Ok, thank you. This is joint work with Sebastian Faust, Vladimir Kolmogorov and Krzysztof Pietrzak. The general idea is that we introduce a new concept, which we call proofs of space. It's a type of proof of effort, where effort is measured in terms of wasted memory, so it's sort of an alternative to proofs of work. I was talking about proofs of work yesterday, but let me just briefly go through these definitions again. For the purpose of this talk, we will look at proofs of work as a tool for dealing with Sybil attacks. Sybil attacks are a popular term in the systems community, and what they mean by this term is simply the situation where you have some resource and lots of people who want to use it, and if you don't have anything like a public-key infrastructure or another way to distinguish people, then one dishonest guy can create lots of fake identities and grab more than his fair share. Ok, so this is what they call a Sybil attack, and proofs of work can be viewed as a tool to combat these attacks. They were introduced by Dwork and Naor at this conference in 1992. Their initial motivation was a countermeasure against spam, but as I said, they can be used for other purposes. The basic idea is to force the users to do some computational work which is moderately hard: the user solves a moderately hard puzzle, and checking the correctness of the solution should be quick. How are they used? They can be used in many different ways, but let's think about the following. Say there is some identifier ID, for example the email address of some user, and you want to make sure that someone doesn't create something like one million different email addresses.
And suppose the IDs are different for each execution, so there is a verifier in this proof, and suppose for example that this ID contains some nonce generated by the verifier. So you have a verifier and a prover, they both know this ID, and now the prover computes a solution of the proof of work on the ID and sends it to the verifier; the verifier checks correctness and outputs accept or reject. Computing the solution should be slow, say it takes a minute, and the verification should be very fast. So these are proofs of work, and they have many different applications: for example, if you have some cloud computing service and you want to prevent people from abusing it, or you want to prevent people from launching Denial of Service attacks, and the recent application is the Bitcoin cryptocurrency system. Ok, so how do we measure computational difficulty? Well, the original measure was the number of computing steps; some later works actually define the difficulty in terms of the number of times the memory is accessed. I'm mentioning these papers here because it may sound similar to what we do, because they also somehow involve memory, but it's something else: they were just measuring the number of steps, the number of times the memory was accessed. So it's different, although the techniques are sometimes similar. Ok, so what are the drawbacks of proofs of work? One is high energy consumption, which is visible in Bitcoin; some people even call Bitcoin an environmental disaster, because computing proofs of work consumes energy, and that costs money. And for example in Bitcoin the problem is that it gives an advantage to people with dedicated hardware. Sometimes people think this is a problem, sometimes not, but anyway it's a feature that may be undesirable. It's much faster to solve a proof of work if you do it on dedicated hardware, on ASICs; that's why everybody is mining on hardware. Ok, so what to do?
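For concreteness, the hash-puzzle flavor of proof of work described above can be sketched as follows. This is only an illustration, not a construction from the talk; the function names and the difficulty parameter are my own:

```python
import hashlib

def solve_pow(identifier: str, difficulty: int) -> int:
    """Find a nonce such that H(ID || nonce) starts with `difficulty` zero bits.

    This is the slow part: expected work is about 2**difficulty hash calls.
    """
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{identifier}:{nonce}".encode()).digest()
        # Interpret the digest as a big integer and test the leading bits.
        if int.from_bytes(digest, "big") >> (256 - difficulty) == 0:
            return nonce
        nonce += 1

def verify_pow(identifier: str, nonce: int, difficulty: int) -> bool:
    """Verification is a single hash evaluation -- much cheaper than solving."""
    digest = hashlib.sha256(f"{identifier}:{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty) == 0
```

The asymmetry between `solve_pow` and `verify_pow` is exactly the slow-prover / fast-verifier property from the slide.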
So this problem seems to be unavoidable, because to prove that you invested a lot of computing power you need to actually do this computation, right? It's almost tautological: the only way to prove that you did the work is to actually do the work. And the question is, is there any other resource you could use? And that's where our new concept comes in. We suggest to use space, ok? So we call it proof of space, and instead of CPU we will use disk space. Here is an example application, just to fix ideas. Suppose we have a cloud service, an email system, say Gmail, something like this, and the goal is to prevent malicious users from opening lots of fake accounts. So let's say we will force each account owner to waste a large part of his local disk space: whenever you open a Gmail account you have to allocate, say, 100 gigabytes on your hard disk, filled with some data. And what's very important, this is one of the most important features of this primitive, is that this space needs to be allocated for the whole period during which the user is using the system. So as long as I want to use the system I will have to waste these 100 gigabytes; it's not enough that I do it once, the data will have to stay there. So what's the main difference between this and proof of work? You can look at it this way: to prove that you dedicated n CPU cycles you really have to perform these cycles, while to prove that you wasted n bytes, the proof will not need to touch all these bytes. So it will be more efficient, and I will show you in a moment what I mean by this. Our main motivation is that it should be more efficient than proof of work. So what are the advantages? Well, as I said, it's more energy efficient, and there is no hardware acceleration, because we will just be storing bits; there is nothing like dedicated hardware for storing particular bits, right?
And it should be cheaper; actually the second reason here is implied by the first. It's cheaper because people can really use their unused disk space for this, ok? The problem with proof of work in Bitcoin is this: the initial motivation for Bitcoin was that people could use their unused CPU cycles, but first of all it costs energy, and second, it's now not profitable because everybody mines on dedicated hardware. So hopefully with proof of space this will be different. Ok, so let's think a little bit about what the security definition should look like. The first natural question is how to measure time and space. Here we will measure time in terms of the number of calls to the random oracle, ok? That's basically the only thing you can do here; if you want formal proofs, you have to use the random oracle model. Space will be measured in blocks of length L, which you should think of as the output length of a hash function, say 256 bits or something like this. Ok, and again the proof will be done with respect to some identifier ID, and the prover and the verifier both know this ID. Say the ID is the email address of this user, and the verifier is Gmail.
So first there will be an initialization phase, during which we fill the memory of the user with some data R consisting of n blocks of length L, where n is a parameter; the data will not really be random, but think of it as random. This phase can take a while. Then, every now and then, the verifier will check if this data is still there. So there will be a proof phase, in which the verifier asks the prover to provide some of the blocks of R (the prover will not look at the entire R, just at some blocks), the prover answers, and the verifier outputs accept or reject. This can be done periodically; for example, once a day Gmail checks if the user still stores the data. So how to define security? First of all we would like some kind of completeness; this is the simple requirement that if everybody is honest then the verifier accepts. Then soundness and efficiency, and these are a little less trivial to define, so I will get to them on the next slides. But let's start with efficiency, and to show you the tricky part in this definition, here is an example of an inefficient proof of space, a trivial one. Of course I haven't defined security yet, so this will stay on the intuitive level, but it should be clear that it is secure and just inefficient. The trivial proof of space works like this: in the initialization phase the verifier sends a random string R of n blocks to the prover, and the prover simply stores it. Then in the proof phase the verifier asks for some random subset of indices from [n], of size k, the prover replies with the corresponding blocks, and the verifier checks if the answers are correct. Of course the verifier doesn't need to store R himself: he can generate R pseudorandomly and just store the seed. So this works, and it should be kind of obvious that to pass this verification the prover needs to store a significant fraction of R, otherwise he would not be able to answer the questions. The only problem with this solution is that the initialization phase requires a lot of work; in particular it requires the verifier to send the whole string R to the prover. Of course he cannot just send the seed, because then the scheme would not be secure. So our efficiency requirements are as follows: basically everything should be very efficient, except maybe the initialization phase for the prover. This of course also imposes limits on the communication complexity. By efficient we mean polynomial in log n and in the security parameter; only the prover in the initialization phase obviously needs to work at least linear time in n, because he needs to fill in his memory, so this is unavoidable. And actually the constants in our results are small, so the "poly" here would in most cases just be k times log n. Ok, so now we are back to the definition of security, and the reason I have it in this order is something we will see in a moment. Informally, we would like to force the prover to constantly waste a lot of memory. So what would be his goal if he is cheating? His goal would be to compress R: instead of storing R he would store some shorter x of, say, n0 blocks, which is much less than n, and then each time he needs to execute the proving phase he would either expand x to recover R, or try to respond to the questions in the proof phase by looking only at the compressed R, which is x, and so on. Now here is the problem: it's easy to see that if you formulate the problem like this, a cheating prover has a simple, but not necessarily efficient, winning strategy. What he can do is, in the initialization phase, just simulate the honest prover, then erase R and store only the messages that he received from the verifier.
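Going back to the trivial scheme described above, here is a minimal sketch of it, with my own helper names; as in the talk, the verifier keeps only a seed and regenerates the challenged blocks pseudorandomly:

```python
import hashlib
import random

BLOCK_LEN = 32  # L: one hash output, 256 bits

def block(seed: bytes, i: int) -> bytes:
    """Pseudorandomly derive the i-th block of R from the verifier's seed."""
    return hashlib.sha256(seed + i.to_bytes(8, "big")).digest()

# --- initialization phase: verifier sends all n blocks, prover stores them ---
def init_prover(seed: bytes, n: int) -> list[bytes]:
    return [block(seed, i) for i in range(n)]  # n * BLOCK_LEN bytes of storage

# --- proof phase: verifier challenges k random indices out of [n] ---
def challenge(n: int, k: int) -> list[int]:
    return random.sample(range(n), k)

def respond(stored: list[bytes], indices: list[int]) -> list[bytes]:
    return [stored[i] for i in indices]

def verify(seed: bytes, indices: list[int], answers: list[bytes]) -> bool:
    # The verifier recomputes only the k challenged blocks from the seed.
    return all(block(seed, i) == a for i, a in zip(indices, answers))
```

The inefficiency is visible in `init_prover`: the verifier must transmit all n blocks, which is exactly the linear communication the real construction avoids.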
This is actually a variant of what I said a moment ago. Think of it like this: if the protocol is just one-way communication, the adversary could simply store what was sent; in general there can be more rounds, so let's say he just stores the entire transcript of the communication. And we said that we want this communication to be short, so the messages that come from the verifier are short, which means that he can store them in a small space. And then of course you can see what's happening: before each proof starts, the adversary just expands x back to R by simulating the honest prover on his conversation with the verifier, and once the proof phase is over he erases R again and compresses his memory back to x. So this is a problem, and the moral is that we need to somehow restrict the power of a cheating prover, his computing power; that's also why the initialization phase has to require the honest prover to do some work. Ok, so we can restrict his running time or his space. We say that a dishonest prover P* is an (n0, n1, T)-cheating prover if the following holds: n0 is the size of his storage after the initialization phase, so this is what he remembers after it, the length of x; n1 is the space used by the dishonest prover during the proof; and T is the time used during the proof. So basically there are two ways to restrict the efficiency of an algorithm: one is to limit space, the other is to limit time, and we have both. We don't actually need to restrict his power during the initialization phase, as long as he is not exponential, so that he cannot simply break the random oracle. In fact, in our paper we restrict either space or time: we have either an (n0, n1, infinity)-cheating prover, which means we just restrict his space in the proof phase, or the other way around, we just restrict his time. Ok, so what is the security definition? It's now quite straightforward: we say that a protocol is an (n0, n1, T)-proof of space if it's complete, efficient and sound, where completeness and efficiency were already defined, and soundness means what you would expect: for every (n0, n1, T)-cheating prover, the probability that he convinces the verifier is negligible. Ok, so now I have a few minutes to talk about our constructions. Why are the constructions non-trivial? Because of time-memory trade-offs, a well-known thing in cryptography. What happens when you start analyzing trivial, simple solutions to this problem is that you end up with solutions that can be broken with time-memory trade-offs: for example, instead of storing n blocks the adversary stores square root of n blocks and runs in time square root of n. These are time-space trade-offs of the baby-step giant-step type, and many easy ideas for solving this problem actually break here. Ok, so what is our main technique? We will use something called graph pebbling. There is not much time to explain it in detail, but I will just click through it. Suppose we have a graph, and a hash function that depends on the identifier, so it's different for each execution of the protocol; say the hash takes the ID at the beginning, concatenated with the rest of the input. We compute the string r1, ..., rn as follows. Say this is a simple graph: first we label vertices 1 and 2, so r1 is simply the hash of 1 and r2 the hash of 2, and then vertex 3 will be labeled with the hash of (r1, r2), and so on. So this is a function that takes an ID and produces a long string r1, ..., rn, and informally a graph is "bad" if it can be labeled quickly by someone who stores only a small number of labels.
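The labeling step just described can be sketched on a toy DAG as follows; the three-vertex graph and the helper names are mine, for illustration only, not the graphs from the paper:

```python
import hashlib

def H(identifier: str, *parts: bytes) -> bytes:
    """Random-oracle stand-in: the ID is prepended to every call,
    so each protocol execution gets a fresh labeling function."""
    h = hashlib.sha256()
    h.update(identifier.encode())
    for p in parts:
        h.update(p)
    return h.digest()

def label_graph(identifier: str, predecessors: dict[int, list[int]]) -> dict[int, bytes]:
    """Label vertex v with H(ID, v, labels of v's predecessors).

    `predecessors` maps each vertex to its parents and must be given
    in topological order, so parents are labeled before their children.
    """
    labels: dict[int, bytes] = {}
    for v, parents in predecessors.items():
        parent_labels = [labels[p] for p in parents]
        labels[v] = H(identifier, v.to_bytes(4, "big"), *parent_labels)
    return labels

# Toy graph from the slide: vertices 1 and 2 are sources, vertex 3 depends on both.
toy = {1: [], 2: [], 3: [1, 2]}
R = label_graph("alice@example.com", toy)
```

Because every label feeds into its successors, recomputing a late label from scratch forces recomputation along the paths leading to it; the paper's graphs are chosen so that no small set of stored labels shortcuts this.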
An example of a bad graph is something like this, where basically the baby-step giant-step attack works: if the adversary stores every square-root-of-n-th label, that is, labels number sqrt(n), 2·sqrt(n), and so on, then he can compute every label in sqrt(n) steps. This is a standard thing. So we need graphs where this kind of attack is impossible, graphs where this kind of time-space trade-off is hard, and we construct them using techniques from graph pebbling, building on some classical results. Actually, you can see on the list of authors that one of the authors is not a cryptographer, and he was mostly responsible for this graph part. Ok, the details are in the paper. So, how to build a proof of space from a good graph? Well, it's quite simple. First I'm going to show you a scheme that is sort of stupid, and then I will show you how to repair it. You compute R by expanding the ID using the labeling scheme I just showed you, and in this stupid scheme the prover first sends R to the verifier; you can see why it's stupid, because it still requires long communication. Then we run the simple protocol that we had before. So of course, as I said, the problem is that the entire R needs to be sent to the verifier. Our solution is also quite straightforward: we let the prover commit to R using a Merkle tree (those are Merkle trees, we all know them), and what the prover sends is just the commitment at the top of the tree. Then the verifier asks the prover to open some randomly chosen commitments and checks that everything was computed correctly. Of course the prover can still cheat on a small number of blocks, but we take care of that; it's just an additional difficulty in the proof. Ok, so now in the proof phase the prover just opens the Merkle commitments, and as a result, in the initialization phase he doesn't need to send the entire R; it's enough that he sends the commitment, and then in the proof phase he proves that it was computed correctly. Ok, and these are the results. We have two proof-of-space schemes, where c1 and c2 are some constants. You remember the parameters: the first is the memory bound after the initialization phase, the second is the memory bound during the execution of the proof. In the first scheme both bounds are of order n divided by log n, and we don't restrict the time, so the adversary can use as much time as he wants during the proof phase. In the second result the memory bound is linear, and we bound the time as well as the space; there is some small additional assumption that we need, the details are in the paper. A natural question, and I still have one minute left: can you build a cryptographic currency on top of this? It's not so trivial, because if you look at Bitcoin, there is this notion of a random new block on which everybody mines, and somehow it's clear that this doesn't directly work here. But fortunately there is a recent paper by Park et al., which is on eprint now, where they construct something like this. Well, this is my last slide, so I should also say something about previous, related and independent work. Graph pebbling was used in the context of proofs of work already before, by Dwork, Naor and Wee. Then there is something similar to what we have, but it lacks the two phases, it's just a one-phase thing: you only have to prove that at some point you spent a lot of memory, and afterwards you can compress. This is called proofs of secure erasure, and was introduced by Perito and Tsudik in 2010, and then there are other constructions, like the one by Karvelas and Kiayias, where they actually call it proof of space, so there was some confusion about the names. But basically the proofs of space that we have imply proofs of secure erasure, so our notion is stronger. And I should also mention that similar graph techniques were used in a paper by Smith and Thang in the context of leakage-resilient cryptography; that paper was not published on eprint. Thank you.
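To make the Merkle-tree commitment step from the construction concrete, here is a minimal sketch of committing to R and opening a single block with its authentication path. These are my own simplified helpers, assuming n is a power of two:

```python
import hashlib

def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()

def merkle_commit(blocks: list[bytes]) -> list[list[bytes]]:
    """Build all tree levels bottom-up; levels[-1][0] is the root commitment."""
    levels = [blocks]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def merkle_open(levels: list[list[bytes]], index: int) -> list[bytes]:
    """Authentication path for one block: the sibling node at every level."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])  # sibling of the current node
        index //= 2
    return path

def merkle_verify(root: bytes, index: int, block: bytes, path: list[bytes]) -> bool:
    """Recompute the root from the block and its path; log(n) hashes."""
    node = block
    for sibling in path:
        node = H(node, sibling) if index % 2 == 0 else H(sibling, node)
        index //= 2
    return node == root
```

This is where the communication savings come from: the prover sends one hash as the commitment, and each opened block in the proof phase costs only log(n) hashes instead of shipping all of R.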