1 Introduction

1.1 Proofs of Sequential Work (PoSW)

Mahmoody, Moran and Vadhan [MMV13] introduce the notion of proofs of sequential work (PoSW), and give a construction in the random oracle model (ROM), their construction can be made non-interactive using the Fiat-Shamir methodology [FS87]. Informally, with such a non-interactive PoSW one can generate an efficiently verifiable proof showing that some computation was going on for N time steps since some statement \(\chi \) was received. Soundness requires than one cannot generate such a proof in time much less than N even considering powerful adversaries that have a large number of processors they can use in parallel.

[MMV13] introduce a new standard model assumption called “inherently sequential” hash functions, and show that the random oracle in their construction can be securely instantiated with such hash functions.

Random Oracle Model (ROM). PoSW are easiest to define and prove secure in the ROM, as here we can identify a (potentially parallel) query to the RO as one time step. Throughout this paper we’ll work in the ROM, but let us remark that everything can be lifted to the same standard model assumptions (collision resistant and sequential hash functions) used in [MMV13].

A proof of sequential work in the ROM is a protocol between a prover \(\mathcal{P}\) and a verifier \(\mathcal{V}\), both having access to a random oracle \(\mathsf{H}:\{0,1\}^*\rightarrow \{0,1\}^w\). Figure 1 illustrates PoSW as constructed in [MMV13] and also here. We’ll give a more formal definition in Sect. 1.2.

Fig. 1.
figure 1

Proofs of Sequential Work in the ROM as constructed in [MMV13] and this paper. N is the time parameter, i.e., \(\mathsf{PoSW}(\chi ,N)\) makes N queries to \(\mathsf{H}\) computing \(\phi \), and any cheating prover \(\tilde{\mathcal{P}}\) that makes \(\mathcal{V}\) accept must make almost N sequential queries to \(\mathsf{H}\) computing \(\phi \). t is a statistical security parameter, the larger t the better the soundness: any \(\tilde{\mathcal{P}}\) making only \((1-\alpha )N\) sequential queries for some \(\alpha >0\), will succeed with probability at most \((1-\alpha )^t\) (e.g. with \(t=21\), a cheating prover making only \(0.8\cdot N\) sequential queries succeed with probability \(<1\% \)). w is the output range of our hash function, which we need to be collision resistant and sequential, \(w=256\) is a typical value.

Full size image

Non-interactive PoSW. The first message is sent from \(\mathcal{V}\) to \(\mathcal{P}\), and is just a uniformly random w bit string \(\chi \). In applications this first message is a “statement” for which we want to prove that N time has passed since it was received. The distribution and domain of this statement is not important, as long as it has sufficiently high min-entropy, because we can always first hash it down to a uniform w bit string using the RO.

As the prover is public-coin, we can make the protocol non-interactive using the Fiat-Shamir heuristic [FS87]: A non-interactive PoSW for statement \(\chi \) and time parameter N is a tuple \((\chi ,N,\phi ,\tau )\) where the challenge \(\gamma =(\mathsf{H}(\phi ,1),\ldots ,\mathsf{H}(\phi ,t))\) is derived from the proof \(\phi \) by hashing with the RO.

1.2 PoSW Definition

The PoSW we consider are defined by a triple of oracle aided algorithms \(\mathsf{PoSW}\), \(\mathsf{open}\) and \(\mathsf{verify}\) as defined below.  

Common Inputs:

\(\mathcal{P}\) and \(\mathcal{V}\) get as common input two statistical security parameters \(w,t\in \mathbb {N}\) and a time parameter \(N\in \mathbb {N}\). All parties have access to a random oracle \(\mathsf{H}:\{0,1\}^*\rightarrow \{0,1\}^w\).

Statement:

\(\mathcal{V}\) samples a random \(\chi \leftarrow \{0,1\}^w\) and sends it to \(\mathcal{P}\).

Compute PoSW:

\(\mathcal{P}\) computes (ideally, making N queries to \(\mathsf{H}\) sequentially) a proof \((\phi ,\phi _\mathcal{P}):= \mathsf{PoSW}^\mathsf{H}(\chi ,N)\). \(\mathcal{P}\) sends \(\phi \) to \(\mathcal{V}\) and locally stores \(\phi _\mathcal{P}\).

Opening Challenge:

\(\mathcal{V}\) samples a random challenge \(\gamma \leftarrow \{0,1\}^{t\cdot w}\) and sends it to \(\mathcal{P}\).

Open:

\(\mathcal{P}\) computes \(\tau :=\mathsf{open}^\mathsf{H}(\chi ,N,\phi _\mathcal{P},\gamma )\) and sends it to \(\mathcal{V}\).

Verify:

\(\mathcal{V}\) computes and outputs \(\mathsf{verify}^\mathsf{H}(\chi ,N,\phi ,\gamma ,\tau )\in \{\mathsf{accept},\mathsf{reject}\}\).

  We require perfect correctness: if \(\mathcal{V}\) interacts with an honest \(\mathcal{P}\), then it will output \(\mathsf{accept}\) with probability 1. The soundness property requires that any potentially malicious prover \(\widetilde{\mathcal{P}}\) who makes \(\mathcal{V}\) accept with good probability must have queried \(\mathsf{H}\) “almost” N times sequentially. This holds even if in every round \(\widetilde{\mathcal{P}}\) can query \(\mathsf{H}\) on many inputs in parallel, whereas the honest \(\mathcal{P}\) just needs to make a small (in our construction 1, in [MMV13] 2) number of queries per round.

1.3 The [MMV13] and our Construction in a Nutshell

In the construction from [MMV13], the statement \(\chi \) is used to sample a fresh random oracle \(\mathsf{H}\). Then \(\mathcal{P}\) uses \(\mathsf{H}\) to compute “labels” of a directed acyclic graph (DAG) G, where the label of a node is the hash of the labels of its parents. Next, \(\mathcal{P}\) computes a Merkle tree commitment of those labels, sends it to \(\mathcal{V}\), who then challenges \(\mathcal{P}\) to open some of the labels together with its parents.

