HackerTrans
TopNewTrendsCommentsPastAskShowJobs

c0742e9366

no profile record

comments

c0742e9366
·2 yıl önce·discuss
It’s unfair to equate this paper to obviously flawed ones since all their claims seem to be properly substantiated. Also, the protocol does not assume a trusted leader (otherwise agreement would be trivially solved).

In general, I am also not fond of this writing style. However, if one reads more papers published in this community/area, then one notices that many of them are written similarly. Since the primary audience of these papers are other researchers in the same area, they are presumably able to read past the cruft efficiently.

I also agree that academia incentivizes overselling results. In this case, however, this is a nice result and not oversold by the authors (being somewhat knowledgeable in this field).
c0742e9366
·2 yıl önce·discuss
I disagree with this uncharitable view of the paper.

First, an important missing point is that the protocol does not require trusted setup. In contrast, most prior works require that parties hold threshold secret keys (necessitating a trusted third-party or expensive setup procedure).

Second, a lot of effort is currently being poured into the transition to post-quantum. So having a post-quantum secure protocol is evidently valuable to a lot of people.

Third, Byzantine agreement protocols usually always assume pairwise private and authenticated communication channels. It makes sense that protocols should not need to concern themselves with the communication layer and such channels can be realized from standard cryptographic building blocks anyways. Here the paper not using any PK-cryptography is especially nice because the protocol can be layered on top without a lot of fuss—no matter what the channels are based on.

Last, this problem is far from "made up". It was an obvious (and also seemingly hard to solve) to people working in this area. Also, Byzantine agreement is a practically important problem and this is an elegant solution.
c0742e9366
·4 yıl önce·discuss
The (freely available) book "SAT/SMT by Example" [1] shows how a lot of different problems can be tackled with an SMT solver. I highly recommend it!

[1] https://sat-smt.codes/
c0742e9366
·4 yıl önce·discuss
As written below, "Introduction to Modern Cryptography" by Katz & Lindell. Another option would be "A Graduate Course in Applied Cryptography" by Boneh & Shoup. However, for starting out, I would definitely recommend the former as it's more polished and focuses on the essentials.
c0742e9366
·4 yıl önce·discuss
For a rigorous, yet accessible and rather in-depth introduction to modern, provable cryptography I would recommend

"Introduction to Modern Cryptography" by Katz & Lindell.

It starts from the basics, the proofs are thoroughly elaborated and it has an appendix covering the necessary math prerequisites.
c0742e9366
·5 yıl önce·discuss
ZKP inherit this definition from the complexity class of interactive proofs (IP) that is usually defined this way. As pointed out in a comment below, IP = PSPACE. Interestingly enough, changing the definition of IP to perfect correctness (1 instead of 2/3) does not make IP any weaker. However, requiring perfect soundness (0 instead of 1/3) would result in IP = NP.
c0742e9366
·5 yıl önce·discuss
It seems to work for me. Though here is a snapshot just in case https://archive.md/MpPRL
c0742e9366
·5 yıl önce·discuss
I like the Ali Baba's cave [1] explanation for ZKP. Especially since it gives intuition for how one can prove that a protocol is in fact zero-knowledge.

[1] http://pages.cs.wisc.edu/~mkowalcz/628.pdf
c0742e9366
·5 yıl önce·discuss
Yes, in the strict sense of the meaning. In general, the comparison of VDFs (a cryptographic building block) and Bitcoin-style PoW (a consensus mechanism) is not that useful. However, using a VDF as part of a consensus mechanism (see e.g., Chia) does not introduce an energy overhead.

To demystify what a VDF is, consider the delay function (i.e., the majority of the work done to compute a VDF) used by the most prominent proposals:

Let N = p*q be a product of two large primes (so an RSA modulus) and assume that the primes p and q have been immediately thrown away/forgotten after initialization. Then, computing

f(x) = x^(2^T) mod N

is believed (dating back to a paper by Rivest, Shamir and Wagner in 1996) to take T sequential steps provided that T is large enough. For a large T, the only feasible approach seems to be repeated squaring modulo N. That is, compute y = x^2 mod N, y' = y^2 mod N, ... for T times.
c0742e9366
·5 yıl önce·discuss
If you go by the usual, energy-wasting meaning of "proof of work" that is also the one relevant to the discussion (i.e., Bitcoin-style PoW which is described in the article), then no.
c0742e9366
·5 yıl önce·discuss
No, a VDF just proves that, given a certain input, you spent a certain amount of time to compute the unique (!) VDF output. As said, this computation must be carried out sequentially. Of course, it can still be sped up by creating an ASIC (the same technology used for Bitcoin miners nowadays). However, there is not point in running multiple ASICs (like a Bitcoin mining farm) because the computation cannot be parallelized and the output is unique. Thus, running one ASIC has exactly the same effect as running thousands ASICs and there is no energy waste.
c0742e9366
·5 yıl önce·discuss
As far as I am aware, these long-range forks can be hindered by using verifiable delay functions (VDFs) [1, p. 6]. Essentially, VDFs take a certain amount of steps to compute and cannot be parallelized. However, the correctness of their output can be verified efficiently.

Now if a proof of stake includes a VDF that needs to be computed for every block, then a long-range attack needs to recompute the VDF outputs as well. This is infeasible as it will take a long time given the correct choice of VDF parameters.

Notably, the Chia blockchain mentioned in the article would succumb to long-range attacks as well were it not for their usage of VDFs [2, p. 17].

[1] https://eprint.iacr.org/2018/601.pdf [2] https://www.chia.net/assets/ChiaGreenPaper.pdf