Efficient verifiable delay functions
Citations
The knowledge complexity of interactive proof-systems
Concurrent Zero-Knowledge.
A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses
Linear Zero-Knowledge. A Note on Efficient Zero-Knowledge Proofs and Arguments
Transparent SNARKs from DARK Compilers
References
The knowledge complexity of interactive proof systems
Nonmalleable Cryptography
Time-lock Puzzles and Timed-release Crypto
A note on efficient zero-knowledge proofs and arguments (extended abstract)
Computationally Sound Proofs
Frequently Asked Questions (14)
Q2. How can one easily generate a class group of unknown order?
One can easily generate an imaginary quadratic order by choosing a random discriminant, and when the discriminant is large enough, the order of the class group cannot be computed.
Q3. What is the definition of a timed challenge-response identification protocol?
A timed challenge-response identification protocol is (perfectly, computationally, or statistically) zero-knowledge if there is an algorithm S that on input k, Δ, pk and a random challenge c ← challenge(k, Δ) produces an output (perfectly, computationally, or statistically) indistinguishable from respond_sk(c, k, Δ), and the running time of S is polynomial in k.
Q4. How can an identification protocol exploit this delay?
An identification protocol can exploit this delay to become deniable, and this is achieved by the timed challenge-response identification protocol derived from a VDF.
Q5. What is the probability of the (t, δ)-evaluation race game?
If x has been queried by the oracle already, C aborts; this happens with probability at most q/2^k, since the min-entropy of the distribution of messages in the (t, δ)-evaluation race game is at least k.
Q6. What is the protocol made non-interactive using?
This protocol is made non-interactive using the Fiat-Shamir transformation, by letting the challenge prime ℓ = H_prime(bin(g) || bin(y)), where H_prime is a hash function which sends any string s to an element of Primes(2k).
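The non-interactive proof described in Q6 can be seen end to end in the following added example (written for this page, not code from the paper): the slow evaluation y = g^(2^T) mod N, the Fiat-Shamir challenge ℓ = H_prime(bin(g) || bin(y)), the proof π = g^floor(2^T/ℓ) computed by long division so the prover never holds the huge exponent, and the fast verifier check π^ℓ · g^(2^T mod ℓ) == y. The modulus N, the security parameter K, the delay T and the rejection-sampling realisation of H_prime are constructed assumptions for illustration; the factors of this toy N are known, so it is not a group of unknown order in the sense of Q2 and Q10, and a real deployment would use a much larger k.

```python
import hashlib

# Constructed toy parameters (not secure): the group order must be unknown in
# practice, but this toy modulus has known factors and k is tiny.
N = 1000003 * 1000033   # toy RSA-style modulus
K = 16                  # toy security parameter: challenge primes have 2k = 32 bits
T = 1000                # number of sequential squarings (the delay parameter)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every 32-bit candidate."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def bin_enc(x: int) -> bytes:
    """bin(.): fixed-width big-endian encoding of a group element."""
    return x.to_bytes((N.bit_length() + 7) // 8, "big")


def h_prime(s: bytes) -> int:
    """H_prime: map a string to a 2k-bit prime by hashing with a counter and
    keeping the first prime candidate (assumed realisation of the hash into Primes(2k))."""
    ctr = 0
    while True:
        h = hashlib.sha256(s + ctr.to_bytes(4, "big")).digest()
        cand = int.from_bytes(h[: (2 * K) // 8], "big") | (1 << (2 * K - 1)) | 1
        if is_probable_prime(cand):
            return cand
        ctr += 1


def evaluate(g: int) -> int:
    """The inherently sequential part: y = g^(2^T) mod N via T squarings."""
    y = g
    for _ in range(T):
        y = y * y % N
    return y


def prove(g: int, y: int) -> int:
    """Fiat-Shamir: derive l from (g, y), then compute pi = g^floor(2^T / l)
    by long division, keeping the invariant pi = g^floor(2^i / l), r = 2^i mod l."""
    l = h_prime(bin_enc(g) + bin_enc(y))
    pi, r = 1, 1
    for _ in range(T):
        b, r = divmod(2 * r, l)          # b is 0 or 1
        pi = pi * pi % N * pow(g, b, N) % N
    return pi


def verify(g: int, y: int, pi: int) -> bool:
    """Fast check: recompute l from (g, y) and test pi^l * g^(2^T mod l) == y."""
    l = h_prime(bin_enc(g) + bin_enc(y))
    r = pow(2, T, l)
    return pow(pi, l, N) * pow(g, r, N) % N == y


if __name__ == "__main__":
    g = 2
    y = evaluate(g)
    pi = prove(g, y)
    print("valid proof accepted:", verify(g, y, pi))
    print("tampered output rejected:", not verify(g, (y + 1) % N, pi))
```

The verifier does two modular exponentiations with 2k-bit exponents plus one hash, independent of T, while the evaluator cannot avoid T sequential squarings; this is the evaluation/verification gap the paper is after. Because ℓ is bound to both g and y by the hash, changing y changes ℓ, so a proof computed for one output cannot be reused for another.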
Q7. What are the disadvantages of the proposed constructions?
The authors of [4] proposed practical constructions that achieve an exponential gap between evaluation and verification, but do not strictly achieve the requirements of a VDF.
Q8. How can the authors capture the notion of time complexity of a circuit?
For instance, working with circuits with gates ∨, ∧ and ¬ which each have cost 1, the notion of time complexity of a circuit C can be captured by its depth d(C), i.e., the length of the longest path in C.
Q9. What is the order of the strings queried to O by A′?
Therefore Pr[B wins G_root] ≥ p_win · Pr[s = s′ | win_A′]. Let Q = {s_1, s_2, ..., s_{q+1}} be the q + 1 (distinct) strings queried to O by A′, indexed in chronological order.
Q10. How can one generate a modulus by a secure multiparty execution of the RSA?
It is also possible to generate a modulus by a secure multiparty execution of the RSA key generation procedure among independent parties, each contributing some secret random seeds (as done in [6]).
Q11. What is the actual running time of an algorithm?
Given an algorithm, or even an implementation of this algorithm, its actual running time will depend on the hardware on which it is run.
Q12. What is the protocol that avoids this impossibility?
The above protocol avoids this impossibility thanks to a modified notion of soundness, ensuring that only Alice can respond fast enough.
Q13. What is the known algorithm for generating a class group of an imaginary quadratic?
To this day, the best known algorithms for computing the order of the class group of an imaginary quadratic field of discriminant d are still of complexity L_{|d|}(1/2) under the generalised Riemann hypothesis, for the usual function L_t(s) = exp(O(log(t)^s · log log(t)^{1−s})), as shown in [14] and [20].
Q14. What is the probability of a game involving a random oracle?
Since B mostly consists in running A and simulating the random oracle, it is clear that both have the same running time, up to a small constant factor.