If \(G=(V,E)\) is “depth-robust”, which means it has a long path even after removing many vertices, a cheating prover can either (1) try to cheat and make up many of the labels, or (2) compute most of the labels correctly. The security proof now shows that in case (1) the prover will almost certainly not be able to correctly open the Merkle tree commitments, and in case (2) he must make a large number of sequential queries: if he cheats on labels of nodes \(S\subseteq V\), then the number of sequential queries must be at least as large as the length of the longest path in the subgraph on \(V-S\). As G is depth-robust and S is not too large, this path is long.

Our construction is conceptually similar, but our underlying graph is much simpler. We use the nodes in the tree underlying the Merkle commitment not just for the commitment, but also to enforce sequential computation. For this it suffices to add some edges as illustrated in Fig. 3.

Our graph has some convenient properties, for example the parents of a leaf node v are always a subset of the nodes whose labels one needs to provide for the opening of the Merkle tree commitment of the label of v, so checking that the labels are correctly computed and verifying the opening of a leaf label can be done simultaneously without increasing communication complexity and with only a little bit of extra computation.

But most importantly, the labels in our graph can be computed in topological orderFootnote 1 while keeping only logarithmically many labels in memory at any point, whereas computing the labelling of a depth-robust graph is much more expensive. In fact, because of this property depth-robust graphs are used to build so called memory-hard functions. Concretely, [ABP17] show that if the labelling of a depth-robust graph on N nodes is done in time T using space S, then \(T\cdot S\in \varOmega (N^2)\). In particular, if one wants to compute the labels in time N, or even just some O(N), then linear \(\varOmega (N)\) space is required.

There is a caveat. If using only logarithmic memory in our construction, the prover needs to recompute all the labels in the opening phase, whereas one wouldn’t need any computation (just some lookups) in the opening phase if everything was stored. This is unfortunate, as it means we get a factor 2 difference in the sequential computation that is claimed, versus what has to actually be done, but some applications need this factor to be close to 1. Fortunately there is a simple trade-off, where using slightly more memory one can make the opening phase much more efficient. The basic idea, which we describe in detail in Sect. 5.4, is to store all the \(2^m\) nodes at some level m of the tree. With this, one can compute any other node making just \(2^{n-m}\) queries.

1.4 More Related Work

Time Release Cryptography. The idea of “time-release” cryptography goes back to [CLSY93, May93].

Most related to PoSW are time-lock puzzles, which were introduced by Rivest, Shamir and Wagner [RSW00]. They give a construction of such puzzles based on the assumption that exponentiation modulo an RSA integer is an “inherently sequential” computation. A recent treatment with new constructions is [BGJ+16].

Time-lock puzzles allow a puzzle generator to generate a puzzle with a message of its choice encoded into it, such that this message can only be redeemed by a solver after t steps of sequential work. Such a scheme can be used as a PoSW as the decoded message constitutes a proof of sequential work, but as the puzzle generator has a trapdoor, this proof will not be convincing to anyone else and as it’s not public-coin, it can’t be made non-interactive by the Fiat-Shamir methodology. Although incomparable, time-lock puzzles seem to be more sophisticated objects than PoSW. Unlike for PoSW, we have no constructions based on random oracles, and [MMV11] give black-box separations showing this might be inherent (we refer to their paper for the exact statements). Existing PoSW (including ours) have another drawback, namely, that the proofs are not unique. We’ll discuss this in more detail at the end of Sect. 6.

Proofs of Work. Proofs of work (PoW) – introduced by Dwork and Naor [DN93] – are defined similarly to proof of sequential work, but as the name suggests, here one does not require that the work has been done sequentially. Proofs of work are very easy to construct in the random oracle model. The simplest construction of a PoW goes as follows: given a statement \(\chi \) and a work parameter t, find a nonce x s.t. \(\mathsf{H}(\chi ,x)\) starts with t zeros. If \(\mathsf{H}\) is modelled as a random oracle, finding such an x requires an expected \(2^t\) number of queries, while verifying that x is a valid solution just requires a single query. Proofs of work are used to secure several decentralised cryptocurrencies and other blockchain applications, most notably Bitcoin.

1.5 Basic Notation

We denote with \(\{0,1\}^{\le n}{\mathop {=}\limits ^\mathsf{def}}\bigcup _{i=0}^n \{0,1\}^i\) the set of all binary strings of length at most n, including the empty string \(\epsilon \). Concatenation of bitstrings is denoted with \(\Vert \). For \(x\in \{0,1\}^*\), x[i] denotes its ith bit, \(x[i\ldots j]=x[i]\Vert \ldots \Vert x[j]\) and |x| denotes the bitlength of x.

2 Building Blocks

In Sect. 2.1 below, we define the basic properties of graphs used in this work. Then in Sect. 2.2 we summarize the properties of the random oracle model [BR93] used in our security proof.

2.1 Graphs Basics

To define the [MMV13] and our construction we’ll need the following

Definition 1

(Graph Labelling). Given a directed acyclic graph (DAG) \(G=(V,E)\) on vertex set \(V=\{0,\ldots ,N-1\}\) and a hash function \(\mathsf{H}:\{0,1\}^*\rightarrow \{0,1\}^w\), the label \(\ell _i\in \{0,1\}^w\) of \(i\in V\) is recursively computed as (where u is a parent of v if there’s a directed edge from u to v)

$$\begin{aligned} \ell _i=\mathsf{H}(i,\ell _{p_1},\ldots ,\ell _{p_d})~where ~(p_1,\ldots ,p_d)=\mathsf{parents}(i). \end{aligned}$$
(1)

Note that for any DAG the labels can be computed making N sequential queries to \(\mathsf{H}\) by computing them in an arbitrary topological order. If the maximum indegree of G is \(\delta \), then the inputs will have length at most \(\lceil \log (N)\rceil +\delta \cdot w\).

