
Efficient Verifiable Delay Functions

Journal of Cryptology

Abstract

We construct a verifiable delay function (VDF). A VDF is a function whose evaluation requires running a given number of sequential steps, yet the result can be efficiently verified. They have applications in decentralised systems, such as the generation of trustworthy public randomness in a trustless environment, or resource-efficient blockchains. To construct our VDF, we actually build a trapdoor VDF. A trapdoor VDF is essentially a VDF which can be evaluated efficiently by parties who know a secret (the trapdoor). By setting up this scheme in a way that the trapdoor is unknown (not even by the party running the setup, so that there is no need for a trusted setup environment), we obtain a simple VDF. Our construction is based on groups of unknown order such as an RSA group or the class group of an imaginary quadratic field. The output of our construction is very short (the result and the proof of correctness are each a single element of the group), and the verification of correctness is very efficient.


Notes

  1. The paper [4] was developed independently of the present work, yet we adopt their terminology for verifiable delay functions, for the sake of uniformity.

  2. i.e. \(C({\mathcal {A}},g) = O(f(\mathrm {len}(g)))\) for a polynomial f, with \(\mathrm {len}(g)\) the binary length of g.

  3. In this game, the output of \({\mathcal {A}}\) is another algorithm \({\mathcal {B}}\). When we say that \({\mathcal {A}}\) is limited to q queries, we limit the total number of queries by \({\mathcal {A}}\) and \({\mathcal {B}}\) combined. In other words, if \({\mathcal {A}}\) did \(x \le q\) queries, then its output \({\mathcal {B}}\) is limited to \(q-x\) queries.

  4. Note that this constant factor does not affect the chances of \({\mathcal {C}}\) to win the \((\delta ,{t})\)-squaring game, since it concerns only the running time of \({\mathcal {C}}\) itself and not of the algorithm output by \({\mathcal {C}}(G)\).

  5. Recall the L-notation \(L_t(s) = \mathrm {exp}\left( O\left( \log (t)^s\log \log (t)^{1-s}\right) \right) \).

  6. Here again, the output of \({\mathcal {A}}\) is another algorithm \({\mathcal {B}}\). When we say that \({\mathcal {A}}\) is limited to q queries, we limit the total number of queries by \({\mathcal {A}}\) and \({\mathcal {B}}\) combined.

  7. https://github.com/Calodeon/vdf/blob/master/estimation.py.

  8. A message does not travel directly from Alice (or Bob) to Judy, since Judy is only communicating with the (mis)informant. What is measured here is the sum of the delay between Alice and the (mis)informant and the delay between the (mis)informant and Judy. There is no constraint on the location of the (mis)informant, but we assume a triangular inequality: he could be close to Alice and Bob, in which case his communications with Judy suffer a delay, or he could be close to Judy, in which case his interactions with Alice and Bob are delayed.

References

  1. M. Bellare and S. Goldwasser. Encapsulated key escrow. Technical report, 1996.

  2. M. Bellare and S. Goldwasser. Verifiable partial key escrow. In Proceedings of the 4th ACM Conference on Computer and Communications Security, CCS '97, pages 78–91, New York, NY, USA, 1997. ACM.

  3. I. Biehl, J. Buchmann, S. Hamdy, and A. Meyer. A signature scheme based on the intractability of computing roots. Designs, Codes and Cryptography, 25(3):223–236, 2002.

  4. D. Boneh, J. Bonneau, B. Bünz, and B. Fisch. Verifiable delay functions. In Advances in Cryptology – CRYPTO 2018, pages 757–788. Springer, 2018.

  5. D. Boneh, B. Bünz, and B. Fisch. A survey of two verifiable delay functions. Cryptology ePrint Archive, Report 2018/712, 2018. https://eprint.iacr.org/2018/712.

  6. D. Boneh, B. Bünz, and B. Fisch. Batching techniques for accumulators with applications to IOPs and stateless blockchains. In A. Boldyreva and D. Micciancio, editors, Advances in Cryptology – CRYPTO 2019, volume 11692 of Lecture Notes in Computer Science, pages 561–586. Springer, 2019.

  7. D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In Annual International Cryptology Conference, pages 425–439. Springer, 1997.

  8. D. Boneh and M. Naor. Timed commitments. In M. Bellare, editor, Advances in Cryptology – CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science, pages 236–254. Springer Berlin Heidelberg, 2000.

  9. J. Buchmann and S. Hamdy. A survey on IQ cryptography. In Proceedings of Public Key Cryptography and Computational Number Theory, pages 1–15, 2001.

  10. J. Buchmann and H. C. Williams. A key-exchange system based on imaginary quadratic fields. Journal of Cryptology, 1(2):107–118, 1988.

  11. B. Bünz, B. Fisch, and A. Szepieniec. Transparent SNARKs from DARK compilers. Cryptology ePrint Archive, Report 2019/1229, 2019. https://eprint.iacr.org/2019/1229.

  12. B. Cohen and K. Pietrzak. The Chia network blockchain. Chia network, white paper, 2019. https://www.chia.net/assets/ChiaGreenPaper.pdf.

  13. D. A. Cox. Primes of the form \(x^2 + ny^2\): Fermat, class field theory, and complex multiplication, volume 34. John Wiley & Sons, 2011.

  14. CPU-Z OC world records. http://valid.canardpc.com/records.php, 2018.

  15. Y. Dodis, J. Katz, A. Smith, and S. Walfish. Composability and On-Line Deniability of Authentication, pages 146–162. Springer Berlin Heidelberg, Berlin, Heidelberg, 2009.

  16. D. Dolev, C. Dwork, and M. Naor. Nonmalleable cryptography. SIAM Review, 45(4):727–784, 2003.

  17. N. Döttling, S. Garg, G. Malavolta, and P. N. Vasudevan. Tight verifiable delay functions. Cryptology ePrint Archive, Report 2019/659, 2019. https://eprint.iacr.org/2019/659.

  18. J. Drake. Ethereum 2.0 randomness. August 2018 workshop at Stanford hosted by the Ethereum Foundation and the Stanford Center for Blockchain Research, 2018.

  19. J. Drake. Minimal VDF randomness beacon. Ethereum Research post, 2018. https://ethresear.ch/t/minimal-vdf-randomness-beacon/3566.

  20. C. Dwork, M. Naor, and A. Sahai. Concurrent zero-knowledge. Journal of the ACM (JACM), 51(6):851–898, 2004.

  21. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989.

  22. J. L. Hafner and K. S. McCurley. A rigorous subexponential algorithm for computation of class groups. Journal of the American Mathematical Society, 2(4):837–850, 1989.

  23. A. Joux, D. Naccache, and E. Thomé. When e-th roots become easier than factoring. In K. Kurosawa, editor, Advances in Cryptology – ASIACRYPT 2007, volume 4833 of Lecture Notes in Computer Science, pages 13–28. Springer, 2007.

  24. J. Kilian. A note on efficient zero-knowledge proofs and arguments. In Proceedings of the Twenty-Fourth Annual ACM Symposium on Theory of Computing, pages 723–732, 1992.

  25. A. K. Lenstra and B. Wesolowski. Trustworthy public randomness with sloth, unicorn and trx. International Journal of Applied Cryptography, 2016.

  26. L. Long. Binary quadratic forms. Chia network, Chia VDF Competition Guide, 2019. https://github.com/Chia-Network/vdf-competition/blob/master/classgroups.pdf.

  27. S. Micali. Computationally sound proofs. SIAM Journal on Computing, 30(4):1253–1298, 2000.

  28. R. Pass. On deniability in the common reference string and random oracle model. In D. Boneh, editor, Advances in Cryptology – CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 316–337. Springer, 2003.

  29. K. Pietrzak. Simple verifiable delay functions. Cryptology ePrint Archive, Report 2018/627, Version 20180626:145529, 2018. https://eprint.iacr.org/2018/627.

  30. M. O. Rabin. Transaction protection by beacons. Journal of Computer and System Sciences, 27(2):256–267, 1983.

  31. R. L. Rivest, A. Shamir, and D. A. Wagner. Time-lock puzzles and timed-release crypto. 1996.

  32. T. Sander. Efficient accumulators without trapdoor (extended abstract). In International Conference on Information and Communications Security, pages 252–262. Springer, 1999.

  33. R. Swarbrick. VDF proof feasibility study. Argon Design, technical report, 2018. https://vdfresearch.org/assets/P0137-R-004b%20(VDF%20proof%20feasibility%20study).pdf.

  34. U. Vollmer. Asymptotically fast discrete logarithms in quadratic number fields. In International Algorithmic Number Theory Symposium (ANTS), pages 581–594. Springer, 2000.


Acknowledgements

Part of this work was supported by the Ethereum Foundation under Grant FY19-0090 and by the ERC Advanced Grant 740972 (ALGSTRONGCRYPTO). The author wishes to thank a number of people with whom interesting discussions helped improve the present work, in alphabetical order, Dan Boneh, Justin Drake, Alexandre Gélin, Novak Kaluđerović, Arjen K. Lenstra, and Serge Vaudenay.

Author information

Correspondence to Benjamin Wesolowski.

Additional information

Communicated by Masayuki Abe


Appendices

Proof of Remark 1

Model H as a random oracle. Suppose that

$$\begin{aligned} {\mathsf {trapdoor}}_{\mathsf {sk}}^H(x, \varDelta )&= t_{\mathsf {sk}}(H(x), \varDelta ),\\ {\mathsf {eval}}_{\mathsf {pk}}^H(x, \varDelta )&= e_{\mathsf {pk}}(H(x), \varDelta ), \text{ and } \\ {\mathsf {verify}}_{\mathsf {pk}}^H(x, {y}, \varDelta )&= v_{\mathsf {pk}}(H(x), {y}, \varDelta ), \end{aligned}$$

for procedures t, e and v that do not have access to H.

Let \({\mathcal {A}}\) be a player of the \(\varDelta \)-evaluation race game. Assume that the output \({\mathcal {B}}\) of \({\mathcal {A}}\) is limited to a number q of queries to \({\mathcal {O}}\) and H. We are going to build an algorithm \({\mathcal {A}}'\) that wins with the same probability as \({\mathcal {A}}\) even when its output \({\mathcal {B}}'\) is not given access to \({\mathcal {O}}\).

Let \((Y_i)_{i = 1}^q\) be a sequence of random hash values (i.e. uniformly distributed random values in \(\{0,1\}^{2k}\)). First observe that \({\mathcal {A}}\) wins the \(\varDelta \)-evaluation race game with the same probability if the last step runs the algorithm \({\mathcal {B}}^{{\mathcal {O}}', H'}\) instead of \({\mathcal {B}}^{{\mathcal {O}}, H}\), where

  1. \(H'\) is the following procedure: for any new requested input x, if x has previously been requested by \({\mathcal {A}}\) to H then output \(H'(x) = H(x)\); otherwise set \(H'(x)\) to be the next unassigned value in the sequence \((Y_i)\);

  2. \({\mathcal {O}}'\) is an oracle that on input x outputs \(t_{\mathsf {sk}}(H'(x), \varDelta )\).

With this observation in mind, we build \({\mathcal {A}}'\) as follows. On input \({\mathsf {pk}}\), \({\mathcal {A}}'\) first runs \({\mathcal {A}}^{H}\) which outputs \({\mathcal {A}}^{H}({\mathsf {pk}}) = {\mathcal {B}}\). Let X be the set of inputs of the requests that \({\mathcal {A}}\) made to H. For any \(x\in X\), \({\mathcal {A}}'\) computes and stores the pair \((H(x), {\mathsf {eval}}_{\mathsf {pk}}(x, \varDelta ))\) in a list L. In addition, it computes and stores \((Y_i, e_{\mathsf {pk}}(Y_i, \varDelta ))\) for each \(i = 1,\ldots ,q\), and adds them to L.

Consider the following procedure \({\mathcal {O}}'\): on input x, look for the pair of the form \((H'(x), \sigma )\) in the list L, and output \(\sigma \). The output of \({\mathcal {A}}'\) is the algorithm \({\mathcal {B}}' = {\mathcal {B}}^{{\mathcal {O}}',H'}\). It does not require access to the oracle \({\mathcal {O}}\) anymore: every request it could make is already answered in the list of precomputed values, since \({\mathcal {B}}\) can only query H on inputs that \({\mathcal {A}}\) already queried or on at most q fresh inputs, whose hash values are the \(Y_i\). Each call to \({\mathcal {O}}\) is replaced by a lookup in the list L, so \({\mathcal {B}}'\) has essentially the same running time as \({\mathcal {B}}\). Therefore \({\mathcal {A}}'\) wins the \(\varDelta \)-evaluation race game with the same probability as \({\mathcal {A}}\) even when its output \({\mathcal {B}}'\) is not given access to an evaluation oracle.

Timed Challenge-Response Identification Protocols

A timed challenge-response identification protocol has four procedures:

  • \({\mathsf {keygen}}\rightarrow ({\mathsf {pk}}, {\mathsf {sk}})\) is a key generation procedure, which outputs a prover’s public key \({\mathsf {pk}}\) and secret key \({\mathsf {sk}}\).

  • \(\mathsf {challenge} \rightarrow c\) is a procedure that outputs a random challenge c.

  • \(\mathsf {respond}_{\mathsf {sk}}(c, \varDelta ) \rightarrow r\) is a procedure that uses the prover’s secret key to respond to the challenge c, for the time parameter \(\varDelta \).

  • \({\mathsf {verify}}_{\mathsf {pk}}(c, r, \varDelta ) \rightarrow {\mathsf {true}}\) or \({\mathsf {false}}\) is a procedure to check if r is a valid response to c, for the public key \({\mathsf {pk}}\) and the time parameter \(\varDelta \).

The security level k is implicitly an input to each of these procedures. The \({\mathsf {keygen}}\) procedure is used to generate Alice's public and secret keys; then, the identification protocol is as follows:

  1. Bob generates a random c with the procedure \(\mathsf {challenge}\). He sends it to Alice, along with a time limit \(\varDelta \), and starts a timer.

  2. Alice responds \(r = \mathsf {respond}_{\mathsf {sk}}(c, \varDelta )\).

  3. Bob stops the timer. He accepts if \({\mathsf {verify}}_{\mathsf {pk}}(c, r, \varDelta ) = {\mathsf {true}}\) and the elapsed time is smaller than \(\varDelta \).
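The construction summarised in the abstract (evaluation by repeated squaring in a group of unknown order, a proof that is a single group element, and a trapdoor that makes evaluation fast for whoever knows the group order) and the three-step protocol above, worked through in Python. This is an added example, not code from the paper: the RSA modulus built from two small well-known primes, the 64-bit hash-to-prime, the squaring of inputs into \(QR_N\), the time parameter and the function names are all toy choices made here, and the way the trapdoor path derives the proof exponent modulo \(\varphi(N)\) is this example's own derivation.

```python
"""Toy trapdoor VDF over an RSA group and the timed challenge-response
identification protocol built on it. Added example; every parameter is a toy."""
from __future__ import annotations
import hashlib
import secrets

ELL_BYTES = 8  # width of the challenge prime ell (toy; the paper uses 2k bits)

def keygen() -> tuple[int, int]:
    """pk = N, sk = phi(N). Two well-known primes, constructed for the example;
    a trustless deployment needs a group whose order nobody knows."""
    p, q = 1_000_000_007, 998_244_353
    return p * q, (p - 1) * (q - 1)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def hash_to_group(msg: bytes, n: int) -> int:
    """Hash into (Z/NZ)^*, then square into QR_N so the element avoids the
    low-order element -1 (RSA-group hygiene; a choice made here)."""
    h = int.from_bytes(hashlib.sha256(b"group|" + msg).digest(), "big") % n
    return pow(h, 2, n)

def hash_to_prime(x: int, y: int) -> int:
    """Fiat-Shamir prime ell = H_prime(x, y): hash, then step up to the next
    prime. Deterministic, so prover and verifier derive the same ell."""
    h = hashlib.sha256(b"prime|%d|%d" % (x, y)).digest()
    cand = int.from_bytes(h[:ELL_BYTES], "big") | 1
    while not is_probable_prime(cand):
        cand += 2
    return cand

def vdf_eval(x: int, T: int, n: int) -> tuple[int, int, int]:
    """Public evaluation: y = x^(2^T) by T sequential squarings, then the
    one-element proof pi = x^floor(2^T / ell). Returns (y, pi, squarings)."""
    y, squarings = x, 0
    for _ in range(T):
        y, squarings = y * y % n, squarings + 1
    ell = hash_to_prime(x, y)
    # Big ints make floor(2^T / ell) trivial at toy T; the paper obtains pi
    # with O(T) group operations by long division, never materialising 2^T.
    return y, pow(x, (1 << T) // ell, n), squarings

def vdf_trapdoor(x: int, T: int, n: int, phi: int) -> tuple[int, int]:
    """Trapdoor evaluation: with phi(N), y and pi cost one exponentiation each
    whatever T is. From 2^T = q*ell + r, q = (2^T - r) * ell^-1 (mod phi),
    valid when gcd(ell, phi) = 1 (pow raises ValueError otherwise)."""
    e = pow(2, T, phi)
    y = pow(x, e, n)
    ell = hash_to_prime(x, y)
    r = pow(2, T, ell)
    return y, pow(x, (e - r) * pow(ell, -1, phi) % phi, n)

def vdf_verify(x: int, y: int, pi: int, T: int, n: int) -> bool:
    """Accept iff pi^ell * x^(2^T mod ell) == y; cost independent of T."""
    ell = hash_to_prime(x, y)
    return pow(pi, ell, n) * pow(x, pow(2, T, ell), n) % n == y

# --- timed challenge-response identification (steps 1-3 above) ---
def challenge() -> bytes:
    return secrets.token_bytes(16)

def respond(c: bytes, T: int, n: int, phi: int | None) -> tuple[int, int]:
    """Alice (phi known) takes the trapdoor path; an impostor (phi=None) can
    only run the sequential evaluation and will miss Bob's deadline."""
    x = hash_to_group(c, n)
    if phi is not None:
        return vdf_trapdoor(x, T, n, phi)
    y, pi, _ = vdf_eval(x, T, n)
    return y, pi

def bob_accepts(c: bytes, r: tuple[int, int], T: int, n: int,
                elapsed: float, delta: float) -> bool:
    """Bob's rule: the response verifies AND arrived before the deadline."""
    return elapsed < delta and vdf_verify(hash_to_group(c, n), *r, T, n)
```

Calling `respond(c, T, n, phi)` and `respond(c, T, n, None)` on the same challenge returns the identical pair \((y, \pi)\), which is what makes the protocol zero-knowledge in the sense of Definition 11 below; the difference is that the second call performs T sequential squarings (the third value returned by `vdf_eval` counts them), and that is the gap Bob's deadline \(\varDelta \) exploits. A deployment would use a modulus whose factorisation nobody holds (or a class group) and a 2k-bit \(\ell \).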

Given a time parameter \(\varDelta \), a \(\varDelta \)-response race game and an associated notion of \(\varDelta \)-soundness can be defined in a straightforward manner as follows.

Definition 9

(\(\varDelta \)-response race game) Let \({\mathcal {A}}\) be a party playing the game. The parameter \(\varDelta : {\mathbf {Z}}_{>0} \rightarrow {\mathbf {R}}_{>0}\) is a function of the (implicit) security parameter k. The \(\varDelta \)-response race game goes as follows:

  1. The random procedure \({\mathsf {keygen}}\) is run and it outputs a public key \({\mathsf {pk}}\);

  2. \({\mathcal {A}}({\mathsf {pk}})\) outputs an algorithm \({\mathcal {B}}\);

  3. A random challenge c is generated according to the procedure \(\mathsf {challenge}\);

  4. \({\mathcal {B}}^{{\mathcal {O}}}(c)\) outputs a value r, where \({\mathcal {O}}\) is an oracle that outputs the evaluation \(\mathsf {respond}_{\mathsf {sk}}(c', \varDelta )\) on any input \(c' \ne c\).

Then, \({\mathcal {A}}\) wins the game if \(T({\mathcal {B}}, c) < \varDelta \) and \({\mathsf {verify}}_{\mathsf {pk}}(c, r, \varDelta ) = {\mathsf {true}}\).

Definition 10

(\(\varDelta \)-soundness) A timed challenge-response identification protocol is \(\varDelta \)-sound if any polynomially bounded player (with respect to the implicit security parameter) wins the above \(\varDelta \)-response race game with negligible probability.

It is immediate to verify that a sound and \(\varDelta \)-sequential trapdoor VDF gives rise to a \(\varDelta \)-sound identification protocol (via the construction of Sect. 9). Similarly, the completeness of the identification protocol (that an honest run of the protocol terminates with a successful verification) follows from the fact that the verification of a valid VDF output always outputs \({\mathsf {true}}\). There is one additional requirement: if the procedure \(\mathsf {respond}_{\mathsf {sk}}(c, \varDelta )\) requires computation time at least \(\epsilon _1\), and the channel of communication has a transmission delay at least \(\epsilon _2\), we must have \(\epsilon _1 + 2 \epsilon _2 < \varDelta \), since Bob's timer also counts the two transmissions. Finally the zero-knowledge property is defined as follows.

Definition 11

(Zero-knowledge) A timed challenge-response identification protocol is (perfectly, computationally, or statistically) zero-knowledge if there is an algorithm \({\mathcal {S}}\) that on input k, \(\varDelta \), \({\mathsf {pk}}\) and a random challenge \(c \leftarrow \mathsf {challenge}(k,\varDelta )\) produces an output (perfectly, computationally, or statistically) indistinguishable from \(\mathsf {respond}_{\mathsf {sk}}(c,k,\varDelta )\), and the running time of \({\mathcal {S}}\) is polynomial in k.

In a classical cryptographic line of thought, this zero-knowledge property is too strong to allow for any soundness, since an adversary could then respond to the challenge in time polynomial in the security parameter of Alice's secret key. The notion starts making sense when the complexity of the simulator \({\mathcal {S}}\) is governed by another parameter, here \(\varDelta \), independent from Alice's secret.

For the protocol derived from a VDF, the zero-knowledge property is ensured by the fact that anyone can compute Alice’s response to the challenge in time polynomial in k, with the procedure \({\mathsf {eval}}\).

Local Identification

The challenge-response identification protocol derived from a VDF in Sect. 9 is totally deniable against a judge, Judy, observing the communication from a long distance. The precise definition of on-line deniability is discussed in [15]. We refer the reader there for the details, but the high-level idea is as follows. Alice is presumably trying to authenticate her identity to Bob. Judy will rule whether or not the identification was attempted. Judy interacts with an informant who is witnessing the identification and who wants to convince Judy that it happened. This informant could also be a misinformant, who is not witnessing any identification, but tries to deceive Judy into believing it happened. The protocol is online deniable if no efficient judge can distinguish whether she is talking to an informant or a misinformant. The (mis)informant is allowed to corrupt Alice or Bob, at which point he learns their secret keys and controls their future actions. When some party is corrupted, Judy learns about it.

It is shown in [15] that this strong deniability property is impossible to achieve in a PKI. To mitigate this issue, they propose a secure protocol in a relaxed setting, allowing incriminating aborts. We propose an alternative relaxation of the setting, where Judy is assumed to be far away from Alice and Bob (more precisely: the travel time of a message between Alice and Bob is shorter than between Alice (or Bob) and Judy; see Note 8). For example, consider a building whose access is restricted to authorised card holders. Suppose the card holders do not want anyone other than the card reader to get convincing evidence that they are accessing the building (even if the card reader is corrupted, it cannot convince anyone else). Furthermore, Alice herself cannot convince anyone that the card reader ever acknowledged her identification attempt. In this context, the card and the card reader benefit from very efficient communications, while a judge farther away would communicate with an additional delay. An identification protocol can exploit this delay to become deniable, and this is achieved by the timed challenge-response identification protocol derived from a VDF.

The idea is the following. Suppose that the distance between Alice and Judy is long enough to ensure that the travel time of a message from Alice to Judy is larger than \(\varDelta /2\). Then, Judy cannot distinguish a legitimate response of Alice that took some time to reach her from a response forged by a misinformant that is physically close to Judy.

More precisely, considering an informant I who established a strategy with Judy, we can show that there is a misinformant M that Judy cannot distinguish from I. First of all, Bob cannot be incriminated since he is not using a secret key. It all boils down to tracking the messages that depend on Alice’s secret key. Consider a run of the protocol with the informant I. Let \(t_0\) be the point in time where Alice computed \(s = {\mathsf {trapdoor}}_{\mathsf {sk}}(c, \varDelta )\). The delay implies two things:

  1. The challenge c is independent of anything Judy sent after point in time \(t_0 - \varDelta /2\).

  2. The first message Judy receives that can depend on s (and therefore the first message that depends on Alice's secret) arrives after \(t_0 + \varDelta /2\).

From Point 1, at time \(t_0 - \varDelta /2\), the misinformant (who is close to Judy) can already generate c (following whichever procedure I and Judy agreed on), and start evaluating \({\mathsf {eval}}_{\mathsf {pk}}(c,\varDelta )\). The output is ready at time \(t_0 + \varDelta /2\), so from Point 2, the misinformant is on time to send to Judy messages that should depend on the signature s.

In practice. The protocol is deniable against a judge at a certain distance away from Alice and Bob, and the minimal value of this distance depends on \(\varDelta \). An accurate estimation of this distance would require in the first place an equally accurate estimation of the real time \(\varDelta \) (in s) a near-optimal adversary would need to forge the response. This non-trivial task relates to the discussion of Sect. 3.2.

Assuming reasonable bounds for \(\varDelta \) have been established, one can relate the distance and the communication delay in a very conservative way through the speed of light. We want Judy to stand at a sufficient distance to ensure that any message takes at least \(\varDelta /2\) s to travel between them, so Judy should be at least \(c\varDelta /2\) m away, where \(c \approx 3.00\times 10^8\) m/s is the speed of light. For security against a judge standing 100 m away, one would require \(\varDelta \approx 0.67\,\mu\)s. Alice should be able to respond to Bob's challenge in less time than that. At this point, it seems unreasonable to assume that such levels of precision can be achieved (although in principle, distance bounding protocols do deal with such constraints), yet it remains interesting that such a simple and efficient protocol provides full deniability against a judge that suffers more serious communication delays.


Cite this article

Wesolowski, B. Efficient Verifiable Delay Functions. J Cryptol 33, 2113–2147 (2020). https://doi.org/10.1007/s00145-020-09364-x
