A Survey of Two Verifiable Delay Functions Using Proof of Exponentiation

. A verifiable delay function (VDF) is an important tool used for adding delay in decentralized applications. This paper surveys and compares two elegant verifiable delay functions, one due to Pietrzak (ITCS’19), and the other due to Wesolowski (Eurocrypt’19). We provide a new computational proof of security for one of them, present an attack on a natural but incorrect implementation of the other, and compare the complexity assumptions needed for both schemes.


Introduction: What is a Verifiable Delay Function?
A verifiable delay function (VDF) [LW17,BBBF18] is a function f : X → Y that takes a prescribed time to compute, even on a parallel computer.However once computed, the output can be quickly verified by anyone.Moreover, every input x ∈ X must have a unique valid output y ∈ Y.
In more detail, a VDF is a tuple of three algorithms: • Setup(1 λ , T ) → pp is a PPT algorithm that takes as input a security parameter λ and a time bound T , both positive integers, and outputs public parameters pp.This pp includes a description of the domain X and range Y of the VDF.
• Eval(pp, x) → (y, π) takes an input pp and x ∈ X , and outputs y ∈ Y and a proof π.
Let Eval 1 (pp, x) be the algorithm that runs Eval(pp, x) and outputs only y ∈ Y.
While Eval can be randomized, we require that for every (pp, x) there is a unique y ∈ Y such that Eval 1 (pp, x; r) = y, for all random bit strings r consumed by Eval.
• Verify(pp, x, y, π) → {accept, reject} outputs accept if y is the correct evaluation of the VDF on input x.The algorithm must run in time at most poly(λ, log T ).
We require that for all pp output by Setup(1 λ , T ) and all x ∈ X we have that if (y, π) ← Eval(pp, x) then Pr[Verify(pp, x, y, π) = accept] = 1.
A VDF must satisfy three properties.We state these properties informally and refer to [BBBF18] for a complete definition: • ϵ-evaluation time: algorithm Eval(pp, x) runs in time at most (1 + ϵ)T for all pp output by Setup(1 λ , T ), all x ∈ X , and all random bits consumed by Eval.We will explain how to measure run time in the next section.
• Sequentiality: a parallel algorithm A, using at most poly(λ) processors, that runs in time less than T cannot compute the function.That is, for every such A, if pp is sampled by Setup(1 λ , T ) and x is uniform in X , then Pr A(pp, x) = Eval 1 (pp, x) is negligible in λ.This should hold even if A can spend time poly(λ, T ) to preprocess pp before x is given.Here we are assuming that T is at most poly-log in |X |.
• Uniqueness: for an input x ∈ X , exactly one y ∈ Y will be accepted by Verify.Specifically, for every PPT algorithm A, if pp is sampled by Setup(1 λ , T ) and A(pp) outputs (x, y, π), then Pr Verify(pp, x, y, π) = accept AND Eval 1 (pp, x) ̸ = y is a negligible function of λ.VDFs have many applications.They are useful for constructing a verifiable randomness beacon [BN22], and they provide a "proof of elapsed time" for certain blockchain designs [CP18].We refer to [BBBF18, Sec.2] and [MLQ23] for a survey of their applications.
How to build a VDF?A VDF is built from a computational task that cannot be sped up substantially by parallelism.Some candidate tasks include: • Iterating a cryptographic hash function H : X → X .In particular, for certain H it is believed that computing y ← H(H(H(• • • H(x) • • • ))) for a random x ∈ X cannot be substantially sped up by parallelism.The challenge in using this for a VDF is designing a fast verifier to check that y is correct.We briefly discuss VDFs based on this task in Section 7.These VDFs use a general purpose succinct argument system, a SNARK, to convince the verifier that y is correct.
Constructing VDFs this way is the main topic of this survey.
• Exponentiation in a finite abelian group of known order.The Minroot VDF candidate [KMT22] uses several rounds of exponentiation in the multiplicative group Z/p, for some fixed 256-bit prime p.Unfortunately, it was later discovered that exponentiation in Z/p can be sped up by parallel processing using sufficiently many processors [LMPR23].
• Sequential composition of isogenies on elliptic curves [DMPS19].We discuss VDFs based on this task in Section 7.
We also mention that the mere existence of some task that cannot be parallelized, is sufficient to construct a delay mechanism [BGJ + 16, JMRR21].These generic constructions rely on obfuscation or other heavy tools, and cannot, currently, be practically instantiated.
This survey.We survey two VDFs built from exponentiation in a finite abelian group of unknown order.For certain families of such groups it is believed that exponentiation cannot be substantially sped up by parallelism.Rotem and Segev [RS20] proved that speeding up repeated squaring in a generic ring is equivalent to factoring.Rivest, Shamir, and Wagner [RSW96] relied on this property to construct a time-lock puzzle.Two elegant VDF proposals, one due to Wesolowski [Wes19,Wes20], and another due to Pietrzak [Pie19], make use of the serial nature of exponentiation.These two constructions are the main topic of this survey.Our goal is to present, analyze, and compare both constructions using a unified notation.Along the way we make two observations.First, in Theorem 1 we give a new security analysis of the Pietrzak proof of exponentiation that expands the set of groups where the protocol is sound.This is needed in instantiations of the protocol that use class groups.Second, in Section 3.3 we present an attack on a natural but incorrect implementation of the Wesolowski proof of exponentiation.

Two Verifiable Delay Functions
We begin by describing a general framework for building a VDF using exponentiation in a finite abelian group of unknown order.Both the VDF constructions of Pietrzak [Pie19] and Wesolowski [Wes19] follow this framework.This abstract VDF operates as follows.
• The setup algorithm Setup(1 λ , T ) outputs two objects: -A finite abelian group G of unknown order; we discuss specific families of groups in Section 6; -An efficiently computable hash function H : X → G that is modeled as a random oracle.
The public parameters pp are set to be pp := (G, H, T ).
• The evaluation algorithm Eval(pp, x) is defined as follows: compute the proof π as described later, -output (y, π).
We measure the evaluation running time in terms of the number of group operations in G needed to compute the function.For certain families of groups, it is believed that computing y requires T sequential squarings in G even on a parallel computer with poly(λ) processors.As we will see, computing the proof π increases the running time to (1 + ϵ)T , which satisfies ϵ-evaluation time.In practice one might set T = 2 30 and ϵ = 0.01.
The remaining question is how a public verifier Verify(pp, x, y, π) can quickly check that the output y is correct, namely that y = H(x) (2 T ) .This is where the two VDF constructions differ.They give two different public coin succinct arguments for proving that the output y is correct.Thanks to the public coin nature of these arguments, they can be made non-interactive using the Fiat-Shamir transformation [FS87].
Proving correctness of the output y.To state the problem more abstractly, let us use the following notation: • let G be a finite abelian group whose order is unknown to the VDF evaluator; • let g := H(x) ∈ G be the base element given as input to the VDF evaluator; • let h := y ∈ G be the purported output of the VDF, namely h = g (2 T ) ; • let T > 0 be a publicly known integer.
The VDF evaluator needs to produce a proof that a given tuple (G, g, h, T ) satisfies h = g (2 T ) in G.More precisely, we need a succinct public coin interactive argument for the language (1) There is a simple private coin proof system for this language [Mao01, Sec.4].However, designing a succinct public coin argument is harder.A public coin protocol is important for practical applications because it can be made non-interactive using the Fiat-Shamir transform.
The prover and verifier take as input (G, g, h, T ) and do: 0. The verifier checks that g, h are in G and outputs reject if not.
1.The verifier sends to the prover a random prime ℓ sampled uniformly from the set Primes(λ).
2. The prover computes q, r ∈ Z such that 2 T = qℓ + r with 0 ≤ r < ℓ, and sends π ← g q ∈ G to the verifier.
3. The verifier computes r ← 2 T mod ℓ and outputs accept if π ∈ G and h = π ℓ g r in G.

Wesolowski's succinct argument for L EXP
Wesolowski [Wes19,Wes20] presents a succinct public coin interactive argument for the language L EXP defined in (1).Specifically, given a tuple (G, g, h, T ) as input, the prover and verifier engage in the protocol in Figure 1 to prove that h = g (2 T ) in G.Here we use Primes(λ) to denote the set containing the first 2 λ primes, namely 2, 3, 5, 7, etc.We prove security of the protocol in Section 3. We note that the protocol works equally well when the exponent 2 T is an arbitrary integer e, not necessarily a power of two.The verifier just needs a quick way to compute r := e mod ℓ in step (3).
Non-interactive variant.When the protocol is made non-interactive using the Fiat-Shamir transform it is necessary to generate the prime ℓ in step (1) from the set Primes(2λ), the set containing the first 2 2λ primes.Generating ℓ from Primes(λ), as in the interactive protocol in Figure 1, results in an insecure protocol; we present an attack in Section 3.3.With this modification, the non-interactive variant obtained by applying Fiat-Shamir, works by having the prover first generate ℓ using a hash function that maps the input (G, g, h, T ) to an element of Primes(2λ).The analysis will assume that this hash function is a random oracle.The prover computes π ← g q as in step (2) in Figure 1, and outputs this π ∈ G as the proof.The verifier computes ℓ the same way as the prover and decides to accept or reject as in step (3).Overall, the proof π is a single element in G.The Verifier's work.The verifier needs to hash the transcript into Primes(2λ).It also needs to compute r ← 2 T mod ℓ, which only takes log 2 T multiplications in Z/ℓ.Beyond that, the verifier only computes two small exponentiations in G.The verifier was further optimized in [AVD22].The Prover's work.The prover needs to compute π = g q ∈ G where q = ⌊2 T /ℓ⌋.Because T is large, we cannot write out q as an explicit integer exponent.Nevertheless, The prover and verifier take as input (G, g, h, T ) and do: 0. The verifier checks that g, h are in G and outputs reject if not.
1.If T = 1 the verifier checks that h = g 2 in G, outputs accept or reject, and stops.

If T > 1 the prover and verifier do:
(a) The prover computes v ← g (2 T /2 ) ∈ G and sends v to the verifier.The verifier checks that v ∈ G and, if not, outputs reject and stops.
Next, the prover needs to convince the verifier that h = v (2 T /2 ) and v = g (2 T /2 ) , which together prove that h = g (2 T ) .Because the same exponent is used in both equalities, the two checks can be folded into a single equality test by checking a random linear combination, namely that The verifier and prover do so as follows.
(c) Both the prover and verifier compute g 1 ← g r v and h 1 ← v r h in G.
(d) The prover and verifier recursively engage in an interactive proof that the prover can compute π = g q in at most 2T group operations and constant space using the long-division algorithm, where the quotient is computed "in the exponent" base g.The algorithm works as follows: The running time can be reduced to about T group operations using a windowing method where we process k bits of 2 T per iteration, for some parameter k ≥ 1, say k = 5.
In Appendix A we describe an extension that speeds up the computation of g q by a factor of s using s processors.Hence, the VDF output and the proof π can be computed in total time approximately (1 + 1 s )T with s processors and space s.Wesolowski [Wes19, Wes20] shows that with space 2 k one can further speed up the computation by a factor of k.

Pietrzak's succinct argument for L EXP
Pietrzak [Pie19] presents a different succinct public coin interactive argument for the language L EXP defined in (1).Given a tuple (G, g, h, T ) as input, the prover and verifier engage in a recursive protocol shown in Figure 2 to prove that h = g (2 T ) in G.For simplicity, we assume that T is a power of two in which case the protocol takes log 2 T rounds.The protocol can be adjusted to handle arbitrary T , including a T that is not a power of two [Pie19].We prove security of this protocol in Section 3.
Non-interactive variant.When the protocol is made non-interactive using Fiat-Shamir the prover generates the challenge r in every level of the recursion by hashing the entire transcript to this point, and appends v to the overall proof π.Hence, the overall proof π contains log 2 T elements in G.The Verifier's work.At every level of the recursion the verifier does two λ-bit exponentiations in G to compute g 1 and h 1 for the next level.Hence, verifying the proof takes about 2 log 2 T small exponentiations in G.The Prover's work.The prover computes the quantity v at every level of the recursion.We let v 1 , r 1 be the values of v and r at the top level of the recursion, v 2 , r 2 the values at the next level, and so on.Unwinding the recursion shows that these quantities are: = a power product of eight elements The pattern that emerges suggests an efficient way to construct the proof π.When the VDF evaluator first computes the VDF output h = g (2 T ) it stores 2 d group elements g (2 (i•T /2 d ) ) for i = 0, . . ., 2 d − 1 as they are encountered along the way.Later, as it constructs the proof π, these 2 d stored values let it compute the group elements v 1 , . . ., v d needed for the proof using a total of about 2 d small exponentiations in G (each exponent is a product of some subset of {r 1 , . . ., r d } and is therefore at most dλ bits).The prover computes the remaining elements v d+1 , v d+2 , . . ., v log T from scratch by raising g d+1 , g d+2 , . . ., g log T to the appropriate exponents.This step takes a total of T /2 d multiplications in G. Hence, the total time to compute the proof is about 2 d + T /2 d , which suggests that d = 1 2 log 2 T is optimal.Hence, the VDF output and the proof π can be computed in total time approximately (1 + 2 √ T )T .

Security assumptions needed to prove soundness
To analyze security of these interactive arguments for L EXP we rely on two complexity assumptions: the low order assumption and the adaptive root assumption.We prove soundness of Pietrzak's argument in groups where the low order assumption holds.We prove soundness of Wesolowski's argument in groups where the adaptive root assumption holds.We discuss the relation between these assumptions in Section 4.

