A proof of sequential work allows a prover to convince a verifier that a certain amount of sequential steps have been computed. In this work we introduce the notion ofincremental proofs of sequential work where a prover can carry on the computation done by the previous prover incrementally, without affecting the resources of the individual provers or the size of the proofs.

To date, the most efficient instance of proofs of sequential work [Cohen and Pietrzak, Eurocrypt 2018] forN steps require the prover to have\(\sqrt{N}\) memory and to run for\(N + \sqrt{N}\) steps. Using incremental proofs of sequential work we can bring down the prover’s storage complexity to\(\log N\) and its running time toN.

We propose two different constructions of incremental proofs of sequential work: Our first scheme requires a single processor and introduces a poly-logarithmic factor in the proof size when compared with the proposals of Cohen and Pietrzak. Our second scheme assumes\(\log N\) parallel processors but brings down the overhead of the proof size to a factor of 9. Both schemes are simple to implement and only rely on hash functions (modelled as random oracles).

1. 1.

   e.g.,https://www.freetsa.org.

2. 2.

   As we are working in the random oracle model, these coins can be taken directly from\(\ell _v\) if we make the hashes sufficiently longer. However, for presentation purposes we use a separate hash function which hashes\(\ell _v\).

Authors and Affiliations

1. CISPA Helmholtz Center for Information Security, Saarbrücken, Germany

   Nico Döttling

2. Friedrich-Alexander-Universität Erlangen-Nürnberg, Erlangen, Germany

   Russell W. F. Lai

3. Carnegie Mellon University, Pittsburgh, USA

   Giulio Malavolta

Corresponding author

Correspondence toRussell W. F. Lai.

Editors and Affiliations

1. Technion, Haifa, Israel

   Yuval Ishai

2. COSIC Group, KU Leuven, Heverlee, Belgium

   Vincent Rijmen

A General Arity Constructions

The schemes described in Sects. 4.2 and5.2 can be generalized rather easily to work withp-ary trees for any.

1.1A.1 Generalized CP Graphs

We begin by describing the generalized CP graph\(CP^p_n\), and generalizing Lemmas 1,2, and3.

Definition 6

(Generalized CP Graphs). For, let\(N = p^{n+1} - 1\) and\(T_{p,n} = (V, E')\) be a completep-ary tree of depthn. Let\(\varSigma := \{0,\ldots ,p-1\}\) be an alphabet set of sizep. The nodes\(V = \varSigma ^{\le n}\) are identified byp-ary strings of length at mostn and the empty string\(\epsilon \) represents the root. The edges are directed from the leaves towards the root.

The graph\(CP^p_n = (V,E)\) is a DAG constructed from\(T_{p,n} = (V, E')\) as follows. For any leaf, for any nodev which is a left-sibling of a node on the path fromu to the root\(\epsilon \), an edge (v, u) is appended to\(E'\). Formally,\(E := E' \cup E''\) where

We state and prove the generalizations of Lemmas 1,2, and3.

Lemma 6

The labels of a\(CP^p_n\) graph can be computed in topological order using bits of memory.

Proof

We prove by induction onn. Let\(0, \ldots , p-1\) be the children of\(\epsilon \). For\(i \in \varSigma = \{0,\ldots ,p-1\}\), let\(\mathfrak {T}_i\) be the subtree rooted at thei. Note that\(\mathfrak {T}_i\) is isomorphic to\(CP^p_{n-1}\). To compute the labels of\(CP^p_n\), we first compute the labels of\(\mathfrak {T}_0\). Upon completion, we store only the label of 0, denoted\(\ell _0\). Next, we compute the labels of\(\mathfrak {T}_1\) using\(\ell _0\). This is possible since all edges start from the node 0. Upon completion, we store the label\(\ell _1\). Now suppose that for some\(i \in \{1, \dots , p\}\) the labels of\(\mathfrak {T}_0, \ldots , \mathfrak {T}_{i-1}\) are computed, and we have stored\(\ell _0, \dots , \ell _{i-1}\). The labels of\(\mathfrak {T}_i\) can be computed since all edges start from the nodes\(0, \ldots , i-1\). Eventually, we obtain the last label\(\ell _{p-1}\). Using this with\(\ell _0, \dots , \ell _{p-2}\) stored in the memory, we can compute the label of\(\epsilon \).

Since for each\(i \in \varSigma \), storing\(\ell _i\) requires bits of memory, the memory required for computing the label of\(CP^p_n\) equals to that of\(CP^p_{n-1}\) plus extra bits. Furthermore,\(CP^p_{0}\) has exactly 1 node and its label can be computed using bits of memory. Solving the recursion gives the claimed bound.

Lemma 7

For all\(S \subseteq V\), the subgraph of\(CP^p_n = (V, E)\) on vertex set\(V \setminus \mathfrak {T}_{S^*}\), has a directed path going through all the\(|V| - |\mathfrak {T}_{S^*}|\) nodes.

Proof

We prove by induction onn. The lemma is trivial for\(CP^p_0\) as it contains only 1 node. Now, suppose the lemma is true for\(CP^p_{n-1}\). Consider\(CP^p_n\), and let\(0, \ldots , p-1\) be the children of\(\epsilon \). For\(i \in \varSigma = \{0,\ldots ,p-1\}\), let\(\mathfrak {T}_i\) be the subtree rooted at thei. Note that\(\mathfrak {T}_i\) is isomorphic to\(CP^p_{n-1}\).\(CP^p_n\) consists of the root\(\epsilon \), the subtrees\(\mathfrak {T}_0, \ldots , \mathfrak {T}_{p-1}\), and edges going fromi to the leaves of\(\mathfrak {T}_j\) for all\(i < j\) and\(i,j \in \varSigma \).

The lemma is true if\(\epsilon \in S^*\), as\(|V| - |\mathfrak {T}_{S^*}| = 0\). Otherwise, let\(I := S^* \cap \varSigma \) be the subset of children of\(\epsilon \) which are in\(S^*\). For concreteness, we write\(I = \{i_1, \ldots , i_k\}\) for some\(k \in \{1, \dots , p\}\). We apply the lemma to\(\mathfrak {T}_i\) for all\(i \in \varSigma \setminus I\), so that for each\(\mathfrak {T}_i\) there exists a directed path going from the left-most leaf of\(\mathfrak {T}_i\),i.e.,\(i0\ldots 0\), toi. Since for all\(i,j \in \varSigma \) where\(i < j\), there exists an edge fromi to\(j0\ldots 0\), it means that for each\(i' \in I\), there exists a edge\((i'-1, (i'+1)0\ldots 0)\) which “skips”\(\mathfrak {T}_{i'}\). Formally, the following edges exist:

Finally, we note that there also exists an edge\((i^*, \epsilon )\) where\(i^* := \max _{i \notin I} (i \in \varSigma )\), which completes the path from\(0\ldots 0\) to\(\epsilon \), passing through all\(|V| - |\mathfrak {T}_{S^*}|\) nodes.

Lemma 8

For all\(S \subset V\),\(\mathfrak {T}_{S^*}\) contains\(\frac{|\mathfrak {T}_{S^*}| + |S|}{p}\) many leaves.

Proof

Let\(S^* = \{v_1,\ldots ,v_k\}\). Since\(S^*\) is minimal, it holds that\(\mathfrak {T}_{v_i} \cap \mathfrak {T}_{v_j} = \emptyset \) for all\(i,j \in \{1,\dots , k\}\) with\(i \ne j\). Therefore we can write

As for all\(i \in \{1, \dots , k\}\),\(\mathfrak {T}_{v_i}\) is a completep-ary tree, it has\((|\mathfrak {T}_{v_i}|+1)/p\) many leaves. Thus,

1.2A.2 Generalized Single-Thread Construction

The generalized construction is almost identical to the basic one presented in Sect. 4.2, except the graph\(CP_n\) is replaced with\(CP^p_n\), and the computation of the labels is changed accordingly.

1. 1.

   Initialize\(U \leftarrow \emptyset \).

2. 2.

   Assign.

3. 3.

   Traverse the graph\(CP^p_n= (V, E)\) starting from\(0^n\). At every node\(v\in V\) which is traversed, do the following:

   1. (a)

      Compute the label\(\ell _v\) by, where\(v_1,\dots ,v_d \in V\) are all nodes with edges pointing to\(v\),i.e.,\((v_i, v) \in E\).

   2. (b)

      Let\(c_0,\ldots ,c_{p-1}\) be the children of\(v\).

   3. (c)

      If, set

      
   4. (d)

      Otherwise (i.e., if), do the following:

      1. i

         Compute.

      2. ii

         Choose a random-subset\(S_v\) of via.

      3. iii

         For, write where\(0 \le a < p\) and\(0 \le b < t\) and set\({\mathcal {L}_{v}} [j] \leftarrow (v,\ell _{c_0},\ldots ,\ell _{c_{p-1}},j) \Vert \mathcal {L}_{c_a}[ b ]\).

   5. (e)

      Mark\(c_0, \ldots , c_{p-2}\) as finished,i.e., remove\(c_0, \ldots , c_{p-2}\) fromU and, if\(v\) is not the right-most child of its parent, mark\(v\) as unfinished,i.e., add\(v\) toU.

4. 4.

   Once the set of unfinished nodes consists only of the root-node (i.e.,\(U = \{ \epsilon \}\)), terminate and output.

1. 1.

   Initialize\(U := \emptyset \).

2. 2.

   Parse\(\pi \) as

3. 3.

   Assign\(\ell _{0^{n'-n}} := \ell _\epsilon \) and.

4. 4.

   Execute the algorithm starting from step 3 with a slight change: Traverse the graph\(CP^p_{n'}\) starting from\(0^{n'-n-1} \Vert 1 \Vert 0^n\) (instead of from\(0^{n'}\)).

1. 1.

   Parse.

2. 2.

   For all paths do the following:

   1. (a)

      Parse\(\mathsf {path} \) as.

   2. (b)

      For every node\(v\in \{v_0,\dots ,v_n\}\) on the path, check if the label\(\ell _v\) was computed correctly. That is, for\(v= 0^n\) check whether, and for any other node\(v\in V \backslash \{ 0^n\}\) check whether, where\(\ell _{v_1}, \ldots , \ell _{v_d}\) are the nodes with edges pointing to\(v\). The value\(\ell _v\) can either be retrieved from the parent node of\(v\), or is directly available for the case of the root-node\(\epsilon \). For the special case of leaf-nodes, the values\(\ell _{v_1}, \ldots , \ell _{v_d}\) are not stored locally with the node\(v\), but are stored at some other (a-priori known) nodes along the path\(\mathsf {path} \) (refer to the structure of the graph\(CP^p_n\)).

   3. (c)

      For all\(j \in \{0,\dots ,n^*\}\), compute and. Let\(i \in \{0,\ldots ,p-1\}\) so that\(v_{j+1}\) is thei-th child of\(v_j\). Check if.

3. 3.

   If all checks pass then output 1. Otherwise output 0.

We state the soundness error and the efficiency of the generalized construction. The analysis is essentially identical to that in Sect. 4.3 and is therefore omitted.

Soundness. Here we state a generalized version of Lemma 5 forp-ary trees.

Lemma 9

Letv be a node and let\((v_1, \ldots , v_p)\) the set of children ofv. If for all\(i \in \{ 1, \ldots , p \}\) we have

then it holds that

The bound for the soundness error has the same form as that in the basic construction, except that\(n = \log _p (N + 1) - 1\). Previously,\(n = \log (N+1) - 1\). The proof is identical to that of Theorem 2, except that we apply Lemma 9 instead of Lemma 5.

Theorem 4

The construction given in Sect. A.2 is sound for any, and the soundness error is given by.

Efficiency. In the following, we set and. The parallel time complexity of the prover remains unchanged atO(N). The parallel time complexity of the verifier is, which decreases atp increases. The proof size and the space complexity of the prover are and respectively. The fractions\(\phi _p := \frac{p}{\log ^3 p}\) and\(\theta _p := \frac{p^2}{\log ^4 p}\) are minimized at\(p = 20\) and\(p = 7\) respectively. Compared to\(p = 2\), we have\(\phi _{20} / \phi _2 \approx 0.124\) and\(\theta _{7} / \theta _2 \approx 0.197\).

1.3A.3 Generalized Multi-thread Construction

Similar to the above, we present a generalization of the construction in Sect. 5.2.

1. 1.

   Initialize\(U \leftarrow \emptyset \) to be the set of unfinished nodes.

2. 2.

   Assign.

3. 3.

   Traverse the graph\(CP^p_n\) starting from\(0^n\). At every node\(v\in V\) which is traversed, do the following:

   1. (a)

      Compute the label\(\ell _v\) by, where\(v_1,\dots ,v_d \in V\) are all nodes nodes\(v\) is adjacent with,i.e.,\((v_i, v) \in E\).

   2. (b)

      Let\(c_0,\ldots ,c_{p-1}\) be the children of\(v\).

   3. (c)

      If, set

      
   4. (d)

      Otherwise (i.e., if), do the following:

      1. i.

         Compute.

      2. ii.

         Choose a random-subset\(S_v\) of via.

      3. iii.

         For, write where\(0 \le a < p\) and\(0 \le b < t\). Set.

   5. (e)

      If\(v\) is not a right node (i.e., it is not the right-most child of its parent):

      1. i.

         Compute.

      2. ii.

         Choose a randomt-set of paths with prefix\(v\) via.

      3. iii.

         Execute in a parallel thread and set.

      4. iv.

         Mark\(c_0,\ldots ,c_{p-2}\) as finished,i.e., remove\(c_0,\ldots ,c_{p-2}\) fromU and mark\(v\) as unfinished,i.e., add\(v\) toU.

4. 4.

   Once the set of unfinished nodes consists only of the root-node (i.e.,\(U = \{ \epsilon \}\)), terminate and output.

Defined as in Sect. A.2.

1. 1.

   Parse\(\pi \) as.

2. 2.

   For all paths do the following:

   1. (a)

      Parse\(\mathsf {path} \) as.

   2. (b)

      For every node\(v\in \{v_0,\dots ,v_n\}\) on the path, check if the label\(\ell _v\) was computed correctly. That is, for\(v= 0^n\) check whether, and for any other node\(v\in V \backslash \{ 0^n\}\) check whether, where\(v_1, \ldots , v_d\) are the nodes with edges pointing to\(v\). The value\(\ell _v\) can either be retrieved from the parent node of\(v\), or is directly available for the case of the root-node\(\epsilon \). For the special case of leaf-nodes, the values\(\ell _{v_1}, \ldots , \ell _{v_d}\) are not stored locally with the node\(v\), but are stored at some other (a-priori known) nodes along\(\mathsf {path} \) (refer to the structure of the graph\(CP^p_n\)).

   3. (c)

      For all\(j \in \{0,\dots ,n^*\}\):

      1. i.

         If\(v_j\) is the right-most child of its parent or\(j = 0\): Compute and. Let\(v_{j+1}\) be thei-th child of\(v_j\), check if.

      2. ii.

         If\(v_j\) is not the right-most child of its parent: Compute and. Check if all paths in\(S_{v_j}\) are present in.

3. 3.

   If all checks pass output 1, otherwise 0.

Next we state the soundness error and the efficiency.

Soundness. The soundness analysis requires some tweaking of the argument.

Theorem 5

The construction given in Sect. A.3 is sound for any, and the soundness error is given by.

Proof

The proof follows the blueprint of the proof of Theorem 3, except for the following changes. First we add a hybrid for each sibling of the nodes\(\{1^{n^*}, \ldots , 1, \epsilon \}\). The indistinguishability arguments are identical.

Then we define the event\(\hat{\mathsf {BAD}}_{v}\) as follows:\(\mathcal {A}\) queries with a query corresponding to a labeled sub-tree for which it holds that, where\(n_v\) is the depth of\(v\).

We bound the probability that\(\hat{\mathsf {BAD}}_{v}\) happens with an inductive argument over\(v\in \{1^{n^*},\ldots ,1, \epsilon \}\). For the base case\(v= 1^{n^*}\) is enough to observe that\(\delta (\mathsf {L}_v) = \gamma (\mathsf {L}_v)\) and therefore\(\hat{\mathsf {BAD}}_{v}\) happens with probability 0.

For any node\(v\in \{1^{n^*-1},\ldots ,1, \epsilon \}\), fix a query and let\((v_1, \ldots , v_p)\) be the children of\(v\). For all\(i \in \{1, \ldots , p-1\}\) we have that

(8)

as otherwise\(\mathsf {BAD}_{v_i}\) would be triggered. For the node\(v_{p}\) we have that

(9)

by induction hypothesis, as otherwise\(\hat{\mathsf {BAD}}_{v_p}\) would be triggered. We can now rewrite

by (8), (9), and Lemma 9. For\(p>1\) we can bound

since it is a geometric series. Thus we can set and derive

The remainder of the analysis is unchanged.   \(\square \)

Efficiency. In the following, we set and\(n= \log _p N\). The parallel time complexity of the prover remains unchanged atO(N). The number of parallel threads is bounded by\(O(p \log _p N)\), which is minimized at\(p = 3\). The parallel time complexity of the verifier is, which decreases atp increases. The proof size and the space complexity of the prover are and respectively. The fractions\(\phi '_p := \frac{p (1 + \frac{p}{p-1})^2 }{\log p}\) and\(\theta '_p := \frac{p^2 (1 + \frac{p}{p-1})^2 }{\log ^2 p}\) are both minimized at\(p = 4\). Compared to\(p = 2\), we have\(\phi '_{4} / \phi '_2 \approx 0.605\) and\(\theta '_{7} / \theta '_2 \approx 0.605\).

Reprints and permissions

© 2019 International Association for Cryptologic Research

Policies and ethics