## A variety of mathematical proof-of-work problems will provide better security for cryptocurrencies than hash-based proof-of-work problems

I have some great news. For the first time, the total market cap as of 5/23/2017 for all cryptocurrencies is at \$80,000,000,000 (a month ago it was at \$30,000,000,000 but who knows what it will be in a month or two). Furthermore, as of 5/17/2017, for the first time cryptocurrencies other than Bitcoin consist of more than 50 percent of the total market cap for all cryptocurrencies. These historic events should not be taken lightly. I predict that in the future, cryptocurrencies will for the most part replace fiat currencies. The rise of cryptocurrencies will undoubtably change the world in many important ways. For example, some have predicted that cryptocurrencies will end all war (it will be hard to fund wars with cryptocurrencies)! To learn more about cryptocurrencies, you can read the original paper on the first cryptocurrency Bitcoin.

A proof-of-work problem is a computational problem that one must do to in order to produce new coins in the cryptocurrency and to maintain the security of the cryptocurrency. For example, in Bitcoin, the proof-of-work problem consists of finding suitable strings which produce exceptionally low SHA-256 hashes (the hashes must be low enough so that only one person produces a such hash every 10 minutes or so). In this post, I am going to outline how employing many different kinds of more mathematical proof-of-work problems will provide much better security for cryptocurrencies than if one were to employ only one type of proof-of-work problem and how some of the issues that arise with useful proof-of-work problems are resolvable.

I believe that hash problems are popular proof-of-work problems for cryptocurrencies not because they are the best but simply because they are simple and these hash-based proof of work problems have been the best proof of work problems in instances where a proof-of-work was needed before cryptocurrencies came into being. For example, hash-based proof-of-work problems are used to thwart denial-of-service attacks and spam since for a normal user the proof-of-work problems are not too difficult to solve but the problems will be too difficult for an attacker to compute. While the hash-based proof-of-work problems are ideal to thwarting denial-of-service attacks and spammers, they are not ideal as proof-of-work schemes for cryptocurrencies.

Cryptocurrencies with a many kinds of proof-of-work problems can satisfy very lax requirements compared to cryptocurrencies with only one type of proof-of-work problem.

The security of cryptocurrencies depends on the fact that no single entity can solve more than 50 percent of the proof-of-work problems. If a malicious entity solves more than 50 percent of the proof-of-work problems, then such an entity can undermine the security of the entire cryptocurrency (such an attack is called a 51 percent attack). If a cryptocurrency has only one kind of proof-of-work problem, then that proof-of-work problem must satisfy very strict requirements. But if the same cryptocurrency has many different kinds of proof-of-work problems, then those proof-of-work problems are only required to satisfy relatively mild conditions, and it is therefore feasible for many useful proof-of-work problems to satisfy those conditions (here temporarily assume that there is a good protocol for removing broken proof-of-work problems). Let me list those conditions right here.

The conditions colored orange are always absolutely essential for any proof-of-work problem on a cryptocurrency. The conditions colored green are essential when there is only one kind of proof-of-work problem, but these conditions in green are not necessary when there are many different kinds of proof-of-work problems for the cryptocurrency.

1. Verifiable but intractible

-These problems need to be difficult to solve but it must be easy to verify the solution to these problems.

2. Utility

The solution to the problem should have other uses than simply securing the cryptocurrency. The solution should have practical applications as well, or at the very least, the solutions to the problem should advance mathematics or science. Right now, the proof-of-work problem for Bitcoin is amounts to simply finding data whose SHA-256 hash is exceptionally low.

3. Scalability.

For Bitcoin, the proof-of-work problems need to be solved approximately every 10 minutes (with an exponential distribution), and in any cryptocurrency, the proof-of-work problem must consistently be solved in about the same amount of time. As time goes on, the proof-of-work problems need to get more difficult to accomodate for faster computers, quicker algorithms, more people working on the problem, and more specialized computer chips solving the problem. If $X$ is the distribution of the amount of time it takes to compute the proof-of-work problem, then $X$ should have a consistent mean and the distributions $X,1/X$ should have low variance (we do not want to solve the problem for one block in one second and solve the problem for the next block in one hour).

4. Efficient automatic generation

-The proof-of-work problems need to be generated automatically based on the previous blocks in the blockchain. Cryptocurrencies are decentralized so there cannot be a central agency which assigns each individual proof-of-work problem.

