SPARKs: Succinct Parallelizable Arguments of Knowledge

Suppose that \( (\mathit {ptr} ,\mathit {segtree}) \) is consistent with a partial string D. For any ordered set \( S = (\ell ^{(1)},\ldots ,\ell ^{(p)}) \) of locations \( \ell ^{(i)} \in [n] \) and tuple \( V = (v ^{(1)},\ldots ,v ^{(p)}) \) of words \( v ^{(i)} \in \{0,1\} ^{\lambda } \) , let \( (\mathit {ptr} ^{\prime },\mathit {segtree}^{\prime }) \) be pointers to memory after computing \( \mathbf {C}.\mathbf {Update} (\mathit {pp} ,\mathit {ptr} ,S,V) \) . Then, \( (\mathit {ptr} ^{\prime },\mathit {segtree}^{\prime }) \) is consistent with the partial string \( D^{\prime } \) , where \( D_{\ell ^{(i)}}^{\prime } = v ^{(i)} \) for all \( i\in [p] \) , and \( D^{\prime } \) agrees with D at all other locations.□

When \( \mathbf {C}.\mathbf {Update} (\mathit {pp} ,\mathit {ptr} ,S,V) \) is computed, the only nodes updated in \( \mathit {ptr} \) and \( \mathit {segtree} \) are those in \( \mathbf {ancestors} (S) \) . In \( \mathit {segtree} \) , every node in \( \mathbf {ancestors} (S) \) is set to 1. This immediately gives the first two properties of consistency. To show the third property, let \( \mathit {MT} \) be the Merkle tree for the string \( \mathbf {block} (D_{1}) || \ldots || \mathbf {block} (D_{n}) \) using the hash function given by \( \mathit {pp} \) . We need to show that every node with value 1 in \( \mathit {segtree}^{\prime } \) has the same value in \( \mathit {ptr} ^{\prime } \) and \( \mathit {MT} \) . Since \( (\mathit {ptr} ,\mathit {segtree}) \) are consistent with D, and the only changes are to nodes in \( \mathbf {ancestors} (S) \) , it suffices to show that this holds for every node in \( \mathbf {ancestors} (S) \) . Throughout this proof, we will refer to iteration j of \( \mathbf {C}.\mathbf {Update} \) as the iteration that updates the jth level of the tree, for \( j=0,\ldots ,\log n \) .

Consider any node \( \mathit {node} \in \mathbf {ancestors} (S) \) . We show by induction on the level of \( \mathit {node} \) that its value in \( \mathit {ptr} ^{\prime } \) is equal to its value in \( \mathit {MT} \) . For the base case, when \( \mathit {node} \) is at level 0 (i.e., it is a leaf), it follows that \( \mathit {node} = \ell ^{(i)} \) for some index i. It is only updated at iteration 0, where it is set to \( \mathbf {block} (v ^{(i)}) = \mathbf {block} (D_{\ell ^{(i)}}) \) , which gives the base case.

Next, assume that every node at level j has the same value in \( \mathit {ptr} ^{\prime } \) and \( \mathit {MT} \) , and suppose \( \mathit {node} \) is at level \( j+1 \) . For convenience, let \( \ell _{L},\ell _{R} \) be the locations for the left and right child of \( \mathit {node} \) , respectively. During the update, \( \mathit {node} \) is only written to in the \( (j+1) \) st iteration, where it is set to the hash of the concatenation of values corresponding to its children, found in sets \( R,W \) maintained by the algorithm. Let \( u _{L},u _{R} \) be the values used for the left and right child, respectively. To show that the value for \( \mathit {node} \) is indeed its value in \( \mathit {MT} \) , it therefore suffices to show that \( u _{L},u _{R} \) are the values for \( \ell _{L},\ell _{R} \) in \( \mathit {MT} \) . Without loss of generality, we show this for the value \( u _{L} \) used for \( \ell _{L} \) .

To prove that \( u _{L} \) is indeed the value of \( \ell _{L} \) in \( \mathit {MT} \) , we claim the following:

We complete the proof assuming Subclaim 5.12 and then show that the subclaim holds. The only time that \( \ell _{L} \) is accessed by \( \mathbf {C}.\mathbf {Update} \) is during the jth iteration. There are two cases to consider:

Since \( \mathit {node} \) is an ancestor of a leaf in S, these are the only two cases. Therefore, assuming Subclaim 5.12, the value \( u _{L} \) agrees with \( \mathit {MT} \) . To complete the proof, it remains to show Subclaim 5.12.

To prove that Subclaim 5.12 holds, recall that the algorithm \( \mathbf {C}.\mathbf {Update} \) first checks if \( \ell _{L} \) is in the set W and then checks the set R. Both children are only accessed and modified in \( R,W \) in iteration j. Between the two children, at least one child must be in \( \mathbf {ancestors} (S) \) . In this case, in iteration j it is initialized and its final value in memory is added to W, which is the value used. If either child is not in \( \mathbf {ancestors} (S) \) , then it is in \( \mathbf {dangling} (S) \) by definition. In this case, it follows that in iteration j it is added to R (and not W), where either its value in memory is used, or \( \mathbf {dummy}(j) \) if it is not initialized. This completes the proof of Subclaim 5.12, which in turn gives the claim. \( \Box \)

Let \( D_{\mathsf {start}} = (n,I,A) \) be a partial string, and let \( (\mathit {ptr} ,\mathit {segtree}) \) be the pointers to the Merkle tree and segment tree in memory after running \( \mathbf {C}.\mathbf {Hash} (\mathit {pp} ,D_{\mathsf {start}}) \) . Then, \( (\mathit {ptr} ,\mathit {segtree}) \) are consistent with \( D_{\mathsf {start}} \) .

