Abstract
Since the formalization of Verifiable Delay Functions (VDF) by Boneh et al. in 2018, VDFs have been adopted for use in blockchain consensus protocols and random beacon implementations. However, the impending threat to VDF-based applications comes in the form of Shor’s algorithm running on quantum computers in the future which can break the discrete logarithm and integer factorization problems that existing VDFs are based on. Clearly, there is a need for quantum-secure VDFs. In this paper, we propose ZKBdf, which makes use of ZKBoo, a zero-knowledge proof system for verifiable computation, as the basis for realizing a quantum-secure VDF. We describe the algorithm, provide the security proofs, implement the scheme and measure the execution and size requirements. In addition, as ZKBdf extends the standard VDF with an extra “Prover-secret” feature, new VDF use-cases are also explored.
Notes
1. Source code at https://github.com/tanteikg/zkbdf.
2. We define \(ZKBdf.VerifyPseudo(H(e_k), Res, z, Cha, T) \rightarrow (result \in \{1,0\})\) as a function run by the Verifier. The difference with ZKBdf.Verify is that the input proof is the entire set of ZKBoo proofs \(z\) instead of the PCP proofs \(\pi\). As a reference, ZKBdf.VerifyPseudo achieves the same completeness, soundness, sequentiality, uniqueness, and quantum-secure properties; it only lacks the efficient-verifiability property that would make it a VDF.
3. The quantum-secure VDF by Chavez-Saab et al. [13] lacks published implementation details for comparison.
References
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Arora, S., Safra, S.: Probabilistic checking of proofs: a new characterization of NP. J. ACM (JACM) 45(1), 70–122 (1998)
Aura, T., Nikander, P., Leiwo, J.: DOS-resistant authentication with client puzzles. In: Christianson, B., Malcolm, J.A., Crispo, B., Roe, M. (eds.) Security Protocols 2000. LNCS, vol. 2133, pp. 170–177. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44810-1_22
Babai, L., Fortnow, L., Levin, L.A., Szegedy, M.: Checking computations in polylogarithmic time. In: Proceedings of the Twenty-Third Annual ACM Symposium on Theory of Computing, pp. 21–32 (1991)
Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_36
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_1
Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25
Boneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. IACR Cryptol. ePrint Arch. 2018, 712 (2018)
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Buterin, V.: STARKs, Part 3: Into the Weeds (2018). https://vitalik.ca/general/2018/07/21/starks_part_3.html. Accessed Apr 2023
Castryck, W., Decru, T.: An efficient key recovery attack on SIDH (preliminary version). Cryptology ePrint Archive (2022)
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1825–1842 (2017)
Chavez-Saab, J., Henríquez, F.R., Tibouchi, M.: Verifiable isogeny walks: towards an isogeny-based postquantum VDF. Cryptology ePrint Archive (2021)
Chiesa, A., Ma, F., Spooner, N., Zhandry, M.: Post quantum succinct arguments. Electronic Colloquium on Computational Complexity, (38) (2021). https://eccc.weizmann.ac.il//eccc-reports/2021/TR21-038/index.html
Cohen, B., Pietrzak, K.: Simple proofs of sequential work. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 451–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_15
De Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable delay functions from supersingular isogenies and pairings. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 248–277. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_10
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13
Douceur, J.R.: The Sybil attack. In: Druschel, P., Kaashoek, F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 251–260. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45748-8_24
Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_10
Eastlake 3rd, D., Hansen, T.: US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF) (2011), https://tools.ietf.org/html/rfc6234. Accessed Apr 2023
Ephraim, N., Freitag, C., Komargodski, I., Pass, R.: Continuous verifiable delay functions. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 125–154. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_5
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Proceedings of the Forty-Third Annual ACM Symposium on Theory of Computing, pp. 99–108 (2011)
Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for Boolean circuits. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 1069–1083 (2016)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM (JACM) 33(4), 792–807 (1986)
Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
Hosoyamada, A., Sasaki, Y.: Quantum collision attacks on reduced SHA-256 and SHA-512. Cryptology ePrint Archive, Report 2021/292 (2021). https://eprint.iacr.org/2021/292
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing, pp. 21–30 (2007)
Jakobsson, M., Juels, A.: Proofs of work and bread pudding protocols (extended abstract). In: Preneel, B. (ed.) Secure Information Networks. ITIFIP, vol. 23, pp. 258–272. Springer, Boston, MA (1999). https://doi.org/10.1007/978-0-387-35568-9_18
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 525–537 (2018)
Kelly, S., Frankel, S.: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec (2007). https://www.ietf.org/rfc/rfc4868.txt. Accessed Apr 2023
Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 244–263. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_15
Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: Proceedings of the Twenty-Fourth Annual ACM Symposium on Theory of Computing, pp. 723–732 (1992)
Landerreche, E., Stevens, M., Schaffner, C.: Non-interactive cryptographic timestamping based on verifiable delay functions. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 541–558. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_29
Lenstra, A.K., Wesolowski, B.: A random zoo: sloth, unicorn, and trx. IACR Cryptol. ePrint Arch. 2015, 366 (2015)
Mahmoody, M., Moran, T., Vadhan, S.: Publicly verifiable proofs of sequential work. In: Proceedings of the 4th Conference on Innovations in Theoretical Computer Science, pp. 373–388 (2013)
Mahmoody, M., Smith, C., Wu, D.J.: Can verifiable delay functions be based on random oracles? ICALP (2020)
Mendel, F., Nad, T., Schläffer, M.: Improving local collisions: new attacks on reduced SHA-256. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_16
Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_40
Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)
Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf. Accessed Apr 2023
OWASP: OWASP Top Ten 2017: A2:2017-Broken Authentication (2017). https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication. Accessed Apr 2023
Pass, R., Shi, E.: The sleepy model of consensus. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 380–409. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_14
Pietrzak, K.: Simple verifiable delay functions. In: 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2018)
Rescorla, E.: The transport layer security (TLS) protocol version 1.3 (2018). https://tools.ietf.org/html/rfc8446. Accessed Apr 2023
Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto (1996)
Roth, A.E., Ockenfels, A.: Last-minute bidding and the rules for ending second-price auctions: evidence from eBay and Amazon auctions on the internet. Am. Econ. Rev. 92(4), 1093–1103 (2002)
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999)
Song, F., Yun, A.: Quantum security of NMAC and related constructions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 283–309. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_10
Starkware: Presenting: VeeDo a STARK-based VDF Service (2020). https://medium.com/starkware/presenting-veedo-e4bbff77c7ae. Accessed Apr 2023
Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
Unruh, D.: Collapse-binding quantum commitments without random oracles. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 166–195. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_6
Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13
Yang, Z., Qin, B., Wu, Q., Shi, W., Liang, B.: Experimental comparisons of verifiable delay functions. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds.) ICICS 2020. LNCS, vol. 12282, pp. 510–527. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61078-4_29
Acknowledgement
Jianying Zhou is supported by A*STAR under its RIE2020 Advanced Manufacturing and Engineering (AME) Industry Alignment Fund - Pre-Positioning (IAF-PP) Award A19D6a0053. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of A*STAR. Zengpeng Li is supported by the Natural Science Foundation of Shandong Province, China (grant No. ZR2023MF045) and the Natural Science Foundation of Qingdao, China (grant No. 23-2-1-152-zyyd-jch).
Appendix - ZKBdf Application Areas
At present, we see the use of VDFs in consensus protocols for blockchains such as Ethereum (ethereum.org), Tezos (tezos.foundation) and Chia (chia.net) as well as in constructing time-stamping services and random beacons [21, 34, 50]. However, we believe that there is a wider use-case for VDFs if the functionality of a Prover-secret is included. In this appendix, we take an exploratory approach to identify other possible use-cases where applications can use ZKBdf to improve outcomes. These are described below.
A.1 Limiting Authentication Retries
One use-case is a delay function applied during the authentication process to limit brute-force attacks against a backend authentication service. Broken Authentication is among the top 10 security risks highlighted by OWASP (Open Web Application Security Project) [42], and one of the recommended ways to address it is to introduce an increasing delay for repeated failed authentication attempts. Such a setup, however, requires the backend authentication service to maintain failed-attempt state for every user, which adds resource overhead and complexity, especially in distributed systems. There are also many protocols, such as Bitcoin [41], Transport Layer Security [45] and Wi-Fi Protected Access (IEEE 802.11-2020), which do not require tracking of failed authentication attempts at all. A stateless delay mechanism using client-side puzzles is presented by Aura et al. [3], where every authentication is preceded by a PoW challenge that the authentication client must solve before the server verifies the solution. Similar mechanisms are also used to prevent brute-force denial-of-service network attacks and to limit peer-to-peer Sybil attacks [18].
The advantage of using ZKBdf instead of a client-side PoW puzzle is that the number of authentication retries that a hacker can make is deterministic and no longer dependent on the amount of resources available to the hacker. Increasing the amount of CPU/memory resources at the hacker’s end does not increase the number of authentication retries, and this will serve to deter hackers while not increasing the carbon footprint caused by ever-more complex puzzles.
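The stateless retry-limiting flow above, as an added illustration that is not code from the paper or the zkbdf repository. The challenge format (HMAC over issue time, T, nonce and username), the binding of the credential attempt into the delay-function seed, and the demo user table are assumptions made here; the sequential SHA-256 chain is only a stand-in for ZKBdf.Eval, so the verifier has to recompute it rather than check a succinct proof.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values: the server key and user table are illustrative only.
SERVER_KEY = os.urandom(32)
T_STEPS = 20000          # delay parameter T: sequential steps the client must perform per attempt
USERS = {"alice": hashlib.sha256(b"demo-salt" + b"correct horse").digest()}
TAG_LEN = 32

def sequential_eval(seed: bytes, t: int) -> bytes:
    """Stand-in for the VDF Eval: t dependent SHA-256 iterations. Unlike ZKBdf it yields
    no succinct proof, so verify_attempt() below has to recompute the whole chain."""
    x = seed
    for _ in range(t):
        x = hashlib.sha256(x).digest()
    return x

def issue_challenge(username: str, now: int) -> bytes:
    """Server: issue time, T, nonce and username under an HMAC, so the challenge carries
    its own state and the server keeps no per-user failed-attempt counters."""
    body = struct.pack(">QI", now, T_STEPS) + os.urandom(16) + username.encode()
    return body + hmac.new(SERVER_KEY, body, hashlib.sha256).digest()

def solve_challenge(challenge: bytes, password: str) -> bytes:
    """Client: seed the delay function with the challenge AND the credential being tried
    (an assumption of this example), so one solved challenge cannot serve many guesses."""
    seed = hashlib.sha256(challenge + password.encode()).digest()
    return sequential_eval(seed, T_STEPS)

def verify_attempt(challenge: bytes, response: bytes, username: str,
                   password: str, now: int, max_age: int = 300) -> bool:
    """Server: check the challenge is genuine and fresh, that the delay work was done for
    this exact attempt, and only then consult the credential store."""
    body, tag = challenge[:-TAG_LEN], challenge[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(SERVER_KEY, body, hashlib.sha256).digest()):
        return False                      # forged or tampered challenge
    issued, t = struct.unpack(">QI", body[:12])
    if t != T_STEPS or body[28:] != username.encode() or not 0 <= now - issued <= max_age:
        return False                      # wrong T, wrong user, or stale challenge
    expected = sequential_eval(hashlib.sha256(challenge + password.encode()).digest(), t)
    if not hmac.compare_digest(expected, response):
        return False                      # sequential work not done for this attempt
    stored = USERS.get(username)          # demo table; a real service stores a proper password hash
    digest = hashlib.sha256(b"demo-salt" + password.encode()).digest()
    return stored is not None and hmac.compare_digest(stored, digest)

if __name__ == "__main__":
    cha = issue_challenge("alice", now=1_700_000_000)
    res = solve_challenge(cha, "correct horse")
    print(verify_attempt(cha, res, "alice", "correct horse", now=1_700_000_010))  # True
```

Every password guess, right or wrong, costs the client one full sequential evaluation, which is the property the appendix relies on; with ZKBdf the recomputation in the verifier would be replaced by checking the proof.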
A.2 Improving Auction Liveliness
In a classical English auction, an item is put on offer for participants to bid on in an open outcry manner. The auctioneer asks participants to place bids higher than the previous bid, and when a period has elapsed without any participant placing a higher bid, the auction is closed with the winner being the participant who submitted the latest (and highest) bid. Online auctions on the Internet, on the other hand, mostly have no concept of an elapsed time since the last bid. Instead, there is an auction end-time, and the highest bid received before the end-time is the winning bid. This has given rise to situations where participants are passive throughout most of the auction period and are only active in the closing moments of the auction, where bid sniping [47] occurs.
The ZKBdf protocol could be used to allow honest participants to determine the end of the auction prior to the end-time. When a participant submits a valid highest bid, the participant is issued with a VDF challenge which effectively starts the elapsed time computation. If no higher bid is received prior to the participant completing the VDF challenge and submitting the response, then the participant would have won the auction, thus ending the auction. The advantage of using the VDF here is that we expect participants will no longer wait till the closing moments before bidding. Another possible positive outcome would be the detection of shill bidding (an agent working for a corrupt seller to bid up the price without any intention to buy) since the seller’s agent is unlikely to submit the VDF response to close the auction.
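The auction-closing rule above as an added example, not code from the paper. The point it makes concrete is the bookkeeping the prose implies: a delay-function response only closes the auction if it answers the challenge of the current highest bid, so a bidder who is outbid mid-computation holds a stale challenge. The challenge construction and the sequential SHA-256 chain standing in for ZKBdf.Eval are assumptions of this example.

```python
import hashlib
import os

T_STEPS = 20000   # delay parameter T: the elapsed-time requirement expressed as sequential steps

def sequential_eval(seed: bytes, t: int) -> bytes:
    """Stand-in for the VDF Eval (t chained SHA-256 calls); ZKBdf would add a succinct proof."""
    x = seed
    for _ in range(t):
        x = hashlib.sha256(x).digest()
    return x

class DelayClosedAuction:
    """Each valid highest bid starts a fresh challenge; the auction closes only when the holder
    of the *current* highest bid returns a valid response before anyone outbids them."""
    def __init__(self, t: int = T_STEPS):
        self.t = t
        self.highest = None       # (bidder, amount) of the current leading bid
        self.challenge = None     # challenge tied to that bid; replaced whenever it is outbid
        self.winner = None

    def place_bid(self, bidder: str, amount: int):
        if self.winner is not None:
            raise ValueError("auction already closed")
        if self.highest is not None and amount <= self.highest[1]:
            return None           # not a new highest bid: no challenge is issued
        self.highest = (bidder, amount)
        # Constructed challenge: fresh nonce bound to this bid, so an earlier one cannot be reused.
        self.challenge = hashlib.sha256(os.urandom(16) + f"{bidder}:{amount}".encode()).digest()
        return self.challenge

    def submit_response(self, bidder: str, challenge: bytes, response: bytes) -> bool:
        if self.winner is not None or challenge != self.challenge or bidder != self.highest[0]:
            return False          # closed, stale challenge (bidder was outbid), or wrong party
        if response != sequential_eval(challenge, self.t):
            return False          # the elapsed-time work was not actually performed
        self.winner = self.highest
        return True
```
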
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Tan, T.G., Sharma, V., Li, Z.P., Szalachowski, P., Zhou, J. (2023). ZKBdf: A ZKBoo-Based Quantum-Secure Verifiable Delay Function with Prover-Secret. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2023. Lecture Notes in Computer Science, vol 13907. Springer, Cham. https://doi.org/10.1007/978-3-031-41181-6_29
DOI: https://doi.org/10.1007/978-3-031-41181-6_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41180-9
Online ISBN: 978-3-031-41181-6