Efficient Verifiable Delay Functions

Abstract

We construct a verifiable delay function (VDF). A VDF is a function whose evaluation requires running a given number of sequential steps, yet the result can be efficiently verified. They have applications in decentralised systems, such as the generation of trustworthy public randomness in a trustless environment, or resource-efficient blockchains. To construct our VDF, we actually build a trapdoor VDF. A trapdoor VDF is essentially a VDF which can be evaluated efficiently by parties who know a secret (the trapdoor). By setting up this scheme in a way that the trapdoor is unknown (not even by the party running the setup, so that there is no need for a trusted setup environment), we obtain a simple VDF. Our construction is based on groups of unknown order such as an RSA group, or the class group of an imaginary quadratic field. The output of our construction is very short (the result and the proof of correctness are each a single element of the group), and the verification of correctness is very efficient.

© IACR 2019. This article is the final version submitted by the author to the IACR and to Springer-Verlag on March 14, 2019. The version published by Springer-Verlag is available at https://doi.org/10.1007/978-3-030-17659-4_13.

B. Wesolowski—The author is currently affiliated to CWI², yet this work was completed at EPFL¹.

1 Introduction

We describe a function that is slow to compute and easy to verify: a verifiable delay function (henceforth, VDF) in the sense of [4]¹. These functions should be computable in a prescribed amount of time \(\varDelta \), but not faster (the time measures an amount of sequential work, that is work that cannot be performed faster by running on a large number of parallel cores), and the result should be easy to verify (i.e., for a cost \(\mathrm {polylog}(\varDelta )\)). These special functions are used in [15] (under the name of slow-timed hash functions) to construct a trustworthy randomness beacon: a service producing publicly verifiable random numbers, which are guaranteed to be unbiased and unpredictable. These randomness beacons, introduced by Rabin in [17], are a valuable tool in a public, decentralised setting, as it is not trivial for someone to flip a coin and convince their peers that the outcome was not rigged. A number of interesting applications of VDFs have recently emerged—see [4] for an overview. Most notably, they can be used to design resource-efficient blockchains, eliminating the need for massively power-consuming mining farms. VDFs play a key role in the Chia blockchain design (chia.net), and the Ethereum Foundation (ethereum.org) and Protocol Labs (protocol.ai) are teaming up to investigate the technology of VDFs which promise to play a key role in their respective platforms.

There is thereby a well-motivated need for an efficient construction. This problem was left open in [4], and we address it here with a new, simple, and efficient VDF.

1.1 Contribution

An efficient construction. The starting point of our construction is the time-lock puzzle of Rivest, Shamir and Wagner [18]: given as input an RSA group \((\mathbf{Z}/N\mathbf{Z})^\times \), where N is a product of two large, secret primes, a random element \(x \in (\mathbf{Z}/N\mathbf{Z})^\times \), and a timing parameter \({t}\), compute \(x^{2^{t}}\). Without the factorisation of N, this task requires \({t}\) sequential squarings in the group. More generally, one could work with any group G of unknown order. This construction is only a time-lock puzzle and not a VDF, because given an output y, there is no efficient way to verify that \(y = x^{2^{t}}\).

The new VDF construction consists in solving an instance of the time-lock puzzle of [18], and computing a proof of correctness, which allows anyone to efficiently verify the result. Fix a timing parameter \(\varDelta \), a security level k (say, 128, 192, or 256), and a group G. Our construction has the following properties:

1. 1.

   It is \(\varDelta \)-sequential (meaning that it requires \(\varDelta \) sequential steps to evaluate) assuming the classic time-lock assumption of [18] in the group G.

2. 2.

   It is sound (meaning that one cannot produce a valid proof for an incorrect output) under some group theoretic assumptions on G, believed to be true for RSA groups and class groups of quadratic imaginary number fields.

3. 3.

   The output and the proof of correctness are each a single element of the group G (also, the output can be recovered from the proof and a 2k-bit integer; so it is possible to transmit a single group element and a small integer instead of 2 group elements).

4. 4.

   The verification of correctness requires essentially two exponentiations in the group G, with exponents of bit-length 2k.

5. 5.

   The proof can be produced in \(O(\varDelta /\log (\varDelta ))\) group operations.

For applications where a lot of these proofs need to be stored, widely distributed, and repeatedly verified, having very short and efficiently verifiable proofs is invaluable.

Following discussions about the present work at the August 2018 workshop at Stanford hosted by the Ethereum Foundation and the Stanford Center for Blockchain Research, we note that our construction features two other useful properties: the proofs can be aggregated and watermarked. Aggregating consists in producing a single short proof that simultaneously proves the correctness of several VDF evaluations. Watermarking consists in tying a proof to the evaluator’s identity; in a blockchain setting, this allows to give credit (and a reward) to the party who spent time and resources evaluating the VDF. These properties are discussed in Sect. 7.

Note that the method we describe to compute the proof requires an amount \(O(\varDelta /\log (\varDelta ))\) group operations. Hence, there is an interval between the guaranteed sequential work \(\varDelta \) and the total work \({(1+\varepsilon )\varDelta }\), where \(\varepsilon = O(1/\log (\varDelta ))\). For practical parameters, this \(\varepsilon \) is in the order of 0.05, and this small part of the computation is easily parallelizable, so that the total evaluation time with s cores is around \((1 + 1/(20s))\varDelta \). This gap should be of no importance since anyways, computational models do not capture well small constant factors with respect to real-world running time. Precise timing is unlikely to be achievable without resorting to trusted hardware, thus applications of VDFs are designed not to be too sensitive to these small factors.

If despite these facts it is still problematic in some application to know the output of the VDF slightly before having the proof, it is possible to eliminate this gap by artificially considering the proof as part of the output (the output is now a pair of group elements, and the proof is empty). The resulting protocol is still \(\varDelta \)-sequential (trivially), and as noted in Remark 5, it is also sound. We also propose a second method in Sect. 4.3 which allows to exponentially reduce the overhead of the proof computation at the cost of lengthening the resulting proof by a few group elements.

Trapdoor verifiable delay function. The construction proposed is actually a trapdoor VDF, from which we can derive an actual VDF. A party, Alice, holds a secret key \(\mathsf {sk}\) (the trapdoor), and an associated public key \(\mathsf {pk}\). Given a piece of data x, a trapdoor VDF allows to compute an output \(y\) from x such that anyone can easily verify that either \(y\) has been computed by Alice (i.e., she used her secret trapdoor), or the computation of \(y\) required an amount of time at least \(\varDelta \) (where, again, time is measured as an amount of sequential work). The verification that \(y\) is the correct output of the VDF for input x should be efficient, with a cost \(\mathrm {polylog}(\varDelta )\).

Deriving a verifiable delay function. Suppose that a public key \(\mathsf {pk}\) for a trapdoor VDF is given without any known associated secret key. This results in a simple VDF, where the evaluation requires a prescribed amount of time \(\varDelta \) for everyone (because there is no known trapdoor).

Now, how to publicly generate a public key without any known associated private key? In the construction we propose, this amounts to the public generation of a group of unknown order. A standard choice for such groups are RSA groups, but it is hard to generate an RSA number (a product of two large primes) with a strong guarantee that nobody knows the factorisation. It is possible to generate a random number large enough that with high probability it is divisible by two large primes (as done in [19]), but this approach severely damages the efficiency of the construction, and leaves more room for parallel optimisation of the arithmetic modulo a large integer, or for specialised hardware acceleration. It is also possible to generate a modulus by a secure multiparty execution of the RSA key generation procedure among independent parties, each contributing some secret random seeds (as done in [6]). However, in this scenario, a third party would have to assume that the parties involved in this computation did not collude to retrieve the secret. We propose to use the class group of an imaginary quadratic order. One can easily generate an imaginary quadratic order by choosing a random discriminant, and when the discriminant is large enough, the order of the class group cannot be computed. These class groups were introduced in cryptography by Buchmann and Williams in [9], exploiting the difficulty of computing their orders (and the fact that this order problem is closely related to the discrete logarithm and the root problems in this group). To this day, the best known algorithms for computing the order of the class group of an imaginary quadratic field of discriminant d are still of complexity \(L_{|d|}(1/2)\) under the generalised Riemann hypothesis, for the usual function \(L_t(s) = \mathrm {exp}\left( O\left( \log (t)^s\log \log (t)^{1-s}\right) \right) \), as shown in [14] and [20].

Circumventing classic impossibility results. Finally, we further motivate the notion of trapdoor VDF by showing that it constitutes an original tool to circumvent classic impossibility results. We illustrate this in Sect. 8 with a simple and efficient identification protocol with surprising zero-knowledge and deniability properties.

1.2 Time-Sensitive Cryptography and Related Work

Rivest, Shamir and Wagner [18] introduced in 1996 the use of time-locks for encrypting data that can be decrypted only in a predetermined time in the future. This was the first time-sensitive cryptographic primitive taking into account the parallel power of possible attackers. Other timed primitives appeared in different contexts: Bellare and Goldwasser [1, 2] suggested time capsules for key escrowing in order to counter the problem of early recovery. Boneh and Naor [7] introduced timed commitments: a hiding and binding commitment scheme, which can be forced open by a procedure of determined running time. More recently, and as already mentioned, the notion of slow-timed hash function was introduced in [15] as a tool to provide trust to the generation of public random numbers.

Verifiable delay functions. These slow-timed hash functions were recently revisited and formalised by Boneh et al. in [4] under the name of verifiable delay functions. The function proposed in [15], sloth, is not asymptotically efficiently verifiable: the verification procedure (given x and y, verify that \(\mathsf {sloth}(x) = y\)) is faster than the evaluation procedure (given x, compute the value \(\mathsf {sloth}(x)\)) only by a constant factor. The authors of [4] proposed practical constructions that achieve an exponential gap between evaluation and verification, but do not strictly achieve the requirements of a VDF. For one of them, the evaluation requires an amount \(\mathrm {polylog}(\varDelta )\) of parallelism to run in parallel time \(\varDelta \). The other one is insecure against an adversary that can run a large (but feasible) pre-computation, so the setup must be regularly updated. The new construction we propose does not suffer these disadvantages.

Pietrzak’s verifiable delay function. Independently from the present work, another efficient VDF was proposed in [16]. The author describes an elegant construction, provably secure under the classic time-lock assumption of [18] when implemented over an RSA group \((\mathbf{Z}/N\mathbf{Z})^\times \) where N is a product of two safe primes. The philosophy of [16] is close to our construction: it consists in solving the puzzle of [18] (for a timing parameter \(\varDelta \)), and computing a proof of correctness. Their proofs can be computed with \(O(\sqrt{\varDelta }\log (\varDelta ))\) group multiplications. However, the proofs obtained are much longer (they consist of \(O(\log (\varDelta ))\) group elements, versus a single group element in our construction), and the verification procedure is less efficient (it requires \(O(\log (\varDelta ))\) group exponentiations, versus essentially two group exponentiations in our construction—for exponents of bit-length the security level k in both cases).

