Verifiable Delay Function and Its Blockchain-Related Application: A Survey

The concept of verifiable delay functions has received attention from researchers since it was first proposed in 2018. The applications of verifiable delay are also widespread in blockchain research, such as: computational timestamping, public random beacons, resource-efficient blockchains, and proofs of data replication. This paper introduces the concept of verifiable delay functions and systematically summarizes the types of verifiable delay functions. Firstly, the description and characteristics of verifiable delay functions are given, and weak verifiable delay functions, incremental verifiable delay functions, decodable verifiable delay functions, and trapdoor verifiable delay functions are introduced respectively. The construction of verifiable delay functions generally relies on two security assumptions: algebraic assumption or structural assumption. Then, the security assumptions of two different verifiable delay functions are described based on cryptography theory. Secondly, a post-quantum verifiable delay function based on super-singular isogeny is introduced. Finally, the paper summarizes the blockchain-related applications of verifiable delay functions.


Introduction
The concept of a verifiable delay function was first proposed in 2018 by Boneh et al. [1], who proposed several candidate structures for constructing verifiable delay functions and it is an important tool to add time delay in decentralized applications [2][3][4][5]. To be exact, the verifiable delay function is a function f : X → Y that takes a prescribed wall-clock time to compute, even on a parallel processor, ond outputs a unique result that can effectively output the verification. In short, even if it is evaluated on a large number of parallel processors and still requires evaluation of f in a specified number of sequential steps. Most importantly, given an input x and an output y, anyone must quickly verify the output y = f (x). That is to say, for all x ∈ X and y ∈ Y, this function f : X → Y satisfies the following requirements: The verifiable delay function is a cryptographic function that requires to be computed in T sequential steps and produces a unique, efficiently and publicly verified output [6]. Because the verifiable delay function satisfies the characteristic of sequentiality, the iterated value does depend on the order of the iterated elements. Choose the tuple (N, x, T) as the puzzle, and the verifiable delay function is defined as e := 2 T mod ϕ(N), y := x e mod N. (2) where N = p · q is an RSA modulus [7], x ∈ Z * N is a random seed, T ∈ N is time parameter and knows the group order ϕ(N) = (p − 1) · (q − 1).
Although verifiable delay functions have been roughly described in the review of verifiable delay functions published by Boneh et al. [8], the summary is not comprehensive with the emergence of more candidate structures of verifiable delay functions. In addition, the application of different kinds of verifiable delay functions in the blockchain is not explained in detail. Therefore, this paper makes a more comprehensive and detailed summary.
The verifiable delay function has several important characteristics, such as being T-sequential, uniqueness and effective verifiability, as shown in Table 1. Table 1. Characteristics of verifiable delay functions.

Characteristics
Description

T-Sequentiality
The function cannot be calculated in a sequential steps less than T to obtain the final result, even given a large amount of parallelism.

Uniqueness
For the input of any verifiable delay functions, only one unique output result shall pass the inspection. Meanwhile, it is necessary to ensure that the probability of the verifier passes the verification because of the proof, but the output result is not the correct result is negligible.

Effective verifiability
The calculation results can be efficiently verified so that the honest party can calculate.
The remainder of this paper is organized as follows. Section 2 introduces the descriptions of verifiable delay functions. Section 3 describes verifiable delay functions based on various algebraic assumptions. In Section 4, verifiable delay functions based on various structural assumptions are introduced in detail. Section 5 the postquantum-secure verifiable delay function. Section 6 describes applications of verifiable delay functions combined with blockchain. Section 7 gives a summary.

Descriptions of Verifiable Delay Functions
The concept of the verifiable delay function first proposed by Boneh and Fisch. The verifiable delay function requires a specified number of sequential steps to evaluate and will produce a function with a unique output that can be validated effectively and publicly. Next, a triple of algorithm (Setup, Eval, Verify) of verifiable delay functions are described as follows [9]. The algorithm flow is shown in Figure 1 and the different types of verifiable delay functions are described in Table 2. Setup(λ, T) → pp = (ek, vk) is a randomized algorithm that takes a delay parameter T and a security parameter λ as input and outputs public parameters pp composed of the evaluation key ek and the verification key vk. Because Setup algorithm is limited by security parameter λ, the running time cannot be too long. In addition, Setup algorithm usually needs a secret random as a parameter to ensure meaningful security, so it is difficult to avoid that the scheme needs a trusted setup to select the random.

Classification Description
Weak verifiable delay functions The function cannot be calculated in a sequential steps less than T to obtain the final result, even given a large amount of parallelism.

Incremental verifiable delay functions
All verifiable delay functions need to require the Eval algorithm to be completed in at least T steps. If the delay parameter T is not uniquely determined in the Setup algorithm, but is allowed to be determined in the Eval algorithm, then the verifiable delay function can be called as incremental verifiable delay function.

Decodable verifiable delay functions
For any verifiable delay function scheme, as long as a random input element x can be obtained from the output value y in reverse, the verifiable delay function can be called a decodable verifiable delay function. Another output value π for the proof is empty.

