
Tight Verifiable Delay Functions

Conference paper. Security and Cryptography for Networks (SCN 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12238)

Abstract

A Verifiable Delay Function (VDF) is a function that takes at least T sequential steps to evaluate and produces a unique output that can be verified efficiently, in time essentially independent of T. In this work we study tight VDFs, where the function can be evaluated in time not much more than the sequentiality bound T.

On the negative side, we show the impossibility of a black-box construction from random oracles of a VDF that can be evaluated in time \(T + O(T^\delta )\) for any constant \(\delta < 1\). On the positive side, we show that any VDF with an inefficient prover (running in time cT for some constant c) that has a natural self-composability property can be generically transformed into a VDF with a tight prover efficiency of \(T+O(1)\). Our compiler introduces only a logarithmic factor overhead in the proof size and in the number of parallel threads needed by the prover. As a corollary, we obtain a simple construction of a tight VDF from any succinct non-interactive argument combined with repeated hashing. This is in contrast with prior generic constructions (Boneh et al., CRYPTO 2018) that required the existence of incremental verifiable computation, which entails stronger assumptions and complex machinery.


Notes

  1. Known constructions of incremental verifiable computation require succinct arguments with knowledge extraction.

References

  1. Armknecht, F., Barman, L., Bohli, J.-M., Karame, G.O.: Mirror: enabling proofs of data replication and retrievability in the cloud. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 1051–1068 (2016)

  2. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable zero knowledge via cycles of elliptic curves. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 276–294. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_16

  3. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKS and proof-carrying data. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, Palo Alto, CA, USA, 1–4 June, pp. 111–120. ACM Press (2013)

  4. Bitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized encodings. In: Sudan, M. (ed.) ITCS 2016: 7th Conference on Innovations in Theoretical Computer Science, Cambridge, MA, USA, 14–16 January, pp. 345–356. Association for Computing Machinery (2016)

  5. Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25

  6. Boneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. Cryptology ePrint Archive, Report 2018/712 (2018). https://eprint.iacr.org/2018/712

  7. Buchmann, J., Williams, H.C.: A key-exchange system based on imaginary quadratic fields. J. Cryptol. 1(2), 107–118 (1988). https://doi.org/10.1007/BF02351719

  8. Chia network second VDF competition. https://www.chia.net/2019/04/04/chia-network-announces-second-vdf-competition-with-in-total-prize-money.en.html. Accessed 22 Apr 2019

  9. Cohen, B.: Proofs of space and time. Blockchain protocol analysis and security engineering (2017). https://cyber.stanford.edu/sites/default/files/bramcohen.pdf

  10. Cohen, B., Pietrzak, K.: Simple proofs of sequential work. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 451–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_15

  11. Döttling, N., Lai, R.W.F., Malavolta, G.: Incremental proofs of sequential work. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 292–323. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_11

  12. De Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable delay functions from supersingular isogenies and pairings. Cryptology ePrint Archive, Report 2019/166 (2019). https://eprint.iacr.org/2019/166

  13. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  14. Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: 24th Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 4–6 May, pp. 723–732. ACM Press (1992)

  15. Mahmoody, M., Moran, T., Vadhan, S.P.: Publicly verifiable proofs of sequential work. In: Kleinberg, R.D. (ed.) ITCS 2013: 4th Innovations in Theoretical Computer Science, Berkeley, CA, USA, 9–12 January, pp. 373–388. Association for Computing Machinery (2013)

  16. Mahmoody, M., Smith, C., Wu, D.J.: A note on the (im)possibility of verifiable delay functions in the random oracle model. Cryptology ePrint Archive, Report 2019/663 (2019). https://eprint.iacr.org/2019/663

  17. Micali, S.: CS proofs (extended abstracts). In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November, pp. 436–453. IEEE Computer Society Press (1994)

  18. Pietrzak, K.: Simple verifiable delay functions. In: Blum, A. (ed.) ITCS 2019: 10th Innovations in Theoretical Computer Science Conference, San Diego, CA, USA, 10–12 January, vol. 124, pp. 60:1–60:15. LIPIcs (2019)

  19. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signature and public-key cryptosystems. Commun. Assoc. Comput. Mach. 21(2), 120–126 (1978)

  20. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical Report MIT/LCS/TR-684 (1996)

  21. Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1

  22. Wesolowski, B.: Efficient verifiable delay functions. Cryptology ePrint Archive, Report 2018/623 (2018). https://eprint.iacr.org/2018/623


Acknowledgments

S. Garg is supported in part from DARPA SIEVE Award, AFOSR Award FA9550-15-1-0274, AFOSR Award FA9550-19-1-0200, AFOSR YIP Award, NSF CNS Award 1936826, DARPA and SPAWAR under contract N66001-15-C-4065, a Hellman Award, a Sloan Research Fellowship and research grants by the Okawa Foundation, Visa Inc., and Center for Long-Term Cybersecurity (CLTC, UC Berkeley). The views expressed are those of the author and do not reflect the official policy or position of the funding agencies.

Author information

Corresponding author: Giulio Malavolta.

A Instantiations

In the following we survey the existing candidate VDF schemes and we discuss the implications of our results.

A.1 Compute-and-Prove VDF

The original work of Boneh et al. [5] discusses an instantiation of a VDF based on any (conjectured) inherently sequential function and a succinct non-interactive argument system (SNARG) [14, 17]. The prover simply evaluates the function on a randomly chosen input and computes a short proof that the computation was done correctly. However, such an approach is dismissed since the time to compute a SNARG is typically much longer than that needed to evaluate the corresponding relation. Therefore, to achieve meaningful sequentiality guarantees, the prover needs to resort to massive parallelization, which requires a number of processors linear in the time parameter T.

For this reason they turned their attention to incremental verifiable computation schemes [21]. Such a primitive derives from the recursive composition of SNARGs and allows one to compute the proof incrementally as the computation proceeds. However, this feature comes at a cost: the number of recursions introduces an exponential factor in the running time of the extractor, and therefore the schemes can be shown sound only for a constant number of iterations. Other constructions [3] circumvent this issue by building computation trees of constant depth; however, the overhead of the recursive application of a SNARG is typically the bottleneck of the computation.

Our approach can be seen as a lightweight composition theorem for VDFs and rehabilitates the compute-and-prove paradigm using standard SNARGs in conjunction with iterated sequential functions: most of the existing SNARG schemes can be computed in time quasi-linear in T [2] and can be parallelized to meet our weak efficiency requirements using a poly-logarithmic number of processors (in the time parameter T). Our compiler shows that the combination of SNARGs and iterated sequential functions already gives a tightly sequential VDF, for any value of T.

A.2 Wesolowski’s VDF

A recent work by Wesolowski [22] builds an efficient VDF exploiting the conjectured sequentiality of repeated squaring in groups of unknown order, such as RSA groups [19] or class groups of imaginary quadratic order [7]. Loosely speaking, given a random instance \(x\in \mathbb {G}\) and a time parameter T, the sequential function is defined as \(f(x) = x^{2^T}\). Wesolowski proposes a succinct argument for the corresponding language

$$\begin{aligned} \mathcal {L} = \left\{ (\mathbb {G}, x, y, T) : y = x^{2^T} \right\} \end{aligned}$$

where the verification is much faster than recomputing the function from scratch. The argument goes as follows:

  (1) The verifier samples a random prime p from the set of the first \(2^\lambda \) primes.

  (2) The prover computes \(q, r \in \mathbb {Z}\) such that \(2^T = pq + r\) and outputs \(\pi = x^q\) as the proof.

  (3) The proof \(\pi \) can be verified by checking that \(\pi ^p x^r = y\), where r is computed as \(2^T \bmod p\).

The argument can be made non-interactive using the Fiat-Shamir transformation [13]. Note that the value of q cannot be computed by the prover explicitly, since the order of the group is unknown; however, it can be computed in the exponent of x in time close to T.
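The three-step argument above in its Fiat-Shamir form, as an added Python example that is not code from the paper or from Wesolowski: the toy modulus, the 32-bit challenge prime and the hash-to-prime encoding are assumptions made here, and prove() carries out the "in the exponent" long division that yields \(x^q\) without ever materialising q.

```python
import hashlib
# Constructed toy group (Z/NZ)^* with N = p*q; the factorisation is known
# here, so this demonstrates the argument, not a secure VDF instance.
N = 1000000007 * 998244353
PRIME_BYTES = 4  # 32-bit Fiat-Shamir challenge prime (toy; much larger in practice)
BASES = (2, 3, 5, 7, 11)  # Miller-Rabin bases, deterministic for n < 2.1e12

def sequential_eval(x, T):
    """The slow path: y = x^(2^T) mod N by T sequential squarings."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y

def is_prime(n):
    if n < 2 or any(n % p == 0 for p in BASES):
        return n in BASES
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2^s with d odd
    d = (n - 1) >> s
    for a in BASES:
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        if all((v := v * v % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def challenge_prime(x, y, T):
    """Fiat-Shamir: hash (N, x, y, T, counter) until the digest prefix is prime."""
    ctr = 0
    while True:
        h = hashlib.sha256(f"{N}|{x}|{y}|{T}|{ctr}".encode()).digest()
        cand = int.from_bytes(h[:PRIME_BYTES], "big") | 1
        if is_prime(cand):
            return cand
        ctr += 1

def prove(x, y, T):
    """pi = x^q where 2^T = q*l + r, found by long division of 2^T by l in the exponent."""
    l = challenge_prime(x, y, T)
    pi, rem = 1, 1  # invariants after i steps: rem = 2^i mod l, pi = x^floor(2^i / l)
    for _ in range(T):
        b, rem = divmod(2 * rem, l)  # b in {0, 1} is the next quotient bit
        pi = pi * pi % N * pow(x, b, N) % N
    return pi

def verify(x, y, T, pi):
    l = challenge_prime(x, y, T)  # two exponentiations in G: pi^l * x^r == y
    return pow(pi, l, N) * pow(x, pow(2, T, l), N) % N == y % N
```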

Wesolowski’s proof consists of a single group element and the verifier workload is essentially that of two exponentiations in \(\mathbb {G}\). The main shortcoming of the scheme is that the time to compute a valid proof is proportional to the time to compute the function. However, Wesolowski briefly explains how to reduce this overhead to a constant factor using parallel processors. The modification sketched in his paper is essentially an ad-hoc version of our compiler.

A.3 Pietrzak’s VDF

Recently, Pietrzak  [18] also showed an efficient succinct argument for the same language \(\mathcal {L}\), taking a slightly different route. In the following we briefly recall the backbone of the argument:

  (1) If \(T = 1\), the verifier simply checks that \(x^2 = y\).

  (2) Else the prover computes \(z = x^{2^{T/2}}\) and sends it to the verifier.

  (3) The verifier samples some \(r \in \{1, \dots , 2^\lambda \}\).

  (4) The prover and the verifier recurse on input \((\mathbb {G}, x^rz, z^ry, T/2)\).

The resulting argument is less efficient than Wesolowski’s approach in terms of proof size and verifier complexity by a factor of \(\log T\). However, Pietrzak’s argument can be computed in time approximately \(\sqrt{T}\) using roughly \(\sqrt{T}\) memory, by storing some intermediate values of the function evaluation.

It is clear that such a VDF fulfills the conditions to apply our compiler, which allows us to truncate the additional \(\sqrt{T}\) factor from the proof computation. Due to the increased proof size, it might appear that the resulting scheme is strictly worse than that obtained by combining our compiler with Wesolowski’s approach. However, the significantly shorter proving time allows us to give a sharper bound on the number of recursions of our algorithm: in each iteration the new time parameter is computed as \(\tfrac{1}{2}\sqrt{4T+1} - 1\), and therefore approximately \(\log\log T\) iterations suffice to hit the bottom of the recursion. As a consequence, Pietrzak’s argument needs less parallelism to achieve optimal prover runtime. We also point out that Pietrzak’s argument rests on a weaker assumption, as discussed in [6].


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Döttling, N., Garg, S., Malavolta, G., Vasudevan, P.N. (2020). Tight Verifiable Delay Functions. In: Galdi, C., Kolesnikov, V. (eds) Security and Cryptography for Networks. SCN 2020. Lecture Notes in Computer Science(), vol 12238. Springer, Cham. https://doi.org/10.1007/978-3-030-57990-6_4

  • DOI: https://doi.org/10.1007/978-3-030-57990-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-57989-0

  • Online ISBN: 978-3-030-57990-6