Simple Proofs of Sequential Work

  • Bram Cohen
  • Krzysztof Pietrzak
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10821)


At ITCS 2013, Mahmoody, Moran and Vadhan [MMV13] introduced and constructed publicly verifiable proofs of sequential work, which are protocols for proving that one spent sequential computational work related to some statement. The original motivation for such proofs included non-interactive time-stamping and universally verifiable CPU benchmarks. A more recent application, and our main motivation, is blockchain designs, where proofs of sequential work can be used – in combination with proofs of space – as a more ecological and economical substitute for proofs of work which are currently used to secure Bitcoin and other cryptocurrencies.

The construction proposed by [MMV13] is based on a hash function and can be proven secure in the random oracle model, or assuming inherently sequential hash-functions, which is a new standard model assumption introduced in their work.

In a proof of sequential work, a prover gets a “statement” \(\chi \), a time parameter N and access to a hash-function \(\mathsf{H}\), which for the security proof is modelled as a random oracle. Correctness requires that an honest prover can make a verifier accept making only N queries to \(\mathsf{H}\), while soundness requires that any prover who makes the verifier accept must have made (almost) N sequential queries to \(\mathsf{H}\). Thus a solution constitutes a proof that N time passed since \(\chi \) was received. Solutions must be publicly verifiable in time at most polylogarithmic in N.

The construction of [MMV13] is based on “depth-robust” graphs, and as a consequence has rather poor concrete parameters. But the major drawback is that the prover needs not just N time, but also N space to compute a proof.

In this work we propose a proof of sequential work which is much simpler, more efficient and achieves much better concrete bounds. Most importantly, the space required can be as small as \(\log (N)\) (but we get better soundness using slightly more memory than that).
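The prover/verifier interface described above, as an added Python example (not code from the paper or its authors): a toy prover labels a binary hash tree in which each leaf also hashes in the left siblings along its root path, and a verifier checks one opened leaf with n + 1 hash calls. The graph, the SHA-256 stand-in for \(\mathsf{H}\), the label encoding and all function names are assumptions of this example, since this page does not give the construction; the toy prover also stores all N labels rather than \(\log (N)\).

```python
import hashlib

def H(chi: bytes, node: str, *labels: bytes) -> bytes:
    """Random-oracle stand-in: SHA-256 salted with the statement chi."""
    H.calls += 1  # count oracle queries so the cost claims can be checked
    return hashlib.sha256(chi + b"|" + node.encode() + b"|" + b"".join(labels)).digest()
H.calls = 0

def sibling(leaf: str, i: int) -> str:
    """Sibling of the depth-(i+1) node on the path from the root to `leaf`."""
    return leaf[:i] + ("1" if leaf[i] == "0" else "0")

def left_siblings(leaf: str) -> list:
    """Left siblings along the root path; these are the leaf's extra parents."""
    return [leaf[:i] + "0" for i in range(len(leaf)) if leaf[i] == "1"]

def prove(chi: bytes, n: int) -> dict:
    """Label all N = 2^(n+1) - 1 nodes with one query each, in dependency order."""
    labels = {}
    def visit(v: str) -> None:
        if len(v) == n:  # leaf: label depends on earlier left-sibling labels
            labels[v] = H(chi, v, *(labels[p] for p in left_siblings(v)))
        else:            # inner node: label depends on both children
            visit(v + "0")
            visit(v + "1")
            labels[v] = H(chi, v, labels[v + "0"], labels[v + "1"])
    visit("")
    return labels        # toy prover keeps every label; labels[""] is the proof

def open_leaf(labels: dict, leaf: str):
    """Opening for one challenge: leaf label plus the siblings on its root path."""
    return labels[leaf], {sibling(leaf, i): labels[sibling(leaf, i)] for i in range(len(leaf))}

def verify(chi: bytes, n: int, root: bytes, leaf: str, leaf_label: bytes, sibs: dict) -> bool:
    """Check one opened leaf against the root using n + 1 queries."""
    try:
        if len(leaf) != n or leaf_label != H(chi, leaf, *(sibs[p] for p in left_siblings(leaf))):
            return False
        cur = leaf_label
        for i in range(n - 1, -1, -1):  # walk from the leaf up to the root
            sib = sibs[sibling(leaf, i)]
            cur = H(chi, leaf[:i], *((cur, sib) if leaf[i] == "0" else (sib, cur)))
    except KeyError:
        return False
    return cur == root

if __name__ == "__main__":
    chi, n, leaf = b"constructed statement", 4, "0101"  # constructed sample input
    labels = prove(chi, n)
    print(H.calls, verify(chi, n, labels[""], leaf, *open_leaf(labels, leaf)))
```

A single opened leaf only catches an inconsistency on that leaf's path; a real verifier would open several randomly chosen leaves.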

An open problem stated by [MMV13] that our construction does not solve either is achieving a “unique” proof, where even a cheating prover can only generate a single accepting proof. This property would be extremely useful for applications to blockchains.


  1. [ABP17]
    Alwen, J., Blocki, J., Pietrzak, K.: Depth-robust graphs and their cumulative memory complexity. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 3–32. Springer, Cham (2017)
  2. [BGJ+16]
    Bitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized encodings. In: Sudan, M. (ed.) ITCS 2016, pp. 345–356. ACM, January 2016
  3. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 93, pp. 62–73. ACM Press, November 1993
  4. [CLSY93]
    Cai, J.-Y., Lipton, R.J., Sedgewick, R., Yao, A.C.-C.: Towards uncheatable benchmarks. In: Proceedings of the Eighth Annual Structure in Complexity Theory Conference, San Diego, CA, USA, 18–21 May 1993, pp. 2–11 (1993)
  5. [Dam90]
    Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990)
  6. [DFKP15]
    Dziembowski, S., Faust, S., Kolmogorov, V., Pietrzak, K.: Proofs of space. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 585–605. Springer, Heidelberg (2015)
  7. [DGK17]
    Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 473–495. Springer, Cham (2017)
  8. [DN93]
    Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993)
  9. [EGS75]
    Erdoes, P., Graham, R.L., Szemeredi, E.: On sparse graphs with dense long paths. Technical report, Stanford, CA, USA (1975)
  10. [FS87]
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  11. [LW17]
    Lenstra, A.K., Wesolowski, B.: Trustworthy public randomness with sloth, unicorn, and trx. IJACT 3(4), 330–343 (2017)
  12. [May93]
    May, T.C.: Timed-release crypto (1993)
  13. [Mer90]
    Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990)
  14. [MMV11]
    Mahmoody, M., Moran, T., Vadhan, S.: Time-lock puzzles in the Random Oracle model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 39–50. Springer, Heidelberg (2011)
  15. [MMV13]
    Mahmoody, M., Moran, T., Vadhan, S.P.: Publicly verifiable proofs of sequential work. In: Kleinberg, R.D. (ed.) ITCS 2013, pp. 373–388. ACM, January 2013
  16. [RSW00]
    Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed release crypto. Technical report (2000)

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Chia Network, San Francisco, USA
  2. IST Austria, Klosterneuburg, Austria