Trapdoor verifiable delay functions
If there is an algorithm that enables the party who knows a certain secret key value sk to calculate the output value of the verifiable delay function through the Eval algorithm too quickly, then the function is a trapdoor verifiable delay function.
Eval(ek, x) → (y, π) is a slow cryptographic algorithm that takes the evaluation key ek and a random seed x ∈ X as input and outputs a y ∈ Y together with a possibly empty proof π. To ensure sequentiality, Eval must run in time T with no more than a polynomial logarithm of T parallel processors.
Veri f y(vk, x, y, π) → {accept, reject} is a deterministic cryptographic algorithm, in which the algorithm inputs verification key vk, random seed x, outputs y and proof π. If f (x) = y, output accept; Otherwise output reject. Veri f y is much faster than Eval and it must run in total time polynomial in log(T) and λ.

Weak Verifiable Delay Functions
Definition 1. (Weak verifiable delay functions.) The system V = (Setup, Eval, Veri f y) is a weak verifiable delay function if the verifiable delay function allows Eval to achieve O(T) parallelism. (T 2 , o(T))-sequentiality can only be meaningful for a weak verifiable delay function if Eval is allowed strictly less that T − o(T) on fewer than T 2 parallel processors, otherwise the honest computation of Eval would require more parallelism than even the adversary is allowed.
The weak verifiable delay function can be constructed based on the existence of degree T injective rational maps [10] that cannot be inverted faster than computing polynomial greatest common denominators of degree T polynomials.
Injective rational maps. Define the reverse problem of an injective rational map F = ( f 1 , . . . , f m ) on algebraic sets Y ⊆ F n q to X ⊆ F m q , where each f i : F n q → F q is a rational function in F q ( X 1 , . . . , X n ), for i = {1, . . . , m}. An algebraic set Y is the set of vanish points of some set of polynomial S.
Boneh et. al. abstract weak verifiable delay functions from an injective rational map. First, let F: F n q → F q be a rational function that is an injective map from Y to X := F(Y ). At the same time, X is required to be efficiently sampleable and F can be evaluated efficiently for all y ∈ Y. If you need to use the injective rational map function F in the verifiable delay function, you must guarantee |X | > λT 3 to prevent brute force attacks, where a delay parameter T and a security parameter λ as input to the Setup algorithm.
Verifiable delay functions construct a weak verifiable delay function by function family F := (q, F, X , Y ) λ,T with a security parameter λ and a delay parameter T as input parameters.
Setup(λ, T) → pp = ((q, F), (q, F)) is a randomized algorithm that takes a delay parameter T and a security parameter λ as input and choose a (q, F, X , Y ) ∈ F , then outputs public parameters pp composed of the (q, F).
Eval((q, F), x ) → (y , π) is a slow cryptographic algorithm that takes the (q, F) and a random seed x ∈ X ⊆ F m q as input and compute a y ∈ Y together with a possibly empty proof π.
Veri f y((q, F), x , y , π) → {accept, reject} is a deterministic cryptographic algorithm, in which the algorithm inputs (q, F), random seed x , outputs y and proof π. If F(x ) = y , output accept; Otherwise output reject.
In order to ensure that the solution y is unique, F is required to be injective on Y.

Incremental Verifiable Delay Functions
Definition 2. (Incremental verifiable delay functions.) The system V = (Setup, Eval, Veri f y) is a incremental verifiable delay function if the time parameter T of the verifiable delay function is not uniquely determined and is allowed to be determined in the output π of Eval, which does not generate additional proofs.
Since the verifiable delay function is a sequential function [11], Boneh et. al. propose the use of tight incremental verifiable computation to construct an incremental verifiable delay function construction. Next, here's how to build an incremental verifiable delay function with a tight incremental verifiable computation.
Incremental verifiable computation was first proposed by Valiant [12]. After that, Bitansky et al. [13] applied it to distributed computions and to other proof systems. The incremental verifiable computation is to guarantee that the prover can generate a proof that a certain state is indeed the current state of the computation at every incremental step of the computation. The proof is updated after every step of the computation to produce a new proof. Iterative sequence functions can be implemented via tight incremental verifiable computation, which captures the primitives required by verifiable delay functions.
Let f λ : N × X → X be an interated sequential function with round function g λ having (T, )-sequentiality. An incremental verifiable computation system for an interated sequential function f λ is polynomial time algorithm (IVCGen, IVCProve, IVCVeri f y) that satisfy completeness, succinctness and soundness. Completeness.
Soundness. The soundness satisfied by the incremental verifiable computation is sub-exponential soundness. For all algorithm A running in time 2 o(λ) .

Pr
IVCVeri f y y(vk, x, y, k, π) = Yes (vk, ek) Next, we introduce the verifiable delay function construction based on tight incremental verifiable computation. Let a family f λ , where each f λ , N × X λ → X λ is defined by f λ (k, x) = g k λ (x). Here g λ is a (T, )-sequential function on an efficiently sampleable domain of size O(2 λ ).
Setup(λ, T) → pp = ((ek, k), vk) is a randomized algorithm that takes a delay parameter T and a security parameter λ as input and outputs public parameters pp composed of the evaluation key ek, a largest integer k and the verification key vk. Generate (ek, vk) by running IVCGen(λ, f λ ).
Eval((ek, k), x) → (y, π) is a slow cryptographic algorithm that takes the evaluation key ek, a largest integer k and a random seed x as input and runs IVCProve(ek, k, x), and outputs a y together with a possibly empty proof π.
Since T is fixed in the public parameters pp. However, it is also possible to directly assign the T to Eval algorithm. Therefore, a tight incremental verifiable computation based the verifiable delay function is an incremental verifiable delay function.

Decodable Verifiable Delay Functions
Definition 3. (Decodable verifiable delay functions.) The system V = (Setup, Eval, Veri f y) is a decodable verifiable delay function if there is an algorithm in the verifiable delay function that can decode input x backwards from output y. If the decoding is efficient then no additional proof π is required [14].
Using a slow and easy to verify function with exponentiation [15] based calculations in a finite group can be constructed a decodable verifiable delay function. Boneh et al. propose a simple exponentiation-based decodable verifiable delay functions with bounded pre-computation. However, the adversary cannot run a long pre-computation between the time the public parameter pp is exposed and the time that the verifiable delay function is computed.
Next, we introduce a decodable verifiable delay function based on an exponentiation in a finite group. Let L = {ι 1 , ι 2 , . . . , ι T } be the first T odd promes, namely ι 1 = 3, ι 2 = 5, etc. Let P be the product of the primes in L, namely P : is a randomized algorithm that takes a delay parameter T, a security parameter λ and a preprocessing security parameter b as input and outputs public parameters pp composed of the evaluation key ek and the verification key vk.
In algorithm Setup, let a integer module N multiplicative group G := (Z/N N) * and a random hash function H : Z → G. The algorithm needs to compute h i ← H(i) ∈ G, for i ∈ {1, 2, . . . , b = 2 30 } then compute g i := h 1/P i . It outputs the evaluation key ek := (G, H, g 1 , g 2 , . . . , g b ) and the verification key vk := (G, H).
Eval(ek, x) → y is a slow cryptographic algorithm that takes the evaluation key ek and a random seed x as input and outputs a y.
In algorithm Eval, using random hash function to map a random seed x to a size of λ random subset L x ⊆ L and random subset S x of λ values in {1, 2 . . . , b = 2 30 }. At the same time, let P x be the product of all prime numbers in L x . Let g be g := Π i∈S x g i ∈ G and the seed solution y is simply y ← g P/P x ∈ G.
Veri f y(vk, x, y, π) → {accept, reject} is a deterministic cryptographic algorithm, in which the algorithm inputs verification key vk, random seed x, outputs y and proof π. If f (x) = y, output accept; Otherwise output reject.
In algorithm Veri f y, let h be h := Π i∈S x H(i) ∈ G and if and only if y P x = h ∈ G, where P x and S x are calculated by the algorithm Eval(ek, x).
The preprocessing parameter b in an exponentiation-based the decodable verifiable delay function ensures the security of the construction. The construction requires a trusted setup [16,17], but can be eliminated by choosing a random number large enough.

Trapdoor Verifiable Delay Functions
Definition 4. (Trapdoor verifiable delay functions.) The system V = (Keygen, Trapdoor, Eval, Veri f y) is a trapdoor verifiable delay function if there is a secret key sk that can quickly get the output of Eval through the input of Eval. In other words, the trapdoor verifiable delay function can bypass the delay parameter to quickly calculate the result through the trapdoor [18].
Given a pair of Alice's public-secret keys (pk, sk), where pk is Alice's public key and sk is the secret key. Alice is able to quickly evaluate trap [19,20] functions Trapdoor sk on x with a secret key sk. Let T be an implicit time function about the security parameter λ and x be a piece of data. Except for Alice, everyone else can only compute the public evaluation function Eval pk with the public key pk in T-sequential steps and the calculation is slow, but the result between Eval pk and Trapdoor sk is equal. A trapdoor verifiable delay function comsists of four algorihtm (Keygen, Trapdoor, Eval, Veri f y).
Genkey(λ) → (pk, sk) is a key generation algorithm that takes a security parameter λ as input and outputs Alice's public key pk and the secret key sk. Meanwhile, Alice's public key is publicly valid, and the secret key is known only to Alice herself.
Trapdoor sk (x, T) → (y, π) is a slow cryptographic algorithm that takes an implicit time function T about the security parameter λ and a piece of data x as input, and uses the secret key sk to output y together with a possibly empty proof π. The function T is a sequence of sequential steps required to compute the same output y without knowledge of the secret key sk.
Eval pk (x, T) → (y , π ) is a slow cryptographic algorithm to evaluate the function on x using only the public key pk. It produces an output y associated with y and a possibly empty proof π . This procedure is meant to be infeasible in time less than T (this will be expressed precisely in the security requirements).
Veri f y(x, T, y, π) → {accept, reject} is a deterministic cryptographic algorithm to verify if y is indeed the correct output for x, associated with the public key pk and the evaluation time T, possibly with the help of the proof π.
The time delay T is a function of the security parameter λ and T is an input to each algorithm, so the security parameter λ is implicitly an input to each of these procedures. Generate a public-secret key pair (pk, sk) through the key generation algorithm Genkey. Given a piece of data x and time delay parameter T, let Trapdoor sk (x, T) → (y, π) and Eval pk (x, T) → (y , π ). If y = y and Veri f y(x, T, y, π) = Veri f y(x, T, y , π ) output accept; Otherwise output reject.

