
Towards Permissionless Consensus in the Standard Model via Fine-Grained Complexity

  • Conference paper
  • Advances in Cryptology – CRYPTO 2024 (CRYPTO 2024)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14921)

Abstract

We investigate the feasibility of permissionless consensus (aka Byzantine agreement) under standard assumptions. A number of protocols have been proposed to achieve permissionless consensus, most notably based on the Bitcoin protocol; however, to date no protocol is known that can be provably instantiated outside of the random oracle model.

In this work, we take the first steps towards achieving permissionless consensus in the standard model. In particular, we demonstrate that worst-case conjectures in fine-grained complexity, in particular the orthogonal vectors conjecture (implied by the Strong Exponential Time Hypothesis), imply permissionless consensus in the random beacon model—a setting where a fresh random value is delivered to all parties at regular intervals. This gives a remarkable win-win result: either permissionless consensus exists relative to a random beacon, or there are non-trivial worst-case algorithmic speed-ups for a host of natural algorithmic problems (including \(\textsf{SAT}\)).

Our protocol achieves resilience against adversaries that control an inverse-polynomial fraction of the honest computational power, i.e., adversarial power \(A=T^{1-\epsilon }\) for some constant \(\epsilon >0\), where T denotes the honest computational power. This relatively low threshold is a byproduct of the slack in the fine-grained complexity conjectures.

One technical highlight is the construction of a Seeded Proof of Work: a Proof of Work where many (correlated) challenges can be derived from a single short public seed, and yet still no non-trivial amortization is possible.

The full version of this paper appears in the Cryptology ePrint Archive [3].


Notes

  1. And in some cases, such as randomized protocols in the information-theoretic setting, also private.

  2. The reader may wonder why the PoW scheme presented in [5] doesn’t directly give a permissionless consensus protocol. The reason is that in Nakamoto’s protocol the PoW proving time must follow a geometric distribution, and it is not clear how to get this property from the scheme in [5] without an RO while retaining hardness. On the other hand, our (classical) approach to consensus directly benefits from deterministic-time PoW provers, as all parties are expected to produce a PoW by the end of the round deadline.

  3. In contrast to an RO, a beacon has a feasibly short description.

  4. Dwork and Naor themselves gave some candidates, for example assuming that existing attacks on the Ong-Schnorr-Shamir signature scheme could not be improved.

  5. They additionally observed that this technique applies to a variety of problems in fine-grained complexity. Later, others [8, 30, 31] extended this method to show that the problem of counting k-cliques is itself hard on average.

  6. A proof system is said to be doubly-efficient if the prover runs in polynomial time and the verifier runs in quasilinear time. We require the stronger property that the prover runs in the same time as performing the computation in the clear, up to subpolynomial factors.

  7. More generally, a non-interactive proof system where the \(\textsf{Prover}\) runs in time \(\tilde{O}(n^k)\) and the \(\textsf{Verifier}\) runs in time \(\tilde{O}(n^{k/2})\) is possible.

  8. We note that other methods are possible; however, we believe our robust direct sum theorem to be interesting in its own right.

  9. Looking ahead, the simulator will be used in the reduction from an attacker against the consensus protocol to an attacker against PoW hardness in order to simulate the work of honest parties. Thus, an efficient simulator is important to prove our protocol secure.

  10. Furthermore, in this approach digital signatures are also used, and thus the existence of one-way functions must be assumed, an assumption that, as we show, is not necessary.

  11. d is a function of n such that \(d=\omega (\log n)\) (for hardness) and \(d=\tilde{O}(1)\) (for efficiency). Typically we fix the choice \(d=\log ^2 n\) for concreteness.

  12. Note that this distribution is not pseudorandom in the traditional cryptographic sense: it is easy to distinguish from uniform (and moreover the adversary is given the seed describing a sample); it is only pseudorandom for the purposes of proving a Threshold Direct Sum theorem for \(f{\textsf{OV}}^k\).

  13. If it is not the case that \(t(n)\gg m(n)\), imagine that A outputs \((i,\hat{y}_i)_{i\in S}\) for some \(S\subseteq [n]\).

  14. This choice is made in [2] to avoid denial-of-service (DoS) attacks that may deplete the round-bounded computational power of the honest parties. We remark that handling DoS attacks this way is not the only option. For instance, one could block invalid PoW dissemination at the \(\mathcal {F}_{\textsc {diff}} \) level, but this is a strictly weaker option, as it actually allows verifying PoWs for free! On the other hand, one could opt for assuming even less about \(\mathcal {F}_{\textsc {diff}} \) and instead rely entirely on computational constraints/modeling to handle DoS. In such a setting it would be advantageous to have a PoW where the time to verify a “proof” scales directly with the work invested in producing the “proof.” We note that such a PoW can be built from standard PoWs by simply generating parallel proofs for an exponential tower of security parameters \((1,2,...,2^{\log \lambda })\) and verifying them in ascending order, yielding relative-cost verification. We believe our presentation in the simpler setting is more instructive.

  15. We overload the term “round” here, and assume that in a round of duration x each party can take up to \(x\cdot c\) computational steps.
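The ladder-of-proofs construction sketched in note 14 (parallel proofs for the parameters 1, 2, ..., 2^{log λ}, verified in ascending order) is easy to see in code. The following is an added illustration, not the paper's PoW or any code of the authors: it uses a constructed hash-based stand-in in which a rung with parameter w asks the prover for w distinct nonces whose SHA-256 with the challenge begins with two zero bits, and in which the rung verifier deliberately recomputes all w hashes before answering, so that its cost is fixed by w whether or not the proof is valid (the situation of an algebraic verifier, whose cost is set by the parameter rather than by where the first error appears; a real hash verifier could of course bail out at the first bad nonce). The challenge string standing in for the round's beacon value, the names `ladder`, `prove_rung`, `verify_rung`, `prove_ladder`, `lazy_ladder` and `verify_ladder`, and the `budget` of the lazy prover are all assumptions of this example. Counting hashes on both sides shows the point of the ordering: checked cheapest-first, a proof whose author only paid for the small rungs costs the verifier about what that author paid, while the same proof checked dearest-first costs the verifier the full λ.

```python
# Added illustration of note 14's ladder-of-proofs idea; a constructed stand-in,
# not the paper's PoW. A rung with parameter w asks for w distinct nonces n such
# that SHA-256(challenge || w || n) starts with two zero bits (about 4 hashes
# each to find), and the rung verifier recomputes all w hashes before deciding,
# so its cost is fixed by w whether or not the rung is valid.
import hashlib


def _hash(challenge: bytes, w: int, nonce: int) -> bytes:
    # w is mixed in so a nonce found for one rung is not reusable on another
    return hashlib.sha256(challenge + w.to_bytes(4, "big") + nonce.to_bytes(8, "big")).digest()


def _passes(digest: bytes) -> bool:
    # first two bits zero: a random digest passes with probability 1/4
    return digest[0] < 64


def ladder(lam: int) -> list[int]:
    """Parameters 1, 2, 4, ..., 2^{log lam} = lam from note 14 (lam a power of two)."""
    if lam <= 0 or lam & (lam - 1):
        raise ValueError("lam must be a power of two")
    return [1 << i for i in range(lam.bit_length())]


def prove_rung(challenge: bytes, w: int) -> tuple[list[int], int]:
    """Sequential search for w passing nonces; returns (nonces, hashes spent)."""
    nonces, nonce, spent = [], 0, 0
    while len(nonces) < w:
        spent += 1
        if _passes(_hash(challenge, w, nonce)):
            nonces.append(nonce)
        nonce += 1
    return nonces, spent


def verify_rung(challenge: bytes, w: int, nonces: list[int]) -> tuple[bool, int]:
    """Full-cost check: exactly w hashes whenever the shape is right. Returns (ok, hashes spent)."""
    if len(nonces) != w or len(set(nonces)) != w:
        return False, 0  # malformed or repeated nonces are rejected for free
    results = [_passes(_hash(challenge, w, n)) for n in nonces]
    return all(results), w


def prove_ladder(challenge: bytes, lam: int) -> tuple[list[list[int]], int]:
    """Honest prover: every rung of the ladder. Returns (proof, hashes spent)."""
    proof, spent = [], 0
    for w in ladder(lam):
        nonces, cost = prove_rung(challenge, w)
        proof.append(nonces)
        spent += cost
    return proof, spent


def lazy_ladder(challenge: bytes, lam: int, budget: int) -> tuple[list[list[int]], int]:
    """A prover that works only on rungs with w <= budget and pads the rest with
    well-formed junk (the nonces 0..w-1), hoping to waste the verifier's time."""
    proof, spent = [], 0
    for w in ladder(lam):
        if w <= budget:
            nonces, cost = prove_rung(challenge, w)
            proof.append(nonces)
            spent += cost
        else:
            proof.append(list(range(w)))
    return proof, spent


def verify_ladder(challenge: bytes, lam: int, proof: list[list[int]],
                  ascending: bool = True) -> tuple[bool, int]:
    """Check rungs cheapest-first (note 14) or, for comparison, dearest-first,
    stopping at the first failing rung. Returns (ok, total hashes spent)."""
    rungs = ladder(lam)
    if len(proof) != len(rungs):
        return False, 0
    order = range(len(rungs)) if ascending else range(len(rungs) - 1, -1, -1)
    spent = 0
    for i in order:
        ok, cost = verify_rung(challenge, rungs[i], proof[i])
        spent += cost
        if not ok:
            return False, spent
    return True, spent


if __name__ == "__main__":
    chal = b"constructed beacon value, round 7"  # stands in for the round's beacon output
    lam = 1024
    honest, hp = prove_ladder(chal, lam)
    print("honest prover hashes:", hp, "verifier (ok, hashes):", verify_ladder(chal, lam, honest))
    lazy, lp = lazy_ladder(chal, lam, budget=4)
    print("lazy prover hashes:", lp,
          "ascending verify:", verify_ladder(chal, lam, lazy),
          "descending verify:", verify_ladder(chal, lam, lazy, ascending=False))
```

With λ = 1024 the honest verifier spends 2047 hashes regardless of order. The lazy prover spends roughly 28 hashes on the three cheapest rungs; checked in ascending order the verifier passes those (7 hashes), spends 8 on the first junk rung and stops, so about 15 hashes in total, whereas checked in descending order it pays 1024 hashes on the junk top rung before rejecting. In this toy, verifying a rung costs about a quarter of proving it, which is a property of the stand-in and not of the paper's scheme; the ordering argument only needs per-rung verification cost to grow with the parameter.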

References

  1. Abboud, A., Williams, R.R., Yu, H.: More applications of the polynomial method to algorithm design. In: Indyk, P. (ed.) Proceedings of the Twenty-Sixth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2015, San Diego, CA, USA, January 4–6, 2015, pp. 218–230. SIAM (2015)

  2. Andrychowicz, M., Dziembowski, S.: Distributed cryptography based on the proofs of work. Cryptology ePrint Archive, Report 2014/796 (2014). http://eprint.iacr.org/

  3. Ball, M., Garay, J.A., Hall, P., Kiayias, A., Panagiotakos, G.: Towards permissionless consensus in the standard model via fine-grained complexity. IACR Cryptol. ePrint Arch., p. 637 (2024)

  4. Ball, M., Rosen, A., Sabin, M., Vasudevan, P.N.: Average-case fine-grained hardness. In: Hatami, H., McKenzie, P., King, V. (eds.) Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, Montreal, QC, Canada, June 19–23, 2017, pp. 483–496. ACM (2017)

  5. Ball, M., Rosen, A., Sabin, M., Vasudevan, P.N.: Proofs of work from worst-case assumptions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 789–819. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_26

  6. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS ’93, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 3–5, 1993, pp. 62–73 (1993)

  7. Bitcoinwiki: Genesis block. https://en.bitcoin.it/wiki/Genesis_block

  8. Boix-Adserà, E., Brennan, M.S., Bresler, G.: The average-case complexity of counting cliques in Erdős-Rényi hypergraphs. In: Zuckerman, D. (ed.) 60th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2019, Baltimore, Maryland, USA, November 9–12, 2019, pp. 1256–1280. IEEE Computer Society (2019)

  9. Cai, J.-Y., Pavan, A., Sivakumar, D.: On the hardness of permanent. In: Meinel, C., Tison, S. (eds.) STACS 1999. LNCS, vol. 1563, pp. 90–99. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49116-3_8

  10. Calabro, C., Impagliazzo, R., Paturi, R.: The complexity of satisfiability of small depth circuits. In: Chen, J., Fomin, F.V. (eds.) IWPEC 2009. LNCS, vol. 5917, pp. 75–85. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-11269-0_6

  11. Calabro, C., Impagliazzo, R., Paturi, R.: On the exact complexity of evaluating quantified k-CNF. In: Raman, V., Saurabh, S. (eds.) IPEC 2010. LNCS, vol. 6478, pp. 50–59. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17493-3_7

  12. Canetti, R., et al.: Fiat-Shamir: from practice to theory. In: STOC, pp. 1082–1090 (2019)

  13. Canetti, R., Chen, Y., Holmgren, J., Lombardi, A., Rothblum, G.N., Rothblum, R.D.: Fiat-Shamir from simpler assumptions. Cryptology ePrint Archive, Paper 2018/1004 (2018). https://eprint.iacr.org/2018/1004

  14. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: STOC, pp. 209–218 (1998)

  15. Canetti, R., Lombardi, A., Wichs, D.: Fiat-Shamir: from practice to theory, part II (NIZK and correlation intractability from circular-secure FHE). In: STOC (2019)

  16. Canetti, R., Pass, R., Shelat, A.: Cryptography from sunspots: how to use an imperfect reference string. In: 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2007), October 20–23, 2007, Providence, RI, USA, Proceedings, pp. 249–259. IEEE Computer Society (2007)

  17. Chan, T.M., Williams, R.: Deterministic APSP, orthogonal vectors, and more: quickly derandomizing Razborov-Smolensky. In: Krauthgamer, R. (ed.) Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2016, Arlington, VA, USA, January 10–12, 2016, pp. 1246–1255. SIAM (2016)

  18. Choudhuri, A.R., Garg, S., Jain, A., Jin, Z., Zhang, J.: Correlation intractability and SNARGs from sub-exponential DDH. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14084, pp. 635–668. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38551-3_20

  19. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19

  20. Damgård, I., Pfitzmann, B.: Sequential iteration of interactive arguments and an efficient zero-knowledge argument for NP. In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, pp. 772–783. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055101

  21. De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_33

  22. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_10

  23. Feldman, P., Micali, S.: An optimal probabilistic protocol for synchronous Byzantine agreement. SIAM J. Comput. 26(4), 873–933 (1997)

  24. Fitzi, M.: Generalized communication and security models in Byzantine agreement. Ph.D. thesis, ETH Zurich (2002)

  25. Gao, J., Impagliazzo, R., Kolokolova, A., Williams, R.R.: Completeness for first-order properties on sparse structures with algorithmic applications. In: Klein, P.N. (ed.) Proceedings of the Twenty-Eighth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2017, Barcelona, Spain, Hotel Porta Fira, January 16–19, pp. 2162–2181. SIAM (2017)

  26. Garay, J., Kiayias, A., Leonardos, N.: The Bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10

  27. Garay, J.A., Kiayias, A., Leonardos, N., Panagiotakos, G.: Bootstrapping the blockchain — directly. Cryptology ePrint Archive, Report 2016/991 (2016). http://eprint.iacr.org/2016/991

  28. Garay, J.A., Kiayias, A., Panagiotakos, G.: Blockchains from non-idealized hash functions. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 291–321. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_11

  29. Garay, J.A., Kiayias, A., Panagiotakos, G.: Consensus from signatures of work. In: Jarecki, S. (ed.) CT-RSA 2020. LNCS, vol. 12006, pp. 319–344. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40186-3_14

  30. Goldreich, O.: On counting t-cliques mod 2. Electron. Colloquium Comput. Complex., TR20-104 (2020)

  31. Goldreich, O., Rothblum, G.N.: Counting t-cliques: worst-case to average-case reductions and direct interactive proof systems. In: Thorup, M. (ed.) 59th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2018, Paris, France, October 7–9, 2018, pp. 77–88. IEEE Computer Society (2018)

  32. Impagliazzo, R., Paturi, R.: On the complexity of k-SAT. J. Comput. Syst. Sci. 62(2), 367–375 (2001)

  33. Jain, A., Jin, Z.: Non-interactive zero knowledge from sub-exponential DDH. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 3–32. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_1

  34. Katz, J., Koo, C.-Y.: On expected constant-round protocols for Byzantine agreement. J. Comput. Syst. Sci. 75(2), 91–112 (2009)

  35. Lamport, L.: The weak Byzantine generals problem. J. ACM 30(3), 668–676 (1983)

  36. Lamport, L., Shostak, R.E., Pease, M.C.: The Byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982)

  37. Lombardi, A., Vaikuntanathan, V.: Correlation-intractable hash functions via shift-hiding. In: ITCS (2022)

  38. Lund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. In: 31st Annual Symposium on Foundations of Computer Science, St. Louis, Missouri, USA, October 22–24, 1990, vol. I, pp. 2–10. IEEE Computer Society (1990)

  39. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2018). http://bitcoin.org/bitcoin.pdf

  40. Pass, R., Shi, E.: Rethinking large-scale consensus. Cryptology ePrint Archive, Paper 2018/302 (2018). https://eprint.iacr.org/2018/302

  41. Pease, M.C., Shostak, R.E., Lamport, L.: Reaching agreement in the presence of faults. J. ACM 27(2), 228–234 (1980)

  42. Rabin, M.O.: Randomized Byzantine generals. In: FOCS, pp. 403–409. IEEE Computer Society (1983)

  43. Williams, R.: A new algorithm for optimal 2-constraint satisfaction and its implications. Theor. Comput. Sci. 348(2–3), 357–365 (2005)

  44. Williams, R.R.: Strong ETH breaks with Merlin and Arthur: short non-interactive proofs of batch evaluation. In: Raz, R. (ed.) 31st Conference on Computational Complexity, CCC 2016, May 29 to June 1, 2016, Tokyo, Japan, volume 50 of LIPIcs, pp. 2:1–2:17. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2016)

  45. Williams, V.V.: On some fine-grained questions in algorithms and complexity. In: Proceedings of the International Congress of Mathematicians: Rio de Janeiro 2018, pp. 3447–3487. World Scientific (2018)


Author information

Corresponding author: Marshall Ball.


Copyright information

© 2024 International Association for Cryptologic Research

About this paper

Cite this paper

Ball, M., Garay, J., Hall, P., Kiayias, A., Panagiotakos, G. (2024). Towards Permissionless Consensus in the Standard Model via Fine-Grained Complexity. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – CRYPTO 2024. CRYPTO 2024. Lecture Notes in Computer Science, vol 14921. Springer, Cham. https://doi.org/10.1007/978-3-031-68379-4_4

  • DOI: https://doi.org/10.1007/978-3-031-68379-4_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-68378-7

  • Online ISBN: 978-3-031-68379-4

  • eBook Packages: Computer Science, Computer Science (R0)