Notation.
In what follows we use x ← R S to denote an independent uniform random variable over the set S, and use y ← R A(x) to denote the random variable that is the output of a randomized algorithm A on input x.We say that a function f : A group generator is a PPT algorithm GGen(1 λ ) that outputs the description of a group G.In Section 6 we will discuss group generators that are believed to output the description of a group of unknown order.
We say that an interactive argument for L EXP has negligible soundness error if for every PPT adversary A = (A 0 , A 1 ) the following function is negligible in λ where A 1 (state), V (G, g, h, T ) = accept is the event that the verifier V with input (G, g, h, T ) outputs accept when interacting with A 1 (state) as the prover.The definition extends to the random oracle model by giving A 0 , A 1 , and V access to the random oracle.

Security of Pietrzak's succinct argument
The low order assumption says that it is hard to find a low order element in a group G output by a group generator GGen(1 λ ).
Definition 1.We say that the low order assumption holds for GGen if there is no PPT algorithm A that takes as input the description of a group G generated by GGen(1 λ ), and outputs a pair (µ, d) where µ d = 1 for 1 ̸ = µ ∈ G and 1 < d < 2 λ .We say that A outputs a low order element µ in G.More precisely, the advantage is a negligible function of λ.
The following theorem proves soundness of Pietrzak's succinct argument using the low order assumption.The proof is given in Section 5.

Theorem 1. Suppose the low order assumption holds for GGen. Then Pietrzak's interactive succinct argument has negligible soundness error.
Concretely, let A be an algorithm that succeeds with probability ϵ in the following task: A takes a description of G ← R GGen(1 λ ) as input, outputs a tuple (G, g, h, T ) ̸ ∈ LEXP where 1 ≤ T < 2 t is a power of two, and convinces the verifier to incorrectly accept this tuple.Then there is an algorithm B, whose running time is about twice that of A, that breaks the low order assumption for GGen with advantage at least ϵ ′ := (ϵ 2 /t) − (ϵ/2 λ ).Hence if ϵ ′ is negligible then so must be ϵ.

Necessity of the low order assumption.
The low order assumption is necessary for soundness of the protocol; if the assumption does not hold for GGen then the protocol becomes insecure.To see why, let G ← R GGen(1 λ ) and let µ ∈ G be a known element of low order d > 1 (i.e., low order is broken).Let (G, g, h, T ) ∈ L EXP .Then the prover can cause the tuple (G, g, hµ, T ) ̸ ∈ L EXP to be incorrectly accepted by the verifier with probability 1/d.To do so, the prover sends v ← g (2 T /2 ) µ ∈ G to the verifier.We claim that this causes (G, g, hµ, T ) to be incorrectly accepted whenever the verifier chooses an r satisfying r +1 ≡ 2 T /2 (mod d).This happens with probability 1/d, which is non-negligible when d is small.
To see why (G, g, hµ, T ) is incorrectly accepted when r + 1 ≡ 2 T /2 (mod d) observe that the tuple G, g r v, v r (hµ), T /2 generated in the recursive step, Step (2d) in Figure 2, is a tuple in L EXP .To see why, recall that the prover sets v = g (2 T /2 ) µ and moreover µ 2 (T /2) = µ r+1 .Hence, Therefore G, g r v, v r (hµ), T /2 is in L EXP , which means that the verifier accepts it in the recursive step.As a result, the verifier incorrectly accepts G, g, hµ, T whenever it chooses an r satisfying r + 1 ≡ 2 T /2 (mod d).This happens with probability 1/d.Concretely, this attack shows that for 128-bit security, the adversary had better not be able to find an element in G of order less than 2 128 .Remark 1.If the group G contains no low order elements, other than the identity, then the low order assumption holds unconditionally, as does soundness of Pietrzak's succinct argument.The original analysis of Pietrzak [Pie19] focused on this case, which excludes some desirable instantiations, such as class groups, where low order elements may exist.We discuss this further in Section 6.
Remark 2.Even the if the adversary has an element in G of very low order, say order 2, the attack above only lets it fool the verifier with probability 1/2.Block et al. [BHR + 21] use this to show that by running λ instances of Pietrzak's protocol in parallel, we obtain a proof system that is unconditionally sound, with soundness error of about 1/2 λ .Of course, this comes at the cost of making the proof λ times bigger and λ times harder to generate.For special exponents e that come up in applications, Hoffmann et al. [HHK + 22] show that one can reduce the number of required parallel instances to about λ/ log log e.

Security of Wesolowski's succinct argument
For the next assumption recall that Primes(λ) denotes the set of first 2 λ positive integer primes.
Definition 2. We say that the adaptive root assumption holds for GGen if there is no PPT adversary (A 1 , A 2 ) that succeeds in the following task.First, A 1 outputs an element w ∈ G and some state.Then, a random prime ℓ in Primes(λ) is chosen and A 2 (ℓ, state) outputs w 1/ℓ ∈ G.More precisely, the advantage ARadv (A1,A2),GGen (λ) := Pr The advantage is always at least 1/|Primes(λ)|.Indeed, if the adversary (A 1 , A 2 ) correctly guesses ℓ ∈ Primes(λ) ahead of time, then A 1 would output w ← u ℓ , for some u ∈ G, and A 2 would output this u.This is why we must choose the set Primes(λ) to be sufficiently large.The reason we cannot choose ℓ uniformly in some interval, but must choose it from Primes(λ), is because a random ℓ in {1, . . ., 2 λ } has a reasonable chance of being a smooth integer.The adversary can then win by having A 1 output w ← u B where B is a product of all small prime powers up to some bound k, and having A 2 output u B/ℓ .This works whenever ℓ is a k-smooth integer, so that B/ℓ is an integer.Choosing ℓ as a prime number eliminates this attack.
The following theorem proves soundness of Wesolowski's succinct argument using the adaptive root assumption.The proof is given in Section 5.

Concretely, let A be an algorithm that succeeds with probability ϵ in the following task:
A takes G ← R GGen(1 λ ) as input, outputs a tuple (G, g, h, T ) ̸ ∈ LEXP, and convinces the verifier to incorrectly accept this tuple.Then there is an adversary (B1, B2) whose combined running time is about the same as the running time of A plus the time to compute T squarings in G.This (B1, B2) breaks the adaptive root assumption for GGen with the same advantage ϵ that A breaks soundness.

Necessity of the adaptive root assumption.
The adaptive root assumption is necessary for soundness of the protocol; if the assumption does not hold for GGen then the protocol becomes insecure.To see why, let (A 1 , A 2 ) be an adaptive root adversary and let G ← R GGen(1 λ ).To break the protocol using (A 1 , A 2 ) choose an arbitrary g ∈ G, fix some T , and run (w, state) ← A 1 (G), where w ̸ = 1.Let h ← g (2 T ) .Now, let us see how to convince the verifier to incorrectly accept the tuple (G, g, wh, T ) ̸ ∈ L EXP .The verifier outputs a random ℓ ∈ Primes(λ) and we need to produce a π such that wh = π ℓ g r , where r ≡ 2 T mod ℓ and 0 ≤ r < ℓ.To do so, calculate q and r ∈ [0, ℓ) such that 2 T = qℓ + r.Then run A 2 (ℓ, state) to a get u ∈ G such that u ℓ = w.Now π := ug q is a valid proof because π ℓ g r = (ug q ) ℓ g r = u ℓ g qℓ+r = u ℓ g (2 T ) = wh, as required.Concretely, this attack shows that for 128-bit security, we must ensure that the challenge space from which ℓ is chosen contains at least 2 128 primes.

Security of the non-interactive variants
While Theorems 1 and 2 analyze the interactive variants of the protocols, the non-interactive variants obtained by applying the Fiat-Shamir transform can be similarly shown to be secure by an analysis in the random oracle model.Interestingly, for Wesolowski's succinct argument, there is a loss of soundness between the the interactive and non-interactive variants of the protocol, as already mentioned in Section 2.1.To explain the issue, let us first recall a basic result about 2-special sound sigma protocols, such as Schnorr's proof of knowledge of discrete log [BS22,Ch. 19].For such protocols, if the interactive version is secure with a λ-bit verifier challenge, then the noninteractive version obtained via Fiat-Shamir is also secure with a λ-bit challenge [AFK23].One might expect that the same holds for Wesolowski's argument.However, that is not the case.We show that when the Fiat-Shamir hash function outputs a challenge ℓ in Primes(λ), there is a practical Õ(2 λ/2 ) time attack on Wesolowski's non-interactive argument that succeeds with probability close to 1.That is, a malicious prover can fool the verifier into accepting an incorrect statement (G, g, h, T ) ̸ ∈ L EXP with Õ(2 λ/2 ) work.Concretely, taking λ = 128 results in an insecure argument that can be defeated by a malicious prover with about 2 64 work.
Our attack matches the security analysis of the non-interactive variant.Wesolowski shows in [Wes19] that if the Fiat-Shamir hash function, modeled as a random oracle, outputs a prime ℓ in Primes(2λ), then a malicious prover will fool the verifier in the non-interactive argument with probability at most Q 2 /2 2λ , where Q is the maximum number of queries that the adversary makes to the random oracle.Hence, any malicious prover that succeeds with probability close to 1, must make at least Q ≥ 2 λ queries to the random oracle, and therefore must run in time at least 2 λ , which is infeasible.Our attack described below shows that the expression Q 2 /2 2λ is not an artifact of the proof, but an inherent property of the protocol.
The attack and the matching security analysis shows that for Wesolowski's noninteractive argument to be secure, one must use a Fiat-Shamir hash function that outputs a challenge ℓ in Primes(2λ).Concretely for 128-bit security, the hash function must output a 256-bit prime ℓ.
The attack.Let us see a Õ(2 λ/2 ) time attack on Wesolowski's non-interactive argument when the Fiat-Shamir hash function outputs a prime ℓ in Primes(λ).Let H be a hash function that maps an input (G, g, h ′ , T ) to a prime ℓ in Primes(λ).
Then (G, g, h, T ) ∈ L EXP .We can assume that w ̸ = 1, otherwise choose a different subset S. Now, the attacker finds the smallest k ≥ 1 such that H(G, g, hw k , T ) = ℓ and ℓ ∈ S. (3) If we model H as a random oracle, then each candidate k = 1, 2, . . .satisfies (3) with probability d/2 λ = 2 −λ/2 .Therefore, finding k takes an expected O(2 λ/2 ) tries.Once k is found, observe that The attacker can compute this π because the exponent (L/ℓ) is an integer.This π incorrectly convinces the verifier that h ′ := hw k satisfies h ′ = g (2 T ) .Indeed, the verification condition is satisfied, thus breaking soundness.The complete attack runs in expected time Õ(2 λ/2 ), which is the time needed to compute w and to find k, as promised.
Concretely, for 128-bit security, this attack shows that the verifier must generate its random challenge ℓ from Primes(2 256 ).Generating ℓ from Primes(2 128 ) would make the non-interactive version of the protocol insecure.In the interactive version of the protocol, sampling ℓ from Primes(2 128 ) is fine, as implied by Theorem 2.

Comparing the two protocols
Each proof system has its own strengths and no one dominates the other.The proof system of Wesolowski [Wes19,Wes20] produces shorter proofs (one group element versus log 2 T elements) and proof verification is faster (two exponentiations versus 2 log 2 T ).However, the proof of Pietrzak [Pie19] has two advantages discussed below.
Prover efficiency.For the VDF application, Pietrzak's prover is more efficient.It takes O( √ T ) group operations to construct the proof, where as for Wesolowski it takes O(T ).Both provers parallelize well and can be sped up by a factor of s using s processors, for a moderate value of s.
Comparing the assumptions.If Wesolowski's protocol is secure then so is Pietrzak's, but the converse is not known to be true.The reason is that if the adaptive root assumption holds then so must the low order assumption.In other words, adaptive root is potentially a stronger assumption than low order.
To show that the adaptive root assumption implies the low order assumption we show the contra-positive: if low order is broken then so is adaptive root.Let G ← R GGen(1 λ ) and let 1 ̸ = µ ∈ G be a public element satisfying µ d = 1 for a known 1 < d < 2 λ (i.e., low order is broken).To break the adaptive root assumption, the adversary A 1 outputs µ, and when given a random prime number ℓ ∈ Primes(λ), adversary A 2 computes µ 1/ℓ as µ (ℓ −1 mod d) .This works as long as gcd(ℓ, d) = 1.Since ℓ is a prime, this is equivalent to ℓ is not a factor of d, which holds with overwhelming probability.Hence, A 2 succeeds with overwhelming probability.

