A Class Group Verifiable Delay Function (VDF) is a cryptographic building block that guarantees a minimum elapsed wall-clock time for its computation, even with massive parallelism. It is constructed using the algebraic properties of class groups of imaginary quadratic fields. The function takes an input, performs a long sequence of squaring operations within the class group, and produces a unique output. Crucially, the result can be verified as correct in a fraction of the time it took to compute, making it a powerful tool for creating trustless timing mechanisms in decentralized systems.
LABS
Glossary
Class Group VDF
A Class Group Verifiable Delay Function (VDF) is a cryptographic primitive that generates a unique, publicly verifiable output proving that a specific, unavoidable amount of sequential computation time has elapsed.
Chainscore © 2026
definition
CRYPTOGRAPHIC PRIMITIVE
What is a Class Group VDF?
A Class Group Verifiable Delay Function (VDF) is a cryptographic primitive that produces a unique, publicly verifiable output after a predetermined, sequential computation, leveraging the algebraic structure of imaginary quadratic class groups.
The security and sequential nature of a Class Group VDF stem from the conjectured computational hardness of problems within these algebraic structures, such as computing the class group structure itself or performing certain operations without knowing the group order. Unlike VDFs based on repeated squaring in groups of unknown order like RSA, class groups are believed to be post-quantum secure, as their security does not rely on the difficulty of integer factorization. This makes them a future-proof candidate for protocols requiring long-term, verifiable delays.
In blockchain and decentralized protocols, Class Group VDFs have several critical applications. They are fundamental to proof-of-stake randomness beacons, like those proposed for Ethereum, where they ensure unpredictable and bias-resistant leader election. They also enable timelock encryption, where a message can be encrypted so it can only be decrypted after a specific time has passed. Furthermore, they are used in proof of sequential work and creating non-interactive time-stamping services that are resistant to parallel computation attacks.
how-it-works
MECHANISM
How Does a Class Group VDF Work?
A Class Group Verifiable Delay Function (VDF) is a cryptographic primitive that produces a unique, verifiable output after a mandatory, non-parallelizable computation, using the algebraic structure of imaginary quadratic class groups.
A Class Group VDF operates by performing repeated squaring within a class group of an imaginary quadratic field. The core operation is the function VDF(x) = x^(2^T), where x is an input element of the class group and T is the required number of sequential steps. The security relies on the conjectured computational hardness of computing this exponentiation significantly faster than performing T sequential squarings, a property known as sequentiality. This makes the function a delay function, as the computation cannot be sped up by adding more parallel processors.
The verification of a Class Group VDF is efficient and does not require re-running the long computation. After the prover spends time T to compute the output y, they generate a succinct proof using Wesolowski's or Pietrzak's interactive proof protocols made non-interactive via the Fiat-Shamir heuristic. A verifier can then check the proof's correctness using the public parameters, the input x, the output y, and the time parameter T in logarithmic time relative to T. This verifiability is the second critical property, ensuring anyone can cheaply confirm the output is correct without trusting the prover.
The choice of imaginary quadratic class groups is crucial for security and efficiency. Unlike groups based on integer factorization (like RSA groups) or elliptic curves, class groups are believed to resist attacks from quantum computers and offer asymptotically smaller parameters. The structure provides a low-order assumption, meaning it is hard to find elements of small order, which is essential for the security of the sequential squaring operation. This makes Class Group VDFs a leading candidate for post-quantum secure VDF constructions.
In practice, a Class Group VDF system requires a trusted setup to generate the public parameters, specifically the discriminant D defining the class group. This setup must ensure the discriminant's factorization is unknown and that the group's structure is suitable. Once established, the function can be used in applications requiring a proof of elapsed time, such as generating unbiased randomness in blockchain consensus (e.g., in proof-of-stake systems like Chia), securing timelock puzzles, or preventing grinding attacks in leader election protocols.
key-features
MECHANICAL PROPERTIES
Key Features of Class Group VDFs
Class groups provide the cryptographic foundation for a Verifiable Delay Function (VDF) that is post-quantum secure and sequentially slow to compute, enabling unique applications in decentralized systems.
01
Sequential Computation
A Class Group VDF requires a fixed, non-parallelizable sequence of squaring operations in an imaginary quadratic field's class group. This creates a verifiable time delay that cannot be sped up by adding more parallel processors, making it ideal for generating unbiased randomness or timestamps in consensus protocols.
02
Post-Quantum Security
Unlike VDFs based on repeated squaring modulo a prime (RSA groups), which are vulnerable to quantum computers via Shor's algorithm, the security of Class Group VDFs relies on the hardness of computing class group structure. This problem is believed to be quantum-resistant, providing long-term security assurances.
03
Compact Proof & Fast Verification
After the slow computation, the prover generates a succinct proof (e.g., using the Wesolowski or Pietrzak proof systems). This proof allows any verifier to instantly confirm the correctness of the long computation with minimal computational effort, a property known as inherent asymmetry.
04
Unique Output (Uniqueness)
For a given input (challenge) and time parameter, the VDF guarantees a single, unique output. This prevents adversarial manipulation where different parties could compute different valid results, a critical property for applications like leader election or random beacon generation in blockchain consensus.
05
Construction via Imaginary Quadratic Fields
The function is built upon the class group of an imaginary quadratic field Q(√-D), where D is a large, non-square integer. The fundamental operation is repeated squaring of an ideal class, and the discriminant D is a public parameter that defines the group.
etymology
TERM BACKGROUND
Etymology and Origin
This section traces the linguistic and conceptual origins of the term 'Class Group VDF', explaining how its components—'Class Group' and 'Verifiable Delay Function'—were synthesized to create a specific cryptographic primitive.
The term Class Group VDF is a compound noun formed by combining Class Group—a concept from algebraic number theory—with Verifiable Delay Function (VDF), a modern cryptographic primitive. Its etymology reflects a direct technical synthesis: it denotes a VDF whose sequential delay is intrinsically tied to the computational hardness of problems within an imaginary quadratic field's class group. The name was coined in academic cryptography circles around 2017-2018 as researchers, including Dan Boneh and others, sought post-quantum secure and uniquely sequential alternatives to existing VDF constructions like those based on repeated squaring.
The 'Class Group' component originates from class field theory, a branch of mathematics developed in the late 19th and early 20th centuries by David Hilbert and others. In this context, a class group measures the failure of unique factorization in the ring of integers of an algebraic number field. For VDFs, the specific focus is on the class group of an imaginary quadratic field (denoted Cl(√-D)), where the group operation is composition of quadratic forms. The security assumption—that computing the class group structure or performing an evaluation is inherently sequential—is known as the adaptive root assumption or the low-order assumption within this group.
The 'Verifiable Delay Function' component was formally defined in a 2018 paper by Boneh et al. as a function that requires a prescribed number of sequential steps to compute, yet whose output can be verified efficiently. The fusion with class groups was proposed to overcome limitations in trusted setup and quantum resistance. Unlike RSA-based VDFs that need a trusted setup to generate a modulus, class groups of imaginary quadratic fields can be generated transparently from a publicly verifiable, nothing-up-my-sleeve number, like a discriminant -D. This makes the Class Group VDF a minimal assumption construct, appealing for decentralized systems like blockchain protocols.
The development of Class Group VDFs is closely associated with their intended application in blockchain consensus and proof-of-stake systems, such as the proposed Ethereum protocol upgrade for randomness generation. Their origin story is thus not just linguistic but deeply embedded in the pragmatic needs of creating publicly verifiable, unbiasable randomness beacons and securing leader election without specialized hardware. The term has since become a standard entry in the lexicon of succinct cryptography and decentralized protocol design.
ecosystem-usage
CLASS GROUP VDF
Ecosystem Usage and Protocols
A Class Group Verifiable Delay Function (VDF) is a cryptographic primitive that enforces a mandatory, sequential computation time, creating a reliable source of time in decentralized systems. Its primary applications are in consensus mechanisms and randomness generation.
01
Core Cryptographic Mechanism
A Class Group VDF is a function that requires a specified number of sequential squarings within a class group of an imaginary quadratic field. This structure ensures the computation cannot be parallelized, creating a verifiable time delay. The output includes a proof that can be verified much faster than it was generated, providing a trustless proof of elapsed time.
02
Chia Network Consensus (Proof of Space and Time)
The Chia blockchain uses a Class Group VDF as the "Time" in its Proof of Space and Time (PoST) consensus. Farmers with provable storage (Proof of Space) become eligible to win blocks. A VDF then imposes a mandatory delay between these eligibility proofs, ensuring block times are consistent and preventing grinding attacks, making the chain more secure and decentralized than pure Proof of Work.