5. Progress-freeness

Progress freeness for search problems means that the probability that the first solution is found at time $t$ follows an exponential distribution. Progress freeness for problems whose objective is to optimize $f(x)$ means that for all $\alpha$ the probability of finding a solution where $f(x)\geq\alpha$ at time $t$ follows an exponential distribution. In other words, solutions are found randomly without regard of how long one has been working on obtaining a solution. Said differently, if Alice spends 30 minutes attempting to find a solution without finding a solution, then Alice will not have any advantage if she has not spent any of the 30 minutes searching for a solution. If there is only one kind of proof-of-work problem for a cryptocurrency, and that proof-of-work problem is far from progress free, then the entity who has the fastest computer will always win, and such an entity could launch a 51 percent attack. As an extreme example of why progress-freeness is needed, suppose that a problem always takes 1000 steps to solve. If Alice has a computer that can do 500 steps a second and Bob has a computer that can do 1000 steps a second, then Bob will solve the problem in 1 second and Alice will solve the problem in 2 seconds. Therefore Bob will always win. However, a lack of progress freeness is no longer a problem if in the cryptocurrency, there are many proof-of-work problems running simultaneously. For example, in the above scenario, even if Bob is able to solve a particular problem better than everyone else, Bob will have to spend much of his computational power solving that particular problem, and Bob will not have enough resources to solve the other proof-of-work problems, and therefore Bob will be unable to launch a 51 percent attack.

6. Optimization-freeness

By optimization-freeness, I mean that people need to be confident that in the future an entity will not be able to obtain a faster algorithm than we have today. The motivation behind optimization freeness is that if an entity has a secret algorithm which is much faster or better than all the other algorithms, then such an entity will be able to launch a 51 percent attack. However, a cryptocurrency employs many different kinds of proof-of-work problems, then such an entity will be able to solve a particular problem better than all others but that entity will not be able to launch a 51 percent attack. In fact, if a cryptocurrency employs many different kinds of proof-of-work problems, then optimization freeness will make the cryptocurrency less secure instead of more secure.

7. Pre-computation resistance

Pre-computation refers to when an entity solves a proof-of-work problem before the proof-of-work problem for a particular block is determined.

8. Unlimited problems

There needs to be an unlimited supply of proof-of-work problems to solve. This is only an issue if there is only one kind of proof-of-work problem for the cryptocurrency. If there are many kinds of proof-of-work problems in a cryptocurrency, then a particular type of proof-of-work problem can simply be removed by an automatic procedure or when all of the particular instances of the problem have been solved.

The problem-removal-protocol

So for a cryptocurrency which employs many different kinds of proof-of-work problems, the list of all problems which are currently being used in the cryptocurrency shall be called the problem schedule. If there are many different types of proof-of-work problems in the problem schedule, there is a good chance that a few of these proof-of-work problems should eventually be broken and should therefore be removed from the problem schedule. Since cryptocurrencies are meant to be as decentralized as possible, the process of removing broken proof-of-work problems from he problem schedule needs to be done automatically without a change to the programming of the cryptocurrency. Let me therefore list three different ways that a proof-of-work problem could be automatically removed from the problem schedule.

1. Formal proof of break

The proof-of-work problem will be considered to be broken and removed from the problem schedule if an entity submits a formal proof that the proof-of-work problem can be solved in polynomial time. The entity who submits the formal proof will win a pre-determined number of blocks in the blockchain and hence new coins.

2. Heuristic algorithm for break

The proof-of-work problem will be considered to be broken and removed form the problem schedule if an entity named Alice submits an algorithm that breaks the proof-of-work problem. For search problems, the algorithm is simply expected to consistently find a fast and accurate solution even if the difficulty of the proof-of-work problem is increased to very high levels. For optimization problems, the breaking algorithm must quickly and consistently give solutions which are at least as good as solutions obtained using other algorithms. In the case of optimization problems broken by a heuristic algorithm, the protocol for removing a problem from the problem schedule is more involved. Alice will first need to openly submit her algorithm for solving the proof-of-work problem. Alice is then required to follow her own algorithm and obtain a solution which is at least as optimized as the solutions produced by all other entities (keep in mind that other entities may use Alice’s algorithm or attempt to improve upon Alice’s algorithm. Furthermore, the optimization process will last long enough for other entities to attempt to improve upon Alice’s algorithm). If Alice satisfies these requirements, then the problem is removed from the problem schedule, Alice is given a pre-determined number of blocks in the blockchain, and Alice will be awarded plenty of coins.

