Abstract
We initiate the study of verifiable capacity-bound functions (VCBF). The main VCBF property imposes a strict lower bound on the number of bits read from memory during evaluation (referred to as the minimum capacity). No adversary, even with unbounded computational resources, should be able to produce an output without spending this minimum memory capacity. Moreover, a VCBF allows for an efficient public verification process: given a proof of correctness, checking the validity of the output takes significantly fewer memory resources, sublinear in the target minimum capacity. Finally, it achieves soundness, i.e., no computationally bounded adversary can produce a proof that passes verification for a false output. With these properties, we believe a VCBF can be viewed as a “space” analog of a verifiable delay function. We then propose the first VCBF construction, relying on evaluating a degree-\(d\) polynomial f from \(\mathbb {F}_p[x]\) at a random point. We leverage ideas from Kolmogorov complexity to prove that sampling f from a large set (i.e., for high-enough d) ensures that evaluation must entail reading a number of bits proportional to the size of its coefficients. Moreover, our construction benefits from existing verifiable polynomial evaluation schemes to realize our efficient verification requirements. In practice, for a field of order \(O(2^\lambda )\) our VCBF achieves \(O((d+1)\lambda )\) minimum capacity, whereas verification requires just \(O(\lambda )\). The minimum capacity of our VCBF construction holds against adversaries that perform a constant number of random memory accesses during evaluation. This poses the natural question of whether a VCBF with high minimum capacity guarantees exists when dealing with adversaries that perform a non-constant (e.g., polynomial) number of random accesses.
The authors are listed alphabetically.
Notes
- 1.
We stress that, in the setting of memory-hard functions, the term “memory” is used to denote the number of memory blocks required to correctly evaluate (in a given time) the function. This differs from the VCBF objective of forcing the evaluator to read a fixed number of distinct bits (requiring n memory blocks of size w on evaluation does not imply reading nw distinct bits since multiple memory blocks may present a redundant pattern that may be compressed).
- 2.
- 3.
- 4.
For example, a particular (hard to guess) compressible pattern may be revealed after the polynomial coefficients are chosen. Note that this may happen (with a certain probability) even if the polynomial is sampled at random.
- 5.
This can also be seen by observing that the Rényi family of entropies is equivalent to Shannon entropy when considering uniform distributions (as considered in this work, e.g., polynomial’s coefficients are sampled at random).
- 6.
The challenge \(x= \textsf{H}(s,t)\) has this format since smart contracts cannot generate secret randomness to sample a random challenge.
- 7.
We explicitly detached y from its proof \(\pi _y\). Several works define the output of the computation algorithm \(\textsf{Compute}\) as a singleton \(\sigma _y\) (the encoding of the output y) defined as \(\sigma _y = (y, \pi _y)\).
- 8.
As we will discuss later, Kolmogorov Complexity considers constant-size Turing machines. This requires the use of a self-delimiting code to encode multiple inputs.
- 9.
Note that not all binary strings are valid Turing machines.
- 10.
The constant \(c_\textsf{T}\) corresponds to the self-delimiting description of the Turing machine \(\textsf{T}\).
- 11.
Observe that \(\tau _{x,r}\) can be fetched from \(\tau \) in an adaptive fashion according to the challenge x and randomness r.
- 12.
Without loss of generality, we assume the adversary reads exactly \(m\) bits since the higher the number of bits read, the higher the probability to compute the correct output \(y = \textsf{Eval}(\textsf{ek}, x)\).
- 13.
Without loss of generality, we assume that reading the first \(m\) bits of \(\tau \) requires the adversary to perform a random access to the first index of \(\tau \).
- 14.
Observe that \(|\textsf{vk}| + |x| + |y| + |\pi | \in o(m)\) (i.e., \(\textsf{vk},\pi ,y,x\) are “succinct”) is necessary to obtain a capacity-efficient verification of \(o(m)\). This is because \(\textsf{vk},\pi ,y,x\) are part of the verification algorithm \(\textsf{Verify}\) of VCBF.
- 15.
In the verification, \(O(\lambda )\) is for reading a constant number of group elements of order p, each of size at most \(\lambda +1\) bits. In the evaluation, \(O((d+1)\lambda ) = O(\lambda ^{c+1})\) (taking \(d \in O(\lambda ^c)\)) is for the \(d+1\) coefficients \((a_0, \ldots , a_d) \in \mathbb {F}^{d+1}_p\) of the polynomial \(f(X)\in \mathbb {F}_p[x]\).
- 16.
- 17.
We stress that the memory size n does not need to be super-polynomial (in the security parameter) in order to consider a VCBF secure. Indeed, in a scenario in which a machine has at most \(n = \lambda ^s \in \textsf{poly}\) bits of free memory (for a positive constant s), it is enough to show that the VCBF satisfies \((\epsilon , m, {\ell _{rnd}}, \lambda ^s)\)-min-capacity where \(\epsilon \) is the target advantage.
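The following is an added illustration, not code from the paper, of the evaluation side of the construction described in the abstract and of the compressibility caveat raised in notes 1 and 4. It samples a random degree-\(d\) polynomial over a toy prime field (the field \(p = 2^{127}-1\), the hash \(\textsf{H} = \) SHA-256 used for the challenge \(x = \textsf{H}(s,t)\) of note 6, and all function names are assumptions of this example), evaluates it by Horner's rule while metering how many coefficient bits are touched, and compares the zlib-compressed size of a random coefficient table against a structured one of the same \(n \cdot w\) size. The succinct verification step (an existing verifiable polynomial evaluation scheme with \(O(\lambda)\)-size proofs) is not implemented here.

```python
import hashlib
import secrets
import zlib

# Constructed toy parameters (not from the paper): a ~2^127 prime field, so each
# coefficient is one 127-bit field element; "lambda" here is P.bit_length().
P = 2**127 - 1
COEFF_BITS = P.bit_length()           # 127 bits of capacity per coefficient read
COEFF_BYTES = (COEFF_BITS + 7) // 8   # 16 bytes when serialized to a table


def keygen(d):
    """Sample f(X) = a_0 + a_1 X + ... + a_d X^d with uniform coefficients in F_p.

    The evaluation key ek = (a_0, ..., a_d) consists of d+1 field elements,
    i.e. min_capacity_bits(d) bits that an honest evaluator has to read.
    """
    return [secrets.randbelow(P) for _ in range(d + 1)]


def challenge(s: bytes, t: bytes) -> int:
    """x = H(s, t) reduced into F_p (note 6: the challenge is hash-derived from
    public values because a smart contract cannot sample secret randomness).
    The choice H = SHA-256 and the separator are assumptions of this example."""
    digest = hashlib.sha256(s + b"|" + t).digest()
    return int.from_bytes(digest, "big") % P


def min_capacity_bits(d: int) -> int:
    """The O((d+1)*lambda) bound from the abstract, made concrete for this field."""
    return (d + 1) * COEFF_BITS


class MeteredEvaluator:
    """Horner evaluation of f at x that meters how many coefficient bits are read."""

    def __init__(self, ek):
        self._ek = ek
        self.bits_read = 0

    def _read(self, i: int) -> int:
        # Every access fetches one full field element from the coefficient table.
        self.bits_read += COEFF_BITS
        return self._ek[i]

    def eval(self, x: int) -> int:
        acc = 0
        for i in range(len(self._ek) - 1, -1, -1):   # a_d first, down to a_0
            acc = (acc * x + self._read(i)) % P
        return acc


def naive_eval(ek, x: int) -> int:
    """Reference evaluation sum_i a_i * x^i mod p, used to cross-check Horner."""
    return sum(a * pow(x, i, P) for i, a in enumerate(ek)) % P


def serialized_size_bits(ek):
    """Return (raw_bits, zlib_compressed_bits) of the serialized coefficient table.

    Notes 1 and 4: holding n blocks of w bits only forces reading n*w distinct
    bits if the table admits no shorter description. zlib is a crude stand-in
    for Kolmogorov complexity (it gives an upper bound on a description length).
    raw_bits uses byte-padded 128-bit elements, so it slightly exceeds
    min_capacity_bits, which counts exact 127-bit elements.
    """
    raw = b"".join(a.to_bytes(COEFF_BYTES, "big") for a in ek)
    return len(raw) * 8, len(zlib.compress(raw, 9)) * 8


def demo(d: int = 1000) -> dict:
    ek = keygen(d)
    x = challenge(b"seed", b"epoch-1")        # constructed public inputs s, t
    ev = MeteredEvaluator(ek)
    y = ev.eval(x)
    raw_bits, zipped_random = serialized_size_bits(ek)
    structured = [ek[0]] * (d + 1)            # same n*w footprint, but compressible
    _, zipped_structured = serialized_size_bits(structured)
    return {
        "y": y,
        "bits_read": ev.bits_read,
        "min_capacity": min_capacity_bits(d),
        "raw_bits": raw_bits,
        "random_table_zlib_bits": zipped_random,
        "structured_table_zlib_bits": zipped_structured,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows `bits_read` equal to `min_capacity` for the honest evaluator, a random table whose zlib size is essentially its raw size (no shorter description found), and a structured table of identical footprint that compresses by more than an order of magnitude. The latter is exactly the situation notes 1 and 4 warn about: memory footprint alone is not a capacity bound, which is why the construction relies on the coefficients being sampled uniformly at random.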
Acknowledgments
We thank Irene Giacomelli and Luca Nizzardo for helpful discussions.
The authors were partially supported by Protocol Labs under the RFP-009 on Proof of Space and Useful Space. In addition, the second author was supported by the National Key R&D Program of China 2021YFB3100100 and the CAS Project for Young Scientists in Basic Research Grant YSBR-035, the third author was supported by the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM), and the fourth author was supported by the Hong Kong Research Grants Council under grant GRF-16200721.
© 2023 International Association for Cryptologic Research
Cite this paper
Ateniese, G., Chen, L., Francati, D., Papadopoulos, D., Tang, Q. (2023). Verifiable Capacity-Bound Functions: A New Primitive from Kolmogorov Complexity. In: Boldyreva, A., Kolesnikov, V. (eds) Public-Key Cryptography – PKC 2023. PKC 2023. Lecture Notes in Computer Science, vol 13941. Springer, Cham. https://doi.org/10.1007/978-3-031-31371-4_3
DOI: https://doi.org/10.1007/978-3-031-31371-4_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-31370-7
Online ISBN: 978-3-031-31371-4