Proof-Of-Useful-Randomness: Mitigating the Energy Waste in Blockchain Proof-Of-Work

Proof-of-Useful-Randomness: Mitigating the Energy Waste in Blockchain Proof-of-Work

Efe Ulas Akay Seyitoglu1, Attila Altay Yavuz1 and Thang Hoang2 1Department of Computer Science and Engineering, University of South Florida, Tampa FL, USA 2Department of Computer Science, Virginia Tech, Blacksburg VA, USA {efe3, attilaayavuz}@usf.edu, [email protected]

Keywords: Blockchain, Proof-of-Work

Abstract: Proof-of-Work (PoW) is one of the fundamental and widely-used consensus algorithms in blockchains. In PoW, nodes compete to receive the mining reward by trying to be the first to solve a puzzle. Despite its fairness and wide-availability, traditional PoW incurs extreme computational and energy waste over the blockchain. This waste is considered to be one of the biggest problems in PoW-based blockchains and cryptocurrencies. In this work, we propose a new useful PoW called Proof-of-Useful-Randomness (PoUR) that mitigates the energy waste by incorporating pre-computed (disclosable) randomness into the PoW. The key idea is to inject special randomness into puzzles via algebraic commitments that can be stored and later disclosed. Unlike the traditional wasteful PoWs, our approach enables pre-computed commitments to be utilized by a vast array of public-key cryptography methods that require offline-online processing (e.g., digital signature, key exchange, zero-knowledge protocol). Moreover, our PoW preserves the desirable properties of the traditional PoW and therefore does not require a substantial alteration in the underlying protocol. We showed the security of our PoW, and then fully implemented it to validate its significant energy-saving capabilities.

1 INTRODUCTION more than the electricty consumption of Qatar and Bulgaria (Bahri and Girdzijauskas, 2018). A big The proof-of-work (PoW) algorithm provides a chunk of these electricity consumption are due to the means of consensus in blockchains and therefore computational wastefulness of traditional PoW algo- plays a central role in various blockchain applications. rithms. This severe energy waste is considered as one The traditional PoW puzzle has been shown to be fair of the biggest disadvantage of traditional PoW (Ger- and is widely adopted in practice. Specifically, a tradi- vais et al., 2016). Various alternative consensus al- tional PoW (at minimum) satisfies the following prop- gorithms have been developed to reduce the energy erties: (i) Hardness: Each attempt to solve the PoW waste in blockchains. Below, we first outline some puzzle should succeed in a similar probability. This of the prominent approaches related to our work, and gives incentives to invest in computational resources then elaborate our contributions in this paper. because the puzzle rate (i.e., the hashing effort) grows linearly with the possibility of finding a solution. (ii) Efficiency: A puzzle must have a solution, and should 2 RELATED WORK be generated/verified in polynomial time. (iii) Com- pleteness: Only a valid puzzle solution should be ac- cepted by the verifier (Ball et al., 2018). The existing PoW algorithms can be classified into The traditional PoW accounts for about 90% of three groups: (i) Traditional Proof-of-Work, (ii) the total market in digital cryptocurrencies (Gervais Proof-of-Non-Wasteful-Work, (iii) Proof-of-Useful- et al., 2016), as well as dominating the blockchain- Work. based applications. However, despite its merits and • Traditional Proof-of-Work: The most common wide-use in practice, the traditional PoW also has example for such consensus algorithms is the hash- been shown to be extremely energy costly. For in- based Bitcoin PoW algorithm. These type of algo- stance, Bitcoin was measured to have consumed 39 rithms are based on the fact that the hash function TWh of electricity in 2018 which at the time was output is pseudorandom. The puzzle is constructed in a way that, every miner in the network tries to cou- words, finding the solution to the PoW puzzle should ple an arbitrary nonce with the block content whose have no relation with the cryptocurrency