Construction Based on Finite Abelian Groups of Unknown Order
Verifiable delay functions can be constructed by showing Rivests-Shamir-Wagner (RSW) when the time-lock puzzle [21,22] is publicly verifiable. To be precise, giving a statistically sound public-coin protocol [23] to prove that a tuple (T, N, x, y) satisfies y = x t (modN) verifiers do not know the decomposition of N and its running time is mainly to solve the puzzle, where the time t = 2 T is a power of two. This construction solves an instance of the time-lock puzzle, and computes a proof of correctness, which allows anyone to efficiently verify the result.
Pietrzak [24] proposed a verifiable delay function based on finite abelian groups [25,26] of unknown order consisting of four algorithm (Setup, Genkey, Sloth, Veri f y).
Setup(1 λ ) → N inputs the statistical security parameter 1 λ output N, where the λ defines another security parameter λ RSA specifying the bitlength of an λ RSA modulus and N is the single λ RSA bit RSA modulus of public parameters. The N := p · q is composed of two λ RSA /2-bit secure prime numbers p and q randomly selected by the Setup algorithm.
Define QR N def = {z 2 modN : z ∈ Z * N } as quadratic residues and the signed quadratic residues [27] are the group QR + def = {|x| : x ∈ QR N }. In a verifiable delay function, calculating . Because |QR N | = |Z * N |/4, the probability that a random number in is also in QR N is 1/4. Therefore, if one can break the assumption with probability over QR N , the assumption can also be broken over Z * N with probability /4. Then, they uses (QR N , ·) instead of (QR + N , •) in the proof. This approach can make the proof more efficient because the multiplication mod N in QR N is more convenient and simpler than the • operation in QR + N .
Since (QR N , ·) and (QR + , •) are isomorphic, it is proved (QR N , ·) means (QR + , •) has the same security. Let random number x ∈ QR N and y = x 2 T modN in (QR N , ·), and x = |x| and y = (x = |y| in (QR + N , •), where y = |y| and y = |y | −1 , and y ∈ y , N − y . Although it is not certain whether y = y or y = N − y , y has a 1/2 probability of getting the correct value. This shows that given an algorithm that calculates x 2 T in QR + N with probability in time T, it is possible to obtain an algorithm that calculates x 2 T in QR + N in time when time T and probability /2 are essentially the same.
Sloth(N, (x, T)) → (y, π) is a slow algorithm that takes the N and a random seed x and time delay parameter T as input and outputs a y together with π, where y = x 2 T is the solution of the RSW time-lock puzzle in QR + N and π = {u i } i ∈ [T] is a possibly empty proof that y has been correctly evaluated. It is derived by applying the Fiat-Shamir heuristic [28,29] to the protocol.
Veri f y(N, (x, T), (y, π)) → {accept, reject} is a deterministic cryptographic algorithm to verify if x, y and all u i are in QR + N . If these are not the case output reject. Otherwise, all x i and y i should be calculated, and y T+1 ? = x 2 T+1 should be judged. If all the above are satisfied, output accept.

Construction Based on Elliptic Curve Cryptography
De Feo et al. [30] designed a new verifiable delay function using isogenic and bilinear pairs [31,32] of super-singular elliptic curves [33], and this framework is non-interactive in nature, the output can be effectively verified without additional proofs. Before describing this structure, let's introduce some basic factors of super-singular curves, pairings and isogenies.
Elliptic curves on finite fields are described in detail in [34][35][36] and their use in cryptography is described in detail in [37][38][39]. In addition, the ideal class group of quadratic imaginary fields are explained in [40] and the maximal orders of quaternion algebras are introduced in [41,42].
Let C be an elliptic curve defined over a finite field F q characterized by p and the order of C(F q ) is #C(F q ) = q + 1 − L, where L is the trace of the Frobenius endomorphism π. If and only when p divided L, the curve can be called a super-singular elliptic curve. Each super-singular curve is isomorphic to the curve defined on F p 2 , and for the fixed prime number p, there are only a finite number of super-singular curves until isomorphism.
Weil pairing [43] e N : C[N] × C[N] → µ N with bilinear pairs is defined on supersingular curves are used to describe verifiable delay functions. That pairing needs to be satisfied the compatibility condition e N (ϕ(P), Q) = e N (P,φ(Q)) for any isogeny ϕ : C → C and points P ∈ C[N], Q ∈ C [N].
Verifiable delay functions from super-singular curves. Let X 1 , X 2 , Y 1 , Y 2 , G be groups of prime order N. Let e X : X 1 × X 2 → G and e Y : Y 1 × Y 2 → G be non degenerate bilinear pairings, where a pair of bijections ϕ : X 1 → Y 1 andφ : Y 2 → X 2 and ϕ andφ are group isomorphisms. Let g be any generator of X 1 and (N, X 1 , X 2 , Y 1 , Y 2 , G, e X , e Y , g, ϕ(g)) be the public parameters. The verifiable delay function is the mapφ and the maps ϕ,φ are also part of the public parameters. To verify the output, one checks that e X (g,φ(Q)) = e Y (ϕ(g), Q), where Q ∈ Y 1 is the point at which Eval calculates the value.
De Feo et al. propose verifiable delay functions for super-singular curves over prime field F p and F p 2 , using super-singular elliptic curves for the pairing groups, and isogenies of prime power degree for the maps ϕ,φ. Next, we mainly introduce verifiable delay functions with super-singular curves over a prime field F p .
Let p be prime so that p + 1 contains the larger prime factor N. Let degree l = 2, p = 7mod8 or a small prime such that ( −p l ) = 1. Take the super-singular elliptic curve C/F p , and denote by e N (·, ·) the Weil pairing on C[N].
Setup(λ, T) → (ek, vk) = (φ, (C, C , g, ϕ(g))) is a randomized algorithm that takes a delay parameter T and a security parameter λ as input. First, a super-singular curve C/F p needs to be chosen and a direction needs to be chosen on the horizontal l-isogeny graph to compute a cyclic isogeny ϕ : C → C of degree l T and its dualφ in this algorithm. Next, the algorithm chooses a generator g of X 1 = v −1 (C[N] ∩C(F p ))) and compute ϕ(g), where µ ∈ F p is a non quadratic residue andC is a quadratic twist of C. Finally, the algorithm outputs public parameters (ek, vk) = (φ, (C, C , g, ϕ(g))), where (ek, vk) composed of the evaluation key ek and the verification key vk, and (φ, (C, C , g, ϕ(g))) composed of the map ϕ, the cyclic isogeny C → C , generator of X 1 and the map ϕ(g) of generator g.
Eval(φ, Q ∈ Y 1 ) →φ(Q) is a slow cryptographic algorithm that takes the mapφ and a point Q ∈ Y 1 as input and outputsφ(Q).

