This is another unpublished signed-hashcash variant with an indistinguishable short-cut I came up with recently based on RSA (n here is the RSA modulus):

setup: c=random, s=salt, i=counter, t=random mod 2^k, a=c^t mod n, m=message
repeat find i such that t =? h( s, i, a, m ) mod 2^k
verify: a == c^t mod n and t = h( s, i, a, m ) mod 2^k
shortcut: s=salt, v=random, i=plausible random, t = h( s, i, a, m ) mod 2^k, c=v^(1/t) mod n

works because knowing p, q you can efficiently compute arbitrary t-th roots.


It has feature parity with Dwork & Naor's (section 4.2 of paper) Fiat-Shamir signature forgery based proof of work (if you want RSA trapdoor for some reason).  But its faster, smaller, and simpler, also supports trap door based on RSA.

They could have supported delegation because Fiat-Shamir is an identity based signature scheme, which they dont seem to mention in their use cases, that this approach doesnt.  However then you cant revoke so thats probably why they avoided it.  Also users who do the work can forge identities anyway in their scheme, though they cannot if they have delegated authority.

[EDIT: also not blindable/offloadable because the work is in the exposed hash, but RSA has a simpler form of blinding so its a start.]

Adam