itself but hash will be satisfying the puzzle (Meng et al., 2018). should be a process that is dependent on external fac- The more computational power a miner has, the more tors such as hash output. In the PoS algorithm, the nonce values they can try which can potentially end pseudorandomness is internal (Brown-Cohen et al., up satisfying the requirements of the puzzle. We take 2019). the Bitcoin PoW algorithm as a starting point and The PoS variants also suffer from the "nothing thus, will elaborate on this idea further in the pro- at stake" problem. In PoS, validators can maximize posed PoW algorithm section. their earning by joining various forks (and generat- Note: There are other variants of PoW algorithm ing clashing blocks) without taking on extra risk for such as Number Theoretic PoW which is used in losing the stake (Li et al., 2017). Some important ap- popular cryptocurrencies such as PrimeCoin (King, proaches to mitigate this problem can be found in (Ki- 2013). Another important variants are linear alge- ayias et al., 2017). Another concern with PoS is the bra based (e.g. (Ball et al., 2017)) or graph theoretic security impact of stale blocks as described in (Ger- ones (e.g. (Tromp, 2015)). However, the focus of vais et al., 2016). GHOST protocol works to solve this paper is going to be a hash-based approach for this problem (Gervais et al., 2016). two reasons: (i) our construction is on top of the tra- Another good example is the Intel’s proof-of- ditional hash-based Bitcoin PoW, (ii) the hash-based elapsed-time (PoET) which is based on time instead PoW dominates the cryptocurrency market (Loe and of execution power. The first node to finish waiting Quaglia, 2018). gets the mining reward (Chen et al., 2017). This al- • Proof-of-Non-Wasteful-Work: A proof-of-non- gorithm is a good candidate to solve the PoW elec- wasteful-work, is an algorithm that does not consume tricity consumption problem, but it does not incen- computational resources for establishing consensus. tivize nodes and has a considerable deployment cost One good example is the the proof-of-stake (PoS) al- on PoW dominated blockchains. gorithm. In this algorithm, the nodes deposit certain • Proof-of-Useful-Work (PoUW): This type of al- amount of financial resources as stakes. The node gorithms produce a useful component during consen- that will add a new block to the blockchain is cho- sus. One good example is from Ball et. al. who pro- sen with a probability that is linear to the stake they posed a PoUW that helps tackle computational prob- deposit. PoS is a clever attempt to solve the electric- lems (3SUM, Orthagonal Vectors etc.) while solv- ity/computation waste problem. An instantiation of ing the PoW puzzle (Ball et al., 2017). Another good the PoS puzzle idea can be found in (Bentov et al., approach is by (Loe and Quaglia, 2018) who gener- 2016). PoS has also been partially used in other novel ated an instance of the Travelling-Salesman problem PoW schemes (e.g. (Bentov et al., 2014)). Further- which is known to be NP-Hard during the PoW con- more, Krol et. al. proposed Proof-of-Prestige (PoP) sensus. There are other notable approaches such as which is built on top of PoS. In PoP, the users earn Hastings et. al., who proposed a PoUW algorithm prestige via performing useful work which in turn in- that computes the discrete logarithm of a cyclic group creases their chances of obtaining the mining reward during consensus (Hastings et al., 2019) or by Lihu et. (Król et al., 2019). al. who incorporates ML training into puzzle solving (Lihu et al., 2020) to save energy. However, PoS is not perfect due to its innate To sum up, the traditional (wasteful) PoW is still foundational differences (i.e. incentivizing the miner the most widely adopted consensus algorithm despite via stakes instead of compuatation power) compared its wastefulness. Therefore, we need a new useful to PoW. This is a problem because many popular PoW algorithm that stays in the realm of traditional blockchains (e.g. Bitcoin) use the wasteful PoW as PoW consensus but also mitigates its energy waste the consensus algorithm (Nakamoto, 2009). There- problem (Nakamoto, 2009). fore, a big algorithmic jump from PoW to a com- pletely different consensus algorithm (PoS) would require costly development efforts. Furthermore, coin holders in the network would need to be convinced to 3 Our Contribution participate in a whole different consensus algorithm which could be problematic (Kiayias et al., 2017). In this work, to the best of our knowledge, Another fundamental difference between traditional we proposed the first PoUW that creates useful- PoW algorithms and the PoS algorithm is the source randomnesses, which not only substantially reduces of pseudorandomness. In a desirable PoW algorithm, the energy waste, but also preserves the main PoW the pseudorandomness should be external. In other architecture, thereby avoid the hurdles of heavy transition costs of alternative consensus algorithms. minimal alteration to the existing and traditional We name our scheme as proof-of-useful-randomness PoW algorithms in popular platforms such as Bit- (PoUR). coin. We save commitments during consensus Main Idea: In the traditional PoW, one-time without impacting the other parts of the system. randomnesses (nonces) are used as a solution to the puzzle. However, this is expensive and wasteful, as generating a bitcoin block takes on average 232 at- 4 Preliminaries tempts (O’Dwyer and Malone, 2014), and mostly im- portantly, those nonces are just discarded (wasted). We now present the prelimineries of our scheme. Our key observation is that the wasted randomness generation in PoW can be turned into an opportunity, Definition 1. An Algebraic One-way function AOWF if one can produce (special) useful randomness that consist of two algorithms Gen,F(Catalano et al., can be harnessed by the cryptographic algorithms. 2013): Our PoUR algorithm randomly generates (one-way) 1.K ← Gen(1κ): Given the security parameter κ, algebraic commitments that not only serve as the ran- Gen(1κ) outputs a key K. The key K determines domness source for PoW but also can be integrated the order of the groups AK and BK for F. into a vast range of public key cryptographic prim- 2.F K : AK → BK: For input a ∈ AK, there is an itives. We call these useful randonmness as Pre- output b ∈ BK such that b = FK(a) is computed computed Algebraic Commitments (PAC), which can in polynomial-time. However, given b, it should be integrated into various cryptographic schemes in be infeasible for a probabilistic polynomial-time offline-online settings (e.g., digital signatures, key ex- (PPT) adversary A to come up with a function F0 change). We further elaborate the desirable properties such that Pr[F0(a0) = b] ≥ ε. of our scheme as follows: κ 3. ∀ κ ∈ N,K ← Gen(1 ) such that K constitutes an • Energy-Saving and Efficient Consensus: PoUR order for AK and BK in FK : AK → BK. saves considerable energy by creating useful- 4. We can perform efficient group operations: F(AK) L L L randomnesses that can be used by various F(BK) = F(AK BK) where is an operator cryptographic operations as needed. For example, over the ring R. 30 after 2 puzzle-solving attempts, PoUR saves AOWF is popular in many cryptographic domains 5 around 2.18 · 10 J worth of energy in elliptic- such as ECDLP, DLP and Post-Quantum Cryptogra- curve settings. This energy-saving process does phy. We leverage them in PoUR for energy saving not come with the cost of any additional efficiency purposes. overhead to the protocol since the target value of One of the most popular AOWF is the hash func- the puzzle could be adjusted to accommodate the tion H. A hash function is a one-way function takes desired hardness (i.e. the necessary number of in an arbitary length input and produces a fixed out- attempts to solve the puzzle on average). put. We leveraged SHA-256 in our constructions as • Security and Open-Source Implementation: We an AOWF. Bitcoin also leverages the SHA-256 hash present a security discussion for PoUR and pro- function durining consensus (Nakamoto, 2009). vide the implementation of our proposed scheme Definition 2. Given an elliptic curve E(Fq) over a on commodity hardware. We will open-source finite field Fq, ECDLP asks to find a