CR · May 17
Wonderboom -- Efficient, and Censorship-Resilient Signature Aggregation for Million Scale Consensus
Zeta Avarikioti, Ray Neiheiser, Krzysztof Pietrzak et al.
Over the last years, Ethereum has evolved into a public platform that safeguards the savings of hundreds of millions of people and secures more than $650 billion in assets, placing it among the top 25 stock exchanges worldwide in market capitalization, ahead of Singapore, Mexico, and Thailand. As such, the performance and security of the Ethereum blockchain are not only of theoretical interest, but also carry significant global economic implications. At the time of writing, the Ethereum platform is collectively secured by almost one million validators, highlighting its decentralized nature and underlining its economic security guarantees. However, due to this large validator set, the protocol takes around 15 minutes to finalize a block, which is prohibitively slow for many real-world applications. This delay is largely driven by the cost of aggregating and disseminating signatures across a validator set of this scale. Furthermore, as we show in this paper, the existing protocol that is used to aggregate and disseminate the signatures has several shortcomings that can be exploited by adversaries to shift stake proportion from honest to adversarial nodes. In this paper, we introduce Wonderboom, the first million-scale aggregation protocol that can efficiently aggregate the signatures of millions of validators in a single Ethereum slot (x32 faster) while offering higher security guarantees than the state-of-the-art protocol used in Ethereum. Furthermore, to evaluate Wonderboom, we implement the first simulation tool that can simulate such a protocol on the million scale and show that even in the worst case Wonderboom can aggregate and verify more than 2 million signatures within a single Ethereum slot.
CR · Oct 17, 2021
HIDE & SEEK: Privacy-Preserving Rebalancing on Payment Channel Networks
Zeta Avarikioti, Krzysztof Pietrzak, Iosif Salem et al.
Payment channels effectively move the transaction load off-chain, thereby successfully addressing the inherent scalability problem most cryptocurrencies face. A major drawback of payment channels is the need to "top up" funds on-chain when a channel is depleted. Rebalancing was proposed to alleviate this issue, where parties with depleting channels move their funds along a cycle to replenish their channels off-chain. Protocols for rebalancing so far either introduce local solutions or compromise privacy. In this work, we present an opt-in rebalancing protocol that is both private and globally optimal, meaning our protocol maximizes the total amount of rebalanced funds. We study rebalancing from the framework of linear programming. To obtain full privacy guarantees, we leverage multi-party computation in solving the linear program, which is executed by selected participants to maintain efficiency. Finally, we efficiently decompose the rebalancing solution into incentive-compatible cycles which conserve user balances when executed atomically. Keywords: Payment Channel Networks, Privacy and Rebalancing.
NI · Apr 9, 2021
LightPIR: Privacy-Preserving Route Discovery for Payment Channel Networks
Krzysztof Pietrzak, Iosif Salem, Stefan Schmid et al.
Payment channel networks are a promising approach to improve the scalability of cryptocurrencies: they allow performing transactions in a peer-to-peer fashion, along multi-hop routes in the network, without requiring consensus on the blockchain. However, during the discovery of cost-efficient routes for the transaction, critical information may be revealed about the transacting entities. This paper initiates the study of privacy-preserving route discovery mechanisms for payment channel networks. In particular, we present LightPIR, an approach which allows a source to efficiently discover a shortest path to its destination without revealing any information about the endpoints of the transaction. The two main observations which allow for an efficient solution in LightPIR are that: (1) surprisingly, hub labelling algorithms - which were developed to preprocess "street network like" graphs so one can later efficiently compute shortest paths - also work well for the graphs underlying payment channel networks, and that (2) hub labelling algorithms can be directly combined with private information retrieval. LightPIR relies on a simple hub labelling heuristic on top of existing hub labelling algorithms which leverages the specific topological features of cryptocurrency networks to further minimize storage and bandwidth overheads. In a case study considering the Lightning network, we show that our approach is an order of magnitude more efficient compared to a privacy-preserving baseline based on using private information retrieval on a database that stores all-pairs shortest paths.