In the example given in [18], the group G is an RSA group for a 2048 bit modulus, and the time \(\varDelta \) is set to \(2^{40}\) sequential squarings in the group, so the proofs are 10KB long. In comparison, in the same setting, our proofs are 0.25KB long.

1.3 Notation

Throughout this paper, the integer k denotes a security level (typically 128, 192, or 256), and the map \({H : \{\mathtt{0,1}\}^* \rightarrow \{\mathtt{0,1}\}^{2k}}\) denotes a secure cryptographic hash function. For simplicity of exposition, the function H is regarded as a map from \(\mathscr {A}^*\) to \(\mathscr {\{}\mathtt{0,1}\}^{2k}\), where \(\mathscr {A}^*\) is the set of strings over some alphabet \(\mathscr {A}\) such that \(\{\mathtt{0,1}\}\subset \mathscr {A}\). The alphabet \(\mathscr {A}\) contains at least all nine digits and twenty-six letters, and a special character \(\star \). Given two strings \(s_1,s_2 \in \mathscr {A}^*\), denote by \(s_1||s_2\) their concatenation, and by \(s_1|||s_2\) their concatenation separated by \(\star \). The function \(\mathtt{int}: \{\mathtt{0,1}\}^*\rightarrow \mathbf{Z}_{\ge 0}\) maps \(x\in \{\mathtt{0,1}\}^*\) in the canonical manner to the non-negative integer with binary representation x. The function \(\mathtt{bin}: \mathbf{Z}_{\ge 0} \rightarrow \{\mathtt{0,1}\}^* \) maps any non-zero integer to its binary representation with no leading \(\mathtt 0\)-characters, and \(\mathtt{bin}(0) = \mathtt{0}\).

2 Trapdoor Verifiable Delay Functions

Let \(\varDelta : \mathbf Z_{>0} \rightarrow \mathbf R_{>0}\) be a function of the (implicit) security parameter k. This \(\varDelta \) is meant to represent a time duration, and what is precisely meant by time is explained in Sect. 3 (essentially, it measures an amount of sequential work). A party, Alice, has a public key \(\mathsf {pk}\) and a secret key \(\mathsf {sk}\). Let x be a piece of data. Alice, thanks to her secret key \(\mathsf {sk}\), is able to quickly evaluate a function \(\mathsf {trapdoor}_\mathsf {sk}\) on x. On the other hand, other parties knowing only \(\mathsf {pk}\) can compute \(\mathsf {eval}_\mathsf {pk}(x)\) in time \(\varDelta \), but not faster (and important parallel computing power does not give a substantial advantage in going faster; remember that \(\varDelta \) measures the sequential work), such that the resulting value \(\mathsf {eval}_\mathsf {pk}(x)\) is the same as \(\mathsf {trapdoor}_\mathsf {sk}(x)\).

More formally, a trapdoor VDF consists of the following components (very close to the classic VDF defined in [4]):

• \(\mathsf {keygen}\rightarrow (\mathsf {pk}, \mathsf {sk})\) is a key generation procedure, which outputs Alice’s public key \(\mathsf {pk}\) and secret key \(\mathsf {sk}\). As usual, the public key should be publicly available, and the secret key is meant to be kept secret.

• \(\mathsf {trapdoor}_\mathsf {sk}(x,\varDelta ) \rightarrow (y,\pi )\) takes as input the data \(x \in \mathcal X\) (for some input space \(\mathcal X\)), and uses the secret key \(\mathsf {sk}\) to produce the output \(y\) from x, and a (possibly empty) proof \(\pi \). The parameter \(\varDelta \) is the amount of sequential work required to compute the same output \(y\) without knowledge of the secret key.

• \(\mathsf {eval}_\mathsf {pk}(x, \varDelta ) \rightarrow (y,\pi )\) is a procedure to evaluate the function on x using only the public key \(\mathsf {pk}\), for a targeted amount of sequential work \(\varDelta \). It produces the output \(y\) from x, and a (possibly empty) proof \(\pi \). This procedure is meant to be infeasible in time less than \(\varDelta \) (this will be expressed precisely in the security requirements).

• \(\mathsf {verify}_\mathsf {pk}(x, y, \pi , \varDelta ) \rightarrow \mathsf {true}\) or \(\mathsf {false}\) is a procedure to check if \(y\) is indeed the correct output for x, associated to the public key \(\mathsf {pk}\) and the evaluation time \(\varDelta \), possibly with the help of the proof \(\pi \).

Note that the security parameter k is implicitly an input to each of these procedures. Given any key pair \((\mathsf {pk}, \mathsf {sk})\) generated by the \(\mathsf {keygen}\) procedure, the functionality of the scheme is the following. Given any input x and time parameter \(\varDelta \), let \((y,\pi ) \leftarrow \mathsf {eval}_\mathsf {pk}(x, \varDelta )\) and \((y',\pi ') \leftarrow \mathsf {trapdoor}_\mathsf {sk}(x,\varDelta )\). Then, \(y= y'\) and the procedures \(\mathsf {verify}_\mathsf {pk}(x, y,\pi , \varDelta )\) and \(\mathsf {verify}_\mathsf {pk}(x, y',\pi ', \varDelta )\) both output \(\mathsf {true}\).

We also require the protocol to be sound, as in [4]. Intuitively, we want that if \(y'\) is not the correct output of \(\mathsf {eval}_\mathsf {pk}(x, \varDelta )\) then \(\mathsf {verify}_\mathsf {pk}(x, y', \varDelta )\) outputs \(\mathsf {false}\). We however allow the holder of the trapdoor to generate misleading values \(y'\).

Definition 1

(Soundness). A trapdoor VDF is sound if any polynomially bounded algorithm solves the following soundness-breaking game with negligible probability (in k): given as input the public key \(\mathsf {pk}\), output a message x, a value \(y'\) and a proof \(\pi '\) such that \(y' \ne \mathsf {eval}_\mathsf {pk}(x, \varDelta )\), and \(\mathsf {verify}_\mathsf {pk}(x, y', \pi ', \varDelta ) = \mathsf {true}\).

The second security property is that the correct output cannot be produced in time less than \(\varDelta \) without knowledge of the secret key \(\mathsf {sk}\). This is formalised in the next section via the \(\varDelta \)-evaluation race game. A trapdoor VDF is \(\varDelta \)-sequential if any polynomially bounded adversary wins the \(\varDelta \)-evaluation race game with negligible probability.

3 Wall-Clock Time and Computational Assumptions

Primitives such as verifiable delay functions or time-lock puzzles wish to deal with the delicate notion of real-world time. This section discusses how to formally handle this concept, and how it translates in practice.

3.1 Theoretical Model

A precise notion of wall-clock time is difficult to capture formally. However, we can get a first approximation by choosing a model of computation, and defining time as an amount of sequential work in this model. A model of computation is a set of allowable operations, together with their respective costs. For instance, working with circuits with gates \(\vee \), \(\wedge \) and \(\lnot \) which each have cost 1, the notion of time complexity of a circuit \(\mathscr {C}\) can be captured by its depth \(d(\mathscr {C})\), i.e., the length of the longest path in \(\mathscr {C}\). The time-complexity of a boolean function f is then the minimal depth of a circuit implementing f, but this does not reflect the time it might take to actually compute f in the real world where one is not bound to using circuits. A random access machine might perform better, or maybe a quantum circuit.

A good model of computation for analysing the actual time it takes to solve a problem should contain all the operations that one could use in practice (in particular the adversary). From now on, we suppose the adversary works in a model of computation \(\mathscr {M}\). We do not define exactly \(\mathscr {M}\), but only assume that it allows all operations a potential adversary could perform, and that it comes with a cost function c and a time-cost function t. For any algorithm \(\mathcal A\) and input x, the cost \(C(\mathcal A,x)\) measures the overall cost of computing \(\mathcal A(x)\) (i.e., the sum of the costs of all the elementary operations that are executed), while the time-cost \(T(\mathcal A,x)\) abstracts the notion of time it takes to run \(\mathcal A(x)\) in the model \(\mathscr {M}\). For the model of circuits, one could define the cost as the size of the circuit and the time-cost as its depth. For concreteness, one can think of the model \(\mathscr {M}\) as the model of parallel random-access machines.

All forthcoming security claims are (implicitly) made with respect to the model \(\mathscr {M}\). The time-lock assumption of Rivest, Shamir and Wagner [18] can be expressed as Assumption 1 below.

Definition 2

(\((\delta ,t)\)-time-lock game). Let \(k \in \mathbf Z_{>0}\) be a difficulty parameter, and \(\mathcal A\) be an algorithm playing the game. The parameter \({t}\) is a positive integer, and \(\delta : \mathbf Z_{>0} \rightarrow \mathbf R_{>0}\) is a function. The \((\delta ,{t})\)-time-lock game goes as follows:

1. 1.

   An RSA modulus N is generated at random by an RSA key-generation procedure, for the security parameter k;

2. 2.

   \(\mathcal A(N)\) outputs an algorithm \(\mathcal B\);

3. 3.

   An element \(g \in \mathbf Z/N\mathbf Z\) is generated uniformly at random;

4. 4.

   \(\mathcal B(g)\) outputs \(h \in \mathbf Z/N\mathbf Z\).

Then, \(\mathcal A\) wins the game if \(h = g^{2^{t}} \mod N\) and \(T(\mathcal B,g) < {t}\delta (k)\).

Assumption 1

(Time-lock assumption). There is a cost function \(\delta : \mathbf Z_{>0} \rightarrow \mathbf R_{>0}\) such that the following two statements hold:

1. 1.

   There is an algorithm \(\mathcal S\) such that for any modulus N generated by an RSA key-generation procedure with security parameter k, and any element \(g \in \mathbf Z/N\mathbf Z\), the output of \(\mathcal S(N,g)\) is the square of g, and \(T(\mathcal S, (N,g)) < \delta (k)\);

2. 2.

   For any \({t}\in \mathbf Z_{>0}\), no algorithm \(\mathcal A\) of polynomial cost² wins the \((\delta ,{t})\)-time-lock game with non-negligible probability (with respect to the difficulty parameter k).

The function \(\delta \) encodes the time-cost of computing a single modular squaring, and Assumption 1 expresses that without knowledge of the factorisation of N, there is no faster way to compute \(g^{2^{t}} \mod N\) than performing \({t}\) sequential squarings.

