Hi everyone. Today I'm going to talk about incremental proofs of sequential work, and it was very convenient that there was a talk before me, so I don't have to go through the same things again. But let me give you a brief introduction to the primitive anyway.

The idea is that the prover receives as input a statement x, then it does some work that takes approximately time N, and it is able to compute a small proof, which we call pi, such that the verifier, given the statement x and the proof pi, can say yes or no, in the sense that it accepts or rejects the proof. This is a very natural primitive to have and there are many applications: beyond the classical blockchain setting, it can be used right out of the box for things like CPU benchmarking or time-stamping of a document. In general it is a nice little primitive that I think we all agree deserves to be studied.

Let me be slightly more formal; this is going to be the last formal slide of the talk, so let's get it out of the way. What we want from a proof of sequential work is, of course, completeness: an honest proof correctly verifies. That's a sanity check, fine. We want soundness, which intuitively means that I cannot forge a proof in time much less than N. Note that soundness is parameterized by a certain constant. This constant does not have to be universal, in the sense that it may show up, for example, in the proof size; but the sequential work of any cheating prover is required to be at least (1 - epsilon) times N. So there is some slack: it is not a perfect proof, you are allowed to take some shortcuts, but as long as you are not taking too many of them we are okay with it. If you run too short, then we want the verifier to reject your proof with all but negligible probability. Throughout the talk, by time I mean the number of sequential random-oracle queries: it is easy to show that in the random oracle model nested queries are inherently sequential, so you can substitute time with random-oracle queries.

We also have efficiency requirements, which make the primitive non-trivial: the proof has to be short and verification has to be fast, in the sense that you don't want to go through the whole computation again. We additionally want the scheme to be non-interactive, by which I mean that there is just a single proof that gets sent from the prover to the verifier, and publicly verifiable, which was exactly the point raised before, so I'm glad it came up: everyone should be able to verify the proof. Finally there is a bonus feature, which our construction achieves: incrementality, meaning you can extend a proof to a time parameter larger than the fixed N without, of course, starting over. This feature is useful, for example, for time-stamping when you know that your hardware is prone to failures and you don't want to start over every time your machine shuts down. You compute the proof up to a certain point and you can just keep extending it; it's an interesting feature and it's good to have.
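To make the timing model concrete, here is a minimal Python sketch of what "time = sequential random-oracle queries" means: each query depends on the previous answer, so the chain cannot be parallelized. The hash function, statement, and chain length are illustrative assumptions; this is not a proof of sequential work by itself, precisely because the only way to verify it is to redo the whole computation.

```python
import hashlib

def H(x: bytes) -> bytes:
    # stand-in for the random oracle
    return hashlib.sha256(x).digest()

def sequential_work(chi: bytes, n: int) -> bytes:
    """n nested oracle calls: query i depends on the answer to query i-1,
    so an honest evaluation needs n sequential queries."""
    y = chi
    for _ in range(n):
        y = H(y)
    return y

chi, n = b"statement", 1 << 16
pi = sequential_work(chi, n)
# Naive 'verification' must redo all n queries -- exactly the cost
# that a proof of sequential work lets the verifier avoid.
assert pi == sequential_work(chi, n)
```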
Okay, now these slides require a bit of imagination, in the sense that I didn't put any constants here, so substitute your favorite ones, and I didn't put all the related work here because of space issues, but RSW-style time-lock puzzles, for instance, are all captured by this. That said, let me quickly summarize what's known.

The first two rows are constructions of proofs of sequential work. The first is by Mahmoody, Moran, and Vadhan, which we call MMV, and the second one is by Cohen and Pietrzak; I don't want to slaughter anybody's surname, so it's CP. The first construction was the motivating work of this line of research, and it achieves essentially logarithmic proof size and verifier complexity, which is nice, but it has prover memory complexity proportional to N. If you think of N as something around 2^40, which are typical parameters, that is really a lot of memory. This is where the Cohen-Pietrzak (CP) construction improved a lot: they had the very elegant idea of using the nice graph we saw in the talk before, and they managed to bring the prover memory complexity all the way down to log N. However, this came at a slight cost, in the sense that the prover computation is now 2N as opposed to N, and we'll see in a minute where this comes from. Let me also mention that they outline a trade-off where they manage to trade a bit of extra prover computation for a decrease in prover memory; in practice this is very good, but it motivates the question of whether we can get the best of both worlds. Both of these constructions are based only on random oracles, with no additional assumption; they are both very simple, very easy to implement, and practically efficient.

Now for the rest of the machinery. Of course, as we discussed before, a verifiable delay function is in particular a proof of sequential work; it is a stronger primitive and, as such, it is conjectured to require stronger assumptions. We know of very recent constructions, presented at this conference, that take the RSW paradigm and use the sequentiality of squaring over a group of unknown order, plus random oracles. They essentially achieve the best of both worlds: they are incremental and they get the best parameters asymptotically. And if we go one level above in the hierarchy, we get incremental verifiable computation, which gives a verifiable delay function and, again, a proof of sequential work, but this really involves heavy machinery: it builds on recursive composition of SNARKs. As far as I'm aware, there are only two such constructions: one uses the random oracle in a non-black-box way, so it is unclear what that means, and the other one uses pairings, but with a trusted setup.

This brings me to our results. We are interested in the first setting,
that is, simple proofs of sequential work based on random oracles only, and we want the best parameters possible, meaning polylogarithmic prover memory and prover computation that is linear with constant one. We propose two constructions. The first achieves asymptotically optimal prover computation, but has an extra square factor in the prover memory; on the other hand, it runs on a single processor. Our second construction removes this square from the prover memory, but it requires some parallelism from the prover; we can bound the number of parallel processors by log N, which I think is a reasonable assumption, and I'll say more about that later. As a bonus feature, both constructions are incremental, both are practically efficient, and both are based on random oracles alone.

Okay, so this is the one slide about the CP construction that I want to give you as a glimpse. This is the graph we saw in the previous talk: you can think of it as a Merkle tree with some extra edges, for example this one and this one, and I have highlighted in red the traversal order, that is, the order in which the prover computes the nodes. As a very executive summary of how this proof of sequential work works: the prover starts computing this graph and goes through the whole computation; once it gets to the root, it applies the Fiat-Shamir transformation and obtains a set S of challenge leaves. Now, for each of these leaves in S it returns the Merkle commitment opening: say one of these leaves is here, then it has to return the path to the root plus all the siblings along it. Given all this information, the verifier can check that everything is correctly formed and that the hashes are indeed computed correctly. This is repeated in parallel to boost soundness, but that is not really important here. I didn't tell you how the labels are computed: essentially, the label of a node is the hash of the labels of all the nodes with an edge pointing into it. Okay, so that's it.

But what's the problem? Where does the computational slack come from? Well, the problem comes from the fact that you don't know the set S of challenge leaves until you get to the root, and the root is actually the last step of the computation. So you have no idea which leaves you should keep in memory until you reach the end of the computation, and that is already N steps. How do you solve this? There are several solutions, but the naive ones are, in a sense: you either compute everything and keep the whole graph in memory, which is not good because that goes back to having a really large memory, or you recompute, in the worst case, the whole graph. Again, let me stress that there is a trade-off which brings both the memory and the recomputation overhead down to roughly the square root of N. But the question is: can we do better?
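As a reference point, here is a small Python sketch of the labeling and root-level Fiat-Shamir step just described. The exact edge structure (children, plus, for leaves, the left siblings of ancestors), the hash-input encoding, and the challenge derivation are my assumptions about a CP-style graph, written out only to make "label = hash of incoming labels" and "challenges are known only at the root" concrete.

```python
import hashlib

def H(*parts):
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode()); h.update(b"|")
    return h.hexdigest()

def parents(v, n):
    """Nodes with an edge INTO v (assumed CP-style structure): an internal
    node is fed by its two children; a leaf is additionally fed by the left
    sibling of every ancestor it hangs to the right of."""
    if len(v) < n:
        return [v + "0", v + "1"]
    return [v[:i] + "0" for i in range(n) if v[i] == "1"]

def label_graph(chi, n):
    """Label all nodes in the prover's traversal order (left subtree,
    right subtree, then the node itself). This keeps the whole graph in
    memory -- exactly the inefficiency discussed above."""
    labels = {}
    def rec(v):
        if len(v) < n:
            rec(v + "0"); rec(v + "1")
        labels[v] = H(chi, v, *(labels[u] for u in parents(v, n)))
    rec("")
    return labels

def challenge_leaves(chi, root_label, n, t):
    # Fiat-Shamir at the root: t challenge leaves derived from the root
    # label, hence unknown until the very last step of the computation
    return [format(int(H(chi, root_label, j), 16) % (1 << n), f"0{n}b")
            for j in range(t)]

labels = label_graph(b"statement", 10)
print(challenge_leaves(b"statement", labels[""], 10, 5))
```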
Okay, and this is where our work comes in; these are the ideas of our work. Before you tell me how trivial this is: I'm just presenting the idea in plain text, and for the math I refer you to the paper. I just want to give you a very high-level idea of our construction.

The basic idea is actually very simple: instead of waiting until the root to sample the challenge leaves, we start accumulating and pruning leaves throughout the computation of the graph. This is what happens, for example, at node v. In this slide, lambda is the size of the challenge set, the cardinality of the set, and you can think of it as the hardness parameter of the scheme. At this point, for the node L we have exactly three paths and for the node R we have exactly three paths, so everything is fine. Once we get to node v, the idea is to apply Fiat-Shamir to the node v itself, and this indexes a subset of size three of all these paths. So what we do is simply drop the paths which do not belong to this subset. Of course, for reasonable values of lambda and for high-depth nodes, at the very beginning of the computation, we just keep all the leaves; the higher up the tree we get, the more we start pruning and forgetting about paths we don't need. Note that as soon as a path is forgotten we never need it again, because all we do is prune gradually as we go up the tree. The conceptual difference is that instead of performing Fiat-Shamir once at the very end of the computation, we do it at each node, except for the very high-depth nodes.

Okay, so let me give you a quick glimpse of the algorithm. This is again a very simplified version, but it is the backbone of the idea, and I think from here you can reconstruct the whole algorithm. The prover starts the computation on the same graph as CP. For each node v we define S_L and S_R to be the challenge sets of its two children. First we check whether together they exceed the parameter lambda; if so, we apply Fiat-Shamir, using the random oracle, to the node v, and we define S to be a random lambda-sized subset of S_L concatenated with S_R. Otherwise, if they are not large enough, we just keep S to be the union. The verifier is identical to CP's: the only difference is that, in addition to checking the correct labeling of the graph and that the responses are well formed, the verifier also has to check that we pruned the correct branches. We need to check that each subset was correctly chosen, and this can be done by simply recomputing the hash of the node and parsing it appropriately as a subset. Now it is very easy to see that we have at most log N nodes in memory and at most lambda times log N root-to-leaf paths in memory, so the space complexity of this construction is roughly lambda times log-squared N. And this is actually not where the source of inefficiency comes from; I'll tell you about that in a minute.

Oh, and let me highlight that this scheme is naturally incremental, in the sense that there is absolutely nothing special about the root node: you could just keep going. There is no reason to stop at the root, the paths are already there in memory, and you can keep going even after the computation, so the incremental feature comes essentially for free.
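Here is a minimal Python sketch of that on-the-fly sampling idea, under simplifying assumptions: the graph is reduced to a plain Merkle tree, only leaf indices (not full paths with siblings) are accumulated, and the Fiat-Shamir choice of the surviving subset is modeled by seeding a PRG with the node's label. It is meant to show the accumulate-and-prune pattern, not the actual scheme from the paper.

```python
import hashlib, random

def H(*parts):
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode()); h.update(b"|")
    return h.hexdigest()

def prove_on_the_fly(chi, n, lam):
    """Label a depth-n binary tree, accumulating candidate challenge leaves
    and pruning them at every internal node once there are more than lam."""
    def rec(v):
        if len(v) == n:                     # a leaf is its own (only) candidate
            return H(chi, v), [v]
        lab_l, s_l = rec(v + "0")
        lab_r, s_r = rec(v + "1")
        lab = H(chi, v, lab_l, lab_r)       # label of v
        s = s_l + s_r                       # S_L concatenated with S_R
        if len(s) > lam:
            # Fiat-Shamir at v: the label of v determines which lam
            # candidates survive; all other paths are dropped right now
            rng = random.Random(int(lab, 16))
            s = sorted(rng.sample(s, lam))
        return lab, s
    return rec("")

root_label, challenges = prove_on_the_fly("statement", 12, 8)
print(root_label, challenges)
```

At any moment only the labels along the current path and at most lam surviving candidates per level are alive; with full Merkle paths instead of bare leaf indices this is where the roughly lambda times log-squared N memory bound mentioned above comes from.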
Now, the catch is that the analysis gets a bit more involved, because the prover can now cheat adaptively. What the prover can do is start some computation, see whether a favorable subset of nodes is chosen, then go back, change labels, and introduce mistakes. This messes things up a lot, and that's why we need to throw a lot of tail bounds into our analysis; it also increases the challenge-set size lambda significantly. In order to account for this adaptivity we essentially need to check many more paths; that is the moral behind it. It is still fine, in the sense that it is still polylogarithmic, but there is a square factor when you compare to CP18.

So our next idea is based on an extremely simple observation. Take any balanced Merkle tree: once the left subtree is computed, it will take exactly the same amount of time to compute the right subtree. That means that for this left subtree we actually have enough time to run the CP18 strategy and even recompute the entire left subtree; it doesn't matter, we just spawn a parallel processor, and as long as we have enough parallelism this doesn't affect the running time, because by the moment I need those paths that computation will be done. The idea is very simple: use a hybrid approach between what I just described and the idea of CP18, and I hope this picture helps you understand what is going on. This is the left subtree I was talking about. What happens is that my prover starts the computation and gets up to this point; from here the main thread continues the computation of this subtree, whereas it spawns a parallel thread that goes and recomputes the challenge paths. For this subtree, Fiat-Shamir is applied just at this node; we don't need to bother applying our on-the-fly sampling strategy inside it. The point is that we will merge the two subsets at this node, but we will need the paths that come out of this subtree only when this node is also computed, and that takes exactly the same time because the tree is balanced. It is very easy to see, and there is a very easy proof, that this allows you to bound the number of parallel processors used at any time by log N. And log N is a really reasonable amount of parallelism: in practice N is never going to exceed, say, 2^80, so take log N equal to 80; machines with 80 processors exist, so we're good. And what was the point of all this? The point is that now we do not have to throw so many tail bounds, because there is no adaptivity at all inside this full subtree, and you can already see where we still have to throw tail bounds: only here, at these few nodes.
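The scheduling idea can be sketched in a few lines of Python. Everything here is a simplified assumption: the tree is a plain Merkle tree, the helper thread merely re-derives challenge leaf indices from the finished left subtree's label rather than relabeling the subtree and extracting full openings, and the merge at the parent reuses the same label-seeded pruning as before. The point it tries to capture is only the scheduling: one helper per ancestor level is in flight while the main thread labels the sibling subtree, which is why roughly log N processors suffice.

```python
import hashlib, random
from concurrent.futures import ThreadPoolExecutor

def H(*parts):
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode()); h.update(b"|")
    return h.hexdigest()

def hybrid_prove(chi, n, lam, pool):
    def subtree_challenges(v, lab_v):
        # helper thread: Fiat-Shamir applied once at the subtree root v
        # (the real helper would relabel the subtree and keep full paths)
        k = n - len(v)
        if k == 0:                          # the 'subtree' is a single leaf
            return [v]
        return [v + format(int(H(chi, lab_v, j), 16) % (1 << k), f"0{k}b")
                for j in range(lam)]
    def rec(v):
        if len(v) == n:
            return H(chi, v), [v]
        lab_l, _ = rec(v + "0")
        # left subtree is done: hand it to a helper thread and move on;
        # at most one helper per ancestor level is ever in flight
        fut = pool.submit(subtree_challenges, v + "0", lab_l)
        lab_r, s_r = rec(v + "1")
        lab = H(chi, v, lab_l, lab_r)
        s = fut.result() + s_r              # merge when the parent is reached
        if len(s) > lam:                    # prune, exactly as before
            rng = random.Random(int(lab, 16))
            s = sorted(rng.sample(s, lam))
        return lab, s
    return rec("")

with ThreadPoolExecutor(max_workers=16) as pool:
    print(hybrid_prove("statement", 12, 8, pool))
```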
Those nodes are very few compared to the whole tree, so our parameters get much better, and we end up with a proof size approximately a factor of nine larger than CP18, which, if you consider that this gives you essentially optimal prover complexity and the incrementality feature almost for free, seems to be a reasonable price to pay.

Okay, so let me conclude with a summary and some open problems. What we showed in this talk is a proof of sequential work which is asymptotically optimal with respect to prover efficiency, comes from simple and well-understood assumptions, and is concretely efficient and simple to implement. I think it's a nice idea, and I'm sure it will find other applications. As for open problems: first, can we get unique proofs? Of course you can using a verifiable delay function, but maybe something simpler works; it's a good question. Second, avoiding random oracles is always an interesting question. Third, find other applications of this on-the-fly sampling technique: you can think of it as a sort of verifiable random probing over a data stream, when you cannot go back to the data and you need to sample probes in a verifiable way. If you have ideas on how to use this technique, please come talk to me, I'm very interested. Okay, that's it. Thank you for your attention.

Are there any questions?

Q: When you mix your technique with CP18, I wonder if you lose something in terms of incrementality; I'm not sure I completely understood how you achieve it. If CP18 is not incremental and some part of your proof is using CP18, then...?

A: Good, that's a very good question. The point is this: imagine we are at this point in the tree. Yes, the CP18 part by itself is not incremental, but if we keep going upwards from here, then we have enough time to recompute all those paths and do the trivial incrementation, so that the proof at the end is incremental.

Q: Is there a reason why you always go to the left like this, why you have this particular structure? Why start from the left and not the right, or, I don't know, alternate?

A: No, this is because of the structure of CP18: it has to go in this specific order, so that's why.

Q: And this parameter lambda, who chooses it?

A: It's fixed; it's the hardness parameter of the system. Lambda was just for the sake of the talk, we have a more fine-grained parameterization.

Any other questions?

Q: I had a question: in this construction you are essentially basing everything on CP18, so there is the tree, which is basically a power of two. Can you have a number of iterations, an amount of work, that is not a power of two?

A: You can, by the way, yes, it works: you just lose a log factor by essentially working with powers of two. But yeah, not very satisfactory.

Okay, thank you. If there are no other questions, let's thank the speaker again.