value k ∈ Zq our implementation. such that P2 = k · P1 where P1,P2 are points on E(Fq) • Potential Use-Cases: PoUR is applicable to a (Behnia et al., 2019). wide-array of cryptographic schemes that admit Definition 3. Short Integer Solution Problem (SIS): an offline-online phase, in which PACs can be Given a collection of n-dimensional modulo q (prime n generated via PoUR and then later consumed by number) vectors v˜1,...,v˜m ∈ Zq, the SIS problem cryptographic scheme. Some example crypto- asks to find a collection of non-trivial s1,...,sm ∈ n graphic schemes that receive benefit from PoUR {−1,0,1} such that s1 · v˜1 + ... + sm · v˜m = v˜0 ∈ Zq includes ,but not limited to digital signatures, key- where v˜0 is an n-dimensional vector that contains all exchange, public-key encryption, zero-knowledge zeros (Peikert, 2016). proofs, random beacons and their quantum-safe Definition 4. Learning with Errors Problem (LWE): variants. We have shown two specific PoUR in- Given dimension n, modulo q, an error distribution e stantiations with elliptic-curve and lattice based √ such that n ≤ e ≤ q, and b ∈ Zq, the LWE problem digital signatures. n asks to find a secret s ∈ Zq, such that b = hs,ai + e ∈ n • Ease-of-Integration: PoUR algorithm requires Zq where a ∈ Zq and hs,ai denotes the inner-product between s and a. The decision version of the same the target. In PoUR we replace the duty of nonces problem asks to distinguish a collection of pairs from with disclosable PACs and store them for energy- truly random pairs (Peikert, 2016). saving. Storing PACs is essential for our scheme be- Definition 5. Cryptographic Pseudorandom Num- cause the usage of PACs are common in blockchain- ber Generators (CPRNG): A CPRNG, G is a deter- based public-key infrastructure where offline-online ministic algorithm that takes a uniform input seed and cryptography is leveraged. Furtermore, in our PAC produces a pseudorandom output. Given a short uni- creation we leverage BR. This prevents miners to pre- form seed s, G is a CPRNG satisfies the following create and use these PACs prior to mining. properties: PoUR Energy Saving: PACs are computation- • ∀s, L(G(s)) > L(s) where L is gives the string ally expensive to create and are neccessary in cryp- length. tographic operations. Our PoUR construction pre- • |Pr[T (G(s)) = 1] - Pr[T [(r) = 1]]| ≤ ε where ε is a computes PACs during consensus and stores them. negligible value, T is an efficient statistical random- L(G(s)) The stored PACs results in energy-efficiency because ness test (distinguisher), and r ∈ {0,1} (Katz instead of creating them in future cryptographic meth- and Lindell, 2014). ods, we fetch the stored ones. Definition 6. Pre-computed Algebraic Commit- ments (PAC): PACs are expensive cryptographic to- Generic PoUR Algorithm: We now present the kens created in the offline phase and directly used in generic construction of our PoUR algorithm. We use the online phase for computational saving. Creation this construction as a starting point to show the us- of a PAC consists of three steps: age of PoUR in other cryptographic settings such as offline-online cryptographic settings as well as instan- $ 1.r i ← D for all i = 1 to K where ri is selected from tiations in elliptic-curve and post-quantum settings. −→ is selected from a specified distribution D which We note that m : (m1,...mn) means a vector of mes- is random-uniform. sages. {0,1}∗ denotes a string with arbitrary length 2.R i ← AOWF(ri) for all i = 1 to K (All Ri are dis- and BR denotes the block randomness. closable randomnesses) 3. U ← U ∪ {(ri,Ri)} for all i = 1 to K where U is Algorithm 1 Generic Constructions of PoUR a set that stores the commitments. c ← PoUR.Gen(1κ) : Definition 7. A PoW scheme has three algorithms 1: Target value T is determined ∗ (Ball et al., 2018): 2: Let (BC, BR) ∈ {0,1} 3: return c = (B ,T,B ) •c ← Gen(1κ): Generates the challange c given the C R security parameter κ. π ← PoUR.Solve(c = (B ,T,B )): • π ← Solve(c) : Satisfies the requirements of the C R challenge c and generates the proof π. 1: i = 0 2: do • {0,1} ← Ver(c, π): Verifies that the proof π satis- $ fies the requirements of the challenge c. 3: si ← D 4: ri ← G(si || BR) Miners try to solve the puzzle by finding a nonce v 5: Ri ← AOWF(ri) such that H(BC || v) < T (target value) where || denotes 6: U ← U ∪ {(ri,Ri)} concatenation and BC denotes the block content. The 7: i = i + 1 first miner with such a nonce keeps the reward. 