A Wesolowski Proof (also known as a VDF proof or (\pi)) is a cryptographic construction that allows a prover to convince a verifier that they correctly computed a Verifiable Delay Function (VDF) output, specifically one based on repeated squaring in a group of unknown order, such as an RSA group or a class group. The proof is succinct (small and fast to verify) and non-interactive, meaning it can be published once and verified by anyone without further communication. Its security relies on the Low Order and Sequentiality assumptions, ensuring the computation required a specific, un-parallelizable amount of sequential work.
LABS
Glossary
Wesolowski Proof
A Wesolowski Proof is a succinct, non-interactive proof for a Verifiable Delay Function (VDF), proving a sequential computation was performed without shortcuts.
Chainscore © 2026
definition
CRYPTOGRAPHIC PROTOCOL
What is a Wesolowski Proof?
A Wesolowski Proof is a succinct, non-interactive zero-knowledge proof system used to verify the result of a repeated squaring computation, forming the core of Verifiable Delay Functions (VDFs).
The protocol works by having the prover compute the VDF output (y = x^{2^T}) modulo (N), where (N) is the modulus of the hidden-order group and (T) is the delay parameter. To generate the proof, the verifier sends a random prime (l) sampled from a challenge space. The prover then computes (q) and (r) such that (2^T = ql + r), and outputs the proof (\pi = x^q \mod N). Verification involves checking that (\pi^l \cdot x^r \equiv y \pmod{N}), a computation exponentially faster than computing the VDF itself. This elegant structure ensures soundness—a cheating prover cannot forge a valid proof without performing the work.
Wesolowski Proofs are a critical component in blockchain and distributed systems where trustless, time-based coordination is required. Key applications include - Proof-of-Space-Time in consensus mechanisms like Chia, - generating unbiased, unpredictable random beacons, and - securing leader election protocols. Compared to the earlier Pietrzak VDF protocol, Wesolowski's construction produces a constant-size proof (a single group element) versus a logarithmic-size one, making it more efficient for on-chain verification. This efficiency is paramount in blockchain environments where storage and computation are scarce resources.
The security of the proof hinges on the algebraic structure of the group. If the group order were known, a malicious prover could compute a proof without the delay by using the group's order to find a shortcut. Therefore, groups like RSA groups (where (N = pq) for unknown primes) or ideal class groups of imaginary quadratic fields are used. The random challenge (l) must be generated after the prover commits to the output (y), typically via a verifiable random function (VRF) or a public coin from a blockchain's beacon, to prevent pre-computation attacks.
In practice, implementing Wesolowski Proofs requires careful parameter selection for the security parameter (\lambda) and the challenge space from which (l) is drawn. The proof's verification speed, while fast, still involves modular exponentiation, so optimizations like sloth (slow-timed hash) are sometimes used for simpler, albeit less secure, time delays. As a foundational primitive for verifiable delay, Wesolowski Proofs enable a new class of cryptographic protocols that reliably prove the passage of real, unbiasable time in a decentralized setting.
how-it-works
VERIFIABLE DELAY FUNCTION
How Does a Wesolowski Proof Work?
A Wesolowski Proof, also known as a Verifiable Delay Function (VDF) proof, is a cryptographic mechanism that proves a specific, sequential computation was performed without shortcuts.
A Wesolowski Proof is the output of a Verifiable Delay Function (VDF), a cryptographic primitive that requires a prescribed number of sequential steps to compute, but whose result can be verified almost instantly. The core function is y = x^(2^T) mod N, where x is an input, T is the delay parameter (the number of sequential squarings), and N is a large, publicly known RSA modulus. The prover must perform all T steps, which cannot be parallelized, creating a verifiable proof of elapsed time. The prover then generates a compact proof π that allows any verifier to check the correctness of y in logarithmic time relative to T.
The verification process is remarkably efficient. Instead of re-running the entire sequential computation, the verifier uses the proof π and a challenge derived from the output y and public parameters. The core verification check involves a single, fast modular exponentiation. This stark asymmetry—slow to generate, fast to verify—is the defining property. The security relies on the sequential nature of repeated squaring modulo N, assuming that no adversary can compute x^(2^T) mod N significantly faster than performing T sequential squarings, even with massive parallelization.