3. Automatic removal of broken proof-of-work problems

For search problems, if the proof-of-work problem is repeatedly quickly solved (possibly with multiple solutions) even when the difficulty of the problem increases without bounds, then the proof-of-work problem will be automatically removed from the problem schedule. For optimization problems, if the best solution or best solutions are consistently obtained early within the timespan for solving the problem, then the proof-of-work problem will automatically be removed from the problem schedule and after the problem is removed, no entity will be awarded any blocks in the blockchain as a prize.

The automatic removal system should preferrably be implemented in a way so that an entity with a secret algorithm can always provide the best solutions to this proof-of-work problem simply by producing solutions which always win but which fall below the threshold-of-removal. However, the automatic removal system should also be implemented so that if the secret algorithm that breaks the system becomes publicly available, then the problem will easily be removed. In other words, an entity can cross the threshold-of-removal if he wants to but such an entity can just as easily remain just below the threshold-of-removal in order to obtain many coins.

The benefits of having many kinds of proof-of-work problems

The most obvious benefit to our composite proof-of-work system with many kinds of proof-of-work problems is that our proof-of-work system allows for a wide flexibility of problems and hence it allows for proof-of-work problems which have useful benefits besides securing the cryptocurrency.

Useful proof-of-work problems will greatly benefit cryptocurrencies

Useful proof-of-work problems will obviously provide benefits since the solution to those proof-of-work problems will have practical applications or at least advance mathematics. Useful proof-of-work problems will also provide a benefit to the cryptocurrencies themselves since useful proof-of-work problems will greatly help the public image of cryptocurrencies.

The public image of cryptocurrencies is one of the most important battles that advocates of cryptocurrencies must face. After all, cryptocurrencies directly threaten many of the powers that governments possess, and governments have the power to ban cryptocurrencies. Not only can governments ban cryptocurrencies, but powerful governments also have the power to undermine the security of cryptocurrencies by launching 51 percent attacks against them since governments have nearly unlimited resources. Cryptocurrencies therefore need to obtain and maintain a strong public image in order to avoid governmental backlash as much as possible.

Another reason for cryptocurrencies need to obtain a strong public image is that cryptocurrencies are still new and many people do not consider cryptocurrencies as legitimate currencies (those dinosaurs are wrong). People therefore need to accept cryptocurrencies as legitimate currency.

Today, many people view the process of mining cryptocurrencies and maintaining the blockchain for a cryptocurrency as being incredibly wasteful and bad for the environment, and these criticisms against cryptocurrencies are justified. Cryptocurrency advocates would respond by saying that cryptocurrency mining is useful for securing and decentralizing the blockchain and hence not wasteful, but in any case, it is much better and much more efficient for these proof-of-work problems to have applications besides securing the blockchain (many cryptocurrencies have attempted to do away with proof-of-work problems since proof-of-work problems are seen as wasteful). I personally will not give cryptocurrencies my full endorsement until they are used to solve useful problems with mathematical, scientific, or practical merit.

Today people receive about 4 million dollars worth of bitcoins every day from mining these bitcoins. Unfortunately, in order to mine these bitcoins, people need to use much energy to power the computers that make these calculations. Imagine how much cryptocurrencies can be used to advance mathematics and science if the proof-of-work problems are selected with scientific advancements in mind. Imagine how much these advancements to science could boost the public image of cryptocurrencies.

A multitude of proof-of-work problems will increase the security of cryptocurrencies

It is less obvious that our composite proof-of-work system also strengthens the security of the cryptocurrency against 51 percent attacks. It is much more straightforward for an entity to launch a 51 percent attack against a cryptocurrency with only one type of proof-of-work problem than it is to launch an attack against a cryptocurrency with many types of proof-of-work problems. After all, to launch a 51 percent attack against a single proof-of-work hash-based problem, one must simply spend a lot of money to produce a lot of ASICs for solving that problem and at any time the attacker can completely break the problem. On the other hand, to launch a 51 percent attack against many proof-of-work problems, one must obtain many different types of ASICs in order to solve many different kinds of problems. Furthermore, in some cases, an attacker may not be able to solve some of these problems since the attacker may not have access to a secret algorithm for solving this problem, and an attacker will not have access to some specialized knowledge which will allow one to quickly solve the problem.