Security proofs
Proof of Theorem 2. We construct an adaptive root adversary (B 1 , B 2 ) that uses A. When B 1 is initialized with input G, it runs A(G) and gets back (G, g, h, T ) ̸ ∈ L EXP .
Algorithm B 1 then outputs w ← h/g (2 T ) ∈ G, state ← (G, g, h, T, w) and exits.Note that because h ̸ = g (2 T ) we have that w ̸ = 1, as required of an adaptive root adversary.
Next, a random ℓ ∈ Primes(λ) is chosen and B 2 (ℓ, state) is activated.Let 2 T = qℓ + r with 0 ≤ r < ℓ.Algorithm B 2 sends the ℓ it was given to A, and A outputs π ∈ G. Now, B 2 outputs u ← π/g q ∈ G and exits.If A outputs a valid proof, namely π satisfies h = π ℓ g r , then Hence, (B 1 , B 2 ) succeeds in breaking the adaptive root assumption with the same advantage as A succeeds in breaking soundness, as required.
Proof of Theorem 1.We use a forking argument to construct an adversary B that breaks the low order assumption using A. Recall that 2 t is an upper bound on the value T output by A.
Let A(G, r 0 , . . ., r t−1 ; R) denote an execution of A with random tape R, where r 0 , . . ., r t−1 ∈ {1, . . ., 2 λ } are the verifier's challenges at each level of the recursion.The adversary A outputs the protocol transcript which is a sequence of t + 1 tuples: (P 0 , v 0 ), . . ., (P t , v t ) where P i = (G, g i , h i , T /2 i ) is the input to the recursion at level i, and v i ∈ G is the prover's message at level i, for i = 0, 1, . . ., t.Here P 0 = (G, g 0 , h 0 , T ) ̸ ∈ L EXP is the tuple chosen by A that it is trying to get the verifier to accept incorrectly.A does so by choosing v 0 , . . ., v t ∈ G in response to the random challenges r 0 , . . ., r t−1 .The tuples P 1 , . . ., P t are defined by the protocol in Figure 2 We assume that T = 2 t , but if T is a power of two less than 2 t , then we replicate the last pair (P log 2 T , v log 2 T ) to get a full transcript of t + 1 tuples.
Next, define the following probabilistic experiment EXP: 1. choose a random tape R for A.
4. if P 0 ̸ ∈ L EXP but P t ∈ L EXP (i.e., the verifier incorrectly accepts P 0 ) then: • let j be the lowest index for which P j ̸ ∈ L EXP but P j+1 ∈ L EXP .
• if P ′ j+1 ∈ L EXP and r j ̸ = r ′ j , output (g j , h j , T /2 j+1 , v j , r j , r ′ j ) and stop. 5. in all other cases output fail.Let E be the event that EXP does not output fail.When E happens we have P j ̸ ∈ L EXP and P j+1 , P ′ j+1 ∈ L EXP .Therefore, if EXP outputs g, h, T , v, r, r ′ we have that Re-arranging terms of the two equalities on the right we get Dividing the left equality by the right we obtain Hence µ := g (2 T ) /v is an element of order at most d := |r − r ′ | in G, where 0 < d < 2 λ .We show that µ ̸ = 1.Suppose towards a contradiction that µ = 1.Then v = g (2 T ) which implies by (5) that h = v (2 T ) .But these two equalities together imply that h = g (2 2 T ) , and this contradicts the left side of (4).Hence µ ̸ = 1, and we know that µ d = 1 where To summarize, our adversary B runs experiment EXP, and if it does not fail, that is, if event E happens, then B outputs a pair (µ, d) that breaks the low order assumption.It remains to determine how likely is event E to happen.Fortunately this has already been worked out in the generalized forking lemma of Bellare and Neven [BN06, Lemma 1].An application of their lemma shows that if A succeeds in fooling the verifier with probability ϵ, then event E happens with probability at least (ϵ 2 /t) − (ϵ/2 λ ), as required.

Concrete groups
Next, we briefly discuss two families of finite abelian groups of unknown order in which the low order and adaptive root assumptions are believed to hold.

The RSA group
Let GGen be an algorithm that outputs an odd integer N with an unknown factorization.Computing the order of the multiplicative group G := (Z/N ) * is as hard as factoring N , and therefore G can be used as a group of unknown order.However, the low order assumption is trivially false in such groups because (−1) ∈ Z/N is an element of order two.Fortunately, this is the only impediment and it is easily corrected by instead working in the group G + := G/{±1}.Elements in this group are represented as cosets {x, −x} for x ∈ G and multiplication is defined as {x, −x} • {y, −y} = {xy, −xy}.Of course when computing in this group it suffices to represent a coset {x, −x} by a single number, either x or −x, whichever is in the range [0, N/2).The low order assumption is believed to hold for a group generator GGen that generates such groups.
Pietrzak [Pie19] proves soundness of his proof of exponentiation (Figure 2) for integers N that are a product of strong primes.Recall that a prime number p is strong if (p − 1)/2 is also a prime number.If N = p • q is a product of distinct strong primes then the group G QR of quadratic residues in (Z/N ) * , namely the group G QR := {z 2 : z ∈ (Z/N ) * }, contains no elements of low order other than 1.Hence, the low order assumption holds unconditionally in G QR .Pietrzak proved unconditional soundness of the protocol when used in this group G QR .
Theorem 1 shows that by relying on the low order assumption in the multiplicative group G + := G/{±1} we are able to prove soundness even when N is not a product of strong primes.We note that an inconvenience in using G QR is that checking membership in this group is difficult, and this complicates Pietrzak's protocol.In contrast, checking membership in G + is easy and therefore the protocol in Figure 2 can be used as is.Moreover, Seres and Burcsi [SB20] point out that when gcd(p − 1, q − 1) = 2, a low order element µ ̸ = ±1 in Z/N can be used to factor N by computing gcd(µ − 1, N ).Hence, for moduli N = pq where gcd(p − 1, q − 1) = 2, the low order assumption is equivalent to the hardness of factoring assumption.
The difficulty with the group (Z/N ) * is that the group generator GGen must be trusted not to reveal the factorization of N .One can instead make GGen use public randomness to choose a sufficiently large N so that factoring N is hard.However the resulting N must be so large as to be impractical.The problem is that arithmetic modulo such a large modulus presents too many opportunities for parallelizing the squaring algorithm.

The class group of an imaginary quadratic number field
To avoid the trusted setup problem one can instead use the class group of the number field Q( √ −p), where p is a prime p ≡ 3 mod 4, as suggested by Wesolowski [Wes19,Wes20].This class group has odd order and computing its order is believed to be difficult when p is large.See [BH01] for a discussion on the choice of cryptographic parameters for such groups.Concretely, the group generator GGen(1 λ ) outputs a prime p from which the class group of Q( √ −p) is completely specified.Several papers have proposed efficient ways to hash into such groups [SBK24,CLR24].
The Cohen-Lenstra heuristics [CL84] suggest that for imaginary quadratic number fields: • the frequency of fundamental discriminants for which the odd part of the class group is cyclic is about 97.6%, • the frequency f (d) of fundamental discriminants for which the order of the class group is divisible by d is approximately: These heuristics suggest that the class group is often cyclic, but often contains elements of small odd order.The question is how hard is it to find an element of small odd order, if one exists?
Shanks [Sha69] gives an example where finding an element of low order is easy.Specifically, when p = 2 n − 1 is a Mersenne prime, Shanks constructs an explicit element of order n − 2 in Q( √ −p).Belabas, Kleinjung, Sanso, and Wesolowski [BKSW20] build on this and construct other examples of weak discriminants where the low order assumption is false.
An approach to finding low order elements in class groups.The low order assumption in the class group of an imaginary quadratic extension has not been studied much, and is a fascinating avenue for future work.For example, can we find an element of order three if one exists?
We mention one possible avenue for attack based on the work of Ellenberg and Venkatesh [EV07].Let I be an ideal of order 3 in the class group of Q( √ −p).Then I 3 is principle meaning that I 3 = ⟨a + b √ −p ⟩ for some a, b ∈ Z. Then the ideal norm N (I) satisfies N (I) 3 = N (I 3 ) = a 2 + pb 2 .Setting z = N (I) we see that the existence of an ideal of order three implies an integral point (a, b, z) on the surface The first inequality follows from the fact that we can take I to be a reduced ideal in the class group.The second and third inequalities follow from the first.If we could find an integral point (a, b, z) satisfying (7) on the surface (6), where z is not a perfect square, then we will likely break the low order assumption in the class group of Q( √ −p).We want a point (a, b, z) where |z| ≤ √ p is not a perfect square to ensure that z is not the norm of a principal ideal.Fortunately for this paper, the bounds (7) are out of reach for Coppersmith's method for finding low-norm integral points on curves and surfaces [Cop97].However, perhaps Coppersmith's method can be tuned specifically for this family of surfaces?We leave that for future work.

Post-quantum secure VDFs
We conclude by pointing out that the two VDFs surveyed here are insecure against an adversary who has access to a sufficiently large quantum computer.A quantum computer can efficiently calculate the order of the group G using Shor's period finding algorithm and break the VDF.Some of the VDFs studied in [BBBF18], such as the one based on iterated hashing, are plausibly post-quantum secure.Buterin [But18] develops and implements this construction using a combination of the MiMC hash function and a STARK proof.A similar approach, based on the ZKBoo proof system, was suggested by Tan et al. [TSL + 23].This approach was further developed in [DGMV20,MSW20].
A very different approach uses sequential composition of isogenies on elliptic curves.An interesting proposal for a VDF from isogenies is reported in [DMPS19].The construction is not designed to be post-quantum secure, and requires pairings and a trusted setup.Shani [Sha19] gave a construction that avoids pairings.Ahrens and Zumbrägel [AZ23] propose a different scheme using isogenies that may be post-quantum secure.
Additional constructions for a post-quantum secure VDF is a fruitful avenue for further research.

Proofs of exponentiation (PoE). The
remainder of the paper focuses on two public coin succinct arguments for L EXP , one by Wesolowski and one by Pietrzak.These arguments are called Proof of Exponentiation, or PoE, and they have been used in many applications beyond VDFs.For example, these PoE have been used to build efficient accumulators [BBF19, LM19] and polynomial commitments [BFS20, AGL + 23, BHR + 21].They are deployed in the Great Internet Mersenne Prime Search (GIMPS) project to prove that every Mersenne probable prime test (PRP) was done correctly.We stress that these PoE are sound only when the order of the group G is unknown to the prover.