In practice, Wesolowski Proofs enable trustless coordination in decentralized systems where a measurable and unbiased delay is required. A primary use case is in blockchain consensus protocols, such as Chia's proof-of-space-and-time, where they ensure a minimum time has passed between blocks, preventing grinding attacks. They are also crucial for generating unbiased, publicly verifiable randomness beacons. The proof's compact size and fast verification make it practical for inclusion in blockchain headers, providing a cryptographically guaranteed timestamp that is immune to acceleration by specialized hardware like ASICs.
key-features
VERIFIABLE DELAY FUNCTION (VDF)
Key Features of Wesolowski Proofs
Wesolowski Proofs (VDFs) are cryptographic primitives that guarantee a minimum, non-parallelizable computation time, enabling trustless randomness and leader election in blockchain protocols.
01
Sequential Computation
A Wesolowski Proof, or Verifiable Delay Function (VDF), is defined by its sequentiality. It requires a prescribed number of sequential steps to compute, making it impossible to speed up significantly with parallel processors. This creates a reliable, protocol-enforced time delay, which is essential for generating unbiased randomness in proof-of-stake networks like Ethereum's RANDAO/VDF hybrid.
02
Efficient Verification
While the computation is slow and sequential, the proof's verification is extremely fast. Anyone can verify the correctness of the output in logarithmic time relative to the computation time, using a succinct proof. This property separates it from Proof-of-Work, where verification is also computationally intensive.
03
Unique Output (Uniqueness)
For a given input (challenge) and time parameter, a VDF guarantees a unique, deterministic output. There is only one valid result for the computation. This prevents adversarial manipulation and ensures all honest participants will arrive at the same final value, a critical property for consensus and randomness beacons.
04
The 'Proof' Component
The prover generates a succinct, non-interactive proof (the Wesolowski proof) alongside the output. This proof allows any verifier to check that:
- The output is correct for the given input.
- The prover indeed performed the full sequential work. This proof is based on low-degree polynomial interpolation and is central to the function's verifiability.
05
Core Cryptographic Construction
The Wesolowski VDF is typically instantiated using repeated squaring in a group of unknown order (e.g., an RSA group or a class group). The computation is y = x^(2^T) mod N, where T is the time parameter. The security relies on the computational hardness of taking roots in such groups, ensuring the delay cannot be shortcut.
06
Primary Use Case: Randomness Beacon
The main blockchain application is for bias-resistant randomness generation. In proof-of-stake, a VDF can be applied to a commit-reveal scheme (like RANDAO). It delays the final output, preventing the last revealer from manipulating the result, as they cannot compute the VDF output fast enough to predict and bias it.
etymology
THE NAMING OF A PROOF
Etymology and Origin
This section traces the origin of the Wesolowski Proof, a cryptographic primitive that transformed verifiable delay functions (VDFs) from a theoretical concept into a practical tool for blockchain consensus.
The Wesolowski Proof is named after its inventor, cryptographer Benjamin Wesolowski, who published the seminal paper "Efficient Verifiable Delay Functions" in 2018. This work provided the first practical, publicly verifiable construction for a Verifiable Delay Function (VDF), solving a key cryptographic challenge. The proof's name directly credits its creator, following the common academic tradition of eponymous naming for foundational algorithms and protocols, such as the Schnorr signature or the Merkle tree.
The genesis of the proof lies in the earlier theoretical concept of verifiable delay functions, which were proposed as a way to prove that a specific, non-parallelizable amount of sequential computation has been performed. Prior to Wesolowski's construction, proposed VDFs were either inefficient or relied on trusted setup. Wesolowski's breakthrough was a novel interactive protocol that could be made non-interactive using the Fiat-Shamir heuristic, resulting in succinct proofs and efficient verification. This made VDFs viable for real-world applications.
The proof's development was intrinsically linked to the needs of decentralized systems. It emerged from research into proof-of-work alternatives and randomness beacons, where guaranteeing a meaningful passage of time is critical. The Wesolowski Proof enabled the core property of sequentiality, ensuring that the output of a VDF could not be computed faster than by iterating the sequential function, even with massive parallelism. This property is essential for creating fair and unpredictable leader election or randomness in protocols like Ethereum's consensus mechanism.
In practice, the Wesolowski Proof is often implemented using repeated squaring in a group of unknown order, such as an RSA group or a class group. The prover computes a large exponentiation and generates a small, fixed-size proof. The verifier can then check this proof's correctness with a computation significantly faster than the original work. This asymmetry—slow to generate, fast to verify—is the hallmark of the construction and what makes it so valuable for blockchain consensus and synchronization.
