}, \mathsf {SampleSol},\mathsf {Solve},\mathsf {Verify})$ described in Fig. 4 is correct, complete with $\mathsf {Solve}$’s running time $2^{h}$, efficiently samplable, statistically indistinguishable, and g-hard, where $g(T)=T^{1/c}$ for any constant $c>2$. In addition, for any k that is $O(2^{\log ^3\lambda })$, $\mathsf {PuzSys}$ is $(\mathsf {id}(\cdot ),k)$-amortization resistant, where $\mathsf {id}(\cdot )$ is the identity function.

Proof

Please see the full version [BKZZ15].

Remark. For notation simplicity, we let the puzzle space “independent” of the hardness factor h, therefore we have to limit h within a small interval to ensure (i) $\psi _{G}(x+2^h\cdot y)$ has enough entropy and (ii) it is infeasible to break the TCR property of the underlying UOWHF within $2^{h/2}$ steps. In practice, for any desired h, we can always pick a suitable $\mathsf {Ext}_\lambda :\left\{ 0,1\right\} ^{\lambda }\times \left\{ 0,1\right\} ^{3\lambda } \mapsto \left\{ 0,1\right\} ^{\lambda +h-\log ^2\lambda -1}$.

3.6 Instantiation of the Dense Puzzle Based PoWorK

We instantiate our PoWorK protocol as described in Fig. 1 by building it upon the Schnorr identification scheme [Sch89] and the dense puzzle system instantiation in the RO model^{Footnote 6} (see Sect. 3.4). The description of our instantiation is presented in the full version of this work [BKZZ15].

4 Applications

Below we present some practical and theoretical applications of our PoWorK. When using PoWorK in practice we must ensure that the verifier cannot distinguish between the two types of provers based on their response time. In Sect. 2.2 we argued that for our indistinguishability proofs, $\mathcal {P}(w)$ (i.e. the prover who knows the witness) should perform some idle steps so that his running time will be lower bounded by the time that one would need to solve the puzzle. However, enforcing a real user to wait is not ideal. Luckily though, the time needed for a prover who solves a puzzle (i.e., does not know the witness) depends on his total computational power and on whether the puzzle is parallelizable or not. Provers who own specialized hardware (e.g., based on ASICs) or that have access to powerful computer clusters (in case that a puzzle is parallelizable) might be able to solve the puzzle very fast – paying of course the relevant computation cost. Thus, when applying PoWorK in practice, the time that takes a prover to respond to a challenge is not a distinguishing factor: the prover might have as well solved the puzzle in constant time by fully parallelizing its computation or alternatively, for the case of non-interactive PoWorK’s the receiver may not know when the prover started proof computation. Finally note that in any case, we do care that the prover has paid the corresponding computational cost and he is not able to amortize a previous solution of a puzzle to solve a new one.

4.1 Email Spam Application

Using proofs of work to reduce the amount of spam email was suggested back in 1992 by Dwork and Naor [DN92]. Their idea can be summarized in the following:

“If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92].

In their proposal there exists some special software^{Footnote 7} that operates on behalf of the receiver and checks whether the sender has properly computed the proof of work or the sender is an approved (by the receiver) contact. The reason that this approach helps to reduce spam is mainly economic: in order for spammers to send high volumes of emails they would have to invest in powerful computational resources which makes spamming non cost-effective.

A disadvantage of the method described above is that the list of the approved contacts (i.e. email addresses) of the receiver has to be given to this special software/mail server in order to check whether the sender belongs in this list or not - in which case she will have to perform additional computation. This violates the privacy of the receiver who needs to reveal which of her contacts she considers to be approved and thus allows them to send emails “for free”. Adopting our PoWorK protocol would give a privacy preserving solution to the spam problem: given the indistinguishability feature of PoWorK, the software/verifier does not need to know the approved list of contacts, in fact it does not even need to know whether the incoming email is from an approved contact or a non-approved user who successfully fulfilled the computational work.

