Re: GNUnet PoWs hashfunction
From: Jeff Burdges
Subject: Re: GNUnet PoWs hashfunction
Date: Sat, 18 Apr 2020 14:51:24 +0200
> Do you have anything public you can refer to? Would love to read more
> about that. Thanks. >Y<
https://vdfresearch.org
There are several VDFs that do many squarings in a group of unknown order, for
which they provide the output along with a proof that they computed it by doing
the required squarings. There are two proposed proof strategies, by Pietrzak
(https://eprint.iacr.org/2018/627.pdf) and Wesolowski
(https://eprint.iacr.org/2018/623.pdf), that differ primarily in the assumptions
they require from the underlying group of unknown order
(https://eprint.iacr.org/2018/712.pdf).
There are two groups of unknown order being proposed:
Integers modulo an RSA composite p q for which nobody knows p and q - These
require a really shitty trusted setup, but we’ll know ASIC speeds far sooner
since E.F. works towards this one.
Class group of an imaginary quadratic order - We’re far from any real
confidence in crypto with class groups, and do not expect ASIC speeds anytime
soon, but these avoid the trusted setup, and some software and GPU competition
exists: https://github.com/Chia-Network/vdf-competition
https://medium.com/@chia.net/chia-vdf-competition-round-1-results-and-announcements-5d0479663816
https://medium.com/@chia.net/chia-network-announces-2nd-vdf-competition-with-100-000-in-total-prize-money-899872fdc97c
There are also VDFs built on evaluating isogenies instead of doing squarings,
which give cool properties like encryption to the eventual VDF evaluation,
so imagine a time-lock puzzle that opens an unlimited number of ciphertexts.
ASIC speed estimates sound far off. Also, these require a trusted setup that’s
much less shitty than the RSA composite trusted setup, but they also require a
preliminary VDF setup run, so you cannot decide dynamically for how long you
run the VDF.
If you want to use the RSA VDF that E.F. funds, then you’ve two choices: You
can outsource confidence in the trusted setup by using E.F.’s trusted setup,
but then you’re vulnerable to ASICs that E.F. sponsors. If you want ASIC
resistance, then you can increase key size beyond their ASIC, and do your own
trusted setup, but doing this requires effort even assuming runnable code
exists.
Jeff
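A toy worked example of the repeated-squaring VDF with a Wesolowski proof that the message above refers to, added here as an illustration; it is not code from this thread, from GNUnet, or from the cited papers. It assumes a constructed ~60-bit RSA-style modulus whose factors are known (which is exactly the trusted-setup problem Jeff describes, and the trapdoor_evaluate function shows what the setup party can do with that knowledge), a 64-bit hash-to-prime challenge with fixed Miller-Rabin bases, and T = 2048 squarings. The names evaluate, prove, verify, hash_to_prime and trapdoor_evaluate are this example's own. A real deployment would use a ~2048-bit modulus nobody can factor and a T in the billions.

```python
"""Toy Wesolowski VDF over Z_N, N an RSA-style composite (example only).

Added illustration, not GNUnet code and not a reference implementation of
Pietrzak's or Wesolowski's papers. The modulus is a constructed toy whose
factors are known, so it is precisely NOT a trusted setup.
"""
import hashlib

# Constructed toy modulus: product of two known primes (NOT a real setup).
P_TOY = 1000000007
Q_TOY = 998244353
N_TOY = P_TOY * Q_TOY

# Fixed Miller-Rabin bases: deterministic for n < 3.18e23, which covers the
# 64-bit challenge primes produced by hash_to_prime below.
_MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (exact for the 64-bit sizes used here)."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def hash_to_prime(x: int, y: int, bits: int = 64) -> int:
    """Fiat-Shamir challenge: derive a prime l from the (input, output) pair."""
    digest = hashlib.sha256(f"{x}|{y}".encode()).digest()
    candidate = int.from_bytes(digest[: bits // 8], "big") | 1
    while not is_probable_prime(candidate):
        candidate += 2
    return candidate


def evaluate(x: int, t: int, n: int = N_TOY) -> int:
    """The sequential part: y = x^(2^T) mod N by T dependent squarings."""
    y = x % n
    for _ in range(t):
        y = y * y % n
    return y


def prove(x: int, y: int, t: int, n: int = N_TOY) -> int:
    """Wesolowski proof pi = x^q mod N with q = floor(2^T / l), l = H(x, y)."""
    l = hash_to_prime(x, y)
    q = (1 << t) // l  # fine for toy T; the paper shows how to stream this
    return pow(x, q, n)


def verify(x: int, y: int, t: int, pi: int, n: int = N_TOY) -> bool:
    """Check pi^l * x^r == y (mod N) with r = 2^T mod l; cost is O(log T)."""
    l = hash_to_prime(x, y)
    r = pow(2, t, l)
    return (pow(pi, l, n) * pow(x, r, n)) % n == y % n


def trapdoor_evaluate(x: int, t: int, p: int = P_TOY, q: int = Q_TOY) -> int:
    """What whoever knows p, q can do: reduce the exponent mod phi(N) and skip
    the T squarings entirely. This is why the setup must be trusted."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return pow(x, pow(2, t, phi), n)


if __name__ == "__main__":
    x, t = 3, 2048
    y = evaluate(x, t)
    pi = prove(x, y, t)
    print("honest proof verifies:", verify(x, y, t, pi))
    print("trapdoor matches:", trapdoor_evaluate(x, t) == y)
    print("tampered output rejected:", not verify(x, (y + 1) % N_TOY, t, pi))
```

The verifier never redoes the T squarings: it recomputes l from (x, y), reduces 2^T modulo l, and does two modular exponentiations of 64-bit and 2048-bit exponents. The trapdoor function is the point of the "shitty trusted setup" remark: anyone holding p and q evaluates the VDF in constant time, so the whole sequentiality argument rests on nobody having kept the factors.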