Running \( \mathbf {C}.\mathbf {Hash} (\mathit {pp} ,D_{\mathsf {start}}) \) results in the same memory as running:

After \( \mathbf {C}.\mathbf {Hash} (\mathit {pp} ,D_{\bot }) \) , it is vacuously true that the resulting memory is consistent with \( D_{\bot } \) , since there are no non- \( \bot \) words in \( D_{\bot } \) . Therefore, by Claim 5.11, the memory after \( \mathbf {C}.\mathbf {Update} (\mathit {pp} ,\mathit {ptr} ,I,A) \) is consistent with \( D_{\mathsf {start}} \) . \( \Box \) □

For any \( \lambda , n \le 2^{\lambda }, p\in \mathbb {N} \) , \( \mathit {pp} \) in the support of \( \mathbf {C}.\mathbf {Gen} (1^{\lambda} ,n) \) , ordered set \( S = (\ell ^{(1)},\ldots ,\ell ^{(p)}) \) , tuple \( V = (v ^{(1)}, \ldots , v ^{(p)}) \) , digest \( \mathit {digest} \) , and proof \( \pi \) , ifthen there exist proofs \( \pi ^{(1)},\ldots ,\pi ^{(p)} \) such thatfor all \( i\in [p] \) . Moreover, they can be computed from \( (S,V,\pi) \) in polynomial time.□

There exists a polynomial-time algorithm \( \mathcal {A}^{\prime } \) that on input \( (\mathit {pp} , \mathit {digest}, \ell , v, \pi , \mathit {digest}^{\prime }, S , V , \tau), \) if

then \( \mathcal {A}^{\prime } \) either outputs a collision in \( \mathcal {H} \) under h, where h is given by \( \mathit {pp} \) , or outputs a proof \( \pi ^\star \) such thatwhere \( v ^\star = v \) if \( \ell \not\in S \) and otherwise \( v ^{\star } \) is the value in V at the index of \( \ell \) in S.

\( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} ,\mathit {digest},S,V,\pi) \) accepts if and only if \( \mathit {digest} \) is the value for the root induced by \( (S,V,\pi) \) .

Fix \( \lambda \) , \( \mathit {pp} \) , S, V, \( \mathit {digest} \) , and \( \pi \) as in the statement of the claim. Let \( \mathit {MT} =\mathbf {extend} (\mathit {pp} ,S,V,\pi) \) . For each \( i\in [p] \) , let \( \pi ^{(i)} \) contain all pairs \( (\ell ,u) \) such that \( \ell \in \mathbf {dangling} (\ell ^{(i)}) \) and u is the value of \( \ell ^{(i)} \) in \( \mathit {MT} \) . Note that these values exist as \( \mathbf {dangling} (\ell ^{(i)}) \subseteq \mathbf {ancestors} (S) \cup \mathbf {dangling} (S) \) , and \( \mathit {MT} \) contains the latter nodes.

For each \( i\in [p] \) , we show first that \( \pi ^{(i)} \) is efficiently computable, and then we show that it gives a valid opening proof. For efficiency, note that \( \mathbf {extend} (\mathit {pp} ,S,V,\pi) \) runs in time \( \mathrm{poly} (\lambda ,p,\log n) \) , since it requires computing at most \( \left|S \cup \mathbf {dangling} (S) \right| \) hashes, each taking time polynomial in \( \lambda \) , and \( \left|S \cup \mathbf {dangling} (S) \right| \in \mathrm{poly} (p,\log n) \) by Claim 5.7. Moreover, the input to \( \mathbf {extend} \) has length polynomial in \( \lambda \) , p, and \( \log n \) , so it follows that \( \pi ^{(i)} \) can be computed in polynomial time based on \( S,V,\pi \) .

Next, we show that \( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} ,\mathit {digest},\ell ^{(i)},v ^{(i)},\pi ^{(i)}) = 1 \) . By Subclaim 5.17, this accepts whenever \( \mathit {digest} \) is the value for the root induced by \( (\ell ^{(i)},v ^{(i)},\pi ^{(i)}) \) . Let \( \mathit {MT}^{\prime } = \mathbf {extend} (\mathit {pp} ,\ell ^{(i)},v ^{(i)},\pi ^{(i)}) \) . We want to show that \( \mathit {digest} \) is the value of the root in \( \mathit {MT}^{\prime } \) . Note that the values of \( \ell ^{(i)} \) and of \( \mathbf {dangling} (\ell ^{(i)}) \) agree between \( \mathit {MT} \) and \( \mathit {MT}^{\prime } \) by definition. It follows that the values for each ancestor of \( \ell ^{(i)} \) agree between the two Merkle trees. Finally, we note that, since \( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} ,\mathit {digest},S,V,\pi) \) accepts, then \( \mathit {digest} \) is the value of the root of \( \mathit {MT} \) , and hence is the value of the root of \( \mathit {MT}^{\prime } \) , which completes the proof. \( \Box \) □

Since \( \mathbf {C}.\mathbf {VerUpd} (\mathit {pp} , \mathit {digest}, S, V, \mathit {digest}^{\prime }, \tau) = 1 \) , then \( \tau \) can be parsed as \( V _{\mathsf {prev}} || \pi ^{\prime } \) such that \( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} , \mathit {digest}, S, V _{\mathsf {prev}}, \pi ^{\prime }) = 1 \) and \( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} , \mathit {digest}^{\prime }, S, V, \pi ^{\prime }) = 1 \) . In the case that \( \ell \in S \) , then by Claim 5.15, \( \mathcal {A}^{\prime } \) can use \( (S,V,\pi ^{\prime }) \) to compute and output a proof \( \pi ^{\star } \) in polynomial time such that \( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} ,\mathit {digest}^{\prime },\ell ,v ^{\star },\pi ^{\star }) \) accepts, where \( v ^{\star } \) is the value of \( \ell \) given by V. As a result, we focus on the case that \( \ell \not\in S \) , and thus \( v ^\star = v \) .

Consider running the verifications \( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} , \mathit {digest}, \ell , v, \pi) \) , \( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} , \mathit {digest}, S, V _{\mathsf {prev}},\pi ^{\prime }) \) , and \( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} , \mathit {digest}^{\prime }, S, V, \pi ^{\prime }) \) . They all accept by assumption, and from the inputs to each we can define a Merkle tree with all the induced values. Specifically, let \( \mathit {MT} = \mathbf {extend} (\mathit {pp} ,\ell ,v,\pi) \) , let \( \mathit {MT} ^{\mathsf {prev}} = \mathbf {extend} (\mathit {pp} ,S,V _{\mathsf {prev}},\pi ^{\prime }) \) , and let \( \mathit {MT} ^{\mathsf {final}} = \mathbf {extend} (\mathit {pp} ,S,V,\pi ^{\prime }) \) . By Subclaim 5.17, the root of \( \mathit {MT} \) and \( \mathit {MT} ^{\mathsf {prev}} \) is \( \mathit {digest} \) , and the root of \( \mathit {MT} ^{\mathsf {final}} \) is \( \mathit {digest}^{\prime } \) . Note that \( \mathit {MT} \) contains all nodes in \( \mathbf {ancestors} (\ell) \cup \mathbf {dangling} (\ell) \) , and both \( \mathit {MT} ^{\mathsf {prev}} \) and \( \mathit {MT} ^{\mathsf {final}} \) contain \( \mathbf {ancestors} (S) \cup \mathbf {dangling} (S) \) .