Verifiable Delay Functions Based on Structural Assumptions
Ephraim et al. design continuous verifiable delay functions based on a high arity tree [44], where each intermediate state of the computation can be verified and proofs of the computation can be efficiently merged. It is a verifiable delay function based on the assumption of tree structure constructed on the basis of the repeated square [45] assumption. The continuous verifiable delay function only depends on the Fiat-Shamir heuristic for a constant round proof system. Next, we introduce continuous verifiable delay functions based on high arity trees.
First, the computational steps correspond to a specific traversal of a (k + 1)-ary tree of height h = log B k . Each node in the (k + 1)-ary tree is related to a statement (x, y, T, π) of the underlying verifiable delay functions, where the output value y = x 2 T and the possible empty proof π are the corresponding proofs of correctness. If x is the node's input, the difficulty T = k h−l is determined by its height in (k + 1)-ary tree and l is root node.
Next, they define a tree structure. Starting from the root node with input x 0 and difficulty T = k h , divide the tree structure into k segments x 1 , x 2 , . . . , x k similar to the verifiable delay functions structure. In a tree-based verifiable delay functions structure, only calculating the input x of a leaf node from the previous state can guarantee that each step of calculation corresponds to the calculation of a single leaf's statement.
Before introducing continuous verifiable delay functions, let's review unique verifiable delay functions. Next, the interactive proof that language L N,B corresponding to repeated squares is transformed into unique verifiable delay functions by using the Fiat-Shamir heuristic, where L N,B = (x 0 , y, T) : A unique verifiable delay function is composed of the following four algorithm (uVDF.Gen, uVDF.Sample, uVDF.Eval, uVDF.Veri f y).
uVDF.Gen(1 λ ) → pp = (N, B, k, d, hash) is a randomized algorithm that takes a statistical security parameter 1 λ as input and outputs public parameters pp composed of the RSA modulus N, the upper bound B, the arity k, a constant d and a hash function hash, where hash ← H, k = λ and B = B(λ).
uVDF.Sample(1 λ , pp) → x 0 takes a statistical security parameter 1 λ and the public parameters pp and sample and output a random element x 0 ← Z * N such that gcd(x 0 ± 1, N) = 1 and x 0 = |x 0 |.
uVDF.Eval(1 λ , pp, (x 0 , T)) → (y, π) is a slow cryptographic algorithm that takes a statistical security parameter 1 λ , the public parameters pp, a random element x 0 and the time delay parameter T as input and outputs a y together with a possibly empty proof π.
uVDF.Veri f y(1 λ , pp, (x 0 , T), (y, π)) → {0, FS − Veri f y(pp, (x 0 , T), (y, π))} is a deterministic cryptographic algorithm. If all the above are satisfied, output accept. Otherwise, output FS − Veri f y(pp, (x 0 , T), (y, π)). The FS − Veri f y is a verification algorithm for Fiat-Shamir transformations defined on the protocol for language L N,B relative to some hash family H. For details of the algorithm, see [46]. Then, we review the definition of a continuous verifiable delay function and describe it in detail.
At a high level, the continuous verifiable delay function will iteratively compute each leaf node in a (pp uVDF , d , g)-puzzle tree, where pp uVDF = (N, B, k, d, hash) are the public parameters of the underlying unique verifiable delay function and g is the starting point of the tree given by uVDF.Sample.
Next, we define a frontier. At a high level, for a leaf s, the frontier of s will correspond to the state of the continuous verifiable delay function upon reaching s. Specifically, it will contain all nodes whose values have been computed at that point, but whose parents values have not yet been computed. Definition 6. (Frontier.) For a node s in a (pp uVDF , d , g)-puzzle tree, the frontier of s, denoted f rontier(s), is the set of pairs (s , val(s )) for nodes s that are left siblings of any of the ancestors of s. We note that s is included as one of its ancestors.
Next, we review the formal details of continuous verifiable delay functions, which is a tuple (cVDF.Gen, cVDF.Sample, cVDF.Eval, cVDF.Veri f y).
cVDF.Gen(1 λ ) → pp = (pp uVDF , d , hgt) is a randomized algorithm that takes a statistical security parameter 1 λ as input and outputs public parameters pp composed of the pp uVDF = (N, B, k, d, hash), a constant d and a tree height hgt = log k (B) − d .
cVDF.Sample(1 λ , pp) → v = (g, 0 h , φ) takes a statistical security parameter 1 λ and public parameters pp as input and outputs a random element v, where g ← uVDF.Sample(1 λ , pp uVDF ) is sampled by the Sample algorithm of unique verifiable delay functions.
cVDF.Eval(1 λ , pp, v) → v takes a state v corresponding to a leaf s in the tree and computes the next state v corresponding to the next leaf. Each state v will be of the form (g, s, F), where s is the current leaf in the tree, F is the frontier of s and g is the starting point of the tree given by uVDF.Sample.
cVDF.Veri f y(1 λ , pp, (v, T), v ) → {accept, reject} verifies the state v by recursively running this verification algorithm and whether v is correct. Output accept if all the check conditions of the continuous verifiable delay function are satisfied; Otherwise output reject.
The heart of our construction is the cVDF.Eval functionality which takes a state v corresponding to a leaf s in the tree and computes the next state v corresponding to the next leaf. Each state v will be of the form (g, s, F), where s is the current leaf in the tree and F is the frontier of s. Then, cVDF.Eval(1 λ , pp, (g, s, f rontier(s)) will output (g, s + 1, f rontier(s + 1)). There are three phases of the algorithm cVDF.Eval. First, it checks that its input is well-formed. It then computes val(s) using f rontier(s), and then computes f rontier(s + 1) using both f rontier(s) and val(s).

Post-Quantum Verifiable Delay Functions
In 2021, Jorge Chavez-Saab et al. [47] researched the problem of constructing postquantum secure verifiable delay functions, especially verifiable delay functions based on super-singular isogeny. They propose an arithmetic structure specifically for homologous settings using succinct non-interacting arguments (SNARGs) [48] to achieve good asymptotic efficiency. This isogeny-based verifiable delay functions has the advantages of post-quantum security [49], quasi-logarithmic verification, and does not require a trusted setup. Since the Eval algorithm for postquantum verifiable delay functions involves isogeny walks on super-singular elliptic curves that can be publicly verified through a SNARG-based verification process. Formally, a verifiable delay function is composed of three main algorithm: Setup(λ, T) → pp = (ek, vk) takes a delay parameter T and a security parameter λ as input and outputs public parameters pp composed of the evaluation key ek and the verification key vk.
Eval(ek, x) → (y, π) takes the evaluation key ek and a certain input x as input and calculates an output y and a possibly empty proof π.
The function involves computing walks of length T in the 2-isogeny graph of supersingular curves on F p 2 , where p 2 ≡ 9mod16 (which is required to apply Kong's square root algorithm [50]) and p = poly(T). Given a time delay parameter T, and the evaluator needs to compute a walk of length T on the 2-isogeny graph, where the exact path is determined by a string s and the path is not backtracking. Given the two v-invariant curves v i and v i+1 , they are 2-isogenous over F p 2 if and only if the modular polynomial Φ(v i , v i+1 ) vanishes. For a fixed v i the next curve in the path can be calculated by finding the root of and focus on finding the roots of the quadratic factor. After the square root is calculated, the evaluator selects the symbol using the input string, resulting in a definite traversal process.
Veri f y(vk, x, y, π) → {accept, reject} inputs verification key vk, a certain input x, a output y and a proof π. If f (x) = y, output accept; Otherwise output reject.
Since the postquantum verifiable delay functions is constructed over SNARG, a deterministic process and a fixed symbol are required for the SNARG verification process. For the validation process, the evaluator keeps track the results of the evaluation and construct an SNARG, and the values resulting from the evaluation process must be satisfied.
De-Feo et al. proposed a new verifiable delay function framework based on the assumption of elliptic curve cryptography, and instantiated this framework using supersingular elliptic curves and bilinear pairs. The structure of this verifiable delay function is non-interactive in nature, and the output can be effectively verified without additional proofs. However, the only secure way to instantiate a verifiable delay function requires a trusted setup to perform a random isogeny traversal. In fact, this setup needs to start with super-singular elliptic curves with unknown autohomomorphic rings. In order to explain how to implement the proposed verifiable delay function on elliptic curves with commutative self-homomorphic rings, Shani later used the idea of verifiable delay functions based on isogeny and pairing proposed by De-Feo et al. to construct developed a verifiable delay function based on isogeny without pairing. The scheme is a combination of a timelock puzzle and a trapdoor verifiable delay function.
However, neither scheme is quantum secure. Thus, Chavez-Saab et al. studied the problem of constructing post-quantum secure verifiable delay functions, especially verifiable delay functions based on super-singular isogeny. They propose an arithmetic structure specifically for homologous settings using SNARGs to achieve good asymptotic efficiency. This isogeny-based verifiable delay function has the advantages of post-quantum security, quasi-logarithmic verification, and does not require a trusted setup.
This verifiable delay function construction finds codomain curves, which are computed from any three-point evaluation, so the problem in the verifiable delay function setting could be regarded as a general problem. The precomputation time allowed in the setting is given before learning the isogeny to be evaluated, suggesting that this verifiable delay function construction uses a different isogeny for each input. This verifiable delay function relies on a very weak assumption, so it is more secure. Starting from a public curve means we do not need a trusted setup. Next, we analyze two security properties of postquantum verifiable delay functions based on super-singular elliptic curves: sequentiality and soundness.
Sequentiality. Any protocol that does not prescribe isogeny walk in some way is insecure in terms of sequentiality. The evaluator can be asked to provide SNARG proof of any large degree of isogeny and consider this to be a good proof of sequentiality even if the output is not unique. However, if the evaluator is free to choose the path, this does not constitute a proof of sequential computation. The sequentiality of post-quantum verifiable delay functions relies on isogeny shortcut problem of De Feo et al.. If no pair of random algorithms A 0 (running in total time poly(T, λ)) and A 1 (running in parallel time less than T) can win the following sequential game with non-negligible probability, then the postquantum verifiable delay functions based on super-singular elliptic curves is sequential. The Setup must use secret randomness to choose the starting curve, and the Setup is left with choosing isogeny and generators, both of which can use public randomness. Furthermore, A 0 allows for poly(T) computations, so it can compute isogeny on generators. Therefore, setting aside the choice of starting curve, the Setup can be absorbed into A 0 , which proves that the verifiable delay function of the post-quantum is sequential Soundness. The soundness of post-quantum verifiable delay functions based on super-singular elliptic curves completely depends on the SNARG proofs. Succinctness and non-interactiveness are achieved by generating SNARG through a transform that acts on any probabilistic checkable proofs. As long as the hash function is collision-resistant, it is straightforward to prove that the soundness of the structure reduces to the soundness of the original probabilistic checkable proofs. Therefore, the post-quantum verifiable delay functions construction based on super-singular elliptic curves is sufficiently soundness.

