Efficient Verifiable Delay Functions
Benjamin Wesolowski
1,2(
B
)
1
EPFL IC LACAL, Station 14, 1015 Lausanne, Switzerland
2
Cryptology Group, CWI, Amsterdam, The Netherlands
benjamin.wesolowski@cwi.nl
Abstract. We construct a verifiable delay function (VDF). A VDF is a
function whose evaluation requires running a given number of sequential
steps, yet the result can be efficiently verified. They have applications
in decentralised systems, such as the generation of trustworthy public
randomness in a trustless environment, or resource-efficient blockchains.
To construct our VDF, we actually build a trapdoor VDF. A trapdoor
VDF is essentially a VDF which can be evaluated efficiently by parties
who know a secret (the trapdoor). By setting up this scheme in a way
that the trapdoor is unknown (not even by the party running the setup,
so that there is no need for a trusted setup environment), we obtain
a simple VDF. Our construction is based on groups of unknown order
such as an RSA group, or the class group of an imaginary quadratic field.
The output of our construction is very short (the result and the proof of
correctness are each a single element of the group), and the verification
of correctness is very efficient.
1 Introduction
We describe a function that is slow to compute and easy to verify: a verifiable
delay function (henceforth, VDF) in the sense of [4]
1
. These functions should
be computable in a prescribed amount of time Δ, but not faster (the time mea-
sures an amount of sequential work, that is work that cannot be performed faster
by running on a large number of parallel cores), and the result should be easy
to verify (i.e., for a cost polylog(Δ)). These special functions are used in [15]
(under the name of slow-timed hash functions) to construct a trustworthy ran-
domness beacon: a service producing publicly verifiable random numbers, which
are guaranteed to be unbiased and unpredictable. These randomness beacons,
introduced by Rabin in [17], are a valuable tool in a public, decentralised set-
ting, as it is not trivial for someone to flip a coin and convince their peers that
c
IACR 2019. This article is the final version submitted by the author to the IACR
and to Springer-Verlag on March 14, 2019. The version published by Springer-Verlag
is available at https://doi.org/10.1007/978-3-030-17659-4_13.
B. Wesolowski—The author is currently affiliated to CWI
2
, yet this work was completed
at EPFL
1
.
1
The paper [4] was developed independently of the present work, yet we adopt their
terminology for verifiable delay functions, for the sake of uniformity.
c
International Association for Cryptologic Research 2019
Y. Ishai and V. Rijmen (Eds.): EUROCRYPT 2019, LNCS 11478, pp. 379–407, 2019.
https://doi.org/10.1007/978-3-030-17659-4
_13
380 B. Wesolowski
the outcome was not rigged. A number of interesting applications of VDFs have
recently emerged—see [4] for an overview. Most notably, they can be used to
design resource-efficient blockchains, eliminating the need for massively power-
consuming mining farms. VDFs play a key role in the Chia blockchain design
(chia.net), and the Ethereum Foundation (ethereum.org) and Protocol Labs
(protocol.ai) are teaming up to investigate the technology of VDFs which
promise to play a key role in their respective platforms.
There is thereby a well-motivated need for an efficient construction. This
problem was left open in [4], and we address it here with a new, simple, and
efficient VDF.
1.1 Contribution
An efficient construction. The starting point of our construction is the time-
lock puzzle of Rivest, Shamir and Wagner [18]: given as input an RSA group
(Z/N Z)
×
,whereN is a product of two large, secret primes, a random element
x ∈ (Z/N Z)
×
,andatimingparametert, compute x
2
t
. Without the factorisation
of N, this task requires t sequential squarings in the group. More generally, one
could work with any group G of unknown order. This construction is only a
time-lock puzzle and not a VDF, because given an output y, there is no efficient
waytoverifythaty = x
2
t
.
The new VDF construction consists in solving an instance of the time-lock
puzzle of [18], and computing a proof of correctness, which allows anyone to
efficiently verify the result. Fix a timing parameter Δ, a security level k (say,
128, 192,or256), and a group G. Our construction has the following properties:
1. It is Δ-sequential (meaning that it requires Δ sequential steps to evaluate)
assuming the classic time-lock assumption of [18] in the group G.
2. It is sound (meaning that one cannot produce a valid proof for an incorrect
output) under some group theoretic assumptions on G, believed to be true
for RSA groups and class groups of quadratic imaginary number fields.