How our system could be implemented on established cryptocurrencies

Cryptocurrencies are supposed to be decentralized currencies. Since cryptocurrencies are supposed to be decentralized, there should be as few changes to cryptocurrencies as possible. This poses a problem for cryptocurrencies which are attempting to switch from useless proof-of-work problems to useful proof-of-work problems. My solution is to only make a change to the cryptocurrency protocol once. In order to minimize backlash and other chaos, the changes stated in the cryptocurrency protocol will be implemented gradually. Let me now give an example of how the change from useless proof-of-work problems to useful proof-of-work problems could take place. Let $t$ be the number of years before the change of the proof-of-work protocol were to take place. When $t=-4$, the cryptocurrency will begin selecting 144 different proof-of-work problems to be used in the cryptocurrency. At time $t=-1$, all 144 of the proof-of-work problems will be selected and the changes to the cryptocurrency protocol will be finalized. At time $t=0$, the cryptocurrency protocol will be modified but these modifications will take effect over a process of 6 years. Every day an average of 144 blocks will be generated. Every month from time $t=0$ to time $t=6$, two out of these 144 proof-of-work problems will be selected at random to be implemented into the problem schedule. At the $m$-th month from $t=0$, every day approximately $144-2m$ of the blocks on the blockchain will have a hash-based proof-of-work problem while the $2m$ other blocks will be from the 144 proof-of-work problems which have already been implemented into the problem schedule. At time $t=10$, a collection of new proof-of-work problems will be selected to replace the problems which have already been broken or which will be broken in the future.

## Graphs obtained from endomorphic Laver tables

At this page, you can now plot the graphs of the output of endomorphic Laver tables. As one would expect, the endomorphic Laver tables are much more complex than their corresponding classical Laver tables or multigenic Laver tables. Here is an graph of the outputs of an endomorphic Laver table operation.

## An open invitation to evaluate endomorphic Laver table based cryptosystems-Part II

In this post, I will give an analysis of the Ko-Lee key exchange for the functionally endomorphic Laver tables (the Ko-Lee key exchange for functional endomorphic Laver tables is simpler to analyze than the distributive version of the Anshel-Anshel-Goldfeld key exchange). In the next post, I will simply link a JavaScript program here on this site which will allow one to analyze the Ko-Lee key exchange for functional endomorphic Laver tables. We will leave an analysis of the more complex but probably more secure distributive version of the Anshel-Anshel-Goldfeld key exchange for functional endomorphic Laver tables for a later post (we believe that the distributive Anshel-Anshel-Goldfeld key exchange would be more secure for the functional endomorphic Laver tables).

Critical points

Suppose that $(X,*)$ is a Laver-like algebra. Then if $x,y\in X$, then define $\mathrm{crit}(x)\leq\mathrm{crit}(y)$ if $x^{n}*y\in\mathrm{Li}(X)$ for some $n$. We say that $\mathrm{crit}(x)=\mathrm{crit}(y)$ if $\mathrm{crit}(x)\leq\mathrm{crit}(y)$ and $\mathrm{crit}(y)\leq\mathrm{crit}(x)$. We shall call $\mathrm{crit}(x)$ the critical point of the element $x$. Let $\mathrm{crit}[X]=\{\mathrm{crit}(x)|x\in X\}$. Then $\mathrm{crit}[X]$ is a linearly ordered set.

