Hey everyone, welcome to today's Protocol Labs Research Seminar. Today we are joined by Pratyush Tiwari, who is a third-year PhD student at Johns Hopkins University under the supervision of both Matthew Green and Abhishek Jain. His research focuses on problems at the intersection of cryptography with privacy and verifiable computation. He has also collaborated with the Ethereum research team to build, attack, and study practical verifiable delay functions, and with the PSE team as a grantee, where he went down the zero-knowledge proofs rabbit hole working on verifiable machine learning. Today he's here to talk to us about his paper on algorithm substitution attacks on cryptographic puzzles. Over to you, Pratyush.

Thanks a lot, Liam. Hi everyone, I'm Pratyush. Today we will be talking about algorithm substitution attacks on cryptographic puzzles, and this is joint work with my advisor Matthew Green. So let's get started.

Backdoors are not something new; they've been around for many years. In the early 2000s there were backdoors put in by computer worms such as Sobig and MyDoom. What they would do is install a piece of software on your computer that you would not know about, and the goal was that the spammers who installed this software could then send junk email from the infected machines. This actually led to a crazy uptake in email traffic in the early 2000s, and it worked so that as soon as you received an email from an infected machine, your machine would get infected itself. Other than software backdoors there are also hardware backdoors that we've heard about, where manufacturers of hardware devices have messed up the design somehow or put in some root access that they ideally shouldn't have, because to a certain degree they don't own the machine once they sell it.

Then there are also cryptography backdoors, which is the focus of this talk: how they affect certain puzzle problems in the real world, and these puzzle problems are very relevant to blockchains. A few years ago a big backdoor was discovered in a primitive for deterministic random bit generation called Dual EC, which was approved by the NSA, but later people found backdoor attacks which were possible. So very exciting stuff. Are there different ways in which people can backdoor cryptography? There are many ways. In cryptography we have these keys, which are sensitive objects, and similarly for cryptocurrency wallets: if you lose your keys then you lose access to secret information or access to a wallet, so this information has to be protected and the keys need to be strong. What that means is that if the key space is too small, people can brute force and find attacks. There might be other sophisticated attacks depending on the cryptographic primitive you're using, but if the key generation algorithm is weakened then that doesn't help at all. Furthermore, if you are using a cryptographic primitive and it has certain fixed parameters, they can lead to a backdoor, and this is what happened in the instance of Dual EC. If you knew the backdoor then you could very easily find out more information than you're supposed to about keys which might apparently seem to be randomly generated, but someone with the backdoor can predict that key much more easily than just sampling randomly and trying to find a collision. This sort of malicious design of algorithms leads to apparent security, where someone using it might think that the algorithm they're using is perfectly secure and there are no problems, but the person with the backdoor meanwhile can read their messages or break the security of the protocol.
All these objects in cryptography which give us security come from the fact that there is a lot of entropy in cryptographic systems. That means your key, let's say a long bit string, if it's long enough and actually random, which means it has high-quality entropy, then no one can just guess and find out what the key is; but if you reduce this entropy then you get in trouble. So our goal in this work is to look at the uptake in hardware devices being used for cryptography. We have certain manufacturers which are manufacturing these hardware devices, or puzzle-solving devices as we will call them. These devices can be thought of as mining devices; now people are also looking at hardware-based zero-knowledge provers and verifiable delay function hardware. These are all puzzle primitives and we group them as such, and we want to look at whether these hardware manufacturers can backdoor these devices so that they sell these devices to an honest party, the honest party invests resources to solve the puzzles, but the malicious manufacturer who backdoored these devices reaps the rewards.

So let's look at what these cryptographic puzzles are. The concept is very similar to puzzles in general: in any puzzle instance you get the input, or whatever the puzzle is, you solve it, and if you solve the puzzle you get a reward. Cryptographic puzzles are very similar, but they have a resource requirement which is guaranteed, so if you're someone who's solving the puzzle and you don't invest the amount of resources specified by the puzzle maker, then the probability that you will solve the puzzle successfully is negligible.

As an example, if you look at proof of work, this is computation, so on average you need to calculate a certain number of hash functions before you find a proof-of-work solution. Then we have verifiable delay functions, which say that if you solve this puzzle then it must take you a certain number of seconds, and the way this is emulated in a protocol is using computational cycles: each device can perform a certain number of computational cycles in a second, and if your protocol takes a set number of computational cycles to complete, then you can emulate wall-clock time using it. Similarly, if you look at proof of space, then you need a certain amount of disk space to be able to find a proof-of-space solution. Certain puzzle protocols are bad for the environment: if you look at proof of work, it uses a lot of electricity, almost as much as a small-ish or medium-sized nation at this point, so slowly we can see different protocols moving away from proof of work, as Ethereum did recently.
More formally and concretely, we can look at cryptographic puzzles as the following algorithms. You have a setup algorithm, which decides the puzzle difficulty, that is, what your resource requirement is and what your resources are; it also decides an input domain for the puzzles. So let's say I want to make a puzzle: what I'm going to do is run the setup algorithm according to my choices, and then it's going to give me an input domain to select my puzzle instances from, and once I have this input domain I can sample puzzle instances randomly. Then of course you have the evaluation algorithm, in which the puzzle solver generates a solution and a proof. Certain protocols split this into two different parts, the evaluation itself and the proving, but we group them together: you take a puzzle instance, you solve it, you get a solution and a proof, which you can verify through the verify algorithm. The verify algorithm takes the solution, the proof, the input and other public parameters, and it checks whether the solution is correct or not.

Let's look at different applications of puzzles, that is, why we should care about these. In the beginning, client puzzles were first used to address denial-of-service attacks. If you have a server which performs a certain high-value activity, or you want to prevent a service from running properly, what you can do is just overload it with connection requests, and at a certain point the server will get overwhelmed and the service won't be able to run properly anymore. To solve this problem, Juels and Brainard, at NDSS in 1999, proposed something called client puzzles. This means that if you want to send a connection request to a server, first you have to do a certain amount of work, or solve a puzzle, and once you do that, then you can send the request successfully. What this meant is that to run a denial-of-service attack, the cost to run any such attack now increases massively, and so it kind of prevents these attacks, or at least it increases the overhead of the attacker, so that the attacker would need a lot of resources to run such an attack.

The most relevant application of puzzles to the audience here would be consensus in blockchains. In consensus we have a certain high-reward task we want performed, we have different parties which are ready to perform it, and we don't know how to select which one. For this we have various consensus algorithms which are basically utilizing certain types of puzzle constructions. Again, like we talked about, there's a resource requirement to solve the puzzle, and that changes: proof of work requires electricity or computational steps, proof of space requires disk space, etc. A lot of these puzzle solvers are hardware based, whether this be ASICs or FPGAs or GPUs. A lot of Bitcoin mining is done on ASICs, and other things like Litecoin and I think Dogecoin also use ASICs; there are different proofs of work which use GPUs and FPGAs. The key issue here is that you have a very high-stakes application: you're engaging in this puzzle-solving process, and the first party that solves the puzzle reaps a lot of rewards, so the goal for any such attacker to attack such a protocol comes sort of naturally, and we will look at what this means later.

So, algorithm substitution attacks on cryptographic puzzles: what does the first part, algorithm substitution attack or ASA, mean? The setting here is that you are using a certain cryptographic algorithm which has some security and privacy properties, but the hardware or software implementation that was provided to you was provided by a potentially malicious party. So can this malicious party break your crypto, whether that is breaking the security or privacy or some other guarantee relevant to your
protocol, and can they go undetected while they do so? A similar concept was first introduced as kleptography by Young and Yung at the CRYPTO conference in 1996, and in the seminal paper by Bellare, Paterson and Rogaway, they looked at symmetric encryption and backdooring symmetric encryption using ASAs, and at different game-based definitions for this; a lot of the follow-up works actually build on these game-based definitions. So now there have been ASA papers where people have looked at different secure messaging applications like Signal and studied whether algorithm substitution attacks are possible on Signal. There have been at least five to ten very solid papers in the space now which deal with different scenarios. There's also the CRYPTO 2018 paper on correcting subverted random oracles by, I think, Russell et al., and they look at the question of whether, given a subverted hash function, you can convert it into an implementation which is actually not subverted. This is kind of similar to our work, but we aim at a general puzzle-based definition, and we'll show some interesting analysis, attack techniques, et cetera, and also countermeasures soon.

So let's take an example from the BPR paper from 2014, and this is for symmetric encryption. For the cryptographers here: you have your symmetric encryption scheme, which has a certain key, and you're trying to communicate with another party, and they call the malicious party who's providing the implementation the big brother, so that's what the BB is here. In the normal operation you are communicating using symmetric encryption, you have a certain key, and anyone who sees the ciphertext, which is the thing that you transfer to whoever you're trying to communicate with, won't be able to find out any information about the content of your message. But in the subverted operation, what happens is that since your implementation is provided by a malicious party, what they do is hard-wire an extra key inside it, and what this does is that this malicious operation now seems benign to any party other than the big brother, but when the big brother sees the ciphertext, only they can actually find out what your message is. So they find out the content of the message while both communicating parties think that they're using a secure protocol, and the big brother can go undetected.

But puzzles are different. It kind of seems like there's no secret here to leak, so what would an attack here even mean? In terms of encryption it's very clear: if whatever your message is, that information is found out by an adversarial party, then you're in trouble, or if your secret is leaked then your protocol completely breaks down. But how is this relevant to puzzles? In most puzzle protocols the attacker, or the subverting adversary, is the person who's malicious, and they design the puzzle-solving hardware or software. Let's say the honest party, which is called the detector or detecting adversary, buys this puzzle-solving machine, and now this honest party invests resources to solve the puzzle. The attacker wants to subvert the puzzle solver such that the subversion actually benefits the attacker and the detector does not find the subversion. How it actually benefits the attacker we'll see soon, but let's look at this in the context of blockchain consensus. You have a certain task to be performed, the party performing the task gets a reward, and so we have to decide which party, as we have multiple willing parties. Most protocols, regardless of what consensus algorithm they use, decide in the following way: they pick randomly, but proportional to investment. If you look at a solution that uses proof of stake plus VRFs or VDFs, people stake a certain amount of token, whatever your token is, and depending on what their stake is, a random lottery is picked where
your probability of winning is actually proportional to how much you stake. In proof of work this is still true, because the more mining devices you have, the higher your investment and the higher your chance of solving the proof of work. So in a certain sense the randomness decides the winner, and in most settings there's only one winner, and they reap the reward, which is the block reward for Bitcoin and other proof-of-work things. So ASAs on puzzles would aim to attack this exact process: if the attacker can affect the process that decides the randomness that picks the winner, then they can reap rewards beyond their investment.

Here's a nice image from ledger.com that tells you how puzzle-based consensus works; it makes most sense in the proof-of-work setting. You have your network server, and there is a puzzle which is decided to be the puzzle for that block, and that's sent out to a bunch of parties which are willing to solve the puzzle. All of them attempt to solve the puzzle and send solutions; the party here, X2, which solves the puzzle correctly, gets the reward. This puzzle solving is actually done in hardware in many processes, as we looked at before. Let's take proof-of-work mining as an example. To solve these puzzles you first need to buy hardware, and here's an example of the different hardware, just a screenshot from a popular hardware manufacturer; this is what these devices look like. You can see the amount of investment here might be okay for a big corporation, but for individual miners it's a pretty high investment. These devices also consume a lot of electricity, so they're expensive to keep running, and the hope is that you would get rewards which are fair, so proportional to your investment.

Before we dig deeper, here's a quick overview of the Bitcoin proof of work. There's a proposed block, and it has a block header, which is the SHA-256 hash of the block header. Then any miner would decide the transactions that they want to include in a block that they would propose, so they would build a Merkle tree using SHA-256 for these transactions, and they take the previous block header, and the proof of work is, with those two inputs, to find the nonce such that when you hash all of this together you get a hash with a certain number of preceding zeros. That decides the difficulty for that block, and the miner that achieves this successfully, and in most cases fastest, gets the block reward. I think the current Bitcoin block reward is 6.25 bitcoin, which is over a hundred thousand dollars. The hardware consumes a set amount of electricity every hour, and it just churns away, keeps incrementing these nonces to find a solution. You can either mine by yourself, so you do the whole exhaustion of the nonce space by yourself, or you do it in a pool. In the mining pool what happens is there is a pool operator, and they orchestrate this process: whatever your nonce space is, the pool operator would divide the nonce space among the members of the pool, and everyone would work on their shares, or their work shares, so that's the set amount of puzzle input that they have to exhaust.

This is an important statistic right here. If you look at the hardware manufacturers for Bitcoin, there are roughly three or four which manufacture most of the devices, and you will see why this becomes a problem later. The main issue is that the two biggest mining pools are also run by the people who manufacture these devices, so they have a lot of control over the devices that they make and sell, and after they sell the device they still communicate with these devices, potentially using their mining pool. So if you look at Bitmain, which is
the biggest manufacturer, they manufacture two-thirds of the devices, and they control the two historically biggest mining pools as well. The situation is changing slowly, but it has been the case for at least the last 10 years. Okay, enough about proof of work.

In cryptographic puzzle manufacturing, let's say there's a malicious manufacturer; what are their goals? You can see that these protocols are being used in consensus and other activities where solving the puzzle gives you a reward, and your expected reward is proportional to your puzzle-solving ability. So as an attacker, what I want to do is lower other people's puzzle-solving ability, because puzzle-solving ability is always represented as a fraction of the network. If you own, let's say, 10% of the network's devices, your puzzle-solving ability is 10% of the network. Now if I make, let's say, half of the devices which are not mine go away, then my puzzle-solving ability certainly doubles, so instead of 10% it goes up to 20%. It's always relative to the rest of the network. In the best-case scenario what I want to do is just take other people's solutions, so they do all the work, they do the investment, and I just reap the reward. So there are two main angles for the attacker goals that we're considering here: you lower other people's puzzle-solving ability and increase your fractional puzzle-solving ability as a result, or you try to exfiltrate other people's solutions.

In this blockchain-based setting, let's look at the threat model. The first one is the direct input model. In the direct input model you have this malicious pool operator who also made your device, and that's why the image I showed earlier becomes very relevant, because the person who's operating your pool also, with high probability, made your device. So this is a realistic threat setting, and it's happening right now; it's been happening for many years. The other one is the blockchain input model, where you're either mining individually or you join a mining pool which is not operated by the person who manufactured your device. In the direct input model they can talk directly to your mining device through the mining software, because they made your device and they also run the pool, so they communicate directly with your device. In the blockchain input model the malicious party may have made your device, but the only way they can communicate with your device is through the blockchain, because your device is reading information from the blockchain; they can indirectly try to affect the information on the blockchain, and that would affect what goes inside your device.

So why does this become relevant? The way it becomes relevant is that we look at a couple of attack strategies. The first one is the load-shedding attack. What the load-shedding attack does is it load-sheds attacked devices in the network: it lowers the puzzle-solving ability of the attacked devices every once in a while. You can think of it this way: you have a device that you bought from a malicious manufacturer, and there is an input domain of the puzzles that your device tries to solve. What the manufacturer does is hard-code certain bad or trigger inputs within the device; once the device sees any of these inputs, it's just going to perform at a puzzle-solving ability much lower than advertised. The reason it's interesting to look at it in this way is because if, out of the box, the devices didn't perform as advertised, then people would just say, "I received a defective device, there's an issue with this." But if you have an input trigger which sends the device into bad mode for, let's say,
two days or something like that, what the malicious party's goal then becomes is to trigger the device once it's online. Your device is performing perfectly well, then it sees a certain input, and after that its performance declines for a little bit. So any person who buys such a device, if they try to test it at home, it would appear to be working properly, there are no issues at all, and then the device goes online and every once in a while its performance declines a little bit. This gives a sort of plausible deniability to the manufacturer: the effect doesn't seem negative enough for the honest party to cause a big issue; they might just say, okay, there was a small issue with the device but it's working fine now, and the attacker continues to reap the rewards, because every few blocks, every once in a while, their puzzle-solving ability is just going to grow that much. We'll see a quick analysis of that.

In the direct input model this attack is very effective, and the reason for that is that in the direct input model the malicious party who made your device can communicate with it directly, because they're also the pool operator. If they want your device to go into bad or triggered mode, they would just send your device the trigger input, because that just looks like a hash for most proofs of work, and as soon as you input this information into your device it's going to go into bad mode and not puzzle-solve with the ability that's advertised. But in the blockchain input model this attack is not so effective, because if your input is coming from the blockchain and that's a certain hash, then it's very challenging for any attacker to get that exact hash to be the next block header. So we also explore a stateful variant of the attack. In the stateful variant, the mining device which is subverted keeps state over, let's say, 100 consecutive blocks, and so then the goal of the attacker becomes that they have to affect the entropy on the blockchain so that over the 100 consecutive blocks a certain function of the block header is a trigger input. Instead of trying to get the next block header to be a certain hash, they now try to affect the entropy on the blockchain little by little every block, and if they own a good enough hash rate, which doesn't have to be too high, even 10%, they can mount this attack. The analysis is available in the paper.

This is an interesting graph that we plotted. On the x-axis you have the percentage of devices subverted by the attacker. There are two to three different manufacturers, each of which makes more than 20%; Bitmain makes two-thirds, so it's somewhere here. They make these devices and they subvert them, and let's say they sell them subverted, and let's say they also take part in the mining process themselves and they have a certain hash rate. So if I have a 10% hash rate and I make half of the other devices just go bad, my effective hash rate goes up from 10% to 20%, and you can see this plotted for different attacker hash rates and different percentages of subverted devices. So what is this selfish mining threshold here? Selfish mining, for those who don't know, is an attack where, let's say in proof of work, you are one of the miners and you find the next proof-of-work solution but you don't advertise it. The reason you don't advertise it is that you just keep working on the next proof-of-work solution to build a fork of the chain, and if you have enough of the network's hash rate you can actually build a successful fork, so that you mine a bunch of consecutive blocks and other people's solutions, which might be a little bit behind, are never chosen at all. So they waste their effort and you mine consecutive block rewards, and the other people don't have a shot at all, because you keep your chain private until you know for sure that your chain would be the fork that is selected. From the work of Eyal and Sirer we know that the selfish mining threshold is one-third: you need to own one-third of the network's hash rate to mount a selfish mining attack. But now what we get from load shedding is that if you sell subverted devices, even if you have 20% of the hash rate and you subvert, let's say, 40% of the devices, then you cross the selfish mining threshold and you can selfish-mine. This is actually possibly the case in the real world, because there is a manufacturer which has roughly 20% of the hash rate and they make more than 40% of the devices. We cannot say for certain that this is happening already, but it is certainly possible.

The second attack strategy is the leeching attack. In the leeching attack the goal of the attacker is to exfiltrate puzzle solutions every once in a while. You can think of this again as an input-based trigger, where the attacker tries to send a bad or trigger input to the device, and once the device sees this trigger input, the next few solutions it finds, it'll try to exfiltrate them. But what does this exfiltration even mean? The device is not always directly talking to the attacker. There is actually an exfiltration channel here: look at the setting where your pool operator also made your device and they're malicious, and the communication that happens between the mining device and the pool operator includes certain lower-difficulty proof-of-work solutions as well. Let's say the real-world difficulty to find a solution for proof of work is 64 bits of preceding zeros in the hash. When you're in the pool, only one of the members of the pool is potentially going to find a solution every once in a while, so how do you give people rewards for mining, how do you spread them sort of
democratically what pool operators do is they consider these lower level difficulty solutions so while you're trying to find a hash with 64 preceding zeros you'll find a lot of them with 30 40 50 preceding zeros so what pool operators do is they select one of this lower level difficulty as the as the work reward kind of thing and then depending on how many of these you find they find out what fraction of the hash rate is owned by you and how much work you're contributing to your pool right what you can do here is the attacker would hardware the device with the secret key right and it then it's going to try to input a trigger to it and in the attack state the device will try to exfiltrate the ciphertext of the actual solution that it found at the actual difficulty level and the way it would do it is that it's going to encrypt that solution first and then it's going to submit low level difficulty puzzles so that at a certain bit for each puzzle you get the cipher text bit right and it works in both settings so you can either do one by one submission of lower difficulty solutions and in this case you would rejection sample so you are going to only send the lower level difficulty solution where let's say the fifth bit is zero right and you rejection sample until you find such a solution and if you're submitting low level difficulty solutions per block then yours is going to order them so that let's say a certain bit the ordering basically communicates the ciphertext of the actual solution right we also model the security games for something like this so what would that look like because having provable security is important right we have these attack strategies but are they do these attacks actually work so first we'll need to consider what security even means for algorithm substitution attacks right so we look at this subversion game first right so in the subversion game the malicious manufacturer or the attacker is talking to a certain device and the goal is for the 
manufacturer to figure out whether the device it's talking to a subverted or not right and it knows that if the device is subverted then it's going to run a certain subverted evaluation algorithm which is known to the attacker right so the attacker is allowed to query the device on some polynomial the security parameter number of inputs adaptively and then the attacker outputs its guess for whether it thinks the device is subverted or not right so if you look in the case of any input trigger based attacks what the attacker would do is just it's just going to send a trigger to the device and if the device is subverted then it's going to start performing at a lower efficiency or lower puzzle solving ability and the malicious party would be able to find out if the device is subverted right the other security game that's important is where the detector the honest party also needs to figure out the same thing right so the detector buys a device and they want to find out whether this device is subverted or not right so it's the same setting as before but the detector does not know what algorithm the subverted device would run it don't it only knows the the correct evaluation algorithm right so the detector tries to talk to the device on query it on a bunch of puzzle inputs and adaptively and then strike then it guesses whether the device is subverted or not right and so the if the subversion triggers are like a negligibly small fraction of the entire input space then the detector would never be able to figure out by random testing right especially with polynomial number of queries so this we call this the offline detection game as you can think of it as you buy the device and you're testing it at home right but another interesting setting is the online detection game so you say okay like my device works fine at home but does it work in the real network right and I'm going to test it so everything else remains the same but we add an attacker oracle right so what this does 
is that now not only does the detector talk to the device, it can also have oracle access to an attacker. It sends a start-attack symbol to the attacker, and the attacker would then give it messages to send to the device. The detector forwards this message to the device, or computes a function of it, and continues this conversation. This emulates the setting when your device is online and an attacker might try to mount an attack, and if you're looking at the information that is input to the device and the outputs of the device, can you figure out whether your device is subverted or not? So this greatly improves the detector's strength.

Most of our attacks are actually not offline-detectable, so in most settings you won't be able to detect at home whether your device is subverted or not, and as I said it's very easy for the attacker to trigger the device. But in the online detection setting only some of the attacks succeed or have plausible deniability, because once you see an attack in session you can kind of figure out that maybe this conversation is what's making your device perform negatively.

And so what are the real-world concerns here? Fine, we have these detection things like cryptographic games, but how do we detect stuff? Detection is certainly useful, but only if it's fast, because testing and profitability are at odds; there's a paradox here. So let's say you don't trust your manufacturer and so you're testing your device a lot. The more you test your device, the more your device is online, and while your device stays online, other people's fractional hash rate is that much higher. So distrust in the malicious manufacturer actually benefits them. There are also simple timer-based attacks: I just put a timer in the device so that it starts failing after a year of being online, and these devices actually have a small lifespan, 18 months until they're profitable, after which
you have to take them out, at least in the case of Bitcoin. And the attacker could only subvert real-world difficulty parameters, since there are so many devices in the network that a single device finds the solution only every once in a while. So a device which is $5,000 would find a solution like once a year if it's operating by itself, and even huge mining rigs with millions of dollars in investment find solutions only every few weeks or so, but each solution is over a hundred thousand dollars right now. So we need to study puzzles which are easily testable, so that at home I can test it and be sure that it's actually going to be fine in the real world as well.

Testing also doesn't work because a lot of these hardware devices have hardware errors and they operate within a certain error rate. As you can see for this device, its puzzle-solving ability operates within a plus or minus three percent error rate, so as an attacker I can just always make the device work at its lower strength and it's still acceptable. And let's say your device is exfiltrating solutions or failing on certain inputs: it would look exactly like how it looks in the real world with hardware errors. With hardware errors, what you have is that on certain inputs your device stops working, and on your mining software or portal it would say that there were a few hardware errors on your chip, and you say okay, maybe it overheated or some cycles ran out or something like that. But if I'm an attacker, I would make things look exactly how they look right here: I exfiltrate the solution and you just think you had a hardware error.

Then there's statistically testing your miner with some statistical confidence. So you want to know for sure, with probability higher than 95 percent, that your device is actually subverted. What you can do is try to measure its hash rate over time depending on how many solutions it finds, and we have this nice graph that we've plotted. So
depending on the miner hash rate, if you buy a device that's a thousand dollars it'll take you roughly 600,000 blocks to test, which is a lot of blocks, and your device's lifespan will run out before that. So unless you own mining rigs over a hundred thousand dollars, you will never be able to test your devices with high certainty before their lifespan is actually over. So we suggest that people collaboratively test their mining devices to figure out whether they're subverted or not.

We also talked about another countermeasure, which is preprocessing. Certain puzzles allow the puzzle solver to enter entropy into the puzzle-solving process, and so then what happens is the information that is input to the device is not exactly selected by the malicious party. So you can add entropy so that the malicious party doesn't know for sure what would be input to the device. We model this as a cryptographic game, and this unpredictable preprocessing actually prevents most input-trigger-based backdoors.

You could also mask your puzzle inputs. You can do an algebraic transformation so that if you have an input x, you transform it to x' which the malicious party does not know about; then your device solves for x' and finds the solution, let's say y', and you can unmask the output from y' to y, which is the solution to the original input x before masking. For algebraic protocols which have a lot of structure you can develop these masking protocols. So in our paper we have a masking protocol for phx VDFs, and the overhead for masking is very small, almost 10^-6 overhead over the actual VDF evaluation cost and time. For other algebraic protocols such as the Wesolowski VDFs, and any other puzzle construction which has this structure, you can devise similar masking-based protocols, so that in the future, if these devices for VDFs are being run in a space where solving the VDF and finding the solution is a higher-reward process, then
input-based triggered backdoors are not possible. So that's it, thanks a lot. Here's a link to the paper on ePrint.
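The statistical-testing argument in the talk (measure the device's solution rate over many blocks until you can tell a subverted device from an honest one with 95% confidence) can be made concrete with a small calculator. The following is an added example written for this page; it is not code from the paper or from the speaker, and the paper's own graph was produced with its own parameters. It models the honest device's solution count over N blocks as Poisson with mean N*lam (lam is the device's expected solutions per block, i.e. its fraction of the network hash rate) and the subverted device as losing a fraction delta of those solutions. The decision rule flags the device when it delivers at most k solutions, with k chosen so that an honest device is flagged at most 5% of the time, and the block count is the smallest N for which a subverted device is flagged at least 95% of the time. Both a closed-form normal approximation and an exact Poisson bisection are given; the scenario numbers (one honest block a year, a 3% loss hidden inside the hardware-error tolerance, 600-second blocks) are constructed assumptions.

```python
# Added example (not code from the paper or the talk): how many blocks does it
# take to detect, with 95% confidence, a mining device that quietly withholds
# or fails on a small fraction of its solutions?  All scenario numbers below
# are constructed assumptions, not values from the paper.
import math


def log_poisson_pmf(k: int, mu: float) -> float:
    """log P[X = k] for X ~ Poisson(mu)."""
    return k * math.log(mu) - mu - math.lgamma(k + 1)


def poisson_cdf(k: int, mu: float) -> float:
    """P[X <= k] for X ~ Poisson(mu), summed in log space so a mean of
    thousands of expected solutions does not overflow."""
    if k < 0:
        return 0.0
    return min(1.0, math.fsum(math.exp(log_poisson_pmf(i, mu)) for i in range(k + 1)))


def decision_threshold(mu_honest: float, alpha: float) -> int:
    """Largest count k such that an honest device (mean mu_honest solutions)
    produces <= k solutions with probability at most alpha.  Observing k or
    fewer solutions therefore flags the device with false-alarm rate <= alpha."""
    total, k = 0.0, 0
    while True:
        total += math.exp(log_poisson_pmf(k, mu_honest))
        if total > alpha:
            return k - 1
        k += 1


def detection_power(n_blocks: int, lam: float, delta: float, alpha: float = 0.05) -> float:
    """Probability that a device delivering only a (1 - delta) fraction of the
    solutions it should find is flagged after n_blocks blocks, where lam is the
    honest device's expected number of solutions per block."""
    mu_honest = n_blocks * lam
    mu_subverted = mu_honest * (1.0 - delta)
    return poisson_cdf(decision_threshold(mu_honest, alpha), mu_subverted)


def blocks_to_detect_normal(lam: float, delta: float,
                            z_alpha: float = 1.6449, z_beta: float = 1.6449) -> int:
    """Closed-form estimate from the normal approximation to the Poisson:
    N*lam*delta >= z_alpha*sqrt(N*lam) + z_beta*sqrt(N*lam*(1 - delta)).
    The default z values are the one-sided 95% quantiles (alpha = beta = 0.05)."""
    return math.ceil(((z_alpha + z_beta * math.sqrt(1.0 - delta)) / delta) ** 2 / lam)


def blocks_to_detect_exact(lam: float, delta: float,
                           alpha: float = 0.05, power: float = 0.95) -> int:
    """Smallest block count whose exact Poisson detection power reaches `power`,
    found by bisection bracketed from the normal-approximation estimate."""
    lo, hi = 1, 2 * blocks_to_detect_normal(lam, delta)
    while detection_power(hi, lam, delta, alpha) < power:
        hi *= 2
    while lo < hi:
        mid = (lo + hi) // 2
        if detection_power(mid, lam, delta, alpha) >= power:
            hi = mid
        else:
            lo = mid + 1
    return lo


def blocks_to_years(n_blocks: int, block_interval_s: int = 600) -> float:
    """Convert a block count to calendar years at a fixed block interval."""
    return n_blocks * block_interval_s / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed scenario: a solo device that honestly finds about one block a
    # year (about 52,560 ten-minute blocks per year).  delta = 0.03 is a loss
    # hidden inside a +/-3% hardware-error tolerance; delta = 0.5 is a blatant one.
    lam = 1.0 / 52_560
    for delta in (0.03, 0.50):
        n = blocks_to_detect_exact(lam, delta)
        print(f"delta={delta:.2f}: {n:,} blocks, about {blocks_to_years(n):,.0f} years "
              f"(normal approximation {blocks_to_detect_normal(lam, delta):,} blocks)")
```

The closed form shows why the talk's conclusion holds: the required block count scales as 1/(lam*delta^2), so a small device (tiny lam) hiding a small loss (delta inside the error tolerance) needs orders of magnitude more blocks than its lifespan allows, while pooling many devices' observations (larger effective lam) is exactly what makes the collaborative testing the talk suggests feasible.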