Efficient verifiable delay functions
We construct a verifiable delay function (VDF). A VDF is a function whose evaluation requires running a given number of sequential steps, yet the result can be efficiently verified. They have applications in decentralised systems, such as the generation of trustworthy public randomness in a trustless environment, or resource-efficient blockchains. To construct our VDF, we actually build a trapdoor VDF. A trapdoor VDF is essentially a VDF which can be evaluated efficiently by parties who know a secret (the trapdoor). By setting up this scheme in a way that the trapdoor is unknown (not even by the party running the setup, so that there is no need for a trusted setup environment), we obtain a simple VDF. Our construction is based on groups of unknown order such as an RSA group, or the class group of an imaginary quadratic field. The output of our construction is very short (the result and the proof of correctness are each a single element of the group), and the verification of correctness is very efficient.
Simple and Efficient Batch Verification Techniques for Verifiable Delay Functions
We study the problem of batch verification for verifiable delay functions (VDFs), focusing on proofs of correct exponentiation (PoCE), which underlie recent VDF constructions. We show how to compile any PoCE into a batch PoCE, offering significant savings in both communication and verification time. Concretely, given any PoCE with communication complexity , verification time and soundness error , and any pseudorandom function with key length and evaluation time , we construct:
-- A batch PoCE for verifying instances with communication complexity , verification time and soundness error , where is the security parameter, is an adjustable parameter that can take any integer value, and is the time required to evaluate the group operation in the underlying group.
This should be contrasted with the naive approach, in which the communication complexity and verification time are and , respectively. The soundness of this compiler relies only on the soundness of the underlying PoCE and the existence of one-way functions.
-- An improved batch PoCE based on the low order assumption. For verifying instances, the batch PoCE requires communication complexity and verification time , and has soundness error . The parameter can take any integer value, as long as it is hard to find group elements of order less than in the underlying group.
We discuss instantiations in which can be exponentially large in the security parameter .
If the underlying PoCE is constant round and public coin (as is the case for existing protocols), then so are all of our batch PoCEs. This implies that they can be made non-interactive using the Fiat-Shamir transform.
Additionally, for RSA groups with moduli which are the products of two safe primes, we show how to efficiently verify that certain elements are not of order . This protocol, together with the second compiler above and any (single-instance) PoCE in these groups, yields an efficient batch PoCE in safe RSA groups. To complete the picture, we also show how to extend Pietrzak's protocol (which is statistically sound in the group when is the product of two safe primes) to obtain a statistically-sound PoCE in safe RSA groups.
Simple Efficient Contracts in Complex Environments
The paper studies a general model of hold-up in a setting encompassing the models of Segal (1999) and Che and Hausch (1999) among others. It is shown that if renegotiation is modelled as an infinite-horizon non-cooperative bargaining game then, with a simple initial contract, an efficient equilibrium will generally exist. The contract gives authority to one party to set the terms of trade and gives the other party a non-expiring option to trade at these terms. The difference from standard results arises because the existing contract ensures that the renegotiation game has multiple equilibria; the multiplicity of continuation equilibria can be used to enforce efficient investment.
Mechanism Design with Renegotiation and Costly Messages
Finding Safety in Numbers with Secure Allegation Escrows
For fear of retribution, the victim of a crime may be willing to report it only if other victims of the same perpetrator also step forward. Common examples include 1) identifying oneself as the victim of sexual harassment, especially by a person in a position of authority or 2) accusing an influential politician, an authoritarian government, or one's own employer of corruption. To handle such situations, legal literature has proposed the concept of an allegation escrow: a neutral third party that collects allegations anonymously, matches them against each other, and de-anonymizes allegers only after de-anonymity thresholds (in terms of number of co-allegers), pre-specified by the allegers, are reached.
An allegation escrow can be realized as a single trusted third party; however, this party must be trusted to keep the identity of the alleger and content of the allegation private. To address this problem, this paper introduces Secure Allegation Escrows (SAE, pronounced "say"). A SAE is a group of parties with independent interests and motives, acting jointly as an escrow for collecting allegations from individuals, matching the allegations, and de-anonymizing the allegations when designated thresholds are reached. By design, SAEs provide a very strong property: no less than a majority of parties constituting a SAE can de-anonymize or disclose the content of an allegation without a sufficient number of matching allegations (even in collusion with any number of other allegers). Once a sufficient number of matching allegations exist, the join escrow discloses the allegation with the allegers' identities. We describe how SAEs can be constructed using a novel authentication protocol and a novel allegation matching and bucketing algorithm, provide formal proofs of the security of our constructions, and evaluate a prototype implementation, demonstrating feasibility in practice.
Comment: To appear in NDSS 2020. New version includes improvements to writing and proof. The protocol is unchanged.
KeyForge: Mitigating Email Breaches with Forward-Forgeable Signatures
Email breaches are commonplace, and they expose a wealth of personal, business, and political data that may have devastating consequences. The current email system allows any attacker who gains access to your email to prove the authenticity of the stolen messages to third parties -- a property arising from a necessary anti-spam / anti-spoofing protocol called DKIM. This exacerbates the problem of email breaches by greatly increasing the potential for attackers to damage the users' reputation, blackmail them, or sell the stolen information to third parties.
In this paper, we introduce "non-attributable email", which guarantees that a wide class of adversaries are unable to convince any third party of the authenticity of stolen emails. We formally define non-attributability, and present two practical system proposals -- KeyForge and TimeForge -- that provably achieve non-attributability while maintaining the important protection against spam and spoofing that is currently provided by DKIM. Moreover, we implement KeyForge and demonstrate that the scheme is practical, achieving competitive verification and signing speed while also requiring 42% less bandwidth per email than RSA2048.