To construct a proof \( \pi ^\star \) corresponding to opening location \( \ell \) to value \( v ^{\star } \) in \( \mathit {digest}^{\prime } \) , we need to construct values for \( \mathbf {dangling} (\ell) \) , which are simply the nodes in the authentication path for \( \ell \) . Before defining \( \pi ^{\star } \) , we introduce some notation. For \( j\in \{0,\ldots ,\log n-1\} \) , let \( \mathit {node} _{j} \) be the ancestor of \( \ell \) at level j and let \( \mathit {sib} _{j} \) be its sibling. Also, let \( i \in [\log n] \) be the level in a binary tree containing the closest common ancestor of leaf \( \ell \) and any leaf in S.

Next, define \( \pi ^{\star } \) to contain all pairs \( (\mathit {sib} _{j},u _{j}) \) for \( j\in \{0,\ldots ,\log n-1\} \) where \( u _{j} \) is defined as follows:

We claim that either \( \mathbf {C}.\mathbf {VerOpen} (\mathit {digest}^{\prime }, \ell , v ^\star , \pi ^\star) = 1 \) , in which case \( \mathcal {A}^{\prime } \) outputs \( \pi ^{\star } \) , or we can find a collision in the hash function. Recall that \( \mathbf {C}.\mathbf {VerOpen} \) can be split into syntactic checks, and checking the value of \( \mathit {digest}^{\prime } \) . We first show that the syntactic checks done by \( \mathbf {C}.\mathbf {VerOpen} \) pass, and then we show that either \( \mathcal {A}^{\prime } \) outputs a collision, or the rest of the verification succeeds.

For the syntactic checks, it follows that the inputs to \( \mathbf {C}.\mathbf {VerOpen} \) are formatted correctly, so we only need to show that \( \pi ^{\star } \) contains a value for all nodes in \( \mathbf {dangling} (\ell) = (\mathit {sib} _{1},\ldots , \mathit {sib} _{\log n-1}) \) . To show this, we have the following:

This shows that \( \pi ^{\star } \) contains a value for every node in \( \mathbf {dangling} (\ell) \) , so the syntactic checks done by verification pass.

Next, \( \mathbf {C}.\mathbf {VerOpen} (\mathit {digest}^{\prime }, \ell , v ^\star , \pi ^\star) \) checks \( \mathit {digest}^{\prime } \) by computing the root induced by \( (\ell ,v ^{\star },\pi ^{\star }) \) . Along the way, it computes a value for each node in \( \mathbf {ancestors} (\ell ^{(i)}) \) . Let \( c_{1},\ldots ,c_{\log n} \) be these values. We will show that either \( c_{\log n} = \mathit {digest}^{\prime } \) , and so verification accepts, or we can find a collision. Towards this, we have the following observations:

Observation 4 implies that \( c_{\log n} = \mathit {digest}^{\prime } \) , so \( \mathbf {C}.\mathbf {VerOpen} (\mathit {pp} , \mathit {digest}^{\prime }, \ell , v ^\star , \pi ^\star) = 1 \) , as required. \( \Box \) □

There exists a polynomial \( q_1 \) such that for any \( \lambda ,n\in \mathbb {N} \) with \( n \le 2^{\lambda } \) and \( \mathit {pp} \) in the support of \( \mathbf {C}.\mathbf {Gen} (1^{\lambda} ,n) \) , the algorithms \( \mathbf {C}.\mathbf {Open} \) , \( \mathbf {C}.\mathbf {Update} \) , \( \mathbf {C}.\mathbf {VerOpen} \) , and \( \mathbf {C}.\mathbf {VerUpd} \) , when given a set S of p locations and public parameters \( \mathit {pp} \) , can each be computed in with work \( p \cdot q_{1}(\lambda) \) , or with depth \( q_1(\lambda) \) using \( p \cdot q_1(\lambda) \) processors.□

We analyze \( \mathbf {C}.\mathbf {Update} \) , and we observe that the analyses for \( \mathbf {C}.\mathbf {Open} \) and \( \mathbf {C}.\mathbf {VerOpen} \) follow similarly as the algorithms have the same overall structure. Furthermore, \( \mathbf {C}.\mathbf {VerUpd} \) simply calls \( \mathbf {C}.\mathbf {VerOpen} \) twice. Thus, it suffices to argue the claim for \( \mathbf {C}.\mathbf {Update} \) .

We note that \( \mathbf {C}.\mathbf {Update} \) can be split into (1) preprocessing, (2) access and compute steps at each level in the tree, and (3) forming the output. Before analyzing the complexity of each of these, we discuss how to implement each of the relevant sets to achieve efficiency. The sets S, \( \mathbf {dangling} (S) \) , \( \mathbf {ancestors} (S) \) , R, and W each contain at most \( p \cdot \log n \in p \cdot \mathrm{poly} (\lambda) \) nodes, and \( R,W \) additionally contain \( 2\lambda \) -bit values for each node. We would like each set to support concurrent reads and writes to distinct locations. This is done by allocating \( 2n \cdot \mathrm{poly} (\lambda) \) bits in memory for each set (initialized to zeroes) and using an indicator bit to say if an element is in the set or not followed by its value (if any).

This can be done as there are 2n nodes in the tree, and each location can be encoded with \( \log (2n) \) bits (and so with the above implementation, there are \( \mathrm{poly} (\lambda) \) bits in memory for each node). Specifically, the root is encoded as 0, and for each node with index i, its left and right children are encoded as \( 2i+1 \) and \( 2i+2 \) , respectively. The exact encoding is not important for our application, only that each location requires \( \log (2n) \) bits and that it gives a way to find a node’s parent or child in time \( \mathrm{poly} (\lambda) \) . Note that with this encoding and at most \( p\cdot \mathrm{poly} (\lambda) \) processors for each of the above sets, every location in each set can be accessed concurrently.

Next, we analyze the running time of (1), (2), and (3). For (1), the preprocessing steps require computing the relevant sets, which can be done in depth \( \mathrm{poly} (\lambda) \) using p processors with the implementation described above. Specifically, computing R and W is straightforward, where for W, we assume that each \( \mathbf {block} (v ^{(i)}) \) can be encoded (and decoded) in \( \mathrm{poly} (\lambda) \) time. For \( \mathbf {ancestors} (S) \) , we can use p processors as follows: Each of the p processors can start at the leaf nodes (where each processor know its starting leaf index). Subsequently, they can move down the tree and update the sets. To make sure only one process is accessing a single location at a time, after each processor adds node at level i of the tree, it can check if that node’s sibling was also added to \( \mathbf {ancestors} (S) \) . If so, then only the processor accessing the sibling with the larger index can move on to the next level. Once a node stops (because its corresponds to the smaller of the two nodes), it can stop checking nodes further down the tree. Thus, at most two processors might be trying to access a node at each step, and each processor can efficiently check if it should continue. After determining \( \mathbf {ancestors} (S) \) , the set \( \mathbf {dangling} (S) \) can be computed in depth \( \mathrm{poly} (\lambda) \) with p processors, where each processor is initially assigned to a leaf node in S, and adds that node’s sibling to \( \mathbf {dangling} (S) \) whenever the sibling is not given by \( \mathbf {ancestors} (S) \) . Each processor can stop making updates exactly as above, so each memory location is only accessed by a single process.

