Proofs of Useless Work – Positive and Negative Results for Wasteless Mining Systems

by   Maya Dotan, et al.
Hebrew University of Jerusalem

Many blockchain systems today, including Bitcoin, rely on Proof of Work (PoW). Proof of work is crucial to the liveness and security of cryptocurrencies. The assumption when using PoW is that a lot of trial and error is required on average before a valid block is generated. One of the main concerns raised with regard to this kind of system is the inherent need to "waste" energy on "meaningless" problems. In fact, the Bitcoin system is believed to consume more electricity than several small countries [5]. In this work we formally define three properties that are necessary for wasteless PoW systems: (1) solve "meaningful" problems (2) solve them efficiently and (3) be secure against double-spend attacks. We analyze these properties and deduce constraints that impose on PoW systems. In particular, we conclude that under realistic assumptions, the set of allowed functions for mining must be preimage resistant functions. Finally, we propose a modification to the Bitcoin consensus rule that allows users to upload a certain subset of preimage resistant problems and let the mining process solve them. We prove security against Double-Spend attacks identical to the existing security guarantee in Bitcoin today.


page 1

page 2

page 3

page 4


Bitcoin and Blockchain: Security and Privacy

A cryptocurrency is a decentralized digital currency that is designed fo...

Optical Proof of Work

Most cryptocurrencies rely on Proof-of-Work (PoW) "mining" for resistanc...

Profit from Two Bitcoin Mining Tactics: Towing and Shutdown

Since Bitcoin's inception in 2008, it has became attractive investments ...

Babylon: Reusing Bitcoin Mining to Enhance Proof-of-Stake Security

Bitcoin is the most secure blockchain in the world, supported by the imm...

Block Double-Submission Attack: Block Withholding Can Be Self-Destructive

Proof-of-Work (PoW) is the core security mechanism of Bitcoin, the first...

Twisted by the Pools: Detection of Selfish Anomalies in Proof-of-Work Mining

The core of many cryptocurrencies is the decentralised validation networ...

Parallel Proof-of-Work with Concrete Bounds

Authorization is challenging in distributed systems that cannot rely on ...

1. Introduction

Cryptocurrencies (such as Bitcoin(Nakamoto, 2008)) are distributed (and often decentralized) currencies. Bitcoin offered a revolutionary way for people to control the currency, potentially independent of governments and central power. Bitcoin operates on top of the Blockchain (a Merkel tree of blocks) in which each block encapsulates monetary transactions. The blockchain is an appendable data structure. A transaction is valid only upon being included in a block. Security in Bitcoin translates to ensuring that the Blockchain is constantly appended, and it is appended in the same way across all users in the system (consistency). Appending the blockchain is done through a process called ”Mining”, and block creators are called ”Miners”. It is of vital importance to the health of the protocol that mining is not controlled by an adversary. In particular, it is vital that the rate of blocks created is regulated, and that block creation is not vulnerable to Sybil attacks. The most popular method for regulating block creation is through ”Proof of Work” (most commonly known as mining). In a proof of work system, in order to create a block, users (miners) must supply a proof of performing a sufficient amount of ”computational work”. This is commonly enforced via requiring users to find a solution to a problem which is believed to be computationally hard, in the sense that the best method for solving it is via brute force.

In Bitcoin, Mining works as follows: A difficulty parameter is dictated by the protocol. Then, miners start guessing binary strings (according to a certain format dictated by the protocol). If a miner comes up with a string (which depends on the previous block and the block content) such that 111In Bitcoin, is double application of the SHA-256 cryptographic hash function, but the definition extends to any preimage resistant function., they get to create the new block. Since it is believed that inverting is hard, it stems that the optimal way of finding such an is via repeated trial and error.

Since solving this puzzle takes a measurable amount of computational resources, it holds that with overwhelming probability, miners can only create blocks at a rate which is proportional to the percent of the computational power in the network. From this property stems the security guarantee of Bitcoin - As long as no single user controls a majority

222 according to Nakamoto in (Nakamoto, 2008), taking into account selfish mining such as (Eyal and Sirer, 2018) etc. of the computational power in the network, then the probability of inconsistency across users decreases exponentially with the number of blocks created. In this sense, proof of work is what ensures that the Bitcoin system is secure.

Upon creating a new block, the miner will broadcast it to all of the network, and all users will in turn append this block to their own local view of the blockchain. A miner which succeeds in mining a block is awarded a prize, and gets to decide which transactions are included in the newly created block. The Blockchain must be constantly extended in order to keep the system alive. In Bitcoin the rule of thumb currently is that a block is created once every 10 minutes. The reward for the creator of a block is the fee of the transactions it contains in addition to an amount for the block itself (an amount that halves every blocks).

Though impressive and revolutionary, the mining process introduces a serious environmental problem due to its massive energy consumption. This energy use is the focus of this paper. The energy consumption of the Bitcoin network has been widely discussed in popular literature over the past few years, and is estimated to be at least as high as that of some small countries

(O’Dwyer and Malone, 2014). While many regard the energy consumption as waste, it plays a crucial role in securing the network. From this we can see that a more formal definition for ”waste” is needed. Once the proper terminology is established, solutions that reduce energy consumption can be examined thoroughly.

There have been two major flavors of solutions that address the issue of energy consumption in PoW systems. The first attempts to minimize, or even eliminate the energy consumption used by cryptocurrencies. We mention a few of these in the following section. The second, and noticeably less studied, is the option of using the outcome of the computations performed by Bitcoin at the end of the mining process. We will focus on the latter in this work.

One could argue that the fact that the energy used to mine Bitcoins ensures its security is enough to deem it not wasteful. However, the fact remains that the computations currently being performed by Bitcoin miners have no other merit except for being ”hard”. Once a result to the puzzle is found, it is verified and then never used again. The main question studied in this work is whether this need not be the case. Can one design a PoW system in which the results of the computation can be useful for real life applications while maintaining the property of being ”sufficiently hard” and not subject to manipulation?

We make the case that mining is wasteless if the problems that the mining process solves are ”meaningful”. We consider problems to be meaningful if users are willing to pay money for their solutions in some setting external to the mining process. If so, we claim that the mining process ”saved” electricity in that external system, and ”used” the electricity that went into mining for solving that problem. Thus we require that a wasteless mining systems will enable users to request problems that they need to be solved. We will use, for this reason, the terms ”Meaningful” and ”User Uploaded” interchangeably.

