Experimental Comparisons of Verifiable Delay Functions

Abstract

Verifiable delay function (VDF) has been a hot topic in recent cryptography research since the Ethereum researchers announced that they intended to use it in Ethereum 2.0. VDF has many applications in decentralized systems. This paper tries to organize the development path of VDF and related applications. We compare the performance of the four state-of-art VDFs by theoretical analysis and experimental verification. And through experiments, the influence of different type of groups and different hardware conditions on VDF performance are compared. In the end, we concluded that Wesolowski VDF is more suitable for decentralized clock applications that require higher time accuracy. Meanwhile, modular N multiplicative cyclic group is more suitable for constructing VDF that requires higher time accuracy while the class group is more suitable for applications with limited space. Besides, the effect of hardware on various VDFs is basically the same if the four VDFs use the same group and in the case of the same number of evaluation steps. Generally speaking, it might have a constant multiple improvement on the performance of VDF.

A Appendix

1.1 A.1 Non-interactive Proof System

The construction of non-interactive proof system:

• Prover(x, t, y):

  • If \(t < k^d\), compute \(y=x^{2^t}\), return y and proof \(\emptyset \). d was defined in advance.

  • Otherwise, compute y = \(x^{2^t}\) and build the msg parameter with the intermediate states: \(msg=(x_1,x_2,\ldots ,x_{k-1})\) where \(x_i = x^{2^{(it)/k}}\).

  • Compute \((x',y')=sketch(x,t,y,msg)\).

  • Return y and proof \(\pi \) where \(\pi =(msg,\pi ')\) and \(\pi '=Prover(x',t/k,y')\).

• Sketch(x, t, y, msg):

  • We first check whether msg can be parsed as \((x_1,x_2,\ldots ,x_{k-1})\) where \(x_i=x^{2^{(it)/k}}\), set \(x_k=y=x^{2^t}\)and \(x_0=x\).

  • Generate k random numbers \((r_1,r_2,\ldots ,r_k )=hash(x,t,y,msg)\).

  • Compute \(x'= \prod _{i=1}^{k} x_{i-1}^{r_i} ,y'= \prod _{i=1}^k x_i^{r_i}\), where \(y'= x'^{2^{t/k}}\).

  • Return \((x',y')\).

• \(Verifier(x,t,y,\pi )\):

  • If \(t < k^d\), check whether \(\pi = \emptyset \) and \(y=x^{2^t}\), return 1 if correct or 0 otherwise.

  • We parse \(\pi \) as \((msg,\pi ')\), compute \((x',y')=sketch(x,t,y,msg)\).

  • Run \(Verifier(x',t/k,y',\pi ')\).

1.2 A.2 Unique VDF

The construction of uVDF:

• \(uVDF.Setup(\lambda ,t) \rightarrow PP\):

  • Generate a big number \(N=pq\) where both p and q are primes. Here \(p=2p'+1\), \(q=2q'+1\), both \(q'\) and \(p'\) are primes in \([2^\lambda ,2^{\lambda +1})\).

  • Sample a hash function H. For the tree structure, set the number of child \(k = \lambda \), where t is the power of k. Set the number d so that when \(t < k^d\) we compute the VDF directly without generating proof.

  • Output the Public Parameter \(PP = (N, t, k, d, H)\)

• \(uVDF.eval(x,t,PP) \rightarrow (y,\pi )\):

  • If \(t < k^d\), compute \(y=x^{2^t}\) directly and output y.

  • If \(t > k^d\), compute \(y=x^{2^t}\) and generate \(msg=(x_1,x_2,\dots ,x_{k-1} )\) where \(x_i =x^{2^{it/k}}\). Compute \((x',y')=sketch(x,t,y,msg)\).

  • Output \((y,\pi )\),where \(\pi =(msg,\pi ')\), \(\pi '=Prover(x',t/k,y')\).

• \(uVDF.verify(x,t,y,\pi ,PP) \rightarrow \{0,1\}\):

  • If \(t < k^d\), return 1 if \(y=x^{2^t}\) or 0 otherwise.

  • Return \(Verifier(x',t/k,y',\pi ' )\).

1.3 A.3 Continuous VDF

• \(cVDF.Setup(\lambda )\rightarrow PP\):

  • Run \(uVDF.Setup(\lambda )\) to generate the public parameter \(PP_uvdf\).

  • Set the number \(d'\) so that every leaf node consists of \(k^{d'}\)steps.

  • Output the public parameter of cVDF \(PP=(PP_{uvdf},d')\).

• \(uVDF.eval\_node(x,PP,\Pi )\):

  • Verify the frontier: check the consistency of proofs in the frontier and verify all proofs in the frontier.

  • Use \(uVDF.eval(x,k^{d'},PP)\) to compute the \(k^{d'}\)step evaluation of the current node, and generate the output y and proof \(\pi \). We generate \(\pi _s=(x,y,\pi ,k^{d'})\). If the current node is the leftmost child, then x is the input of its father. If the current node is a middle node, then x is the output of its closest left sibling. And if the current node is the rightmost child then x is the output of sketch function of all its left-siblings.

  • Update the frontier: we denoted by s the current node and \(s+1\) the next node. And we denoted by a the closest common ancestor of s and \(s+1\), and denoted \(a^*\) by the child of a on the path from s to a. We generate \(\pi _{a^*}=(x^*,y^*,\pi ^*,k^{d'+h})\). If \(a^*=s\) then \(\pi _{a^*}=\pi _s\), otherwise if \(a^*\) is the ancestor of s then \(x^*\) is the input of leftmost child, \(y^*\)is the output of k-th child \(a^*\) and \(\pi ^*=Prover(x^*,k^{d'+h},y^*)\), h is the height of \(a^*\).

  • Delete all proofs of nodes that is the child of \(a^*\)from the frontier, and add \(\pi _{a^*}\)to the frontier.

• \(cVDF.verify(x,y,PP,\Pi )\):

  • Check the consistency of proofs in the frontier and verify all proofs in the frontier with uVDF.verify.

1.4 A.4 Pietrzek

• \(Setup(1^\lambda ):\)

  • Sample two \(\lambda /2\) bit numbers p and q the output N = pq.

  • Sample \(x \in QR_N^+\) and integer \(d'\) output \((x,t=2^{d'})\).

• Prover(x, t)

  • Compute \(y= x^{2^t}\).

  • Set \(x_0=x, y_0=y, t_0=t\) and \(i = 0\). Sample d.

  • While \(t_i > 2^d\), do the following steps:

    • \(\mu _i= x_i^{2^{t_i/2}}\)

    • \(r_i=hash(x_i,y_i,t_i/2,\mu _i)\)

    • \(x_{i+1}=x_i^{r_i}\mu _i\), \(y_{i+1}=\mu _i^{r_i}y_i\), \(t_{i+1} = t_i/2\) and \(i = i + 1\)

We take the intermediate states to generate the proof \(\pi =(\mu _1,\mu _2,\mu _3,\dots ,\mu _m )\), where \(m=log_2(t)-d\). We can conclude that \(\mu _i=\Sigma _{\eta =0}^{2^{i-1}-1} (x^{2^{(2\eta +1)t/2^i}})^{c_i}\) and \(c_i=\prod _{i \in K} r_i\) where \( K=\{i|binary(\eta )[i]\,=\,'0'\} \) and the binary function can convert a number into a binary string. For example, \(\mu _3= (x^{2^{t/8}})^{r_1r_2} + (x^{2^{3t/8}})^{r_1} + (x^{2^{5t/8}})^{r_2}+x^{2^{7t/8}}\), when binary(1) = “001”, \(K = \{1,2\}\) and when binary(5) = “101”, \(K = \{2\}\) etc.

When the verification, we compute \(x_{i+1}=x_i^{r_i} \mu _i\), \(y_{i+1}=\mu _i^{r_i} \mu _i\) recursively and finally check whether the equation \(y_{m+1}=x_{m+1}^{t_{m+1}}\) holds.