03
Randomness Beacon (Randstorm / drand)
Class Group VDFs are a core component of unbiasable randomness beacons. In protocols like Randstorm, a VDF is applied to a high-entropy seed (e.g., from a commit-reveal scheme or BLS threshold signature). The mandatory delay prevents the last participant from manipulating the final output, as they cannot compute the VDF result faster than anyone else. This produces publicly verifiable, unpredictable randomness for smart contracts and lotteries.
04
Comparison to Other VDF Constructions
Class Group VDFs are contrasted with RSA-based VDFs (e.g., Wesolowski, Pietrzak). Key differentiators include:
- Quantum Resistance: Relies on the hardness of computing class numbers, believed to be post-quantum secure.
- Succinct Proofs: Generates very small, constant-sized proofs.
- No Trusted Setup: Unlike RSA groups which require a trusted prime generation, class groups are setup-free. The trade-off is that computation can be slower than optimally configured RSA VDFs.
05
Implementation & Efficiency Challenges
Efficient implementation requires optimized algorithms for composition and reduction of binary quadratic forms within the class group. Key challenges include:
- Minimizing the overhead of the reduction step after each squaring.
- Ensuring the discriminant is chosen to guarantee a large, cyclic class group.
- Hardware acceleration for the sequential squaring operation, which is a core bottleneck. Projects like Chia invest heavily in optimized VDF client software.
06
Security Assumptions and Trust Model
The security of a Class Group VDF rests on two main computational assumptions:
- Sequentiality: That the repeated squaring operation cannot be meaningfully parallelized.
- Soundness: That the class group order (the class number) is unknown and difficult to compute. Knowing the group order would allow for shortcutting the delay. The trust model is minimal, requiring only that the initial discriminant parameters are correctly generated to form a suitable group.
security-considerations
CLASS GROUP VDF
Security Considerations and Assumptions
Verifiable Delay Functions (VDFs) based on class groups provide a unique cryptographic primitive for generating unbiased randomness. Their security relies on specific, well-defined computational assumptions.
02
Trusted Setup & Public Parameters
A critical assumption is the correct generation of the public parameters, specifically the discriminant. This process must:
- Generate a fundamental discriminant of sufficient size.
- Ensure the discriminant's class number is not trivially small.
- Securely discard the factorization of the discriminant during setup. If the setup is compromised (e.g., the factorization is leaked), an adversary could compute the VDF output instantly, breaking the delay property. This necessitates a trusted setup ceremony or novel setup-free constructions.
03
Sequentiality vs. Verifiability
Security requires a clear separation between two properties:
- Sequentiality (Hardness): The evaluation of the VDF must take a prescribed number of sequential steps. The class group assumption guarantees that no algorithm, even with many parallel processors, can compute the output significantly faster.
- Verifiability (Easiness): The proof that the output is correct must be efficiently and quickly verifiable by anyone. This is typically achieved via a Wesolowski or Pietrzak proof, which relies on different cryptographic assumptions (like the Adaptive Root Assumption).
04
Resistance to Parallelization & Precomputation
A key security goal is unpredictable, unbiasable randomness. The VDF design must prevent:
- Parallel Speedup: The iterative squaring operation in the class group should have no shortcut, forcing a strict sequential chain of operations.
- Precomputation Attacks: An adversary should not be able to precompute future outputs before the input (e.g., a block hash) is known. The security model assumes the input is unpredictable until the VDF evaluation begins.
05
Implementation & Side-Channel Risks
Practical security depends on a correct and robust implementation. Key risks include:
- Algorithmic Errors: Incorrect group operation logic can break sequentiality or verifiability.
- Side-Channel Attacks: Timing or power analysis on the sequential squaring loop could leak internal state.
- DoS via Verification: While verification is fast, it is not free; systems must guard against spam with invalid proofs.
06
Comparison to RSA-Based VDFs
Class group VDFs make different trade-offs than the more common RSA-based VDFs:
- Post-Quantum Security: Based on problems (class group structure) believed to be hard for quantum computers, unlike RSA factorization.
- Setup Requirement: Requires a trusted setup to generate the discriminant, whereas RSA VDFs can use a publicly verifiable modulus (like the RSA UFO).
- Group Size: Class group elements have more compact representations than RSA groups for equivalent security levels, improving efficiency.