Non-interactive PoWorKs. Sending an email should not require any extra communication between the sender and the mail server. Our 3-move PoWorK is public-coin, thus can be turned into non-interactive by applying the Fiat-Shamir transformation [FS86]. Namely, the prover, instead of receiving a challenge from the verifier, hashes the first move message $\mathbf {a}$ together with the context of the email and the email address of the receiver into $\mathbf {c}$, and provides the verifier with the whole proof, $\pi $, which includes $(\mathbf {a},\mathbf {c},\mathbf {r})$ and the context of the email, in one round.

Multi-witness Hard Relation. In order for a user to approve a list of contacts she will have to provide each one of them with a unique witness for the same statement (in order to ensure indistinguishability). Let $R_\mathcal {L}$ be a multi-witness hard relation with a trapdoor for a language $\{x \mid \exists w : (x,w) \in R_\mathcal {L}\}$. A relation is said to be hard if for $(x,w) \in R_\mathcal {L}$, a PPT adversary given x can only output $w'$ s.t. $(x,w') \in R_\mathcal {L}$ with negligible probability. A multi-witness hard relation with a trapdoor is described by the following algorithms: (a) a trapdoor generation algorithm sets a pair of a statement x and associated trapdoor t: $(x,t) \leftarrow $ GenT($ R_\mathcal {L}$), (b) an efficient algorithm GenW that on input $x \in \mathcal {L}$ and a trapdoor t outputs a witness w such that $(x,w) \in R_\mathcal {L}$ and, (c) a verification algorithm $1/0 \leftarrow \textsf {Ver}(R_\mathcal {L},x,w)$ outputs 1 if $(x,w) \in R_\mathcal {L}$ and 0 otherwise^{Footnote 8}.

PoWorK Based Spam Reducing System. Consider a PoWorK scheme as presented in Fig. 1 for a security parameter $\lambda $, a puzzle system $\mathsf {PuzSys}$ and a multi-witness hard relation with a trapdoor $R_\mathcal {L}$ as described above. A spam reducing system $\mathsf {SRS}$ consists of the following algorithms:

MailServerSetup $(1^{\lambda })$: the mail server $\mathcal {S}_{\textit{mail}}$ on input the security parameter, $\lambda $, selects the hardness of the puzzle system $h\in \mathcal {HS}_\lambda $.
ReceiverSetup $(1^{\lambda },h)$: user $\mathcal {R}$ (i.e. the receiver) runs $(x,t) \leftarrow $ GenT($ R_\mathcal {L}$ and sends x and her email address $ ad _{\mathcal {R}}$ to the mail server (potentially signed together). The trapdoor t is secretly stored by $\mathcal {R}$.
ApproveContact (t, x): in order for $\mathcal {R}$ to approve a sender $\mathcal {S}$, it will run $w \leftarrow \textsf {GenW}(t,x)$ and will give $w\in R_\mathcal {L}(x)$ to the sender (unique witnesses allow for revocation). From now on, $\mathcal {S}$ can use w to send emails to $\mathcal {R}$.
SendEMail(w, h, x): a sender $\mathcal {S}$ with input the public parameters v, statement $x\in \mathcal {L}$ and with a private input $w\in \ R_\mathcal {L}(x)\cup \{\bot \}$, prepares a PoWorK proof $\pi =(\mathbf {a},\mathbf {c},\mathbf {r})$. If $\mathcal {S}$ is an approved contact of $\mathcal {R}$, then she will use the witness w to perform the PoK side of PoWorK, while if $\mathcal {R}$ is not an approved contact (i.e. $w=\bot $) she will have to execute the PoW side. To compute $\pi $ non-interactively she will fix c to be $H(\mathbf {a},m)$, where $\mathbf {a}$ is the first message of PoWorK, m stands for the body of the email^{Footnote 9}, and H is a hash. The rest of PoWorKis computed as before.
ApproveEMail $(h,x, \pi )$: is run by the mail server $\mathcal {S}_{\textit{mail}}$ who verifies $\pi $ and outputs 0 / 1. If proof is $\pi $ valid, then $\mathcal {S}_{\textit{mail}}$ forwards the enclosed email to $\mathcal {R}$.

Note that our proposal, similar to [DN92, DGN03], requires to implement additional protocols between the sender and the recipient (i.e. a change in the internet mail standards would be required). In the full version of this work [BKZZ15] we discuss some interesting extensions of our protocol that address revocation, prevention of witness sharing and solving “useful” puzzles.

Security. Although a formal definition and description of properties of an email system is out of the scope of this paper, we do define and prove spam resistance and privacy. Briefly, spam resistance guarantees that the mail server will allow an email message to reach the recipient if and only if a valid proof (of work or knowledge) has been attached. At the same time for a non-approved contact the number of valid proofs of work prepared should not affect the time required to prepare a new one (similar to puzzle amortization property). Privacy implies that the mail server cannot distinguish whether the sender of a message is an approved contact of the recipient or not.

Definition 5

Let $\mathsf {SRS}$ be a spam reducing system built upon a PoWorK $(\mathcal {P},\mathcal {V})$ for a language $\mathcal {L}\in \mathcal {NP}$ and a puzzle system $\mathsf {PuzSys}=(\mathsf {Sample},\mathsf {Solve},\mathsf {Verify})$. We define spam resistance and privacy of $\mathsf {SRS}$ as follows:

(i).
$(\sigma ,k)$ -Spam Resistance: We say that $\mathsf {SRS}$ is $(\sigma ,k)$-spam resistant if there exists a PPT witness-extraction algorithm $\mathcal {K}$, such that for every hardness factor $h\in \mathcal {HS}_\lambda $, auxiliary tape $z\in \left\{ 0,1\right\} ^{*}$ and every adversary $\mathcal {A}$, if for non-negligible functions $\alpha _1(\cdot ),\alpha _2(\cdot )$:
$$\small { \Pr \left[ \begin{array} {l} (t,x) \leftarrow \textit{ReceiverSetup}(1^{\lambda },h);\forall 1 \le i \le k:\mathsf {puz}_i \leftarrow \mathsf {Sample}(1^\lambda ,h);\\ \{\pi _i = (\mathbf {a}_i,\mathbf {c}_i,\mathbf {r}_i)\}_{i\in [k]} \leftarrow \mathcal {A}(z,1^{\lambda }, h, x):\\ \big ( \forall 1 \le i \le k: \textit{ApproveEMail}(h,x, \pi _i)=1 \big ) \wedge \\ \wedge (\forall i\ne j \in [k]: \pi _i \ne \pi _j) \wedge \\ \wedge \Big ( \mathsf {Steps}_\mathcal {A}(z,1^{\lambda }, h, x) \le \sigma \big (\sum \nolimits _{i=1}^k\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz}_i) \big )\Big ) \end{array} \right] =\alpha _1(\lambda ),} $$
then $\Pr [\mathcal {K}^{\mathcal {A}}(z,1^{\lambda }, h, x)\in R_\mathcal {L}(x)]=\alpha _2(\lambda )$.
(ii).
Privacy: We say that $\mathsf {SRS}$ is private, if for every hardness factor $h\in \mathcal {HS}_\lambda $, auxiliary tape $z\in \left\{ 0,1\right\} ^{*}$ and every adversarial mail server $\mathcal {A}$, it holds that:

We prove the following theorem for a private spam reducing email system:

Theorem 5

Let $\mathsf {SRS}$ be a spam reducing system built upon dense puzzle-based PoWorK $(\mathcal {P},\mathcal {V})$ for a g-hard and $(\tau ,k)$-amortization resistant dense puzzle system $\mathsf {PuzSys}=(\mathsf {Sample},\mathsf {Solve},\mathsf {Verify})$, where k is polynomial in $\lambda $, $\tau $ is an increasing function and g is a subadditive function. Let H be a hash function with output domain equal to challenge sampling space $\mathcal {CS}_\lambda $ modeled as a random oracle. Assume that the worst-case running time of $\mathsf {Solve}(1^\lambda ,\cdot ,\cdot )$ is $o(|\mathcal {CS}_\lambda |)$ and that $(\sqrt{\tau \circ g}(\mathsf {Solve}(1^\lambda ,\cdot ,\cdot ))$ is super-polynomial in $\lambda $. Then, the email system described above is private and $(\sqrt{\tau \circ g},k)$-spam resistant.

Proof

Please see the full version [BKZZ15].

Intuitively, the privacy holds because of the indistinguishability of PoWorK. The $(\sqrt{\tau \circ g},k)$-spam resistance property holds because of the soundness of PoWorK and the amortization resistance of the underlying $\mathsf {PuzSys}$.

4.2 PoWorK-Based Cryptocurrencies

Proofs of work is the basic primitive used in achieving the type of distributed consensus required in cryptocurrencies, notably Bitcoin [Nak08] and many others that use the same approach. The main idea is that a proof of work operation can be used to calibrate the ability of parties to build a hash chain that contains transaction records, commonly referred to as the blockchain.

An important feature of a blockchain is its decentralized nature. Given the view of a participant (commonly referred to as a miner) that includes its view of the blockchain, a fresh instance of a puzzle of a specified difficulty is created (which itself may depend on the blockchain) and has to be solved in order to add another block in the chain. Formally, the operation of a PoW-based miner as used in Bitcoin and numerous other cryptocurrencies (such as Litecoin, Namecoin, Dogecoin) is as shown in Fig. 5.

Under certain assumptions about the network synchronicity and the hardness of the proof, the above mechanism has been shown to be robust in the sense of satisfying two properties, persistence (transactions remain stable in the “ledger”) and liveness (all transactions are eventually inserted in the ledger) assuming that the honest parties are above majority [GKL15]. Puzzle-based cryptocurrencies have also drawn a lot of criticism due to the fact that they require a lot of natural resources (e.g., in [OM14] it is reported that Bitcoin mining in 2014 already consumed as much energy as the needs of the country of Ireland for electricity).

This lead to the development of a number of systems that circumvent puzzles (including, [DM16, BLMR14, Maz15] as well as Peercoin, DasHCoin, NXT, Nushares, ACHCoin, Faircoin and others). These systems maintain a blockchain as well, however they rely on different mechanisms for producing blocks. We call them, generically, “knowledge-based cryptocurrencies” since the production of a block is associated with the production of a witness for a public-relation relation $\mathcal {R}$ which parameterizes the system. Formally, we present the miner^{Footnote 10} operation in Fig. 6.

A trivial way to construct a knowledge-based cryptocurrency would be to have a a single trusted authority with a public and secret key pair, (pk, sk), acting as the sole miner.^{Footnote 11} At a time-step $n+1$, the function $V(\cdot )$ would set simply $x_{n+1}=(t_{n+1}, T_{n+1}, u_{n+1})$ and $W_{sk}(x_{n+1})$ would produce a signature on $x_{n+1}$ that would serve as $\pi _{n+1}$ (there is no need for a NIZK). Another example of a knowledge-based cryptocurrency is NXT. On a high level, in this system each miner (called forger) has a digital signature public and secret key, (pk, sk), associated with her account. The function $V(B_1,\ldots ,B_{n}, t_{n+1}, T_{n+1})$ (run by each miner), operates as follows: it parses $T_{n+1}$ to recover the public pk of the miner (note that it is always present in the transaction collecting the fees). Then, based on the public-key pk and the blockchain $B_1,\ldots ,B_{n}$ it determines how much currency is associated with the account that corresponds to the public-key pk; this results in a time-window $d\in \mathbb {R}^+$ whose expectation is proportionate to the amount of currency in the account (the more currency, the shorter the expectation of d is; we omit the exact dependency in this high level description). The function $V(\cdot )$ returns $(x_{n+1},\mathsf {aux})$ with $x_{n+1}=(t_{n+1}, T_{n+1}, u_{n})$ and $\mathsf {aux}=d$. The procedure $W_{sk}(x_{n+1},d)$, will produce a signature w on the message $(t_{n+1}, T_{n+1}, u_{n})$ if $t_{n+1}\ge t_{n} + d$; else, it produces $\bot $. Note that in this system no NIZK is employed, one may just set $\pi _{n+1} = w$; however, the system would operate similarly if a NIZK was employed to establish knowledge of a signature w on the message $(t_{n+1}, T_{n+1}, u_{n})$.

We now show how to construct a PoWorK-based cryptocurrency derived from a knowledge-based cryptocurrency $\mathtt {C}_1$ and a puzzle-based cryptocurrency $\mathtt {C}_2$ for a dense puzzle, see Fig. 7. The construction is straightforward: a new block can be added to the blockchain by someone who can efficiently compute a proof $\pi _i$ using some secret key or by someone who is computing a $\pi _i$ by performing computational work.

The properties of the composition are informally stated in the following (meta)-theorem; the proof of the theorem follows from the properties of PoWorK and is similar in spirit to the proof of Theorem 5. The formal statement and proof of the theorem (that should also include a formalization of all relevant underlying properties of cryptocurrencies, both in the puzzle-based and knowledge-based setting, e.g., in the sense of [GKL15]) is out of scope for the present exposition.

Theorem 6

(informally stated) The cryptocurrency $\mathtt {C}$ of Fig. 7 is the composition of a knowledge-based cryptocurrency $\mathtt {C}_1$ and a puzzle-based cryptocurrency $\mathtt {C}_2$ so that (i) the population of miners of $\mathtt {C}_1,\mathtt {C}_2$ becomes a single set that is indistinguishable to any adversary that controls a subset of miners of $\mathtt {C}$, (ii) the persistence property of $\mathtt {C}$ is upheld as long as the conditions for persistence of $\mathtt {C}_1,\mathtt {C}_2$ hold in conjunction. (iii) the liveness property of $\mathtt {C}$ is upheld as long as the conditions for liveness of $\mathtt {C}_1,\mathtt {C}_2$ hold in disjunction.

4.3 PoWorKs as 3-Move Straight-Line Concurrent Simulatable Arguments of Knowledge

In this section, we present a theoretical application of PoWorKs. Namely, we show that any PoWorK protocol that satisfies a couple of reasonable assumptions, implies straight-line concurrent ($\lambda ^{\mathrm {poly}(\log \lambda )}$)-simulatable arguments of knowledge. Our application is described at length in our full version [BKZZ15]. Here, we provide the statement of our main result.

Theorem 7

Let $\mathcal {L}$ be a language in $\mathcal {NP}$ and let $\mathsf {PuzSys}$ be a puzzle system. Let $(\mathcal {P},\mathcal {V})$ be a 3-move f-sound PoWorK for $\mathcal {L}$ and $\mathsf {PuzSys}$ with statistical indistinguishability such that for every hardness factor $h \in \mathcal {HS}_{\lambda }$, it holds that:

(i).
$\Pr [\mathsf {puz}\leftarrow \mathsf {Sample}(1^\lambda ,h):f(\mathsf {Steps}_\mathsf {Solve}(1^\lambda ,h,\mathsf {puz}))\le \lambda ^{\log \lambda }]=\mathsf {negl}(\lambda )$.
(ii).
The worst-case running time of $\mathsf {Solve}(1^\lambda ,h,\cdot )$ is $\lambda ^{\mathrm {poly}(\log \lambda )}$ and $\mathcal {P}$ is a polynomial time algorithm that makes oracle calls to $\mathsf {Solve}(1^\lambda ,h,\cdot )$.

Then, $(\mathcal {P},\mathcal {V})$ is a 3-move straight-line concurrent statistically $\lambda ^{\mathrm {poly}(\log \lambda )}$-simulatable argument of knowledge.

Remark. In practice, we can instantiate the dense puzzle with a DL function over a dense elliptic curve [BHKL13] (without the need of an extractor). This means that we can transform a 3-move proof/argument of knowledge to a concurrent one with minimal computational overhead – 1 exponentiation for the prover and 1 exponentiation for the verifier. (cf. Fig. 1(a).) Note that a similar result in terms of rounds and with similar assumptions (i.e. DL) can be obtained via the efficient OR composition with an input-delayed $\varSigma $-protocol as recently observed in [CPS+16], however the resulting complexity overhead would be at least 3 exponentiations for the prover and 2 exponentiations for the verifier when the underlying Chameleon $\varSigma $-protocol is instantiated from Schnorr’s protocol.

Notes

1.
E.g., Litecoin, Dogecoin, Ethereum, Dashcoin, etc.
2.
E.g., Peercoin, NXT, Nushares, Faircoin etc.
3.
For definitions of properties like liveness and persistence of the ledger we refer to e.g., [GKL15, BMC+15].
4.
In this work we focus on parallelizable puzzles so counting in number steps as opposed to actual running time is more intuitive.
5.
We note that, on the contrary, CR strong extractors cannot be built from arbitrary oneway functions, since Simon [Sim98] gave a black-box separation between CRHFs and oneway functions.
6.
The construction using the DLP based puzzle system is similar. We chose to employ the RO instantiation for simplicity in presentation.
7.
This special software could for example run on the receiver’s mail server or be an independent program running on the receiver’s side.
8.
Examples of multi-witness hard relations with trapdoors are (a) the DL representation problem [Bra94, BF99] over prime order groups, (b) the representation problem in composite modular groups [ACJT00] which has constant size parameters in the number of adversarial parties.
9.
We can assume that the email body also contains a time-stamp (or that the time-stamp is added later by the mail server) and also includes $( ad _{\mathcal {S}}, ad _{\mathcal {R}})$ which are the sender/receiver email addresses.
10.
Note that we use the term “miner” for symmetry. Miners are associated with puzzle based cryptocurrencies and thus different terminology has been introduced in knowledge-based systems including “mintettes”, “forgers” and others.
11.
For instance, this would be a single “mintette” instantiation of [DM16].

References

Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000). doi:10.1007/3-540-44598-6_16
Chapter Google Scholar
Agrawal, S., Dodis, Y., Vaikuntanathan, V., Wichs, D.: On continual leakage of discrete log representations. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 401–420. Springer, Heidelberg (2013). doi:10.1007/978-3-642-42045-0_21
Chapter Google Scholar
Aggarwal, D., Maurer, U.: The leakage-resilience limit of a computational problem is equal to its unpredictability entropy. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 686–701. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25385-0_37
Chapter Google Scholar
Back, A.: Hashcash (1997). http://www.cypherspace.org/hashcash
Boneh, D., Franklin, M.: An efficient public key traitor tracing scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 338–353. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_22
Google Scholar
Bitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized encodings. In: ITCS (2016)
Google Scholar
Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: CCS (2013)
Google Scholar
Baldimtsi, F., Kiayias, A., Zacharias, T., Zhang, B.: Indistinguishable proofs of work or knowledge. Cryptology ePrint Archive, Report 2015/1230 (2015). http://eprint.iacr.org/2015/1230
Bentov, I., Lee, C., Mizrahi, A., Rosenfeld, M.: Proof of activity: extending bitcoin’s proof of work via proof of stake [extended abstract]. SIGMETRICS Perform. Eval. Rev. 42(3), 34–37 (2014)
Article Google Scholar
Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, pp. 1444–1451 (1987)
Google Scholar
Bonneau, J., Miller, A., Clark, J., Narayanan, A., Kroll, J.A., Felten, E.W.: Sok: research perspectives and challenges for bitcoin and crypto currencies. In: IEEE Symposium on Security and Privacy (2015)
Google Scholar
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS (1993)
Google Scholar
Brands, S.: An efficient off-line electronic cash system based on the representation problem. In: CWI Technical Report CS-R9323 (1994)
Google Scholar
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS (2001)
Google Scholar
Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). doi:10.1007/3-540-48658-5_19
Google Scholar
Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_2
Chapter Google Scholar
Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge (extended abstract). In: STOC (2000)
Google Scholar
Canetti, R., Micciancio, D., Reingold, O.: Perfectly one-way probabilistic hash functions (preliminary version). In: STOC (1998)
Google Scholar
Chen, L., Morrissey, P., Smart, N.P., Warinschi, B.: Security notions and generic constructions for client puzzles. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 505–523. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_30
Chapter Google Scholar
Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved OR-composition of sigma-protocols. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 112–141. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_5
Chapter Google Scholar
Dwork, C., Goldberg, A., Naor, M.: On memory-bound functions for fighting spam. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 426–444. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_25
Chapter Google Scholar
Danezis, G., Meiklejohn, S.: Centrally banked cryptocurrencies. In: NDSS (2016)
Google Scholar
Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). doi:10.1007/3-540-48071-4_10
Google Scholar
Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. In: STOC (1998)
Google Scholar
Dodis, Y.: On extractors, error-correction and hiding all partial information. In: ITW (2005)
Google Scholar
Dodis, Y., Smith, A.: Correcting errors without leaking partial information. In: STOC (2005)
Google Scholar
Fiat, A., Shamir, A.: How To Prove Yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi:10.1007/3-540-47721-7_12
Google Scholar
Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: STOC (1990)
Google Scholar
Gennaro, R.: An improved pseudo-random generator based on discrete log. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 469–481. Springer, Heidelberg (2000). doi:10.1007/3-540-44598-6_29
Chapter Google Scholar
Garay, J.A., Johnson, D.S., Kiayias, A., Yung, M.: Resource-based corruptions and the combinatorics of hidden diversity. In: ITCS (2013)
Google Scholar
Garay, J., Kiayias, A., Leonardos, N.: The Bitcoin Backbone Protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46803-6_10
Google Scholar
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: STOC (1985)
Google Scholar
Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptology 7(1), 1–32 (1994)
Article MathSciNet MATH Google Scholar
Galbraith, S.D., Pollard, J.M., Ruprai, R.S.: Computing discrete logarithms in an interval. Math. Comput. 82(282), 1181–1195 (2013)
Article MathSciNet MATH Google Scholar
Gopalakrishnan, K., Thériault, N., Yao, C.Z.: Solving discrete logarithms from partial knowledge of the key. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 224–237. Springer, Heidelberg (2007). doi:10.1007/978-3-540-77026-8_17
Chapter Google Scholar
Haitner, I., Holenstein, T., Reingold, O., Vadhan, S., Wee, H.: Universal one-way hash functions via inaccessible entropy. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 616–637. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_31
Chapter Google Scholar
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: Construction of a pseudo-random generator from any one-way function. SIAM J. Comput. 28, 12–24 (1993)
Google Scholar
Juels, A., Brainard, J.G.: Client puzzles: A cryptographic countermeasure against connection depletion attacks. In: NDSS (1999)
Google Scholar
Lapidot, D., Shamir, A.: Publicly verifiable non-interactive zero-knowledge proofs. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991). doi:10.1007/3-540-38424-3_26
Chapter Google Scholar
Mazieres, D.: The stellar consensus protocol: A federated model for internet-levelconsensus (2015).https://www.stellar.org/papers/stellar-consensus-protocol.pdf
Mahmoody, M., Moran, T., Vadhan, S.: Time-lock puzzles in the random oracle model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 39–50. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_3
Chapter Google Scholar
Nakamoto, S.: Report (2008). https://bitcoin.org/bitcoin.pdf. Accessed 7 Oct. 2015
Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC (1989)
Google Scholar
ODwyer, K.J., Malone, D.: Bitcoin mining and its energy footprint. In: ISSC 2014/CIICT 2014 (2014)
Google Scholar
Pass, R.: Simulation in quasi-polynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 160–176. Springer, Heidelberg (2003). doi:10.1007/3-540-39200-9_10
Chapter Google Scholar
Pass, R.: Alternative variants of zero-knowledge proofs. In: Licentiate (Master’s) Thesis, ISBN 91-7283-933-3 (2004)
Google Scholar
Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: STOC (1990)
Google Scholar
Rivest, R., Shamir, A., Wagner, D.: Time-lock puzzles and timed-release crypto. Technical report (1996)
Google Scholar
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 688–689. Springer, Heidelberg (1990). doi:10.1007/3-540-46885-4_68
Google Scholar
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). doi:10.1007/3-540-69053-0_18
Google Scholar
Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998). doi:10.1007/BFb0054137
Google Scholar
Santis, A., Yung, M.: On the design of provably-secure cryptographic hash functions. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 412–431. Springer, Heidelberg (1991). doi:10.1007/3-540-46877-3_37
Google Scholar
Waters, B., Juels, A., Halderman, J.A., Felten, E.W.: New client puzzle outsourcing techniques for dos resistance. In: CCS (2004)
Google Scholar

Download references

Author information

Authors and Affiliations

George Mason University, Fairfax, USA
Foteini Baldimtsi
University of Edinburgh, Edinburgh, UK
Aggelos Kiayias & Thomas Zacharias
Security Lancaster Research Centre, Lancaster University, Lancaster, UK
Bingsheng Zhang

Authors

Foteini Baldimtsi
View author publications
You can also search for this author in PubMed Google Scholar
Aggelos Kiayias
View author publications
You can also search for this author in PubMed Google Scholar
Thomas Zacharias
View author publications
You can also search for this author in PubMed Google Scholar
Bingsheng Zhang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Foteini Baldimtsi .

Editor information

Editors and Affiliations

Seoul National University, Seoul, Korea (Republic of)
Jung Hee Cheon
Kyushu University, Fukuoka, Japan
Tsuyoshi Takagi

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Baldimtsi, F., Kiayias, A., Zacharias, T., Zhang, B. (2016). Indistinguishable Proofs of Work or Knowledge. In: Cheon, J., Takagi, T. (eds) Advances in Cryptology – ASIACRYPT 2016. ASIACRYPT 2016. Lecture Notes in Computer Science(), vol 10032. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53890-6_30

Download citation

DOI: https://doi.org/10.1007/978-3-662-53890-6_30
Published: 09 November 2016
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53889-0
Online ISBN: 978-3-662-53890-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Indistinguishable Proofs of Work or Knowledge

Abstract

Similar content being viewed by others

Unified Proof of Work: Delegating and Solving Customized Computationally Bounded Problems in a Privacy-Preserving Way

The Hunting of the SNARK

Generalized Proofs of Knowledge with Fully Dynamic Setup

Keywords

1 Introduction

1.1 Our Results

2 Definitions

2.1 Cryptographic Puzzles

Definition 1

2.2 Definition of PoWorK

Definition 2

3 The Dense Puzzle Based PoWorK Construction

3.1 Preliminaries

3.2 The Dense Puzzle Based Compiler

3.3 Security of the Dense Puzzle Based Construction

Theorem 1

Proof

3.4 Dense Puzzle Instantiation in the Random Oracle Model

Theorem 2

Proof

3.5 Dense Puzzle Instantiation from Complexity Assumptions

Definition 3

Definition 4

Theorem 3

Proof

Theorem 4

Proof

3.6 Instantiation of the Dense Puzzle Based PoWorK

4 Applications

4.1 Email Spam Application

Definition 5

Theorem 5

Proof

4.2 PoWorK-Based Cryptocurrencies

Theorem 6

4.3 PoWorKs as 3-Move Straight-Line Concurrent Simulatable Arguments of Knowledge

Theorem 7

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation