Abstract
A Verifiable Delay Function (VDF) is a function that takes at least T sequential steps to evaluate and produces a unique output that can be verified efficiently, in time essentially independent of T. In this work we study tight VDFs, where the function can be evaluated in time not much more than the sequentiality bound T.
On the negative side, we show the impossibility of a black-box construction from random oracles of a VDF that can be evaluated in time \(T + O(T^\delta )\) for any constant \(\delta < 1\). On the positive side, we show that any VDF with an inefficient prover (running in time cT for some constant c) that has a natural self-composability property can be generically transformed into a VDF with a tight prover efficiency of \(T+O(1)\). Our compiler introduces only a logarithmic factor overhead in the proof size and in the number of parallel threads needed by the prover. As a corollary, we obtain a simple construction of a tight VDF from any succinct non-interactive argument combined with repeated hashing. This is in contrast with prior generic constructions (Boneh et al., CRYPTO 2018) that required the existence of incremental verifiable computation, which entails stronger assumptions and complex machinery.
Notes
1. Known constructions of incremental verifiable computation require succinct arguments with knowledge extraction.
References
Armknecht, F., Barman, L., Bohli, J.-M., Karame, G.O.: Mirror: enabling proofs of data replication and retrievability in the cloud. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 1051–1068 (2016)
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable zero knowledge via cycles of elliptic curves. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 276–294. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_16
Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKS and proof-carrying data. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, Palo Alto, CA, USA, 1–4 June, pp. 111–120. ACM Press (2013)
Bitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized encodings. In: Sudan, M. (ed.) ITCS 2016: 7th Conference on Innovations in Theoretical Computer Science, Cambridge, MA, USA, 14–16 January, pp. 345–356. Association for Computing Machinery (2016)
Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25
Boneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. Cryptology ePrint Archive, Report 2018/712 (2018). https://eprint.iacr.org/2018/712
Buchmann, J., Williams, H.C.: A key-exchange system based on imaginary quadratic fields. J. Cryptol. 1(2), 107–118 (1988). https://doi.org/10.1007/BF02351719
Chia network second VDF competition. https://www.chia.net/2019/04/04/chia-network-announces-second-vdf-competition-with-in-total-prize-money.en.html. Accessed 22 Apr 2019
Cohen, B.: Proofs of space and time. Blockchain protocol analysis and security engineering (2017). https://cyber.stanford.edu/sites/default/files/bramcohen.pdf
Cohen, B., Pietrzak, K.: Simple proofs of sequential work. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 451–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_15
Döttling, N., Lai, R.W.F., Malavolta, G.: Incremental proofs of sequential work. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 292–323. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_11
De Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable delay functions from supersingular isogenies and pairings. Cryptology ePrint Archive, Report 2019/166 (2019). https://eprint.iacr.org/2019/166
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: 24th Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 4–6 May, pp. 723–732. ACM Press (1992)
Mahmoody, M., Moran, T., Vadhan, S.P.: Publicly verifiable proofs of sequential work. In: Kleinberg, R.D. (ed.) ITCS 2013: 4th Innovations in Theoretical Computer Science, Berkeley, CA, USA, 9–12 January, pp. 373–388. Association for Computing Machinery (2013)
Mahmoody, M., Smith, C., Wu, D.J.: A note on the (im)possibility of verifiable delay functions in the random oracle model. Cryptology ePrint Archive, Report 2019/663 (2019). https://eprint.iacr.org/2019/663
Micali, S.: CS proofs (extended abstracts). In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November, pp. 436–453. IEEE Computer Society Press (1994)
Pietrzak, K.: Simple verifiable delay functions. In: Blum, A. (ed.) ITCS 2019: 10th Innovations in Theoretical Computer Science Conference, San Diego, CA, USA, 10–12 January, vol. 124, pp. 60:1–60:15. LIPIcs (2019)
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. Assoc. Comput. Mach. 21(2), 120–126 (1978)
Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical Report MIT/LCS/TR-684 (1996)
Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1
Wesolowski, B.: Efficient verifiable delay functions. Cryptology ePrint Archive, Report 2018/623 (2018). https://eprint.iacr.org/2018/623
Acknowledgments
S. Garg is supported in part by DARPA SIEVE Award, AFOSR Award FA9550-15-1-0274, AFOSR Award FA9550-19-1-0200, AFOSR YIP Award, NSF CNS Award 1936826, DARPA and SPAWAR under contract N66001-15-C-4065, a Hellman Award, a Sloan Research Fellowship and research grants by the Okawa Foundation, Visa Inc., and Center for Long-Term Cybersecurity (CLTC, UC Berkeley). The views expressed are those of the author and do not reflect the official policy or position of the funding agencies.
A Instantiations
In the following we survey the existing candidate VDF schemes and we discuss the implications of our results.
A.1 Compute-and-Prove VDF
The original work of Boneh et al. [5] discusses an instantiation for VDF based on any (conjectured) inherently sequential function and a succinct non-interactive argument system (SNARG) [14, 17]. The prover simply evaluates the function on a randomly chosen input and computes a short proof that the computation is done correctly. However, such an approach is dismissed since the time to compute a SNARG is typically much longer than that needed for the corresponding relation. Therefore, to achieve meaningful sequentiality guarantees, the prover needs to resort to massive parallelization which requires a number of processors linear in the time parameter T.
For this reason they turned their attention to incremental verifiable computation schemes [21]. Such a primitive derives from the recursive composition of SNARGs and allows one to compute the proof incrementally as the computation proceeds. However, this feature comes at a cost: the number of recursions introduces an exponential factor in the running time of the extractor, and therefore the schemes can be shown sound only for a constant number of iterations. Other constructions [3] circumvent this issue by constructing computation trees of constant depth; however, the overhead given by the recursive application of a SNARG is typically the bottleneck of the computation.
Our approach can be seen as a lightweight composition theorem for VDFs and rehabilitates the compute-and-prove paradigm using standard SNARGs in conjunction with iterated sequential functions: Most of the existing SNARG schemes can be computed in time quasi-linear in T [2] and can be parallelized to meet our weak efficiency requirements using a poly-logarithmic amount of processors (in the time parameter T). Our compiler shows that the combination of SNARGs and iterated sequential functions already gives a tightly sequential VDF, for any value of T.
A.2 Wesolowski's VDF
A recent work by Wesolowski [22] builds an efficient VDF exploiting the conjectured sequentiality of repeated squaring in groups of unknown order, such as RSA groups [19] or class groups of imaginary quadratic order [7]. Loosely speaking, given a random instance \(x\in \mathbb {G}\) and a time parameter T, the sequential function is defined as \(f(x) = x^{2^T}\). Wesolowski proposes a succinct argument for the corresponding language
where the verification is much faster than recomputing the function from scratch. The argument goes as follows:
(1) The verifier samples a random prime p from the set of the first \(2^\lambda \) primes.
(2) The prover computes \(q, r \in \mathbb {Z}\) such that \(2^T = pq + r\) and outputs \(\pi = x^q\) as the proof.
(3) The proof \(\pi \) can be verified by checking that \(\pi ^p x^r = y\), where r is computed as \(2^T \bmod p\).
The argument can be made non-interactive using the Fiat-Shamir transformation [13]. Note that the value of q cannot be computed by the prover explicitly since the order of the group is unknown; it can, however, be computed in the exponent of x in time close to T.
Wesolowski’s proof consists of a single group element and the verifier workload is essentially that of two exponentiations in \(\mathbb {G}\). The main shortcoming of the scheme is that the time to compute a valid proof is proportional to the time to compute the function. However, Wesolowski briefly explains how to reduce this overhead to a constant factor using parallel processors. The modification sketched in his paper is essentially an ad-hoc version of our compiler.
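The three-step argument above, as an added example that is not from the paper: a toy Python implementation over a constructed small modulus, with the challenge prime derived by Fiat-Shamir (a hash-then-next-prime stand-in, an assumption of this example) and the prover computing \(x^q\) by long division in the exponent, so q is never formed explicitly.

```python
import hashlib

# Constructed toy group: Z_N^* for N = p1*p2 with the factors thrown away.
# A real deployment needs a large modulus of genuinely unknown order.
N = 1000000007 * 998244353


def is_prime(n):
    """Trial division; enough for the small challenge primes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def sequential_squaring(x, T, N=N):
    """f(x) = x^(2^T) mod N via T sequential squarings (the VDF evaluation)."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y


def challenge_prime(x, y, T, bits=32):
    """Fiat-Shamir challenge: hash (x, y, T) and step to the next prime.
    Constructed stand-in for sampling from the first 2^lambda primes."""
    h = int.from_bytes(hashlib.sha256(f"{x}|{y}|{T}".encode()).digest(), "big")
    cand = (h % (1 << bits)) | 1
    while not is_prime(cand):
        cand += 2
    return cand


def prove(x, T, p, N=N):
    """pi = x^q for q = floor(2^T / p), without ever materialising q: the
    long division of 2^T by p is carried out bit by bit inside the exponent."""
    pi, r = 1, 0
    for bit in [1] + [0] * T:        # 2^T in binary: a 1 followed by T zeros
        pi = pi * pi % N             # exponent <<= 1
        r = 2 * r + bit
        if r >= p:                   # next quotient bit is 1
            r -= p
            pi = pi * x % N
    return pi                        # r now equals 2^T mod p


def verify(x, y, T, p, pi, N=N):
    """Accept iff pi^p * x^r == y with r = 2^T mod p (two exponentiations)."""
    r = pow(2, T, p)
    return pow(pi, p, N) * pow(x, r, N) % N == y % N


if __name__ == "__main__":
    x, T = 12345, 2000
    y = sequential_squaring(x, T)
    p = challenge_prime(x, y, T)
    print(verify(x, y, T, p, prove(x, T, p)))
```

The proof is a single group element and the prover's loop runs T+1 cheap steps, matching the cost profile discussed above.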
A.3 Pietrzak's VDF
Recently, Pietrzak [18] also showed an efficient succinct argument for the same language \(\mathcal {L}\), taking a slightly different route. In the following we briefly recall the backbone of the argument:
(1) If \(T = 1\), the verifier simply checks that \(x^2 = y\).
(2) Else the prover computes \(z = x^{2^{T/2}}\) and sends it to the verifier.
(3) The verifier samples some \(r \in \{1, \dots , 2^\lambda \}\).
(4) The prover and the verifier recurse on input \((\mathbb {G}, x^rz, z^ry, T/2)\).
The resulting argument is less efficient than Wesolowski's approach in terms of proof size and verifier complexity by a factor of \(\log(T)\). However, Pietrzak's argument can be computed in time approximately \(\sqrt{T}\) using roughly \(\sqrt{T}\) memory by storing some intermediate values of the function evaluation.
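The halving argument above, as an added example that is not from the paper: a toy Python implementation of both sides over a constructed small modulus, with the challenge r derived by Fiat-Shamir from the transcript (an assumption of this example) and T restricted to powers of two so that T/2 stays an integer.

```python
import hashlib

# Constructed toy group Z_N^* (factors discarded); a real instance needs a
# large modulus of unknown order. T must be a power of two so T/2 stays exact.
N = 1000000007 * 998244353


def sequential_squaring(x, T, N=N):
    """f(x) = x^(2^T) mod N via T sequential squarings."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y


def challenge(x, y, z, T, lam=32):
    """Fiat-Shamir stand-in for the verifier's r in {1, ..., 2^lambda}."""
    h = hashlib.sha256(f"{x}|{y}|{z}|{T}".encode()).digest()
    return int.from_bytes(h[:lam // 8], "big") + 1


def halve(x, y, z, r, N=N):
    """One recursion step: (x, y, T) -> (x^r z, z^r y, T/2)."""
    return pow(x, r, N) * z % N, pow(z, r, N) * y % N


def prove(x, y, T, N=N):
    """Prover side: send the midpoint z = x^(2^(T/2)) at each level until T=1.
    The proof is the list of log2(T) midpoints."""
    proof = []
    while T > 1:
        z = sequential_squaring(x, T // 2, N)
        proof.append(z)
        x, y = halve(x, y, z, challenge(x, y, z, T), N)
        T //= 2
    return proof


def verify(x, y, T, proof, N=N):
    """Verifier side: replay the halving with the prover's midpoints, then
    check the base case x^2 == y. Costs O(log T) small exponentiations."""
    for z in proof:
        if T <= 1:               # more midpoints than recursion levels
            return False
        x, y = halve(x, y, z, challenge(x, y, z, T), N)
        T //= 2
    return T == 1 and x * x % N == y % N


if __name__ == "__main__":
    x, T = 12345, 1024
    y = sequential_squaring(x, T)
    print(len(prove(x, y, T)), verify(x, y, T, prove(x, y, T)))
```

This prover recomputes every midpoint from scratch, so it spends about T squarings in total; the \(\sqrt{T}\)-time variant mentioned above instead reuses stored powers from the original evaluation.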
It is clear that such a VDF fulfills the conditions to apply our compiler and allows us to truncate the additional \(\sqrt{T}\) factor from the proof computation. Due to the increased proof size, it might appear that the resulting scheme is strictly worse than that obtained by combining our compiler with Wesolowski's approach. However, the significantly shorter proving time allows us to give a sharper bound on the number of recursions of our algorithm: in each iteration the new time parameter is computed as \(\frac{1}{2}\sqrt{4T+1} - 1\), and therefore approximately \(\log\log(T)\) iterations suffice to hit the bottom of the recursion. As a consequence, Pietrzak's argument needs less parallelism to achieve optimal prover runtime. We also point out that Pietrzak's argument rests on a weaker assumption, as discussed in [6].
© 2020 Springer Nature Switzerland AG
Cite this paper
Döttling, N., Garg, S., Malavolta, G., Vasudevan, P.N. (2020). Tight Verifiable Delay Functions. In: Galdi, C., Kolesnikov, V. (eds) Security and Cryptography for Networks. SCN 2020. Lecture Notes in Computer Science(), vol 12238. Springer, Cham. https://doi.org/10.1007/978-3-030-57990-6_4
DOI: https://doi.org/10.1007/978-3-030-57990-6_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57989-0
Online ISBN: 978-3-030-57990-6