For (2), we would like each access step to take a single time slot, as specified by the algorithm. To do this, at the end of the pre-processing steps, we can compute the locations for each leaf in \( S \cup \mathbf {dangling} (S) \) , which only adds an additional \( \mathrm{poly} (\lambda) \) depth using \( p \log n \) processors, and then spawn \( p\log n \) processors to access these locations in Merkle tree in the subsequent access step. Then, during the compute steps, using depth \( \mathrm{poly} (\lambda) \) and at most p processors, the locations for the next access step can be computed as above. Continuing in this fashion ensures that each access step is indeed a single step, with at most p processors. The compute steps additionally require updating R and W, as well as computing a hash per each of the p processors. This takes depth \( \mathrm{poly} (\lambda) \) using \( p \cdot \mathrm{poly} (\lambda) \) processors, where \( \mathrm{poly} (\lambda) \) extra processors are possibly needed to compute the hash efficiently. These access and compute steps are repeated \( \log n \le \lambda \) times for each level in the tree.

For (3), forming the output requires reading R with at most \( \mathrm{poly} (\lambda) \) work per element in the set, which can be distributed as above. Obtaining the value of \( \mathit {digest} \) from W requires an additional \( O(\lambda) \) depth.

Thus, it holds that there is a polynomial \( q_1 \) such that \( \mathbf {C}.\mathbf {Update} \) , \( \mathbf {C}.\mathbf {Open} \) , \( \mathbf {C}.\mathbf {VerOpen} \) , and \( \mathbf {C}.\mathbf {VerUpd} \) can be computed with work \( p \cdot q_{1}(\lambda) \) , or with depth \( q_1(\lambda) \) using at most \( p \cdot q_1(\lambda) \) processors. \( \Box \) □

There exists a polynomial \( q_2 \) such that for any \( \lambda ,n\in \mathbb {N} \) with \( n \le 2^{\lambda } \) , \( \mathit {pp} \) in the support of \( \mathbf {C}.\mathbf {Gen} (1^{\lambda} ,n) \) , and partial string \( D = (n,I,A) \) computing \( \mathbf {C}.\mathbf {Hash} (\mathit {pp} ,D) \) can be done in work \( \left|I \right| \cdot q_{2}(\lambda) \) , or with depth \( q_{2}(\lambda) \) with \( |I| \cdot q_{2}(\lambda) \) processors.

Recall that computing \( \mathbf {C}.\mathbf {Hash} (\mathit {pp} ,D) \) consists of allocating memory initialized to 0 (which we assume is free), computing \( \log n \) hashes to compute dummy values, and running \( \mathbf {C}.\mathbf {Update} (\mathit {pp} ,\mathit {ptr} ,I,A) \) . As shown in the previous claim, running \( \mathbf {C}.\mathbf {Update} \) takes either work \( \left|I \right| \cdot q_{1}(\lambda) \) , or depth \( q_1(\lambda) \) using \( |I| \cdot q_1(\lambda) \) processors, and computing \( \log n \le \lambda \) hashes requires \( t_{\mathsf{H} }(\lambda) \cdot \log n \in \mathrm{poly} (\lambda) \) work. Thus, we let \( q_2 \) be a polynomial such that \( q_2(\lambda) \) is at least as large as \( q_1(\lambda) + t_\mathsf{H} (\lambda) \cdot \lambda \) to cover the depth requirement. \( \Box \) □

There exists a polynomial \( q_3 \) and an algorithm \( \mathbf {OpenUpdate} \) such that the following holds: For any \( \lambda ,p,n \in \mathbb {N} \) with \( n \le 2^{\lambda } \) , \( \mathit {pp} \) in the support of \( \mathbf {C}.\mathbf {Gen} (1^{\lambda} ,n) \) , pointer \( \mathit {ptr} \) , ordered set \( S \subseteq [n] \) of p locations, and tuple of words \( V \in (\{0,1\} ^{\lambda })^{p} \) , define \( (V^{\prime },\pi ,\mathit {digest},\tau) \) as follows:

It holds that \( \mathbf {OpenUpdate} (\mathit {pp} ,\mathit {ptr} ,S,V) \) outputs \( (V^{\prime },\pi ,\mathit {digest} , \tau) \) and computing k sequential calls to \( \mathbf {OpenUpdate} \) , each on at most \( p_\mathsf {max} \) locations, can be done with \( k \cdot p_{\mathsf {max}} \cdot q_{3}(\lambda) \) work, or with depth \( (k-1) + q_3(\lambda) \) using at most \( p_\mathsf {max} \cdot q_3(\lambda) \) processors.

For the algorithm \( \mathbf {OpenUpdate} \) , we note that \( \mathbf {C}.\mathbf {Update} \) already computes the values for S before the update and the values for \( \mathbf {dangling} (S) \) . We therefore define \( \mathbf {OpenUpdate} \) to run \( \mathbf {C}.\mathbf {Update} \) to obtain \( (\mathit {digest},\tau) \) , parse \( \tau = V^{\prime } || \pi \) where \( V^{\prime } \in (\{0,1\} ^{\lambda } \cup \{\bot\})^{p} \) and output \( (V^{\prime },\pi ,\mathit {digest},\tau) \) . Since \( V^{\prime } \) gives value for each location in S in the Merkle tree before being updated (or \( \bot \) is uninitialized), then \( V^{\prime } \) is the tuple of values for S given by \( \mathbf {C}.\mathbf {Open} (\mathit {pp} ,\mathit {ptr} ,\ell) \) before the update. Additionally, because the node values for \( \mathbf {dangling} (S) \) are unchanged by \( \mathbf {C}.\mathbf {Update} \) , the proof \( \pi \) output by \( \mathbf {OpenUpdate} \) will be the same as in \( \mathbf {C}.\mathbf {Open} \) . Therefore, the output of \( \mathbf {OpenUpdate} \) is correct.