If $\alpha\in\mathrm{crit}[X]$, then there is some $r\in X$ with $\mathrm{crit}(r)=\alpha$ and $r*r\in\mathrm{Li}(X)$. Suppose now that $\alpha\in\mathrm{crit}[X],\mathrm{crit}(r)=\alpha,r*r=\mathrm{Li}(X)$. Then define a congruence $\equiv^{\alpha}$ on $X$ by letting $x\equiv^{\alpha}y$ if and only if $r*x=r*y$. Then the congruence $\equiv^{\alpha}$ does not depend on the choice of $\alpha$. The congruence $\equiv^{\alpha}$ is the smallest congruence on $X$ such that if $\mathrm{crit}(x)\geq\alpha$, then $y\in\mathrm{Li}(X)$ for some $y$ with $y\equiv^{\alpha}x$. If $x\in X$, then define the mapping $x^{\sharp}:\mathrm{crit}[X]\rightarrow\mathrm{crit}[X]$ by letting $x^{\sharp}(\mathrm{crit}(y))=\mathrm{crit}(x*y)$. The mapping $x^{\sharp}$ is monotone; if $\alpha\leq\beta$, then $x^{\sharp}(\alpha)\leq x^{\sharp}(\beta)$. Suppose that $(X,E,F)$ is a Laver-like endomorphic algebra. Then suppose that $\alpha\in\mathrm{crit}(\Gamma(X,E))$. Then define the congruence $\equiv^{\alpha}$ on $(X,E,F)$ by letting $x\equiv^{\alpha}y$ if and only if $f(x_{1},…,x_{n_{f}},x)=f(x_{1},…,x_{n_{f}},y)$ where $x_{1},…,x_{n_{f}}\in X$ and $\mathrm{crit}(f,x_{1},…,x_{n_{f}})=\alpha$ and $(f,x_{1},…,x_{n_{f}})*(f,x_{1},…,x_{n_{f}})\in\mathrm{Li}(\Gamma(X,E))$.

In the Laver-like LD-systems which we have looked at which are suitable for cryptographic purposes, $\mathrm{crit}[X]$ tends to be rather small (for cryptographic purposes, $X$ should have at least about 9 critical points, but the largest classical Laver table ever computed $A_{48}$ has 49 critical points).

$\mathbf{Proposition}:$

1. If $y\equiv^{\alpha}z$, then $x*y\equiv^{x^{\sharp}(\alpha)}x*z$ and $x\circ y\equiv^{x^{\sharp}(\alpha)}x\circ z$.
2. Suppose that $X$ is a Laver-like LD-system and $x\in X$. Let $\alpha$ be the least critical point such that $x^{\sharp}(\alpha)=\max(\mathrm{crit}[X])$. Then if $y\equiv^{\alpha}z$, then $x*y=x*z$ and $x\circ y=x\circ z.$

Therefore if $\mathbf{y}\in X/\equiv^{\alpha}$ is the equivalence class of $y\in X$, then define $x*\mathbf{y}$ to be the equivalence class of $x*y$ in the quotient algebra $X/\equiv^{x^{\sharp}(\alpha)}$ and define $x\circ\mathbf{y}$ to be the equivalence class of $x\circ\mathbf{y}$ in $X/\equiv^{x^{\sharp}(\alpha)}$.

$\mathbf{Proposition}$ Suppose that $(X,t^{\bullet})$ is an $n+1$-ary Laver-like LD-system. Suppose that $\mathfrak{u}_{1},…,\mathfrak{u}_{n},\mathfrak{v}_{1},…,\mathfrak{v}_{n}\in\Diamond(X,t^{\bullet})$. Then $\mathrm{crit}(\mathfrak{u}_{1},…,\mathfrak{u}_{n})\leq\mathrm{crit}(\mathfrak{v}_{1},…,\mathfrak{v}_{n})$ in $\Gamma(\Diamond(X,t^{\bullet}))$ if and only if $\mathrm{crit}(\mathfrak{u}_{1}(\varepsilon),…,\mathfrak{u}_{n}(\varepsilon))\leq\mathrm{crit}(\mathfrak{v}_{1}(\varepsilon),…,\mathfrak{v}_{1}(\varepsilon))$.

We may therefore define $\mathrm{crit}(\mathfrak{u}_{1},…,\mathfrak{u}_{n})=\mathrm{crit}(\mathfrak{u}_{1}(\varepsilon),…,\mathfrak{u}_{1}(\varepsilon))$.

$\mathbf{Proposition}$ Suppose that $(X,t^{\bullet})$ is an $n+1$-ary Laver-like LD-system and $\alpha\in\mathrm{crit}(\Gamma(X,t^{\bullet}))=\mathrm{crit}(\Gamma(\Diamond(X,t^{\bullet})))$. Then $(\Diamond(X,t^{\bullet}))/\equiv^{\alpha}\simeq\Diamond((X,t^{\bullet})/\equiv^{\alpha})$. In particular, define a mapping $\phi:\Diamond(X,t^{\bullet})\rightarrow\Diamond((X,t^{\bullet})/\equiv^{\alpha})$ as follows. Let $\mathfrak{l}\in\Diamond(X,t^{\bullet})$. Let $\mathbf{BAD}_{\mathfrak{l}}$ be the set of all strings $i\mathbf{x}\in\{1,…,n\}^{*}$ with $\mathrm{crit}(1\mathbf{x},…,n\mathbf{x})\geq\alpha$. Let $\mathbf{GOOD}_{\mathfrak{l}}$ be the set of all strings in $\{1,…,n\}^{*}$ which are not in $\mathbf{BAD}_{\mathfrak{l}}$ nor have suffixes in $\mathbf{BAD}_{\mathfrak{l}}$. Then $\phi(\mathfrak{l})(\mathbf{x})=\mathfrak{l}(\mathbf{x})/\equiv^{\alpha}$ whenever $\mathbf{x}\in\mathbf{GOOD}_{\mathfrak{l}}$ and $\phi(\mathfrak{l})(\mathbf{x})=\#$ otherwise. Then $\phi$ is a homomorphism whose kernel is $\equiv^{\alpha}$.

Analysis of the Ko-Lee key exchange for Laver-like LD-systems.

The security of the Ko-Lee key exchange for Laver-like LD-systems depends on the difficulty of the following problem.

Problem A for $(a,x,b)$ in $X$: Suppose that $X$ is a Laver-like algebra. Suppose that $a,x,b\in X,r=a\circ x,s=x\circ b$. Let $\alpha$ be the least ordinal such that $a^{\sharp}(\alpha)=\max(\mathrm{crit}[X])$ and let $\beta$ be the least ordinal such that $r^{\sharp}(\beta)=\max(\mathrm{crit}[X])$.

INPUT: $x,r,s,\alpha,\beta$ are known.

OBJECTIVE: Find $a’$ such that $r=a’\circ x$ (Problem A-1) or find $\mathbf{b}\in X/\equiv^{\beta}$ such that $x\circ\mathbf{b}\equiv^{\alpha}s$ (Problem A-2).

Note: In the above problem, we assume that $\alpha$ is known since $X$ usually has a limited number of critical points and $\alpha$ can either be solved or there are a limited number of possibilities for $\alpha$.

We take note that problem A is asymmetric in the roles of $a$ and $b$. In particular, Problem A-2 seems to be an easier problem than problem A-1 since $X/\equiv^{\beta}$ is simpler than $X$.

Constructing endomorphic Laver tables

Suppose that $(X,*)$ is a Laver-like LD-system. If $t:X^{n}\rightarrow X$ is a mapping that satisfies the identity $x*t(x_{1},…,x_{n})=t(x*x_{1},…,x*x_{n})$, then define an operation $T:X^{n+1}\rightarrow X$ by letting $T(x_{1},…,x_{n},x)=t(x_{1},…,x_{n})*x$. Then the algebra $(X,T)$ is a Laver-like endomorphic algebra.

$\mathbf{Proposition:}$ Suppose that $(X,*)$ is a Laver-like LD-system and $t:X^{n}\rightarrow X$ is a mapping that satisfies the identity $x*t(x_{1},…,x_{n})=t(x*x_{1},…,x*x_{n})$. Then define $T:X^{n+1}\rightarrow X$ by letting $T(x_{1},…,x_{n},x)=t(x_{1},…,x_{n})*x$. Then
$\mathrm{crit}(T,x_{1},…,x_{n})\leq\mathrm{crit}(T,y_{1},…,y_{n})$ in $\Gamma(X,T)$ if and only if
$\mathrm{crit}(t(x_{1},…,x_{n}))\leq\mathrm{crit}(t(y_{1},…,y_{n}))$ in $(X,*)$.

By the above Proposition, we will hold to the convention that $\mathrm{crit}(T,x_{1},…,x_{n})=\mathrm{crit}(t(x_{1},…,x_{n}))$.

If $x>0$, then define $(x)_{r}$ to be the unique integer with $1\leq(x)_{r}\leq r$ and where $(x)_{r}=x\mod\,r$. If $n\geq m$, then define a mapping $\pi_{n,m}:A_{n}\rightarrow A_{m}$ by letting $\pi_{n,m}(x)=(x)_{2^{m}}$. Define a linear ordering $\leq^{L}_{n}$ on the classical Laver table $A_{n}$ by induction on $n$ by letting $x<^{L}_{n+1}y$ if and only if $\pi_{n+1,n}(x)<^{L}_{n}\pi_{n+1,n}(y)$ or $\pi_{n+1,n}(x)=\pi_{n+1,n}(y),x < y$. For simplicity, we shall simply write $\leq^{L}$ for $\leq^{L}_{n}$. Then $y\leq^{L}z\rightarrow x*_{n}y\leq^{L}x*_{n}z$.