CR · May 15, 2017
Sustained Space Complexity
Joel Alwen, Jeremiah Blocki, Krzysztof Pietrzak
Memory-hard functions (MHF) are functions whose evaluation cost is dominated by memory cost. MHFs are egalitarian, in the sense that evaluating them on dedicated hardware (like FPGAs or ASICs) is not much cheaper than on off-the-shelf hardware (like x86 CPUs). MHFs have interesting cryptographic applications, most notably to password hashing and securing blockchains. Alwen and Serbinenko [STOC'15] define the cumulative memory complexity (cmc) of a function as the sum (over all time-steps) of the amount of memory required to compute the function. They advocate that a good MHF must have high cmc. Unlike previous notions, cmc takes into account that dedicated hardware might exploit amortization and parallelism. Still, cmc has been criticised as insufficient, as it fails to capture possible time-memory trade-offs: as memory cost doesn't scale linearly, functions with the same cmc could still have very different actual hardware cost. In this work we address this problem, and introduce the notion of sustained-memory complexity, which requires that any algorithm evaluating the function must use a large amount of memory for many steps. We construct functions (in the parallel random oracle model) whose sustained-memory complexity is almost optimal: our function can be evaluated using $n$ steps and $O(n/\log(n))$ memory, in each step making one query to the (fixed-input length) random oracle, while any algorithm that can make arbitrarily many parallel queries to the random oracle still needs $\Omega(n/\log(n))$ memory for $\Omega(n)$ steps. Our main technical contribution is the construction of a family of DAGs on $n$ nodes with constant indegree with high "sustained-space complexity", meaning that any parallel black-pebbling strategy requires $\Omega(n/\log(n))$ pebbles for at least $\Omega(n)$ steps.
CR · Apr 27, 2017
Non-Uniform Attacks Against Pseudoentropy
Krzysztof Pietrzak, Maciej Skorski
De, Trevisan and Tulsiani [CRYPTO 2010] show that every distribution over $n$-bit strings which has constant statistical distance to uniform (e.g., the output of a pseudorandom generator mapping $n-1$ to $n$ bit strings), can be distinguished from the uniform distribution with advantage $\varepsilon$ by a circuit of size $O(2^n \varepsilon^2)$. We generalize this result, showing that a distribution which has less than $k$ bits of min-entropy, can be distinguished from any distribution with $k$ bits of $\delta$-smooth min-entropy with advantage $\varepsilon$ by a circuit of size $O(2^k \varepsilon^2/\delta^2)$. As a special case, this implies that any distribution with support at most $2^k$ (e.g., the output of a pseudoentropy generator mapping $k$ to $n$ bit strings) can be distinguished from any given distribution with min-entropy $k+1$ with advantage $\varepsilon$ by a circuit of size $O(2^k \varepsilon^2)$. Our result thus shows that pseudoentropy distributions face basically the same non-uniform attacks as pseudorandom distributions.
CR · Apr 28, 2015
Condensed Unpredictability
Maciej Skorski, Alexander Golovnev, Krzysztof Pietrzak
We consider the task of deriving a key with high HILL entropy from an unpredictable source. Previous to this work, the only known way to transform unpredictability into a key that was $\varepsilon$-indistinguishable from having min-entropy was via pseudorandomness, for example by Goldreich-Levin (GL) hardcore bits. This approach has the inherent limitation that from a source with $k$ bits of unpredictability entropy one can derive a key of length (and thus HILL entropy) at most $k-2\log(1/\varepsilon)$ bits. In many settings, e.g. when dealing with biometric data, such a $2\log(1/\varepsilon)$ bit entropy loss is not an option. Our main technical contribution is a theorem that states that in the high entropy regime, unpredictability implies HILL entropy. The loss in circuit size in this argument is exponential in the entropy gap $d$. To overcome the above restriction, we investigate if it's possible to first "condense" unpredictability entropy and make the entropy gap small. We show that any source with $k$ bits of unpredictability can be condensed into a source of length $k$ with $k-3$ bits of unpredictability entropy. Our condenser simply "abuses" the GL construction and derives a $k$ bit key from a source with $k$ bits of unpredictability. The original GL theorem implies nothing when extracting that many bits, but we show that in this regime, GL still behaves like a "condenser" for unpredictability. This result comes with two caveats: (1) the loss in circuit size is exponential in $k$ and (2) we require that the source we start with has no HILL entropy (equivalently, one can efficiently check if a guess is correct). We leave it as an intriguing open problem to overcome these restrictions or to prove they're inherent.