The VDF Model Clause Samples

The VDF Model. Our work introduces the VDF model as a refinement of the common PoW model to replace trusted setups and protect against ▇▇▇▇▇ attacks in permissionless consensus. Similar to the PoW model, we assume that the adversary only controls less than 1/2 of a computational resource to invest in producing proofs of computation. In contrast to the PoW model, however, we require a lower bound on the time it takes to create such proofs. This differs from the PoW model, where proofs can be computed almost arbitrarily fast, given sufficient parallel resources. We believe that the VDF model is a realistic alternative for the PoW model. Indeed, there exists various different constructions of VDFs [Wes19,Pie19a,FMPS19] that leverage inherently sequential computation, and are used (or envisioned to be used) by blockchain projects for their consensus protocol (albeit not as an anti ▇▇▇▇▇ countermeasure as in our work). Examples include Chia, which relies on VDFs for leader election [CP19], and ETH 2.0, which plans to leverage VDFs for constructing a random beacon [But13]. To make our model more realistic, we follow Wan et al. [WXDS20], and allow the adversary a small speedup in evaluating the VDF compared to the honest parties. Let us describe our model with a concrete example. Suppose that the total amount computational power (over all protocol participants) over a fixed time period of length t is 1000 VDF evaluations. Then, we demand that the total number of proofs produced by the adversary be at most 500 in the same time span. This is similar to the case of PoW model, where it is assumed that the majority of computational power belongs to honest parties. As mentioned above, we additionally give the adversary a small speedup, meaning that it can compute proofs a little bit faster than the honest parties. The VDFδ Oracle. We now explain our formalization of the VDF model in some more detail. At the center of our model, we introduce the oracle VDFδ, which parties can query on an input s to obtain one evaluation ϕ of the VDF after δ time. Thus, δ denotes the difficulty parameter, specifying the number of sequential steps to be computed for one VDF evaluation. To make the model more realistic, we allow corrupted parties a κ-speedup κ (where κ ≥ 1), meaning that they can obtain an output from VDFδ after δ/κ time. An adversary in our model controls some q number of parties, where each party has κ-speed- up. For some i > 1, let us discuss how many proofs an adversary is able to co...