Suppose that $\mathbf{S}$ is a function such that

1. if $n$ is a natural number and $x_{1},…,x_{r}\in A_{n}$, then $\mathbf{S}(n;x_{1},…,x_{r})\in\{0,1\}$, and
2. if $x_{1},…,x_{r}\in A_{m},y_{1},…,y_{r}\in A_{n}$ and there is an isomorphism $\iota:\langle x_{1},…,x_{r}\rangle\rightarrow\langle y_{1},…,y_{r}\rangle$ with $\iota(x_{1})=y_{1},…,\iota(x_{r})=y_{r}$ and which preserves $\leq^{L}$, then $\mathbf{S}(m,x_{1},…,x_{r})=\mathbf{S}(n,y_{1},…,y_{r})$.

Then define a mapping $\mathbf{S}_{n}:A_{n}^{r}\rightarrow A_{n}$ for all $n$ by induction on $n$. Suppose that $\mathbf{S}_{n}$ has been defined already and suppose that $x_{1},…,x_{r}\in A_{n+1}$. Then let $v=\mathbf{S}_{n}(\pi_{n+1,n}(x_{1}),…,\pi_{n+1,n}(x_{r}))$. If $|\{v,v+2^{n}\}\cap\langle x_{1},…,x_{r}\rangle|=1$, then let $\mathbf{S}_{n+1}(x_{1},…,x_{r})$ be the unique element in $\{v,v+2^{n}\}\cap\langle x_{1},…,x_{r}\rangle$. If $|\{v,v+2^{n}\}\cap\langle x_{1},…,x_{r}\rangle|=2$, then let $\mathbf{S}_{n}(x_{1},…,x_{r})=v+2^{n}\cdot\mathbf{S}(n;x_{1},…,x_{r})$.

Then for all $n$, the operation $\mathbf{S}_{n}$ satisfies the identity $x*_{n}\mathbf{S}_{n}(x_{1},…,x_{r})=\mathbf{S}_{n}(x*_{n}x_{1},…,x*_{n}x_{r})$.

Analysis of the Ko-Lee key exchange for functional endomorphic Laver tables.

For our analysis of the Ko-Lee key exchange for functional endomorphic Laver tables, assume that $t:A_{n}^{2}\rightarrow A_{n}$ is a mapping that satisfies the identity $x*_{n}t(y,z)=t(x*_{n}y,x*_{n}z)$ and $T^{\bullet}:A_{n}^{3}\rightarrow A_{n}$ is defined by $T^{\bullet}(x,y,z)=t(x,y)*z$.

In the classical Laver table $A_{n}$, we have $\mathrm{crit}(x)\leq\mathrm{crit}(y)$ if and only if $\gcd(x,2^{n})\leq\gcd(y,2^{n})$. Therefore, for the classical Laver table $A_{n}$, we define $\mathrm{crit}(x)=\log_{2}(\gcd(x,2^{n}))$. In the classical Laver table $A_{n}$, we have $x\equiv^{m}y$ if and only if $x=y\mod 2^{m}$. If $x\in A_{n}$, then let $o_{n}(x)$ be the least natural number $m$ such that $x*_{n}2^{m}=2^{n}$. In other words, $o_{n}(x)$ is the least critical point $\alpha\in\mathrm{crit}[A_{n}]$ where in $A_{n}$, we have $x^{\sharp}(\alpha)=\max(\mathrm{crit}[A_{n}])$.