8: while H(BC || Ri) ≥ T 9: return π = (si−1,Ri−1) Note: We disclose only a single PAC out of the 5 Proposed Proof-of-Work 232 (on average) PACs we save. Therefore, our Algorithm 232 (on average) -1 PACs are processable and we save the energy that would have been needed to The classical PoW compares the target value with create the commitments. H(BC || v)(v is the nonce). If the comparison fails, {0,1} ← PoUR.Ver(c = (BC,T,BR),π = (s,R)): PoW increases the nonce by one and compares the 0 1: r ← AOWF(G(s || BR)) hash output against the target value. The idea in tradi- 0 tional Bitcoin PoW is that the miners try out different 2: if AOWF(r ) = R & G(BC || R) < T then nonces for which when appended with the block con- 3: return 1 tent, will result in a hash output that is smaller than 4: return 0 In our PoUR.Solve method, we store the PACs. now show how PoUR uses PACs and saves energy These pre-computed PACs could later be utilized in in ECDLP settings. We chose SchnorrQ signa- many cryptographic methods instead of creating them tures (Schnorr, 1991) but any digital signature with from stratch (which results in energy efficiency). In special features (e.g., forward-security, aggregation the subsequent sections, we show how we leverage (e.g. (Seyitoglu et al., 2020)) would benefit from PoUR in cryptographic applications. PoUR. We denote (k, K) as a public, private key pair. Usage in Offline-Online Cryptography: In The key generation, signature generation and verifi- blockchains with public-key infrastructure, online cation functions are denoted by Kg,Sig,Ver respec- stage execution time is crucial. Thus, we store the tively. Rx is the x-coordinate of R. P is the elliptic pre-computed and compuationally expensive alge- curve generator. braic commitments in U during the offline-phase for faster execution in the online phase. CryptOp.process Algorithm 3 PoUR Construction in Elliptic-Curves is a function for cryptographic operations like encryp- and its usage in SchnorrQ Signature tion, signing etc. whereas CryptOp.verify refers to its c ← PoUR.Gen(1κ) : verification. 1: Target value T is determined ∗ Algorithm 2 Offline-Online Settings with PoUR 2: Let (BC, BR) ∈ {0,1} 3: return c = (B ,T,B ) U ← PoUR.Offline(1κ) C R κ 1: c ← PoUR.Gen(1 ) π ← PoUR.Solve(c = (BC,T,BR)): 2: π ← PoUR.Solve(c) //PACs are in U 1: i = 0 3: if PoUR.Verify(c, π) = 0 then 2: do 4: Go Back to Step 1 $ ∗ 3: si ← Zq 4: r ← H(s || B ) (F ,R ) ← PoUR.Online(−→m , U) i i R 5: Ri ← ri · P //P: Elliptic Curve Generator 1: for i = 1 to n do 6: U ← U ∪ {(ri,Ri)} 2: (ri,Ri) ← Pick and remove from U 7: i = i + 1 3: ← ∪ {(R )} R R i 8: while H(BC || Ri) ≥ T 4: F ← F ∪ CryptOp.process(ri, Ri, mi) 9: return π = (s ,R ) return (F , R ) i−1 i−1 (0,1) ← PoUR.Ver(c = (B ,T,B ),π = (s,R)): {0,1} ← PoUR.Verify(−→m ,F ,R ) C R 1: t ← H(s || BR) 1: ( f ,.., f ) Let F : 1 n 2: if P ·t = R & H(BC || R)) < T then 2: Let R : (R1,..,Rn) −→ 3: return 1 3: m = (m1,..,mn) 4: return 0 4: for i = 1 to n do κ 5: fi ← Pick from F (k,K) ← SchnorrQ.Kg(1 ): 6: R ← Pick from i R 1: (k,K) ← Pick and remove from 7: if CryptOp.verify(R , f , m ) = 0 then U i i i 2: return (k,K) 8: return 0 9: return 1 σ ← SchnorrQ.Sig(k,M): 1: (r,R) ← Pick and remove from 5.1 Generic Constructions of PoUR U 2: e ← H(M || Rx) //Rx: x coordinate of the point R 3: s ← r − e · k We now describe our elliptic-curve and lattice instan- 4: return σ = (s,e) tiations with PoUR. The core idea is to generate commitments during consensus and use them in crypto- {0,1} ← SchnorrQ.Ver(K,M,σ = (s,e)): graphic operations later. If it were not for the PoUR, these commitments would need to be created from 1: R0 ← K · e + P · s 0 scratch which would be computationally costly. 