{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T19:31:35Z","timestamp":1767987095420,"version":"3.49.0"},"reference-count":42,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,1,8]],"date-time":"2024-01-08T00:00:00Z","timestamp":1704672000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,3,5]]},"abstract":"<jats:p>A verifiable delay function (VDF) is an important tool used for adding delay in decentralized applications. This paper surveys and compares two beautiful verifiable delay functions, one due to Pietrzak, and the other due to Wesolowski, In addition, we provide a new computational proof of security for one of them, present an attack on an incorrect implementation of the other, and compare the complexity assumptions needed for both schemes. <\/jats:p>","DOI":"10.62056\/av7tudhdj","type":"journal-article","created":{"date-parts":[[2024,4,9]],"date-time":"2024-04-09T19:27:10Z","timestamp":1712690830000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":5,"title":["A Survey of Two Verifiable Delay Functions   Using Proof of Exponentiation"],"prefix":"10.62056","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0820-0421","authenticated-orcid":false,"given":"Dan","family":"Boneh","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/00f54p054","id-type":"ROR","asserted-by":"publisher"}],"name":"Stanford University","place":["353 Jane Stanford Way, Stanford, CA, 94305, U.S.A"],"department":["Computer Science"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2082-4480","authenticated-orcid":false,"given":"Benedikt","family":"B\u00fcnz","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0190ak572","id-type":"ROR","asserted-by":"publisher"}],"name":"New York University","place":["251 Mercer St., New York, NY, 10012, U.S.A"],"department":["Computer Science"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-1154-2277","authenticated-orcid":false,"given":"Ben","family":"Fisch","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/03v76x132","id-type":"ROR","asserted-by":"publisher"}],"name":"Yale University","place":["51 Prospect St., New Haven, CT, 06511, U.S.A"],"department":["Computer Science"]}]}],"member":"48349","published-online":{"date-parts":[[2024,4,9]]},"reference":[{"key":"ref1:LW17","doi-asserted-by":"publisher","first-page":"330","DOI":"10.1504\/IJACT.2017.089354","article-title":"Trustworthy public randomness with sloth, unicorn, and trx","volume":"3","author":"Arjen K Lenstra","year":"2017","journal-title":"International Journal of Applied Cryptography"},{"key":"ref2:C:BBBF18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"757","DOI":"10.1007\/978-3-319-96884-1_25","article-title":"Verifiable Delay Functions","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02018, Part\u00a0I","volume":"10991","author":"Dan Boneh","year":"2018"},{"key":"ref3:beacon","article-title":"Public Randomness and Randomness Beacons","author":"Joseph Bonneau","year":"2022"},{"key":"ref4:EC:CohPie18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"451","DOI":"10.1007\/978-3-319-78375-8_15","article-title":"Simple Proofs of Sequential Work","volume-title":"Advances in Cryptology \u2013 EUROCRYPT\u00a02018, Part\u00a0II","volume":"10821","author":"Bram Cohen","year":"2018"},{"key":"ref5:CSF:MedLoeQua23","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1109\/CSF57540.2023.00028","article-title":"SoK: Delay-Based Cryptography","volume-title":"CSF 2023: IEEE 36th Computer Security Foundations\n  Symposium","author":"Liam Medley","year":"2023"},{"key":"ref6:EC:Wesolowski19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"379","DOI":"10.1007\/978-3-030-17659-4_13","article-title":"Efficient Verifiable Delay Functions","volume-title":"Advances in Cryptology \u2013 EUROCRYPT\u00a02019, Part\u00a0III","volume":"11478","author":"Benjamin Wesolowski","year":"2019"},{"key":"ref7:JC:Wesolowski20","doi-asserted-by":"publisher","first-page":"2113","DOI":"10.1007\/s00145-020-09364-x","article-title":"Efficient Verifiable Delay Functions","volume":"33","author":"Benjamin Wesolowski","year":"2020","journal-title":"Journal of Cryptology"},{"key":"ref8:ITCS:Pietrzak19b","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ITCS.2019.60","article-title":"Simple Verifiable Delay Functions","volume-title":"ITCS 2019: 10th Innovations in Theoretical Computer Science\n  Conference","volume":"124","author":"Krzysztof Pietrzak","year":"2019"},{"key":"ref9:EPRINT:KhoMalTiw22","article-title":"MinRoot: Candidate Sequential Function for Ethereum\n  VDF","author":"Dmitry Khovratovich","year":"2022"},{"key":"ref10:minrootattack","article-title":"Analysis of MinRoot: Public report","author":"Ga\u00ebtan Leurent","year":"2023"},{"key":"ref11:AC:DMPS19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"248","DOI":"10.1007\/978-3-030-34578-5_10","article-title":"Verifiable Delay Functions from Supersingular Isogenies and\n  Pairings","volume-title":"Advances in Cryptology \u2013 ASIACRYPT\u00a02019, Part\u00a0I","volume":"11921","author":"Luca De Feo","year":"2019"},{"key":"ref12:ITCS:BGJPVW16","doi-asserted-by":"publisher","first-page":"345","DOI":"10.1145\/2840728.2840745","article-title":"Time-Lock Puzzles from Randomized Encodings","volume-title":"ITCS 2016: 7th Conference on Innovations in Theoretical\n  Computer Science","author":"Nir Bitansky","year":"2016"},{"key":"ref13:JMRR21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"584","DOI":"10.1007\/978-3-030-92518-5_26","article-title":"Time-Release Cryptography from Minimal Circuit Assumptions","volume-title":"Progress in Cryptology \u2013 INDOCRYPT 2021","volume":"13143","author":"Samuel Jaques","year":"2021"},{"key":"ref14:C:RotSeg20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"481","DOI":"10.1007\/978-3-030-56877-1_17","article-title":"Generically Speeding-Up Repeated Squaring Is Equivalent to\n  Factoring: Sharp Thresholds for All Generic-Ring Delay Functions","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02020, Part\u00a0III","volume":"12172","author":"Lior Rotem","year":"2020"},{"key":"ref15:RSW96","article-title":"Time-lock puzzles and timed-release crypto","author":"Ronald Rivest","year":"1996"},{"key":"ref16:C:FiaSha86","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/3-540-47721-7_12","article-title":"How to Prove Yourself: Practical Solutions to\n  Identification and Signature Problems","volume-title":"Advances in Cryptology \u2013 CRYPTO'86","volume":"263","author":"Amos Fiat","year":"1987"},{"key":"ref17:SAC:Mao01","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"342","DOI":"10.1007\/3-540-45537-X_27","article-title":"Timed-Release Cryptography","volume-title":"SAC 2001: 8th Annual International Workshop on Selected\n  Areas in Cryptography","volume":"2259","author":"Wenbo Mao","year":"2001"},{"key":"ref18:C:BonBunFis19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"561","DOI":"10.1007\/978-3-030-26948-7_20","article-title":"Batching Techniques for Accumulators with Applications to\n  IOPs and Stateless Blockchains","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02019, Part\u00a0I","volume":"11692","author":"Dan Boneh","year":"2019"},{"key":"ref19:C:LaiMal19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"530","DOI":"10.1007\/978-3-030-26948-7_19","article-title":"Subvector Commitments with Application to Succinct\n  Arguments","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02019, Part\u00a0I","volume":"11692","author":"Russell W. F. Lai","year":"2019"},{"key":"ref20:EC:BunFisSze20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"677","DOI":"10.1007\/978-3-030-45721-1_24","article-title":"Transparent SNARKs from DARK Compilers","volume-title":"Advances in Cryptology \u2013 EUROCRYPT\u00a02020, Part\u00a0I","volume":"12105","author":"Benedikt B\u00fcnz","year":"2020"},{"key":"ref21:PKC:AGLMS23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"542","DOI":"10.1007\/978-3-031-31371-4_19","article-title":"Dew: A Transparent Constant-Sized Polynomial Commitment\n  Scheme","volume-title":"PKC\u00a02023: 26th International Conference on Theory and\n  Practice of Public Key Cryptography, Part\u00a0II","volume":"13941","author":"Arasu Arun","year":"2023"},{"key":"ref22:C:BHRRS21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1007\/978-3-030-84259-8_5","article-title":"Time- and Space-Efficient Arguments from Groups of Unknown\n  Order","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02021, Part\u00a0IV","volume":"12828","author":"Alexander R. Block","year":"2021"},{"key":"ref23:EPRINT:AttVigDim22b","article-title":"Efficient Verification of the Wesolowski Verifiable Delay\n  Function for Distributed Environments","author":"Vidal Attias","year":"2022"},{"key":"ref24:C:HHKKP22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"370","DOI":"10.1007\/978-3-031-15979-4_13","article-title":"Practical Statistically-Sound Proofs of Exponentiation in\n  Any Group","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02022, Part\u00a0II","volume":"13508","author":"Charlotte Hoffmann","year":"2022"},{"key":"ref25:book","article-title":"A graduate course in applied cryptography, version\u00a00.6","author":"Dan Boneh","year":"2022"},{"key":"ref26:JC:AttFehKlo23","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1007\/s00145-023-09478-y","article-title":"Fiat-Shamir Transformation of Multi-Round Interactive Proofs\n  (Extended Version)","volume":"36","author":"Thomas Attema","year":"2023","journal-title":"Journal of Cryptology"},{"key":"ref27:CCS:BelNev06","doi-asserted-by":"publisher","first-page":"390","DOI":"10.1145\/1180405.1180453","article-title":"Multi-signatures in the plain public-Key model and a general\n  forking lemma","volume-title":"ACM CCS 2006: 13th Conference on Computer and Communications\n  Security","author":"Mihir Bellare","year":"2006"},{"key":"ref28:EPRINT:SerBur20","article-title":"A Note on Low Order Assumptions in RSA groups","author":"Istv\u00e1n Andr\u00e1s Seres","year":"2020"},{"key":"ref29:Buch","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1515\/9783110881035.1","article-title":"A survey on IQ cryptography","volume-title":"Public-Key Cryptography and Computational Number Theory","author":"Johannes Buchmann","year":"2001"},{"key":"ref30:cryptoeprint:2024\/034","article-title":"How (not) to hash into class groups of imaginary quadratic\n  fields?","author":"Istv\u00e1n Andr\u00e1s Seres","year":"2024"},{"key":"ref31:cryptoeprint:2024\/295","article-title":"An Efficient Hash Function for Imaginary Class Groups","author":"Kostas Kryptos Chalkias","year":"2024"},{"key":"ref32:CL84","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1007\/BFb0099440","article-title":"Heuristics on class groups of number fields","volume-title":"Number Theory Noordwijkerhout 1983","author":"Henri Cohen","year":"1984"},{"key":"ref33:shanks","doi-asserted-by":"publisher","first-page":"415","DOI":"10.1090\/pspum\/020\/0316385","article-title":"Class number, a theory of factorization, and genera","volume-title":"Proc. Sympos. Pure Math.","volume":"29","author":"Daniel Shanks","year":"1969"},{"key":"ref34:EPRINT:BKSW20","article-title":"A note on the low order assumption in class group of an\n  imaginary quadratic number fields","author":"Karim Belabas","year":"2020"},{"key":"ref35:akshay","doi-asserted-by":"publisher","DOI":"10.1093\/imrn\/rnm002","article-title":"Reflection principles and bounds for class group torsion","volume":"2007","author":"Jordan Ellenberg","year":"2007","journal-title":"International Mathematics Research Notices"},{"key":"ref36:JC:Coppersmith97","doi-asserted-by":"publisher","first-page":"233","DOI":"10.1007\/s001459900030","article-title":"Small Solutions to Polynomial Equations, and Low Exponent\n  RSA Vulnerabilities","volume":"10","author":"Don Coppersmith","year":"1997","journal-title":"Journal of Cryptology"},{"key":"ref37:vitalik","article-title":"STARKs, Part 3: Into the Weeds","author":"Vitalik Buterin","year":"2018"},{"key":"ref38:TSLSZ23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"530","DOI":"10.1007\/978-3-031-41181-6_29","article-title":"ZKBdf: A ZKBoo-Based Quantum-Secure Verifiable Delay\n  Function with Prover-Secret","volume-title":"Applied Cryptography and Network Security Workshops \u2013\n  ACNS satellite workshops 2023","volume":"13907","author":"Teik Guan Tan","year":"2023"},{"key":"ref39:SCN:DGMV20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1007\/978-3-030-57990-6_4","article-title":"Tight Verifiable Delay Functions","volume-title":"SCN 20: 12th International Conference on Security in\n  Communication Networks","volume":"12238","author":"Nico D\u00f6ttling","year":"2020"},{"key":"ref40:ICALP:MahSmiWu20","series-title":"LIPIcs","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ICALP.2020.83","article-title":"Can Verifiable Delay Functions Be Based on Random Oracles?","volume-title":"ICALP 2020: 47th International Colloquium on Automata,\n  Languages and Programming","volume":"168","author":"Mohammad Mahmoody","year":"2020"},{"key":"ref41:EPRINT:Shani19b","article-title":"A note on isogeny-based hybrid verifiable delay functions","author":"Barak Shani","year":"2019"},{"key":"ref42:EPRINT:AhrZum23","first-page":"1537","article-title":"DEFEND: Towards Verifiable Delay Functions from\n  Endomorphism Rings","author":"Knud Ahrens","year":"2023","journal-title":"IACR Cryptol. ePrint Arch."}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:25:34Z","timestamp":1733865934000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/1\/7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,9]]},"references-count":42,"URL":"https:\/\/doi.org\/10.62056\/av7tudhdj","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4,9]]},"assertion":[{"value":"2024-01-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-03-05","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-1-28"}}