# On the Security of Proofs of Sequential Work in a Post-Quantum World

A proof of sequential work allows a prover to convince a resource-bounded verifier that the prover invested a substantial amount of sequential time to perform some underlying computation. Proofs of sequential work have many applications including time-stamping, blockchain design, and universally verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the first construction of proofs of sequential work in the random oracle model though the construction relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and Pietrzak (EUROCRYPT 2018) gave a more efficient construction that does not require depth-robust graphs. In each of these constructions, the prover commits to a labeling of a directed acyclic graph G with N nodes and the verifier audits the prover by checking that a small subset of labels are locally consistent, e.g., L_v = H(L_v_1,…,L_v_δ), where v_1,…,v_δ denote the parents of node v. Provided that the graph G has certain structural properties (e.g., depth-robustness), the prover must produce a long ℋ-sequence to pass the audit with non-negligible probability. An ℋ-sequence x_0,x_1… x_T has the property that H(x_i) is a substring of x_i+1 for each i, i.e., we can find strings a_i,b_i such that x_i+1 = a_i · H(x_i) · b_i. In the parallel random oracle model, it is straightforward to argue that any attacker running in sequential time T-1 will fail to produce an ℋ-sequence of length T except with negligible probability – even if the attacker submits large batches of random oracle queries in each round. (See the paper for the full abstract.)

READ FULL TEXT