To perform k sequential updates to the Merkle tree, we observe that it is possible to pipeline them, as we describe next. Note that each update only needs to share memory corresponding to the Merkle tree and segment tree. All other memory used by the algorithm specified in Claim 5.19 can be allocated per updated. Consider a sequence of k sequential calls to \( \mathbf {OpenUpdate} \) , denoted \( \mathit {Upd} ^{i} \) for \( i \in \{0,\ldots ,k-1\} \) , each updating at most \( p_{\mathsf {max}} \) locations. Recall that \( \mathbf {OpenUpdate} \) pre-processes its input, then iterates over the levels of a binary tree doing a single access step and then compute steps at each level, and then forms its output. In what follows, it will be helpful to denote the phases of computation done by \( \mathit {Upd} ^{i} \) as the sequence:where \( P^{i} \) denotes the pre-processing steps, \( A_{j}^{i} \) is the access step at iteration j, \( C_{j}^{i} \) denotes the compute steps at iteration j, and \( F^{i} \) corresponds to the steps for forming the output.

To perform the updates in parallel, we will pipeline them in different processes so one starts after the other: Specifically, \( \mathit {Upd} ^{0} \) will start at time 0, \( \mathit {Upd} ^{1} \) will start at time 1, and in general \( \mathit {Upd} ^{i} \) will start at time i. Each process remembers the node values it sees during the procedure. The value of the root node, when all operations finish, is the new digest. Additionally, even if some update is given less than \( p_{\mathsf {max}} \) positions, we require that certain phases of the update whose running time depends on \( p_{\mathsf {max}} \) (namely, the preprocessing steps and compute steps) still take time as if they were given \( p_{\mathsf {max}} \) positions. Namely, each of these takes fixed polynomial time in \( \lambda \) and \( p_{\mathsf {max}} \) , so this can be easily implemented by doing dummy operations until the right amount of time has elapsed. This ensures that for each update \( P^{i} \) takes the same amount of time for each update i, and \( C_{i}^{j} \) takes the same amount of time for each \( i,j \) .

In terms of correctness, we want to show that for every \( i \in [k] \) , the output of \( \mathit {Upd} ^{i} \) in the concurrent execution is the identical to its output in a sequential execution where the operations are run sequentially (using the number of processors specified by the \( \mathbf {C}.\mathbf {Update} \) description). To do so, we will show that for each block of memory shared between different operations, the memory accesses to that block occur in the same order in both executions. The shared memory is that in \( \mathit {ptr} \) and \( \mathit {segtree} \) . Note that the only steps that access this memory are the access steps \( A_{j}^{i} \) .

Consider any memory location in level j of \( \mathit {ptr} \) or \( \mathit {segtree} \) . This is only accessed by \( A_{j}^{i} \) for each i. Therefore, consider any \( A_{j}^{i} \) and \( A_{j}^{i^{\prime }} \) such that such that \( A_{j}^{i} \) occurs before \( A_{j}^{i^{\prime }} \) in the sequential execution. We will show that this is preserved in the concurrent execution.

To show this, let \( t_{P} \) be the depth of the preprocessing steps in single call to \( \mathbf {C}.\mathbf {Update} \) and let \( t_{C} \) be the depth of the compute steps in a single \( \mathbf {C}.\mathbf {Update} \) , and note that \( t_{P},t_{C} \) are functions of \( \lambda ,p_{\mathsf {max}} \) . In the concurrent execution, \( A_{j}^{i} \) occurs at time \( t \triangleq i + t_{P} + j \cdot (t_{C}+1) \) . This is because \( \mathit {Upd} ^{i} \) starts at time i, and before \( A_{j}^{i} \) occurs, there are \( t_{P} \) steps for the pre-processing \( P^{i} \) , j access steps \( A_{0}^{i},\ldots ,A_{j-1}^{i} \) , and j groups of \( t_{C} \) compute steps \( C_{0}^{i},\ldots ,C_{j-1}^{i} \) . Let \( t^{\prime } \triangleq i^{\prime } + t_{P} + j \cdot (t_{C} + 1) \) be the time that \( A_{j}^{i^{\prime }} \) occurs. Since \( A_{j}^{i} \) occurs first in the sequential execution, then \( i \lt i^{\prime } \) , which implies that \( t \lt t^{\prime } \) . Since this holds for every \( i \ne i^{\prime } \) , it follows that every memory access to level j of the tree occurs in the same order in both the concurrent and sequential executions, which implies correctness. Note that this crucially relied on the fact that each access step indeed is a single step.

Last, we show efficiency for the pipelined operations. We note that, since \( \mathbf {OpenUpdate} \) requires running \( \mathbf {C}.\mathbf {Update} \) and then formatting the output, a single invocation to \( \mathbf {OpenUpdate} \) requires depth \( 2 \cdot q_{1}(\lambda) \) using at most \( p_{\mathsf {max}} \cdot q_1(\lambda) \) processors by Claim 5.19, and can be done with \( 2 p_{\mathsf {max}} \cdot q_{1}(\lambda) \) total work. This implies that the total work to do all k operations is \( k \cdot p_{\mathsf {max}} \cdot 2q_{1}(\lambda) \) . To decouple this into depth and processors, we note that, since we pipeline the operations such that in every step a new \( \mathbf {OpenUpdate} \) begins, the total depth of this sequence of operations can be bounded by \( 2\cdot q_{1}(\lambda) + (k-1) \) . Moreover, there can be a total of \( 2\cdot q_{1}(\lambda) \) operations occurring concurrently, and so \( (2 \cdot q_{1}(\lambda)) \cdot (p_{\mathsf {max}} \cdot q_1(\lambda)) \) bounds the total number of processors needed at any given time. Letting \( q_{3}(\lambda) = 2 \cdot (q_{1}(\lambda))^{2} \) completes the proof. \( \Box \) □

There exists a polynomial \( q_\mathsf {inner} \) such that for every non-uniform probabilistic polynomial-time prover \( \mathcal {P} ^{\star } = \{\mathcal {P} ^{\star }_{\lambda }\}_{\lambda \in \mathbb {N}} \) , \( \lambda ,c\in \mathbb {N} \) , statement \( (M,x,t,L) \) where M has access to \( n \le 2^{\lambda } \) words in memory and \( p_{M} \) processors, with \( \left|M,x,t \right| \le \lambda \) , \( L \le \lambda \) , and \( t\cdot p_{M} \le \left|x \right|^{c} \) , and \( z,s\in \{0,1\} ^{*} \) , the expected running time (with a single processor) of \( \mathcal {E} _{\mathsf {inner}} ^{\mathcal {P} ^{\star }_{\lambda ,z,s},\mathcal {V} _{r}}(1^{\lambda} , (M,x,t,L)) \) is at most \( q_\mathsf {inner} (\lambda ,t \cdot p_{M}) \) .□

