A Survey of Two Veriﬁable Delay Functions

A veriﬁable delay function (VDF) is an important tool used for adding delay in decentralized applications. This short note brieﬂy surveys and compares two recent beautiful Veriﬁable Delay Functions (VDFs), one due to Pietrzak and the other due to Wesolowski. We also provide a new computational proof of security for one of them, and compare the complexity assumptions needed for both schemes.

1 What is a Verifiable Delay Function?
A verifiable delay function (VDF) [11,2] is a function f : X → Y that takes a prescribed time to compute, even on a parallel computer.However once computed, the output can be quickly verified by anyone.Moreover, every input x ∈ X must have a unique valid output y ∈ Y.
In more detail, a VDF that implements a function X → Y is a tuple of three algorithms: • Setup(λ, T ) → pp is a randomized algorithm that takes a security parameter λ and a time bound T , and outputs public parameters pp, • Eval(pp, x) → (y, π) takes an input x ∈ X and outputs a y ∈ Y and a proof π.
• Verify(pp, x, y, π) → {accept, reject} outputs accept if y is the correct evaluation of the VDF on input x.
If (y, π) ← F (pp, x) then Verify(pp, x, y, π) = accept, for all x ∈ X and pp output by Setup(λ, T ).A VDF must satisfy three properties.We state these properties informally and refer to [2] for a complete definition: • -evaluation time: algorithm Eval(pp, x) runs in time at most (1 + )T , for all x ∈ X and all pp output by Setup(λ, T ).We will explain how to measure run time in the next section.
• Sequentiality: a parallel algorithm A, using at most poly(λ) processors, that runs in time less than T cannot compute the function.Specifically, for a random x ∈ X and pp output by Setup(λ, T ), if (y, π) ← Eval(pp, x) then Pr A(pp, x) = y is negligible.
• Uniqueness: for an input x ∈ X , exactly one y ∈ Y will be accepted by Verify.Specifically, let A be an efficient algorithm that given pp as input, outputs (x, y, π) such that Verify(pp, x, y, π) = accept.Then P r[Eval(pp, x) = y] is negligible.
VDFs have many applications.They are useful for constructing a verifiable randomness beacon, and they provide a "proof of elapsed time" for certain blockchain designs [6].We refer to [2,Sec. 2] for a survey of their applications.

Two Verifiable Delay Functions
A VDF is based on a computational task that cannot be sped up by parallelism.Exponentiation in a group of unknown order is believed to have this property, and was previously used by Rivest, Shamir, and Wagner [13] to construct a time-lock puzzle.The two recent VDF proposals, one due to Pietrzak [12] and the other due to Wesolowski [14], similarly make use of the serial nature of this task.
Both VDF constructions operate as follows: • The setup algorithm Setup(λ, T ) outputs two objects: -A finite abelian group G of unknown order -we will discuss concrete groups in Section 6; -An efficiently computable hash function H : X → G that we model as a random oracle.
We set the public parameters pp to be pp := (G, H, T ).
• The evaluation algorithm Eval(pp, x) is defined as follows: compute the proof π as described later, output (y, π).
We measure running time in terms of the number of group operations in G needed to compute the function.It is believed that computing y requires T sequential squarings in G even on a parallel computer with poly(λ) processors, as required for sequentiality.As we will see, computing the proof π increases the running time to (1 + )T , as needed for -evaluation time.In practice one might set T = 2 30 and = 0.01.
The remaining question is how a public verifier Verify(pp, x, y, π) can quickly check that the output y is correct, namely that y = H(x) (2 T ) .This is where the proposal of Pietrzak and the proposal of Wesolowski differ.They give two different public-coin succinct arguments for proving that the output y is correct.Thanks to the public-coin nature of these arguments they can be made non-interactive using the Fiat-Shamir Heuristic [3,Sec. 19.6.1].
Proving correctness of the output y.To state the problem more abstractly, let us use the following notation: • let g := H(x) ∈ G be the base element given as input to the VDF evaluator; • let h := y ∈ G be the purported output of the VDF, namely h = g (2 T ) ; • T > 0 is a publicly known quantity.
The VDF evaluator needs to produce a proof that a given tuple (G, g, h, T ) satisfies h = g (2 T ) in G.More precisely, we need a succinct public-coin interactive argument for the language (1)

Wesolowski's succinct argument
Wesolowski [14] presents the following succinct public-coin interactive argument for the language L EXP defined in (1).Specifically, given a tuple (G, g, h, T ) as input, the prover and verifier engage in the following protocol to prove that h = g (2 T ) in G.We let Primes(λ) be the set containing the first 2 λ primes, namely 2, 3, 5, 7, etc.
0. The verifier checks that g, h ∈ G and outputs reject if not, 1.The verifier sends to the prover a random prime sampled uniformly from Primes(λ), 2. The prover computes q, r ∈ Z such that 2 T = q + r with 0 ≤ r < , and sends π ← g q to the verifier.
3. The verifier computes r ← 2 T mod and outputs accept if π ∈ G and h = π g r in G We note that the protocol works equally well when the exponent 2 T is an arbitrary integer e, not necessarily a power of two.The verifier just needs a quick way to compute r := e mod .
Non-interactive variant.When the protocol is made non-interactive using the Fiat-Shamir heuristic it is necessary to increase the size of the random prime generated in step (1), otherwise the protocol is insecure, as explained in Section 3.3.In the non-interactive variant obtained by applying Fiat-Shamir, the prover first generates by using a hash function that maps the input (G, g, h, T ) to an element of Primes(2λ), the set containing the first 2 2λ primes.The analysis will assume that this hash function is a random oracle.The prover computes π ← g q as in step (2) above, and outputs this π ∈ G as the proof.The verifier computes the same way as the prover and decides to accept or reject as in step (3) above.Overall, the proof π is a single element in G.
Verifier efficiency.The verifier needs to compute r ← 2 T mod , which only takes log 2 T multiplications in Z/ .Beyond that, the verifier only computes two small exponentiations in G.
Prover efficiency.The prover needs to compute π = g q ∈ G where q = 2 T / .Because T is large, we cannot write out q as an explicit integer exponent.Nevertheless, we can compute π = g q in at most 2T group operations and constant space using the long-division algorithm, where the quotient is computed in the exponent base g.
The running time can be reduced to about T group operations using a windowing method where we process k bits of 2 T per iteration, for some parameter k ≥ 1, say k = 5.
In Appendix A we describe an extension that lets us speed up the computation of g q by a factor of s using s processors.Hence, the VDF output and the proof π can be computed in total time 0. The verifier checks that g, h ∈ G and outputs reject if not, 1.If T = 1 the verifier checks that h = g 2 in G, outputs accept or reject, and stops.

If T > 1 the prover and verifier do:
(a) The prover computes v ← g (2 T /2 ) ∈ G and sends v to the verifier.The verifier checks that v ∈ G and outputs reject and stops, if not.
Next, the prover needs to convince the verifier that h = v (2 T /2 ) and v = g (2 T /2 ) , which proves that h = g (2 T ) .Because the same exponent is used in both equalities, they can be verified simultaneously by checking a random linear combination, namely that The verifier and prover do so as follows.
(c) Both the prover and verifier compute g 1 ← g r v and h 1 ← v r h in G.
(d) The prover and verifier recursively engage in an interactive proof that approximately (1 + 1 s )T with s processors and space s.Wesolowski [14] shows that with space 2 k one can further speed-up the computation by a factor of k.

Pietrzak's succinct argument
Pietrzak [12] presents a different succinct public-coin interactive argument for the language L EXP defined in (1).Specifically, given a tuple (G, g, h, T ) as input, the prover and verifier engage in a recursive protocol shown in Figure 1 to prove that h = g (2 T ) in G.For simplicity, we assume that T is a power of two in which case the protocol takes log 2 T rounds.The protocol can be adjusted to handle arbitrary T , including a T that is not a power of two [12].
Non-interactive variant.When the protocol is made non-interactive using Fiat-Shamir the prover generates the challenge r in every level of the recursion by hashing the quantities (G, g, h, T, v) at that level, and appends v to the overall proof π.Hence, the overall proof π contains log 2 T elements in G.
Verifier efficiency.At every level of the recursion the verifier does two small exponentiations in G to compute g 1 and h 1 for the next level.Hence, verifying the proof takes about 2 log 2 T small exponentiations in G.
Prover efficiency.The prover needs to compute the quantity v at every level of the recursion.We let v 1 , r 1 be the values of v and r at the top level of the recursion, v 2 , r 2 the values at the next level, and so on.Unwinding the recursion shows that these quantities are: = a power product of eight elements g (2 T /16 ) , g (2 3T /16 ) , g (2 5T /16 ) , . . ., g (2 15T /16 ) .
The pattern that emerges suggests an efficient way to construct the proof π.When the VDF evaluator first computes the VDF output h = g (2 T ) it stores 2 d group elements g (2 (i•T /2 d ) ) for i = 0, . . ., 2 d − 1 as they are encountered along the way.Later, as it constructs the proof π, these 2 d stored values let it compute the group elements v 1 , . . ., v d needed for the proof using a total of about 2 d small exponentiations in G.The prover computes the remaining elements v d+1 , v d+2 , . . ., v log T from scratch by raising g d+1 , g d+2 , . . ., g log T to the appropriate exponents.This step takes a total of T /2 d multiplications in G. Hence, the total time to compute the proof is about 2 d + T /2 d , which suggests that d = 1 2 log 2 T is optimal.Hence, the VDF output and the proof π can be computed in total time approximately (1 + 2 √ T )T .

Security assumptions needed to prove soundness
To analyze security of these interactive arguments for L EXP we rely on two complexity assumptions: the low order assumption and the adaptive root assumption.We prove security of Pietrzak's argument in groups where the low order assumption holds.We prove security of Wesolowski's argument in groups where the adaptive root assumption holds.We discuss the relation between these assumptions in Section 4.

Notation.
In what follows we use x ← R S to denote an independent uniform random variable over the set S, and use y ← R A(x) to denote the random variable that is the output of a randomized algorithm A on input x.We say that a function f :

Security of Pietrzak's succinct argument
Let GGen(λ) be a randomized algorithm that outputs the description of a group G of unknown order.The low order assumption says that it is hard to find a low order element in a random group output by GGen(λ).Definition 1.We say that the low order assumption holds for GGen if there is no efficient algorithm A that takes as input the description of a group G generated by GGen(λ), and outputs a pair (µ, d) where µ d = 1 for 1 = µ ∈ G and 1 < d < 2 λ .We say that A outputs a low order element µ in G.More precisely, the advantage is a negligible function of λ.
The following theorem proves soundness of Pietrzak's succinct argument using the low order assumption.The proof is given in Section 5.
Theorem 1. Suppose the low order assumption holds for GGen.Then Pietrzak's succinct argument has negligible soundness error.
Concretely, let A be an algorithm that succeeds with probability in the following task: A takes a description of G ← R GGen(λ) as input, outputs a tuple (G, g, h, T ) ∈ L EXP where 1 ≤ T < 2 t is a power of two, and convinces the verifier to incorrectly accept this tuple.Then there is an algorithm B, whose running time is about twice that of A, that breaks the low order assumption for GGen with advantage at least = ( 2 /t) − ( /2 λ ).Hence if is negligible then so must be .
Necessity of the low order assumption.The low order assumption is necessary for soundness of the protocol -if the assumption does not hold for GGen then the protocol becomes insecure.To see why, let G ← R GGen(λ) and let µ ∈ G be a known element of order d > 1 (i.e., low order is broken).Let (G, g, h, T ) ∈ L EXP .Then the tuple (G, g, hµ, T ) ∈ L EXP will be incorrectly accepted by the verifier with probability 1/d.To do so the prover sends v ← g (2 T /2 ) µ ∈ G which causes the tuple (G, g, hµ, T ) to be incorrectly accepted whenever the verifier chooses an r satisfying r + 1 ≡ 2 T /2 (mod d).This happens with probability 1/d, which is non-negligible when d is small.Note that when r + 1 ≡ 2 T /2 (mod d) we have that (G, g r v, v r (hµ), T /2) ∈ L EXP , which is why the tuple (G, g, hµ, T ) is incorrectly accepted.
Note that if the group G contains no low order elements other than the identity, then the low order assumption holds unconditionally, as does soundness of Pietrzak's succinct argument.We discuss this further in Section 6.

Security of Wesolowski's succinct argument
For the next assumption recall that Primes(λ) denotes the set of first 2 λ positive integer primes.Definition 2. We say that the adaptive root assumption holds for GGen if there is no efficient adversary (A 1 , A 2 ) that succeeds in the following task.First, A 1 outputs an element w ∈ G and some state.Then, a random prime in Primes(λ) is chosen and A 2 ( , state) outputs w 1/ ∈ G.More precisely, the advantage The advantage is always at least 1/|Primes(λ)|.Indeed, if the adversary (A 1 , A 2 ) correctly guesses ∈ Primes(λ) ahead of time, then A 1 would output w ← u , for some u ∈ G, and A 2 would output this u.This is why we must choose the set Primes(λ) to be sufficiently large.The reason we cannot choose uniformly in some interval, but must choose it from Primes(λ), is because a random in {1, . . ., 2 λ } has a reasonable chance of being a smooth integer.The adversary can then win by having A 1 output w ← u B where B is a product of small prime powers up to some bound k, and having A 2 output u B/ .This works whenever is a k-smooth integer.Choosing as a prime number eliminates this attack.
The following theorem proves soundness of Wesolowski's succinct argument using the low order assumption.The proof is given in Section 5.
Concretely, let A be an algorithm that succeeds with probability in the following task: A takes G ← R GGen(λ) as input, outputs a tuple (G, g, h, T ) ∈ L EXP , and convinces the verifier to incorrectly accept this tuple.Then there is an adversary (B 1 , B 2 ) whose combined running time is about the same as the running time of A plus the time to compute T squarings in G.This (B 1 , B 2 ) breaks the adaptive root assumption for GGen with the same advantage that A breaks soundness.
Necessity of the adaptive root assumption.The adaptive root assumption is necessary for soundness of the protocol -if the assumption does not hold for GGen then the protocol becomes insecure.To see why, let (A 1 , A 2 ) be an adaptive root adversary and let G ← R GGen(λ).To break the protocol using (A 1 , A 2 ) choose an arbitrary g ∈ G, fix some T , and run (w, state) ← A 1 (G), where w = 1.Let h ← g (2 T ) .Now, let's see how to convince the verifier to incorrectly accept the tuple (G, g, wh, T ) ∈ L EXP .The verifier outputs a random ∈ Primes(λ) and we need to produce a π such that wh = π g r where 2 T = q + r and 0 ≤ r < .To do so, we run A 2 ( , state) to a get u ∈ G such that u = w.Then π := ug q is a valid proof because π g r = (ug q ) g r = u g q +r = u g (2 T ) = wh, as required.

Security of the non-interactive variants
While Theorems 1 and 2 analyze the interactive variants of the protocols, the non-interactive variants obtained by applying the Fiat-Shamir heuristic can be similarly shown to be secure by an analysis in the random oracle model.
Interestingly, for Wesolowski's succinct argument, there is a loss in soundness between the interactive and non-interactive variants of the protocol, as already mentioned in Section 2.1.This forces us to generate the challenge prime from the set Primes(2λ) instead of Primes(λ); otherwise there is a Õ(2 λ/2 ) time attack on the non-interactive succinct argument.Sampling from Primes(2λ) makes the attack time Õ(2 λ ), which is infeasible.It also makes it possible to prove soundness in the random oracle model [14].This is an example where the Fiat-Shamir heuristic harms the soundness of an argument, and forces the verifier to choose a larger challenge to compensate.
Let's see the Õ(2 λ/2 ) time attack.Suppose is generated using a hash function H that maps an input (G, g, h, T ) to a prime in Primes(λ).
The attacker finds the smallest k ≥ 1 such that H(G, g, hw k , T ) = and ∈ S. (2) If we model H as a random oracle, then each candidate k = 1, 2, . . .satisfies (2) with probability d/2 λ = 2 −λ/2 .Therefore, finding k takes an expected O(2 λ/2 ) tries.Once k is found, observe that and the attacker can compute this π because the exponent (L/ ) is an integer.This π incorrectly convinces the verifier that h := hw k satisfies h = g (2 T ) .Indeed, the verification condition is satisfied, thus breaking soundness.The complete attack runs in expected time Õ(2 λ/2 ), which is needed to compute w and to find k, as promised.

Comparison of the two protocols
Each proof system has its own strengths and no one dominates the other.The proof system of Wesolowski [14] produces shorter proofs (one group element versus log 2 T elements) and proof verification is faster (two exponentiations versus 2 log 2 T ).However, the proof of Pietrzak [12] has two advantages discussed below.
Prover efficiency.For the VDF application, Pietrzak's prover is more efficient.It takes O( √ T ) group operations to construct the proof, where as for Wesolowski it takes O(T ).Both provers parallelize well and can be sped up by a factor of s using s processors, for a moderate value of s.
Comparison of the assumptions.If Wesolowski's protocol is secure then so is Pietrzak's, but the converse is not known to be true.The reason is that if the adaptive root assumption holds then so must the low order assumption.In other words, adaptive root is potentially a stronger assumption than low order.
To show that the adaptive root assumption implies the low order assumption we show the converse -if low order is broken then so is adaptive root.Let G ← R GGen(λ) and let 1 = µ ∈ G be a public element satisfying µ d = 1 for a known d > 1 (i.e., low order is broken).To break the adaptive root assumption, the adversary A 1 outputs µ, and when given a random prime number ∈ Primes(λ), adversary A 2 computes µ 1/ as µ ( −1 mod d) .This works as long as d is not a multiple of , which only happens with negligible probability.

Security proofs
Proof of Theorem 2. We construct an adaptive root adversary (B 1 , B 2 ) that uses A. When B 1 is initialized with input G, it runs A(G) and gets back (G, g, h, T ) ∈ L EXP .Algorithm B 1 then outputs w ← h/g (2 T ) ∈ G, state ← (G, g, h, T, w) and exits.Note that because h = g (2 T ) we have that w = 1, as required of an adaptive root adversary.
Next, a random ∈ Primes(λ) is chosen and B 2 ( , state) is activated.Let 2 T = q + r with 0 ≤ r < .Algorithm B 2 sends the it was given to A, and A outputs π ∈ G. Now, B 2 outputs u ← π/g q ∈ G and exits.If A outputs a valid proof, namely π satisfies h = π g r , then u = (π/g q ) = π g r /g q +r = h/g (2 T ) = w.
Hence, (B 1 , B 2 ) succeeds in breaking the adaptive root assumption with the same advantage as A succeeds in breaking soundness, as required.
Proof of Theorem 1.We use a forking argument to construct an adversary B that breaks the low order assumption using A.
Recall that 2 t is an upper bound on the value T output by A. Let A(G, r 0 , . . ., r t−1 ; R) denote an execution of A with random tape R, where r 0 , . . ., r t−1 are the verifier's challenges at each level of the recursion.The adversary A outputs the protocol transcript which is a sequence of t + 1 tuples: (P 0 , v 0 ), . . ., (P t , v t ) where P i = (G, g i , h i , T /2 i ) is the input to the recursion at level i, and v i is the prover's message at level i. Recall that g i ← g Here we assume T = 2 t , but if T < 2 t then we replicate the last pair (P log 2 T , v log 2 T ) to get a full transcript of t + 1 tuples.
Next, define the following probabilistic experiment EXP: 1. choose a random tape R for A.
4. if P 0 ∈ L EXP but P t ∈ L EXP (i.e., the verifier incorrectly accepts P 0 ) then: • let j be the lowest index for which P j ∈ L EXP but P j+1 ∈ L EXP .
• if P j+1 ∈ L EXP and r j = r j , output (g j , h j , T /2 j+1 , v j , r j , r j ) and stop.
5. in all other cases output fail.
Let E be the event that EXP does not output fail.When E happens we have P j ∈ L EXP and P j+1 , P j+1 ∈ L EXP .Therefore, if EXP outputs g, h, T , v, r, r we have that Re-arranging terms of the two equalities on the right we get Dividing the left equality by the right we obtain Hence µ := g (2 T ) /v is an element of order at most 0 < |r − r | < 2 λ in G.
To summarize, algorithm B runs experiment EXP, and if it does not fail, it outputs (µ, d).This shows that when event E happens, algorithm B succeeds in breaking the low order assumption.It remains to determine how likely is event E to happen.Fortunately this has already been worked out in the generalized forking lemma of Bellare and Neven [1, Lemma 1].An application of their lemma shows that if A succeeds in fooling the verifier with probability , then event E happens with probability at least ( 2 /t) − ( /2 λ ), as required.

Concrete groups
The RSA group.Let GGen be an algorithm that outputs an odd integer N with an unknown factorization.Computing order of the multiplicative group G := (Z/N ) * is as hard as factoring N , and therefore G can be used as a group of unknown order.However, the low order assumption is trivially false in such groups because (−1) ∈ Z/N is an element of order two.Fortunately, this is the only impediment and it is easily corrected by instead working in the group G + := G/{±1}.Elements in this group are represented as cosets {x, −x} for x ∈ G and multiplication is defined as {x, −x} • {y, −y} = {xy, −xy}.Of course when computing in this group it suffices to represent a coset {x, −x} by a single number, either x or −x, whichever is in the range [0, N/2).The low order assumption is believed to hold for a group generator GGen that generates such groups.
We note that while Pietrzak [12] suggested using integers N that are a product of strong primes, our use of the low order assumption suggests that soundness holds for more general N .Recall that a prime number p is strong if (p−1)/2 is also a prime number.If N = p•q is a product of distinct strong primes then the group G of quadratic residues in (Z/N ) * (i.e.G := {z 2 : z ∈ (Z/N ) * }) contains no elements of low order other than 1.Hence, the low order assumption holds unconditionally in this group.Pietrzak proved unconditional soundness of the protocol when used in this group G .By relying on the low order assumption we are able to prove soundness even when N is not a product of strong primes.We note that checking membership in G is difficult and this complicates the protocol.Checking membership in G + is easy so that the protocol in Figure 1 can be used as is.
The difficulty with the group (Z/N ) * is that for best results the group generator GGen must be trusted to not reveal the factorization of N .One can instead make GGen use public randomness to choose a sufficiently large N so that factoring N is hard.However the resulting N must be so large as to be impractical.
The class group of an imaginary quadratic number field.To solve the trusted setup problem one can instead use the class group of the number field Q( √ p), where p is a negative prime p ≡ 1 mod 4, as suggested by Wesolowski [14].This class group has odd order and computing its order is believed to be difficult when |p| is large.See [4] for a discussion on the choice of cryptographic parameters for such groups.Concretely, the group generator GGen(λ) outputs a negative prime p from which the class group of Q( √ p) is completely specified.
The Cohen-Lenstra heuristics [7] suggest that for imaginary quadratic number fields: • the frequency of fundamental discriminants for which the odd part of the class group is cyclic is about 97.6%, • the frequency f (d) of fundamental discriminants for which the order of the class group is divisible by d is approximately: = 16%.
These heuristics suggest that the class group is often cyclic, but often contains elements of small odd order.The question is how hard is it to find an element of small odd order, if one exists?
An approach to finding low order elements in class groups.The low order assumption in the class group of an imaginary quadratic extension has not been studied much, and is a fascinating avenue for future work.For example, can we find an element of order three if one exists?
We mention one possible avenue for attack based on the work of Ellenberg and Venkatesh [9].Let I be an ideal of order 3 in the class group of Q( √ p).Then I 3 is principle meaning that The first inequality follows from the fact that we can take I to be a reduced ideal in the class group.
The second and third inequalities follow from the first.If we could find an integral point (x, y, z) satisfying ( 6) on the surface (5), where z is not a perfect square, then we will likely break the low order assumption in the class group of Q( √ p).We want a point (x, y, z) where |z| ≤ |p| is not a perfect square to ensure that z is not the norm of a principal ideal.Fortunately for this paper, the bounds (6) are out of reach for Coppersmith's method for finding low-norm integral points on curves and surfaces [8].However, perhaps Coppersmith's method can be tuned specifically for this family of surfaces?We leave that for future work.

Open problems
Post-quantum security.We conclude by pointing out that the two VDFs surveyed here are insecure against an adversary who has access to a quantum computer -a quantum computer can easily calculate the order of the group G using Shor's algorithm and break the VDF.It is a wonderful open problem to find a simple VDF that is post-quantum secure.Some of the VDFs studied in [2] are post-quantum secure, but it would be helpful to have a simpler construction.For example, Buterin [5] describes and implements one of the constructions from [2] using a combination of MiMC and a STARK.Sequential composition of isogenies on elliptic curves is a promising area for a post-quantum VDF.An interesting proposal for a VDF from isogenies is reported in [10].However, that construction is not designed to be post-quantum secure, and requires a trusted setup.