Verifiable Delay Functions Applications
With the proposal of more and more verifiable delay function schemes, the application of verifiable delay function in distributed systems is also well known. Next, as shown in Figure 2, this paper introduces several particularly important applications. In Table 3, the blockchain-related applications of verifiable delay functions are described. Computational Timestamping. Almost all know proof-of-stake [51] systems face the problem of long-range attack [52]. In a proof-of-stake protocol, a group of stakeholders has voting rights proportional to their stake at any time. Assume that the majority of stakeholders have no reason to break the system, since the stakeholders themselves are incentivized. However, when too many stakeholders sell their stake, they can collude to create a new longer system to replace history. An external timestamp mechanism [53] can prove to the user that the true history of the system is much older.
Incremental verifiable delay functions can provide computational evidence that a given version of the state system is older by proving that long-running verifiable delay function computations has been performed on the true history after divergence from the fraud history. This has the potential to detect long-range attack without relying on external timestamping mechanisms. In 2019, Landerreche et al. [54] presented the first treatment of non-interactive publicly verifiable timestamping schemes and a secure timestamping scheme based on a verifiable delay function is proved. The timestamping scheme [55] consists of sequence of verifiable delay function proofs linked to each other by a cryptographic hash function, modeled as a sequence of random oracles. Add verifiable delay functions to the sequence to increase the structure, thus preserving the safety guarantees of the structure. Table 3. Blockchain-related applications of verifiable delay functions.

Applications Solution Purpose
Timestamping A verifiable delay function is equivalent to a proof of the passage of time, with the input and output of a verifiable delay function on-chain to prove the history of a given block.
Mitigating long-range attacks.

Randomness Beacon
The time delay parameter T of the verifiable delay function is set long enough, and the latest block header is used as part of the input in the verifiable delay function, and the final output is the random beacon result.
Enhancing the security of public verifiable random numbers.

Permissionless Consensus
Combine proofs-of-resource with incremental verifiable delay functions and use the product of resource proved and delay induced as a measure of blockchain quality.
Solving nothing-at-stake attacks.