3. The output and the proof of correctness are each a single element of the group
G (also, the output can be recovered from the proof and a 2k-bit integer; so
it is possible to transmit a single group element and a small integer instead
of 2 group elements).
4. The verification of correctness requires essentially two exponentiations in the
group G, with exponents of bit-length 2k.
5. The proof can be produced in O(Δ/ log(Δ)) group operations.
For applications where a lot of these proofs need to be stored, widely dis-
tributed, and repeatedly verified, having very short and efficiently verifiable
proofs is invaluable.
Following discussions about the present work at the August 2018 workshop
at Stanford hosted by the Ethereum Foundation and the Stanford Center for
Blockchain Research, we note that our construction features two other useful
properties: the proofs can be aggregated and watermarked. Aggregating consists
Efficient Verifiable Delay Functions 381
in producing a single short proof that simultaneously proves the correctness of
several VDF evaluations. Watermarking consists in tying a proof to the evalua-
tor’s identity; in a blockchain setting, this allows to give credit (and a reward) to
the party who spent time and resources evaluating the VDF. These properties
are discussed in Sect. 7.
Note that the method we describe to compute the proof requires an amount
O(Δ/ log(Δ)) group operations. Hence, there is an interval between the guaran-
teed sequential work Δ and the total work (1 + ε)Δ,whereε = O(1/ log(Δ)).
For practical parameters, this ε is in the order of 0.05, and this small part of
the computation is easily parallelizable, so that the total evaluation time with
s coresisaround(1 + 1/(20s))Δ. This gap should be of no importance since
anyways, computational models do not capture well small constant factors with
respect to real-world running time. Precise timing is unlikely to be achievable
without resorting to trusted hardware, thus applications of VDFs are designed
not to be too sensitive to these small factors.
If despite these facts it is still problematic in some application to know the
output of the VDF slightly before having the proof, it is possible to eliminate
this gap by artificially considering the proof as part of the output (the output
is now a pair of group elements, and the proof is empty). The resulting protocol
is still Δ-sequential (trivially), and as noted in Remark 5, it is also sound. We
also propose a second method in Sect. 4.3 which allows to exponentially reduce
the overhead of the proof computation at the cost of lengthening the resulting
proof by a few group elements.
Trapdoor verifiable delay function. The construction proposed is actually a trap-
door VDF, from which we can derive an actual VDF. A party, Alice, holds a
secret key sk (the trapdoor), and an associated public key pk. Given a piece of
data x, a trapdoor VDF allows to compute an output y from x such that anyone
can easily verify that either y has been computed by Alice (i.e., she used her
secret trapdoor), or the computation of y required an amount of time at least
Δ (where, again, time is measured as an amount of sequential work). The veri-
fication that y is the correct output of the VDF for input x should be efficient,
with a cost polylog(Δ).
Deriving a verifiable delay function. Suppose that a public key
pk for a trapdoor
VDF is given without any known associated secret key. This results in a simple
VDF, where the evaluation requires a prescribed amount of time Δ for everyone
(because there is no known trapdoor).
Now, how to publicly generate a public key without any known associated pri-
vate key? In the construction we propose, this amounts to the public generation
of a group of unknown order. A standard choice for such groups are RSA groups,
but it is hard to generate an RSA number (a product of two large primes) with a
strong guarantee that nobody knows the factorisation. It is possible to generate
a random number large enough that with high probability it is divisible by two
large primes (as done in [19]), but this approach severely damages the efficiency
382 B. Wesolowski
of the construction, and leaves more room for parallel optimisation of the arith-
metic modulo a large integer, or for specialised hardware acceleration. It is also
possible to generate a modulus by a secure multiparty execution of the RSA key
generation procedure among independent parties, each contributing some secret
random seeds (as done in [6]). However, in this scenario, a third party would
have to assume that the parties involved in this computation did not collude to
retrieve the secret. We propose to use the class group of an imaginary quadratic
order. One can easily generate an imaginary quadratic order by choosing a ran-
dom discriminant, and when the discriminant is large enough, the order of the
class group cannot be computed. These class groups were introduced in cryptog-
raphy by Buchmann and Williams in [9], exploiting the difficulty of computing
their orders (and the fact that this order problem is closely related to the dis-
crete logarithm and the root problems in this group). To this day, the best known
algorithms for computing the order of the class group of an imaginary quadratic
field of discriminant d are still of complexity L
|d|
(1/2) under the generalised Rie-
mann hypothesis, for the usual function L
t
(s) = exp
O
log(t)
s
log log(t)
1−s
,
asshownin[14]and[20].
