86 research outputs found

    Foundations, Properties, and Security Applications of Puzzles: A Survey

    Cryptographic algorithms have been used not only to create robust ciphertexts but also to generate cryptograms that, contrary to the classic goal of cryptography, are meant to be broken. These cryptograms, generally called puzzles, require the use of a certain amount of resources to be solved, hence introducing a cost that is often regarded as a time delay---though it could involve other metrics as well, such as bandwidth. These powerful features have made puzzles the core of many security protocols, acquiring increasing importance in the IT security landscape. The concept of a puzzle has subsequently been extended to other types of schemes that do not use cryptographic functions, such as CAPTCHAs, which are used to discriminate humans from machines. Overall, puzzles have experienced a renewed interest with the advent of Bitcoin, which uses a CPU-intensive puzzle as proof of work. In this paper, we provide a comprehensive study of the most important puzzle construction schemes available in the literature, categorizing them according to several attributes, such as resource type, verification type, and applications. We have redefined the term puzzle by collecting and integrating the scattered notions used in different works, to cover all the existing applications. Moreover, we provide an overview of the possible applications, identifying key requirements and different design approaches. Finally, we highlight the features and limitations of each approach, providing a useful guide for the future development of new puzzle schemes.
    Comment: This article has been accepted for publication in ACM Computing Surveys.

    Pseudonymous Broadcast and Secure Computation from Cryptographic Puzzles

    In standard models of distributed computation, point-to-point channels between parties are assumed to be authenticated by some pre-existing means. In other cases, even stronger pre-existing setup—e.g., a public-key infrastructure (PKI)—is assumed. These assumptions are too strong for open, peer-to-peer networks, where parties do not necessarily have any prior relationships and can come and go as they please. Nevertheless, these assumptions are made due to the prevailing belief that nothing “interesting” can be achieved without them. Taking inspiration from Bitcoin, we show that precise bounds on computational power can be used in place of pre-existing setup to achieve weaker (but nontrivial) notions of security. Specifically, under the assumption that each party can solve cryptographic puzzles only at a bounded rate (and the existence of digital signatures), we show that without prior setup and with no bound on the number of corruptions, a group of parties can agree on a PKI with which they can then realize pseudonymous notions of authenticated communication, broadcast, and secure computation. Roughly, “pseudonymous” here means that parties are identified by pseudonyms rather than by their true identities.

    Cryptographic timestamping through Sequential Work

    We present a definition of an ideal timestamping functionality that maintains a timestamped record of bitstrings. The functionality can be queried to certify the record and the age of each entry at the current time. An adversary can corrupt the timestamping functionality, in which case the adversary can output its own certifications of the record and age of entries under strict limitations. Most importantly, the adversary initially cannot falsify any part of the record, but the maximum age of entries the adversary can falsify grows linearly over time. We introduce a single-prover non-interactive cryptographic timestamping protocol based on proofs of sequential work. The protocol securely implements the timestamping functionality in the random-oracle model and universal-composability framework against an adversary that can compute proofs of sequential work faster by a certain factor. Because of the computational effort required, such adversaries have the same strict limitations under which they can falsify the record as under the ideal functionality. This protocol trivially extends to a multi-prover protocol where the adversary can only generate malicious proofs when it has corrupted at least half of all provers. As an attractive feature, we show how any party can efficiently borrow proofs by interacting with the protocol and generate its own certification of records and their ages with only a constant loss in age. The security guarantees of our timestamping protocol only depend on how long ago the adversary corrupted parties and on how fast honest parties can compute proofs of sequential work relative to an adversary; in particular, these guarantees are not affected by how many proofs of sequential work honest or adversarial parties run in parallel.

    Provable Security for Cryptocurrencies

    The past several years have seen the surprising and rapid rise of Bitcoin and other “cryptocurrencies.” These are decentralized peer-to-peer networks that allow users to transmit money, to compose financial instruments, and to enforce contracts between mutually distrusting peers, and that show great promise as a foundation for financial infrastructure that is more robust, efficient and equitable than ours today. However, it is difficult to reason about the security of cryptocurrencies. Bitcoin is a complex system, comprising many intricate and subtly-interacting protocol layers. At each layer it features design innovations that (prior to our work) have not undergone any rigorous analysis. Compounding the challenge, Bitcoin is but one of hundreds of competing cryptocurrencies in an ecosystem that is constantly evolving. The goal of this thesis is to formally reason about the security of cryptocurrencies, reining in their complexity, and providing well-defined and justified statements of their guarantees. We provide a formal specification and construction for each layer of an abstract cryptocurrency protocol, and prove that our constructions satisfy their specifications. The contributions of this thesis are centered around two new abstractions: “scratch-off puzzles,” and the “blockchain functionality” model. Scratch-off puzzles are a generalization of the Bitcoin “mining” algorithm, its most iconic and novel design feature. We show how to provide secure upgrades to a cryptocurrency by instantiating the protocol with alternative puzzle schemes. We construct secure puzzles that address important and well-known challenges facing Bitcoin today, including wasted energy and dangerous coalitions. The blockchain functionality is a general-purpose model of a cryptocurrency rooted in the “Universal Composability” cryptography theory. We use this model to express a wide range of applications, including transparent “smart contracts” (like those featured in Bitcoin and Ethereum), and also privacy-preserving applications like sealed-bid auctions. We also construct a new protocol compiler, called Hawk, which translates user-provided specifications into privacy-preserving protocols based on zero-knowledge proofs.

