Next Article in Journal / Special Issue
Cybersecurity Test Bed for Smart Contracts
Previous Article in Journal / Special Issue
A Decentralized COVID-19 Vaccine Tracking System Using Blockchain Technology
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Models for Generation of Proof Forest in zk-SNARK Based Sidechains

1
Department of Mathematical Methods in Theoretical Physics, Bogolyubov Institute for Theoretical Physics, National Academy of Sciences of Ukraine, 03143 Kiev, Ukraine
2
Input Output, 61022 Kharkiv, Ukraine
3
G. E. Pukhov Institute for Modelling in Energy Engineering, National Academy of Sciences of Ukraine, 03164 Kyiv, Ukraine
4
Department of Information Security, National University “Zaporizhzhia Polytechnic”, 69063 Zaporizhzhia, Ukraine
5
Department of Information Systems and Technologies Security, V. N. Karazin Kharkiv National University, 61022 Kharkiv, Ukraine
6
Horizen Labs, Austin, TX 78701, USA
*
Authors to whom correspondence should be addressed.
Cryptography 2023, 7(1), 14; https://doi.org/10.3390/cryptography7010014
Submission received: 10 December 2022 / Revised: 27 February 2023 / Accepted: 1 March 2023 / Published: 7 March 2023
(This article belongs to the Special Issue Emerging Topics in Blockchain Security and Privacy)

Abstract

:
Sidechains are among the most promising scalability and extended functionality solutions for blockchains. Application of zero knowledge techniques (Latus, Mina) allows for reaching high level security and general throughput, though it brings new challenges on keeping decentralization where significant effort is required for robust computation of zk-proofs. We consider a simultaneous decentralized creation of various zk-proof trees that form proof-trees sequences in sidechains in the model that combines behavior of provers, both deterministic (mutually consistent) or stochastic (independent) and types of proof trees. We define the concept of efficiency of such process, introduce its quantity measure and recommend parameters for tree creation. In deterministic cases, the sequences of published trees are ultimately periodic and ensure the highest possible efficiency (no collisions in proof creation). In stochastic cases, we obtain a universal measure of prover efficiencies given by the explicit formula in one case or calculated by a simulation model in another case. The optimal number of allowed provers’ positions for a step can be set for various sidechain parameters, such as number of provers, number of time steps within one block, etc. Benefits and restrictions for utilization of non-perfect binary proof trees are also explicitly presented.

1. Introduction

Sidechains (SCs) were first proposed in [1] and quickly became a universal and very comfortable tool in blockchain technology, while [1] proposed sidechains with a “classical” proof-of-work (PoW) protocol for usage in Bitcoin blockchain, the next article [2] builds secure proof-of-stake (PoS) sidechains, and articles [3,4] create a special type of sidechain consensus, the Latus protocol, which is secure for both PoW and PoS sidechains. They may be considered as an additional construction bound to blockchain (called mainchain (MC)) with the aim to provide some additional functionalities. SCs should be bound to an MC, as described in mentioned articles, to provide stronger security guarantees using blockchain properties, such as liveness and persistence [5]. Binding means that SCs also should send some information to the MC to guarantee the fairness of transformations in the SC [3].
In Latus, this information contains a series of recursive zk-SNARK-proofs [6,7] to establish decentralized and verifiable cross-chain transfers. Such an approach is similar to the ones proposed in [8] (Mina) and [9] (zkSync Era), but with additional features that allow its secure usage in sidechains. Latus introduces a special dispatching scheme that assigns the generation of proofs randomly to interested parties, who then implement these tasks in parallel and submit generated proofs to the blockchain. An incentive scheme provides a reward for each accepted proof.
There are a variety of purposes to use SCs in different blockchains: for making smart-grid systems scalable and adaptable [10]; for secure data isolation in scalable consortium blockchain architecture based on world-state collaborative storage methods [11]; for secure parallel computation [12]; and for creating an exchange platform that allows the ability to trade tokens issued from different sidechains [13].
SCs may be based on various consensus protocols (such as PoW [14], PoS [15], etc.).
In this paper, we assume that SC uses the Latus protocol [4], which is a hybrid PoS based on Ouroboros Praos [16]. However, as SCs may be based on various consensuses, our main results may be applied for other consensus protocols (such as proof of work, proof of stake, etc.) with similar properties, allowing distributed proof generation and recursive SNARKs.
Following the modern trends in blockchain investigations, we use SNARKs to prove the correct functioning of SCs (detailed survey about different types of SNARKs used in blockchain can be found in [17]). These cause some modifications of the Merkle tree, which we call the “proof tree”.
Distributed proof generation for block creation is the basic feature of Latus consensus. In brief, the procedure of block creation is as follows. A block forger—an entity that creates the block—shares a list of transactions to be included into the block. Then, other entities, called provers, construct SNARK-proofs for these transactions and also for each node of the corresponding proof trees built on these transactions.
Each prover, who creates a SNARK-proof, sets the prices for their proofs, according to the pricing policy of the current epoch. In the case of collisions, when there are several proofs for some node of the binary tree, the block forger chooses the cheapest one. Proofs that were included into the block are paid by the block forger from the corresponding transaction fees.
Our previous papers [18,19,20] considered only issues related to a single block creation. We used probabilistic and game-theoretic approaches to answer the questions on the optimal choice of SC parameters (e.g., a recommended number of transactions per block and a recommended value of incentives chosen). The model in which we obtain our results is very close to realistic with only one simplifying assumption: splitting of the block construction process into a fixed number of similar steps. Such assumption can be justified by the fact that the network synchronization time is essentially smaller than the proof generation time.
In this paper, unlike the previous ones, we consider algorithms related to simultaneous construction of trees by different block forgers. The sequence of such trees forms a linearly ordered forest. When the following block is published, the most left tree is included into it, and the remaining ones are regarded as a buffer for further block generation. The base assumptions used in this paper is almost the same as in the our previous papers, with the following modification: In practice, blockchain’s sequences of transitions are proved using base SNARK for certifying single state transitions (in leaves) and merge SNARK for merging two proofs (in other vertices) ([21], Section 4.1.1). We consider the scheme that replaces each base proof for a transaction by merged proofs for pair of leaves from the new additional level. So, we obtain a mathematically equivalent model where trees are one level higher and a pair of fresh leaves correspond to each transaction; therefore, we obtain more succinct algorithms.
The paper is organized as follows. The necessary basic preliminary results on binary trees are presented in Section 2. For us it is convenient to consider the sets of strict binary trees and of non-strict binary trees as specific realizations of the free magma M = n 0 M 0 with a single generator. In Section 2.2, we introduce agreed monoid structures on infinite sequences of strict binary trees and positive numbers. The background of these constructions is explained in Appendix A. In Section 2.3, we introduce the concept of perfect forest necessary for description of the main algorithm.
Section 3 presents the general scheme for 2 × 2 algorithms corresponding to the prover’s behavior: deterministic (mutually consistent) or stochastic (independent), and shapes of generated trees: strict binary or perfect binary. It works with a potentially infinite sequence of trees t called a buffer. In the external for-loop, the first element is removed from the buffer and published as the following block. Block generation is divided into a fixed number of steps, each of which calls the OneStep() procedure. In all 2 × 2 cases each of suitable subsequent pairs of trees is merged into a single tree. Selection of such suitable pairs, deterministic or stochastic, is the unique difference among 2 × 2 cases (see Table 1). Its result can be encoded as a sequence Λ of trees with the height  1 . After this, the result of OneStep() procedure can be described as a function f : t Λ t , acting on the buffer t via the product defined in Section 2.2. Iteration of f over all steps and then a removal of the first tree from the buffer determines a function F ( t ) describing transformation of the buffer during block generation. In Section 3.1, we consider a reduction of the above scheme, where only the number of leaves of each tree is taken into account. This is sufficient to study the throughput parameters of the blockchain(s). This reduction is possible due to the homomorphism of monoids described in Section 2.2.
In Section 4, we consider the case when behavior is deterministic. We prove that a sequence ( t , F t , F 2 t , ) of buffer states takes a finite number of values and, hence, this sequence and the sequence of published trees are ultimately periodic. In Section 4.1, deterministic generation of strict binary trees is considered. The sequences of buffer states and published blocks are ultimately periodic with a period of length 1. This follows from the fact that transformation of the buffer after each block publishing is a weak contraction with respect to the Hamming distance. Under some natural assumption the height of the tree published over the period is the sum of (the integer part of) the binary logarithm of the number of provers and of the number of steps. An explicit formula for the fixed point is obtained in terms of the product on infinite sequences of binary trees. In Section 4.2, deterministic generation of perfect binary trees is considered. It is observed that the period of the sequence of published trees consists of perfect trees of two heights h max 1 and h max . The total efficiency is independent of shapes of generated trees and can be expressed by an explicit formula and admits natural asymptotics. Explicit results are obtained in the cases of a singe prover of a single step.
In Section 5, we consider the case when behavior is stochastic. In Section 5.1, it is shown that the placement of provers into suitable positions at each stage can be described by the classical occupancy distribution. In the deterministic case, the total number of generated proofs is the product of numbers of published blocks, of steps in a block and of provers. In the stochastic case, we define the total efficiency (respectively the block publishing efficiency) as the total number of generated proofs (respectively the number of proofs embodied in published blocks) divided by the above product. Thus, both efficiencies are numbers in the interval [ 0 , 1 ] . They are convenient to compare the cases of various shapes and various values of integer parameters. The total efficiency is independent of shapes of generated trees and is expressed by an explicit formula and admits natural asymptotics. In Section 5.2, average values of the block publishing efficiency are calculated using a simulation model. We compare two cases when the shape of trees is binary strict or perfect. The maxima of these values as functions of numbers of positions are investigated. In Section 5.3 for generation of strict binary trees in a stochastic case we investigate an analog of the deterministic Formula (22) for heights of trees. Using the least squares method, we find the best approximation of the expected height of generated trees linear on the number of steps and logarithmic on the number of provers.
In Appendix A, we recall the concept of a non-symmetric operad and construction of the corresponding PRO. As the following step, one can obtain a monoid structure of infinite sequences of operations. The non-symmetric magma operad and the non-symmetric semi-group operad as its factor come from corresponding free objects with a single generator. The corresponding monoids of infinite sequences of strict binary trees and its factor-monoid given by taking the number of leaves of each tree are considered in Section 2.2.
In Appendix B, we describe the software implementation of our algorithms and explain how they are used in the main text.

2. Preliminaries: Binary Trees and Forests

2.1. Binary Trees and Free Magmas

Trees, as a part of Graph Theory, are used in mathematics ([22], Chapter 5) and computer science, (see the classical volume [23]). In this subsection, we give some necessary definitions related to various types of binary rooted trees and forests, as there is no precise description convenient for our purposes and there might exist a confusion in terminology.
Rooted trees can be defined either (1) recursively, or as (2) partially ordered sets, or as (3) special types of graphs. All of these points of view are useful in their respective contexts.
A tree is defined as a connected acyclic undirected graph. Choosing a vertex in a tree as a root determines the natural direction for all edges (towards the root). However, usually it is not shown explicitly.
A rooted tree is a directed graph with a distinguished vertex called the root such that there exists a unique path from each vertex to the root. Thus, the set of vertices is equipped with a natural partial order: v w if there exists a path from v to w. In addition, the rooted tree itself becomes the Hasse diagram for this partial order (being drawn root up). If v w is an edge in a directed rooted tree, we say that v is a child of w, and w is a parent of v. A vertex that has no child is called a leaf. Let us denote as ht t the height of the tree t, i.e., the maximal length of the path from a leaf to the root. Thus, leaves are minimal elements, and the root is the greatest element in the corresponding partially ordered set.
Each tree can be embedded in the plane. For a rooted tree all such embeddings are classified by linear orderings for the children of each vertex. Thus, if all such orderings are fixed, we say they are an ordered rooted tree (or a plane rooted tree).
Here, we mainly consider strict binary plane rooted trees (Instead of the term “strict binary tree”, the terms “complete binary trees” and “full binary trees” are also used.), where “strict binary” means that every vertex is either a leaf or has exactly two children (left and right). In this case, for each non-leaf vertex, its left child vertex and its right child vertex are roots of maximal binary subtrees called, respectively, a left child tree and a right child tree.
Notation 1.
Let us denote as n v ( t ) the number of vertices, as n i ( t ) the number of internal vertices and as n ( t ) the number of leaves in a rooted tree t.
In a strict binary tree t these numbers satisfy the identities
n v ( t ) = n i ( t ) + n ( t ) , n ( t ) = n i ( t ) + 1 .
A magma is a set equipped with a binary operation ★ without any additional properties Chapter 1 [23], ([24], 0.2). The free magma M with a single generator ∗ (up to isomorphism) is described recursively as
M : = n = 1 M n
of recursively described subsets:
M 1 : = { } , M n : = m = 1 n 1 { ( x y ) | x M m y M n m } for n > 1 .
Thus, an element of M n + 1 is a bracketing of a string of n + 1 symbols ∗, i.e., the insertion of n left parentheses and n right parentheses defining the order of an n-fold application of the binary operation, e.g., five elements of M 4 are presented in Figure 1a (with the outer brackets removed). Cardinality of M n + 1 is counted by Catalan number C n : = 1 n + 1 2 n n . Various kinds of objects that are counted using Catalan numbers are called Catalan families. The Stanley’s book [25] presents 214 Catalan families including various types of trees.
Strict binary trees are mentioned in Exercise 2.5 [25]. The generator of the free magma of strict binary trees is the zero height tree • whose single vertex is the root. For two binary trees t 1 , t 2 , the binary tree t 1 t 2 is a binary tree with a new root, whose left child tree is t 1 and the right child tree is t 2 . Strict binary trees with four leaves corresponding to elements of M 4 are presented in Figure 1c.
Non-strict binary trees (often in computer science literature just “binary trees”) obtain yet another example of Catalan family Exercise 2.4 [25]. Thus, they can be defined recursively in the same way as strict binary trees, with the only difference that their free magma generator is the empty tree. A non-empty non-strict binary tree can be represented by a plane rooted tree, where each vertex has 0, 1 or 2 children, but with additional structure, every single child must be labeled “left” or “right”. Such trees with three vertices corresponding to elements of M 4 are presented in Figure 1b. Note that a non-strict binary tree is obtained from the corresponding strict binary by removing all its leaves.

2.2. Monoid of Sequences of Strict Binary Trees

Here, we consider composition t t of infinite sequences of strict binary trees given by the gluing of subsequent leaves in t with subsequent roots in t , and composition of infinite sequences of positive integers corresponding to the numbers of leaves in a tree.
First, for a strict binary tree t with n leaves and strict binary trees t 1 , , t n , we define the composition t ( t 1 , , t n ) obtained by gluing together the i-th leaf in t with the root of t i for i = 1 , 2 , n .
This obtains the a non-symmetric operad structure on strict binary trees. Then one can apply the construction from Appendix A to obtain the monoidal structures described below. The details of the Appendix A are not necessary to understand the remainder of the material.
Let T = T strict be a set of sequences ( t i ) i 0 of strict binary trees with only a finite number of non-zero height trees, equipped with a binary operation ( t , t ) t t , where
( t t ) i = t i t n ( t 0 ) + + n ( t i 1 ) , t n ( t 0 ) + + n ( t i 1 ) + 1 , , t n ( t 0 ) + + n ( t i ) 1 ,
i.e., each t i is successively applied in the sense of (A1) to the first not yet used n ( t i ) elements of t .
Let L = L strict be a set of sequences ( i ) i 0 of positive integers with only a finite number of elements > 1 , equipped with a binary operation ( , ) , where
( ) i = 0 + + i 1 + 0 + + i 1 + 1 + + 0 + + i 1 ,
i.e., successively each ( t t ) is the sum of the first not yet used i elements of .
Corollary 1.
The above binary operations turn both T and L into monoids. The units are t ( 0 ) = ( ) i 0 T and ( 0 ) = ( 1 ) i 0 L . The map T L , t i i 0 n ( t i ) i 0 is a morphism of monoids.

2.3. Perfect Binary Trees and Forests

A rooted tree is called perfect (“complete” by some authors) if all leaves are of the same distance to the root (that equals to the height h of the tree).
Notation 2.
For each non-negative integer h, the unique perfect binary tree of height h is denoted as  t h .
The perfect binary tree t h has 2 h leaves; moreover, 2 d vertices are on the distance d from the root (they can be subsequently indexed with 0 j < 2 d , whose binary string representation has length d), and 2 h + 1 1 vertices in total. See Figure 2.
Note that a non-strict binary tree can be obtained from the corresponding strict binary tree by removing all its leaves.
All perfect binary trees are built recursively using magma square:
t 0 = , t h + 1 = t h t h .
Perfect binary trees are most convenient to store a maximal number of leaves (that correspond to transactions).
A forest (respectively plane forest) f is a co-product (disconnected disjoint union) of a family of trees (respectively plane trees) ( t i ) i I . In both cases, the set of components I is unordered.
Let us recall that a subset I P in a poset P is called a down-set (respectively up-set) if, for each x I and y P with y x (respectively y x ), we have y I . Note that a subset I P is a down-set if its complement P \ I is an up-set.
Lemma 1.
For a finite sequence f = ( t i ) 0 i < p of strict binary trees, the following conditions are equivalent:
1.
There exists a bracketing, i.e., an element of the free magma M p , such that, after the corresponding application of p 1 magma operations ★, a perfect binary tree t ( f ) is obtained;
2.
( t i ) 0 i < p is a down-set of some perfect binary tree containing all its leaves with components ordered from left to right;
3.
(a)Each tree t i in the family is perfect,
(b)For each i, n ( t i ) divides j = 0 j = i 1 n ( j ) ;
(c)The total sum j = 0 j = p 1 n ( j ) is an power of 2.
Proof. 
1 2 : For a down-set in the perfect binary tree containing all its leaves, its complement is the non-strict binary tree corresponding to the appropriate bracketing.
1 3 : (a) and (c) are obvious; to prove (b), let t be a subtree of height h in a perfect tree t of height h such that each leaf in t is a leaf in t. Then, there exists a subforest in t that consists of 2 h h perfect trees of height h including t .
3 2 : Split the leaves of f into equal left and right halves. If there is a tree t i in our forest whose leaves are in both halves, then, from 3(c), we conclude that the forest consists of this unique tree. Otherwise, we can represent f = f f r as a co-product of two forests satisfying condition 3, so we suppose t ( f ) = t ( f ) t ( f r ) and repeat the above choice for f and f r .  □
Definition 1.
A finite sequence ( t i ) 0 i < p of binary trees satisfying conditions of the above lemma is called a perfect binary forest.
Figure 3 shows an example of a perfect binary forest and the corresponding perfect binary tree t 4 = ( t 2 ( t 1 ( t 0 t 0 ) ) ) ( t 2 ( ( t 0 t 0 ) t 1 ) ) .
In what follows, we use (potentially) infinite sequences of proof trees ( t i ) i 0 with only a finite number of non-zero height trees as a buffer of proofs.
Definition 2.
An infinite sequences of binary trees ( t i ) i 0 with only a finite number of non-zero height trees is called perfect if some its initial fragment ( t i ) 0 i < p , containing all non-zero height trees, is perfect.
Proposition 1.
A sequence t T is perfect if there exists t T such that t t is a sequence that consists of a single perfect tree followed by zero-height trees.
Definition 3.
A pair ( t i , t i + 1 ) of subsequent trees in a perfect sequence is called a perfect, if the new sequence with the pair ( t i , t i + 1 ) replaced with the product t i t i + 1 remains perfect.
Note that the binary operation between two strict binary trees can be written as t t = ( t , t ) , where ∧ is the strict binary tree of the height 1. Thus, to replace ( t i , t i + 1 ) with the product t i t i + 1 is the same as to take the composition i t in the sense of (2), where i : = ( , , i , , , ) .
According to Lemma 1 a pair ( t i , t i + 1 ) is perfect if n ( t i ) = n ( t i + 1 ) and 2 n ( t i ) divides j = 0 j = i 1 n ( j ) .
Equivalently, suppose that the vertices of the whole perfect tree are labeled as in Figure 2. A pair ( t i , t i + 1 ) of neighboring trees in its down-set is perfect if their roots are labeled by strings ’ w 0 ’ and ’ w 1 ’ respectively for some w { 0 , 1 } * .
Obviously, two different perfect pairs cannot intersect. Thus, perfect pairs in a perfect sequence form an infinite sequence.

3. The General Scheme

A special feature of Algorithm 1 considered in this paper is a simultaneous construction of several trees forming a linear ordered forest, rather than a single tree. Periodically, the leftmost tree is included into the published block, and the remainder are considered as a buffer for further block generation.
Algorithm 1: The general scheme of blocks generation
Cryptography 07 00014 i001
Input parameters are:
  • Dichotomous b behavior regulates behavior of provers, deterministic (mutually consistent) or stochastic (independent);
  • Dichotomous b shape describes the shape of generated trees, only perfect binary trees or arbitrary strict binary trees;
  • n bl is the number of blocks published during the epoch;
  • n st is the number of steps for one block generation;
  • n pr is the number of provers;
  • n pos is the number of positions allocated for proof.
During the work of the algorithm, a potentially infinite sequence of binary trees t = ( t i ) i 0 arises that we call a buffer. It describes the state of the system and is used in the further block generation.
The output is the sequence t © = ( t i © ) 0 i < n bl of binary trees included into published blocks (one tree per block).
The published list is initialized with the empty list t © ( ) . Theoretically, we assume that at the beginning t = ( ) i 0 is a potentially infinite sequence of zero height trees. In practice, we initialize t with an empty list and put zero-height trees there as needed.
Remark 1.
In a specific implementation, instead of two lists of binary trees, one can work with a single list, and an integer pointer p; trees with indexes i < p are considered as published, and trees with indexes i p form a buffer. Block publishing in these terms is just an increment of the pointer p p + 1 .
The external for-loop of Algorithm 1 runs over all n bl blocks in the epoch. The body of this loop consists of the internal for-loop that runs over n st steps in the block and the block publishing directives. The body of the internal loop consists of Procedure OneStep ( b behavior , b shape , n pr , n pos ) .
Procedure OneStep(bbehavior, bshape, npr, npos)
Cryptography 07 00014 i002
This procedure presents the general scheme for 2 × 2 different cases corresponding to combinations of two dichotomous parameters b behavior and b shape . It acts on the buffer: some subsequent pairs of trees ( t k , t k + 1 ) are replaced with their magma product t k t k + 1 , and these pairs essentially depend on dichotomous parameters b behavior and b shape .
In the case “ b behavior is deterministic”, the number of such pairs coincides with the number of provers n pr ; then, for the case that “ b shape is strict”, these pairs are first n pr subsequent pairs of the trees in the buffer: { ( t 0 , t 1 ) , ( t 2 , t 3 ) , ( t 2 n pr 2 , t 2 n pr 1 ) } ; for the case that b shape is perfect, we use first n pr perfect pairs in the buffer. In the case “ b behavior is stochastic”, first n pos subsequent/perfect positions are reserved for the random choice. Each prover independently with equal probability selects one of these positions. For positions selected by at least one prover, the corresponding pair of trees is replaced with its magma product.
For fixed input parameters b behavior , b shape , n st , n pr , n pos , the following functions (deterministic or random) together with their domains and codomains are defined. Let us denote
  • T = T b shape the set of b shape (i.e., strict/perfect) binary trees;
  • T = T b shape the set of sequences t = ( t i ) i 0 of b shape binary trees with finitely many non-zero height trees;
  • t [ ] be the sequence obtained by the shift, i.e., t i [ ] = t i + 1 for i 0 .
    f = f b behavior , b shape , n pr , n pos : T T , t Λ t ,
    F = F b behavior , b shape , n st , n pr , n pos : T T , t f n st ( t ) [ ] ,
    π = π b behavior , b shape , n st , n pr , n pos : T T , t f n st ( t ) 0 .
Here, the function (4) is determined by Procedure OneStep. It can be described as a product (2) with the sequence Λ = Λ b behavior , b shape , n pr , n pos T of trees of height 1 . The internal for-loop of Algorithm 1 means the n st -th iteration of this function. Then, block publishing determines the map (6), and the state of the buffer after each block publishing is changed according to the map (5).
Table 1 shows the whole scheme. This four cases are also implemented in software described in Appendix B.

The Algorithm in Terms of Numbers of Leaves

Let us recall that a perfect tree is completely determined by its height, but there are C n strict binary trees with n + 1 leaves. However, the exact shape of trees is not important for the blockchain(’s) throughput parameters’ study. Thus, we can collect information about the number of leaves (and, therefore, (1) about the number of vertices) and optionally about heights of trees. Thus, instead of the sequence of trees t = ( t i ) i 0 , one can consider the sequence of integers = ( i ) i 0 , where i = n ( t i ) is the number of leaves of the corresponding tree. The initial state is described as ( i = 1 ) i 0 . The magma operation ★ on strict trees corresponds to addition of the numbers of leaves: n ( t i t i + 1 ) = n ( t i ) + n ( t i + 1 ) .
A pair of numbers ( j , j + 1 ) in a perfect sequence ( i ) i 0 is perfect (i.e., corresponds to the perfect pair of trees) if
j = j + 1 and 2 j divides i = 0 j 1 i .
If, moreover, the sequence ( i ) i 0 is non-increasing, the condition (7) takes the equivalent form
j = j + 1 and # { i | 0 i < j i = j } is even .
Let us denote by L = L b shape a set of sequences ( i ) i 0 of positive integers with only a finite number of elements > 1 , in the case that b shape is perfect. For a version of Algorithm 1 in terms of numbers of leaves, one considers the functions corresponding to (4)–(6). We keep the same names for the functions. Different (co)domains avoid ambiguity:
f : L L , λ ,
F : L L , f n st ( ) [ ] ,
π : L Z > 0 , t f n st ( ) 0 ,
where in (9), λ = λ b behavior , b shape , n pr , n pos L is the sequence of 1 or 2.
Functionality of the transition from trees to their numbers of leaves is expressed by the commutative squares
Cryptography 07 00014 i003
Here, n : T L means t i i 0 n ( t i ) i 0 .
Let us define the sequences of sequences (of elements of L ) as
( n , k ) : = f k F n ( 1 ) i 0 , n 0 , 0 k n pr ,
( n ) : = ( n , 0 ) = F n ( 1 ) i 0 , n 0 .
Elements of the double sequence ( n , k ) are naturally linearly ordered, lexicographically on the pairs ( n , k ) . In this sequence,
( n , k + 1 ) = f ( n , k ) , ( n + 1 , 0 ) = ( n , n st ) [ ] .
The length of the sequence = ( i ) i 0 L is defined as follows:
Len : = min j { j 0 | i j : i = 1 } .

4. Deterministic Case

In this section, we consider only the case of Algorithm 1 when b behavior is deterministic. We consider sequences ( n , k ) for an arbitrary n that corresponds to the limiting case n bl of an infinite outer for-loop. One can also consider the infinite sequence ^ of the number of leaves of published trees with elements
n © = π ( n ) , n 0 .
Lemma 2.
In the case, b behavior is deterministic, and the function f : L L preserves a property of a sequence to be non-increasing.
Proof. 
In the case b shape is perfect, take into account (8). □
Corollary 2.
In the case that b behavior is deterministic, the sequences ( n , k ) from (12) are non-increasing for all n 0 and 0 k n pr .
Let us denote as L a set of non-increasing sequences from L .
For a non-increasing sequence L (e.g., for all ( n , k ) when b behavior is deterministic), the Formula (14) can be simplified:
Len = min j { j 0 | j = 1 } .
For L , the sum
N i ( ) : = j ( j 1 )
has only finite non-zero summands and, according to (1), can be interpreted as the total numbers of internal vertices. Independently on b shape , for L , we have the identities
N i ( f ( ) ) = N i ( ) + n pr .
π ( ) 1 + N i ( F ( ) ) = N i ( ) + n st n pr .
Lemma 3.
In the case “ b behavior is deterministic”, for fixed n st , n pr the total number of internal vertices (and, hence, the length and all elements) of all ( n , k ) are bounded together, i.e.,:
sup n , k N i ( ( n , k ) ) < , sup n , k Len ( n , k ) < , sup n , k , j j ( n , k ) < .
Proof. 
In the case “ b shape is strict”, Len ( n , k ) n pr and Len ( n ) < n pr . This follows from the observation that Len 2 n pr implies Len f ( ) n pr .
In the case that “ b shape is perfect”, the number of the same non-zero height trees in the buffer is bounded by n pr + 1 . See (27) for more accurate estimates.
Then, we can estimate from above the total number of internal vertices:
N i ( ( n ) ) C b shape ( 0 ( n ) ) = ( n pr 1 ) ( 0 ( n ) 1 ) , if   b shape is   strict , ( n pr + 1 ) ( 2 0 ( n ) log 2 0 ( n ) 1 ) , if   b shape is   perfect .
In the second case, we use the fact that all j ( n ) are powers of 2. For 0 ( n ) > 1 and n pr > 1 , the function C b shape is monotone increasing and, hence, invertible. Let N i ( ( n ) ) C b shape ( n st n pr + 1 ) . Then, π ( ( n ) ) 0 ( n ) n st n pr + 1 and, by (16), we have N i ( F ( ) ) N i ( ) . Thus, sup n , k N i ( ( n , k ) ) < C b shape ( n st n pr + 1 ) + n st n pr . □
Definition 4.
The sequence x = ( x i ) i Z 1 is called ultimately periodic if there exists r Z 0 and s Z > 0 such that, if i > r , then x i = x i + s . In this case, we write
x = x 0 , , x r preperiod , ( x r + 1 , , x r + s period ) .
The minimal preperiod is the minimal r satisfying the above condition. The minimal period is the minimal s for minimal r satisfying the above condition.
Given a function g : X X and an element x 0 X , the sequence x 0 , g ( x 0 ) , g ( g ( x 0 ) ) , is ultimately periodic, whenever X is finite. Lemma 3 implies that the set ( n ) | n 0 is finite.
Corollary 3.
In the case that " b behavior is deterministic", the sequences ( n ) n 0 of buffer states and © of published trees are ultimately periodic.
Lemma 4.
If ( ( r + 1 ) , , ( r + s ) ) is a period of ( n ) , then
r + 1 © + + r + s © s = s n st n pr .
Proof. 
The identity (17) is the result of the summing of (16) over a period, i.e., for = ( r + 1 ) , , ( r + s ) . □

4.1. Generation of Strict Binary Trees

In this subsection, we consider the case “ b behavior is deterministic” and “ b shape is strict”. In this case, one-step functions (4) and (9) are
t Λ t , Λ = n pr = ( , , n pr , , ) , λ , λ = n pr · 2 = ( 2 , , 2 n pr , 1 , ) .
Lemma 5.
t ( 0 , k ) = ( n pr ) k , t ( n , k ) = ( n pr ) k t ( n ) .
( 0 , k ) = ( n pr · 2 ) k , ( n , k ) = ( n pr · 2 ) k ( n ) .
Let us consider the Hamming distance for , L :
d H ( , ) : = # { i | i i } .
Lemma 6.
In the case that " b behavior is deterministic and b shape is strict", the transformation F is a weak contraction on ( L , d H ) :
d H ( F ( ) , F ( ) ) < d H ( , ) , L .
Corollary 4.
The sequence of buffer states ( n ) n 0 is stabilized at the fixed point of F. Thus, this sequence and the sequence of published blocks are ultimately periodic with a period of length 1. The tree published in the period has n pr n st + 1 leaves.
The following lemma shows that, if n st log 2 ( n pr 1 ) , then the length of pre-period 1 .
Lemma 7.
If n st log 2 ( n pr 1 ) , then
t ( n ) = ( n pr ) n st [ ] , t n © = ( n pr ) n st ( n pr ) n st [ ] 0 , n 1 .
If n st log 2 ( n pr ) , then
( n pr ) n st [ ] = ( n pr ) log 2 n pr [ ] .
Proof. 
In both cases, we use the observation: for t , t T , if n ( t 0 ) Len t , then ( t t ) [ ] = t [ ] . □
Thus, if n st log 2 ( n pr ) , then the period of the sequence of published trees consists of a single tree ( n pr ) n st ( n pr ) log 2 n pr [ ] 0 . According to (17), this is a tree with n st n pr + 1 leaves.
Proposition 2.
For n st log 2 n pr , the height of the tree published in the period is the following
ht ( n pr ) n st ( n pr ) log 2 n pr [ ] 0 = log 2 n pr + n st .
Proof. 
Both parts of (22) equal to ht ( n pr ) n st 0 + ht ( n pr ) log 2 n pr 1 . □
Example 1.
Let n pr = 2 m and n st m ; then, the period of the buffers consists of the single sequence (21) of perfect trees
( 2 m ) m [ ] = ( t m , t m 1 , t m 1 , , t 1 , , t 1 2 m 1 , t 0 ) ) .
Let us consider a semi-infinite matrix, where rows are given by (21) for n pr 1 , and the corresponding matrix, where each tree is replaced by the number of its leaves. Elements ( n ) log 2 n 0 = t log 2 n are removed after the shift. The matrix is lower triangular in the sense that ( n ) log 2 n m = for m n 1 .
Proposition 3.
Let us denote f k , p = p · , ( 2 k p ) · the sequence of trees of length 2 k for 0 p 2 k .
1.
For each m 1 , the following sequence can be presented as the concatenation
( n ) log 2 n m n > m = k = 1 2 k 1 ( m 1 ) t k , t k f k , 1 , t k f k , 2 , , t k f k , 2 k .
2.
For n m 1 ,
( n ) log 2 n m = t k f k , n 2 k m , i f log 2 n m + 1 = log 2 n m = k , t k , i f log 2 n m = log 2 n m + 1 + 1 = k .
Proof. 
For each m 1 , the sequence (23) is the concatenation over all positive integers k of sequences consisting of 2 k 1 ( m 1 ) copies of t k and then compositions t k ( p ) for p from 1 to 2 k . (Note that t k ( 2 k ) = t k + 1 .) The tree t k appears in the positions 2 k 1 ( m + 1 ) n 2 k m , or, equivalently, n m 2 k 2 n m + 1 . The tree t k ( p ) appears in the position 2 k m < n = p + 2 k m 2 k ( m + 1 ) , or, equivalently, n m + 1 2 k < n m . □
Corollary 5.
For each m 1 ,
( n · 2 ) log 2 n m n m = ( 1 , 2 , , 2 m , 3 , , 2 k + 1 1 , 2 k + 1 , , 2 k + 1 2 k ( m 1 ) + 1 , 2 k + 1 + 1 , )
is a sequence of positive integers with inserted additional ( m 1 ) · 2 k copies of 2 k + 1 for each k 0 .

4.2. Generation of Perfect Binary Trees

Let us recall that the perfect tree is completely determined by its height. Thus, in this subsection, we consider the sequences h = ( h i ) i 0 of heights of perfect trees instead of perfect trees itself: t = t h i * i 0 . Buffer states and published trees are characterized by the sequences of heights h ( n , k ) and h © with t i ( n , k ) = t h i ( n , k ) and t i © = t h i © .
According to Lemma 2, at each moment, the sequence of heights of perfect trees in the buffer is non-increasing. By Lemma 3, the heights of trees are bounded by the constant h max , the same for all buffer states.
Let μ h = μ h ( n , k ) be the number of perfect trees in the buffer of positive height h, i.e., the buffer at each step has the form
h ( n , k ) = h max × μ h max , ( h max 1 ) × μ h max 1 , , 1 × μ 1 , 0 × ,
where h i × μ : = h i , , h i μ .
The following Lemma describes these parameters for a fixed number of provers n pr and number of steps n st .
Lemma 8.
At every step,
μ h n pr 1 2 h 1 + 2 , 1 h h max ;
h = 1 h max μ h 2 n pr .
The map f corresponding to one step is given by the formula
μ h ( n , k + 1 ) = 2 μ h ( n , k ) / 2 + μ h 1 ( n , k ) / 2 , i f   h > 1 , n pr h μ h ( n , k ) / 2 , i f   h = 1 .
Here 2 { p / 2 } { 0 , 1 } is the parity of p.
Proof. 
The inequality (26) is proved by induction. Let μ h max = max n , k μ h ( n , k ) . Then μ 1 max 1 + n pr and μ h + 1 max 1 + μ h max 2 n pr 1 2 h + 2 .
The inequality (27) and the formula (28) are proved together. If (27) is satisfied, then the quantity of provers is sufficient to build all possible non-zero height perfect trees and, hence, we obtain (28). Now, suppose that h μ h 2 n pr ; then, at the next step, by (28),
h μ h ( n , k + 1 ) 2 = μ 1 ( n , k ) 2 + n pr 2 1 2 h μ h ( n , k ) 2 + h = 2 h max μ h ( n , k ) 2 + 1 2 μ h 1 ( n , k ) 2 1 2 + n pr 2 1 2 h μ h ( n , k ) 2 + h = 2 h max 1 2 + 1 2 μ h 1 ( n , k ) 2 2 n pr + 1 2 = n pr ,
where the last inequality follows from the fact that the number of non-zero summands in (27) is not greater than n pr . □
Remark 2.
The above lemma allows for constructing an optimized implementation of OneStep() procedure according to formula (28), and then to obtain a (pre-)reduced form of h © according to Definition 5. The remainder of the results in this subsection essentially use this implementation.
Let h © = h © n pr , n st be the sequence of heights of trees in generated blocks. According to Corollary 3, it is ultimately periodic.
Hypothesis 1.
h max = log 2 n st n pr + 1 = min { k Z > 0 | 2 k > n st n pr } .
Moreover, μ h max = 0 after block publishing.
Hypothesis 2.
A period of h © consists of perfect trees of heights h max 1 and h max in some order.
Corollary 6.
Let a (respectively b) be the number of perfect trees of height h max 1 (respectively h max ). Then, the length of the period is
a + b = 2 log 2 n st n pr ν ,
for some ν { 0 , 1 , , ν 2 ( n st n pr + 1 ) } , where ν 2 ( n st n pr + 1 ) is the multiplicity of 2 in prime factorization of n st n pr + 1 , and
a = 2 log 2 n st n pr + 1 ν n st n pr + 1 2 ν , b = n st n pr + 1 2 ν 2 log 2 n st n pr ν .
Remark 3.
The difference h i + 1 © h i © can be arbitrarily large:
h © ( n pr , n st ) = n st , 2 n st , , whenever n pr 2 2 n st 1 + 2 n st 1 .
Definition 5.
The presentation h © = h 1 © , , h r © , ( h r + 1 © , , h r + s © ) of the sequence (of heights) of published trees with the smallest pre-period and period is called the reduced form of h © .
If h ( 1 ) , , h ( r ) , ( h ( r + 1 ) , , h ( r + s ) ) is the presentation of the sequence of buffer states with the smallest pre-period and period, then the corresponding presentation of the sequence (of heights) of published trees h © = h 1 © , , h r © , ( h r + 1 © , , h r + s © ) is called the pre-reduced form of h © .
Remark 4.
The pre-reduced and reduced forms of h © can be different as in the following cases:
h © ( 2 6 + 1 , 1 ) = 1 , 2 , 3 , 4 , 5 , 6 × 31 , ( 6 × 30 , 7 , 6 ) = 1 , 2 , 3 , 4 , 5 , 6 × 30 , ( 6 × 31 , 7 ) ;
h © ( 360 , 1 ) = 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 × 4 , 9 , 8 , ( 8 , 9 , , 9 , 8 2 8 ) = 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 × 4 , 9 , ( 8 × 2 , 9 , , 9 2 8 ) ;
h © ( 361 , 1 ) = 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 × 4 , 9 , 8 × 2 , ( 9 , 8 , , 9 , 8 2 2 7 ) = 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 × 4 , 9 , ( 8 × 2 , 9 , 8 , , 9 2 7 ) .
Hypothesis 3.
The pre-period of the reduced form of h © is a non-decreasing sequence.
Remark 5.
The above hypothesis is not true for the pre-reduced form of h © as we can see in (29) and (30).

4.2.1. The Case of a Single Prover n pr = 1

In the case of a single prover Conjectures 1 and 2 are obvious, moreover explicit description is obtained.
Proposition 4.
Let 2 h k + 1 2 h + 1 . In the case of a single prover n pr = 1 , the sequence h © = h © ( 1 , k ) can be determined recursively together with an auxiliary sequence g that calculates the number of generated proofs in the buffer
g 0 = 0 , h n © = log 2 ( g n + k + 1 ) = h , i f g n + k < 2 h + 1 1 , h + 1 , o t h e r w i s e , g n + 1 = g n + k 2 h n © + 1 .
Corollary 7.
In the case of a single prover n pr = 1 , the sequence h © ( 1 , k ) is periodic.
Let k , k [ 2 h 1 , 2 h + 1 1 ] and k + k = 2 h + 1 + 2 h 2 . Then, the periods of reduced forms of h © ( 1 , k ) and h © ( 1 , k ) are obtained each from the other with order reversing and replacement h h + 1 .
Proof. 
The sequence of the buffer state is periodic because at each step the increment of the number of generated proofs in the buffer is constant k by module 2 h 1 .
If ( q 0 , q 1 , , q s 1 ) is the period of the sequence of the number of generated proofs in the buffer for k steps, then ( 2 h q s 1 , , 2 h q 1 , 2 h q 0 ) is the period of the sequence of the number of generated proofs in the buffer for k = 2 h + 1 + 2 h 2 k steps. Equation (31) for the first data implies the same equations for the second data. □
Example 2.
The cases of n pr = 1 and n st are closed to 2 h 1 . The following presentations are special cases (31):
  • k 1 = 2 h 1 , k 2 = 2 h + 1 1
    h © ( 1 , 2 h 1 ) = ( h ) , h © ( 1 , 2 h + 1 1 ) = ( h + 1 ) .
  • k 1 = 2 h , k 2 = 2 h + 1 2
    h © ( 1 , 2 h ) = ( h × ( 2 h 1 ) , h + 1 ) , h © ( 1 , 2 h + 1 2 ) = ( h , ( h + 1 ) × ( 2 h 1 ) ) .
  • k 1 = 2 h + 1 , k 2 = 2 h + 1 3
    h © ( 1 , 2 h ) + 1 = ( h × ( 2 h 1 1 ) , h + 1 ) , h © ( 1 , 2 h + 1 3 ) = ( h , ( h + 1 ) × ( 2 h 1 1 ) ) .
  • k 1 = 2 h + 2 , k 2 = 2 h + 1 4 , if h = 3 , 5 , 7 ,
    h © ( 1 , 2 h + 2 ) = h × 2 h 2 3 , h + 1 , h × 2 h 2 3 , h + 1 , h × 2 h 5 3 , h + 1 , h © ( 1 , 2 h + 1 4 ) = h , ( h + 1 ) × 2 h 5 3 , h , ( h + 1 ) × 2 h 2 3 , h , ( h + 1 ) × 2 h 2 3 ,
    if h = 4 , 6 , 8 ,
    h © ( 1 , 2 h + 2 ) = h × 2 h 1 3 , h + 1 , h × 2 h 4 3 , h + 1 , h × 2 h 4 3 , h + 1 , h © ( 1 , 2 h + 1 4 ) = h , ( h + 1 ) × 2 h 4 3 , h , ( h + 1 ) × 2 h 4 3 , h , ( h + 1 ) × 2 h 1 3 .

4.2.2. The Case of a Single Step n st = 1

Hypothesis 4.
Let k 1 , k 2 [ 2 h 1 , 2 h + 1 1 ] and k 1 + k 2 = 2 h + 1 + 2 h 2 . Then the periods of reduced forms of h © ( k 1 , 1 ) and h © ( k 2 , 1 ) are obtained each from the other by order reversing and replacement h h + 1 .
Example 3.
The cases of n st = 1 and n pr closed to 2 h 1 agree with the above hypothesis:
  • k 1 = 2 h 1 , k 2 = 2 h + 1 1
    h © ( 2 h 1 , 1 ) = 1 , 2 , , h 1 , ( h ) , h © ( 2 h + 1 1 , 1 ) = 1 , 2 , , h , ( h + 1 ) ;
  • k 1 = 2 h , k 2 = 2 h + 1 2
    h © ( 2 h , 1 ) = 1 , 2 , , h 1 , h × ( 2 h h ) , ( h × ( 2 h 1 ) , h + 1 ) ,
    h © ( 2 × ( h + 1 ) 2 , 1 ) = 1 , 2 , , h , ( h , ( h + 1 ) × ( 2 h 1 ) ) ;
  • k 1 = 2 h , k 2 = 2 h + 1 2 , h 3
    h © ( 2 h + 1 , 1 ) = 1 , 2 , , h 1 , h × 2 h 1 h 1 2 , ( h × ( 2 h 1 1 ) , h + 1 ) ,
    h © ( 2 h + 1 3 , 1 ) = 1 , 2 , , h , ( h , ( h + 1 ) × ( 2 h 1 1 ) ) .

5. Stochastic Case

In this section, we consider the result of Algorithm 1 only in the case of “ b behavior is stochastic”.

5.1. Occupancy Distribution: Efficiency

Placement of provers into suitable positions at each stage can be described by the classical occupancy distribution. See [26], the more recent [27] and references therein. Another closely related model is a coupon collector problem.
Thus, we have n pr 1 provers placed independently and with equal probability into n pos 1 positions. In terms of urn models [26], provers and positions correspond to balls and bins, respectively. Let us denote ξ n pr n pos a random number of non-empty positions. It takes integer values i from 1 to min { n pr , n pos } with probabilities
Pr { ξ n pr n pos = i } = n pos n pr n pos i i ! n pr i = n pos n pr ( n pos ) i n pr i .
Here, we use the following notations:
Notation 3.
  • n m is the Stirling number of the second kind, i.e., the number of factorizations of an n-element set to an m-element factor-set;
  • ( n ) k = n ( n 1 ) ( n k + 1 ) is the falling factorial.
Mean and variance of the occupancy distribution (e.g., Theorem 2A [27]) are obtained as the special cases of expected values of falling factorials Theorem 1A [27]:
E n pos ξ n pr n pos r = n pos r E r , E r = 1 r / n pos n pr , 0 r < n pos ; E ξ n pr n pos = n pos ( 1 E 1 ) , Var ξ n pr n pos = n pos ( n pos 1 ) E 2 + E 1 n pos E 1 2 .
Let N t : = Len denote the total number of generated trees, N and N int , respectively, the numbers of leaves and internal vertices in these trees. Similarly let N t © = n bl be the number of published trees, N © and N int © , respectively, the number of leaves and internal vertices in these trees.
Note that, according to (1),
N = N int + N t , N © = N int © + n bl .
Moreover, as a random variable,
N int = n bl n st ξ n pr n pos .
Throughput of our system can be naturally measured by the number of processed transactions, i.e., be the number of leaves N and N © . On the other hand, the useful work of provers is given by the number of internal vertices N int and N int © . According to (32), if n st n pr 1 , then N int / N 1 and N int © / N © 1 .
Note that in the cases that “ b behavior is deterministic”, N int = n bl n st n pr . We use this to define the “normalized” values:
  • proof generation efficiency
    Ef ( n pr , n pos ) : = E N int n bl n st n pr = E ξ n pr n pos n pr = n pos n pr 1 1 1 / n pos n pr ,
  • proof publishing efficiency
    Ef © ( n bl , n st , n pr , n pos ) : = E N int © n bl n st n pr .
Note that
0 < Ef © Ef 1 .
There are two limit cases:
lim n pos Ef ( n pr , n pos ) = 1 , lim n pr n pos n pr / n pos γ Ef ( n pr , n pos ) = 1 e γ γ .

5.2. Simulation Model for Block Publishing Efficiencies

In both cases that “ b shape is strict” and “ b shape is perfect”, Ef © is an increasing function of n bl . In the cases that “ b shape is strict”, the lengths of buffers h ( n ) are not greater then n pos 1 . This implies convergence in the following proposition.
Proposition 5.
In the case that “ b shape is strict”, Ef © Ef whenever n bl .
Hypothesis 5.
In the case that “ b shape is perfect”, Ef © Ef whenever n bl .
We try to illustrate the above convergences in Figure 4. As we can see, in the case that “ b shape is strict”, Ef © tends quickly to Ef. On the contrary, in the case that “ b shape is perfect”, the convergence is very slow. Note that the limit value is Ef | n pr = n pos = 5 = 0.67232 , and some values close to asymptote are Ef © | n bl = 1000 = 0.6359 , Ef © | n bl = 2000 = 0.6451 , Ef © | n bl = 3000 = 0.6497 , Ef © | n bl = 5000 = 0.6541 .
In practice, it is important to select a right value of n pos when other parameters are fixed. In Figure 5, dependencies of Ef and Ef © (for both cases “ b shape is strict” and binary and “ b shape is perfect”) on the number of positions are shown in the case when n bl = 100 , n st = 10 , n pr = 10 . Values for efficiencies are average over 300 random calculations.
In Table 2, for the case “ b shape is perfect” and in Table 3 for the case “ b shape is strict”, the arguments of maxima and the corresponding maximal values of blocks publishing efficiency Ef © are given, as functions of the number of positions n pos for n bl = 200 and various values of n st and n pr .

5.3. Simulation Model for Heights of Strict Binary Trees

Here, we consider an analog of the formula (22) for average heights h of published strict binary trees in the case when “ b behavior is stochastic”. We consider a linear approximation
h ( n st , n pr ) α n st + β log 2 n pr + γ .
Optimal parameters α , β , γ are obtained by means of the least squares method. For a fixed positive integer m, we consider all pairs of integers ( n st , log 2 n pr ) = ( i , j ) satisfying 1 j i m . Thus, the problem is to minimize the square of the error vector
r = i = 1 m j = 1 i α i + β j + γ h ( i , 2 j ) 2 .
The critical point ( α , β , γ ) is the solution of the system of linear equations
r α = 0 r β = 0 r γ = 0 i = 1 m j = 1 i i j 1 i j 1 α β γ h ( i , 2 j ) = 0 .
The inverse matrix for this system is:
i = 1 m j = 1 i i j 1 i j 1 1 = 6 ( m + 2 ) 4 8 4 4 m 4 8 4 4 m 4 3 m 2 + 3 m + 2 .
It can be calculated using Wolfram Mathematica. Enthusiasts can verify this using formulas for sums k = 1 n k ( p ) = 1 p + 1 n ( p + 1 ) of rising factorial powers for k ( p ) = k ( k + 1 ) ( k + p 1 ) or the Faulhaber’s formulas for generalized harmonic numbers H n , p : = k = 1 n k p .
The results of numerical experiments (coefficients for linear approximation and the standard deviation) are presented in Table 4.
For the case m = 8 , the graphical presentation of average values h ( i , 2 j ) and their linear approximation are given in Figure 6.

6. Discussion

Latus consensus, proposed in [3,4], provides secure and stable sidechain operation, even under the complete distrust assumption in sidechains, and even when all participants in the sidechain consensus are malicious. We assume that the adversary in the sidechain may try to sensor the transactions of other participants inside the SC, or from the MC to the SC, or try to steal tokens in the SC, hide the state of the SC, or stop block production in the SC, but these actions must not be successful. For reliable operation under such assumptions, Latus consensus needs uninterruptible zk-SNARK-proof generation, which, in turn, demands essential computational power and cannot be performed by a single regular participant with commodity hardware. Projects Coda [8] or Polygon [28] implicitly involve a semi-trusted participant with powerful computational capabilities (such as cloud computation) to solve this task on time, but this approach may lead to a single failure point. To eliminate this problem we propose a new approach for efficient decentralization proof generation. According to our approach, decentralized generation is applied not only to blocks in the whole epoch but even to each block. Thus, proofs are generated with the involvement of a large number of independent participants, which are called provers. This provides a decentralization of the zk-SNARK sidechain operation in secure and reliable way.
In this article, we introduced the properties of this process as proof generation efficiency Ef and proof publishing efficiency Ef © , which are investigated in Section 5.1.
For the generation of a single block considered in [18], the block forger initially selects the number of levels of a perfect binary tree that will be included into a block. In [18] (Table 1), we find what number of provers is needed to build the perfect binary tree with = 4 , 5 , 6 , 7 , 8 , 9 levels during n st = 9 steps with probability 0.95 . In this limit case, the role of the efficiency garnered from this article results in the ratio of the number of useful proofs, which is the number of internal vertices n i ( t ) in the built tree to the total number of proofs n st n pr produced by all provers during the block publishing process
Ef 1 n i ( t ) n st n pr = 2 1 1 9 n pr .
In Table 5, we compare the values of Ef 1 from (37) with the efficiencies Ef © obtained by the emulation procedure when b shape is perfect in three cases: n bl = 10 , n bl = 100 and n bl = n pr , and when b shape is strict and n bl = 10 (denoted Ef perfect © and Ef strict © , respectively). The value of Ef calculated from (34) is the limit for both Ef perfect © and Ef strict © at n bl .
So, one can see Ef © / Ef 1 3 as the average. In the top half of Table 5, the values of Ef © are closed to the best possible limit Ef. At the bottom, when the number of provers becomes extreme, Ef perfect © still obtains an increment with respect to Ef 1 ; however, both values are too small. The convergence Ef perfect © Ef is slow and a very big buffer size is required in this situation. However, Ef strict © remains closed to Ef.

7. Conclusions

We investigated characteristics of blocks and characteristics of a SC in a whole under various parameters of a SC, such as the number of blocks in an epoch, number of provers, number of available transactions, time of block creation, etc. We obtained theoretical results for a model with additional restrictions on provers’ behavior and various experimental results for an extended model without such restrictions. These results are helpful when determining the parameters of a sidechain, such as epoch length, block creation time, proof incentives, etc. We show that in deterministic cases the sequences of published trees are ultimately periodic and ensure the highest possible efficiency of the proof creation process, because in this case there are no collisions in proof creation.
In stochastic cases, we obtain a universal measure of prover efficiencies taking values in the interval [0,1] and given by the explicit formula in one case, calculated by simulation models in other cases.
In the sense of efficiency defined, the optimal number of allowed prover positions for a step can be proposed for various sidechain parameters, such as number of provers, number of steps in a block, and so on. We also considered non-perfect binary tree utilization in a blockchain, and described benefits and restrictions for such trees’ use. It turns out that we can achieve large efficiency using these very trees.
Our algorithm for the strict binary trees gives the following differences (compared with the case of perfect binary trees):
  • The buffer size is smaller;
  • Block publishing efficiency is higher;
  • The average height of the generated perfect binary trees is proportional to log n st n pr = log n st + log n pr . The average height of the generated strict binary trees has a similar linear dependence on the logarithm of the number of provers log n pr , but a different linear dependence to the number of steps n st (not log n st ). So, we can consider the case of strict binary trees practically interesting only if the number of steps n st is small.
All results from [18,19,20] and the present paper are related and, put together, give a comprehensive description of SC behavior under our chosen parameters, allowing us to find the optimal sets of parameters that help to optimize functioning, in particular increasing throughput.
One of the most interesting results in this article shows that, under the condition of quick synchronization among block forgers, the throughput increases up to three times in practical settings and can be increased even more for extreme settings cases.
One topic of future research is the investigation of the efficiency of Verkle tree [29] and Curve tree structures [30], which can be used for creating proof trees instead of using different variants of Merkle trees.

Author Contributions

Conceptualization, R.O.; Software, H.N.; Validation, R.V.; Formal analysis, Y.B. and L.K. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported in part by the National Research Foundation of Ukraine under Grant 2020.01/0351.

Data Availability Statement

Presented data was generated using the program with its source code available at https://github.com/annanelasa/ProofStream (accessed on 9 December 2022).

Acknowledgments

We would like to thank Alberto Garoffolo for the fruitful discussion and comments.

Conflicts of Interest

The authors declare that they have no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
zk-SNARKZero-Knowledge Succinct Non-Interactive Argument of Knowledge
SCSidechain
MCMainchain
PoWProof of work
PoSProof of stake
iffif and only if
PROproduct category

Appendix A. Monoid from Operad

Here we describe two constructions of the monoidal category from a plain operad and the monoid from the monoidal category. Necessary knowledge about category theory and about operads can be obtained in [31,32,33,34,35], respectively, while [36] serves as a begining introduction to both subjects. The monoids from Section 2.2 are results of these constructions applied to the magma and monoid operads.
Let us recall the direct definition a non-symmetric set operad.
Definition A1.
A non-symmetric operad is a sequence ( P ( n ) ) n 1 of sets, whose elements are called n-ary operations, equipped with
  • for all positive integers n , m 1 , , m n , a composition function
    γ n ; m 1 , , m n : P ( n ) × P ( m 1 ) × × P ( m n ) P ( m 1 + + m n ) ( θ , θ 1 , , θ n ) θ ( θ 1 , , θ n ) ,
  • an element 1 P ( 1 ) called the identity,
satisfying the following coherence axioms, associativity and identity:
θ ( θ 1 ( θ 1 , 1 , , θ 1 , m 1 ) , , θ n ( θ n , 1 , , θ n , m n ) ) = ( θ ( θ 1 , , θ n ) ) ( θ 1 , 1 , , θ 1 , m 1 , , θ n , 1 , , θ n , m n ) ,
θ ( 1 , , 1 ) = θ = 1 θ .
A morphism of non-symmetric operads P P is a family of maps g n : P ( n ) P ( n ) n 1 compatible with compositions and units:
g m 1 + + m n γ n ; m 1 , , m n = γ n ; m 1 , , m n ( g n × g m 1 × × g m n ) , n , m 1 , , m n Z > 0 , g 1 ( 1 ) = 1 .
Example A1.
The components of a free magma with a single generator forms a non-symmetric magma operad ( M n ) n 1 . If elements of M n are interpreted as strict binary trees with n leaves, the composition t ( t 1 , , t n ) is obtained by gluing together of i-th leaf in t with the root of t i for i = 1 , 2 , n , and the unit is zero height tree •.
The free semi-group with a single generator can be identified with the additive semigroup of positive integers ( Z > 0 , + ) . The non-symmetric semi-group operad has the single n-ary operation ( m 1 , , m n ) m 1 + + m n for each n > 0 .
The map t n ( t ) (number of leaves of strict binary tree) is the unique morphism between the magma operad and the semi-group operad.
Given a non-symmetric operad P, there exists a general functorial construction P P ^ of the corresponding PRO. P ^ is a category whose objects are non-negative integers, morphisms are finite lists of operations:
m 1 + + m n ( θ 1 , , θ n ) n , θ i P ( m i ) , 1 i n
and for θ i P ( m i ) , 1 i n , the composition in P ^ is expressed via the operadic composition:
( θ 1 , , θ n ) ( θ 1 , 1 , , θ 1 , m 1 , , θ n , 1 , , θ n , m n ) : = θ 1 ( θ 1 , 1 , , θ 1 , m 1 ) , , θ n ( θ n , 1 , , θ n , m n ) .
The category P ^ is equipped with a strict monoidal structure ( , 0 ) given by addition of objects and by concatenation of a list on morphisms:
m ( θ 1 , , θ n ) n m ( θ 1 , , θ n ) n : = m + m ( θ 1 , , θ n , θ 1 , , θ n ) n + n .
Let us consider the pushout (i.e., the colimit) of the diagram of sets and functions:
Mor P ^ Id Mor P ^ 1 Mor P ^ ,
involving the set Mor P ^ of all morphisms in P ^ . This is the factor-set Mor P ^ / by the transitive relation ∼ obtained by identifications ( θ 1 , , θ n ) ( θ 1 , , θ n , 1 ) for each morphism ( θ 1 , , θ n ) in P ^ . Moreover, this factor-set can be naturally identified with a set of infinite sequences ( θ i ) i 0 with only finite number θ i 1 .
One can turn this set into a monoid. The composition of sequences θ and θ with θ i P ( m i ) is described as
( θ θ ) i = θ i ( θ j ) M i 1 j < M i , M i = j = 0 i m j .
The unit for this composition is the constant sequence ( 1 ) i 0 .
The natural projection π : Mor P ^ Mor P ^ / is a functor with an additional property: π ( θ 1 ) = π ( θ ) .

Appendix B. Software Implementation

The software is implemented in C as a console application based on a single class with static procedures. Due to the peculiarities found during the studies, it turned out to be convenient to implement 2 × 2 cases as separate procedures DP(), DS(), SP(), SS(), where the first (respectively second) letter in the name corresponds to the case when b behaviour is D[eterministic] or S[tochastic] (respectively b shape is P[erfect] or S[trict]). In addition, we have procedures SPP(), SSP() which repeat simulations and with additional external loop over the number of positions. The Main() procedure calls one of the above 6 procedures depending on the input parameters, which corresponds to command lines “>ProofStream …” with the following 4, 5, 6 or 8 parameters.
Two cases when b behaviour is deterministic:
  • >ProofStream 1 0 n bl n st n pr
    In the case b shape is strict is the most simple. The corresponding calculations helped to formulate the results from Section 4.1 which all then was proved.
  • >ProofStream 1 1 n st n pr
    In the case b shape is perfect the output is the complete description of ultimately periodic sequences of buffer states and heights of published trees for special values of number of steps n st and number of provers n pr . Hypothesis 1–4 are based on numerous computation.
Two cases when b behaviour is stochastic require the additional parameter: the number of positions n pos . They use a pseudo-random number generator with seeds obtained from cryptographic RNG.
  • >ProofStream 0 0 n bl n st n pr n pos
  • >ProofStream 0 1 n bl n st n pr n pos
Graphs in Figure 4, Figure 5 and Figure 6 were obtained using Wolfram Mathematica. A part of data to plot as well as some result in Table 2, Table 3 and Table 4 are results of running loop over different parameter. In particular, the loop for(int n pos = min ; n pos < max ; n pos + = increment ){…} is called by the command lines:
  • >ProofStream 0 0 n simulations n bl n st n pr min max increment
  • >ProofStream 0 1 n simulations n bl n st n pr min max increment
The initial C code with a brief description and some calculation examples is available at the annanelasa/ProofStream repo on GitHub.

References

  1. Back, A.; Corallo, M.; Dashjr, L.; Friedenbach, M.; Maxwell, G.; Miller, A.; Poelstra, A.; Timón, J.; Wuille, P. Enabling Blockchain Innovations with Pegged Sidechains. 2014. Available online: https://blockstream.com/sidechains.pdf (accessed on 27 February 2023).
  2. Gaži, P.; Kiayias, A.; Zindros, D. Proof-of-work sidechains. In Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 19–23 May 2019; pp. 139–156. [Google Scholar] [CrossRef] [Green Version]
  3. Garoffolo, A.; Kaidalov, D.; Oliynykov, R. Zendoo: A zk-SNARK Verifiable Cross-Chain Transfer Protocol Enabling Decoupled and Decentralized Sidechains. In Proceedings of the 2020 IEEE 40th International Conference on Distributed Computing Systems (ICDCS), Singapore, 29 November–1 December 2020; pp. 1257–1262. [Google Scholar] [CrossRef]
  4. Garoffolo, A.; Viglione, R. Sidechains: Decoupled Consensus Between Chains. arXiv 2018, arXiv:1812.05441. [Google Scholar] [CrossRef]
  5. Garay, J.; Kiayias, A.; Leonardos, N. The bitcoin backbone protocol: Analysis and applications. In Advances in Cryptology—EUROCRYPT 2015, Part II; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9057, pp. 281–310. [Google Scholar] [CrossRef]
  6. Ben-Sasson, E.; Chiesa, A.; Tromer, E.; Virza, M. Succinct Non-Interactive Zero Knowledge for a von Neumann architecture. In Proceedings of the 2014 23rd USENIX Conference on Security Symposium—SEC’14, San Diego, CA, USA, 20–22 August 2014; pp. 781–796. Available online: https://dl.acm.org/doi/abs/10.5555/2671225.2671275 (accessed on 27 February 2023).
  7. Bowe, S.; Gabizon, A. Making Groth’s zk-SNARK Simulation Extractable in the Random Oracle Model. 2018. Available online: https://ia.cr/2018/187 (accessed on 27 February 2023).
  8. Bonneau, J.; Meckler, I.; Rao, V.; Shapiro, E. Coda: Decentralized Cryptocurrency at Scale. Cryptology ePrint Archive, Report 2020/352. 2020. Available online: https://ia.cr/2020/352 (accessed on 27 February 2023).
  9. Matter Labs. zkSync Era Basics. 2023. Available online: https://era.zksync.io/docs/dev/fundamentals/zkSync.html (accessed on 27 February 2023).
  10. Ochôa, I.S.; Silva, L.A.; de Mello, G.; Garcia, N.M.; de Paz Santana, J.F.; Leithardt, V.R.Q. A Cost Analysis of Implementing a Blockchain Architecture in a Smart Grid Scenario Using Sidechains. Sensors 2020, 20, 843. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  11. Zhou, J.; Wang, N.; Liu, A.; Wang, W.; Du, X. CBCS: A Scalable Consortium Blockchain Architecture Based on World State Collaborative Storage. Electronics 2023, 12, 735. [Google Scholar] [CrossRef]
  12. Lee, N.Y. Hierarchical Multi-Blockchain System for Parallel Computation in Cryptocurrency Transfers and Smart Contracts. Appl. Sci. 2021, 11, 10173. [Google Scholar] [CrossRef]
  13. Garoffolo, A.; Kaidalov, D.; Oliynykov, R. Trustless Cross-chain Communication for Zendoo Sidechains. Cryptology ePrint Archive, Report 2022/1179. 2022. Available online: https://ia.cr/2022/1179 (accessed on 27 February 2023).
  14. Kiayias, A.; Zindros, D. Proof-of-Work Sidechains. Cryptology ePrint Archive, Report 2018/1048. 2018. Available online: https://ia.cr/2018/1048 (accessed on 27 February 2023).
  15. Gaži, P.; Kiayias, A.; Zindros, D. Proof-of-Stake Sidechains. Cryptology ePrint Archive, Report 2018/1239. 2018. Available online: https://ia.cr/2018/1239 (accessed on 27 February 2023).
  16. Kiayias, A.; Russell, A.; David, B.; Oliynykov, R. Ouroboros: A provably secure proof-of-stake blockchain protocol. In CRYPTO 2017, Part I; Lecture Notes in Computer Science; Springer: Heidelberg, Germany, 2017; Volume 10401, pp. 357–388. [Google Scholar] [CrossRef]
  17. Eagen, L. μCash: Transparent Anonymous Transactions. Cryptology ePrint Archive, Report 2022/1104. 2022. Available online: https://ia.cr/2022/1104 (accessed on 27 February 2023).
  18. Bespalov, Y.; Garoffolo, A.; Kovalchuk, L.; Nelasa, H.; Oliynykov, R. Probability Models of Distributed Proof Generation for zk-SNARK-Based Blockchains. Mathematics 2021, 9, 3016. [Google Scholar] [CrossRef]
  19. Bespalov, Y.; Garoffolo, A.; Kovalchuk, L.; Nelasa, H.; Oliynykov, R. Game-Theoretic View on Decentralized Proof Generation in zk-SNARK Based Sidechains. In CEUR Workshop Proceedings, Cybersecurity Providing in Information and Telecommunication Systems (CPITS 2021), Kyiv, Ukraine, 28 January 2021; RWTH Aachen University: Aachen, Germany, 2021; Volume 2923, pp. 47–59. Available online: http://ceur-ws.org/Vol-2923/ (accessed on 27 February 2023).
  20. Bespalov, Y.; Kovalchuk, L.; Nelasa, H.; Oliynykov, R.; Garoffolo, A. Game theory analysis of incentive distribution for prompt generation of the proof tree in zk-SNARK based sidechains. In Proceedings of the 2022 IEEE International Carnahan Conference on Security Technology (ICCST), Valec u Hrotovic, Czech Republic, 7–9 September 2022; pp. 1–7. [Google Scholar] [CrossRef]
  21. Bonneau, J.; Meckler, I.; Rao, V.; Shapiro, E. Mina: Decentralized Cryptocurrency at Scale. 2020. Available online: https://minaprotocol.com/wp-content/uploads/technicalWhitepaper.pdf (accessed on 27 February 2023).
  22. Cioabă, S.M.; Murty, M.R. A First Course in Graph Theory and Combinatorics; Texts and Readings in Mathematics 55; Cambridge University Press: Cambridge, UK, 2022. [Google Scholar] [CrossRef]
  23. Bourbaki, N. Algebra I. Chapters 1–3; Springer: Berlin/Heidelberg, Germany, 1998. [Google Scholar]
  24. Reutenauer, C. Free Lie Algebras; London Mathematical Society Monographs New Series 7; Clarendon Press; Oxford University Press: Oxford, UK, 1993. [Google Scholar]
  25. Stanley, R.P. Catalan Numbers; Cambridge University Press: Cambridge, UK, 2015. [Google Scholar] [CrossRef]
  26. Johnson, N.L.; Kotz, S. Urn Models and Their Applications; John Wiley and Sons: New York, NY, USA, 1977. [Google Scholar]
  27. O’Neill, B. The Classical Occupancy Distribution: Computation and Approximation. Am. Stat. 2021, 75, 364–375. [Google Scholar] [CrossRef]
  28. Kanani, J.; Nailwal, S.; Arjun, A. Matic Whitepaper. 2020. Available online: https://github.com/maticnetwork/whitepaper (accessed on 27 February 2023).
  29. Kuszmaul, J. Verkle Trees. In Proceedings of the Eighth Annual PRIMES Conference, 19–20 May 2018; Available online: https://math.mit.edu/research/highschool/primes/materials/2018/Kuszmaul.pdf (accessed on 27 February 2023).
  30. Campanelli, M.; Hall-Andersen, M.; Kamp, S.H. Curve Trees: Practical and Transparent Zero-Knowledge Accumulators. Cryptology ePrint Archive, Report 2022/756. 2022. Available online: https://ia.cr/2022/756 (accessed on 27 February 2023).
  31. Mac Lane, S. Categories for the Working Mathematician, 2nd ed.; Graduate Texts in Mathematics 5; Springer: Berlin/Heidelberg, Germany, 1998. [Google Scholar]
  32. Awodey, S. Category Theory, 2nd ed.; Oxforg Logic Guides 52; Oxford University Press: Oxford, UK, 2010. [Google Scholar]
  33. Leinster, T. Basic Category Theory; Cambridge Studies in Advanced Mathematics 143; Cambridge University Press: Cambridge, UK, 2014. [Google Scholar]
  34. Markl, M.; Shnider, S.; Stasheff, J.D. Operads in Algebra, Topology and Physics; Mathematical Surveys and Monographs 96; AMS: Providence, RI, USA, 2002. [Google Scholar] [CrossRef] [Green Version]
  35. Méndez, M.A. Set Operads in Combinatorics and Computer Science; SpringerBriefs in Mathematics; Springer: Berlin/Heidelberg, Germany, 2015. [Google Scholar] [CrossRef]
  36. Spivak, D.I. Category Theory for the Sciences; MIT Press: Cambridge, MA, USA, 2014. [Google Scholar]
Figure 1. Images of the free magma: (a) bracketing, (b) non-strict binary tree, (c) strict binary tree.
Figure 1. Images of the free magma: (a) bracketing, (b) non-strict binary tree, (c) strict binary tree.
Cryptography 07 00014 g001
Figure 2. The perfect binary tree t 3 with nodes labeled by binary strings.
Figure 2. The perfect binary tree t 3 with nodes labeled by binary strings.
Cryptography 07 00014 g002
Figure 3. Example of a perfect binary forest.
Figure 3. Example of a perfect binary forest.
Cryptography 07 00014 g003
Figure 4. Dependencies of Ef © on the number of blocks for n st = n pr = n pos = 5 .
Figure 4. Dependencies of Ef © on the number of blocks for n st = n pr = n pos = 5 .
Cryptography 07 00014 g004
Figure 5. Dependencies of Ef and Ef © on the number of positions.
Figure 5. Dependencies of Ef and Ef © on the number of positions.
Cryptography 07 00014 g005
Figure 6. Average heights of generated trees and their linear approximation for m = 8 .
Figure 6. Average heights of generated trees and their linear approximation for m = 8 .
Cryptography 07 00014 g006
Table 1. The scheme of 2 × 2 algorithms.
Table 1. The scheme of 2 × 2 algorithms.
Strict binary trees:
merged positions are first pairs of subsequent trees
Perfect binary trees:
merged positions are first so-called perfect pairs
Deterministic prover behavior:
provers act mutually consistent, taking the first possible n pr merge positions
b behavior is deterministic b shape is strict b behavior is deterministic b shape is perfect
Stochastic prover behavior:
provers act independently, with each selecting one of n pos merge positions
b behavior is stochastic b shape is strict b behavior is stochastic b shape is perfect
Table 2. ArgMax and Max of the function n bl Ef © for the case “ b shape is perfect”.
Table 2. ArgMax and Max of the function n bl Ef © for the case “ b shape is perfect”.
nstnpr2345678910
17
0.89
8
0.83
8
0.78
8
0.72
8
0.67
9
0.62
9
0.58
9
0.55
9
0.52
24
0.85
5
0.74
5
0.67
6
0.62
6
0.58
7
0.56
7
0.53
7
0.51
8
0.49
33
0.80
4
0.70
5
0.65
5
0.60
6
0.57
6
0.55
7
0.53
7
0.51
8
0.50
43
0.78
4
0.70
5
0.65
6
0.61
6
0.58
7
0.57
8
0.56
9
0.54
9
0.53
53
0.77
4
0.71
5
0.66
6
0.63
7
0.61
7
0.59
8
0.56
9
0.55
9
0.53
63
0.79
4
0.72
5
0.67
6
0.65
7
0.62
7
0.60
7
0.58
8
0.57
9
0.55
73
0.79
4
0.71
6
0.68
6
0.65
7
0.63
7
0.61
8
0.60
9
0.59
10
0.59
83
0.79
4
0.73
6
0.70
6
0.67
7
0.65
8
0.64
9
0.62
10
0.61
10
0.60
93
0.80
5
0.74
6
0.70
6
0.68
8
0.66
8
0.65
10
0.64
10
0.61
11
0.61
103
0.81
5
0.75
6
0.72
7
0.70
8
0.68
9
0.66
10
0.64
10
0.63
11
0.62
Table 3. ArgMax and Max of n bl Ef © for the case “ b shape is strict”.
Table 3. ArgMax and Max of n bl Ef © for the case “ b shape is strict”.
nstnpr2345
113/0.92   19/0.9023–24/0.8928–29/0.88
214/0.9321–22/0.91   28/0.9034–35/0.89
315/0.9423–24/0.92   32/0.9138–39/0.90
416/0.9425–26/0.9333–34/0.9241–42/0.91
518/0.9527–28/0.9336–37/0.9244–46/0.92
Table 4. Linear approximations of average height of generated trees as functions of n st and log 2 n pr .
Table 4. Linear approximations of average height of generated trees as functions of n st and log 2 n pr .
m α β γ 2 r m ( m + 1 )
60.841.35−0.750.072
70.811.40−0.750.074
80.791.43−0.740.075
90.771.46−0.740.075
100.751.49−0.730.075
Table 5. Comparison of efficiencies for n st = 9 steps and n pos = n pr .
Table 5. Comparison of efficiencies for n st = 9 steps and n pos = n pr .
n pr Ef 1 Ef perfect © Ef perfect © Ef perfect © Ef strict © Ef
n bl = 10 n bl = 100 n bl = n pr n bl = 10
340.260.640.690.500.690.70
440.190.640.670.540.670.68
1050.170.480.590.500.620.65
3360.100.340.450.430.580.64
9570.070.180.270.260.560.63
45280.030.050.090.110.530.63
217690.010.020.030.040.500.63
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Bespalov, Y.; Kovalchuk, L.; Nelasa, H.; Oliynykov, R.; Viglione, R. Models for Generation of Proof Forest in zk-SNARK Based Sidechains. Cryptography 2023, 7, 14. https://doi.org/10.3390/cryptography7010014

AMA Style

Bespalov Y, Kovalchuk L, Nelasa H, Oliynykov R, Viglione R. Models for Generation of Proof Forest in zk-SNARK Based Sidechains. Cryptography. 2023; 7(1):14. https://doi.org/10.3390/cryptography7010014

Chicago/Turabian Style

Bespalov, Yuri, Lyudmila Kovalchuk, Hanna Nelasa, Roman Oliynykov, and Rob Viglione. 2023. "Models for Generation of Proof Forest in zk-SNARK Based Sidechains" Cryptography 7, no. 1: 14. https://doi.org/10.3390/cryptography7010014

Article Metrics

Back to TopTop