A new ECDLP-based PoW model

We lay the foundations for a blockchain scheme whose consensus is reached via a proof-of-work algorithm based on the solution of consecutive discrete logarithm problems over the point groups of elliptic curves. In the considered architecture, the curves are pseudorandomly determined by block creators, chosen to be cryptographically secure and changed every epoch. Given the current state of the chain and a prescribed set of transactions, the curve selection is fully rigid; therefore no trust is needed in either the miners or the scheme proposers.


Introduction
A proof of work (PoW) is a procedure that allows a prover to demonstrate that he is very likely to have performed a specific amount of computational work within a prescribed interval of time [34].
Since 2008, PoW methods have attracted considerable interest, as Bitcoin [38] introduced a PoW-based consensus algorithm that puts miners in competition to solve a cryptographic challenge. Bitcoin's consensus relies on a hashcash system [4,5], whose workload may be easily adjusted and whose output is quickly verifiable. Despite their high efficiency and easy implementation, all hashcash-based protocols share a common limitation: the huge amount of computation performed by the nodes becomes useless once consensus is reached. This aspect has raised environmental concerns, and many solutions have been proposed to reduce these energy-intensive calculations.
A promising countermeasure to this issue is the adoption of bread pudding protocols [28]. They face the aforementioned problem by performing computational work that is reusable for practical [17,19,37,47], cryptographic [28,41] or mathematical [52] purposes. Moreover, the latter class of systems includes several protocols that are meant to be research propellants [6], namely designed to boost the commitment to the solution of difficult mathematical problems.
Along the same line, we have proposed [33] a blockchain architecture with a PoW consensus algorithm based on the solution of the Discrete Logarithm Problem over the point groups of elliptic curves (ECDLP). In this work, we provide that germinal proposal with precise mathematical foundations and further implementation details.
The idea of basing the PoW on the ECDLP has already appeared in other works [27,30], as this problem is widely studied and applied in cryptographic protocols. However, the curves considered there do not usually fulfil the standard security criteria [7], especially as regards full rigidity: the network has to initially trust an authority that provides the curve parameters.
In this work we radically solve this issue by designing a PoW system based on elliptic curves that change over time. Since the curves are pseudorandomly constructed and satisfy general security conditions, a malicious user could attack the chain only by breaking the ECDLP for an immense class of elliptic curves, which is currently considered infeasible.
This paper is organized as follows: after a quick summary of the ECDLP in Section 2, we outline the proposed blockchain architecture in Section 3 and its block construction in Sections 3.1 and 3.2. The strong points of this system are discussed in Section 4, including a theorem on the security of our system, while in Section 5 future work directions are suggested.

ECDLP
The ECDLP is a renowned problem that consists of finding an integer N ∈ ℕ such that the N-th multiple of a base point P of an elliptic curve E over a finite field equals another given point Q, i.e. Q = N · P.
Here we are only interested in elliptic curves over prime fields F_p determined by their short Weierstrass equation y^2 = x^3 + Ax + B. Solving the ECDLP for a curve E over a large field is considered a difficult challenge except for degenerate cases.

The general case
Currently the best known general attacks are Baby-Step Giant-Step [46] and Pollard's Rho and Kangaroo algorithms [40], which have an asymptotic complexity of O(√|E|), where |E| is the size of E. These are generic collision-finding algorithms (Pollard's methods also parallelize well), which work over any group, i.e. no property of the underlying structure but the definition of the group operation is used.
The introduction of Semaev's summation polynomials [45] has suggested the existence of subexponential algorithms for the ECDLP, but no clear evidence has emerged. Pairing-based attacks [22,36], index calculus [2,32,49] and Xedni calculus [48] have recently been studied, but so far none of them seems to significantly reduce the complexity of the general case.

Special cases
There are some families of curves whose ECDLP is known to be easier than the general case, namely there are algorithms for efficiently solving it. Consequently, these curves have to be carefully avoided when designing an ECDLP-based protocol. The following is a concise summary of those particular attacks, the curves on which they may be efficiently applied and how we avoid them.

A sample blockchain architecture
To show how our PoW works, we introduce a schematic sample ledger architecture, but our algorithm may easily be adapted to any blockchain scheme. Our architecture is based on two types of blocks:
[EB] An Epoch Block contains, aside from the header and a list of transactions, a prime number p, an elliptic curve E defined over F_p and a base point P of E, all determined by the proposing miner.
Moreover, it includes as PoW two integers N_1, N_2 ∈ {0, ..., |E| − 1}, to be discovered by the proposing miner, such that the points N_i · P of E are deterministically determined from the header of the block.
These EBs occur once every 2016 blocks in the blockchain.
[SB] A Standard Block is just a light version of an EB: it is constructed in the same way, except that p, E, P are inherited from the last EB of the chain.
SBs constitute the vast majority of the blocks of the chain. EBs basically define the setting (curves and base points) on which the discrete logarithm PoWs will have to be solved in the following epoch. They are slightly heavier to produce and verify, but occur rarely (roughly once every two weeks with a BTC-like difficulty adjustment).
In order to give the specifications of our blocks we need a deterministic function P_Gen to construct a point on a given elliptic curve E from a prescribed hash digest h, which we treat as an integer for simplicity. The following is a concrete example of such a function.
function P_Gen(h, E)
    i = 0
    while #{points of E with x-coordinate = h + i} = 0:
        i = i + 1
    return the point of E with x-coordinate h + i (between the two points sharing this x-coordinate, one must be fixed by convention, e.g. the one with the smaller y-coordinate)

We notice that the points determined by the above function are affine by construction. The hash H that we propose to use in the following is SHA3-512 [8], which provides satisfying collision resistance even against post-quantum attacks, but one might conceivably replace it with another properly constructed one.
We also assume that all proposing miners use a prescribed deterministic signature algorithm, and we denote by σ_k(m) the signature of the string m obtained by the miner with signing key k. In the block specifications below, E and P are those defined in the last EB.

Standard Blocks
[SB] h = H(new header)

Epoch Blocks
An EB is a thick version of an SB, namely it is constructed in a similar fashion but includes three additional data: the prime p, the elliptic curve E over F_p and the base point P of E.
• Generating p. The prime number p is responsible for the expected run time of the PoW. Its size is determined by the difficulty parameter d, whose tuning depends on the block production rate that a designer wants to obtain. Therefore we do not discuss the choice of d, but refer to the BTC implementation [9] or to more structured models such as personalized difficulty adjustments [14]. Our goal is to produce a prime number of the prescribed size satisfying the following properties.

EXCEPTIONALITY PROPERTIES
1. p is not a Crandall prime [16], i.e. not of the form 2^k − c for a relatively small positive integer c.
2. p is neither a Generalized Mersenne prime [51] nor a More Generalized Mersenne prime [15], i.e. it cannot be written as f(m) for some integer m and polynomial f with very small coefficients and few monomials.
Given the difficulty parameter d and the hash of the previous header h, we propose the generation of such a prime number p as follows.

function p_Gen(d, h)
    repeat
        h = H(h)
        p = NextPrime(h mod 2^(2d))
    until p satisfies the exceptionality properties
    return p

• Generating E. We aim at generating pseudorandom elliptic curves for which no efficient attacks are currently known, i.e. satisfying the following properties.

SECURITY PROPERTIES
1. The number of points of E is prime and different from p.
2. The embedding degree of E is greater than 20.
3. Let D be the CM field discriminant, defined as usual in terms of the trace t of E. Then we require |D| > 2^40.
Let h be the previous block header; we suggest generating the curve as follows.

function E_Gen(p, h)
    i = 0
    repeat
        i = i + 1

The base point P we prescribe for an EB and its subsequent epoch is likewise derived deterministically, so that the whole epoch construction depends only on the previous block (see Section 4). The new epoch parameters are manufactured before the PoW production, which therefore depends on them.
Although the verification of SBs is extremely fast, EBs are slower to check, since verifiers need to test that all the curve parameters involved have been properly constructed, running several types of mathematical algorithms such as primality testing, finite field operations and point counting.
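The following Python code, added here and not taken from the paper, carries out the E_Gen search together with the security checks of Section 3.2 on a toy prime. Since the page does not reproduce the body of the E_Gen loop, the rule mapping H(h, i) to the coefficients (A, B) is an assumption of this example, as are the naive O(p) point count (real epoch sizes need Schoof/SEA) and the squarefree-part definition of the CM discriminant; the thresholds are parameters because at toy sizes |D| ≤ 4p, so the 2^40 bound cannot be met.

```python
"""E_Gen search and curve security checks on a toy prime (added example)."""
import hashlib


def is_prime(n):
    """Trial division; enough for the toy group orders used here."""
    if n < 2:
        return False
    q = 2
    while q * q <= n:
        if n % q == 0:
            return False
        q += 1
    return True


def count_points(p, a, b):
    """#E(F_p) for y^2 = x^3 + a x + b via the Legendre-symbol sum, O(p)."""
    n = 1                                     # the point at infinity
    for x in range(p):
        ls = pow((x ** 3 + a * x + b) % p, (p - 1) // 2, p)   # Legendre symbol
        if ls == 1:
            n += 2
        elif ls == 0:
            n += 1
    return n


def embedding_degree(p, n, bound):
    """Smallest k with p^k = 1 (mod n), searched up to bound; returns bound + 1
    when the degree is larger, which is all the MOV/Frey-Rueck check needs."""
    x = 1
    for k in range(1, bound + 1):
        x = x * p % n
        if x == 1:
            return k
    return bound + 1


def cm_discriminant(p, n):
    """Squarefree D with t^2 - 4p = D * f^2, t = p + 1 - n the trace (assumption:
    this is the quantity the text calls the CM field discriminant)."""
    t = p + 1 - n
    d = 4 * p - t * t                         # positive by Hasse's bound
    f, q = 1, 2
    while q * q <= d:
        while d % (q * q) == 0:
            d //= q * q
            f *= q
        q += 1
    return -d, f


def is_secure_curve(p, a, b, min_embedding=20, min_cm=1 << 40):
    """Security properties of Section 3.2; thresholds are parameters so the
    toy run below can scale the CM bound down."""
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:   # singular: not an elliptic curve
        return False
    n = count_points(p, a, b)
    if not is_prime(n) or n == p:             # Pohlig-Hellman / anomalous curves
        return False
    if embedding_degree(p, n, min_embedding) <= min_embedding:
        return False
    return abs(cm_discriminant(p, n)[0]) > min_cm


def e_gen(p, h, **thresholds):
    """E_Gen(p, h): derive (A, B) from H(h || i) for i = 1, 2, ... until the curve
    passes every check (the hash-to-coefficient rule is this example's)."""
    i = 0
    while True:
        i += 1
        digest = hashlib.sha3_512(h + i.to_bytes(4, "big")).digest()
        a = int.from_bytes(digest[:32], "big") % p
        b = int.from_bytes(digest[32:], "big") % p
        if is_secure_curve(p, a, b, **thresholds):
            return a, b, i


if __name__ == "__main__":
    # Constructed toy run: p = 10007, CM bound lowered because |D| <= 4p here.
    a, b, tries = e_gen(10007, b"previous block header", min_cm=1 << 8)
    print(f"y^2 = x^3 + {a}x + {b} over F_10007 after {tries} tries, "
          f"#E = {count_points(10007, a, b)}")
```

Because every node must reach the same (A, B) from the same h, the search order and the exact serialisation of i fed to the hash are consensus-critical; a verifier recomputes the search and rejects an EB whose curve is not the first one that passes.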

Method discussion
Here we discuss motivation and advantages of the presented choices.
First, this PoW model involves many different mathematical algorithms of wide interest, for which this blockchain may represent a concrete research propellant. Furthermore, it might also provide a public collection of cryptographically secure elliptic curves of moderate size.
Apart from its scientific usefulness, it conveys many desirable security properties. The challenges involved do not rely on a given curve of questionable provenance but on the generic difficulty of the ECDLP, which is a far more reasonable object of trust. Thus the scheme embraces the decentralization ideals that led to the creation of cryptocurrencies: even the mathematical objects involved are publicly manufactured, and no trust is required even in the authors or the proposing entities.
The existence of different types of block in blockchains has become common, as it is considered suitable for tackling the problem of scalability [35].
As for block forgery, we point out that both SBs and EBs comprise a PoW which depends on the entire block together with the previous one. This means that any counterfeit at any position of the chain results in an incorrect final block, which may be easily detected by the network.
Moreover, it is hard to conceive shortcuts for the PoW production: for a given difficulty parameter d we expect d bits of security for the general ECDLP by using p ≈ 2^(2d), unless attacks outperforming Pollard's rho are discovered. Moreover, the usual base-field speed-ups are avoided by making use of non-exceptional primes, ensuring a fair and general problem to be solved equally by every miner: neither curve-specific algorithms nor arithmetic hardware tailored to a special prime can be exploited, since the easy cases are carefully avoided. Also, the constructed curves fulfil the known security criteria [7]:
• working over prime fields avoids Weil-descent attacks;
• searching for curves of prime order prevents Pohlig-Hellman attacks;
• since |E| ≠ p the curves are not anomalous, so the Smart, Semaev and Satoh-Araki attacks do not apply;
• the embedding degree we suggest is greater than 20, as required by SEC1 [13], which prevents pairing attacks such as Menezes-Okamoto-Vanstone (based on the Weil pairing) and Frey-Rück (based on the Tate-Lichtenbaum pairing);
• attacks on curves with low CM discriminant are prevented by requiring it to exceed 2^40, as for the Brainpool standard curves [31].

Since E and P are determined by the epoch and h_prev is determined by the previous block, the proposing miner has no control over them. Moreover, σ is deterministic and k is fixed, so Q_1 = P_Gen(H(σ_k(h_prev)), E) cannot be influenced by the miner. Therefore the miner must solve Q_1 = N_1 · P.
Remark 4.2. Even if in the previous proof we do not consider the equation Q_2 = N_2 · P, we believe that it adds extra security. Indeed, it is unlikely that a miner can avoid solving Q_2 = N_2 · P unless he has computed a multiple Q = m · P of P for some known m and solved the hash preimage equation H(M) = x, where x is the x-coordinate of Q.
Besides security, the curves we propose are fully rigid as defined in [7]: their construction is entirely explained in terms of the previous block, which cannot be controlled by a malicious actor since there is no room for miner choices (such as nonces). Even assuming that the transactions of the previous block might be chosen ad hoc, an attacker who wants to impose a particular curve during the next epoch has to brute-force the hash H, at the cost of one ECDLP solution for each attempt, until a desired hash digest is obtained, all within the time needed for the entire network to solve a single ECDLP. We consider this scenario unachievable under realistic assumptions.
As regards the difference between EBs and SBs, we point out that the bulk of the miners' work consists of the ECDLP solution: we expect good parameters to be generated in EBs in a time which is linear in the difficulty parameter [23], whereas the asymptotic cost of the ECDLP solution is exponential in it. Since curve creation appears not to be computationally demanding compared to the actual PoW, lazy miners do not have any substantial advantage in skipping it.
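To tie together Section 2 (the generic O(√|E|) attack), the P_Gen function of Section 3 and the standard-block PoW Q_1 = N_1 · P discussed in the proof above, here is a self-contained Python run on a 13-point toy curve over F_11; it is an added example and not the paper's implementation. Assumptions of this example: the epoch base point P is fixed to (2, 4), σ_k is replaced by an HMAC stand-in for a deterministic signature, and P_Gen returns the point with the smaller y-coordinate. The miner solves the ECDLP with Baby-Step Giant-Step, the verifier recomputes Q_1 and performs a single scalar multiplication.

```python
"""Toy end-to-end standard-block PoW on y^2 = x^3 + x + 6 over F_11 (added example)."""
import hashlib
import hmac
from math import isqrt

# Constructed toy curve: p = 11, A = 1, B = 6 has 13 points (prime order), so
# every affine point generates the group. An epoch curve would use p of about
# 2d bits; 11 only makes the run instant and hand-checkable.
P_MOD, A, B = 11, 1, 6
ORDER = 13
BASE = (2, 4)   # assumption: the epoch base point P
INF = None      # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine group law on the short Weierstrass curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add k * pt: the only curve work a verifier has to do."""
    acc, addend = INF, pt
    while k > 0:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def sqrt_mod(a):
    """Square root in F_p for p = 3 (mod 4); None if a is a non-residue."""
    r = pow(a, (P_MOD + 1) // 4, P_MOD)
    return r if r * r % P_MOD == a % P_MOD else None


def H(data):
    """The paper's hash H (SHA3-512), read as a big-endian integer."""
    return int.from_bytes(hashlib.sha3_512(data).digest(), "big")


def p_gen(h):
    """P_Gen: smallest i >= 0 with h + i (mod p) the x-coordinate of an affine
    point; the point with the smaller y is returned (assumption)."""
    i = 0
    while True:
        x = (h + i) % P_MOD
        y = sqrt_mod((x ** 3 + A * x + B) % P_MOD)
        if y is not None:
            return (x, min(y, P_MOD - y))
        i += 1


def bsgs(base, target, n):
    """Baby-Step Giant-Step: N in [0, n) with N * base == target, using about
    2*sqrt(n) group operations and a table of sqrt(n) points."""
    m = isqrt(n) + 1
    baby, cur = {}, INF
    for j in range(m):                           # baby steps: j * base -> j
        baby.setdefault(cur, j)
        cur = ec_add(cur, base)
    giant = ec_mul(m, base)
    neg_giant = INF if giant is INF else (giant[0], -giant[1] % P_MOD)
    gamma = target
    for i in range(m):                           # giant steps: target - i*m*base
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = ec_add(gamma, neg_giant)
    raise ValueError("target is not a multiple of base")


def sigma(signing_key, message):
    """Stand-in for the deterministic signature sigma_k(m): an HMAC keyed with
    the miner's key (assumption; the paper prescribes a real signature scheme)."""
    return hmac.new(signing_key, message, hashlib.sha3_512).digest()


def produce_pow(h_prev, signing_key):
    """Miner: Q_1 = P_Gen(H(sigma_k(h_prev)), E), then solve Q_1 = N_1 * P."""
    sig = sigma(signing_key, h_prev)
    q1 = p_gen(H(sig))
    return sig, q1, bsgs(BASE, q1, ORDER)


def verify_pow(sig, q1, n1):
    """Verifier: recompute Q_1 from the signature, then one scalar multiplication.
    Checking sig against the miner's public key is left to the signature scheme."""
    return on_curve(q1) and p_gen(H(sig)) == q1 and ec_mul(n1, BASE) == q1


if __name__ == "__main__":
    sig, q1, n1 = produce_pow(b"previous block header", b"miner signing key")
    print(f"Q1 = {q1}, N1 = {n1}, valid = {verify_pow(sig, q1, n1)}")
```

The asymmetry the text relies on is visible in the two last functions: producing the PoW costs the solver roughly √|E| group operations and as much memory for the baby-step table, whereas verification costs one double-and-add of log2|E| steps and never needs the miner's signing key.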

Conclusion
We have proposed a new PoW-based blockchain model based on general ECDLP, highlighting the desirable properties that such a scheme provides in terms of scientific relevance, security and pure decentralization ideals.
The past proposals [27,30] have the high merit of introducing the ECDLP as a problem whose solution provides consensus, but we felt compelled to remove the suspicious choice of the curve serving as a common battlefield for miners.
It may be interesting to produce an actual implementation of the proposed scheme, obtaining practical time measurements and efficiency considerations. A subsequent engaging project might address the resistance of such a protocol to the known attacks under real-world assumptions, comparing the obtained results with outcomes of existing cryptocurrencies. Further studies may also be carried out on other types of curve models, such as Edwards or Montgomery curves. Even though this is likely to improve the overall performance of this scheme, it should be observed that it contrasts with our declared intention of making use of general objects.
Finally, different types of PoW might be conceived in a similar fashion, possibly employing problems which are thought to resist even to quantum attacks.

Acknowledgments
The results presented here have been carried out within the EU-ESF activities, call PON Ricerca e Innovazione 2014-2020, project Distributed Ledgers for Secure Open Communities. We thank the Quadrans Foundation for its support.