The PoSW by Mahmoody et al. [MMV13] is based on depth-robust graphs, a notion introduced by Erdős et al. in [EGS75].

Definition 2

(Depth-Robust DAG). A DAG \(G=(V,E)\) is (ed) depth-robust if for any subset \(S\subset V\) of at most \(|S|\le e\) vertices, the subgraph on \(V-S\) has a path of length at least d.

For example, the complete DAG \(G=(V,E),\ |V|=N,\ E=\{(i,j):0\le i<j\le N-1\}\) is \((e,N-e)\) depth-robust for any e, but for PoSW we need a DAG with small indegree. Already [EGS75] showed that \((\varTheta (N),\varTheta (N))\) depth-robust DAGs with indegree \(O(\log (N))\) exist. Mahmoody et al. give an explicit construction with concrete constants, albeit with larger indegree \(O(\log ^2(N)\mathrm{polyloglog}(N))\in O(\log ^3(N))\).

2.2 Random Oracles Basics

Salting the RO. In [MMV13] and also our construction, all three algorithms \(\mathsf{PoSW}\), \(\mathsf{open}\) and \(\mathsf{verify}\) described in Sect. 1.2 use the input \(\chi \) only to sample a random oracle \({\mathsf{H}_\chi }\), for example by using \(\chi \) as prefix to every input

$$ {\mathsf{H}_\chi }(\cdot ){\mathop {=}\limits ^\mathsf{def}}\mathsf{H}(\chi ,\cdot ). $$

We will sometimes write e.g., \(\mathsf{PoSW}^{\mathsf{H}_\chi }(N)\) instead \(\mathsf{PoSW}^\mathsf{H}(\chi ,N)\). Using the uniform \(\chi \) like this implies that in the proof we can assume that to a cheating prover, the random oracle \({\mathsf{H}_\chi }\) just looks like a “fresh” random oracle on which it has no auxiliary information [DGK17].

Random Oracles are Collision Resistant

Lemma 1

(RO is Collision Resistant). Consider any adversary \(\mathcal{A}^\mathsf{H}\) which is given access to a random function \(\mathsf{H}:\{0,1\}^*\rightarrow \{0,1\}^w\). If \(\mathcal{A}\) makes at most q queries, the probability it will make two colliding queries \(x\ne x',\mathsf{H}(x)=\mathsf{H}(x')\) is at most \(q^2/2^{w+1}\).

Proof

The probability that the output of the i’th query collides with any of the \(i-1\) previous outputs is at most \(\frac{i-1}{2^{w}}\). By the union bound, we get that the probability that any i hits a previous output is at most \(\sum _{i=1}^{q}\frac{i-1}{2^{w}}<\frac{q^2}{2^{w+1}}\).    \(\square \)

Random Oracles are Sequential. Below we show that ROs are “sequential”, this is already shown in [MMV13], except that we use concrete parameters instead of asymptotic notations.

Definition 3

(\(\mathsf{H}\)-sequence). An \(\mathsf{H}\) sequence of length s is a sequence \(x_0,\ldots ,x_s\in \{0,1\}^*\) where for each \(i,1\le i< s\), \(\mathsf{H}(x_i)\) is contained in \(x_{i+1}\) as continuous substring, i.e., \(x_{i+1}=a\Vert \mathsf{H}(x_i)\Vert b\) for some \(a,b\in \{0,1\}^*\).

Lemma 2

(RO is Sequential). Consider any adversary \(\mathcal{A}^\mathsf{H}\) which is given access to a random function \(\mathsf{H}:\{0,1\}^*\rightarrow \{0,1\}^w\) that it can query for at most \(s-1\) rounds, where in each round it can make arbitrary many parallel queries. If \(\mathcal{A}\) makes at most q queries of total length Q bits, then the probability that it outputs an \(\mathsf{H}\)-sequence \(x_0,\ldots ,x_s\) (as defined above) is at most

$$q\cdot \frac{Q+\sum _{i=0}^s|x_i|}{2^w}$$

Proof

There are two ways \(\mathcal{A}\) can output an \(\mathsf{H}\) sequence \(x_0,\ldots ,x_s\) making only \(s-1\) sequential queries.

  1. 1.

    Lucky guess: It holds that for some i, \(\mathsf{H}(x_i)\) is a substring of \(x_{i+1}\) and the adversary did not make the query \(\mathsf{H}(x_i)\). As \(\mathsf{H}\) is uniform, the probability of this event can be upper bounded by

    $$ q\cdot \frac{\sum _{i=0}^s|x_i|}{2^w}. $$
  2. 2.

    Collision: The \(x_i\)’s were not computed sequentially. That is, it holds that for some \(1\le i \le j\le s-1\), a query \(a_i\) is made in round i and query \(a_j\) in round j where \(\mathsf{H}(a_j)\) is a substring of \(a_i\). Again using that \(\mathsf{H}\) is uniformly random, the probability of this event can be upper bounded by

    $$ q\cdot \frac{Q}{2^w}. $$

The claimed bound follows by a union bound over the two cases analysed above.    \(\square \)

Thus, whenever an adversary outputs an \(\mathsf{H}\)-sequence of length s where \(q\cdot (Q+\sum _{i=0}^{s}|x_i|)\) is much smaller than \(2^{w}\) – which in practice will certainly be the case if we use a standard block length like \(w=256\) – we can assume that it made at least s sequential queries to \(\mathsf{H}\).