We first analyze the time to emulate a full interaction between \( \mathcal {P} ^{\star }_{\lambda ,z,s} \) and \( \mathcal {V} _{r} \) , which is used to determine the statements \( \mathit {statement} _i \) and to emulate the oracle calls of \( \mathcal {E} _\mathsf {sARK} \) to \( \mathcal {P} _{i}^{\star } \) and \( \mathcal {V} _{\mathsf {sARK}, r_i} \) . Since each oracle call takes a single step by assumption, it follows that the emulation time is at most \( \mathbf {work} _\mathcal {V} (1^{\lambda} , (M,x,t,L)) \) to receive and read each message. By the succinctness of \( (\mathcal {P},\mathcal {V}) \) (given by Lemma 6.16) this is bounded by a polynomial \( q_\mathcal {V} (\lambda ,\left|(M,x) \right|,L,p_{M},\log (t\cdot p_{M})) \) independent of \( \mathcal {P} ^{\star } \) and the statement.

Next, we analyze the expected running time of \( \mathcal {E} _\mathsf {sARK} ^{\mathcal {P} ^{\star }_i, \mathcal {V} _{\mathsf {sARK}, r_i}} \) for each \( i \in [m] \) . Recall that \( t_{\mathsf {upd}} \cdot p_\mathsf {upd} \) is an upper bound on the amount of work to verify a statement with at most t updates in \( \mathcal {L}_{\mathsf {upd}} \) . Since \( \mathcal {E} _{\mathsf {sARK}} \) is extracting a witness for an \( \mathcal {L}_{\mathsf {upd}} \) statement, then for each \( i\in [m] \) , the expected running time of \( \mathcal {E} _\mathsf {sARK} ^{\mathcal {P} ^{\star }_i, \mathcal {V} _{\mathsf {sARK}, r_i}} \) is at most \( q_\mathsf {sARK} (\lambda , t_{\mathsf {upd}} \cdot p_\mathsf {upd}) \) for some polynomial \( q_\mathsf {sARK} \) when given oracle access to \( \mathcal {P} ^{\star }_i \) and \( \mathcal {V} _{\mathsf {sARK}, r_i} \) assuming \( r_i \) is uniformly distributed. As the random coins for \( \mathcal {V} _{r} \) are uniform and \( \mathcal {V} \) invokes m independent instances of \( \mathcal {V} _{\mathsf {sARK}} \) , this implies that the randomness \( r_i \) used by \( \mathcal {V} _{\mathsf {sARK}, r_i} \) is uniform. Thus, the expected running time of \( \mathcal {E} _\mathsf {sARK} ^{\mathcal {P} _{i}^{\star }, \mathcal {V} _{\mathsf {sARK}, r_i}} \) is at most \( q_\mathsf {sARK} (\lambda ,t_{\mathsf {upd}} \cdot p_\mathsf {upd}) \) .

Putting everything together, we have that \( \mathcal {E} _{\mathsf {inner}} \) first emulates the interaction between \( \mathcal {P} ^{\star }_{\lambda ,z,s} \) and \( \mathcal {V} _{r} \) and then runs \( \mathcal {E} _\mathsf {sARK} \) to extract a witness m times while emulating the oracle calls of \( \mathcal {E} _\mathsf {sARK} \) (and the resulting oracle calls made to \( \mathcal {P} ^{\star }_{\lambda ,z,s} \) and \( \mathcal {V} _{r} \) ). Thus, the full expected running time is bounded byWe can bound \( t_{\mathsf {upd}}(\lambda ,\left|(M,x) \right|,t) \in \mathrm{poly} (\lambda ,\left|(M,x) \right|,t) \) and \( p_\mathsf {upd} (\lambda , p_{M}) \in \mathrm{poly} (\lambda , p_{M}) \) , as well as \( \left|(M,x) \right| \le \lambda \) , and \( L \le \lambda \) . For m, by succinctness (Lemma 6.16), we have that \( m \le \alpha ^{\star } \cdot \mathrm{poly} (\lambda ,\left|(M,x) \right|,L,\log (t \cdot p_{M})) \) and \( \alpha ^{\star } \) can be bounded by a polynomial in \( \lambda ,\left|(M,x) \right|,t,p_{M} \) by definition. Putting these bounds together, this implies that the expected running time is bounded by a polynomial \( q_\mathsf {inner} (\lambda , t \cdot p_{M}) \) . \( \Box \) □

For every non-uniform probabilistic polynomial-time prover \( \mathcal {P} ^{\star } = \{\mathcal {P} ^{\star }_{\lambda }\}_{\lambda \in \mathbb {N}} \) and constant \( c \in \mathbb {N} \) , there exists a negligible function \( \mathsf {negl} _\mathsf {inner} \) such that for all \( \lambda \in \mathbb {N} \) , statement \( (M,x,t,L) \) where M has access to \( n \le 2^{\lambda } \) and \( p_{M} \) processors, and with \( \left|M,x,t \right| \le \lambda \) , \( L \le \lambda \) , and \( t\cdot p_{M} \le \left|x \right|^{c} \) , and every \( z,s\in \{0,1\}^{*} \) , it holds thatwhere \( \mathit {statement} _{i} \) is defined to be the statement of the ith sub-protocol in the interaction \( (\mathcal {P} ^{\star }_{\lambda ,z,s},\mathcal {V} _{r}) \) .

To analyze the above probability, we start by formalizing an algorithm \( \mathcal {S} \) , which is implicit in the description of \( \mathcal {E} _{\mathsf {inner}} \) . The algorithm \( \mathcal {S} \) takes as input \( r \in \{0,1\} ^{l(\lambda)} \) , and emulates the interaction \( (\mathcal {P} ^{\star }_{\lambda ,z,s},\mathcal {V} _{r}) \) . It then outputs \( (y,\mathit {statement} _{1},\ldots ,\mathit {statement} _{m}) \) , where \( \mathit {statement} _{i} \) is the ith statement in the interaction and y is the output of the protocol. Note that these statements are the same as the ones computed by \( \mathcal {E} _{\mathsf {inner}} \) in the first step of its description. We can then write the above probability asNext, we apply a union bound to upper bound this byWe now upper bound the above probability for any particular \( i \in [m] \) . We notice that whenever \( y \not= \bot \) , that implies that \( \mathcal {V} \) accepts in protocol \( \Pi _i \) for \( \mathit {statement} _i \) .

