Large memory PoW with fast verification, third version:
The miner sends h and λi as proof.
h is the block hash value.
λi is a key for an elliptic curve point.
i is the value h MOD N.
N is the number of keys used.
The verifier calculates a point pi on the elliptic curve. The proof is valid if pi = λiGj and h XOR hash(λi) is less than the target difficulty, where λi > 1. Gj is a member of a set G with predefined constant points on the elliptic curve. The points in G are chosen so that there is at least one nontrivial solution to pi = λiGj for all points pi.
The point pi is calculated by setting x to hash(i) MOD M, where M is the order of the finite field FM for the elliptic curve y2 = x3 + 7. N < C < M, where C is a value for 1% hash collisions. If no solution y is found for x, then x = x + 1 until a solution is found.
Since the calculations of pi and λiGj are easy the verification is fast without the need for much memory. The miner on the other hand needs the value λi which is difficult to calculate and therefore the miner has to store all keys λi, i = 0, ... N-1 in memory as pre-calculated values.