2: if e = H(M || Rx) then Note: The type of commitments that are saved in 3: return 1 PoUR.Solve is dependent on the underlying crypto- 4: else return 0 graphic instantiation. PoUR Construction in Elliptic Curves: We PoUR Construction in Lattices: PoUR can be 5.2 Security Analysis of PoUR l useful in Lattices. ϕ is the coefficient threshold. Rq is m×l a vector with l elements. Rq is a matrix with dimen- We base our security claim on the fact that the disclos- l l m×l able commitments we save in PoUR operates identi- sions m × l. Sϕ ∈ Rq and G is the generator in Rq . We use the sampling in lattices Samp() to incorporate cal as the nonce in the original hash-based PoW. The the BR in our secret. β is the maximum coefficient. difference between the traditional hash-based PoW High and Low refer to high and low bits due to sig- and our PoUR is that we replace the nonce in tradi- nature compression in Dilithium (Ducas et al., 2018). tional hash-based PoW algorithm with the disclosable ||z|| is the norm operation on z. ∞ is the norm infinity. PAC component in our construction. The secret component of PACs in PoUR is Algorithm 4 PoUR Construction in Lattices and its selected from a uniformly distributed set of numbers. usage in Dilithium Signature (Ducas et al., 2018) Furthermore, the disclosable commitment portion is created as a AOWF of the secret. Thus, the discloable c ← PoUR.Gen(1κ) : PAC component operates identical as the traditional 1: Target value T is determined nonce since the probability of selecting the same ∗ 2: Let (BC, BR) ∈ {0,1} disclosable secret component is neglible by κ. Fur- 3: return c = (BC,T,BR) thermore, we assume a collusion-free AOWF. The collusion-freeness property is preserved in Schnorr π ← PoUR.Solve(c = (BC,T,BR): (Schnorr, 1991) variants or discrete log based prob- 1: i = 0 lems. Even if the AOWF is not collusion-free, PoUR 2: do still preserve its security but can potentially cause a $ l slight (negligible) performance drawback. 3: si ← Sϕ, ri ← Samp(si,BR), Ri ← G · ri $ l 4: ei ← Sϕ, U ← U ∪ (ri,ei), i = i + 1 Remark: The security of SchnorrQ (Schnorr, 5: while H(BC || Ri−1) ≥ T 1991), Dilithium (Ducas et al., 2018), and, CryptoOp 6: return π = (si−1,Ri−1) are presevered when instantiated with PoUR since the corresponding commitments (which are located in U) (0,1) ← PoUR.Ver(c = (BC,T,BR),π = (s,R)): with PoUR are identical to the original corresponding 1: x ← Samp(s,BR) commitments. 2: return G · x = R & H(BC || R)) < T Therefore, since our disclosable commitment component operates identical as the original nonce in (k,K) ← Dilithium.Kg() the traditional consensus, PoUR is as secure as the 1: (r,e) ← Pick and remove from U traditional Bitcoin PoW. 2: t = G · r + e 3: return (k = (r,e,G,t), K = (G,t)) 5.3 Alternative Constructions of PoUR

σ ← Dilithium.Sig(k,M) We now discuss alternative constructions of PoUR. 1: do Key-Exchange: PACs created during PoUR can 2: (r,e) ← pick from U be used as session keys during key-exchanges. 3: w ← G · r, c ← H(High(w) || M) Signcryption: PACs created during PoUR can be 4: z ← y + c · r used in signcryption when the public-keys are known 5: b1 ← ||z||∞ ≥ ϕ1 − β prior to mining. 6: b2 ← ||Low(w − c · e),M)||∞ ≥ ϕ2 − β Zero-Knowledge Proofs: PoUR provides sup- 7: while b1 or b2 port for creating PACs for zero-knowledge proof con- 8: return σ ← (z,c) structions such as (Biasse et al., ) the same way it provides support with digital signatures. (0,1) ← Dilithium.Ver(K, M,σ) Cryptographic Beacons: We could store the ran- 1: a ← H(High(G · z - c · t) || M) dom beacon outputs during consensus with PoUR 2: b1 ← ||z||∞ < ϕ1 − β, b2 ← H(M || a) = c (Bünz et al., 2017). 