    SoK: Delay-based Cryptography

    In this work, we provide a systematisation of knowledge of delay-based cryptography, in which we discuss and compare the existing primitives within cryptography that utilise a time-delay. We start by considering the role of time within cryptography, explaining broadly what a delay aimed to achieve at its inception and now, in the modern age. We then move on to describing the underlying assumptions used to achieve these goals, and analyse topics including trust, decentralisation and concrete methods to implement a delay. We then survey the existing primitives, discussing their security properties, instantiations and applications. We make explicit the relationships between these primitives, identifying a hierarchy and the theoretical gaps that exist. We end this systematisation of knowledge by highlighting relevant future research directions within the field of delay-based cryptography, from which this area would greatly benefit.

    Applications of the Blockchain using cryptography

    PhD Thesis. We have witnessed the rise of cryptocurrencies in the past eight years. Bitcoin and Ethereum are the world’s most successful cryptocurrencies with market capitalisations of $37bn and $21bn respectively in June 2017. The innovation behind these cryptocurrencies is the blockchain which is an immutable and censorship resistant public ledger. Bitcoin introduced the blockchain to trade a single asset (i.e. bitcoins), whereas Ethereum adopted the blockchain to store and execute expressive smart contracts. In this thesis, we consider cryptographic protocols that bootstrap trust from the blockchain. This includes secure end-to-end communication between two pseudonymous users, payment protocols, payment networks and decentralised internet voting. The first three applications rely on Bitcoin, whereas the final e-voting application is realised using Ethereum. First, it is important to highlight that Bitcoin was designed to protect the anonymity (or pseudonymity) for financial transactions. Nakamoto proposed that financial privacy is achievable by storing each party’s pseudonym (and not their real-world identity) in a transaction. We highlight that this approach for privacy has led to real-world authentication issues as merchants are failing to re-authenticate customers in post-transaction correspondence. To alleviate these issues, we propose an end-to-end secure communication protocol for Bitcoin users that does not require any trusted third party or public-key infrastructure. Instead, our protocol leverages the Blockchain as an additional layer of authentication. Furthermore, this insight led to the discovery of two attacks in BIP70: Payment Protocol which is a community-accepted standard used by more than 100,000 merchants. Our attacks were acknowledged by the leading payment processors including Coinbase, BitPay and Bitt. As well, we have proposed a revised Payment Protocol that prevents both attacks. Second, Bitcoin as deployed today does not scale. Scalability research has focused on two directions: 1) redesigning the Blockchain protocol, and 2) facilitating ‘off-chain transactions’ and only consulting the Blockchain if an adjudicator is required. We focus on the latter and provide an overview of Bitcoin payment networks. These consist of two components: payment channels to facilitate off-chain transactions between two parties, and the capability to fairly exchange bitcoins across multiple channels. We compare Duplex Micropayment Channels and Lightning Channels, before discussing Hashed Time Locked Contracts which enable Bitcoin-based payment networks. Furthermore, we highlight challenges in routing and path-finding that need to be overcome before payment networks are practically feasible. Finally, we study the feasibility of executing cryptographic protocols on Ethereum. We provide the first implementation of a decentralised and self-tallying internet voting protocol with maximum voter privacy as a smart contract. The Open Vote Network is suitable for boardroom elections and is written as a smart contract for Ethereum. Unlike previously proposed Blockchain e-voting protocols, this is the first implementation that does not rely on any trusted authority to compute the tally or to protect the voter’s privacy. Instead, the Open Vote Network is a self-tallying protocol, and each voter is in control of the privacy of their own vote such that it can only be breached by a full collusion involving all other voters. The execution of the protocol is enforced using the consensus mechanism that also secures the Ethereum blockchain. We tested the implementation on Ethereum’s official test network to demonstrate its feasibility. Also, we provide a financial and computational breakdown of its execution cost.