By definition of \( \mathcal {E} _{\mathsf {inner}} ^{\mathcal {P} ^{\star }_{\lambda ,z,s},\mathcal {V} _{r}} \) , for each \( i \in [m] \) , the witness \( \mathit {wit} _{i} \) is computed by running \( \mathcal {E} _{\mathsf {sARK}}^{\mathcal {P} _{i}^{\star },\mathcal {V} _{\mathsf {sARK},r_{i}}} \) , where \( \mathcal {E} _{\mathsf {inner}} \) uses its oracles \( \mathcal {P} ^{\star }_{\lambda ,z,s} \) and \( \mathcal {V} _{r} \) to emulate all queries that \( \mathcal {E} _{\mathsf {sARK}} \) makes to \( \mathcal {P} _{i}^{\star } \) and \( \mathcal {V} _{\mathsf {sARK},r_{i}} \) . Specifically, emulating \( \mathcal {P} _{i}^{\star } \) requires querying \( \mathcal {P} _{\lambda ,z,s}^{\star } \) for every sub-protocol, and querying \( \mathcal {V} _{r} \) for all protocols other than i.

Let \( r_{-i} \) be the randomness of \( \mathcal {V} _{r} \) used in all protocols other than i, where it uses \( r_{i} \) . Note that \( \mathcal {P} ^{\star }_{i} \) only depends on \( r_{-i} \) , since it only uses \( \mathcal {V} _{r} \) in protocols other than i. Another way to state this is to view \( \mathcal {P} _{i}^{\star } \) as an randomized prover that emulates the verifier in all sub-protocols other than i using its internal randomness, where in the above execution, its internal randomness is \( r_{-i} \) . To make this clear, let \( \mathcal {P} ^{\star }_{i,r_{-i}} \) denote the prover \( \mathcal {P} ^{\star }_{i} \) (viewing it as a randomized algorithm) that uses randomness \( r_{-i} \) to emulate the verifier in all protocols other than i, and note that \( \mathcal {P} ^{\star }_{i,r_{-i}} \) can still be emulated using the oracles \( \mathcal {P} _{\lambda ,z,s}^{\star } \) and \( \mathcal {V} _{r} \) . We can then write the above probability asWhenever \( y \ne \bot \) , it must be the case that \( \mathcal {V} \) accepts in all sub-protocols, and therefore by definition of \( \mathcal {P} _{i}^{\star } \) , it follows that \( \mathcal {V} _{\mathsf {sARK},r_{i}} \) accepts in protocol \( \Pi _{i} \) with \( \mathcal {P} _{i,r_{-i}}^{\star } \) . We can therefore upper bound the above probability byWe can now use the argument of knowledge property of \( (\mathcal {P} _{\mathsf {sARK}},\mathcal {V} _{\mathsf {sARK}}) \) . Let \( l^{\prime }(\lambda) \) be the length of the randomness used by \( \mathcal {V} _{\mathsf {sARK}} \) . For any \( r = (r_{-i},r_{i}) \in \{0,1\}^{l(\lambda)} \) , using \( r_{-i} \) as the randomness for \( \mathcal {P} ^{\star }_{i,r_{-i}} \) , by the argument of knowledge property of \( (\mathcal {P} _{\mathsf {sARK}},\mathcal {V} _{\mathsf {sARK}}) \) there exists a negligible function \( \mu _{i} \) (which depends on the algorithm \( \mathcal {P} _{i}^{\star } \) but is independent of its randomness) such that for every randomness \( r_{-i} \) for \( \mathcal {P} _{i}^{\star } \) , and for the statement \( \mathit {statement} _{i} \) (which in this case is determined by \( r_{-i} \) ) it holds thatBy using the law of total probability in Equation (6.2) (to sum over each choice of \( r_{-i} \) ), and by applying the above inequality, we obtain that Equation (6.2) is bounded above by \( \mu _{i}(\lambda) \) . Finally, by plugging this back into Equation (6.1), we obtain that the probability in the statement of the claim is upper bounded by \( \sum _{i\in [m]} \mu _i(\lambda) \) . As in the analysis of the previous claim, we can bound m by \( \mathrm{poly} (\lambda ,\left|(M,x) \right|,L,t,p_{M}) \) . As \( \left|(M,x) \right| \le \lambda \) , \( L \le \lambda \) , and \( t \cdot p_{M} \le \left|x \right|^{c} \) , then \( m \in \mathrm{poly} (\lambda) \) , so this is negligible as required. \( \Box \) □

There exists a polynomial q such that \( \mathcal {E} ^{\mathcal {P} ^{\star }_{\lambda ,z,s},\mathcal {V} _{r}}(1^{\lambda} , (M,x,t,L)) \) has expected running time at most \( q(\lambda , t \cdot p_{M}) \) .

\( \mathcal {E} \) first runs \( \mathcal {E} _{\mathsf {inner}} \) , which has expected running time bounded by a polynomial \( q_\mathsf {inner} (\lambda , t \cdot p_{M}) \) by Claim 6.4. We bound the remaining running time of \( \mathcal {E} \) by a polynomial in \( \lambda \) and \( t \cdot p_{M} \) , which completes the claim.

\( \mathcal {E} \) parses the output as containing m sets of states and words that together have size \( m \cdot p_{M} \cdot \mathrm{poly} (\lambda) \) , as well as a sequence of t updates, where each update has size at most \( 2\beta \cdot p_{M} \cdot \lambda \in \mathrm{poly} (\lambda) \) by the efficiency of the underlying concurrently updatable hash function. As \( m \in \mathrm{poly} (\lambda) \) as discussed in the previous claims, together this takes time \( t \cdot p_{M} \cdot \mathrm{poly} (\lambda) \) . Using these updates to determine which values to read, \( \mathcal {E} \) emulates M for t steps, which can be done in time \( t \cdot p_{M} \cdot \mathrm{poly} (\lambda) \) . Finally, \( \mathcal {E} \) computes the initial memory \( D^{\mathsf {Init}} \) to output a witness w, which, as discussed above, requires specifying at most \( t+\lceil L/ \lambda \rceil \) positions and therefore takes at most \( \mathrm{poly} (\lambda ,L,t) \in \mathrm{poly} (\lambda ,t) \) time. Altogether, \( \mathcal {E} \) runs in expected time at most \( q_\mathsf {inner} (\lambda , t \cdot p_{M}) + t \cdot p_{M} \cdot \mathrm{poly} (\lambda) + t \cdot p_{M} \cdot \mathrm{poly} (\lambda) + \mathrm{poly} (\lambda ,t), \) which can be bounded by a polynomial \( q(\lambda , t \cdot p_{M}) \) . \( \Box \) □