With this formalism, we can finally express the security notion of a trapdoor VDF.

Definition 3

(\(\varDelta \)-evaluation race game). Let \(\mathcal A\) be a party playing the game. The parameter \(\varDelta : \mathbf Z_{>0} \rightarrow \mathbf R_{>0}\) is a function of the (implicit) security parameter k. The \(\varDelta \)-evaluation race game goes as follows:

1. 1.

   The random procedure \(\mathsf {keygen}\) is run and it outputs a public key \(\mathsf {pk}\);

2. 2.

   \(\mathcal A(\mathsf {pk})\) outputs an algorithm \(\mathcal B\);

3. 3.

   Some data \(x \in \mathcal X\) is generated according to some random distribution of min-entropy at least k;

4. 4.

   \(\mathcal B^{\mathcal O}(x)\) outputs a value \(y\), where \(\mathcal O\) is an oracle that outputs the evaluation \(\mathsf {trapdoor}_\mathsf {sk}(x', \varDelta )\) on any input \(x' \ne x\).

Then, \(\mathcal A\) wins the game if \(T(\mathcal B, x) < \varDelta \) and \(\mathsf {eval}_\mathsf {pk}(x, \varDelta )\) outputs \(y\).

Definition 4

(\(\varDelta \)-sequential). A trapdoor VDF is \(\varDelta \)-sequential if any polynomially bounded player (with respect to the implicit security parameter) wins the above \(\varDelta \)-evaluation race game with negligible probability.

Observe that it is useless to allow \(\mathcal A\) to adaptively ask for oracle evaluations of the VDF during the execution of \(\mathcal A(\mathsf {pk})\): for any data \(x'\), the procedure \(\mathsf {eval}_\mathsf {pk}(x', \varDelta )\) produces the same output as \(\mathsf {trapdoor}_\mathsf {sk}(x',\varDelta )\), so any such request can be computed by the adversary in time \(O(\varDelta )\).

Remark 1

Suppose that the input x is hashed as H(x) (by a secure cryptographic hash function) before being evaluated (as is the case in the construction we present in the next section), i.e.

$$\mathsf {trapdoor}_\mathsf {sk}(x, \varDelta ) = t_\mathsf {sk}(H(x), \varDelta ),$$

for some procedure t, and similarly for \(\mathsf {eval}\) and \(\mathsf {verify}\). Then, it becomes unnecessary to give to \(\mathcal B\) access to the oracle \(\mathcal O\). We give a proof in Appendix A when H is modeled as a random oracle.

Remark 2

At the third step of the game, the bound on the min-entropy is fixed to k. The exact value of this bound is arbitrary, but forbidding low entropy is important: if x has a good chance of falling in a small subset of \(\mathcal X\), the adversary can simply precompute the VDF for all the elements of this subset.

3.2 Timing Assumptions in the Real World

Given an algorithm, or even an implementation of this algorithm, its actual running time will depend on the hardware on which it is run. If the algorithm is executed independently on several single-core general purpose CPUs, the variations in running time between them will be reasonably small as overclocking records on clock-speeds barely achieve 9 GHz (cf. [10]), only a small factor higher than a common personal computer. Assuming the computation is not parallelisable, using multiple CPUs would not allow to go faster. However, specialized hardware could be built to perform a certain computation much more efficiently than on any general purpose hardware.

For these reasons, the theoretical model developed in Sect. 3.1 has a limited accuracy. To resolve this issue, and evaluate precisely the security of a timing assumption like Assumption 1, one must estimate the speed at which the current state of technology allows to perform a certain task, given a possibly astronomical budget. To this end, the Ethereum Foundation and Protocol Labs [13] are currently investigating extremely fast hardware implementations of RSA multiplication, and hope to construct a piece of hardware close enough to today’s technological limits, with the goal of using the present construction in their future platforms. Similarly, the Chia Network has opened a competition in the near future for very fast multiplication in the class group of a quadratic imaginary field.

4 Construction of the Verifiable Delay Function

Let \(x\in \mathscr {A}^*\) be the input at which the VDF is to be evaluated. Alice’s secret key \(\mathsf {sk}\) is the order of a finite group G, and her public key is a description of G allowing to compute the group multiplication efficiently. We also assume that any element g of G can efficiently be represented in a canonical way as binary strings \(\mathtt{bin}(g)\). Also part of Alice’s public key is a hash function \(H_G : \mathscr {A}^* \rightarrow G\).

Example 1

(RSA setup). A natural choice of setup is the following: the group G is \((\mathbf{Z}/N\mathbf{Z})^\times \) where \(N = pq\) for a pair of distinct prime numbers p and q, where the secret key is \((p-1)(q-1)\) and the public key is N, and the hash function (where H is a secure cryptographic hash function). For a technical reason explained later in Remark 4, we actually need to work in \((\mathbf{Z}/N\mathbf{Z})^\times /\{\pm 1\}\), and we call this the RSA setup.

Example 2

(Class group setup). For a public setup where we do not want the private key to be known by anyone, one could choose G to be the class group of an imaginary quadratic field. The construction is simple. Choose a random, negative, square-free integer d, of large absolute value, and such that \(d \equiv 1\mod 4\). Then, let \(G = \mathrm {Cl}(d)\) be the class group of the imaginary quadratic field \(\mathbf{Q}(\sqrt{d})\). Just as we wish, there is no known algorithm to efficiently compute the order of this group. The multiplication can be performed efficiently, and each class can be represented canonically by its reduced ideal. Note that the even part of \(|\mathrm {Cl}(d)|\) can be computed if the factorisation of d is known. Therefore one should choose d to be a negative prime, which ensures that \(|\mathrm {Cl}(d)|\) is odd. See [8] for a review of the arithmetic in class groups of imaginary quadratic orders, and a discussion on the choice of cryptographic parameters.

Consider a targeted evaluation time given by \(\varDelta = {t}\delta \) for a timing parameter \({t}\), where \(\delta \) is the time-cost (i.e., the amount of sequential work) of computing a single squaring in the group G (as done in Assumption 1 for the RSA setup).

To evaluate the VDF on input x, first let \(g = H_G(x)\). The basic idea (which finds its origins in [18]) is that for any \({t}\in \mathbf{Z}_{>0}\), Alice can efficiently compute \(g^{2^{t}}\) with two exponentiations, by first computing \(e = 2^{t}\mod |G|\), followed by \(g^e\). The running time is logarithmic in \({t}\). Any other party who does not know |G| can also compute \(g^{2^{t}}\) by performing \({t}\) sequential squarings, with a running time \({t}\delta \). Therefore anyone can compute \(y= g^{2^{t}}\) but only Alice can do it fast, and any other party has to spend a time linear in \({t}\). However, verifying that the published value \(y\) is indeed \(g^{2^{t}}\) is long: there is no shortcut to the obvious strategy consisting in recomputing \(g^{2^{t}}\) and checking if it matches. To solve this issue, we propose the following public-coin succinct argument, for proving that \(y= g^{2^{t}}\). The input of the interaction is \((G,g,y,{t})\). Let \(\mathrm {Primes}(2k)\) denote the set containing the \(2^{2k}\) first prime numbers.

1. 1.

   The verifier samples a prime \(\ell \) uniformly at random from \(\mathrm {Primes}(2k)\).

2. 2.

   The prover computes \(\pi = g^{\lfloor {2^{t}}/{\ell }\rfloor }\) and sends it to the verifier.

3. 3.

   The verifier computes \(r = 2^{t}\mod \ell \), (the least positive residue of \(2^{t}\) modulo \(\ell \)), and accepts if \(g,y,\pi \in G\) and \(\pi ^\ell g^{r} = y\).

Now, it might not be clear how Alice or a third party should compute \(\pi = g^{\lfloor {2^{t}}/{\ell }\rfloor }\). For Alice, it is simple: she can compute \(r = 2^{t}\mod \ell \). Then we have \(\lfloor {2^{t}}/{\ell }\rfloor = ( {2^{t}- r})/{\ell }\), and since she knows the order of the group, she can compute \(q = (2^{t}- r)/\ell \mod |G|\) and \(\pi = g^{q}\). We explain in Sect. 4.1 how anyone else can compute \(\pi \) without knowing |G|, with a total of \(O({t}/\log ({t}))\) group multiplications.

This protocol is made non-interactive using the Fiat-Shamir transformation, by letting \(\ell = H_\mathtt{prime}(\mathtt{bin}(g) ||| \mathtt{bin}(y))\), where \(H_\mathtt{prime}\) is a hash function which sends any string s to an element of \(\mathrm {Primes}(2k)\). We assume in the security analysis below that this function is a uniformly distributed random oracle. The procedures \(\mathsf {trapdoor}\), \(\mathsf {verify}\) and \(\mathsf {eval}\) are fully described in Algorithms 1, 2 and 3 respectively.

Remark 3

Instead of hashing the input x into the group G as \(g = H_G(x)\), one could simply consider \(x \in G\). However, the function \(x \mapsto x^{2^{{t}}}\) being a group homomorphism, bypassing the hashing step has undesirable consequences. For instance, given \(x^{2^{{t}}}\), one can compute \((x^\alpha )^{2^{{t}}}\) for any integer \(\alpha \) at the cost of only an exponentiation by \(\alpha \).

Verification. It is straightforward to check that the verification condition \(\pi ^\ell g^{r} = y\) holds if the evaluator is honest. Now, what can a dishonest evaluator do? That question is answered formally in Sect. 6, but the intuitive idea is easy to understand. We will show that given x, finding a pair \((y,\pi )\) different from the honest one amounts to solve a root-finding problem in the underlying group G (supposedly hard for anyone who does not know the secret order of the group). As a result, only Alice can produce misleading proofs.

Consider the above interactive succinct argument, and suppose that the verifier accepts, i.e., \(\pi ^\ell g^{r} = y\), where r is the least residue of \(2^{{t}}\) modulo \(\ell \). Since \(r = 2^{t}- \ell \lfloor {2^{t}}/{\ell }\rfloor \), the verification condition is equivalent to

$$yg^{-2^{t}} = \left( \pi g^{-\lfloor {2^{t}}/{\ell }\rfloor }\right) ^\ell .$$

Before the generation of \(\ell \), the left-hand side \(\alpha = yg^{-2^{t}}\) is already determined. Once \(\ell \) is revealed, the evaluator is able to compute \(\beta = \pi g^{-\lfloor {2^{t}}/{\ell }\rfloor }\), which is an \(\ell \)-th root of \(\alpha \). For a prover to succeed with good probability, he must be able to extract \(\ell \)-th roots of \(\alpha \) for arbitrary values of \(\ell \). This is hard in our groups of interest, unless \(\alpha = \beta = 1_G\), in which case \((y,\pi )\) is the honest output.

Remark 4

Observe that in the RSA setup, this task is easy if \(\alpha = \pm 1\), i.e. \(y= \pm g^{2^{t}}\). It is however a difficult problem, given an RSA modulus N, to find an element \(\alpha \mod N\) other than \(\pm 1\) from which \(\ell \)-th roots can be extracted for any \(\ell \). This explains why we need to work in the group \(G = (\mathbf{Z}/N\mathbf{Z})^\times /\{\pm 1\}\) instead of \((\mathbf{Z}/N\mathbf{Z})^\times \) in the RSA setup. This problem is formalized (and generalised to other groups) in Definition 6.

4.1 Computing the Proof \(\pi \) in \(O({t}/\log ({t}))\) Group Operations

In this section, we describe how to compute the proof \(\pi = g^{\lfloor {2^{t}}/{\ell }\rfloor }\) with a total of \(O({t}/\log ({t}))\) group multiplications. First, we mention a very simple algorithm to compute \(\pi \), which simply computes the long division \(\lfloor {2^{t}}/{\ell }\rfloor \) on the fly, as pointed out by Boneh, Bünz and Fisch [5], but requires between \({t}\) and \(2{t}\) group operations. It is given in Algorithm 4.

We now describe how to perform the same computation with only \(O({t}/\log ({t}))\) group operations. Fix a parameter \(\kappa \). The idea is to express \(\lfloor {2^{t}}/{\ell }\rfloor \) in base \(2^\kappa \) as

$$\lfloor {2^{t}}/{\ell }\rfloor = \sum _{i} b_i2^{\kappa i} = \sum _{b = 0}^{2^\kappa -1}b \left( \sum _{i \text { such that } b_i = b} 2^{\kappa i}\right) .$$

Similarly to Algorithm 4, each coefficient \(b_i\) can be computed as

$$b_{i} = \left\lfloor \frac{2^\kappa (2^{{t}- \kappa (i + 1)} \mod \ell )}{\ell } \right\rfloor ,$$

where \(2^{{t}- \kappa (i + 1)} \mod \ell \) denotes the least residue of \(2^{{t}- \kappa (i + 1)}\) modulo \(\ell \). For each \(\kappa \)-bits integer \(b \in \{0,\dots ,2^{\kappa } - 1\}\), let \(I_b = {\{i \mid b_i = b\}}\). We get

$$\begin{aligned} g^{\lfloor {2^{t}}/{\ell }\rfloor } = \prod _{b = 0}^{2^\kappa -1} \left( \prod _{i \in I_b} g^{ 2^{\kappa i}}\right) ^{b}. \end{aligned}$$

(1)

Suppose first that all the values \(g^{ 2^{\kappa i}}\) have been memorised (from the sequential computation of the value \(y= g^{2^{t}}\)). Then, each product \(\prod _{i \in I_b} g^{ 2^{\kappa i}}\) can be computed in \(|I_b|\) group multiplications (for a total of \(\sum _b |I_b| = {t}/\kappa \) multiplications), and the full product (1) can be deduced with about \(\kappa 2^\kappa \) additional group operations. In total, this strategy requires about \({t}/\kappa + \kappa 2^\kappa \) group operations. Choosing, for instance, \(\kappa = \log ({t})/2\), we get about \({t}\cdot 2/\log ({t})\) group operations. Of course, this would require the storage of \({t}/\kappa \) group elements.

We now show that the memory requirement can easily be reduced to, for instance, \(O(\sqrt{{t}})\) group elements, for essentially the same speedup. Instead of memorising each \(\kappa \) element of the sequence \(g^{2^i}\), only memorise every \(\kappa \gamma \) element (i.e., the elements \(g^{2^0}, g^{2^{\kappa \gamma }}, g^{2^{2\kappa \gamma }},\dots \)), for some parameter \(\gamma \) (we will show that \(\gamma = O(\sqrt{{t}})\) is sufficient). For each integer j, let \(I_{b,j} = \{i \in I_b \mid i \equiv j \mod \gamma \}\). Now,

$$\begin{aligned}g^{\lfloor {2^{t}}/{\ell }\rfloor } = \prod _{b = 0}^{2^\kappa -1} \left( \prod _{j = 0}^{\gamma -1} \prod _{i \in I_{b,j}} g^{ 2^{\kappa i}}\right) ^{b} = \prod _{j = 0}^{\gamma -1}\left( \prod _{b = 0}^{2^\kappa -1} \left( \prod _{i \in I_{b,j}} g^{ 2^{\kappa (i-j)}}\right) ^{b}\right) ^{2^{\kappa j}}.\end{aligned}$$

In each factor of the final product, \(i-j\) is divisible by \(\gamma \), so \(g^{2^{\kappa (i-j)}}\) is one of the memorised values. A straightforward approach allows to compute this product with a total amount of group operations about \({t}/ \kappa + \gamma \kappa 2^\kappa \), yet one can still do better. Write \(y_{b,j} = \prod _{i \in I_{b,j}} g^{ 2^{\kappa (i-j)}}\), and split \(\kappa \) into two halves, as \(\kappa _1 = \lfloor \kappa /2\rfloor \) and \(\kappa _0 = \kappa - \kappa _1\). Now, observe that for each index j,

$$\prod _{b = 0}^{2^\kappa -1} y_{b,j}^{b} = \prod _{b_1 = 0}^{2^{\kappa _1}-1}\left( \prod _{b_0 = 0}^{2^{\kappa _0}-1} y_{b_12^{\kappa _0}\,+\,b_0,j}\right) ^{b_12^{\kappa _0}} \cdot \prod _{b_0 = 0}^{2^{\kappa _0}-1}\left( \prod _{b_1 = 0}^{2^{\kappa _1}-1} y_{b_12^{\kappa _0}\,+\,b_0,j}\right) ^{b_0}$$

The right-hand side provides a way to compute the product with a total of about \(2(2^{\kappa } + \kappa 2^{\kappa /2})\) (instead of \(\kappa 2^{\kappa }\) as in the more obvious strategy). The full method is summarised in Algorithm 5 (on page 29), and requires about \({t}/ \kappa + \gamma 2^{\kappa +1}\) group multiplications.

The algorithm requires the storage of about \({t}/(\kappa \gamma ) + 2^\kappa \) group elements. Choosing, for instance, \(\kappa = \log ({t})/3\) and \(\gamma = \sqrt{{t}}\), we get about \({t}\cdot 3/\log ({t})\) group operations, with the storage of about \(\sqrt{{t}}\) group elements. This algorithm can also be parallelised.

4.2 A Practical Bandwidth and Storage Improvement

Typically, an evaluator would compute the output \(y\) and the proof \(\pi \), and send the pair \((y,\pi )\) to the verifiers. Each verifier would compute the Fiat-Shamir challenge

$$\ell \leftarrow H_\mathtt{prime}(\mathtt{bin}(g) ||| \mathtt{bin}(y)),$$

then check \(y= \pi ^\ell g^{2^{t}\mod \ell }.\) Instead, it is possible for the evaluator to transmit \((\ell ,\pi )\), which has almost half the size (typically, \(\ell \) is in the order of hundreds of bits while group elements are in the order of thousands of bits). The verifiers would recover

$$y\leftarrow \pi ^\ell g^{2^{t}\mod \ell },$$

and then verify that \(\ell = H_\mathtt{prime}(\mathtt{bin}(g) ||| \mathtt{bin}(y))\). The two strategies are equivalent, but the second divides almost by 2 the bandwidth and storage footprint.

4.3 A Trade-Off Between Proof Shortness and Prover Efficiency

The evaluation of the VDF, i.e., the computation of \(y= g^{2^{t}}\), takes time \(T = \delta {t}\), where \(\delta \) is the time of one squaring in the underlying group. As demonstrated in Sect. 4.1, the proof \(\pi \) can be computed in \(O({t}/\log ({t}))\) group operations. Say that the total time of computing the proof is a fraction \(T/\omega \); considering Algorithm 5, one can think of \(\omega = 20\), a reasonable value for practical parameters. One potential issue with the proposed VDF is that the computation of \(\pi \) can only start after the evaluation of the VDF output \(g^{2^{t}}\) is completed. So after the completion of the VDF evaluation, there still remains a total amount \(T/\omega \) of work to compute the proof. We call overhead these computations that must be done after the evaluation of \(y= g^{2^{t}}\). Even though this part of the computation can be parallelised, it might be advantageous for some applications to reduce the overhead to a negligible amount of work.

We show in the following that using only two parallel threads, the overhead can be reduces to a total cost of about \(T/\omega ^n\), at the cost of lengthening the proofs to n group elements (instead of a single one), and \(n-1\) small prime numbers. Note that the value of \(\omega \) varies with T, yet for simplicity of exposition, we assume that it is constant in the following analysis (a reasonable approximation for practical purposes).

The idea is to start proving some intermediate results before the full evaluation is over. For instance, consider \({t}_1 = {t}\frac{\omega }{\omega \,+\,1}\). Run the evaluator, and when the intermediate value \(g_1 = g^{2^{{t}_1}}\) is reached, store it (but keep the evaluator running in parallel), and compute the proof \(\pi _1\) for the statement \(g_1 = g^{2^{{t}_1}}\). The computation of this proof takes time about \(\delta {t}_1/\omega = T/(\omega +1)\), which is the time it takes to finish the full evaluation (i.e., going from \(g_1\) to \(y= g^{2^{{t}}} = g_1^{2^{{t}/(\omega +1)}}\)). Therefore, the evaluation of \(y\) and the first proof \(\pi _1\) finish at the same time. It only remains to produce a proof \(\pi _2\) for the statement \(y= g_1^{2^{{t}/(\omega +1)}}\), which can be done in total time \(\frac{\delta {t}}{\omega (\omega \,+\,1)} \le T/\omega ^2\). Therefore the overhead is at most \(T/\omega ^2\). At first glance, it seems the verification requires the triple \((g_1,\pi _1,\pi _2)\), but in fact, the value \(g_1\) can be recovered from \(\pi _1\) and the prime number \(\ell _1 = H_{\mathtt{prime}}(\mathtt{bin}(g)|||\mathtt{bin}(g_1))\) via \(g_1 = \pi _1^\ell g^{t_1 \mod \ell }\), as done is Sect. 4.2. Therefore, the proof can be compressed to \((\ell _1,\pi _1,\pi _2)\).

More generally, one could split the computation into n segments of length \({t}_i = {t}\omega ^{n-i}\frac{\omega \,-\,1}{\omega ^n\,-\,1}\), for \(i = 1,\dots ,n\). We have that \({t}= \sum _{i=1}^n {t}_i\), and \({t}_i = {t}_{i-1}/\omega \), so during the evaluation of each segment (apart from the first), one can compute the proof corresponding to the previous segment. The overhead is only the proof of the last segment, which takes time \(T\frac{\omega \,-\,1}{\omega (\omega ^n\,-\,1)} \le T/\omega ^n\). The proof consists of the n intermediate proofs and the \(n-1\) intermediate prime challenges.

5 Analysis of the Sequentiality

In this section, the proposed construction is proven to be \(({t}\delta )\)-sequential, meaning that no polynomially bounded player can win the associated \(({t}\delta )\)-evaluation race game with non-negligible probability (in other words, the VDF cannot be evaluated in time less than \({t}\delta \)). For the RSA setup, it is proved under the classic time-lock assumption of Rivest, Shamir and Wagner [18] (formalised in Assumption 1), and more generally, it is secure for groups where a generalisation of this assumption holds (Assumption 2).

5.1 Generalised Time-Lock Assumptions

The following game generalises the classic time-lock assumption to arbitrary families of groups of unknown orders.

Definition 5

(Generalised \((\delta ,{t})\)-time-lock game). Consider a sequence \((\mathscr {G}_k)_{k \in \mathbf Z_{>0}}\), where each \(\mathscr {G}_k\) is a set of finite groups (supposedly of unknown orders), associated to a “difficulty parameter” k. Let \(\mathsf {keygen}\) be a procedure to generate a random group from \(\mathscr {G}_k\), according to the difficulty k.

Fix the difficulty parameter \(k \in \mathbf Z_{>0}\), and let \(\mathcal A\) be an algorithm playing the game. The parameter \({t}\) is a positive integer, and \(\delta : \mathbf Z_{>0} \rightarrow \mathbf R_{>0}\) is a function. The \((\delta ,{t})\)-time-lock game goes as follows:

1. 1.

   A group G is generated by \(\mathsf {keygen}\);

2. 2.

   \(\mathcal A(G)\) outputs an algorithm \(\mathcal B\);

3. 3.

   An element \(g \in G\) is generated uniformly at random;

4. 4.

   \(\mathcal B(g)\) outputs \(h \in G\).

Then, \(\mathcal A\) wins the game if \(h = g^{2^{t}}\) and \(T(\mathcal B,g) < {t}\delta (k)\).

Assumption 2

(Generalised time-lock assumption). The generalised time-lock assumption for a given family of groups \((\mathscr {G}_k)_{k \in \mathbf Z_{>0}}\) is the following. There is a cost function \(\delta : \mathbf Z_{>0} \rightarrow \mathbf R_{>0}\) such that the following two statements hold:

1. 1.

   There is an algorithm \(\mathcal S\) such that for any group \(G \in \mathscr {G}_k\) (for the difficulty parameter k), and any element \(g \in G\), the output of \(\mathcal S(G,g)\) is the square of g, and \(T(\mathcal S, (G,g)) < \delta (k)\);

2. 2.

   For any \({t}\in \mathbf Z_{>0}\), no algorithm \(\mathcal A\) of polynomial cost wins the \((\delta ,{t})\)-time-lock game with non-negligible probability (with respect to the difficulty parameter k).

The function \(\delta \) encodes the time-cost of computing a single squaring in a group of \(\mathscr {G}_k\), and Assumption 2 expresses that without more specific knowledge about these groups (such as their orders), there is no faster way to compute \(g^{2^{t}}\) than performing \({t}\) sequential squarings.

5.2 Sequentiality in the Random Oracle Model

Proposition 1

(\({t}\delta \)-sequentiality of the trapdoor VDF in the random oracle model). Let \(\mathcal A\) be a player winning with probability \(p_\mathsf {win}\) the \(({t}\delta )\)-evaluation race game associated to the proposed construction, assuming \(H_G\) and \(H_\mathtt{prime}\) are random oracles and \(\mathcal A\) is limited to q oracle queries³. Then, there is a player \(\mathcal C\) for the (generalised) \((\delta ,{t})\)-time-lock game, with winning probability \(p \ge (1-q/2^k)p_{\mathsf {win}}\), and with same running time as \(\mathcal A\) (up to a constant factor⁴).

Proof

Build \(\mathcal C\) as follows. Upon receiving the group G, \(\mathcal C\) starts running \(\mathcal A\) on input G. The random oracles \(H_G\) and \(H_\mathtt{prime}\) are simulated in a straightforward manner, maintaining a table of values, and generating a random outcome for any new request (with distribution uniform in G and in \(\mathrm {Primes}(2k)\) respectively). When \(\mathcal A(G)\) outputs an algorithm \(\mathcal B\), \(\mathcal C\) generates a random \(x \in \mathcal X\) (according to the same distribution as the \(({t}\delta )\)-evaluation race game). If x has been queried by the oracle already, \(\mathcal C\) aborts; this happens with probability at most \(q/2^k\), since the min-entropy of the distribution of messages in the \(({t}\delta )\)-evaluation race game is at least k. Otherwise, \(\mathcal C\) outputs the following algorithm \(\mathcal B'\). When receiving as input the challenge g, \(\mathcal B'\) adds g to the table of oracle \(H_G\), for the input x (i.e., \(H_G(x) = g\)). As discussed in Remark 1, we can assume that the algorithm \(\mathcal B\) does not call the oracle \(\mathsf {trapdoor}_\mathsf {sk}(-, y, \varDelta )\). Then \(\mathcal B'\) can invoke \(\mathcal B\) on input x while simulating the oracles \(H_G\) and \(H_\mathtt{prime}\). Whenever \(\mathcal B\) outputs \(y\), \(\mathcal B'\) outputs \(y\), which equals \(g^{2^{{t}}}\) whenever \(y\) is the correct evaluation of the VDF at x. We assume that simulating the oracle has a negligible cost, so \(\mathcal B'(g)\) has essentially the same time-cost as \(\mathcal B(x)\). Then, \(\mathcal C\) wins the \((\delta ,{t})\)-time-lock game with probability \(p \ge p_\mathsf {win}(1-q/2^k)\).    \(\square \)

6 Analysis of the Soundness

In this section, the proposed construction is proven to be sound, meaning that no polynomially bounded player can produce a misleading proof for an invalid output of the VDF. For the RSA setup, it is proved under a new number theoretic assumption expressing that it is hard to find an integer \(u \ne 0, \pm 1\) for which \(\ell \)-th roots modulo an RSA modulus N can be extracted for arbitrary \(\ell \)-values sampled uniformly at random from \(\mathrm {Primes}(2k)\), when the factorisation of N is unknown. More generally, the construction is sound if a generalisation of this assumptions holds in the group of interest.

6.1 The Root Finding Problem

The following game formalises the root finding problem.

Definition 6

(The root finding game \({\mathcal G}^\mathsf{root}\)). Let \(\mathcal A\) be a party playing the game. The root finding game \({\mathcal G}^\mathsf{root}(\mathcal A)\) goes as follows: first, the \(\mathsf {keygen}\) procedure is run, resulting in a group G which is given to \(\mathcal A\) (G is supposedly of unknown order). The player \(\mathcal A\) then outputs an element u of G. An integer \(\ell \) is sampled uniformly from \(\mathrm {Primes}(2k)\) and given to \(\mathcal A\). The player \(\mathcal A\) outputs an integer v and wins the game if \(v^\ell = u\ne 1_G\).

In the RSA setup, the group G is the quotient \((\mathbf{Z}/N\mathbf{Z})^\times / \{\pm 1\}\), where N is a product of two random large prime numbers. It is not known if this problem can easily be reduced to a standard assumption such as the difficulty of factoring N or the RSA problem, for which the best known algorithms have complexity \(L_{N}(1/3)\).

Similarly, in the class group setting, this problem is not known to reduce to a standard assumption, but it is closely related to the order problem and the root problem (which are tightly related to each other, see [3, Theorem 3]), for which the best known algorithms have complexity \(L_{|d|}(1/2)\) where d is the discriminant.

We now prove that to win this game \({\mathcal G}^\mathsf{root}\), it is sufficient to win the following game \({\mathcal G}_X^\mathsf{root}\), which is more convenient for our analysis.

Definition 7

(The oracle root finding game \({\mathcal G}_X^\mathsf{root}\)). Let \(\mathcal A\) be a party playing the game. Let X be a function that takes as input a group G and a string s in \(\mathscr {A}^*\), and outputs an element \(X(G,s) \in G\). Let \(\mathcal O: \mathscr {A}^* \rightarrow \mathrm {Primes}(2k)\) be a random oracle with the uniform distribution. The player has access to the random oracle \(\mathcal O\). The oracle root finding game \({\mathcal G}_X^\mathsf{root}(\mathcal A, \mathcal O)\) goes as follows: first, the \(\mathsf {keygen}\) procedure is run and the resulting group G is given to \(\mathcal A\). The player \(\mathcal A\) then outputs a string \(s \in \mathscr {A}^*\), and an element v of G. The game is won if \(v^{\mathcal O(s)} = X(G,s) \ne 1_G\).

Lemma 1

If there is a function X and an algorithm \(\mathcal A\) limited to q queries to the oracle \(\mathcal O\) winning the game \({\mathcal G}_X^\mathsf{root}(\mathcal A, \mathcal O)\) with probability \(p_{\mathsf {win}}\), there is an algorithm \(\mathcal B\) winning the game \({\mathcal G}^\mathsf{root}(\mathcal B)\) with probability at least \(p_{\mathsf {win}} / (q+1)\), and same running time, up to a small constant factor.

Proof

Let \(\mathcal A\) be an algorithm limited to q oracle queries, and winning the game with probability \(p_{\mathsf {win}}\). Build an algorithm \(\mathcal A'\) which does exactly the same thing as \(\mathcal A\), but with possibly additional oracle queries at the end to make sure the output string \(s'\) is always queried to the oracle, and the algorithm always does exactly \(q+1\) (distinct) oracle queries.

Build an algorithm \(\mathcal B\) playing the game \({\mathcal G}^\mathsf{root}\), using \(\mathcal A'\) as follows. Upon receiving \(\mathsf {pk}= G\), \(\mathcal B\) starts running \(\mathcal A'\) on input \(\mathsf {pk}\). The oracle \(\mathcal O\) is simulated as follows. First, an integer \(i \in \{1,2,...,{q+1}\}\) is chosen uniformly at random. For the first \(i-1\) (distinct) queries from \(\mathcal A'\) to \(\mathcal O\), the oracle value is chosen uniformly at random from \(\mathrm {Primes}(2k)\). When the ith string \(s \in \mathscr {A}^*\) is queried to the oracle, the algorithm \(\mathcal B\) outputs \(u = X(G,s)\), concluding the first round of the game \({\mathcal G}^\mathsf{root}\). The game continues as the integer \(\ell \) is received (uniform in \(\mathrm {Primes}(2k)\)). This \(\ell \) is then used as the value for the ith oracle query \(\mathcal O(s)\), and the algorithm \(\mathcal A'\) can continue running. The subsequent oracle queries are handled like the first \(i-1\) queries, by picking random primes in \(\mathrm {Primes}(2k)\). Finally, \(\mathcal A'\) outputs a string \(s' \in \mathscr {A}^*\) and an element v of G. To conclude the game \({\mathcal G}^\mathsf{root}(\mathcal B)\), \(\mathcal B\) returns v.

Since \(\mathcal O\) simulates a random oracle with uniform outputs in \(\mathrm {Primes}(2k)\), \(\mathcal A'\) outputs with probability \(p_\mathsf {win}\) a pair \((s',v)\) such that \(v^{\mathcal O(s')} = X(G,s') \ne 1_G\); denote this event \(\mathsf {win}_{\mathcal A'}\). If \(s = s'\), this condition is exactly \(v^{\ell } = u \ne 1_G\), where \(u = X(G,s)\) is the output for the first round of \({\mathcal G}^\mathsf{root}\), and \(\mathcal O(s) = \ell \) is the input for the second round. If these conditions are met, the game \({\mathcal G}^\mathsf{root}(\mathcal B)\) is won. Therefore

$$\begin{aligned} \Pr [\mathcal B \text { wins }{\mathcal G}^\mathsf{root}]&\ge p_{\mathsf {win}}\cdot \Pr \left[ s = s' | \mathsf {win}_{\mathcal A'}\right] . \end{aligned}$$

Let \(\mathcal Q = \{s_1, s_2, ..., s_{q+1}\}\) be the \(q+1\) (distinct) strings queried to \(\mathcal O\) by \(\mathcal A'\), indexed in chronological order. By construction, we have \(s = s_i\). Let j be such that \(s' = s_j\) (recall that \(\mathcal A'\) makes sure that \(s' \in \mathcal Q\)). Then,

$$\begin{aligned} \Pr \left[ s = s' | \mathsf {win}_{\mathcal A'}\right] = \Pr \left[ i = j|\mathsf {win}_{\mathcal A'}\right] \end{aligned}$$

The integer i is chosen uniformly at random in \(\{1,2,...,q+1\}\), and the values given to \(\mathcal A'\) are independent from i (the oracle values are all independent random variables). So \(\Pr \left[ i = j|\mathsf {win}_{\mathcal A'}\right] = 1/(q+1)\). Therefore \(\Pr [\mathcal B \text { wins }{\mathcal G}^\mathsf{root}] \ge p_{\mathsf {win}}/(q\,+\,1)\). Since \(\mathcal B\) mostly consists in running \(\mathcal A\) and simulating the random oracle, it is clear than both have the same running time, up to a small constant factor.    \(\square \)

6.2 Soundness in the Random Oracle Model

Proposition 2

(Soundness of the trapdoor VDF in the random oracle model). Let \(\mathcal A\) be a player winning with probability \(p_\mathsf {win}\) the soundness-breaking game associated to the proposed scheme, assuming \(H_G\) and \(H_\mathtt{prime}\) are random oracles and \(\mathcal A\) is limited to q oracle queries⁵. Then, there is a player \(\mathcal D\) for the root finding game \({\mathcal G}^\mathsf{root}\) with winning probability \(p \ge p_{\mathsf {win}}/(q+1)\), and with same running time as \(\mathcal A\) (up to a constant factor).

Proof

Instead of directly building \(\mathcal D\), we build an algorithm \(\mathcal D'\) playing the game \({\mathcal G}_X^\mathsf{root}(\mathcal D', \mathcal O)\), and invoke Lemma 1. Define the function X as follows. Recall that for any group G that we consider in the construction, each element \(g \in G\) admits a canonical binary representation \(\mathtt{bin}(g)\). For any such group G, any elements \(g,h \in G\), let

$$X(G,\mathtt{bin}(g)|||\mathtt{bin}(h)) = h/g^{2^{t}},$$

and let \(X(G,s) = 1_G\) for any other string s. When receiving \(\mathsf {pk}\), \(\mathcal D'\) starts running \(\mathcal A\) with input \(\mathsf {pk}\). The oracle \(H_G\) is simulated by generating random values in the straightforward way, and \(H_\mathtt{prime}\) is set to be exactly the oracle \(\mathcal O\). The algorithm \(\mathcal A\) outputs a message x, and pair \({(y,\pi )\in G\times G}\) (if it is not of this form, abort). Output \(s = \mathtt{bin}(H_G(x))|||\mathtt{bin}(y)\) and \(v = \pi /H_G(x)^{\lfloor {2^{t}}/{\mathcal O(s)}\rfloor }\). If \(\mathcal A\) won the simulated soundness-breaking game, the procedure did not abort, and \(v^{\mathcal O(s)} = X(G,s) \ne 1_G\), so \(\mathcal D'\) wins the game. Hence \(\mathcal D'\) has winning probability \(p_\mathsf {win}\). Since \(\mathcal A\) was limited to q oracle queries, \(\mathcal D'\) also does not do more than q queries. Applying Lemma 1, there is an algorithm \(\mathcal D\) winning the game \({\mathcal G}^\mathsf{root}(\mathcal B)\) with probability \({p \ge p_\mathsf {win}(1-\varepsilon ) / (q+1)}\).    \(\square \)

Remark 5

The construction remains sound if instead of considering the output \(y\) and the proof \(\pi \), we consider the output to be the pair \((y,\pi )\), with an empty proof. The winning probability of \(\mathcal D\) in Proposition 2 becomes \(p \ge p_{\mathsf {win}}(1-\varepsilon )/(q+1)\), where \(\varepsilon = \mathrm {negl}\left( \frac{k}{\log \log (|G|)\log (q)}\right) \), by accounting for the unlikely event that the large random prime \(\mathcal O(s)\) is a divisor of |G|.

7 Aggregating and Watermarking Proofs

In this section, we present two useful properties of the VDF: the proofs can be aggregated, and watermarked. The methods of this section follow from discussions at the August 2018 workshop at Stanford hosted by the Ethereum Foundation and the Stanford Center for Blockchain Research. The author wishes to thank the participants for their contribution.

7.1 Aggregation

If the VDF is evaluated at multiple inputs, it is possible to produce a single proof \(\widetilde{\pi }\in G\) that simultaneously proves the validity of all the outputs. Suppose that n inputs are given, \(x_1,\dots ,x_n\). For each index i, let \(g_i = H_G(x_i)\). The following public-coin interactive succinct argument allows to prove that a given list \((y_i)_{i = 1}^n\) satisfies \(y_i = g_i^{2^{t}}\):

1. 1.

   The verifier samples a prime \(\ell \) uniformly at random from \(\mathrm {Primes}(2k)\), and n uniformly random integers \((\alpha _i)_{i = 1}^n\) of k bits.

2. 2.

   The prover computes

   $$\widetilde{\pi }= \left( \prod _{i = 1}^ng_i^{\alpha _i}\right) ^{\lfloor 2^{t}/\ell \rfloor }$$

   and sends it to the verifier.

3. 3.

   The verifier computes \(r = 2^{t}\mod \ell \), (the least positive residue of \(2^{t}\) modulo \(\ell \)), and accepts if

   $$\widetilde{\pi }^\ell \left( \prod _{i = 1}^ng_i^{\alpha _i}\right) ^r = \prod _{i = 1}^ny_i^{\alpha _i}.$$

The single group element \(\widetilde{\pi }\) serves as proof for the whole list of n statements \(y_i = g_i^{2^{t}}\): it is an aggregated proof. The protocol can be made non-interactive by a Fiat-Shamir transformation: let

$$s = \mathtt{bin}(g_1) ||| \mathtt{bin}(g_2) ||| \dots ||| \mathtt{bin}(g_n) ||| \mathtt{bin}(y_1) ||| \mathtt{bin}(y_2) ||| \dots ||| \mathtt{bin}(y_n),$$

and let \(\ell = H_{\mathtt{prime}}(s)\), and for each index i, let \(\alpha _i = \mathtt{int}(H(\mathtt{bin}(i) ||| s))\) (where H is a secure cryptographic hash function). For simplicity, we prove the soundness in the interactive setup (the non-interactive soundness then follows from the Fiat-Shamir heuristic).

Remark 6

One could harmlessly fix \(\alpha _1 = 1\), leaving only \(\alpha _i\) to be chosen at random for \(i > 1\). We present the protocol as above for simplicity, to avoid dealing with \(i = 1\) as a special case in the proof below.

Theorem 1

If there is a malicious prover \(\mathcal P\) breaking the soundness of the above interactive succinct argument with probability p, then there is a player \(\mathcal B\) winning the root finding game \({\mathcal G}^\mathsf{root}\) with probability at least \((p^2 - 2^{-k})/3\), with essentially the same running time as \(\mathcal P\).

Proof

Let \(\mathcal I = \{0,1,\dots ,2^k-1\}\), and let \(\mathcal Z = \mathcal I^{n-1}\times \mathrm {Primes}(2k)\). Let \(Z = (\alpha _2, \dots , \alpha _n, \ell )\) be a uniformly distributed random variable in \(\mathcal Z\), and let \(\alpha _1\) and \(\alpha _1'\) be two independent, uniformly distributed random variables in \(\mathcal I\). Let \(\mathsf {win}\) and \(\mathsf {win}'\) be the events that \(\mathcal P\) breaks soundness when given \((\alpha _1,\alpha _2, \dots , \alpha _n, \ell )\) and \((\alpha _1',\alpha _2, \dots , \alpha _n, \ell )\) respectively. We wish to estimate the probability of the event \(\mathsf {double\_win} = \mathsf {win}\wedge \mathsf {win}' \wedge (\alpha _1 \ne \alpha _1')\). Observe that conditioning over \(Z = z\) for an arbitrary, fixed \(z \in \mathcal Z\), the events \(\mathsf {win}\) and \(\mathsf {win}'\) are independent and have same probability, so

$$\begin{aligned} \Pr [\mathsf {win}\wedge \mathsf {win}'] = \frac{1}{|Z|}\sum _{z \in \mathcal Z}\Pr [\mathsf {win}\wedge \mathsf {win}' \mid Z = z] = \frac{1}{|Z|}\sum _{z \in \mathcal Z}\Pr [\mathsf {win}\mid Z=z]^2. \end{aligned}$$

From the Cauchy-Schwarz inequality, we get

$$\begin{aligned} \frac{1}{|Z|}\sum _{z \in \mathcal Z}\Pr [\mathsf {win}\mid Z=z]^2 \ge \left( \frac{1}{|Z|}\sum _{z \in \mathcal Z}\Pr [\mathsf {win}\mid Z=z]\right) ^2 = \Pr [\mathsf {win}]^2 = p^2. \end{aligned}$$

We conclude that \(\Pr [\mathsf {win}\wedge \mathsf {win}'] \ge p^2\), and therefore, \(\Pr [\mathsf {double\_win}] \ge p^2 - 2^{-k}\).

With these probabilities at hand, we can now construct the player \(\mathcal B\) for the root finding game \({\mathcal G}^\mathsf{root}\). Run \(\mathcal P\), which outputs values \(g_i\) and \(y_i\). If \(y_i = g_i^{2^{t}}\) for all i, abort. Up to some reindexing, we can now assume \(y_1 \ne g_1^{2^{t}}\). Draw \(\alpha _1,\alpha _1',\alpha _2,\dots ,\alpha _n\) uniformly at random from \(\mathcal I\). Define

$$\begin{aligned} x_0&= y_1/g_1^{2^{t}},\ x_1 = \prod _{i = 1}^n(y_i^{\alpha _i} / g_i^{2^{t}})^{\alpha _i},\ x_2 = (y_1 / g_1^{2^{t}})^{\alpha _1'}\prod _{i = 2}^n(y_i^{\alpha _i} / g_i^{2^{t}})^{\alpha _i}. \end{aligned}$$

Let b be a uniformly random element of \(\{0,1,2\}\). The algorithm \(\mathcal B\) outputs \(x_b\). We get back a challenge \(\ell \). Run the prover \(\mathcal P\) twice, independently, for the challenges \((\alpha _1,\alpha _2,\dots , \alpha _n, \ell )\) and \((\alpha _1',\alpha _2,\dots , \alpha _n, \ell )\), and suppose that both responses break soundness, and \(\alpha _1 \ne \alpha _1'\) (i.e., the event \(\mathsf {double\_win}\) occurs). If \(x_1 \ne 1_G\) or \(x_2 \ne 1_G\), the winning responses from \(\mathcal P\) allow to extract an \(\ell \)-th root of either \(x_1\) or \(x_2\) respectively. Otherwise, we have \(x_1 = x_2\), which implies that \(x_0^{\alpha _1-\alpha _1'} = 1_G,\) so \(x_0\) is an element of order dividing \(\alpha _1-\alpha _1'\), and one can easily extract any \(\ell \)-th root of \(x_0\). In conclusion, under the event \(\mathsf {double\_win}\), one can always extract an \(\ell \)-th root of either \(x_0\), \(x_1\) or \(x_2\), so the total winning probability of algorithm \(\mathcal B\) is at least \((p^2 - 2^{-k})/3\).    \(\square \)

7.2 Watermarking

When using a VDF to build a decentralised randomness beacon (e.g., as a backbone for an energy-efficient blockchain design), people who spent time and energy evaluating the VDF should be rewarded for their effort. Since the output of the VDF is supposed to be unique, it is hard to reliably identify the person who computed it. A naive attempt of the evaluator to sign the output would not prevent theft: since the output is public, a dishonest party could as easily sign it and claim it their own.

Let the evaluator’s identity be given as a string \(\mathsf {id}\). One proposed method (see [12]) essentially consists in computing the VDF twice: once on the actual input, and once on a combination of the input with the evaluator’s identity \(\mathsf {id}\). Implemented carefully, this method could allow to reliably reward the evaluators for their work, but it also doubles the required effort. In the following, we sketch two cost-effective solutions to this problem.

The first cost-effective approach consists in having the evaluator prove that he knows some hard-to-recover intermediate value of the computation of the VDF. Since the evaluation of our proposed construction requires computing in sequence the elements \(g_i = g^{2^{i}}\) for \(i = 1,\dots ,{t}\), and only the final value \(y= g_{t}\) of the sequence is supposed to be revealed, one can prove that they performed the computation by proving that they know \(g_{{t}-1}\) (it is a square root of \(y\), hence the fastest way for someone else to recover it would be to recompute the full sequence). A simple way to do so would be for the evaluator to reveal the value \(c_\mathsf {id} = g_{{t}-1}^{p_{\mathsf {id}}}\) (a certificate), where \(p_{\mathsf {id}} = H_{\mathtt{prime}}(\mathsf {id})\). The validity of the certificate can be checked via the equation \(y^{p_{\mathsf {id}}} = c_\mathsf {id}^2\). The security claim is the following: given the input x, the output \(y\), the proof \(\pi \), and the certificate \(c_\mathsf {id}\), the cost for an adversary with identifier \(\mathsf {id'}\) (distinct from \(\mathsf {id}\)) to produce a valid certificate \(c_\mathsf {id'}\) is as large as actually recomputing the output of the VDF by themself.

The above method is cost-effective as it does not require the evaluator to perform much more work than evaluating the VDF. However, it makes the output longer by adding an extra group element: the certificate. Another approach consists in producing a single group element that plays simultaneously the role of the proof and the certificate. This element is a watermarked proof, tied to the evaluator’s identity. This can be done easily with our construction. In the evaluation procedure (Algorithm 3), replace the definition of the prime \(\ell \) by \(H_{\mathtt{prime}}(\mathsf {id}|||\mathtt{bin}(g)|||\mathtt{bin}(y))\) (and the corresponding change must be made in the verification procedure). The resulting proof \(\pi _\mathsf {id}\) is now inextricably tied to \(\mathsf {id}\). Informally, the security claim is the following: given the input x, the output y, and the watermarked proof \(\pi _\mathsf {id}\), the cost for an adversary with identifier \(\mathsf {id'}\) (distinct from \(\mathsf {id}\)) to produce a valid proof \(\pi _\mathsf {id'}\) is about as large as reevaluating the VDF altogether. Indeed, a honest prover, after having computed the output \(y\), can compute \(\pi _\mathsf {id}\) at a reduced cost thanks to some precomputed intermediate values. But an adversary does not have these intermediate values, so they would have to compute \(\pi _\mathsf {id'}\) from scratch. This is an exponentiation in G, with exponent of bit-length close to \({t}\); without any intermediate values, it requires in the order of t sequential group operations, which is the cost of evaluating the VDF.

8 Circumventing Impossibility Results with Timing Assumptions

In addition to the applications mentioned in the introduction, we conclude this paper by showing that a trapdoor VDF also constitutes a new tool for circumventing classic impossibility results. We illustrate this through a simple identification protocol constructed from a trapdoor VDF, where a party, Alice, wishes to identify herself to Bob by proving that she knows the trapdoor. Thanks to the VDF timing properties, this protocol features surprising zero-knowledge and deniability properties challenging known impossibility results.

As this discussion slightly deviates from the crux of the article (the construction of a trapdoor VDF), most of the details are deferred to Appendices B and C, and this section only introduces the main ideas. As in the rest of the paper, the parameter k is the security level. The identification protocol goes as follows:

1. 1.

   Bob chooses a challenge \(c \in \{\mathtt{0},\mathtt{1}\}^k\) uniformly at random. He sends it to Alice, along with a time limit \(\varDelta \), and starts a timer.

2. 2.

   Alice responds by sending the evaluation of the VDF on input c (with time parameter \(\varDelta \)), together with the proof. She can respond fast using her trapdoor.

3. 3.

   Upon receiving the response, Bob stops the timer. He accepts if the verification of the VDF succeeds and the elapsed time is smaller than \(\varDelta \).

Remark 7

We present here only an identification protocol, but it is easy to turn it into an authentication protocol for a message m by having Alice use the concatenation c||m as input to the VDF.

Since only Alice can respond immediately thanks to her secret, Bob is convinced of her identity. Since anyone else can compute the response to the challenge in time \(\varDelta \), the exchange is perfectly simulatable, hence perfectly zero-knowledge. It is well-known (and in fact clear from the definition) that a classic interactive zero-knowledge proof cannot have only one round (this would be a challenge-response exchange, and the simulator would allow to respond to the challenge in polynomial time, violating soundness). The above protocol avoids this impossibility thanks to a modified notion of soundness, ensuring that only Alice can respond fast enough. This is made formal in Appendix B, via the notion of zero-knowledge timed challenge-response protocol.

Remark 8

Note that this very simple protocol is also efficient: the “time-lock” evaluation of the VDF does not impact any of the honest participants, it is only meant to be used by the simulator. Only the trapdoor evaluation and the verification are actually executed.

Finally, this protocol has strong deniability properties. Indeed, since anyone can produce in time \(\varDelta \) a response to any challenge, any transcript of a conversation that is older than time \(\varDelta \) could have been generated by anyone. In fact the protocol is on-line deniable against any judge that suffers a communication delay larger than \(\varDelta /2\). Choosing \(\varDelta \) to be as short as possible (while retaining soundness) yields a strongly deniable protocol. Full on-line deniability is known to be impossible in a PKI (see [11]), and this delay assumption provides a new way to circumvent this impossibility. This is discussed in more detail in Appendix C.

Appendices

A Proof of Remark 1

Model H as a random oracle. Suppose that

$$\begin{aligned} \mathsf {trapdoor}_\mathsf {sk}^H(x, \varDelta )&= t_\mathsf {sk}(H(x), \varDelta ),\\ \mathsf {eval}_\mathsf {pk}^H(x, \varDelta )&= e_\mathsf {pk}(H(x), \varDelta ), and \\ \mathsf {verify}_\mathsf {pk}(x, y, \varDelta )&= v_\mathsf {pk}(H(x), y, \varDelta ), \end{aligned}$$

for procedures t, e and v that do not have access to H.

Let \(\mathcal A\) be a player of the \(\varDelta \)-evaluation race game. Assume that the output \(\mathcal B\) of \(\mathcal A\) is limited to a number q of queries to \(\mathcal O\) and H. We are going to build an algorithm \(\mathcal A'\) that wins with same probability as \(\mathcal A\) when its output \(\mathcal B'\) is not given access to \(\mathcal O\).

Let \((Y_i)_{i = 1}^q\) be a sequence of random hash values (i.e., uniformly distributed random values in \(\{\mathtt{0,1}\}^{2k}\)). First observe that \(\mathcal A\) wins the \(\varDelta \)-evaluation race game with the same probability if the last step runs the algorithm \(\mathcal B^{\mathcal O', H'}\) instead of \(\mathcal B^{\mathcal O, H}\), where

1. 1.