Circumventing classic impossibility results. Finally, we further motivate the
notion of trapdoor VDF by showing that it constitutes an original tool to circum-
vent classic impossibility results. We illustrate this in Sect. 8 with a simple and
efficient identification protocol with surprising zero-knowledge and deniability
properties.
1.2 Time-Sensitive Cryptography and Related Work
Rivest, Shamir and Wagner [18] introduced in 1996 the use of time-locks for
encrypting data that can be decrypted only in a predetermined time in the future.
This was the first time-sensitive cryptographic primitive taking into account the
parallel power of possible attackers. Other timed primitives appeared in different
contexts: Bellare and Goldwasser [1,2] suggested time capsules for key escrowing
in order to counter the problem of early recovery. Boneh and Naor [7] introduced
timed commitments: a hiding and binding commitment scheme, which can be
forced open by a procedure of determined running time. More recently, and as
already mentioned, the notion of slow-timed hash function was introduced in
[15] as a tool to provide trust to the generation of public random numbers.
Verifiable delay functions. These slow-timed hash functions were recently revis-
ited and formalised by Boneh et al. in [4] under the name of verifiable delay
functions. The function proposed in [15], sloth, is not asymptotically efficiently
verifiable: the verification procedure (given x and y, verify that sloth(x)=y)
is faster than the evaluation procedure (given x, compute the value sloth(x))
only by a constant factor. The authors of [4] proposed practical constructions
that achieve an exponential gap between evaluation and verification, but do not
strictly achieve the requirements of a VDF. For one of them, the evaluation
requires an amount polylog(Δ) of parallelism to run in parallel time Δ.The
Efficient Verifiable Delay Functions 383
other one is insecure against an adversary that can run a large (but feasible)
pre-computation, so the setup must be regularly updated. The new construction
we propose does not suffer these disadvantages.
Pietrzak’s verifiable delay function. Independently from the present work,
another efficient VDF was proposed in [16]. The author describes an elegant con-
struction, provably secure under the classic time-lock assumption of [18]when
implemented over an RSA group (Z/N Z)
×
where N is a product of two safe
primes. The philosophy of [16] is close to our construction: it consists in solving
the puzzle of [18] (for a timing parameter Δ), and computing a proof of correct-
ness. Their proofs can be computed with O(
√
Δ log(Δ)) group multiplications.
However, the proofs obtained are much longer (they consist of O(log(Δ)) group
elements, versus a single group element in our construction), and the verification
procedure is less efficient (it requires O(log (Δ)) group exponentiations, versus
essentially two group exponentiations in our construction—for exponents of bit-
length the security level k in both cases).
Intheexamplegivenin[18], the group G is an RSA group for a 2048 bit
modulus, and the time Δ is set to 2
40
sequential squarings in the group, so
the proofs are 10KB long. In comparison, in the same setting, our proofs are
0.25KB long.
1.3 Notation
Throughout this paper, the integer k denotes a security level (typically 128, 192,
or 256), and the map H : {0, 1}
∗
→{0, 1}
2k
denotes a secure cryptographic hash
function. For simplicity of exposition, the function H is regarded as a map from
A
∗
to {0, 1}
2k
,whereA
∗
is the set of strings over some alphabet A such that
{0, 1}⊂A. The alphabet A contains at least all nine digits and twenty-six
letters, and a special character . Given two strings s
1
,s
2
∈ A
∗
, denote by
s
1
||s
2
their concatenation, and by s
1
|||s
2
their concatenation separated by .
The function int : {0, 1}
∗
→ Z
≥0
maps x ∈{0, 1}
∗
in the canonical manner
to the non-negative integer with binary representation x. The function bin :
Z
≥0
→{0, 1}
∗
maps any non-zero integer to its binary representation with no
leading 0-characters, and bin(0) = 0.
2 Trapdoor Verifiable Delay Functions
Let Δ : Z
>0
→ R
>0
be a function of the (implicit) security parameter k.This
Δ is meant to represent a time duration, and what is precisely meant by time is
explained in Sect. 3 (essentially, it measures an amount of sequential work). A
party, Alice, has a public key pk and a secret key sk.Letx be a piece of data.
Alice, thanks to her secret key sk, is able to quickly evaluate a function trapdoor
sk
on x. On the other hand, other parties knowing only pk can compute eval
pk
(x) in
time Δ, but not faster (and important parallel computing power does not give a