Let $\mathfrak{u}_{1},\mathfrak{u}_{2},\mathfrak{l}_{1},\mathfrak{l}_{2},\mathfrak{v}_{1},\mathfrak{v}_{2}\in\Diamond(X,T^{\bullet})$. Then in order for problem A for $(\mathfrak{u}_{1},\mathfrak{u}_{2}),(\mathfrak{l}_{1},\mathfrak{l}_{2}),(\mathfrak{v}_{1},\mathfrak{v}_{2})$ to be difficult, one needs for $o_{n}(t(\mathfrak{u}_{1}(\varepsilon),\mathfrak{u}_{2}(\varepsilon))\circ_{n}t(\mathfrak{l}_{1}(\varepsilon),\mathfrak{l}_{2}(\varepsilon)))$ to be as large as possible. We therefore recommend for $o_{n}(t(\mathfrak{u}_{1}(\varepsilon),\mathfrak{u}_{2}(\varepsilon))\circ_{n}t(\mathfrak{l}_{1}(\varepsilon),\mathfrak{l}_{2}(\varepsilon)))\geq 4$ for the functional endomorphic Laver table based Ko-Lee key exchange to be secure. Unfortunately, $o_{n}(x\circ y)$ is usually very small $\leq 4$ except for highly specialized values of$x,y$. If $x,y\in A_{n}$, then $o_{n}(x\circ_{n}y)\leq\min(o_{n}(x),o_{n}(y))$, so $o_{n}(x\circ_{n}y)$ is typically very small.

The following function shows that $o_{n}(x)$ is usually small (usually 2 or 4).

Function:The following function maps $n$ to the number of elements $x\in A_{20}$ with $o_{20}(x)=n$.
[0→1,1→20,2→555085,3→ 107010,4→ 316545,5→ 55,6→ 37235,7→ 7255,8→ 21230,9→ 24, 10→2193, 11→462, 12→1191, 13→12, 14→144, 15→41, 16→58, 17→4, 18→8, 19→2, 20→1 ]
Increasing $n$ past $10$ in $A_{n}$ will probably not increase the security of functional endomorphic Laver table based cryptosystems.

While $\{o_{n+1}(x),o_{n+1}(x)+2^{n}\}\subseteq\{o_{n}(x),o_{n}(x)+2^{n}\}$, and $o_{n+1}(x+2^{n})=o_{n}(x)$, the following data indicates that for $n\geq 10$ increasing $n$ has little effect on $o_{n}(x)$ since it is very rare for $o_{n+1}(x)=o_{n}(x)+1$ as $n$ gets large.

The n-th entry in the following data list is the probability (from a sample size of 100000) that $o_{n}(x)-o_{n}((x)_{2^{n-1}})=1$ for $x\in A_{n}$.
[1→0.5004, 2→ 0.50211, 3→ 0.5006, 4→ 0.37539, 5→ 0.37352, 6→ 0.25163, 7→ 0.18058, 8→ 0.11521, 9→ 0.0929, 10→ 0.05558, 11→ 0.0364, 12→ 0.02191, 13→ 0.01572, 14→ 0.00878, 15→ 0.00513, 16→ 0.00324, 17→ 0.00242, 18→ 0.00124, 19→ 0.00072, 20→ 0.00043, 21→ 0.00041, 22→
0.0002, 23→ 0.00012, 24→ 2.e-05, 25→ 4.e-05, 26→ 1.e-05, 27→ 2.e-05, 28→ 0., 29→ 0., 30→ 0., 31→ 0., 32→ 0., 33→ 0., 34→ 0., 35→ 0., 36→ 0., 37→ 0., 38→ 0., 39→ 0., 40→ 0., 41→ 0., 42→ 0., 43→ 0., 44→ 0., 45→ 0., 46→ 0., 47→ 0., 48→ 0. ]

While one can show that $o_{n}(1)\rightarrow\infty$ using large cardinals, there is no known proof in ZFC that $o_{n}(1)\rightarrow\infty$ and it is known that if $o_{n}(1)\rightarrow\infty$, then $o_{n}(1)$ must diverge very slowly.

Increases $n$ past about 10 or so does not seem to increase the security of the functional endomorphic Laver table based cryptosystems. If $n$ is much larger than $10$, and if $f$ is a $k$-ary term in $\Diamond(X,T^{\bullet})$ and $\mathfrak{l}_{1},…,\mathfrak{l}_{k}\in\Diamond(X,T^{\bullet})$, then $f(\mathfrak{l}_{1},…,\mathfrak{l}_{k})(\mathbf{x})$ is either very close to $2^{n}$, very close to $1$, or very close to $\mathfrak{l}_{i}(\mathbf{y})$ for some string $\mathbf{y}$. Said differently, increasing the size of $n$ past about 10 or so does not seem to make problem A (or any other cryptographic problem) much harder to solve.