Merkle-Damgård. The inputs to our hash function \(\mathsf{H}\) are of length up to \((\lceil \log N\rceil +1)w\) bits (assuming \(N\le 2^w\), so the index of a node can be encoded into \(\{0,1\}^w\)). We can build a function for arbitrary input lengths from a compression function \(\mathsf{h}:\{0,1\}^{2w}\rightarrow \{0,1\}^w\) using the classical Merkle-Damgård construction [Dam90, Mer90]. Concretely, let \(y_0\) be the statement \(\chi \) (used for salting as outlined above) and then recursively define

$$ \mathsf{H}(x_1,\ldots ,x_z)=y_z\text { where }y_i=\mathsf{h}(x_{i},y_{i-1})\text { for }i\ge 1. $$

One must be careful with this approach in our construction. As it’s possible to compute \(y_i\) using only the prefix \(x_1,\ldots ,x_i\), an adversary might get an advantage by computing such intermediate \(y_i\)’s before the entire input is known, and thus exploit parallelism to speed up the computation. This can be avoided by requiring that \(x_1\) is always the label of the node that was computed right before the current node.

3 The [MMV13] Construction

In this section we informally describe the PoSW from [MMV13] using the high-level protocol layout from Sect. 1.2.

For any \(N=2^n\), the scheme is specified by a depth-robust DAG \(G^\mathsf{DR}_{n}=(V,E)\) on \(|V|=N\) vertices. Let \(B_n=(V',E')\) denote the full binary tree with \(N=2^n\) leaves (and thus \(2N-1\) nodes) where the edges are directed towards the root. Let \(G^\mathsf{MMV}_{n}\) be the DAG we get from \(B_n\), by identifying the N leaves of this tree with the N nodes of \(G^\mathsf{DR}_{n}\) as illustrated in Fig. 2.

Fig. 2.
figure 2

Illustration of \(B_2\) (left), a (toy example of a) depth-robust graph \(G^\mathsf{DR}_{2}\) (middle) and the corresponding \(G^\mathsf{MMV}_2\) graph.

Full size image

Now \((\phi ,\phi _\mathcal{P}):=\mathsf{PoSW}^{{\mathsf{H}_\chi }}(N)\) computes and stores the labels \(\phi _\mathcal{P}=\{\ell _v\}_{v\in \{0,1\}^{\le n}}\) (cf. Definition 1) of \(G^\mathsf{MMV}_n\) using \({\mathsf{H}_\chi }\) as hash function, and sends the label \(\phi =\ell _\epsilon \) of the root to \(\mathcal{V}\). We remark that in [MMV13] this is described as a two step process, where one first computes a labeling of \(G^\mathsf{DR}_{n}\) (using a sequential hash function), and then a Merkle-tree commitment of the N labels (using a collision resistant hash function).

After receiving the challenge \(\gamma =(\gamma _1,\ldots ,\gamma _t)\) from \(\mathcal{V}\), the prover \(\mathcal{P}\) computes the answer \(\tau :=\mathsf{open}^{\mathsf{H}_\chi }(N,\phi _\mathcal{P},\gamma )\) as follows: For any \(i,1\le i\le t\), \(\tau \) contains the opening of the Merkle commitments of the label \(\ell _{\gamma _i}\), and the labels of the parents of i, and moreover the labels labels required for the opening of the Merkle commitment of this label.Footnote 2

Upon receiving the answer \(\tau \), \(\mathcal{V}\) invokes \(\mathsf{verify}^{\mathsf{H}_\chi }(N,\phi ,\gamma ,\tau )\) to check if the labels \(\ell _{\gamma _i}\) were correctly computed as in Eq. (1), and if the Merkle openings of the labels \(\ell _{\gamma _i}\) are all correct.

To argue soundness, one uses the fact that \(G^\mathsf{DR}_{n}\) is (ed) depth-robust with \(e,d=\varTheta (N)\). As \({\mathsf{H}_\chi }\) is collision resistant, a cheating prover \(\tilde{\mathcal{P}}\) must commit to unique labels \(\{\ell '_v\}_{v\in \{0,1\}^{n}}\) of the leaves (that it can later open to). We say that a vertex i is inconsistent if it is not correctly computed from the other labels, i.e.,

$$ \ell '_i\ne \mathsf{H}(i,\ell '_{p_1},\ldots ,\ell '_{p_d})\text { where }(p_1,\ldots ,p_d)=\mathsf{parents}(i) $$

Let \(\beta \) be the number of inconsistent vertices. We make a case distinction:

  • If \(\beta \ge e\), then one uses the fact that the probability that a cheating prover \(\tilde{\mathcal{P}}\) will be asked to open an inconsistent vertex is exponentially (in t) close to 1, namely \(1-\left( \frac{N-\beta }{N}\right) ^t\), and thus \(\tilde{P}\) will fail to make \(\mathcal{V}\) accept except with exponentially small probability.

  • if \(\beta < e\), then there’s a path of length \(d=\varTheta (N)\) of consistent verticies, which means the labels \(\ell '_{i_0},\ldots ,\ell '_{i_{d-1}}\) on this path constitute an \({\mathsf{H}_\chi }\) sequence (cf. Definition 3) of length \(d-1\), and as \({\mathsf{H}_\chi }\) is sequential, \(\tilde{\mathcal{P}}\) must almost certainly have made \(d-1=\varTheta (N)\) sequential queries to \({\mathsf{H}_\chi }\).

4 Definition and Properties of the DAG \(G^\mathsf{PoSW}_{n}\)

In this section we describe the simple DAG underlying our construction, and prove state some simple combinatorial properties about it which we’ll later need in the security proof and to argue efficiency.