3: if b1 & b2 then Remark: Due to the generation of PACs, a single 4: return 1 iteration in PoUR can take more time than a single it- 5: else return 0 eration in a traditional PoW. However, this does not result in a loss in performance because it is possible to adjust the target value of the puzzle and use PoUR instead of PoW so that we do not give up on the hard- 6.2 Performance Evaluation ness of the puzzle and also leverage a useful PoW. We focused on the savings that PoUR enables on execution time and energy consumption. J and W mean 6 Performance Analysis Joule and Watt. Our experiments showed a linear relation between the puzzle solving attempts and the energy/execution time savings. We now present our evaluation metrics and experimental setup. Table 1: Experimental Results for Savings in Elliptic-Curve and Post-Quantum Settings Puzzle Power Execution Time Energy Solving Consumption 6.1 Evaluation Metrics and Savings (ms) Savings (J) Attempts Rate (W = J/Sec) Experimental Setup Elliptic-Curve Commitments 25 0.306 0.0065 210 10.6 0.2248 21.2 Hardware: We fully-implemented the PoUR on 215 314.74 6.6724 commodity hardware with an Intel i7-8750H 2.20 Post-Quantum Commitments 25 2.47 0.06 GHz processor on a 32GB of RAM. 210 84.60 2.12 25.2 Implementation: Our implementation is based 215 2596.295 65.85 on the Bitcoin infrastructure (Nakamoto, 2009). We replace the classical hash-based Bitcoin1 PoW with PoUR. This allows for the creation of commitments Execution Time Savings (ms) during consensus to be used at a later time and thus, prevents energy and execution-time waste. Energy Savings (J) scale) (log (J) Savings Energy 1013 1012 108 1011 107 www.github.com/efeseyitoglu/PoUR 1010 106 109 105 8 4 107 10 Open-Source Tools: We executed the open-source 10 3 2 106 10 code of Dilithium (Ducas et al., 2018) for generating 5 102 10 1 post-quantum commitments. For elliptic-curve com- 104 10 103 100 mitment savings, we measured SchnorrQ (Schnorr, 102 10−1 1 −2 3 100 10 1991) implementation of the FourQlib library . 10 −3 10 20 30 10 We chose Dilitium (Ducas et al., 2018) and 25 2 215 2 225 2 235 Puzzle Solving Attempts SchnorrQ (Schnorr, 1991) due to their popularity and leveraged the FourQlibrary because it is a fast ellip- Execution Time Savings (ms) (log scale) tic curve library. We obtained the energy savings Figure 1: Execution Time (ms) and Energy (J) Savings for and power consumption by executing Intel’s power- Elliptic-Curve Commitments top tool4. Performance: We calculate the performance ef- Execution Time Savings (ms) ﬁciency in terms of execution and energy savings we

Energy Savings (J) scale) (log (J) Savings Energy acquire via PACs. Considering that a traditional com- 13 1012 109 mitment pair (e.g. (Schnorr, 1991)) would require 10 8 1011 10 around 32KB of storage, this is a small price to pay 1010 107 109 106 considering our efficiency results. 8 5 107 10 Methodology: Since it would be difficult to cre- 10 104 6 3 45 105 10 ate large number of commitments (e.g. 2 ), we mea- 10 2 104 10 3 101 sured the execution time and power requirements for 10 0 5 10 15 102 10 generating 2 ,2 ,2 commitments and extrapolated 101 10−1 20 100 −2 with Matlab for larger number of commitments 2 , 5 10 15 20 25 30 35 10 25 30 35 2 2 2 2 2 2 2 2 , 2 , 2 . Puzzle Solving Attempts Execution Time Savings (ms) (log scale) 1https://github.com/bitcoin/bitcoin Figure 2: Execution Time (ms) and Energy (J) Savings for 2https://github.com/pq-crystals/dilithium Post-Quantum Commitments 3https://github.com/Microsoft/FourQlib 4https://github.com/fenrus75/powertop 7 CONCLUSION Crystals-dilithium: A lattice-based digital signature scheme. IACR Transactions on Cryptographic Hard- We propose PoUR: a PoW algorithm that requires ware and Embedded Systems, 2018(1):238–268. minial alteration to the existing hash-based consen- Gervais, A., Karame, G. O., Wüst, K., Glykantzis, V., Ritz- sus. Our experiments showed that PoUR saves around dorf, H., and Capkun, S. (2016). On the security 6 5 and performance of proof of work blockchains. In 2 · 10 J in post-quantum and 2 · 10 J in elliptic-curve Proceedings of the 2016 ACM SIGSAC conference on settings. We fully-implemented PoUR to demonstrate computer and communications security, pages 3–16. its’ energy-saving capabilities. We also algorithmi- Hastings, M., Heninger, N., and Wustrow, E. (2019). Short cally showed how the PACs we save with PoUR could paper: The proof is in the pudding. In International be used in a wide array of cryptographic schemes. Conference on Financial Cryptography and Data Se- Acknowledgements: We thank the anonymous re- curity, pages 396–404. Springer. viewers for their feedback. This work is supported Katz, J. and