RSA-based VDF

An RSA-based VDF computes a function y = x^(2^T) mod N, where N is a product of two large primes (the RSA modulus) and T is the required number of sequential squarings. The sequentiality is guaranteed by the inherent structure of the RSA group, making it impossible to compute the result faster with parallel hardware. A succinct proof (Wesolowski or Pietrzak) allows anyone to verify the result y in logarithmic time, without re-running the full computation.

VDFs are a key component for generating unpredictable and unbiasable randomness (a random beacon) in consensus protocols. A high-entropy seed is fed into the VDF, and after a fixed delay, the output becomes the verifiable random value. This is critical for:

• Proof-of-Stake leader/committee selection (e.g., Ethereum's RANDAO+VDF design).
• Preventing last-revealer attacks in commit-reveal schemes.
• Ensuring fair ordering in consensus protocols like Chia.

In PoET-based blockchains like Chia, an RSA-based VDF serves as the core Proof of Space-Time. Miners first commit disk space (Proof of Space). The winner is determined by who has the fastest VDF evaluation on a challenge derived from their space proof. This creates a fair, energy-efficient consensus where the primary resources are storage and verifiable time, not raw computation (Proof-of-Work).

A critical requirement for RSA-based VDFs is a trusted setup to generate the RSA modulus N. The two prime factors must be securely discarded to ensure no party can compute the VDF faster using a trapdoor. Projects like Chia conducted public, multi-party ceremonies (MPCs) to generate this modulus. The security relies on the sequential squaring assumption within the RSA group and the integer factorization problem.

RSA-based VDFs are contrasted with class group-based VDFs (e.g., using imaginary quadratic fields). Key differences:

• RSA VDFs: Require trusted setup but offer very efficient verification and are well-studied.
• Class Group VDFs: Do not require trusted setup (transparent), but verification can be slower. The choice depends on the protocol's trust assumptions and performance requirements for verifiers.

The security of RSA-based VDFs is fundamentally based on the classical hardness of integer factorization. Shor's algorithm, a quantum algorithm, can factor large integers in polynomial time on a sufficiently large quantum computer. This makes RSA-VDFs post-quantum insecure, unlike some hash-based VDFs whose sequentiality relies on inherently quantum-resistant properties.

The repeated squaring operation (x^(2^T) mod N) must be implemented with constant-time, side-channel resistant algorithms. Vulnerabilities can arise from:

• Timing attacks leaking information about the exponent or modulus.
• Power analysis during modular exponentiation.
• Fault injection to corrupt the computation and produce an invalid proof. These require careful cryptographic engineering at the hardware and software level.

While computing the VDF is slow, verifying the accompanying proof (e.g., a Wesolowski proof) must be fast. However, the verifier must perform operations modulo the large RSA modulus N. This verification, while efficient, is still significantly more computationally intensive than verifying a hash-based VDF proof, which typically involves just a few hash evaluations. This impacts systems requiring ultra-lightweight clients.

Security depends on correctly generating the RSA group (Z_N^*). This involves:

• Ensuring p and q are strong primes to resist specialized factoring attacks like Pollard's p-1.
• Verifying that the public parameter g (the base for squaring) generates a sufficiently large subgroup within Z_N^*. Weak parameter choices can reduce the actual sequential work required below the claimed delay time T.

A core security assumption of any VDF is that the computation cannot be meaningfully parallelized. For RSA-based VDFs, the repeated squaring operation is inherently sequential. However, an adversary with a massive hardware advantage (e.g., a custom ASIC for modular multiplication) could still compute the function faster than the honest party using generic hardware, potentially undermining fairness in applications like leader election or randomness beacons.

A Verifiable Delay Function (VDF) is a cryptographic primitive that requires a prescribed amount of sequential computation to evaluate, but whose output can be verified quickly. This property is crucial for creating trustless time delays in decentralized systems. Key characteristics include:

• Sequentiality: Computation cannot be parallelized.
• Verifiability: Proof of correct computation is fast to check.
• Uniqueness: Only one valid output for a given input. RSA-based constructions are a prominent class of VDFs.

Proof of Work (PoW) is a consensus mechanism where participants (miners) compete to solve a computationally hard, but easily verifiable, puzzle. Unlike a VDF, PoW is highly parallelizable and energy-intensive, as miners use massive arrays of hardware to find a solution faster than competitors. It is used to secure blockchains like Bitcoin. The key difference from VDFs is that PoW's delay is probabilistic and variable, while a VDF's delay is deterministic and fixed.

Proof of Stake (PoS) is a consensus mechanism where validators are chosen to create new blocks based on the amount of cryptocurrency they "stake" as collateral. It is far more energy-efficient than PoW. VDFs are often integrated into PoS systems to add cryptographic timekeeping, preventing manipulation of block proposal order and ensuring random leader election is unbiased and unpredictable. This combats grinding attacks.

A Random Beacon is a service that provides publicly verifiable, unpredictable, and unbiasable randomness at regular intervals. VDFs are a core component in constructing distributed random beacons (e.g., in Ethereum's RANDAO+ VDF design). The VDF imposes a mandatory time delay on the revealed randomness, preventing a last-revealer from manipulating the final output. This creates verifiable delay-based randomness critical for lotteries and leader election.

A Time-Lock Puzzle is a cryptographic problem designed to be solvable only after a specific amount of sequential computation has been performed, effectively "encrypting" a message for a period of time. RSA-based time-lock puzzles, proposed by Rivest, Shamir, and Wagner, are the direct precursor to RSA-based VDFs. The core difference is that a VDF produces a publicly verifiable proof, while a classic time-lock puzzle requires the solver to perform the work to decrypt.

The Wesolowski Proof is a specific, efficient proof system that enables fast verification of RSA-based VDF outputs. After computing the slow sequential function y = x^(2^T) mod N, the prover generates a compact proof π. A verifier can check this proof using a few modular exponentiations, without redoing the long computation. This proof structure is what transforms a simple sequential function into a verifiable delay function, making RSA-VDFs practical.