Fig. 3.
figure 3

Illustration of \(G^\mathsf{PoSW}_{4}\). The set \(S^*=\{01,101,1100\}\) – which e.g. could be derived from \(S=\{010,0110,0111,101,1010,1100\}\) – is shown in red. \(D_{S^*}\) is the union of red and orange nodes. \(\hat{S}=\hat{S}^*\) are the orange or red leaves. The path of length \(2N-1-|B_S|=32-1-11=19\) (as constructed in the proof of Lemma 4) is shown in blue. (Color figure online)

Full size image

For \(n\in \mathbb {N}\) let \(N=2^{n+1}-1\) and \(B_n=(V,E')\) be a complete binary tree of depth n. We identify the N nodes \(V=\{0,1\}^{\le n}\) with the binary strings of length at most n, the empty string \(\varepsilon \) being the root. We say vertex v is above u if \(u=v\Vert a\) for some a (then u is below v). The directed edges go from the leaves towards the root

$$ E'=\{(x\Vert b,x)\ :\ b\in \{0,1\}, x \in \{0,1\}^i,i<n \}. $$

We define the DAG \(G^\mathsf{PoSW}_{n}=(V,E)\) by starting with \(B_n\), and then adding some edges. Concretely \(E=E'\cup E''\) where \(E''\) contains, for all leaves \(u\in \{0,1\}^n\), an edge (vu) for any v that is a left sibling of a node on the path from u to the root \(\varepsilon \). E.g., for \(v=1101\) we add the edges (1100, 1101), (10, 1101), (0, 1101), formally

$$ E''=\{ (v,u)\ :\ u\in \{0,1\}^n, u=a\Vert 1\Vert a', v=a\Vert 0\}. $$

Lemma 3

The labels of \(G^\mathsf{PoSW}_{n}\) can be computed in topological order using only \(w\cdot (n+1)\) bits of memory.

Proof

The proof of the lemma follows by induction: to compute the labels of \(G^\mathsf{PoSW}_{n}\), start by computing the labels of the left subtree L, which is isomorphic to \(G^\mathsf{PoSW}_{n-1}\). Once the last label \(\ell _0\) of L is computed, keep only this one label. Now compute the labels of the right subtree R, which is also isomorphic to \(G^\mathsf{PoSW}_{n-1}\), except that it has some incoming edges from the left subtree. As all these edges start at \(\ell _0\), one can compute the labeling of this graph with just w extra bits of space. Once the last label \(\ell _1\) of R is computed, delete all labels except \(\ell _0,\ell _1\), and compute the label of the root \(\ell _\varepsilon =\mathsf{H}(\varepsilon ,\ell _0,\ell _1)\). The memory required to compute the labels of \(G^\mathsf{PoSW}_{n}\) is thus the memory required for \(G^\mathsf{PoSW}_{n-1}\) plus w bits (to store \(\ell _0\) while computing the right subtree). \(G^\mathsf{PoSW}_{1}\) just has 3 nodes and so can trivially be computed with \(3\cdot w\) bits. Solving this simple recursion gives the claimed bound.    \(\square \)

Definition 4

(\(\hat{S},S^*,D_S\)). For a subset \(S\subseteq V\) of nodes, we denote with \(\hat{S}\) the set of leaves below S

$$ \hat{S}=\{v\Vert u \in \{0,1\}^n \ :\ v\in S,u\in \{0,1\}^{n-|v|}\} $$

We denote with \(S^*\) the minimal set of nodes with exactly the same set of leaves as S, i.e., \(S^*\subseteq V\) is the smallest set satisfying \(\hat{S}^*=\hat{S}\).

We denote with \(D_S\) all the nodes which are in S or below some node in S

$$ D_{S}=\{v\Vert v'\ :\ v\in S, v'\in \{0,1\}^{\le n-|v|}\} $$

Lemma 4

The subgraph of \(G^\mathsf{PoSW}_{n}=(V,E)\) on vertex set \(V-D_{S^*}\) (for any \(S\subseteq V\)) has a directed path going through all the \(|V|-|D_{S^*}|=N-|D_{S^*}|\) nodes.

Proof

The proof is by induction on n, an example path is illustrated in Fig. 3. The lemma is trivially true for \(G^\mathsf{PoSW}_{0}\), which just contains a single node. Assume it’s true for \(G^\mathsf{PoSW}_{i}\), now \(G^\mathsf{PoSW}_{i+1}\) consists of a root \(\varepsilon \), with a left and right subgraph L and R isomorphic to \(G^\mathsf{PoSW}_{i}\), with extra edges going from the root of L – which is 0 – to all the leaves in R. If \(\varepsilon \in {S^*}\) the lemma is trivially true as \(|V|-|D_{S^*}|=0\). If \(0\in {S^*}\), then all of L is in \(D_{S^*}\), in this case just apply the Lemma to \(R\equiv G^\mathsf{PoSW}_{i}\), and add an extra last edge \(1\rightarrow \varepsilon \). If \(0\not \in {S^*}\), apply the Lemma first to \(L\equiv G^\mathsf{PoSW}_{i}\) to get a path that ends in its root 0, then – if \(1\not \in S^*\) – apply the lemma to \(R\equiv G^\mathsf{PoSW}_{i}\), to get a path that starts at a leaf v. Now add the edges \(0\rightarrow v\) and \(1\rightarrow \varepsilon \). If \(1\in S^*\) we just add the edge \(0\rightarrow \varepsilon \).    \(\square \)

Lemma 5

(trivial). For any \(S^*,S\subset V\), \(D_{S^*}\) contains

$$ |\{0,1\}^{n}\cap D_{S^*}|= \frac{|D_{S^*}|+|S^*|}{2} $$

many leaves.

Proof

Let \(S^*=\{v_1,\ldots ,v_k\}\), using that \(D_{v_i}\cap D_{v_j}=\emptyset \) for all \(i\ne j\) (as otherwise \(S^*\) would not be minimal), we can write

$$ |\{0,1\}^{n}\cap D_{S^*}|=\sum _{i=1}^k |\{0,1\}^n\cap D_{v_i}|. $$

As each \(D_{v_i}\) is a full binary tree it has \((|D_{v_i}|+1)/2\) many leaves, so

$$ \sum _{i=1}^k |\{0,1\}^n\cap D_{v_i}|=\sum _{i=1}^k \frac{|D_{v_i}|+1}{2}=\frac{|D_{S^*}|+|S^*|}{2}. $$

   \(\square \)

5 Our Construction

In this section we specify our PoSW based on the graphs \(G^\mathsf{PoSW}_{n}\).