For every non-uniform probabilistic polynomial-time prover \( \mathcal {P} ^{\star } = \{\mathcal {P} ^{\star } _{\lambda }\}_{\lambda \in \mathbb {N}} \) and constant \( c \in \mathbb {N} \) , there exists a negligible function \( \mathsf {negl} \) such that for all \( \lambda \in \mathbb {N} \) , statement \( (M,x,t,L) \) where M has access to \( n \le 2^{\lambda } \) and \( p_{M} \) processors, and with \( \left|(M,x,t) \right| \le \lambda \) , \( L \le \lambda \) , and \( t\cdot p_{M} \le \left|x \right|^{c} \) , and all \( z,s\in \{0,1\}^{*} \) , it holds that

In the following, all probabilities are over \( r \leftarrow \{0,1\}^{l(\lambda)} \) and \( w \leftarrow \mathcal {E} ^{\mathcal {P} ^{\star }_{\lambda ,z,s}, \mathcal {V} _{r}}(1^{\lambda} , (M,x,t,L)) \) , and we let y and \( \mathit {statement} _{i} \) for \( i \in [m] \) be determined by r in each probability, namely, \( y = \langle \mathcal {P} ^{\star }_{\lambda ,z,s}, \mathcal {V} _{r} \rangle (1^{\lambda} , (M,x,t,L)) \) and \( \mathit {statement} _{i} \) is the statement used by \( \mathcal {P} ^{\star }_{\lambda ,z,s} \) for the ith sub-protocol with \( \mathcal {V} _{r} \) . Additionally, we let \( \mathit {wit} _1,\ldots , \mathit {wit} _m,Y \) be the output of \( \mathcal {E} _{\mathsf {inner}} \) during the execution of \( \mathcal {E} \) in each probability.

Suppose by way of contradiction that there exists a polynomial p such that for infinitely many \( \lambda \in \mathbb {N} \) ,We can rewrite this probability asby Claim 6.5 above. As \( \mathsf {negl} _\mathsf {inner} (\lambda) \lt 1/(2p(\lambda)) \) for infinitely many \( \lambda \in \mathbb {N} \) , this implies that for infinitely many \( \lambda \in \mathbb {N} \) ,Furthermore, by a standard averaging argument, it holds thatOtherwise, the expected work done by \( \mathcal {E} \) must be greater than \( q(\lambda ,t \cdot p_{M}) \) , in contradiction with Claim 6.4. This implies that for infinitely many \( \lambda \in \mathbb {N} \) ,

Given this, consider the following non-uniform adversary \( \mathcal {A} = \{\mathcal {A} _{\lambda }\}_{\lambda \in \mathbb {N}} \) . At a high level, we will show that on input \( \mathit {pp} \leftarrow \mathbf {C}.\mathbf {Gen} (1^{\lambda} ,n) \) and \( h \leftarrow \mathcal {H} _{\lambda } \) , \( \mathcal {A} \) will either break the soundness of \( \mathbf {C} \) or the collision-resistance of \( \mathcal {H} \) with at least the probability above. In its non-uniform advice, \( \mathcal {A} _{\lambda } \) will have hardcoded the code of \( \mathcal {P} ^{\star }_{\lambda ,z,s} \) , the statement \( (M,x,t,L) \) , and the value of \( p(\lambda) \) .

\( \mathcal {A} _{\lambda }(\mathit {pp}, h) \) :

To analyze the success of \( \mathcal {A} \) in breaking the soundness of \( \mathcal {H} \) and \( \mathbf {C} \) , in the subsequent subclaims, we argue that (1) \( \mathcal {A} _{\lambda } \) runs in (strict) polynomial time; (2) if \( \mathcal {A} _{\lambda } \) outputs in step 5, then \( \mathcal {A} _{\lambda } \) finds a collision in h; (3) if \( \mathcal {A} _{\lambda } \) outputs in steps 7 or 8, then \( \mathcal {A} _{\lambda } \) finds values that breaking the soundness of \( \mathbf {C} \) ; and (4) if \( \mathcal {A} _{\lambda } \) reaches step 9, then it must be the case that \( ((M,x,y,L,t),w) \in \mathcal {R}_{\mathcal {U}} ^{\mathbf {PRAM}} \) .

Given these subclaims, we can conclude the proof as follows: First, note that \( \mathcal {A} _{\lambda } \) outputs in steps 5, 7, 8, or 9 whenever \( y \not= \bot \) , \( (\mathit {statement} _i, \mathit {wit} _i) \in R_{\mathsf {upd}} \) for all \( i \in [m] \) , and \( \mathcal {E} \) halts within \( 4 \cdot p(\lambda) \cdot q(\lambda , t\cdot p_{M}) \) steps. We can break this event into two cases asBy Subclaim 6.12, the first term is greater than the probability that \( \mathcal {A} _{\lambda } \) outputs in step 9. By Equation (6.3), the second term is greater than \( 1/(4p(\lambda)) \) . Putting these together, we get that the probability that \( \mathcal {A} _{\lambda } \) outputs in step 5, 7, or 8 is greater than \( 1/(4p(\lambda)) \) . It then follows from Subclaims 6.8, 6.9, and 6.11 that for infinitely many \( \lambda \in \mathbb {N} \) , \( \mathcal {A} _{\lambda } \) runs in polynomial time and either outputs a collision in \( \mathcal {H} \) or in \( \mathbf {C} \) with probability at least \( 1/(4p(\lambda)) \) . As \( \mathcal {A} \) directly implies an adversary \( \mathcal {A}^{\prime } \) that either gets \( \mathit {pp} \) or h as input and simulates the other input for \( \mathcal {A} \) , this implies that \( \mathcal {A} \) can be used to break the soundness of \( \mathcal {H} \) or of \( \mathbf {C} \) with probability at least \( 1/(4p(\lambda)) \) , in contradiction.

Next, we show that whenever \( \mathcal {A} \) reaches step 6, rather than viewing the extracted witnesses as m separate \( \mathcal {L}_{\mathsf {upd}} \) instances, they can be viewed as a single instance corresponding to all t updates. This will show that all t updates are in fact being applied to consecutive digests, which will help us show the subsequent claims analyzing \( \mathcal {A} \) ’s attack. In the subsequent claims, we say that \( (\mathit {State},V ^{\mathsf {rd}}) \) is a PRAM configuration if during any step of a PRAM evaluation, the set of states after that step are \( \mathit {State} \) and the words read in that step are \( V ^{\mathsf {rd}} \) .