Proofs of Work and Bread Pudding Protocols(Extended Abstract)

  • Markus Jakobsson
  • Ari Juels
Chapter
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 23)

Abstract

We formalize the notion of a proof of work (POW). In many cryptographic protocols, a prover seeks to convince a verifier that she possesses knowledge of a secret or that a certain mathematical relation holds true. By contrast, in a POW, a prover demonstrates to a verifier that she has performed a certain amount of computational work in a specified interval of time. POWs have served as the basis of a number of security protocols in the literature, but have hitherto lacked careful characterization. In this paper, we offer definitions treating the notion of a POW and related concepts.

We also introduce the dependent idea of a bread pudding protocol. Bread pudding is a dish that originated with the purpose of reusing bread that has gone stale. In the same spirit, we define a bread pudding protocol to be a POW such that the computational effort invested in the proof may be reused by the verifier to achieve a separate, useful, and verifiably correct computation. As an example of a bread pudding protocol, we show how the MicroMint scheme of Rivest and Shamir can be broken up into a collection of POWs. These POWs can not only serve in their own right as mechanisms for security protocols, but can also be harvested in order to outsource the MicroMint minting operation to a large group of untrusted computational devices.

References

  1. [1]
    M. Abadi, J. Feigenbaum, and J. Kilian. On hiding information from an oracle. Journal of Computer and System Sciences, 39 (1): 21–50, Aug 1989.MathSciNetMATHCrossRefGoogle Scholar
  2. [2]
    M. Bellare and S. Goldwasser. Encapsulated key escrow. Technical Report Technical Report 688, MIT Laboratory for Computer Science, April 1996.Google Scholar
  3. [3]
    M. Bellare and S. Goldwasser. Verifiable partial key escrow. In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 78–91, April 1997.Google Scholar
  4. [4]
    M. Blum and H. Wasserman. Software reliability via run-time result-checking. Journal of the ACM. To appear. Preliminary version. Software reliability via run-time result-checking. Journal of the ACM. To appear. Preliminary version: ‘Program Result-Checking: A Theory of Testing Meets a Test of Theory, ’ Proc. 35th IEEE FOCS, 1994, pp. 382–392.Google Scholar
  5. [5]
    J. Cai, R. Lipton, R. Sedgewick, and A. Yao. Towards uncheatable benchmarks. IEEE Structures, pages 2–11, 1993.Google Scholar
  6. [6]
    C. Dwork and M. Naor. Pricing via processing or combatting junk mail. In Ernest F. Brickell, editor, Proc. CRYPTO ‘82,pages 139147. Springer-Verlag, 1992. Lecture Notes in Computer Science No. 740. (FC ‘87),pages 151–160.Google Scholar
  7. [7]
    Springer-Verlag, 1997. Lecture Notes in Computer Science No. 1318.Google Scholar
  8. [8]
    E. Gabber, M. Jakobsson, Y. Matias, and A. Mayer. Curbing junk e-mail via secure classification. In R. Hirschfeld, editor, Financial Cryptography ‘88. Springer-Verlag, 1998.Google Scholar
  9. [9]
    D. Goldschlag and S. Stubblebine. Publicly verifiable lotteries: Applications of delaying functions. In R. Hirschfeld, editor, Financial Cryptography ‘88. Springer-Verlag, 1998.Google Scholar
  10. [10]
    M. Jakobsson and J. Müller. How to defend against a militant spammer, 1999. manuscript.Google Scholar
  11. [11]
    A. Juels and J. Brainard. Client puzzles: A cryptographic defense against connection depletion attacks. In Proceedings of the 1999 ISOC Network and Distributed System Security Symposium, pages 151–165, 1999.Google Scholar
  12. [12]
    S. Micali. Guaranteed partial key escrow. Technical Report Technical Memo 537, MIT Laboratory for Computer Science, September 1995.Google Scholar
  13. [13]
    F. Monrose, P. Wyckoff, and A. Rubin. Distributed execution with remote audit. In Proceedings of the 1999 ISOC Network and Distributed System Security Symposium, pages 103–113, 1999.Google Scholar
  14. [14]
    M. Naor and B. Pinkas. Secure and efficient metering. In K. Nyberg, editor, Advances in Cryptology - Eurocrypt ‘88, pages 576590. Springer-Verlag, 1998.Google Scholar
  15. [15]
    R. Ostrovsky. A proposal for internet computational commerce: How to tap the power of the WEB, 1998. Presentation at CRYPTO ‘88 Rump Session.Google Scholar
  16. [16]
    R.L. Rivest and A. Shamir. PayWord and MicroMint-two simple micropayment schemes. RSA Laboratories. CryptoBytes, 2 (1): 7–11, Spring 1996.Google Scholar
  17. [17]
    R.L. Rivest, A. Shamir, and D. Wagner. Time-lock puzzles and timed-release crypto. To appear, 10 March 1996.Google Scholar
  18. [18]
    Irma S. Rombauer and Marion Rombauer. Bread-pudding with meringue (six servings). In Joy of Cooking, page 751. Penguin Group, 1997.Google Scholar

Copyright information

© Springer Science+Business Media Dordrecht 1999

Authors and Affiliations

  • Markus Jakobsson
    • 1
  • Ari Juels
    • 2
  1. 1.Bell LabsInformation Sciences Research CenterMurray HillUSA
  2. 2.RSA LaboratoriesBedfordUSA

Personalised recommendations