5.1 Parameters

We have the following parameters:  

N :

The time parameter which we assume is of the form \(N=2^{n+1}-1\) for an integer \(n\in \mathbb {N}\).

\(\mathsf{H}:\{0,1\}^{\le w(n+1)}\rightarrow \{0,1\}^w\) :

the hash function, which for the security proof is modelled as a random oracle, and which takes as inputs strings of length up to \(w(n+1)\) bits.

t :

A statistical security parameter.

M :

Memory available to \(\mathcal{P}\), we assume it’s of the form

$$M=(t+n\cdot t+1+2^{m+1})w $$

for some integer \(m,0\le m\le n\).

 

5.2 The \(\mathsf{PoSW},\mathsf{open}\) and \(\mathsf{verify}\) Algorithms

Our PoSW follows the outline given in Sect. 1.2 using three algorithms \(\mathsf{PoSW}\), \(\mathsf{open}\) and \(\mathsf{verify}\). Note that \(n\approx \log N\) and \(m\approx \log M\) are basically the logarithms of the time parameter N and the memory M (measured in w bit blocks) we allow \(\mathcal{P}\) to use.  

\((\phi ,\phi _\mathcal{P}):=\mathsf{PoSW}^{\mathsf{H}_\chi }(N):\) :

computes the labels \(\{\ell _i\}_{i\in \{0,1\}^{\le n}}\) (cf. Definition 1) of the graph \(G^\mathsf{PoSW}_{n}\) (as defined in Sect. 4) using \({\mathsf{H}_\chi }\). It stores the labels \(\phi _\mathcal{P}=\{\ell _i\}_{i\in \{0,1\}^{\le m}}\) of the m highest layers, and sends the root label \(\phi =\ell _\varepsilon \) to \(\mathcal{V}\).

\(\tau :=\mathsf{open}^{\mathsf{H}_\chi }(N,\phi _\mathcal{P},\gamma ):\) :

on challenge \(\gamma =(\gamma _1\,\ldots ,\gamma _t)\), \(\tau \) contains – for every \(i,1\le i\le t\) – the label \(\ell _{\gamma _i}\) of node \(\gamma _i\in \{0,1\}^n\) and the labels of all siblings of the nodes on the path from \(\gamma _i\) to the root (as in an opening of a Merkle tree commitment), i.e.,

$$ \{\ell _k\}_{k\in \mathcal{S}_{\gamma _i}}\text { where }{\mathcal{S}_{\gamma _i}}{\mathop {=}\limits ^\mathsf{def}}\{\gamma _i[1\ldots j-1]\Vert (1-\gamma _i[j])\}_{j=1\ldots n} $$

and

$$ \tau {\mathop {=}\limits ^\mathsf{def}}\{\ell _{\gamma _i}, \{\ell _k\}_{k\in \mathcal{S}_{\gamma _i} } \}_{i=1\ldots t}. $$

E.g., for \(\gamma _i=0101\) (cf. Fig. 3) \(\tau \) contains the labels of 0101, 0100, 011, 00 and 1.

If \(m=n\), \(\mathcal{P}\) stores all labels in \(\phi _\mathcal{P}\) and thus this needs no queries to \({\mathsf{H}_\chi }\). We’ll discuss the case \(0<m<n\) in Sect. 5.4.

\(\mathsf{verify}^{\mathsf{H}_\chi }(N,\phi ,\gamma ,\tau ):\) :

Using that the graphs \(G^\mathsf{PoSW}_{n}\) have the property that all the parents of a leaf \(\gamma _i\) are in \(\mathcal{S}_{\gamma _i}\), for every \(i,1\le i\le t\), one first checks that \(\ell _{\gamma _i}\) was correctly computed from its parent labels (i.e., as in Eq. 1)

$$ \ell _{\gamma _i}{\mathop {=}\limits ^{?}}\,\mathsf{H}_\chi (i,\ell _{p_1},\ldots ,\ell _{p_d})\text { where }(p_1,\ldots ,p_d)=\mathsf{parents}(\gamma _i). $$

Then we verify the “Merkle tree like” commitment of \(\ell _{\gamma _i}\), by using the labels in \(\tau \) to recursively compute, for \(i=n-1,n-2,\ldots 0\)

$$ \ell _{\gamma _i[0\ldots i]}:={\mathsf{H}_\chi }(\gamma _i[0\ldots i],\ell _{\gamma _i[0\ldots i]\Vert 0},\ell _{\gamma _i[0\ldots i]\Vert 1}) $$

and then verifying that the computed root \(\ell _{\gamma _i[0\ldots 0]}=\ell _\varepsilon \) is equal to \(\phi \) received before.

 

5.3 Security

Theorem 1

Consider the PoSW from Sect. 5.2, with parameters twN and a “soundness gap” \(\alpha >0\). If \(\tilde{\mathcal{P}}\) makes at most \((1-\alpha )N\) sequential queries to \(\mathsf{H}\) after receiving \(\chi \), and at most q queries in total, then \(\mathcal{V}\) will output \(\mathsf{reject}\) with probability

$$ 1-(1-\alpha )^t-\frac{2\cdot n\cdot w \cdot q^2}{2^w} $$

So, for example setting the statistical security parameter to \(t=21\), means a \(\tilde{\mathcal{P}}\) who makes only 0.8N sequential queries will be able to make \(\mathcal{V}\) accept with \({\le }1\%\) probability. This is sufficient for some applications, but if we want to use Fiat-Shamir to make the proof non-interactive, the error should be much smaller, say \(2^{-50}\) which we get with \(t=150\).

