Reversible Proofs of Sequential Work

Abstract

Proofs of sequential work (PoSW) are proof systems where a prover, upon receiving a statement \(\chi \) and a time parameter T computes a proof \(\phi (\chi ,T)\) which is efficiently and publicly verifiable. The proof can be computed in T sequential steps, but not much less, even by a malicious party having large parallelism. A PoSW thus serves as a proof that T units of time have passed since \(\chi \) was received.

PoSW were introduced by Mahmoody, Moran and Vadhan [MMV11], a simple and practical construction was only recently proposed by Cohen and Pietrzak [CP18].

In this work we construct a new simple PoSW in the random permutation model which is almost as simple and efficient as [CP18] but conceptually very different. Whereas the structure underlying [CP18] is a hash tree, our construction is based on skip lists and has the interesting property that computing the PoSW is a reversible computation.

The fact that the construction is reversible can potentially be used for new applications like constructing proofs of replication. We also show how to “embed” the sloth function of Lenstra and Weselowski [LW17] into our PoSW to get a PoSW where one additionally can verify correctness of the output much more efficiently than recomputing it (though recent constructions of “verifiable delay functions” subsume most of the applications this construction was aiming at).

H. Abusalah—Partially supported by FFG COMET under SBA-K1 grant.

C. Kamath, K. Klein, K. Pietrzak and M. Walter—Supported by the European Research Council, ERC consolidator grant (682815 - TOCNeT).

A Proof of Lemma 1

Proof

(of Lemma 1). Let \(X = (X_1, \dots , X_q)\) be the random variable corresponding to the responses to the queries of \(\mathsf {A}^{\pi ,\pi ^{-1}}\) and \(Y = (Y_1, \dots , Y_q)\) the one corresponding to the responses to the queries of \(\mathsf {A}^{F_1,F_2}\). We will show that \(\varDelta _{SD}(X,Y) \le \frac{q(q-1)}{2^w}\). The lemma then follows from standard properties of \(\varDelta _{SD}\).

In the following, we will abbreviate the conditional distributions \((X_i |X_1=x_1, \dots , X_{i-1}=x_{i-1})\) as \((X_i |(x_1, \dots , x_{i-1}))\) and similarly for Y. From sub-additivity for joint distributions (a property of \(\varDelta _{SD}\)), we have

$$\begin{aligned} \varDelta _{SD}(X,Y) \le \sum _{i=1}^q \max _{x = (x_1,\dots ,x_{i-1})} \varDelta _{SD}(X_i |x, Y_i |x). \end{aligned}$$

For each particular i we have

From the definition of \(F_1, F_2\), it is clear that \(\mathsf {Pr}\left( Y_i = y |x\right) = 2^{-w}\) for all and . For the other case, notice that any query to \(\pi \) or \(\pi ^{-1}\) fixes a particular input/output pair. Accordingly, \(X_i\) is uniform among the remaining \(2^w - (i - 1)\), no matter if \(\pi \) or \(\pi ^{-1}\) was queried (recall that no input/output pair is repeated). It follows that

$$\begin{aligned} \varDelta _{SD}(X_i |x, Y_i |x)&= \frac{1}{2} \left[ \frac{i-1}{2^w} + (2^{w} - (i-1))\left( \frac{1}{2^w - (i-1)} - \frac{1}{2^w}\right) \right] \\&= \frac{i-1}{2^w} \end{aligned}$$

for any x (in particular, the maximum). Summing over all i yields the final bound.    \(\square \)