
A verifiable delay encoding (VDE) is an encoding that is slow to compute yet fast to decode. The encoding requires non-parallelizable sequential work to evaluate and therefore, in theory, cannot be computed in less than some minimum wall-clock time. A VDE is a special case of a verifiable delay function, recently introduced in [14]. Practical (heuristic) examples of VDEs include Sloth [31], MiMC [4], and a special class of permutation polynomials [14].

Formally, a VDE is a tuple of three algorithms VDE = (VDE.Setup, VDE.Enc, VDE.Dec) defined as follows.

1. VDE.Setup(t, λ) → pp is given the security parameter λ and the delay parameter t and produces public parameters pp. By convention, the public parameters also specify an input space X and a code space Y. We assume that X is efficiently samplable. VDE.Setup might need secret randomness, leading to a scheme requiring a trusted setup.

2. VDE.Enc(pp, x) → y takes an input x ∈ X and produces an output y ∈ Y.

3. VDE.Dec(pp, y) → x takes an input y ∈ Y and produces an output x ∈ X.

Correctness. For all pp generated by VDE.Setup(λ, t) and all x ∈ X, algorithm VDE.Enc(pp, x) must run in parallel time t with poly(log(t), λ) processors, and VDE.Dec(pp, VDE.Enc(pp, x)) = x with probability 1.

Parallelism. The practical significance of allowing poly(log(t), λ) parallelism in VDE.Enc is that any implementation must have this much parallelism in order to evaluate within the delay time t. The security property of a VDE will bound the success probability of an adversary running in less than time t. If the construction demands that VDE.Enc use a significant amount of parallelism to complete in a time t for which this sequentiality bound holds (i.e. the adversary cannot gain further speedup), then it may only be useful for applications where the "honest" evaluators have this much parallelism available. Constructions that do not require any parallelism to evaluate VDE.Enc in the optimal number of sequential steps are obviously superior. However, it is unlikely that such constructions exist (without trusted hardware). In fact, it is necessary that |Y| > poly(t) (otherwise the output can be guessed and checked quickly using VDE.Dec), and hence the challenge inputs have size poly log(t). Therefore, at a minimum we must allow up to poly log(t) parallelism. In practice, much of this parallelism may already be taken advantage of by the hardware (e.g. word sizes on modern processors and/or SIMD instructions).

A.5.1 VDE security

The main security property of a VDE is σ-sequentiality, which characterizes that no adversary running in parallel time significantly less than t is able to compute VDE.Enc on a random input in X, even given preprocessing advice (see footnote 25). This captures an unpredictability property given time constraints on the adversary.

Definition 19 (sequentiality). For a function σ(t), a VDE is σ-sequential if for any pair of randomized algorithms A_0, which runs in total time O(poly(t, λ)), and A_1, which runs in parallel time t − σ(t) on at most O(poly(t)) processors, the following probability over pp ← VDE.Setup(t, λ) is negligible:

$$
\Pr\left[\; y \leftarrow \mathcal{A}_1(\alpha, pp, x) \;\wedge\; y = \mathsf{VDE.Enc}(x) \;:\; x \leftarrow_R \mathcal{X},\; \alpha \leftarrow \mathcal{A}_0(\lambda, pp, t) \;\right] < \mathrm{negl}(\lambda)
$$

A second (stronger) property concerns the pseudorandomness of the output. Clearly the output of VDE.Enc on an input x is not indistinguishable from random, since we can run VDE.Dec to recover the input; however, we may want the property that VDE.Enc(pp, ·) is indistinguishable from a random permutation (if X = Y) for pp sampled from the setup, similar to modeling block ciphers as an ideal cipher. We formalize the ideal delay encoding object (for the special case of a permutation) as an oracle in the following definition.

Footnote 25: Asymptotically, t must be subexponential in λ. The reason for this is that the adversary needs to be able to run in time at least t, and if t is exponential in λ then the adversary might be able to break the computational security underlying σ-sequentiality. Of course, if σ-sequentiality is somehow achieved unconditionally then this constraint no longer applies.

Definition 20. An ideal delay permutation (IDP) is a family of oracles {O_IDP^(t)} that implement a random permutation Π and respond to two types of queries. On a query (q, 0) the oracle O_IDP^(t) internally simulates t sequential queries to Π⁻¹ and then outputs Π(q). On a query (q, 1) it outputs Π⁻¹(q).

Indifferentiability on random inputs. One would hope to instantiate an IDP given oracle access to a random permutation Π, Π⁻¹, and any o(1)-sequential VDE. A first attempt would be the system C which first samples pp ← VDE.Setup(t, λ) for sufficiently large λ and then on input (q, 0) returns ι(q) = Π(VDE.Enc(pp, Π(q))) and on input (q, 1) returns ι⁻¹(q) = Π⁻¹(VDE.Dec(pp, Π⁻¹(q))). We would further hope to argue that C is indifferentiable from O_IDP^(t) in the sense of Maurer et al. [38]. Unfortunately, because the Π used in the construction is necessarily available to the adversary as well, the adversary can choose any value (say 0), query for x = Π⁻¹(0), and then query C on input x. Since a VDE is only necessarily sequential on random inputs, the adversary may be able to find an input x in this way that causes C to output ι(x) in significantly fewer than t steps, which would enable it to distinguish C from O_IDP^(t). Nonetheless, it is still possible that indifferentiability is achieved when the distinguisher is restricted to random queries (and for applications that only make random queries this may be good enough).
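As an added illustration of the VDE interface above (Setup/Enc/Dec with the slow-encode, fast-decode asymmetry) and of the wrapped system C from the indifferentiability discussion, here is a toy Sloth-style VDE written for this page, not code from the paper: each Enc step is a modular square root (one exponentiation) with a parity-based root choice, and each Dec step is a single squaring. The prime, the seeded shuffle standing in for Π, and the tiny parameters are constructed assumptions for demonstration only.

```python
import random

def vde_setup(t: int, p: int = 1019):
    # Constructed toy parameters: p is a small prime with p ≡ 3 (mod 4),
    # so -1 is a non-residue and every x in X = Y = {1,...,p-1} has
    # exactly one of x, -x as a quadratic residue.
    assert p % 4 == 3
    return {"t": t, "p": p}

def _is_qr(z: int, p: int) -> bool:
    return pow(z, (p - 1) // 2, p) == 1

def _slow_step(x: int, p: int) -> int:
    # One sequential Enc step: a square root via exponentiation. Picking the
    # root by integer parity is the non-algebraic twist that stops t steps
    # from collapsing into a single exponentiation.
    if _is_qr(x, p):
        r = pow(x, (p + 1) // 4, p)        # root of x: keep the even root
        return r if r % 2 == 0 else p - r
    r = pow((-x) % p, (p + 1) // 4, p)     # root of -x: keep the odd root
    return r if r % 2 == 1 else p - r

def _fast_step(y: int, p: int) -> int:
    # Inverse of _slow_step: one squaring; the parity tells us the sign.
    return (y * y) % p if y % 2 == 0 else (-(y * y)) % p

def vde_enc(pp, x: int) -> int:
    assert 0 < x < pp["p"], "input outside X"
    for _ in range(pp["t"]):
        x = _slow_step(x, pp["p"])
    return x

def vde_dec(pp, y: int) -> int:
    for _ in range(pp["t"]):
        y = _fast_step(y, pp["p"])
    return y

def make_pi(p: int, seed: int = 7):
    # Stand-in for the random permutation oracle Π on X (a seeded shuffle).
    dom = list(range(1, p))
    img = dom[:]
    random.Random(seed).shuffle(img)
    fwd = dict(zip(dom, img))
    return fwd, {v: k for k, v in fwd.items()}

def construction_c(pp, pi, pi_inv):
    # System C: (q,0) -> ι(q) = Π(VDE.Enc(pp, Π(q))), (q,1) -> ι⁻¹(q).
    def iota(q): return pi[vde_enc(pp, pi[q])]
    def iota_inv(q): return pi_inv[vde_dec(pp, pi_inv[q])]
    return iota, iota_inv
```

Because every Enc step is a bijection on X, iterating it t times is a permutation and Dec inverts it exactly, which is the correctness requirement stated above.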