Proof

The exponentially small \(2\cdot n\cdot w \cdot q^2/2^w\) loss accounts for the assumption we’ll make, that \(\tilde{\mathcal{P}}\), after receiving \(\chi \) (1) won’t find a collision in \({\mathsf{H}_\chi }\), and (2) whenever it outputs an \({\mathsf{H}_\chi }\)-sequence of length s it must have made s sequential queries to \(\mathsf{H}\). The concrete bound follows from Lemmas 1 and 2 (recall that \(\mathsf{H}\) only takes inputs of length \(\le (n+1)w\)).

After sending \(\phi \), \(\tilde{\mathcal{P}}\) is committed to the labels \(\{\ell '_i\}_{i\in \{0,1\}^{\le n}}\) it can open. We say a node i is inconsistent if its label \(\ell '_i\) was not correctly computed, i.e.,

$$ \ell '_i\ne \mathsf{H}(i,\ell '_{p_1},\ldots ,\ell '_{p_d})\text { where }(p_1,\ldots ,p_d)=\mathsf{parents}(i). $$

Let us mention that i can be consistent even though \(\ell '_i\ne \ell _i\) (\(\ell _i\) denoting the label the honest \(\mathcal{P}\) would compute), so being consistent is not the same as being correct. We can also determine these \(\ell '_i\) from just looking at \(\tilde{\mathcal{P}}\)’s oracle queries, but for the proof we just need that they are unique.

Let \(S\subseteq V= \{0,1\}^{\le n}\) denote all inconsistent nodes. Then by Lemma 4 there’s a path going through all the nodes in \(V-D_{S^*}\). As all these nodes are consistent, the labels \(\ell '_i\) on this path constitute an \({\mathsf{H}_\chi }\)-sequence of length \(N-|D_{S^*}|\). If \(|D_{S^*}|\le \alpha N\), \(\tilde{\mathcal{P}}\) must have made at least \((1-\alpha )N\) sequential queries (recall we assume \(\tilde{\mathcal{P}}\) did not break sequentiality of \({\mathsf{H}_\chi }\)), so we now assume

$$ |D_{S^*}|> \alpha N=\alpha (2^{n+1}-1). $$

By Lemma 5 and the above equation

$$\begin{aligned} |\{0,1\}^{n}\cap D_{S^*}|=\frac{|D_{S^*}|+|S^*|}{2} > \alpha 2^n. \end{aligned}$$
(2)

\(\tilde{\mathcal{P}}\) will fail to produce a valid proof given t random challenges \(\gamma =(\gamma _1,\ldots ,\gamma _t)\) if there’s at least one \(\gamma _i\) such that a node on the path from \(\gamma _i\) to the root is in S, i.e., \(\gamma \cap \hat{S}\ne \emptyset \), or equivalently

$$ \gamma \cap D_{S^*}=\gamma \cap \hat{S}^*=\gamma \cap \hat{S} \ne \emptyset {.} $$

By Eq. (2), and using that every \(\gamma _i\) is uniform

$$ \Pr [\gamma _i \not \in D_{S^*}]=1-|\{0,1\}^n\cap D_{S^*}|/2^n<1-\alpha $$

and as the \(\gamma _i\) are also independent

$$ \Pr [\gamma \cap D_{S^*}= \emptyset ] =\prod _{i=1}^t \Pr [\gamma _i \not \in D_{S^*}] < (1-\alpha )^t $$

so \(\tilde{\mathcal{P}}\) will fail to generate a valid proof with probability \(>1-(1-\alpha )^t\) as claimed.    \(\square \)

5.4 Efficiency

We’ll now discuss the efficiency of the scheme from Sect. 5.2 in terms of proof size, computation and memory requirements.

Proof Size. The exchanged messages \(\chi ,\phi ,\gamma ,\tau \) are of length (we need w bits to specify a label and n bits to specify a node)

$$ |\chi |=w\qquad |\phi |=w\qquad |\gamma |=t\cdot n\qquad |\tau |\le t\cdot w\cdot n $$

When we make the proof non-interactive using Fiat-Shamir (where \(\gamma \) is derived from \(\phi \)) the length of a proof for a given statement \(\chi \) becomes

$$ |\phi |+|\tau |\le w(t\cdot n+1) $$

With \(w=256\) bit blocks, \(t=150\), which is sufficient to get \(2^{-50}\) security for soundness gap \(\alpha =0.2\) (i.e., a cheating prover must make 0.8N sequential queries) and \(n=40\) (i.e., over a trillion steps) the size of the proof is less than 200 KB.

Prover Efficiency. \(\mathcal{P}\)’s efficiency is dominated by queries to \({\mathsf{H}_\chi }\) for computing \(\mathsf{PoSW}\) and \(\mathsf{open}\), so below we just count these.

\(\mathsf{PoSW}^{\mathsf{H}_\chi }(N)\) can be computed making N (sequential) queries to \({\mathsf{H}_\chi }\), each input being of length at most \((n+1)\cdot w\) bits, and on average about 1 / 4 of that (for comparison, the construction from [MMV13] has inputs of length \(n^2\cdot \mathrm{polylog}(n) \cdot w\)).

\(\mathsf{open}^{\mathsf{H}_\chi }(N,\phi ,\gamma )\): Here the efficiency depends on m, which specifies the size of the memory \(M=(n+1+n\cdot t+2^{m+1})w\) we allow \(\mathcal{P}\) to use. Here \(w\cdot n\cdot t\) bits are used to store the values in \(\tau \) to send back, \((n+1)\cdot w\) bits are used to compute the label (cf. Lemma 3), and \(2^{m+1}w\) labels are used to store \(\phi _\mathcal{P}\), which contains the labels of the m upmost levels \(\{\ell _{i}\}_{i\in \{0,1\}^{\le m}}\).

  • If \(m=n\), \(\mathcal{P}\) stored all the labels computed by \(\mathsf{PoSW}^{\mathsf{H}_\chi }(N)\), and thus needs no more queries.

  • If \(m=0\), \(\mathcal{P}\) needs to recompute all N labels. This is not very satisfying, as it means that we’ll always have a soundness gap of at least 2: the honest prover needs a total of 2N sequential queries (N for each, \(\mathsf{PoSW}\) and \(\mathsf{open}\)), whereas (even an honest) prover with \(m=n\) space will only require N sequential queries. Fortunately there is a nice trade-off, where already using a small memory means \(\mathcal{P}\) just needs to make slightly more than N queries, as described next.

  • In the general case \(0\le m\le n\), \(\mathcal{P}\) needs to compute \(2^{n-m+1}-1\) labels for each of the t challenges, thus at most

    $$ t\cdot (2^{n-m+1}-1) $$

    in total (moreover this can be done making \(2^{n-m+1}-1\) queries sequentially, each with t inputs). E.g. if \(m=n/2\), this means \(\mathcal{P}\) uses around \(\sqrt{N}\cdot w\) bits memory, and \(\sqrt{N} \cdot t\) queries on top of the N for computing \(\mathsf{PoSW}\). For typical parameters \(\sqrt{N} \cdot t\) will be marginal compared to N. More generally, for any \(0\le \beta \le 1\), given \(N^{1-\beta }\cdot w\) memory means \(\mathcal{P}\) needs \(N^\beta \cdot t\) queries to compute \(\mathsf{open}\) (or \(N^\beta \) sequential queries with parallelism t).

    For our example with \(w=256,n=40,t=150\), setting, say \(m=20\), means \(\mathcal{P}\) uses 70 MB of memory, and the number of queries made by \(\mathsf{open}\) is less than N / 1000, which is marginal compared to the N queries made by \(\mathsf{PoSW}\).

5.5 Verifier Efficiency

The verifier is extremely efficient, it must only sample a random challenge \(\gamma \) (of length \(t\cdot w\)) and computing \(\mathsf{verify}(\chi ,N,\phi ,\gamma ,\tau )\) can be done making \(t\cdot n\) queries to \({\mathsf{H}_\chi }\), each of length at most \(n\cdot w\) bits. This is also basically the cost of verifying a non-interactive proof.

6 Conclusions and Open Problems

We constructed a proof of sequential work which is much simpler and enjoys much better parameters than the original construction from [MMV13]. They also state three open questions, two of which we answer in this work. Their first question is:

Space Complexity of the Solver. In our construction of time stamping and time-lock puzzles for time N, the solver keeps the hash labels of a graph of N vertices. Is there any other solution that uses o(N) storage? Or is there any inherent reason that \(\varOmega (N)\) storage is necessary?

We give a strong negative answer to this question, in our construction the storage of the prover is only \(O(\log (N))\). Their second question is:

Necessity of Depth-Robust Graphs. The efficiency and security of our construction is tightly tied to the parameters of depth-robust graph constructions: graphs with lower degree give more efficient solutions, while graphs with higher robustness (the lower bound on the length of the longest path remaining after some of the vertices are removed) give us puzzles with smaller adversarial advantage. An interesting open question is whether the converse also holds: do time-lock puzzles with better parameters also imply the existence of depth-robust graphs with better parameters?

Also here the answer is no. The graphs \(G^\mathsf{PoSW}_{n}\) we use, as illustrated in Fig. 3, are basically as terrible in terms of depth-robustness as a simple path. For example just removing the vertex 0 cuts the depth in half. Or just removing the \(2^{n/2}\approx \sqrt{N}\) vertices in the middle layer, will leave no paths of length more than \(\sqrt{N}\). Maybe depth-robustness is the wrong notion to look at here, our graphs satisfy a notion of “weighted” depth-robustness: assign each leaf weight 1, the nodes one layer up weight 2, then 4 etc., doubling with every layer. The total weight of all nodes will be \(n2^n\) (\(2^n\) for every layer), and one can show hat for any \(0\le \alpha \le 1\), removing nodes of weight \(\alpha 2^n\), will leave a path of length \((1-\alpha )2^n\).

Apart from [MMV13], depth-robust graphs have been used for cryptographic applications in at least one other case, namely to construct memory-hard functions [ABP17]. Moreover the proofs of space protocol from [DFKP15] is quite similar to the PoSW from [MMV13], the main difference being that the underlying graph does not have to be depth-robust, but needs to have high space complexity. Due to this similarities, it seems conceivable that using ideas from this work one can get improved constructions for memory-hard functions and proofs of space.

Let us also mention the third open question asked by [MMV13]. It asks whether a PoSW based only on random oracles can be used to achieve fairness in protocols like coin tossing. We refer to their paper for the details, and just mention that to achieve this, it’s sufficient to construct a PoSW with a “unique” proof (note that we already mention this problem in the related work Sect. 1.4). That is, we not only require that to generate a proof one needs to spend sequential time, but for every input (statement and time parameter), it should be hard to come up with two different valid proofs. Such a property would also be very useful in other contexts, like for constructing blockchains, which was the main motivation for this work.

Unfortunately, our construction also does not have unique proofs. It’s an intriguing open problem to construct a PoSW with unique proofs and an exponential gap between proof generation and proof verification. Currently, the publicly verifiable function with the largest gap between computation and verification is the sloth function [LW17], which is based on the assumption that computing square roots in a field of size p takes \(\log (p)\) times longer than the inverse operation, i.e., squaring. Under this assumption, the gap is \(\log (p)\), in practice one would probably use something like \(\log (p)\approx 1000\). Sloth is not a time-lock puzzle (as discussed in Sect. 1.4), as one can’t sample an input together with its output. It’s also not a good PoSW as there’s no further speedup if we only want to verify that a lot of sequential time has been spend on the computation, not correctness. Let us also mention that sloth, as well as our PoSW (but not [MMV13]) allow for a speedup of q in verification time if parallelism q is allowed and the proof can be of size linear in q. Basically one adds q “checkpoints” to the proof. These are intermediate states that appear during the computation, and one can verify that each two consecutive checkpoints are consistent independently.