DELAY MECHANISM ARCHITECTURE
Comparison: Class Group VDF vs. Other Delay Mechanisms
A technical comparison of Verifiable Delay Function (VDF) implementations and alternative methods for creating cryptographic time delays, focusing on security assumptions, performance, and practical deployment.
| Feature / Property | Class Group VDF (e.g., Chia, Ethereum RANDAO upgrade) | Sequential Hash Chain (e.g., early VDF proposals) | Proof of Sequential Work (PoSW) | Trusted Hardware (e.g., Intel SGX) |
|---|---|---|---|---|
Cryptographic Foundation | Ideal class groups of imaginary quadratic fields | Repeated hashing (e.g., SHA-256) | Repeated hashing with proof batching | Secure enclave attestation & execution |
Verifiability | ||||
Uniqueness of Output | Varies by construction | |||
Sequentiality Guarantee | Relies on group order unknownness | Relies on hash function preimage resistance | Relies on hash function preimage resistance | Relies on hardware isolation |
Inherent Parallelism Resistance | Asymptotically optimal | Optimal (by hash design) | Optimal (by hash design) | Dependent on hardware implementation |
Setup / Trust Assumptions | Requires a trusted setup for group generation | None (hash function only) | None (hash function only) | Requires trust in hardware manufacturer and correct implementation |
Verification Speed | Fast (single group op) | Slow (must recompute chain) | Moderate (verify batched proof) | Very Fast (signature check) |
Hardware Requirements for Evaluation | Moderate (efficient group ops) | Trivial (only hash function) | Moderate (proof generation) | Specialized (specific CPU model) |
Primary Use Case | Leader election, randomness beacons | Simple timing delays, timestamping | Proof of elapsed time constructs | Trusted execution environments |
DEBUNKING MYTHS
Common Misconceptions About Class Group VDFs
Class Group Verifiable Delay Functions (VDFs) are a critical cryptographic primitive for blockchain consensus and randomness beacons, but their mathematical complexity often leads to widespread misunderstandings. This section clarifies the most frequent points of confusion regarding their security, performance, and application.
No, Class Group VDFs are fundamentally different from Proof of Work (PoW). While both require sequential computation, their purpose and security model are distinct. Proof of Work is a probabilistic, parallelizable competition where miners race to find a hash below a target; its security relies on the economic cost of hardware and energy. A Class Group VDF produces a unique, deterministic output that must be computed sequentially for a set number of steps; its security relies on the algebraic complexity of composing ideal class group operations, making shortcuts computationally infeasible. VDFs provide verifiable delay, not competitive hashing, and are used for tasks like leader election or randomness generation where a guaranteed time delay is the desired property, not wasted energy.
CRYPTOGRAPHIC PRIMITIVES
Technical Deep Dive
A detailed exploration of Class Groups and Verifiable Delay Functions (VDFs), advanced cryptographic constructs used for generating trustless randomness and securing proof-of-stake protocols.
A Class Group is a mathematical structure derived from the theory of quadratic number fields, specifically the ideal class group of an imaginary quadratic field. In cryptography, it provides a candidate for a cryptographic group where certain problems, like computing the group structure or solving the discrete logarithm, are believed to be computationally hard, even for quantum computers. Its primary modern application is within Verifiable Delay Functions (VDFs), where it serves as the underlying 'sequential' function. The group operation is relatively fast, but computing a group action (e.g., repeated squaring in the class group) requires a large, predetermined number of sequential steps, creating a verifiable time delay. This property is crucial for protocols like Chia and Ethereum's RANDAO/VDF beacon chain, which use it to generate unbiasable, publicly verifiable randomness.
CLASS GROUP VDF
Frequently Asked Questions (FAQ)
A Verifiable Delay Function (VDF) is a cryptographic primitive that enforces a minimum, non-parallelizable computation time. Class Group VDFs are a specific construction that leverages the computational hardness of problems in imaginary quadratic fields.
A Class Group VDF is a Verifiable Delay Function that uses the algebraic structure of class groups of imaginary quadratic fields to create a proof of elapsed time. It works by performing repeated squaring (or a similar slow operation) within a class group, where the group's structure ensures the computation cannot be significantly sped up with parallel processors. The output is a unique result that can be quickly verified by anyone using a short proof, confirming that a specific, unavoidable amount of sequential work was performed. This property is crucial for creating trustless randomness, leader election in consensus protocols, and preventing manipulation in blockchain systems like Chia.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall