Theory

The DCI recognizes the value of solid theoretical foundations in addition to robust implementation: both in the immediate term, for technologies to deliver their promised security and functionality, and in the longer term, to explore the frontiers of current and future technologies' capabilities.

Theoretical foundations can be an important reference and building block for designers of technology, even in ways unforeseeable at the time of the initial research. (For example, the widespread RSA encryption system is based on mathematics that was long considered pure theory, without applications.) Theoretical research may also explore the frontiers of what technologies may be possible in the near or distant future, or even prove certain approaches are impossible (allowing us to focus our attention on alternatives). And in the context of designing systems, theoretical modeling is an important tool (among others) to discover potential bugs and vulnerabilities.

Projects and Research

Verifiably Delaying Adversaries in Consensus

Consensus is a fundamental problem in the field of distributed computing and multi-agent systems to achieve system reliability in the presence of some number of faulty or adversarial processes. The goal of processes participating in consensus is to agree on some shared data value that is needed in computation. In the context of blockchains, such data values consist of transactions; all participants must simultaneously agree on the same shared ledger, and new transactions must be able to be added to the ledger. Consensus is at the heart of ensuring that such guarantees are met in blockchains.

Archived Research

Currency Efficiency

As a neutral digital currency research lab, the MIT DCI has fielded many questions about the energy consumption of Proof of Work (PoW) cryptocurrencies (e.g. Bitcoin). Given the potential environmental impacts of unjustified energy use, we recognize the importance of this issue—but despite the stakes, we see a disturbing lack of rigor, neutrality, and concrete data pervading the conversation. To that end, our Currency Efficiency research project is an attempt to isolate the root concerns underpinning the environmental considerations, offer a usable framework, and gather rigorous data on various crypto and fiat currencies in order to help move the larger conversation forward in a productive manner. We hope this work will eventually allow for a meaningful, rational assessment and comparison of the environmental impact of many cryptocurrencies and payment systems.

It wasn't me! Repudiability and (Un)claimability of Ring Signatures

Static-Memory-Hard Functions, and Modeling the Cost of Space vs. Time

Abstract:

Ring signatures, introduced by [RST01], are a variant of digital signatures which certify thatone among a particular set of parties has endorsed a message while hiding which party in the set was the signer. Ring signatures are designed to allow anyone to attach anyone else’s name to a signature, as long as the signer’s own name is also attached.

But what guarantee do ring signatures provide if a purported signatory wishes to denounce a signed message — or alternatively, if a signatory wishes to later come forward and claim ownership of a signature? Prior security definitions for ring signatures do not give a conclusive answer to this question: under most existing definitions, the guarantees could go either way. That is, it is consistent with some standard definitions that a non-signer might be able torepudiate a signature that he did not produce, or that this might be impossible. Similarly, a signer might be able to later convincingly claim that a signature he produced is indeed his own, or not. Any of these guarantees might be desirable. For instance, a whistleblower might have reason to want to later claim an anonymously released signature, or a person falsely implicated in a crime associated with a ring signature might wish to denounce the signature that is framing them and damaging their reputation. In other circumstances, it might be desirable that even under duress, a member of a ring cannot produce proof that he did or did not sign a particular signature. In any case, a guarantee one way or the other seems highly desirable.

In this work, we formalize definitions and give constructions of the new notions of repudiable,unrepudiable, claimable, and unclaimable ring signatures. Our repudiable construction is based on VRFs, which are implied by several number-theoretic assumptions (including strong RSA or bilinear maps); our claimable construction is a black-box transformation from any standard ring signature scheme to a claimable one; and our unclaimable construction is derived from the lattice-based ring signatures of [BK10], which rely on hardness of SIS. Our repudiable construction also provides a new construction of standard ring signatures.

Abstract:

A series of recent research starting with (Alwen and Serbinenko, STOC 2015) has deepened our understanding of the notion of memory-hardness in cryptography — a useful property of hash functions for deterring large-scale password-cracking attacks — and has shown memory-hardness to have intricate connections with the theory of graph pebbling. Definitions of memory-hardness are not yet unified in the somewhat nascent field of memory-hardness, however, and the guarantees proven to date are with respect to a range of proposed definitions. In this paper, we observe two significant and practical considerations that are not analyzed by existing models of memory- hardness, and propose new models to capture them, accompanied by constructions based on new hard-to-pebble graphs. Our contribution is two-fold, as follows.

First, existing measures of memory-hardness only account for dynamic memory usage (i.e., memory read/written at runtime), and do not consider static memory usage (e.g., memory on disk). Among other things, this means that memory requirements considered by prior models are inherently upper-bounded by a hash function’s runtime; in contrast, counting static memory would potentially allow quantification of much larger memory requirements, decoupled from runtime. We propose a new definition of static-memory-hard function (SHF) which takes static memory into account: we model static memory usage by oracle access to a large preprocessed string, which may be considered part of the hash function description. Static memory requirements are complementary to dynamic memory requirements: neither can replace the other, and to deter large-scale password-cracking attacks, a hash function will benefit from being both dynamic- memory-hard and static-memory-hard. We give two SHF constructions based on pebbling. To prove static-memory-hardness, we define a new pebble game (“black-magic pebble game”), and new graph constructions with optimal complexity under our proposed measure. Moreover, we provide a prototype implementation of our first SHF construction (which is based on pebbling of a simple “cylinder” graph), providing an initial demonstration of practical feasibility for a limited range of parameter settings.

Secondly, existing memory-hardness models implicitly assume that the cost of space and time are more or less on par: they consider only linear ratios between the costs of time and space. We propose a new model to capture nonlinear time-space trade-offs: e.g., how is the adversary impacted when space is quadratically more expensive than time? We prove that nonlinear tradeoffs can in fact cause adversaries to employ different strategies from linear tradeoffs.

Finally, as an additional contribution of independent interest, we present an asymptotically tight graph construction that achieves the best possible space complexity up to log log n-factors for an existing memory-hardness measure called cumulative complexity in the sequential pebbling model.