Lindell, Y. (2014). Introduction to modern by the NSF CAREER Award CNS-1917627. cryptography. CRC press. Kiayias, A., Russell, A., David, B., and Oliynykov, R. (2017). Ouroboros: A provably secure proof-of-stake blockchain protocol. In CRYPTO, pages 357–388. REFERENCES Springer. King, S. (2013). Primecoin: Cryptocurrency with prime Bahri, L. and Girdzijauskas, S. (2018). When trust saves number proof-of-work. July 7th, 1(6). energy: a reference framework for proof of trust (pot) Król, M., Sonnino, A., Al-Bassam, M., Tasiopoulos, A., and blockchains. In Companion Proceedings of the The Psaras, I. (2019). Proof-of-prestige: A useful work re- Web Conference 2018, pages 1165–1169. ward system for unverifiable tasks. In 2019 IEEE In- Ball, M., Rosen, A., Sabin, M., and Vasudevan, P. N. ternational Conference on Blockchain and Cryptocur- (2017). Proofs of useful work. Cryptology ePrint rency (ICBC), pages 293–301. IEEE. Archive, Report 2017/203. https://eprint.iacr. Li, W., Andreina, S., Bohli, J.-M., and Karame, G. org/2017/203. (2017). Securing proof-of-stake blockchain protocols. Ball, M., Rosen, A., Sabin, M., and Vasudevan, P. N. In Data Privacy Management, Cryptocurrencies and (2018). Proofs of work from worst-case assump- Blockchain Technology, pages 297–315. Springer. tions. In Annual International Cryptology Confer- Lihu, A., Du, J., Barjaktarevic, I., Gerzanics, P., and ence, pages 789–819. Springer. Harvilla, M. (2020). A proof of useful work for ar- Behnia, R., Ozmen, M. O., and Yavuz, A. A. (2019). Aris: tificial intelligence on the blockchain. Authentication for real-time iot systems. ICC 2019 - Loe, A. F. and Quaglia, E. A. (2018). Conquering generals: 2019 IEEE International Conference on Communica- an np-hard proof of useful work. In Proceedings of the tions (ICC), pages 1–6. 1st Workshop on Cryptocurrencies and Blockchains Bentov, I., Lee, C., Mizrahi, A., and Rosenfeld, M. (2014). for Distributed Systems, pages 54–59. Proof of activity: Extending bitcoin’s proof of work Meng, W., Wang, J., Wang, X., Liu, J., Yu, Z., Li, J., Zhao, via proof of stake [extended abstract]y. SIGMETRICS Y., and Chow, S. S. M. (2018). Position paper on Perform. Eval. Rev., 42(3):34–37. blockchain technology: Smart contract and applica- Bentov, I., Pass, R., and Shi, E. (2016). Snow white: Prov- tions. In Au, M. H., Yiu, S. M., Li, J., Luo, X., ably secure proofs of stake. IACR Cryptology ePrint Wang, C., Castiglione, A., and Kluczniak, K., editors, Archive, 2016:919. Network and System Security, pages 474–483, Cham. Biasse, J.-F., Chellappan, S., Kariev, S., Khan, N., Menezes, Springer International Publishing. L., Seyitoglu, E., Somboonwit, C., and Yavuz, A. Nakamoto, S. (2009). Bitcoin: A peer-to-peer electronic Trace-σ. cash system. Brown-Cohen, J., Narayanan, A., Psomas, A., and Matthew O’Dwyer, K. J. and Malone, D. (2014). Bitcoin mining and Weinberg, S. (2019). Formal barriers to longest-chain its energy footprint. proof-of-stake protocols? Peikert, C. (2016). A decade of lattice cryptography. Foun- Bünz, B., Goldfeder, S., and Bonneau, J. (2017). Proofs- dations and Trends® in Theoretical Computer Sci- of-delay and randomness beacons in ethereum. IEEE ence, 10(4):283–424. Security and Privacy on the blockchain (IEEE S&B). Schnorr, C. (1991). Efficient signature generation by smart Catalano, D., Fiore, D., Gennaro, R., and Vamvourellis, K. cards. Journal of Cryptology, 4(3):161–174. (2013). Algebraic (trapdoor) one-way functions and Seyitoglu, E. U. A., Yavuz, A. A., and Ozmen, M. O. their applications. In Theory of Cryptography Confer- (2020). Compact and resilient cryptographic tools for ence, pages 680–699. Springer. digital forensics. In 2020 IEEE Conference on Com- Chen, L., Xu, L., Shah, N., Gao, Z., Lu, Y., and Shi, W. munications and Network Security (CNS), pages 1–9. (2017). On security analysis of proof-of-elapsed-time Tromp, J. (2015). Cuckoo cycle: a memory bound graph- (poet). theoretic proof-of-work. In International Conference Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., on Financial Cryptography and Data Security, pages Schwabe, P., Seiler, G., and Stehlé, D. (2018). 49–62. Springer.