Proof of Result (PoR) is an algorithm and rollup that allows users to reach agreement on a piece of data in a way that can later be proven to others. It works without an intermittent blockchain and is therefore nearly instantaneous and free. It is equal parts heavy cryptography and game theory, and reaches practical perfect security through incentive-aligned actions that make exploitation unprofitable.
Source: Ontropy
PoR Explained in Two Minutes
Let us simplify Proof of Result with an analogy where a car is ETH, a garage is smart contract code, and signed messages represent Proof of Result.
So imagine that someone owns a car and wants a loan. This person may post a listing, valuing the car at $5,000 as collateral.
A stranger checks other listings, confirms $5,000 is the going rate, and replies, agreeing to lend $2,000. The borrower parks the car in a garage that neither of them own. The borrower and lender exchange signed written messages that mutually confirm their agreement to the $5,000 valuation and $2,000 loan amount, along with a one-month repayment window.
Both the borrower and lender return to the garage after one month. In the first outcome, the borrower has $2,000 and pays it back to the lender through the garage. The lender cannot claim that the amount is not enough, as the borrower still has the lender’s signed message. The borrower can show the signed message to the garage and they will be given back their car.
In the second outcome, both return to the garage, but the borrower does not have the $2,000 to pay the lender. The lender will show the signed message of the $2,000 payment to the garage. Because the borrower’s signed message agreed to a time, the lender can take possession of the car if the garage has not detected a payment.
The lender, however, cannot attempt to steal the car before the agreed time has passed because the garage will check the timestamp. The borrower can also collect the car anytime before without the consent of the lender through the proof of payment.
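The garage's checks from the analogy above, written out as an added example (not Ontropy's code). It assumes each party signs with their own Ed25519 key rather than the distributed key described later, and the field names, the `settle` function and the sample values are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed parties: the borrower and the lender from the analogy.
const borrower = crypto.generateKeyPairSync('ed25519');
const lender = crypto.generateKeyPairSync('ed25519');

// Canonical encoding: fixed field order so both parties sign identical bytes.
function encode(a) {
  return Buffer.from(JSON.stringify([a.collateralUsd, a.loanUsd, a.deadline]));
}

function signAgreement(agreement, privateKey) {
  return crypto.sign(null, encode(agreement), privateKey);
}

// The garage acts only on an agreement that both parties signed.
// `now` is the garage's own clock; `amountRepaidUsd` is what it has received.
function settle(agreement, sigs, claimant, now, amountRepaidUsd) {
  const msg = encode(agreement);
  const bothSigned =
    crypto.verify(null, msg, borrower.publicKey, sigs.borrower) &&
    crypto.verify(null, msg, lender.publicKey, sigs.lender);
  if (!bothSigned) return 'rejected: agreement not signed by both parties';

  const repaid = amountRepaidUsd >= agreement.loanUsd;
  if (claimant === 'borrower') {
    // Proof of payment is enough; the lender's consent is not needed.
    return repaid ? 'car released to borrower' : 'rejected: loan not repaid';
  }
  if (claimant === 'lender') {
    if (repaid) return 'rejected: loan was repaid';
    // The timestamp check that stops an early seizure.
    if (now < agreement.deadline) return 'rejected: repayment window still open';
    return 'car released to lender';
  }
  return 'rejected: unknown claimant';
}

// Constructed sample agreement: $5,000 valuation, $2,000 loan, fixed deadline.
const agreement = { collateralUsd: 5000, loanUsd: 2000, deadline: 1700000000 };
const sigs = {
  borrower: signAgreement(agreement, borrower.privateKey),
  lender: signAgreement(agreement, lender.privateKey),
};
```

Changing any signed field, such as raising `loanUsd` after the fact, invalidates both signatures, so neither party can present altered terms to the garage.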
Okay, let’s bring this analogy back to DeFi where a user wants to borrow against their ETH. The problem is, the price of Ethereum is quickly changing and is derived off-chain. Therefore, users must rely on an oracle to take this data and put it on chain so that the borrower and lender can agree on its value.
The misconception here is that an oracle is useful because it puts data on chain. This is untrue. An oracle is useful because the data it puts on chain is trustworthy. Either the lender or owner could easily upload the price of ETH; the problem is that each is incentivized to give themselves the advantage of a better price, so the other will not trust it.
In the car price analogy, this incentive is met with signed messages by both users, so either user can independently prove the truth. Because either outcome (the borrower does or does not pay back) will benefit at least one of either the borrower or the lender, at least one will step forward and use the signed proof. Instead of fighting against them, PoR uses incentives to power the fairness of the protocol. This means that users become their own nodes and can trustlessly put data on chain for a given transaction.
The reason all of this has not been done on blockchain yet is that proving agreement between two or more users at one time with a quickly changing asset price is cryptographically complicated, and it is easier to have one party, whom everyone trusts, upload a constant stream of data. The problem with the status quo, of course, is that we must pay this one party, their data could be behind, they can be bribed, their original data source could be corrupted, their internet could go down, or any number of other problems associated with a centralized party could arise.
Many will point out that there are decentralized networks of oracles and bridges. Because network costs scale linearly, there are fewer than 70 nodes for Polygon, Avalanche, Arbitrum, and Optimism combined. We’ve seen with Axie Infinity’s $650M Ronin Bridge hack that compromising even 4 nodes can be catastrophic.
There is more to consider, like the scenario where the value of the car falls near or below the loan amount during the repayment period. We’ll explore this in depth in a future post. Subscribe to stay updated!
How is PoR Verifiably Fair?
Proof of Result makes user-validated data transactions possible. This means that no third party can exploit randomness in games, asset prices for transactions, or destination wallets for cross-chain bridging—all things we’ve seen get hacked for billions of dollars in the past few months alone.
As outlined in the analogy, Proof of Result is inherently “verifiably fair down to one non-cheating user.” Therefore, every user is either cheating (where cheating means refusing to participate) or can prove the scheme is fair. We know there is always one non-cheating player, and thus Proof of Result is fair, because of incentives.
Because every outcome will leave at least one user better off and everyone will work in their best interest, at least one user will participate, so there is always at least one non-cheating user. PoR ensures there is always at least one winner by eliminating third parties, allowing only the relevant users to participate, and thus creating a zero-sum game. This is true for oracles and bridges too, but the participating users extend beyond those relevant in the transaction, meaning those supplying the information or transferring the assets can benefit at the expense of everyone else. This is not zero-sum for the relevant users.
This is the game theory element of Proof of Result. How this is accomplished in practice, we’ll review in the next section.
How Zero-Knowledge and MPC Achieve Off-Chain Consensus
We’re limited in the detail we can share at this moment, but here are 7 key points to how Proof of Result works:
1. Users communicate directly with each other and establish a shared, distributed key. This key is used to sign and verify data transactions, ensuring that all participants in the process have a common reference point for verifying the authenticity and integrity of the data.
2. To prevent possible attacks and counteract the influence of malicious participants, users exchange zero-knowledge proofs (ZK-proofs) that demonstrate the authenticity of their data without revealing the underlying data itself. This helps to ensure the security and reliability of the Proof of Result protocol.
3. For randomness generation, users perform the Dynamic User Entropy process, which involves generating a number on their own device and applying a partial homomorphic encryption scheme to it before signing it with the distributed key. Homomorphic encryption allows users to perform mathematical operations on encrypted data without having to decrypt it, providing an additional layer of security and privacy.
4. For other types of data, such as price feeds and oracles, users will sign the data directly with the distributed key. This helps to ensure the authenticity and integrity of the data, as it can be verified by all participants using the shared key.
5. Once a user receives the encrypted data from another party, they can compare it to their own encrypted version to determine if they agree on the underlying data. If the data matches, the user can submit it as proof of the other party's intent and agreement.
6. To reduce gas fees and improve security, users can bundle their Proof of Result data with other transactions, such as staking and acquiring loans. This allows financial transactions to be assessed in a more secure manner, as the true and verified valuations are intrinsically attached to the Proof of Result data.
7. In situations where data is continually requested, such as in a poker game with multiple rounds, users can record Merkle trees and postpone interacting with the blockchain until all necessary data has been collected. This can help to reduce the overall load on the blockchain and improve the efficiency of the Proof of Result protocol.
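The Merkle-tree batching from the last point, as an added example (not Ontropy's implementation): per-round results are hashed into one root, only the root would need to go on chain, and any single round can later be proven against it. The round record format, function names and tree layout (SHA-256, prefixed leaf and node hashes, unpaired nodes promoted) are assumptions.

```javascript
const crypto = require('node:crypto');

const sha256 = (...parts) => {
  const h = crypto.createHash('sha256');
  for (const p of parts) h.update(p);
  return h.digest();
};
// Domain separation: leaves and inner nodes use different prefixes,
// so an inner node can never be passed off as a round record.
const leafHash = (data) => sha256(Buffer.from([0x00]), Buffer.from(data));
const nodeHash = (l, r) => sha256(Buffer.from([0x01]), l, r);

// Every level of the tree, leaves first. An unpaired node is promoted as is.
function buildLevels(rounds) {
  if (rounds.length === 0) throw new Error('no rounds recorded');
  const levels = [rounds.map(leafHash)];
  while (levels[levels.length - 1].length > 1) {
    const prev = levels[levels.length - 1];
    const next = [];
    for (let i = 0; i < prev.length; i += 2) {
      next.push(i + 1 < prev.length ? nodeHash(prev[i], prev[i + 1]) : prev[i]);
    }
    levels.push(next);
  }
  return levels;
}

// The single 32-byte value that would be submitted at the end of the game.
const merkleRoot = (rounds) => buildLevels(rounds).pop()[0];

// Sibling hashes needed to recompute the root from one round.
function prove(rounds, index) {
  const path = [];
  let i = index;
  for (const level of buildLevels(rounds).slice(0, -1)) {
    const sib = i ^ 1;
    if (sib < level.length) path.push({ hash: level[sib], left: sib < i });
    i >>= 1;
  }
  return path;
}

function verify(round, path, root) {
  let h = leafHash(round);
  for (const s of path) h = s.left ? nodeHash(s.hash, h) : nodeHash(h, s.hash);
  return h.equals(root);
}

// Constructed sample: three rounds of a game, recorded off chain.
const rounds = ['round=1;pot=40;winner=alice', 'round=2;pot=15;winner=bob', 'round=3;pot=90;winner=alice'];
```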
Essentially, Ontropy uses a lot of cool math and innovative cryptography to secure your data on and off the blockchain!
Stay tuned for updates on how Proof of Result can be used to verify data while it remains completely private! We’ll also detail how Ontropy achieves fault tolerance in cross-chain bridging.
Thank you for reading! To stay updated, follow me and Ontropy on Twitter and check out our website!
ZK(Zero-Knowledge Proof) + HE(Homomorphic Encryption) = POR(Proof Of Result)
None of these theories are easy.
I can't believe it's possible,
Oh my God!
It's a great honor to be aware of this great step.
The true direction of Web.3 will surely be with Ontropy leading the way.
Nice