# Efficient Verifiable Delay Functions

## Abstract

We construct a verifiable delay function (VDF). A VDF is a function whose evaluation requires running a given number of sequential steps, yet the result can be efficiently verified. They have applications in decentralised systems, such as the generation of trustworthy public randomness in a trustless environment, or resource-efficient blockchains. To construct our VDF, we actually build a *trapdoor* VDF. A trapdoor VDF is essentially a VDF which can be evaluated efficiently by parties who know a secret (the trapdoor). By setting up this scheme in a way that the trapdoor is unknown (not even by the party running the setup, so that there is no need for a trusted setup environment), we obtain a simple VDF. Our construction is based on groups of unknown order such as an RSA group, or the class group of an imaginary quadratic field. The output of our construction is very short (the result and the proof of correctness are each a single element of the group), and the verification of correctness is very efficient.

## Notes

### Acknowledgements

The author wishes to thank a number of people with whom interesting discussions helped improve the present work, in alphabetical order, Dan Boneh, Justin Drake, Alexandre Gélin, Novak Kaluđerović, Arjen K. Lenstra and Serge Vaudenay.

## References

- 1.Bellare, M., Goldwasser, S.: Encapsulated key escrow. Technical report (1996)Google Scholar
- 2.Bellare, M., Goldwasser, S.: Verifiable partial key escrow. In: Proceedings of the 4th ACM Conference on Computer and Communications Security, CCS 1997, pp. 78–91. ACM, New York, NY, USA (1997)Google Scholar
- 3.Biehl, I., Buchmann, J., Hamdy, S., Meyer, A.: A signature scheme based on the intractability of computing roots. Des. Codes Crypt.
**25**(3), 223–236 (2002)MathSciNetCrossRefGoogle Scholar - 4.Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25CrossRefGoogle Scholar
- 5.Boneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. Cryptology ePrint Archive, report 2018/712 (2018). https://eprint.iacr.org/2018/712
- 6.Boneh, D., Franklin, M.: Efficient generation of shared RSA keys. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 425–439. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052253CrossRefGoogle Scholar
- 7.Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_15CrossRefGoogle Scholar
- 8.Buchmann, J., Hamdy, S.: A survey on IQ cryptography. In: Proceedings of Public Key Cryptography and Computational Number Theory, pp. 1–15 (2001)Google Scholar
- 9.Buchmann, J., Williams, H.C.: A key-exchange system based on imaginary quadratic fields. J. Cryptol.
**1**(2), 107–118 (1988)MathSciNetCrossRefGoogle Scholar - 10.CPU-Z OC world records (2018). http://valid.canardpc.com/records.php
- 11.Dodis, Y., Katz, J., Smith, A., Walfish, S.: Composability and on-line deniability of authentication. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 146–162. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_10CrossRefzbMATHGoogle Scholar
- 12.Drake, J.: Ethereum 2.0 randomness. August 2018 Workshop at Stanford Hosted by the Ethereum Foundation and the Stanford Center for Blockchain Research (2018)Google Scholar
- 13.Drake, J.: Minimal VDF randomness beacon. Ethereum Research Post (2018). https://ethresear.ch/t/minimal-vdf-randomness-beacon/3566
- 14.Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc.
**2**(4), 837–850 (1989)MathSciNetCrossRefGoogle Scholar - 15.Lenstra, A.K., Wesolowski, B.: Trustworthy public randomness with sloth, unicorn and trx. Int. J. Appl. Cryptol.
**3**, 330–343 (2016)MathSciNetCrossRefGoogle Scholar - 16.Pietrzak, K.: Simple verifiable delay functions. In: Blum, A. (ed.), 10th Innovations in Theoretical Computer Science Conference, ITCS 2019, San Diego, California, USA, 10–12 January 2019, pp. 60:1–60:15 (2019)Google Scholar
- 17.Rabin, M.O.: Transaction protection by beacons. J. Comput. Syst. Sci.
**27**(2), 256–267 (1983)MathSciNetCrossRefGoogle Scholar - 18.Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report (1996)Google Scholar
- 19.Sander, T.: Efficient accumulators without trapdoor extended abstract. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 252–262. Springer, Heidelberg (1999). https://doi.org/10.1007/978-3-540-47942-0_21CrossRefGoogle Scholar
- 20.Vollmer, U.: Asymptotically fast discrete logarithms in quadratic number fields. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 581–594. Springer, Heidelberg (2000). https://doi.org/10.1007/10722028_39CrossRefzbMATHGoogle Scholar