In addition, we show that in order for the mining process to be truly wasteless, the algorithm used by the mining process to solve each individual problem must in fact be the optimal algorithm (otherwise the external system would require less electricity for the same task, deeming the mining process wasteful). We connect this insight to a property which we refer to as ”energy efficiency”.

Finally, any wasteless mining system must still remain secure according to the standard notions of security in the Blockchain world today.

We therefore explore the world of mining systems that uphold all three properties - (1) Meaningful (User Uploaded), (2) Energy-Efficient and (3) Secure.

1.1. Related Work

Before we dive into our results, we first stop to discuss previous attempts in tackling the issue of energy consumption in cryptocurrencies, some of which are: ”Proof of Stake” studied by Bentov et al in (Bentov et al., 2014), Gilad et al. in (Gilad et al., 2017), and later expanded by Ben Tove et al. in (Bentov et al., 2014), Kiayias in (Kiayias et al., 2017) and many more. They replace energy with a different resource. Another approach is ”Proof of Space”, introduced by Dziembowski in (Dziembowski et al., 2015) replaces energy with physical storage. While these approaches avoid the immediate problem of energy waste, they incur waste in other domains (such as physical storage or liquid currency). Therefore, we consider these approaches to be only as partial solutions. These methods are outside the scope of this paper, but we will comment how our results may be applicable to them in the conclusions section of this paper.

We will focus on an approach first presented by King in (King, 2013), and again by Ball, Rosen et al. in (Ball et al., 2017). They introduce the notion of ”Proof of Useful Work”. In these systems, the outputs of the ”mining computation” are supposed to be meaningful.

Both of these works however do not allow users to upload their own problems, rather the problems are dictated by the system. We claim that in order to make such systems favorable, users must be allowed to upload computational tasks that have some value to them in order to avoid energy waste. Enabling users to upload real problems to which they need a solution, in a way that is provably secure against adversaries or double spend attacks can be a huge improvement, as energy will inevitably be exerted in order to solve these problems. For these reasons, these works do not meet our definition of solving meaningful problems.

A step forward in implementing useful proofs of work has been done in (Zhang et al., 2017), however it is strongly based on 2 facts: (i) The assumption that the hardware enforces correct reporting of work (and it cannot be fooled), and (ii) The assumption that all miners use this very specific hardware (Intel SGX instructions). This in fact can be viewed as a special case of the general solution we describe here, where a trusted setup can count the complexity on the computation. We elaborate of this in appendix B.

In (Ball et al., 2017) writers present a useful proof of work system. They however do not present a proof of security against double spend attacks (as in the original Bitcoin protocol).

The idea of “Hybrid mining” was proposed in many papers, such as (Chatterjee et al., 2019), (Oliver et al., 2017) and (Zheng et al., 2020), in which miners can choose to work on solving problems or in increasing the blockchain’s weight. We argue that these systems are not energy efficient because there are contradicting incentives between investing computational power into the security of the blockchain, and into solving other problems for a fee. Thus, there are still significant resources that will go to waste just to keep the system secure, as well as a security decrease due to computational power which is diverted away from mining.

1.2. Our Contribution

In this paper we formally define the notion of ”wasted energy”. We say that energy invested in a computation is ”wasted” if no one is willing to pay for the result of the computation independently from the mining procedure (i.e. no one would pay money for this computation in an external system). From this we deduce that a “meaningful problem” is one that someone is willing to pay for.

We take a close look at the trade-off between solving meaningful problems, reducing marginal computation work, and keeping the system secure against double spend attackers. Formally, we define three desired properties for a ”non-wasteful” proof of work system:

  1. Meaningful Problems - The results of computations performed by miners should be of interest to some user. We measure interest by economic incentive - the user must be willing to pay enough money for the result of the computation. A simple economic analysis in Section 5 shows that this definition can be reduced to ”User Uploaded” problems.

  2. Energy Efficiency - The additional functionality should not increase the amount of energy needed to solve the problems (or the amount of increase is provably small), and the algorithms used to solve the problems are optimal.

  3. Security - Our security model will be the same as in the original Bitcoin paper (Nakamoto, 2008) in the sense that the system should by secure against double spend attacks by a minority attacker with overwhelming probability. In particular our definition coincides with the common prefix property as defined by Garay et al. in (Garay et al., 2015).

We discuss existing attempts at creating PoW systems that solve meaningful problems. In particular we survey existing solutions under the lens of these three properties, and show that to this day the only existing solution (Zhang et al., 2017) which upholds all three properties requires trusted hardware.

Figure 1. Schematic illustration of the intersections of the three requirements compared to state of the art systems today

We now present, in high level, conditions which we prove are necessary for a system that meets all requirements:

  1. Solving user-uploaded problems is an integral and mandatory part of the mining process (namely, miners cannot choose if they want to solve user uploaded problems or not).

  2. Miners must supply a proof that they attempted to solve user-uploaded problems. These proofs need to be easy to verify and ”unfakeable” given any prior knowledge on the problems, the solution or any structural information on the problem (including the answer to the problem).

  3. Anyone with computational resources should be economically incentivized to solve a problem within the mining process rather than offline (being payed by someone for finding a valid solution to the problem in some offline setting).

  4. The computational requirements for solving a mining objective should be known to the system (or the system should be able to evaluate them). This means the system should have prior knowledge on the computational resources it take to evaluate the function on every input, or measure precisely the amount of work that went into each computation.

  5. Following the previous point, unless there is trusted reporting of the amount of computational work done by a user, the system should only allow users to upload problems for which every case is the ”worse case” (For example, inverting one-way functions).

1.3. Structure

The structure of this paper is as follows:

In section 2 we formally define the model for a mining proof of work system and mining objectives. We explain how these definitions are a generalization and abstraction of existing proof-of-work systems. In addition, we formally define the property of energy-efficiency. In section 3 we analyze properties that must exist in any such systems in order for them to meet the security definitions that are standard in the field. We fully characterize the family of possible mining systems. We discuss how\whether current proof of work systems meet these definitions.

In section 4 we present a possible implementation of a mining system which meets all criteria. In section 5 we discuss a basic economic approach of systems which allow user uploaded mining objectives. Finally, in section 6 we discuss some future directions.

2. Formal Model for Mining Systems

Until now we have discussed in high-level the desired properties of Proofs of Useful Work systems, and why existing solutions fail. In this Section we dive into detail, and formalize the properties that we believe any wasteless mining system must uphold. We then analyze these properties carefully, and derive limitations and restrictions that any such system must follow. After we define and understand these limitations, we introduce our own solution, which is (1) secure, (2) energy efficient and (3) performs meaningful work, according to our definitions.

We first define security in REMSs. Our definitions use notations inspired by Boneh et al. in (Boneh et al., 2018), which discusses general Verifiable Delay Functions, and the definitions coincide with the ones in (Garay et al., 2015), which discusses Bitcoin specifically. In particular, our definitions of security still are with respect to common prefix property and the chain quality property which should be upheld as long as an honest majority of the computational power in the network still exists. We do not change or interfere with these definitions in any way.

2.1. Definitions

Definition 0 (Mining Objective).

Let . A mining objective is a pair where is a function and . 333In Bitcoin and is a binary string smaller than the current difficulty . We will say that a mining objective was solved if some was found such that . 444A more general definition of a mining objective would be a pair such that and a solution is s.t. there exists s.t. . We will omit this for the ease of notation, but all of our analysis can be easily generalized to this case.

We will later see how the above definition coincides the Bitcoin mining system.

Definition 0 (REMS).

A Repeated Eval Mining System is a quadruple defined as follows:

  • is a set of mining objectives.

  • a randomized, polynomial time algorithm that takes no parameters, and returns an evaluation key , which is unpredictable to all players.

  • is a polynomial time algorithm which takes an input and produces an output . Where . The first coordinate of is an indication of whether the seed

    results in a successful mine (a block was created), and the rest is an indicator vector of which mining objectives were solved by

    . is a (possibly empty) proof . 666In this paper when we say ”proof” we mean some function of the output of the computation . It may be interesting to think about systems in which the proof can be independent of the output (such as in (Zhang et al., 2017)), however this is outside the scope of this paper. 555We assume that is some function of the combination of the outputs of all ’s for all . We assume that runs in polynomial time in .

  • is a deterministic polynomial time algorithm which returns if a valid output of , and otherwise.

In an REMS, repeated calls to are made, and when a query returns then a mining attempt was successful, and we will refer to this as a new block was mined.

For example, in today’s Bitcoin, is the hash of the previous block, is some string in , and there exists a parameter , such that . executes SHA on , gets an output , and returns the vector and proof where: it holds that i.f.f , and i.f.f. one of the objectives was solved. returns i.f.f the proof (in this case ) maintains that the hash of is at most .

The following two definitions will describe two necessary conditions for any REMS system - Correctness and Soundness (regardless off the energy efficiency question).

Definition 0 (Soundness).

We will say that an REMS is sound if for every algorithm that runs in time , and which is sampled uniformly from : If the output of is then

Definition 0 (Correctness).

We will say that an REMS is correct if .

From now on, we will only discuss REMS’s which are both Sound and Correct.

Throughout the following sections, for the sake of ease of notations, assume that for every the task of evaluating takes the same amount of computational resources for every . Moreover, we assume from now on that consumes a constant amount of computational resources per execution. We will address the general case and discuss why these assumptions is not necessary in Section 6.

Definition 0 (Blockchain).

Let be an REMS. A linked list of blocks is called a blockchain if for every block in the blockchain, it holds that . Moreover denote the following: is called the genesis block, is the head, and is the weight of the blockchain.

Throughout this paper we do not deviate from the notion of consensus as presented in the original Bitcoin paper by see (Nakamoto, 2008).

Note that in the above definition, we assume that every block for which returns is a block with the same weight as all other blocks. This notion can in theory be generalized, however we will not go into this case in this work.

Definition 0 (Computational Resources Demands).

Let be an REMS. Let be a mining objective in .

  1. We denote the computational resources necessary to compute the value for any , assuming the computation is executed by the optimal algorithm for computing .

  2. Denote the computational resources necessary, in expectation, to find a solution such that , where is sampled uniformly from . Again, the computation assumed the optimal algorithm for computing .

2.2. Security, Energy Efficiency, Meaningfulness

Our adversarial model is the same model as in (Garay et al., 2015). In particular, we assume that the attacker can first observe the activity of the honest nodes and be the last player to decide on a strategy, and that he can change the content of his own messages at will. We assume that he is computationally bounded and that regular cryptographic assumptions hold (especially that the attacker can not invert one way functions efficiently).

Definition 0 (Secure REMS).

Let be an REMS. Let be a family of mining objectives in . Let be a miner in the system. We say that the REMS is secure if it holds that:

Where gets to choose the distribution over from which she samples (without knowing ).

The guarantee should be that an attacker can not create blocks faster than his\her ratio of the total computational power in the network. This means that the ”cryptopuzzle” should uphold the property that

If this property does not hold we say that the system is vulnerable to double spend attacks by a minority attacker.

Note that this notion of security coincides with the notion of security in “The Bitcoin Backbone Protocol” (Garay et al., 2015) (in their notations, each player contributes a single vote, so a user that controls a mining pool of size players, out of the total players in the network, creates of the blocks). As shown there, this is enough to ensure that the common prefix property and the chain quality property are maintained in the system.

Definition 0 (Meaningful REMS).

We say that a mining objective is meaningful if there exists someone willing to pay for the resources that are required to solve it regardless of the mining process. We say that an REMS is meaningful if all of the mining objectives in are meaningful.

Due to to Definition 8 we will from now on use the terms “meaningful” and “user-uploaded” interchangeably.

Definition 0 (Secure-User-Uploaded REMS).

Let be the set of all the users in a system (including all miners) . Let be a set of mining objectives that was chosen by 777In particular, a miner may have any non trivial amount of information about any mining objective , such as a solution for which .. We say that it is secure user-uploaded if secure.

Definition 9 is the formalization of the combination two of the conditions discussed in the introduction. Notice that the requirement that the mining objective was chosen by the miner (and not a user that is participating only through uploading problems) is necessary in order to ensure security. This is because we want any such solution to be resistant to miners maliciously uploading problems in order to increase their chances of successfully mining a block888In Bitcoin this would translate to a miner being able to artificially increase her relative computational power in the network., which can lead to a double spend.

For the next part of our definitions we use the following intuition: We say that a mining objective is meaningful if there is someone who is willing to pay for the computational resources that are needed in order to solve it. We would like to make sure that any system that meets our requirements will only allow for meaningful objectives to belong to . Since this is not yet well defined, we begin with the following softer definition of energy efficiency. Combining this notion with the fact that is composed of user uploaded problems, we can describe necessary conditions for systems in which all mining objectives are meaningful.

Definition 0 ().

[-Energy Efficient REMS] Let . We say that a mining system is energy efficient if it holds that for every the energy ratio:

That is, the system can make sure that the percent of energy used for solving user uploaded problems is arbitrarily close to .

From now on, any time we say that a claim holds for an “energy-efficient” REMS, we mean that it holds for an -energy-efficient REMS for every

3. Necessary Properties of REMS’s - Formal Analysis

In this section we will prove our main theorems about Repeated Evaluation Mining systems. We will fully characterize the allowed set of functions that may belong to in the case of REMS’s which are Secure,Energy Efficient and Meaningful.

The claims are organized in the following structure. First, we discuss secure REMS’s and show two basic properties which we prove are necessary for any REMS to be secure: The function should be optimally efficient and the relationship between mining a block and solving a mining objective should be correlative to “how hard” the objective is.

Next, we refine the discussion to secure & energy-efficient REMS, wherein we introduce the proof to our analysis. We initially shows that “hard-enough” proofs are mandatory in order to keep the system energy-efficient. Additionally, projecting the above basic properties on this scenario we prove (i) should be optimally efficient in generating the proof, and (ii) the relationship between finding a coherent proof and solving a mining objective should be correlative as above.

In the last subsection we show our main theorems which hold for (1) secure (2) energy-efficient and (3) user uploaded REMSs. We combine the constraints on , and deduce from them constraints on the allowed set of mining objectives in any secure, energy-efficient and user uploaded REMS.

3.1. Secure REMS

Claim 1 ( is optimal).

Let be a secure REMS. Then there does not exist any algorithm that is more efficient than such that is sound. 999This condition means that is the optimal algorithm for the computational task which mining is based on.

The proof is in Appendix C

In the following claim, we formalize the following notion: In a secure REMS, solving each mining objective will result in successfully mining with a probability that is proportional to the resources demand of the objective.

Claim 2 ().

For any it holds that:

The proof is in Appendix C

Where is the expected amount of computational power required for Finding a solution that satisfies .

If this assumption does not hold, the system should in fact be able to adjust the weight of the block according to the amount for the relevant which resulted in the block creation.

Corollary 0 ().

Let be a secure-energy-efficient REMS. Assume that mining a block depends on solving the mining objectives. Then must be known to the system.

3.2. Secure & Energy-Efficient REMS

We now turn our attention to analyzing the energy efficiency requirement and some basic properties that must be kept in order for it to hold. Namely we show that the energy efficiency property implies that the system shouldn’t use much energy beside solving the mining objectives.

The following claim is the first time we consider the proofs as a tool for enforcing that miners indeed solve mining objectives, which we will be important for the rest of our claims. It is also important since it formally captures the following intuition: Miners must always be incentivised to solve the mining objective, rather than generating proofs in some way that is external to the system.

Claim 3 ().

Let be an energy efficient REMS. Then miners must supply proofs of attempting to solve mining objectives from as part of the mining process. Furthermore, the computational difficulty of computing is lower than the difficulty of finding a proof for which evaluates to

The proof for claim 3 appears in Appendix D.

Claim 4 ().

Let be a secure and energy efficient REMS. Then is the optimal algorithm for generating the proof given setup .

The proof for claim 4 appears in Appendix D.

Discussion 1 ().

In claim 1 We proved that must execute the optimal algorithm for solving mining objectives in . In claim 4 we showed that is the optimal algorithm for generating proofs at attempting to solve mining objectives from . We point out that in the special case that the proof of trying to solve a mining objective using input , is exactly the output , then the two claims are identical. However, in the general setting, this need not be the case. We will further discuss this special case of the output being the proof later in Theorem 4.

Claim 5 ().

Let be a secure-energy-efficient REMS. Let be the mining objectives. Then for any and for all , for any algorithm used to generate proofs it holds that:

Where is the output of .

The proof for Claim 5 appears in Appendix D.

From the above we conclude that the objectives can only contain problems for which it is hard to generated pairs for which will be evaluated to true. So in order for an objective to be legal, it should be both (1) equally hard to solve across all users and (2) equally hard to generate a proof for all users.

For example, assume that a system can be designed through utilizing mining objectives that are -SAT problems, and the proofs are possible assignments (i.e. where is a -SAT formula, and the proof is a binary string symbolizing which variables in are ). Assume in addition that an adversary miner has some small amount of non-trivial information about a mining objective (for instance, the adversary may know that for any assignment it holds that in at most half of the clauses are satisfiable). Then the miner can avoid verifying the assignment to every clause in if he\she discovers that half of the clauses have already been satisfied, reducing the amount of computations this attacker has to use for the task of solving . This way the attacker increases their relative power in the system, again increasing their chance of a successful double spend attack.

Corollary 0 ().

Let be a family of secure problems, and is an energy-efficient mining system. Then , it holds that is in .

An immediate result of what we have now seen is that proofs of attempts of running mining objectives from need to be hard to fake. How hard - for a mining objective it should be at least as hard as finding such that ; But this is exactly the amount

We will henceforth assume that the proof which is the output of contains proofs of attempts at running mining objectives from .

3.3. Secure & Energy-Efficient & User-Uploaded REMS

From this point on, we will discuss the user-uploaded property. In this case, we will show that the above claims need to hold for every in the sense that if a mining objective is allowed to be in , then it holds that the system must have information on the amounts and for every .

Theorem 3 (Secure Energy Efficient User Uploaded REMS).

Let be a secure-energy-efficient-user-uploaded REMS.

Therefore for a function to be a legal mining objective, for every it must hold that is known. 101010The difference between this claim and Corollary 1 is that here we also quantify over every , whereas in the corollary we quantify only over ’s

The proof of Theorem 3 is in Appendix E

In the following theorem we will take a closer look at the family of allowed mining objectives in secure-energy-efficient-user-uploaded REMS’s. We will show that in the setting in which we restrict ourselves to the case where the proofs generated by are the output of each objective, we have that may contain only preimage resistance functions (definition 1 can be found in appendix C).

Theorem 4 (Pre-Image Resistance Property).

Let an REMS be secure-energy-efficient-user-uploaded. Assume in addition that the proof generated by at index given input is exactly . Then it holds that the family contains only preimage resistant functions.

The proof of Theorem 4 is in Appendix E

To give an intuition to the above, we can draft the steps as: given a mining objective , it holds that

(the first equality is because is actually the function for all ). Thus if is not preimage resistant, then is inversable.

Discussion 2 ().

From all that we have shown above, it stem that there are two options for designing proof of useful work system (under the restrictions that were discussed above):

  • REMS in which block creation depends of the successful solution of user-uploaded mining objectives. In this case, we have from Claim 2 and Corollary 1 that for any ,

    And that the system should know to adjust the odds of block creation according to the amounts

    for all mining objectives that a user may upload to the system. For instance, if the system allows to upload both instances of and , then the amount of computations needed for a pair and should be known for any . This is a very harsh restriction for a system designer. One way in which it can be enforced is as in (Zhang et al., 2017) by counting the number of CPU operation based on the additional assumption of trusted hardware.

  • REMS in which problem solving is an integrated part of mining, but the success in solving a problem does not directly affect the chances of mining a block. In this setting, miners have to try to solve mining objectives as a requirement of the mining process, but the odds of creating a block are not affected if a miner did or did not solve a mining objective along the way. This means that finding a solution to a mining objectives is a byproduct of mining, but not the objective. We will describe such a system in the following section.

We have now fully characterized the space of possible Secure, Energy Efficient and Meaningful Repeated Evaluation Mining Systems. We have show that for all practical uses, without any assumptions of trust (hardware or otherwise), the only type of allowed mining objectives in such systems must be preimage resistance functions. On one hand, this is discouraging, as it gravely limits the amount of meaningful computation that can be diverted from traditional computing farms towards mining systems. On the other hand, we claim that this still leaves room for some hope. In the next section we present an implementation of an REMS that is secure, energy efficient and allows for user uploaded problems.

4. Implementation of Secure Energy Efficient User Uploaded REMS

In this section we formally define our suggested protocol. Our model strongly corresponds to the original Bitcoin protocol, and as such, any property that has not been specifically mentioned can be assumed to be untouched and remain loyal to the Bitcoin protocol. Our construction does deviate from the Bitcoin protocol in some aspects, namely the block creation rule and a new type of transaction.

4.1. Bitcoin Mining Protocol

In Bitcoin, blocks are created in the following way: each miner guesses random strings. For each string , the miner calculates a binary string , Where is the header of the block that the miner tries to mine, which contains the previous block hash (which is unpredictable, thus can be considered as ), its address, a commitment to the transactions the block contains and more. A miner gets to mine a new block if it holds that the output of the computation is smaller than some global parameter (which is referred to as the difficulty parameter). This process is what is called ”Bitcoin Mining”.

4.2. Modified Protocol - A High level Description

We begin with a high-level description of our secure-energy-efficient-user-uploaded REMS and in the following sections we will formally describe how everything is realized and prove correctness.

In order to describe the protocol more simply, we will consider only one type of problems - trimmed output of for . We will describe how this protocol can be generalized in section 4.5.

In our system, users can upload problems to the system using a new type of transaction. The transaction holds the prize that the user offers in exchange to a solution to his problem. The problem itself is an output of a to which they need the corresponding input.

Uploaded problems are partitioned into ”active” and ”non-active” problems, according to whether they were solved. The mining process works as follows: Miners choose a subset of a fixed size of the active problems. After committing to this subset, they start guessing binary strings and if they succeed a block is mined.

The commitment is done by writing a Merkle tree of the set in the header of the block being attempted (similar to what happens in the coin-base transaction in Bitcoin today).

Our solution ensures that a miner will work on all problems they committed to by pipelining the (untrimmed) result of one problem as the input to the next. Only the output of the last problem in might generate a block.

The miners, as in Bitcoin, generate a seed that is concatenated to the block header that they try to mine, and use the result as the input to the first problem. If a miner finds a solution to one of the problems while attempting to mine a block, she will publish the seed as a new transaction, and collect the prize to the problem. A block was mined only if the final output meets the difficulty requirements.

Let us formally define a class of problems, that we use later to describe the problems that our system will be able to solve.

Definition 0 ().

SHA256 trimmed output problem is a problem with the form where . In this problem, the goal is to find a such that , where means to take the bits from index to index .

An example problem is upper bounding SHA256’s output by demanding that the first bits should equals (which is close to Bitcoin’s mining objective for ).

4.3. Modified Protocol - Formal Description

The system contains the following elements:

4.3.1. Mining Objectives in

User-uploaded problems must be of the form where is a function and is a well formatted output of . We define be limited to contain only trimmed outputs of for . We later discuss how this family can be expanded slightly, while still keeping in line with the results from the previous section.

Users may upload mining objectives through a new special type of transaction, which will contain a description of the problem, alongside a deposit which can be withdrawn trough supplying a valid solution to the problem111111The solution has to be well formatted in the sense that it has to contain the header information of the relevant block at the time of solution. This is important in order to proof compliance with the requirement of unpredictability describes in the firs section.. When a miner finds a solution to a mining objective, she can publish a transaction with the solution. The solution contains the solver’s public key within it as the recipient of the deposited prize. So in order to hijack the solution a miner must be able to find collisions in SHA256. A schematic illustration of this mechanism can be found in Figure 2.

In addition we limit to be the set of “Active Problems”, defined in the follwoing way: Given a user-uploaded problem, it is considered active as long as it complies with the two following requirements:

  • It has not yet been solved in previous blocks.

  • It’s solution isn’t a part of the block’s transactions.


is simply the hash (SHA256) of the latest block header in the system (the last leaf on the longest chain).


Given a set of the active mining objectives: . A miner first chooses a subset of size k. The miner will query using the input parameters 121212If there aren’t enough problems in , then the miner most add problems to from a list of problems accepted by the system. The miner will then calculate , where holds the information on the block that he’s trying to mine (including the previous block hash , his identity, Merkle root of and Merkle root of the transactions that he includes in the block) and then for every active user-uploaded problem, the miner checks if the assignment . If not, the miner sets and keeps going. 131313If the trimming of is to strong, then this may degenrate the outputs space of - this is why we will always use the output before the trimming.. If at any point it holds that , the miner may publish a transaction with the proof141414The proof will be , and this way the miner is safe from anyone hijacking the solution, since contains the miners’ information and collect the fee offered by the problem-uploader. Finally, a block is mined if (where is the difficulty parameter). A schematic illustration of this mechanism can be found in Figure 3. The output is generated in the following way:

  • if (where is the difficulty parameter on the system). Otherwise, .

  • For all , if it holds that . Otherwise, .

The proof is simply the output of the last objective. I.e.

A very important comment is that should be equal to the number of different functions (before the trimming) that are in . If contains multiple problems that are a different trimming of the same output, then the miner needs to calculate the output once, and check all of the possible ’s against this output. We assume the overhead of these checks, given the output of the function, is negligible (and can be computed in parallel) when compared to the execution of the function151515We can remove this assumption and allow only a single occurrence of each in ..

Otherwise is not the optimal algorithm for solving the group of the mining objectives (altogether), which is a contradiction to the definition of energy efficient.

Figure 2. Modified block creation mechanism to allow solving user uploaded preimage resistance functions as part of the mining process.


works as expected: Checks whether equals , and that (i.e. ).

4.3.5. Prize Collection

If a miner finds a solution to a mining objective, she publishes a special transaction with the solution. Since the seed to the solution contains the public key of the miner, everyone can verify that the solution is correct and that she is the legal recipient of the prize. Miners are incentivized to include this transaction in their newly created block because of the transaction’s fee, just like any other transaction.

4.4. Liveness

Figure 3. Our modified mining mechanism.

We notice that the probability of mining a block is the same compared to the Bitcoin protocol, so our guarantees of liveness stems from that of the original Bitcoin protocol. Meaning that the system continues to create blocks even if no problems are uploaded by users (though in this case there does exist the same waste of energy as in Bitcoin).

Moreover, we keep the incentives for the honest miners to keep mining blocks because they still get the block reward and the transactions fees. Therefore any honest transaction will eventually end up deep enough in an honest chain, assuming there’s an honest majority.

The only thing to make sure is that the new special transactions will be included. We claim that they will, since hijacking the solution is computationally infeasible (for an adversary whom cannot reverse preimage resistant functions). So miners gain nothing be ignoring such transactions, and are incentivised to include them via transaction fees.

4.5. Generalizing and Restrict the Family of allowed problems

In subsection 4.3.1 We limited the discussion to trimmed problems to simplify the model. This section will discuss a possible generalization, in which we broaden the allowed set of problems. We show that although we can generalize our protocol and keep it secure, the allowed problems and protocol still must have restrictions.

From Claim 2 and the fact that mining a block and solving a mining objective is independent, we need to enforce that each attempt to mine a block has the same computational demands. Each attempt to mine a block is actually executing all the problems in the chosen group of problems (that was denoted by ), therefore we have to constraint the possible groups.

One option to do so is by defining a ”score” to each type of problem. Then, the protocol can enforce “fixed score” for and thus control the computational resources of each execution of (each attempt to mine a block). Note that this implicitly holds in the above suggestion because we demanded a “fixed size” if , and there is only a single type of allowed problem.

We offer the following example to guide the readers intuition - Suppose the system allowed two families of functions as mining objectives - trimmed outputs of SHA and trimmed outputs of MD (instead of allowing only trimmed SHA). will be designed as follows - always run SHA for times and then MD for . Such a system meets all the formal requirements for security, user uploaded problems and energy efficiency (since these are questions uploaded by users whom are willing to pay for the output of the computation). This can be further extended to include other one-way functions, as long as their proportions remain controlled.

5. Relating Energy Efficiency to Market Powers - Pricing Mining Objectives Effectively

Throughout this paper we discuss the possibility of users uploading computational puzzles to which they need solution, alongside a fee. A miner which solves the problem collects the fee. We would like to discuss why a fee is in fact necessary for the liveness of the system. Assume for a moment an REMS that is (1) Secure (2) Energy Efficient and (3) User Uploaded, and users upload problems without a fee (or with a negligible fee). We claim that if the amount

is less than the amount , miners will not be incentivised to mine, and would prefer to solve problems in an offline setting. This is of course harmful to the security of the system (since less miners implies less security), and to the liveness of the system. We however argue that in reality, users will be incentivised to solve their problems through the REMS, since the price for a solution within it is lower the any outer market. This is the result of the REMS miners that are incentivised by block rewards and transaction fees in addition to the fee for solving mining objectives.

In addition, if someone chooses to maliciously upload a mining objective with a fee that is too small, miners may simply chose other queuing mining objectives instead, rendering this mining objective meaningless. The same holds for the case of users uploading ”uninteresting” problems with the sole purpose of wasting energy. In conclusion, market forces will make the miners to invest their energy only in interesting, well priced problems.

6. Conclusions and Future Work

In this paper we formally defined the property of energy efficiency in Proof of Work systems in the permissionless setting in which there is no trusted hardware. We used this definition to completely characterize systems in which the following properties hold: (1) Security against double spends by a minority attacker (2) Energy efficiency (3) Meaningful computations. This way we showed a negative result for different types of Proofs of Useful Work concept. We show that a system that, in general settings, satisfies all the three conditions can’t be used to solve general problems in . We use our definitions to construct a Proof of Work system in which users can upload problems to which they need solutions, alongside a fee. The mining process solves these problems. The model is derived by introducing relatively minor changes to the original Bitcoin protocol, which can be easily and effectively implemented in live systems. We proved the security and liveness of our architecture as compared to the original Bitcoin protocol, using the most recent definitions of security used today in cryptocurrency systems. A natural question is to extend this analysis to alternatives to proof of work such as proof of space (Dziembowski et al., 2015) and proof of stake (King and Nadal, 2012). In the case of proofs of space, the question is easily translated into whether can we use proofs of space for storing data in a way which avoids unnecessary data duplication, while making sure the data stored is data that real people in the world are willing to pay to store, all the while being safe against double spends. We believe that the answer to this question should be no, up to some degenerate cases. In the case of proofs of stake, the analogy is less natural and has to do with measuring the economical loss of storing money in escrow as compared to keeping it in circulation. We believe that this question is harder and is of interest.

In Definition 5 we assumed that all blocks must have equal weight. We believe that this can be generalized to a setting in which the weight of a block may vary across blocks. In this work, the system should in fact be able to adjust the weight of the block according to the amount for the relevant which resulted in the block creation. This is left as a direction for future work.

One final note is that throughout this paper we assumed that the amount was fixed per function (meaning that evaluating takes the same amount of computational work for every - Definition 6). This clearly need not be the case in general. We claim that this is not a problem. Indeed, if this is not the case, the REMS should be able to evaluate the amount of computational work that evaluating take for all possible ’s. One possibility for doing this is presented in (Zhang et al., 2017). They used trusted hardware to count cpu cycles, thus they have en exact estimate of the amount of work that went into computing for all ’s and ’s. Another option is to only allow to contain functions for which these amounts are known (which is the case in our discussion).

Another assumption we made in Definition 7 is that every execution of takes the same amount of computational resources. It will be interesting to study whether this is necessary. For instance, one can think of designing a system in which can determine the weight of blocks created according to the amount of computational work that went into its execution (meaning that blocks of different weights can be created). We notice that if this is the case, then the proofs provided by the miners can not be the outputs of the functions in , as this would be a contradiction to Theorem 4. If a system of this type can be designed in a secure way, we beleive that this would be of interest.


  • M. Ball, A. Rosen, M. Sabin, and P. N. Vasudevan (2017) Proofs of useful work.. IACR Cryptology ePrint Archive 2017, pp. 203. Cited by: Appendix A, §1.1, §1.1.
  • I. Bentov, C. Lee, A. Mizrahi, and M. Rosenfeld (2014) Proof of activity: extending bitcoin’s proof of work via proof of stake [extended abstract] y. ACM SIGMETRICS Performance Evaluation Review 42 (3), pp. 34–37. Cited by: §1.1.
  • D. Boneh, J. Bonneau, B. Bünz, and B. Fisch (2018) Verifiable delay functions. In Annual international cryptology conference, pp. 757–788. Cited by: §2.
  • K. Chatterjee, A. K. Goharshady, and A. Pourdamghani (2019) Hybrid mining: exploiting blockchain’s computational power for distributed problem solving. In Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pp. 374–381. Cited by: §1.1.
  • A. De Vries (2018) Bitcoin’s growing energy problem. Joule 2 (5), pp. 801–805. Cited by: Proofs of Useless Work Positive and Negative Results for Wasteless Mining Systems.
  • S. Dziembowski, S. Faust, V. Kolmogorov, and K. Pietrzak (2015) Proofs of space. In Annual Cryptology Conference, pp. 585–605. Cited by: §1.1, §6.
  • I. Eyal and E. G. Sirer (2018) Majority is not enough: bitcoin mining is vulnerable. Communications of the ACM 61 (7), pp. 95–102. Cited by: footnote 2.
  • J. Garay, A. Kiayias, and N. Leonardos (2015) The bitcoin backbone protocol: analysis and applications. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 281–310. Cited by: item 3, §2.2, §2.2, §2.
  • Y. Gilad, R. Hemo, S. Micali, G. Vlachos, and N. Zeldovich (2017) Algorand: scaling byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles, pp. 51–68. Cited by: §1.1.
  • A. Kiayias, A. Russell, B. David, and R. Oliynykov (2017) Ouroboros: a provably secure proof-of-stake blockchain protocol. In Annual International Cryptology Conference, pp. 357–388. Cited by: §1.1.
  • S. King and S. Nadal (2012) Ppcoin: peer-to-peer crypto-currency with proof-of-stake. self-published paper, August 19. Cited by: §6.
  • S. King (2013) Primecoin: cryptocurrency with prime number proof-of-work. July 7th. Cited by: §1.1.
  • L. Lamport (1979) Constructing digital signatures from a one-way function. Technical report Technical Report CSL-98, SRI International. Cited by: Definition 1.
  • S. Nakamoto (2008) Bitcoin: a peer-to-peer electronic cash system. Cited by: item 3, §1, §2.1, footnote 2.
  • K. J. O’Dwyer and D. Malone (2014) Bitcoin mining and its energy footprint. Cited by: §1.
  • C. G. Oliver, A. Ricottone, and P. Philippopoulos (2017) Proposal for a fully decentralized blockchain and proof-of-work algorithm for solving np-complete problems. arXiv preprint arXiv:1708.09419. Cited by: §1.1.
  • P. Rogaway and T. Shrimpton (2004) Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In International workshop on fast software encryption, pp. 371–388. Cited by: Definition 1.
  • F. Zhang, I. Eyal, R. Escriva, A. Juels, and R. Van Renesse (2017) REM: resource-efficient mining for blockchains.. IACR Cryptology ePrint Archive 2017, pp. 179. Cited by: Appendix B, §1.1, §1.2, 1st item, §6, footnote 6.
  • W. Zheng, X. Chen, Z. Zheng, X. Luo, and J. Cui (2020) AxeChain: a secure and decentralized blockchain for solving easily-verifiable problems. arXiv preprint arXiv:2003.13999. Cited by: §1.1.

Appendix A Explicit Double Spend Attack when not all instances in are ”Every Case Hard”

An example of a double spend attack against the blockchain system presented in (Ball et al., 2017) where the mining objectives are allowed to be ”hard on average”. An attacker uploads an objective which is easier than the average case. for the sake of this example we will use a SAT problem (where are literals), however an example can be generated for any problem which has an easy\hard instance. Assume that the attacker knows that the first clause is satisfied under any assignment. Therefor the attacker has an extra bit of information compared to anyone else on the problem. This means that the attacker has an extra bit of information in the verification phase for every attempt of any . She simply doesn’t have to check if the first clause is satisfied, while all other users do. This means that the attacker increases her relative computational power, enabling her to double spend without a majority of the computational power.

Appendix B Resource-Efficient Mining is A Special Case of our Solution

In their paper “Resource-Efficient Mining for Blockchains” (Zhang et al., 2017), the authors suggest that miners use special hardware called “Intel SGX”. This hardware can provide secure instructions counting, and therefore provide a proof of the invested computational resources that a miner put into the mining process.

We consider this paper as a special case implementation of our guidelins. As in our protocol, mining a block is independent of problems, which proofs that their system meets the conditions imposed by Claim 2. Their experiments shows the the ”overhead” of their protocol is around which states that Claim 4 is true with . The other claims in our paper hold directly from the design of the secure hardware. Note that they do not have to demand that the mining objectives be preimage resistance functions because the conditions of Theorem 4 do not holds; They build the proofs with the special hardware rather then the output of the mining objectives.

We consider this protocol and ours as two different approaches to implement the idea of REMS that we presented in Section 3. On the one hand, Resource-Efficient Mining enforce specific hardware, thus can solve a wider family of mining objectives and be fully dynamic through the lifetime of the system. On the other hand, our protocol does not demand a specific type of hardware, therefore it increases the accessibility for new miners (lower entrance investment) which increases the security of the network.

Appendix C Security Proofs

This appendix contains proofs to all claims from Section 3.1 and known security definitions.

Definition 0 (Preimage Resistance Function).

A preimage resistance function is a function that is easy to compute, but whose inverse is difficult to compute. More precisely, a preimage resistance function holds the property that for every adversary algorithm that runs in polynomial time in , is negligible. (Lamport, 1979; Rogaway and Shrimpton, 2004)

Claim 0 (1 is optimal).

Let be a secure REMS. Then there does not exist any algorithm that is more efficient than such that is sound. 161616This condition means that is the optimal algorithm for the computational task which mining is based on.


Assume towards a contradiction that there exist which is more efficient than . Assume w.l.o,g that the execution of is more efficient than that of by a factor of Assume that an attacker uses instead of , while all other users use . Then it holds that the portion of block awarded to the attacker in expectation is:

Which is an honest miners’ probability of mining a block. So an attacker increases the speed at which he\she mines a block as compared to the honest network, which is a contradiction to the notion of security defined in 7. ∎

Claim 0 (2).

For any it holds that:

Where is the expected amount of computational power required for Finding a solution that satisfies .


Assume towards a contradiction that there exists a mining protocol which is secure that does not mandate the described property. If there exists some such that solving increases the chances of mining a block dis-proportionally to the relative computational power required to compute , an attacker may choose to focus on solving instead of using , and then run only on the solutions that they discovered for . This way, the attacker is in fact utilizing a more efficient algorithm than for mining a block, in contradiction to Claim 1 where we prove that is optimal. ∎

Appendix D Energy Efficiency Proofs

This appendix contains proofs to all claims from Section 3.2.

Claim 0 (3).

Let be an energy efficient REMS. Then miners must supply proofs of attempting to solve mining objectives from as part of the mining process. Furthermore, the computational difficulty of computing is lower than the difficulty of finding a proof for which evaluates to

To prove Claim 3 we will prove Claims 6, 7 and 8, from which Claim 3 follows.

Claim 6 ().

Let be an energy efficient REMS. Then miners must supply proofs of attempting to solve mining objectives from as part of the mining process.


Assume towards a contradiction that and REMS is an energy efficient in which miners do not need to prove that they attempted to solve the mining objectives from .

We look at the operation of . We divide into cases: If does not perform checks whether for some , then we have that is not energy efficient. therefore we can assume that does perform these evaluations. Since we assumed that the output of does not contain proofs of attempts at solving (evaluating) the individual objectives along the way,we can consider the following algorithm: operates in the same way does, but every time checks whether for some , outputs . This makes faster than , in contradiction to the optimality of which was proved in Claim 1.

We remind the reader that Claim 6 in fact did not require that the REMS be secure, which differentiates it from all other claims in this section.

Claim 7 ().

In an -energy-efficient REMS, the amount of computational resources that goes into computing is at most


Immediate from the definition of energy efficient: Let be the amount of computational resources that goes into computing . From -energy efficiency we have that:


The next claim will expand our definition of soundness to incorporate the new addition of proofs that is necessary to encompass our requirements of energy efficiency. The new addition will be that the probability of defeating will now also have to be negligible in the size of (and not only in the size of and ). Until now, just checked that is indeed the output of , but now we also want that verify will examine the proof .

Claim 8 ().

Let be a secure-energy-efficient REMS. Let be the difficulty of the optimal algorithm for generating such that . Then we have that it must hold that for all .


Assume towards a contradiction that for some . Then an adversary may choose to invest resources into his algorithm, which is inverting since it is easier. But from the energy efficiency, the computational resources that are needed to compute are at least (solving the mining objectives). I.e. The attacker found an algorithm which is more efficient than to produce proofs, contradiction to Claim 1. ∎

From the above three claims we conclude that Claim 3 holds.

Claim 0 (4).

Let be a secure and energy efficient REMS. Then is the optimal algorithm for generating the proof given setup .


The system is energy efficient, therefore compute possible solutions to the mining objectives in and produce proofs.

Assume toward contradiction that there exists more efficient algorithm s.t. that can generate valid proofs. If an adversary has access to then he\she can divert computational power away from solving mining objectives in (since she can generate a proof without trying to solve the mining objectives — unlike the other miners). This means that is not optimal, in contradiction to Claim 1. ∎

Claim 0 (5).

Let be a

secure-energy-efficient REMS. Let then for any

and for all , for any algorithm used to generate proofs it holds that:

Where is the output of .


Assume towards a contradiction that there is some such that knowing the solution to increases the odds of finding to satisfy by more than the relative difficulty of solving . Then an attacker can choose to invest resources in solving , and then in finding such instead of solving all other mining objectives in which contradicts the fact that that is an energy-efficient REMS. ∎

Appendix E Theorems Proofs

Theorem 0 (3 Secure Energy Efficient User Uploaded REMS).

Let be a secure-energy-efficient-user-uploaded REMS.

Therefore for a function to be a legal mining objective, for every it must hold that is known. 171717The difference between this claim and Corollary 1 is that here we also quantify over every , whereas in the corollary we quantify only over ’s


Following the definition of secure-user-uploaded REMS, we will assume that is chosen by a malicious user .

Following Corollary 1, we get that every mining objectives that will choose to put in most have the property that is known. can choose any to be in the mining objective, thus most hold the claimed property. ∎

Theorem 0 (4 Pre-Image Resistance Property).

Let an REMS be secure-energy-efficient-user-uploaded. Assume in addition that the proof generated by at index given input is exactly . Then it holds that the family contains only preimage resistant functions.


We need to show that every such that is pre-image resistant. This means that given for any polynomial time algorithm , and every it holds that is negligible in the size of .

We remember that from claim 6 we have that which is returned by when running on must contain proofs of attempts at checking whether for mining objectives . In addition, from the assumption of this claim we have that given , the proof is exactly .

Assume towards a contradiction that there exists which is not preimage resistant (Definition 1). There exists some polynomial time algorithm which, for a given input can generate ’s such that for some mining objective , is not negligible. This means that is also a polytime algorithm for generating proofs of attempting to solve . This means that is a faster algorithm than for producing the proof , which is a contradiction to the optimality of