Proof of Replication
Decodable verifiable delay functions generate multiple puzzles, and then the solutions of these puzzles are combined with all replicas to generate new replicas.
Preventing dynamic generation of replicas.
Public Randomness Beacons. Verifiable delay functions are useful for methods of obtaining random numbers from public sources. For example, constructing public randomness beacons [56] from stock prices, election audit or proof-of-work blockchains [57]. In the stock market, a strong enough stock trader can change the random output of stock prices by influencing the market trend, which greatly affects the fairness of the stock market [58]. The verifiable delay function can increase the security of public verifiable nonces by adding a long enough delay to calculate the beacon, which helps ensure that malicious traders do not have enough time to adjust the market. In a proof-of-work blockchain's computational puzzle solving, miners continuously mine and publish puzzles for monetary rewards. However, similarly powerful enough stock traders may manipulate stock prices, sufficiently powerful miners may manipulate beacon results by refusing to publish blocks [59] that produce unfavorable beacon outputs.
In addition, the verifiable delay function can also add some random beacon schemes involving multiple parties. For example, in "commit-and-reveal" [60], the attacker can wait until the end of the reveal phase to decide whether to reveal his or her commitment. If the following three conditions are met: discard the commit phase; integrate everyone's input at the end of the protocol and put it into the verifiable delay function instead of directly as the result of a random number; set the time parameter T long enough and later than the deadline for the last submission; then even the last-minute submitter has no way of knowing the result of the random number.
Resource Efficient Blockchains. When the blockchain [61] is forked, the consensus participants will choose to mortgage assets on different forked chains to participate in the block generation for their own interests, so that the forked chain may always exist and there will be more and more forks. Seriously endanger the consistency of the system and the consumption of resources. However, resource-efficient mining suffers from nothing-atstake attacks. Intuitively, since mining is not computationally expensive, miners can easily try to produce many individual forks.
To prevent nothing-at-stake attacks [62], random beacons are used to select a new leader at intervals. At the same time, a verifiable delay function can also be used to increase the security of random beacons in the consensus protocol that uses random beacons to select a new leader. Most of the random number schemes used by these protocols remain secure only when there is a majority of honest participants. Utilizing a verifiable delay function can improve the participation of any honest party.
In addition to the electoral scheme, Cohen proposes to combine proof of resources [63] with an incremental verifiable delay function and use the product of proven resources and induced delay as a measure of blockchain [64,65] quality. This scheme prevents nothingat-stake attacks by simulating the proof-of-work mining process. The timing of mining blocks is unpredictable, and each miner competes with each other to be the first to mine a block. The difference from the proof-of-work [66] is that this scheme does not actually need to consume too much time resources for parallel computing, and only has certain space resources when entering mining.
Proof of Data Replication. Proof of data replication [67][68][69] is a special type of proof of storage of data that allows a client to verify that it has a unique replica of some data stored on an untrusted server, even if the data is readily available from a public storage source. Proof of data replication is meant to prove that the server has a replica of the data, not that it owns the data. Boneh et al. proposed to provide a publicly verifiable solution using a decodable verifiable delay function that is asymmetric in time. The decodable verifiable delay function prevents the server from dynamically computing the client's replica when challenged to prove that it correctly stored a replica of the data.
Gritti proposes a publicly verifiable proof of data replication scheme using verifiable delayed functions, and explains the scheme in detail along with a security proof. Given a unique replicator identifier id. Then the server divides the file into b-bit sized file blocks Bi and calculate B id = B i (i||id) where H is a collision-resistant hash function H : {0, 1} → {0, 1} b and i ∈ {1, . . . , n}. The output value y i can be obtained by taking the calculated B id as part of the Eval algorithm input of the decodable verifiable delay function. The server stores all y i and the client continuously randomly selects i to challenge the server to return y i . If the server can respond to the corresponding result to the client within the specified time and the client can obtain B i by decoding y i in a very short time to complete the verification. If the server does not respond to the client correctly, y i must be calculated in T steps, but this calculation cannot be completed within the specified time.
Verifiable delay functions are widely used in blockchains. However, verifiable delay functions based on finite groups of unknown order are insecure against an adversary with access to a quantum computer. Quantum computers can easily compute the order of a group using Shor's algorithm, making it easy to break the application of verifiable delay functions in blockchains. In addition, the post-quantum secure verifiable delay function based on supersingular elliptic curves needs to be verified by SNARG, and the structure is in its infancy and can only be limited to the field of elliptic curves. Therefore, it is an open problem to develop a verifiable delay function that has a simple structure in quantum computers and can be safely applied to blockchain.

Conclusions and Perspectives
Verifiable delay function is a basic and important tool in the field of cryptography, and it has been widely used in distributed systems. This article firstly introduces the types of verifiable delay functions, and describes the construction schemes of different kinds of verifiable delay functions in detail. Secondly, in the algebraic assumption scheme, verifiable delay function schemes based on finite abelian groups of unknown order and super-singular elliptic curve cryptography scheme are introduced respectively, both of which are not quantum secure. Thirdly, the unique verifiable delay functions and the continuous verifiable delay functions based on tree-structure assumptions are introduced. The continuous verifiable delay function achieves effective verification of the output of each intermediate iteration through continuous iteration, and can efficiently incorporate proofs of final computation. Fourthly, this paper presents a postquantum secure verifiable delay function scheme based on super-singular isogeny, And the security analysis of the verifiable delay function is carried out. Finally, the application of verifiable delay function in different aspects of the blockchain is summarized.
Verifiable delay functions have been extensively studied, and the research results obtained cover various branches of verifiable delay function research. However, the application of the verifiable delay function in the existing research results has not been fully integrated into the blockchain, and the application in the blockchain still needs further research. We hope that this work will stimulate new practical applications of verifiable delay functions in blockchains and continue to investigate theoretically optimal verifiable delay function constructions in the future.