   \(H'\) is the following procedure: for any new requested input x, if x has previously been requested by \(\mathcal A\) to H then output \(H'(x) = H(x)\); otherwise set \(H'(x)\) to be the next unassigned value in the sequence \((Y_i)\);

2. 2.

   \(\mathcal O'\) is an oracle that on input x outputs \(t_\mathsf {sk}(H'(x), \varDelta )\).

With this observation in mind, we build \(\mathcal A'\) as follows. On input \(\mathsf {pk}\), \(\mathcal A'\) first runs \(\mathcal A^{H}\) which outputs \(\mathcal A^{H}(\mathsf {pk}) = \mathcal B\). Let X be the set of inputs of the requests that \(\mathcal A\) made to H. For any \(x\in X\), \(\mathcal A'\) computes and stores the pair \((H(x), \mathsf {eval}_\mathsf {pk}(x, \varDelta ))\) in a list L. In addition, it computes and stores \((Y_i, e_\mathsf {pk}(Y_i, \varDelta ))\) for each \(i = 1,\dots ,q\), and adds them to L.

Consider the following procedure \(\mathcal O'\): on input x, look for the pair of the form \((H'(x), \sigma )\) in the list L, and output \(\sigma \). The output of \(\mathcal A'\) is the algorithm \(\mathcal B' = \mathcal B^{\mathcal O',H'}\). It does not require access to the oracle \(\mathcal O\) anymore: all the potential requests are available in the list of precomputed values. Each call to \(\mathcal O\) is replaced by a lookup in the list L, so \(\mathcal B'\) has essentially the same running time as \(\mathcal B\). Therefore \(\mathcal A'\) wins the \(\varDelta \)-evaluation race game with same probability as \(\mathcal A\) even when its output \(\mathcal B'\) is not given access to a evaluation oracle.

B Timed Challenge-Response Identification Protocols

A timed challenge-response identification protocol has four procedures:

• \(\mathsf {keygen}\rightarrow (\mathsf {pk}, \mathsf {sk})\) is a key generation procedure, which outputs a prover’s public key \(\mathsf {pk}\) and secret key \(\mathsf {sk}\).

• \(\mathsf {challenge} \rightarrow c\) which outputs a random challenge.

• \(\mathsf {respond}_\mathsf {sk}(c, \varDelta ) \rightarrow r\) is a procedure that uses the prover’s secret key to respond to the challenge c, for the time parameter \(\varDelta \).

• \(\mathsf {verify}_\mathsf {pk}(c, r, \varDelta ) \rightarrow \mathsf {true}\) or \(\mathsf {false}\) is a procedure to check if r is a valid response to c, for the public key \(\mathsf {pk}\) and the time parameter \(\varDelta \).

The security level k is implicitly an input to each of these procedures. The \(\mathsf {keygen}\) procedure is used the generate Alice’s public and secret keys, then the identification protocol is as follows:

1. 1.

   Bob generates a random c with the procedure \(\mathsf {challenge}\). He sends it to Alice, along with a time limit \(\varDelta \), and starts a timer.

2. 2.

   Alice responds \(r = \mathsf {respond}_\mathsf {sk}(c, \varDelta )\).

3. 3.

   Bob stops the timer. He accepts if \(\mathsf {verify}_\mathsf {pk}(c, r, \varDelta ) = \mathsf {true}\) and the elapsed time is smaller than \(\varDelta \).

Given a time parameter \(\varDelta \), a \(\varDelta \)-response race game and an associated notion of \(\varDelta \)-soundness can be defined in a straightforward manner as follows.

Definition 8

(\(\varDelta \)-response race game). Let \(\mathcal A\) be a party playing the game. The parameter \(\varDelta : \mathbf Z_{>0} \rightarrow \mathbf R_{>0}\) is a function of the (implicit) security parameter k. The \(\varDelta \)-response race game goes as follows:

1. 1.

   The random procedure \(\mathsf {keygen}\) is run and it outputs a public key \(\mathsf {pk}\);

2. 2.

   \(\mathcal A(\mathsf {pk})\) outputs an algorithm \(\mathcal B\);

3. 3.

   A random challenge c is generated according to the procedure \(\mathsf {challenge}\);

4. 4.

   \(\mathcal B^{\mathcal O}(c)\) outputs a value r, where \(\mathcal O\) is an oracle that outputs the evaluation \(\mathsf {respond}_\mathsf {sk}(c', \varDelta )\) on any input \(c' \ne c\).

Then, \(\mathcal A\) wins the game if \(T(\mathcal B, c) < \varDelta \) and \(\mathsf {verify}_\mathsf {pk}(c, r, \varDelta ) = \mathsf {true}\).

Definition 9

(\(\varDelta \)-soundness). A timed challenge-response identification protocol is \(\varDelta \)-sound if any polynomially bounded player (with respect to the implicit security parameter) wins the above \(\varDelta \)-response race game with negligible probability.

It is as immediate to verify that a sound and \(\varDelta \)-sequential VDF gives rise to a \(\varDelta \)-sound identification protocol (via the construction of Sect. 8). Similarly, the completeness of the identification protocol (that a honest run of the protocol terminates with a successful verification) is straightforward to derive from the fact that the verification of a valid VDF output always outputs \(\mathsf {true}\). There simply is one additional requirement: if the procedure \(\mathsf {respond}_\mathsf {sk}(c, \varDelta )\) requires computation time at least \(\epsilon _1\), and the channel of communication has a transmission delay at least \(\epsilon _2\), we must have \(\epsilon _1 + 2 \epsilon _2 < \varDelta \). Finally the zero-knowledge property is defined as follows.

Definition 10

(Zero-knowledge). A timed challenge-response identification protocol is (perfectly, computationally, or statistically) zero-knowledge if there is an algorithm \(\mathcal S\) that on input k, \(\varDelta \), \(\mathsf {pk}\) and a random \(\mathsf {challenge}(k,\varDelta )\) produces an output (perfectly, computationally, or statistically) indistinguishable from \(\mathsf {respond}_\mathsf {sk}(c,k,\varDelta )\), and the running time of \(\mathcal S\) is polynomial in k.

In a classical cryptographic line of though, this zero-knowledge property is too strong to provide any soundness, since an adversary can respond to the challenge with a running time polynomial in the security parameter of Alice’s secret key. This notion starts making sense when the complexity of the algorithm \(\mathcal S\) is governed by another parameter, here \(\varDelta \), independent from Alice’s secret.

For the protocol derived from a VDF, the zero-knowledge property is ensured by the fact that anyone can compute Alice’s response to the challenge in time polynomial in k, with the procedure \(\mathsf {eval}\).

C Local Identification

The challenge-response identification protocol derived from a VDF in Sect. 8 is totally deniable against a judge, Judy, observing the communication from a long distance. The precise definition of on-line deniability is discussed in [11]. We refer the reader there for the details, but the high level idea is as follows. Alice is presumably trying to authenticate her identity to Bob. Judy will rule whether or not the identification was attempted. Judy interacts with an informant who is witnessing the identification and who wants to convince Judy that it happened. This informant could also be a misinformant, who is not witnessing any identification, but tries to deceive Judy into believing it happened. The protocol is on-line deniable if no efficient judge can distinguish whether she is talking to an informant or a misinformant. The (mis)informant is allowed to corrupt Alice or Bob, at which point he learns their secret keys and controls their future actions. When some party is corrupted, Judy learns about it.

It is shown in [11] that this strong deniability property is impossible to achieve in a PKI. To mitigate this issue, they propose a secure protocol in a relaxed setting, allowing incriminating aborts. We propose an alternative relaxation of the setting, where Judy is assumed to be far away from Alice and Bob (more precisely: the travel time of a message between Alice and Bob is shorter than between Alice (or Bob) and Judy⁶). For example, consider a building whose access is restricted to authorised card holders. Suppose the card holders do not want anyone other than the card reader to get convincing evidence that they are accessing the building (even if the card reader is corrupted, it cannot convince anyone else). Furthermore, Alice herself cannot convince anyone that the card reader ever acknowledged her identification attempt. In this context, the card and the card reader benefit from very efficient communications, while a judge farther away would communicate with an additional delay. An identification protocol can exploit this delay to become deniable, and this is achieved by the timed challenge-response identification protocol derived from a VDF.

The idea is the following. Suppose that the distance between Alice and Judy is long enough to ensure that the travel time of a message from Alice to Judy is larger than \(\varDelta /2\). Then, Judy cannot distinguish a legitimate response of Alice that took some time to reach her from a response forged by a misinformant that is physically close to Judy.

More precisely, considering an informant I who established a strategy with Judy, we can show that there is a misinformant M that Judy cannot distinguish from I. First of all, Bob cannot be incriminated since he is not using a secret key. It all boils down to tracking the messages that depend on Alice’s secret key. Consider a run of the protocol with the informant I. Let \(t_0\) be the point in time where Alice computed \(s = \mathsf {trapdoor}_\mathsf {sk}(c, \varDelta )\). The delay implies two things:

1. 1.

   The challenge c is independent of anything Judy sent after point in time \(t_0 - \varDelta /2\).

2. 2.

   The first message Judy receives that can depend on s (and therefore the first message that depends on Alice’s secret) arrives after \(t_0 + \varDelta /2\).

From Point 1, at time \(t_0 - \varDelta /2\), the misinformant (who is close to Judy) can already generate c (following whichever procedure I and Judy agreed on), and start evaluating \(\mathsf {eval}_\mathsf {pk}(c,\varDelta )\). The output is ready at time \(t_0 + \varDelta /2\), so from Point 2, the misinformant is on time to send to Judy messages that should depend on the signature s.

In practice. The protocol is deniable against a judge at a certain distance away from Alice and Bob, and the minimal value of this distance depends on \(\varDelta \). An accurate estimation of this distance would require in the first place an equally accurate estimation of the real time \(\varDelta \) (in seconds) a near-optimal adversary would need to forge the response. This non-trivial task relates to the discussion of Sect. 3.2.

Assuming reasonable bounds for \(\varDelta \) have been established, one can relate the distance and the communication delay in a very conservative way through the speed of light. We want Judy to stand at a sufficient distance to ensure that any message takes at least \(\varDelta /2\) s to travel between them, so Judy should be at least \(c\varDelta /2\) m away, where \(c \approx 3.00\times 10^8\) m/s is the speed of light. For security against a judge standing 100 m away, one would require \(\varDelta \approx 0.66\) \(\upmu \)s. Alice should be able to respond to Bob’s challenge in less time than that. At this point, it seems unreasonable to assume that such levels of precision can be achieved (although in principle, distance bounding protocols do deal with such constraints), yet it remains interesting that such a simple and efficient protocol provides full deniability against a judge that suffers more serious communication delays.