Commit c50cbe73 authored by Krzysztof Pietrzak

started abstract

parent ef20e397
......@@ -44,7 +44,7 @@
\title{Sequential Squaring with Precomputation}
\title{Verifiable Delay Functions in Fixed Groups of Unknown Order}%Sequential Squaring with Precomputation}
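Review bot: The new `\title` line carries the old title along as a trailing LaTeX comment (`%Sequential Squaring with Precomputation}`), which leaves a stray `}` inside a comment and makes the line hard to read; drop the dead text or move it to its own `%` comment line above the `\title` so the title line is just `\title{Verifiable Delay Functions in Fixed Groups of Unknown Order}`.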
......@@ -54,6 +54,17 @@
A verifiable delay function (VDF) on input a challenge $x$ and time parameter $T$ outputs a value $y$ together with a proof $\pi$. The value $y$ can be computed in $T$ sequential steps, but not much faster, even with high parallelism. $\pi$ is an efficiently verifiable proof that certifies that $y$ is correct.
VDFs were only recently introduced, but have already found many applications, most prominently in blockchain protocols. Currently, the only practical constructions of VDFs compute a value $y=x^{2^T}$ by squaring $x$ sequentially $T$ times in a group of unknown order.
Two such groups have been suggested, RSA groups $Z_N^*$ (where the group operation is multiplication modulo a product $N=p\cdot q$ of two large primes $p,q$) and class groups of an imaginary quadratic field.
The RSA group has the advantage
Verifiable delay functions (VDFs) are functions whose evaluation requires a prescribed number of sequential operations (a \emph{delay}), but at the same time are \emph{verifiable} in the sense that they offer an efficient way of proving the correctness of the output: Given an input $x$, the prover does not only compute the output $y$ of the function but also provides a proof $\pi$, which allows the verifier to verify that $y$ is indeed the correct output of the function much more efficiently than evaluating the function himself.\\
The design and implementation of VDFs have become a hot topic in cryptography especially due to their application in several decentralized cryptocurrencies such as Ethereum ( and Chia ( The two most practical proposals are those by Pietrzak \cite{P18} and Wesolowski \cite{W18}. Both of them are inspired by the timelock puzzle of Rivest, Shamir and Wagner \cite{RSW96} and rely on the assumption that, given a description of a group of unknown order of size exponential in the security parameter $\lambda$ and a uniformly random group element $x$, the fastest algorithm to compute $x^{2^T}$ for some time parameter $T=\poly(\lambda)$ requires $T$ sequential squarings.\\
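Review bot: The added abstract is left unfinished and contains broken markup that will not compile cleanly. The sentence "The RSA group has the advantage" stops mid-sentence, and the parentheses after "Ethereum (" and "Chia (" are never closed, so the intended citations or URLs are missing; either complete them (e.g. with `\cite{}` or `\url{}` entries) or remove the empty parentheses until the references are available. The hunk also contains two competing drafts of the same VDF definition (the paragraph starting "A verifiable delay function (VDF) on input a challenge $x$" and the one starting "Verifiable delay functions (VDFs) are functions whose evaluation requires"); keeping both in the abstract duplicates the content, so one should be chosen. Two smaller points: `\poly` in `$T=\poly(\lambda)$` needs a `\newcommand` (or `\DeclareMathOperator`) in the preamble, and the trailing `\\` at the end of the two long paragraphs inserts a forced line break rather than a paragraph break, so a blank line would be the idiomatic way to separate them.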