The term "Wesolowski Proof" has become standard lexicon in cryptography and blockchain literature. It is frequently abbreviated in context, such as in the "Wesolowski VDF" or the "Pietrzak-Wesolowski VDF", the latter referencing a related, similar construction by another researcher. Its adoption by major projects cemented its name, demonstrating how a researcher's contribution can define an entire category of cryptographic tools in a rapidly evolving field.
ecosystem-usage
WESOLOWSKI PROOF
Ecosystem Usage and Applications
The Wesolowski Proof (VDF) is a cryptographic primitive enabling verifiable delay, crucial for creating trustless randomness and secure leader election in blockchain protocols.
01
Randomness Beacon (Randao / drand)
A Wesolowski Proof (VDF) is used as a randomness beacon to generate publicly verifiable, unbiasable random numbers. It prevents any participant from predicting or manipulating the output by imposing a mandatory time delay on computation, even with parallel processing.
- Key Property: The output is unpredictable until the slow, sequential computation is complete.
- Example: The drand network uses VDFs to produce verifiable randomness for protocols like Filecoin and Ethereum's beacon chain, securing processes like shard committee assignment.
02
Proof-of-Stake Leader Election
In Proof-of-Stake (PoS) consensus, VDFs enable secure and fair leader election. They are used to select the next block proposer from a validator set in a way that cannot be accelerated or gamed.
- Mechanism: A VDF is applied to a random seed, creating a delay before the leader is known. This prevents last-revealer attacks where the last validator to reveal their choice can manipulate the outcome.
- Implementation: Chia Network uses VDFs in its Proof-of-Space-and-Time consensus to ensure a minimum time passes between blocks, securing the chain against grinding attacks.
03
Enhancing Proof-of-Work Security
VDFs can augment Proof-of-Work (PoW) by decoupling security from pure energy expenditure. They introduce a mandatory time delay for block production, making certain attacks like selfish mining more difficult.
- Concept: A miner must still solve a PoW puzzle, but the valid solution must also be the input to a slow VDF computation before a block can be published.
- Benefit: This reduces the advantage of miners with access to ASIC boost or other optimizations, as they cannot bypass the fixed-time VDF step, promoting a more level playing field.
04
Resource-Efficient Timestamping
Wesolowski Proofs provide a cryptographic timestamping service that is more resource-efficient than Proof-of-Work. They prove that a certain amount of real-world time has passed since an event.
- How it works: A VDF's output serves as a proof that its input (e.g., a document hash) existed before the computation finished.
- Use Case: This enables verifiable delay in decentralized systems for events like governance proposal deadlines, option expiry in DeFi, or proving data existed at a specific prior time without relying on a trusted authority.
05
Foundation for Verifiable Delay Functions
The Wesolowski Proof is a specific, efficient construction for a Verifiable Delay Function (VDF). Its core innovation is a succinct, single-round proof that can be verified much faster than it was computed.
- Core Components: It is based on repeated sequential squaring in a group of unknown order (like an RSA group or a class group).
- Advantage: The proof size is constant and verification is fast (logarithmic in the delay time), making it practical for blockchain environments where compact proofs are essential for scalability.
security-considerations
WESOLOWSKI PROOF
Security Considerations and Assumptions
The Wesolowski Proof (VDF) provides cryptographic proof of elapsed time, but its security depends on specific computational and cryptographic assumptions.
01
Sequentiality Assumption
The core security of a VDF relies on the sequentiality assumption: that computing the function requires a specific, non-parallelizable number of sequential steps. This is typically based on the hardness of repeated squaring in a group of unknown order (like an RSA group or a class group). If this assumption is broken—for example, through a novel algorithm that allows parallelization—the proof's security guarantee of elapsed time collapses.
02
Cryptographic Group Security
The VDF's soundness depends on the security of the underlying algebraic group. For RSA-based constructions, this requires:
- The RSA assumption to hold (factoring large integers is hard).
- The group order remains unknown to the prover. If the order is discovered, the prover can compute the output without performing the work, breaking the delay.
- Secure, verifiable setup to generate the group parameters without leaking the order.
03
Prover Honesty & Verifier Efficiency
The Wesolowski Proof is non-interactive and publicly verifiable. Security considerations include:
- Prover Malice: A malicious prover could attempt to provide an incorrect proof. The verification algorithm must be robust against this, efficiently detecting any deviation from the correct computation.
- Verification Speed: Verification must be exponentially faster than the computation itself (typically logarithmic in the time parameter). If verification becomes too costly, the system's practicality is compromised.
04
Random Oracle & Proof Uniqueness
The protocol uses a random oracle (modeled by a cryptographic hash function like SHA-256) to generate a random challenge. Security assumptions include:
- The hash function behaves as a true random oracle.
- The generated proof is unique for a given input and time parameter. This prevents a prover from generating multiple proofs and choosing a favorable one (grinding attacks).
05
Implementation Pitfalls
Real-world security depends on correct implementation:
- Side-channel attacks: The sequential computation must be constant-time to avoid leaking information through timing or power analysis.
- Parameter selection: The time parameter
Tand security parameterλmust be chosen to provide sufficient security margins against both classical and quantum attacks. - Network assumptions: In distributed systems, the security of processes like randomness beacons assumes the VDF computation is not pre-computed before the input is known.
06
Comparison to Proof-of-Work
While both prove computational effort, key security differences exist:
- Energy Efficiency: VDFs are designed to be energy-efficient, as the work is not wastefully parallelizable.
- Predictable Timing: VDF delay is deterministic and tunable, unlike PoW's probabilistic finding time.
- Security Foundation: PoW security relies on majority honest hashrate; VDF security relies on cryptographic assumptions and sequential hardness. A broken VDF assumption is a catastrophic failure, whereas PoW security degrades gradually with hashrate loss.
VDF PROOF SYSTEMS
Comparison: Wesolowski vs. Pietrzak VDF Proofs
A technical comparison of the two primary proof systems used to verify Verifiable Delay Function (VDF) outputs.
| Feature / Metric | Wesolowski Proof | Pietrzak Proof |
|---|---|---|
Proof Type | Single-round interactive | Multi-round interactive |
Proof Size | ~1 group element | O(log(t)) group elements |
Verification Complexity | O(1) exponentiations | O(log(t)) exponentiations |
Prover Complexity | O(t) group operations | O(t log(t)) group operations |
Communication Rounds | 1 | log(t) |
Security Assumption | Low Order + Adaptive Root | Low Order |
Primary Use Case | Blockchain consensus (e.g., Chia) | Theoretical foundation |
DEBUNKING MYTHS
Common Misconceptions About Wesolowski Proofs
Wesolowski Proofs (VDFs) are often misunderstood. This section clarifies their role, limitations, and technical realities to separate fact from fiction in blockchain consensus.
A Wesolowski Proof is a specific, efficient verifiable delay function (VDF) construction, not a synonym for all VDFs. It is a cryptographic protocol that proves a specific, sequential computation was performed without shortcuts, where verification is exponentially faster than the computation itself. The proof, proposed by Benjamin Wesolowski, enables trustless verification of elapsed time or work. While all Wesolowski Proofs are VDFs, not all VDFs (e.g., Pietrzak's VDF) use the Wesolowski construction. Its core components are a sequential squaring operation in a group of unknown order (like an RSA group or a class group) and a succinct proof that can be verified with a few modular exponentiations.
WESOLOWSKI PROOF
Technical Deep Dive
A cryptographic proof system for verifiable delay functions (VDFs), enabling trustless, sequential computation in decentralized protocols.
A Wesolowski Proof is a succinct, non-interactive proof that a prover has correctly computed the output of a Verifiable Delay Function (VDF). It allows any verifier to check the result of a long, sequential computation in a fraction of the time it took to compute, without re-running it. The proof leverages a repeated squaring operation in a finite group (like an RSA group) and uses a hash-based challenge to generate a compact proof. This mechanism is crucial for protocols like Chia and Ethereum's RANDAO to ensure unbiased randomness and secure leader election in a trustless manner.
WESOLOWSKI PROOF
Frequently Asked Questions (FAQ)
Common technical questions about the Wesolowski Proof, a foundational cryptographic primitive for verifiable delay functions (VDFs) used in blockchain consensus and randomness generation.
A Wesolowski Proof is a succinct, non-interactive proof of correct computation for a Verifiable Delay Function (VDF), allowing a prover to convince a verifier that they performed a specified, sequential number of computational steps without the verifier re-executing the entire, time-consuming operation. It is based on the repeated squaring paradigm in a group of unknown order (like an RSA group or a class group). The proof is compact and efficiently verifiable, enabling trustless verification of time-locked computations in decentralized systems.
Key Properties:
- Succinct: Proof size is constant, typically a single group element.
- Fast Verification: Verification is exponentially faster than the original computation.
- Non-Interactive: The proof can be generated and verified without back-and-forth communication.
further-reading
WESOLOWSKI PROOF
Further Reading and Resources
Explore the foundational research, practical implementations, and related cryptographic primitives that underpin the Wesolowski Proof (VDF).
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall