Nakamoto Consensus with Verifiable Delay Puzzle

by   Jieyi Long, et al.
Theta Labs

This technical report summarizes our work-in-progress on a new consensus protocol based on verifiable delay function. First, we introduce the concept of verifiable delay puzzle (VDP), which resembles the hashing puzzle used in the PoW mechanism but can only be solved sequentially. We then present a VDP implementation based on Pietrzak's verifiable delay function. Further, we show that VDP can be combined with the Nakamoto consensus in a proof-of-stake protocol. We analyze the safety and liveness of the protocol, and show that compared to PoW, our proposal consumes much less energy; compared to BFT based consensus algorithms which usually place an upper limit on the number of consensus nodes, our proposal is much more scalable and can thus achieve a higher level of decentralization.



There are no comments yet.


page 1

page 2

page 3

page 4


Analysis of the XRP Ledger Consensus Protocol

The XRP Ledger Consensus Protocol is a previously developed consensus pr...

SklCoin: Toward a Scalable Proof-of-Stake and Collective Signature Based Consensus Protocol for Strong Consistency in Blockchain

The proof-of-work consensus protocol suffers from two main limitations: ...

A Blockchain Consensus Protocol Based on Dedicated Time-Memory-Data Trade-Off

A problem of developing the consensus protocols in public blockchain sys...

Verification of Eventual Consensus in Synod Using a Failure-Aware Actor Model

Successfully attaining consensus in the absence of a centralized coordin...

ProPoS: A Probabilistic Proof-of-Stake Protocol

We present ProPoS, a Proof-of-Stake protocol dedicated, but not limited,...

Scalable BFT Consensus Mechanism Through Aggregated Signature Gossip

In this paper, we present a new BFT consensus mechanism which enables th...

Selfish Behavior in the Tezos Proof-of-Stake Protocol

Proof-of-Stake consensus protocols give rise to complex modeling challen...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Since the debut of Bitcoin [20] in 2009, the energy consumption of its proof-of-work

(PoW) consensus protocol has been growing at a stunning pace. It is estimated that the electricity demand of Bitcoin has already surpassed that of a small country such as Denmark. This has motivated researchers to investigate alternative consensus protocols that are more energy efficient and environmentally friendly. Among different replacement candidates, the

proof-of-stake (PoS) mechanism has attracted widespread attention [3, 13, 6, 9, 17, 7, 18]

. Instead of spending intensive computational resources on solving hashing puzzles, PoS protocols typically run a computational inexpensive process to pseudorandomly select the next block proposer, where the probability that a node is selected is proportional to the stake it possesses.

There are two major camps in PoS mechanism design. The first is the chain-based PoS which simulates the PoW process for leader election. While this approach is energy-efficient, some of the early works suffer from attacks such as “nothing-at-stake” or “long range” attack since the cost for simulating PoW is minimal [7, 8]. Later protocols including Ouroboros address such concerns [18]. However, the leader election in Ouroboros employs a secure multi-party computation based coin-tossing scheme that incurs a relatively large overhead. This scalability bottleneck is addressed in Ouroboros Praos [14] via a more efficient leader election scheme. A recent improvement, Ouroboros Genesis [2] further allows offline parties to safely bootstrap the blockchain when they come back online. The second type of design stems from the traditional Byzantine Fault Tolerant (BFT) research [19, 16, 15, 10]. Algorithms such as Tendermint, Casper FFG, Algorand, HotStuff fall into this category [6, 7, 17, 1]. The BFT based approaches usually have proven mathematical properties. For example, under the assumption that more than 2/3 stake are held by honest participants, the safety property can typically be guaranteed even with an asynchronous network [10]. Moreover, in the BFT based algorithms, the aforementioned attacks can be mitigated with the “slashing condition” introduced by the Casper FFG [7]. However, these algorithms are more complicated to implement compared to the chain-based alternative. More importantly, due to communication complexity, BFT based algorithms are less scalable. Typically they only allow a relatively small number (usually less than 100) of nodes to participate in the consensus process, which limits the level of decentralization, making them less attractive for permissionless public chains.

A question thus arises: Can we design a consensus mechanism that combines the benefits of the two approaches while avoids the shortcomings? To be more specific, our goal is to design a simple chain-based protocol that allows mass participation in the consensus process and yet has low energy consumption. In the paper we will present a new protocol based on the concept of verifiable delay puzzle (VDP), which can hopefully achieve these goals. In this framework, VDP resembles the hashing puzzle used in the PoW schemes but can only be solved sequentially. Our VDP construction is based on recent advancements of the verifiable delay functions (VDF) research [4, 22, 23, 5]. VDF is a type of function that requires a specified number of sequential steps to evaluate, and produces a unique output that can be publicly and efficiently verified [4]. At the first glance, such difficult-to-evaluate but easy-to-verify asymmetry is very similar to the PoW hashing puzzle, making VDF a perfect drop-in replacement for the PoW hashing puzzle. However, different from the hashing puzzle, a VDF function in its original form has no randomness. Given the same input, a VDF function always outputs the same result regardless of who computes it. To fully emulate the hashing puzzle, unpredictability needs to be somehow injected into the VDF to create the lottery effect for block proposer election. Later in the paper, we will show how this can be achieved by our verifiable delay puzzle constructions.

1.0.1 Our contributions.

Aside from introducing the concept of VDP, we also make the following novel contributions:

  • We present a VDP implementation based on Pietrzak’s verifiable delay function construction [22].

  • We incorporate the VDP into the Nakamoto consensus in a PoS blockchain. To create the lottery effect, we propose to leverage the verifiable random function (VRF) to pseudorandomly assign different verifiable delay puzzles to the nodes competing to propose the next block. The parameters of the puzzle for a new block are fully determined by the private key of the node and the parent block. As a result, each node could take a different amount of time to solve its assigned puzzle instance, and thus randomness arises. On the other hand, the combination of VDP and VRF makes it very efficient for other nodes to verify that a node has indeed solved its assigned puzzle instance.

  • We analyze the safety and liveness properties of the proposed consensus mechanism as well as its energy efficiency. In addition, we discuss the potential attack vectors and show how our protocol can mitigate these threats.

  • One of the challenges to employ VDP in consensus algorithms is that different implementations of VDP solver (e.g. ASIC vs. CPU based) might have significantly different speed solving the same VDP. Such speed difference could introduce unwanted bias. We propose a protocol improvement in the Appendix that can effectively eliminate the bias.

1.0.2 Related works.

We note that there are other attempts to incorporate VDF in consensus protocols, including using VDF for creating random beacons, and for validator shuffling in blockchain sharding. Among these works, a protocol called Chia proposed by Cohen et al., combines proofs-of-space with VDF [12, 11]. In their proposal, a miner can generate a proof which demonstrates that it has access to a certain amount of disk space. The miner then maps the space proof to a random integer in a way that a larger disk space has a higher likelihood to generate a smaller . The miner then evaluates VDF for iterations. The first miner that successfully computes the VDF can broadcast its block. Similar to our proposal, this process mimics the random delay weighted by the disk space possessed. However, since is explicitly calculated, a miner might be reluctant to compute the VDF if its is too large or could perform some kinds of grinding attack with this information. This could weaken the security of the system. In contrast, in our VDP based approach, a node cannot estimate the time to solve the assigned delay puzzle until it actually solves it, which is more similar to the hashing puzzle in PoW. Furthermore, our approach is based on proof-of-stake instead of proof-of-space, which does not require the time-consuming storage setup phase. Proof-of-stake also has less moving parts and thus is simpler to analyze and implement. One common challenge faced by both approaches though, is that different VDF solver implementation might have vastly different speed computing the same VDF. A node with a much faster VDF implementation (e.g. ASIC) could have great advantage compared to other nodes. While Chia has been actively working on open sourcing VDF implementations to bring everyone on par111Chia VDF competition, to the best of our knowledge, their current framework does not address this issue at the protocol level. In the Appendix, we will propose a protocol modification that can effectively reduce the advantage of faster VDF solvers.

2 Verifiable Delay Puzzle

In this section we introduce the concept of verifiable delay puzzle, and present a construction based on Pietrzak’s verifiable delay function.

Definition 1

A Verifiable Delay Puzzle (VDP) asks for an integer that satisfies inequality , where is a function that maps a non-negative integer to another integer, such that

  • Sequentiality: Any algorithm takes at least sequential steps to solve the puzzle, even on a parallel computer with a polynomial number of processors.

  • Efficient verifiability: Along with , the puzzle solution should also contain a proof , with which anyone can verify that efficiently, i.e., in steps.

One interesting aspect of this definition is that since is not available before solving the puzzle, the number of steps needed to solve the puzzle is unknown before the puzzle is solved. This property is crucial for creating an unbiased lottery effect for leader election, and to prevent grinding attacks.

2.0.1 VDP construction based on Pietrzak’s VDF.

Pietrzak and Wesolowski separately proposed two simple VDF constructions based on repeated squaring [22, 23]. A VDP can be constructed based on either approach. Here we present a VDP based on Pietrzak’s VDF [22]. We define the puzzle as follows: Given input and a constant , find solution , such that


Here is a hash function acting as a random oracle as in Pietrzak’s VDF [22]. And the constant is a threshold which controls the difficulty of the puzzle. is a one-way hash function which maps its input to a non-negative integer. To see why this is a verifiable delay puzzle, first we note that since is required to be a part of the solution, solving this VDP involves explicitly calculating the value and generating which proves that . If is the smallest integer that satisfies and , then solving the puzzle takes sequential steps, since it is at least as hard as computing Pietrzak’s VDF [22]. On the other hand, to check if a tuple is indeed the solution to the VDP, any third party just needs to verify 1) proves , and 2) . This verification can be done in steps, which is obviously in [22]. Thus, this construction conforms to our definition of a verifiable delay puzzle.

3 Nakamoto Consensus with VDP

For simplicity, let us first consider a blockchain with a fixed set of validators who are eligible to propose new blocks. For now we also assume that every validator node has the same speed computing verifiable delay functions. Later in the paper we will extend our discussion to the more general settings.

With these assumptions, we propose to use VDP to create the “lottery effect” to pseudorandomly select one of the validators to propose the next block. To inject randomness, we note that in Formula (1) the VDP takes an input . With different values of , the amount of time needed to solve the VDP varies. This is where the randomness can come from. In particular, we can leverage the verifiable random function (VRF) [17] to pseudorandomly determine the for each validator. As formulated in Formula (3), a VRF typically takes a private key of a node and a as input, and uniquely generates a pseudorandom random value and the corresponding proof . The proof enables anyone that knows the node’s public key to check that indeed corresponds to the , without having to know the private key .

Figure 1: Validators compete to solve VDPs. Each validator node is assigned a VDP instance fully determined by the value recorded in the parent block and the private key of the node. The VDP solution tuple is embedded in the header of the blocks.

Assume the block at the tail end of the chain has height as shown in Fig. 1. Validator wants to propose a block for height . To do this it first needs to solve the following VDP instance:


In Formula , is the private key of validator . We note that the VRF takes as the seed. It is the value in the VDP solution for the parent block at height . The VRF generates , which is then used as the input for the VDP in Formula . We note that since each validator node has its own private key , the pseudorandom value generated by Formula (4) is unique for each validator. Thus, each validator needs to solve a different VDP instance specified by Formula (5) which could require a different number of steps. This is where the randomness arises. Moreover, it is worth pointing out the seed does not depend on the content of the block (i.e. the transactions included in the block). This means for a validator, if it has decided to “mine” on top of a block, the VDP instance it needs to solve is fully determined. Hence, a validator node can not grind by changing the transactions included in a block to gain extra advantages.

Similar to Bitcoin, in our protocol, to propose the next block, a validator needs to first solve its VDP. Fig.1 illustrates the process where the validators compete to solve VDPs. Once the assigned VDP is solved, a validator can broadcast its block. The header of the new block should contain . As soon as a node receives a new block, it should first verify against the block proposer’s public key and seed . This is to confirm whether the block proposer was indeed solving the VDP instance assigned by the VRF. If the check is passed, the node then verifies the VDF puzzle solution . If both checks are passed, and all the transactions contained in the block are valid, the validator can append this block to its local chain.

The incentive structure is similar to Bitcoin. Each block comes with block reward for the block proposer in the form of newly minted tokens. Also each transaction might carry a certain amount of fees that the block proposer can collect.

To resolve forks, we adopt the Nakamoto longest chain rule. Bitcoin requires a number of block confirmations (typically 6 confirmations) to ensure a transaction is safe. In addition to that, we impose another rule. For a block be considered safe, we also require its longest descendant chain to be at least

blocks longer (e.g. ) than any other chain that forks before the block. Fig. 2 below illustrates this rule. We will call a block settled if both conditions are met.

Figure 2: The block settlement rules. All the gray blocks are considered settled since both criteria are satisfied. However, although there are already 6 blocks after Block , it is not settled since forks before and is only 4 blocks shorter than the main chain.

3.0.1 Permissionless blockchain.

Now we can extend the discussion to a permissionless proof-of-stake blockchain where any node can become a validator after putting down some stake. To be more specific, to become a validator, first a node needs to generate a private/public key pair , and then stake a certain number of tokens to its public key. To prevent sybil attack and also to avoid power concentration, we place a lower limit and upper limit on the amount of tokens that can be staked by a validator. For example, can be set to of the total token supply so the system can accommodate up to validators. We also require the staked tokens to be frozen for a significant amount of time (e.g. at least four weeks) before they can be unlocked. To account for the stake difference, we scale the right-hand side of Formula by the stake of the validator. This way the expected amount of time for a validator to solve a VDP is inversely proportional to its stake. Formula and thus becomes:


The complete puzzle for the permissionless chain case for a validator node with private key and stake can be rewritten as:


With this protocol enhancement, any user with sufficient amount of stake () can run a validator node. Compared to BFT based consensus which usually poses a relatively low limit on the number of validator nodes, this approach is as scalable as Bitcoin, and can thus achieve a much higher level of decentralization.

3.0.2 VDP solver speed variation.

One challenge in practice though, is that different VDP solver implementations might have vastly different speeds. A faster VDP solver could give a node advantage over others. For example, it can be shown that equipping with a solver twice as fast as others is equivalent to having doubled amount of stake. Thus, the amount of speed weighted stake of a validator is proportional to the probability of it being the first node to solve the VDP for the next block. In the remainder of this paper, we will assume the VDP solvers of all validators have the same speed. However, in the Appendix we will explore protocol level changes to address the solver speed variation.

4 Protocol Analysis

4.0.1 System model.

Before diving into the protocol analysis, we first list our assumptions of the system.

  • Validator model: We assume that the 3/4 super majority of the total stakes are controlled by honest validator nodes that execute the protocol as prescribed. We do not assume a direct message channel between all pairs of validators. Messages between them might need to be routed through other nodes, some of which could be byzantine nodes.

  • Timing model: We assume the “weak synchrony” model [15]. The network can be asynchronous, or even partitioned for a bounded period of time. Between the asynchronous periods there is a sufficient amount of time where all message transmissions between two directly connected validator nodes arrive within a known time bound. As we will discuss later in the paper, during the asynchronous period, forks might emerge. However, during the synchronous phase, forks will converge and liveness can be achieved eventually.

  • Attacker model: We assume powerful attackers. They can corrupt a number of targeted nodes, but can control less than 1/4 of the total stakes. They can manipulate the network at a large scale, and can even partition the network but only for a bounded period of time. However, they are computationally bounded. For instance, they cannot forge fake signatures, and cannot invert cryptographic hashes. Also, in this section, we assume the attackers can compute the VDF no faster than the honest parties, but they can have an unlimited number of VDP solvers running in parallel.

4.0.2 Safety analysis.

Safety in our protocol means that once is a block is settled, the probability that it can be reverted is negligible as the chain grows. As mentioned earlier in the paper, a block is settled when 1) there are at least blocks added after it, and 2) its longest descendant chain is at least blocks longer than any other chain that forks before the block. One way to revert a settled block is to launch the so-called “long-range” attack, i.e. to create a fork on the blockchain starting before a settled block and overtake the main chain.

To see why our protocol is immune to the long-range attack, first we note that it is not possible for the adversary to solve VDPs for consecutive blocks on the same chain in parallel, since in Formula (7), the parameter of a block depends on the VDP solution of its parent block. For example, say the adversary wants to fork the chain from block height 1000. He needs to solve the VDP instances for height 1001, 1002, 1003, …, and so on. Due to the seed dependency, these VDP instances can only be solved sequentially even if he has extra VDP solvers. Thus, with only up to 1/4 of the total stake, using the Chernoff bound, it is easy to prove that a single malicious validator node has little chance to secretly create a fork longer than the main chain.

Figure 3: Breadth-first-search to find the fastest growing fork. Assume the adversary controls two validators and , and has many VDP solvers. He can expand the “search tree” and identify the fastest growing branch (marked in gray). All the VDPs at the same tree depth can be solved in parallel.

A more subtle approach, is to control multiple validators and perform a “breadth-first-search” to find a fork that can outgrow the main chain. This approach is illustrated in Fig. 3. In this example the adversary controls two validators, and has a large number of VDP solvers available. At height , the adversary can create two forks, each by one valiator. Then at height , he creates four forks, two from each fork at height . Such forks expand into a binary tree structure. The adversary then picks the fastest growing fork and publish it if it is longer than the main chain. Cohen et al. has analyzed a similar case in the context of the Chia protocol. Using similar techniques, we can show that if an adversary extends all the tree branches, he can at most gain an advantage factor of as if his stake is increased by times [11]. From this result it is not difficult to calculate that as long as the honest parties control more than of the total stake, with overwhelming probability, the main chain always grows the faster than other forks. Recall that we require the honest parties own more than 3/4 () of the total stake. Hence, the attackers has negligible chance to revert a settled block and double-spend any coin.

This result also implies that without owning more than of the total stake, investing in VDP solvers brings no return. Hence, unlike Bitcoin, our protocol can disincentive users from trapping into the hashing power arms race, and is therefore much more energy efficient while can attain a high degree of decentralization.

4.0.3 Liveness analysis.

Liveness in our protocol means the chain can keep growing and forks can be resolved eventually. First, in our protocol, since the honest nodes only extend the main chain, it is obvious that there are always new blocks get appended to the longest chain. Thus there is at least one chain grows indefinitely. On the other hand, we could have multiple forks when more than one validators solve the assigned VDPs at almost the same time, or due to network asynchrony/partition. An adversary might try to extend on all (or at least many) known forks in parallel, to hedge its bets across all chains that might eventually become the main chain (i.e., the winning chain). This is also called the “nothing-at-stake” attack in the literature. This is due to one important difference between the PoW hashing puzzle and our proposed VDP. In a PoW system, when there are forks, if a miner mines on multiple branches, its hashing power will be divided. And as a result, it will has less hashing power on the longest chain, which reduces its probability to mine the next block. In our case though, if a validator node has extra computing power, it could mine on multiple forks without slowing down its VDP solver on the longest chain. An adversary can gain unfair advantage by attempting to secretly extend all forks and then reveal a fork if it is longer than the main chain. However, as we have shown in the safety analysis, even if the adversary extends all possible forks with the “breadth-first-search” attack, he still has negligible chance to produce a chain longer than the main chain. Thus forks can be resolved eventually. Therefore, the liveness can be guaranteed with arbitrarily high probability.

5 Conclusions and Future Works

In this paper we introduced the concept of verifiable delay puzzle and proposed a new PoS consensus protocol built on top of it. It has the advantage of low energy consumption and can scale to accommodate tens of thousands of validators nodes.

However, we also recognize there are large room for improvement. In particular, the current design requires 3/4 of the stakes are controlled by honest parties. We believe this bound can be reduced significantly, and we are actively working on protocol changes to achieve that. With these changes we can also relax the honest requirement to account for economically rational validators which might deviate from the protocol to maximize their profits. We believe with the protocol changes, similar to Ouroboros [18] and SpaceMint [21] we can prove that the honest strategy is a Nash equilibrium so rational nodes will simply follow the protocol.


  • [1] I. Abraham, G. Gueta, and D. Malkhi (2018) Hot-stuff the linear, optimal-resilience, one-message BFT devil. CoRR abs/1803.05069. External Links: Link, 1803.05069 Cited by: §1.
  • [2] C. Badertscher, P. Gazi, A. Kiayias, A. Russell, and V. Zikas (2018) Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. Note: Cryptology ePrint Archive, Report 2018/378 Cited by: §1.
  • [3] I. Bentov, A. Gabizon, and A. Mizrahi (2014) Cryptocurrencies without proof of work. CoRR abs/1406.5694. External Links: Link, 1406.5694 Cited by: §1.
  • [4] D. Boneh, J. Bonneau, B. Bünz, and B. Fisch (2018) Verifiable delay functions. In Annual International Cryptology Conference, pp. 757–788. Cited by: §1.
  • [5] D. Boneh, B. Bünz, and B. Fisch (2018) A survey of two verifiable delay functions. Note: Cryptology ePrint Archive, Report 2018/712 Cited by: §1.
  • [6] E. Buchman, J. Kwon, and Z. Milosevic (2018) The latest gossip on BFT consensus. CoRR abs/1807.04938. External Links: Link, 1807.04938 Cited by: §1, §1.
  • [7] V. Buterin and V. Griffith (2017) Casper the friendly finality gadget. CoRR abs/1710.09437. External Links: Link, 1710.09437 Cited by: §1, §1.
  • [8] V. Buterin (2014) Long-range attacks: the serious problem with adaptive proof of work. Note: Cited by: §1.
  • [9] V. Buterin (2016) Ethereum proof of stake faq. Note: Cited by: §1.
  • [10] M. Castro and B. Liskov (1999) Practical byzantine fault tolerance. In Proceedings of the Third Symposium on Operating Systems Design and Implementation, OSDI ’99, Berkeley, CA, USA, pp. 173–186. External Links: ISBN 1-880446-39-1, Link Cited by: §1.
  • [11] B. Cohen and K. Pietrzak (2019) The chia network blockchain. Note: Cited by: §1.0.2, §4.0.2.
  • [12] B. Cohen (2017) Proofs of space and time - removing waste. Note: Blockchain Protocol Analysis and Security Engineering Cited by: §1.0.2.
  • [13] P. Daian, R. Pass, and E. Shi (2016) Snow white: provably secure proofs of stake. Note: Cryptology ePrint Archive, Report 2016/919 Cited by: §1.
  • [14] B. David, P. Gaži, A. Kiayias, and A. Russell (2017) Ouroboros praos: an adaptively-secure, semi-synchronous proof-of-stake protocol. Note: Cryptology ePrint Archive, Report 2017/573 Cited by: §1.
  • [15] C. Dwork, N. Lynch, and L. Stockmeyer (1988-04) Consensus in the presence of partial synchrony. J. ACM 35 (2), pp. 288–323. External Links: ISSN 0004-5411, Link, Document Cited by: §1, 2nd item.
  • [16] M. J. Fischer, N. A. Lynch, and M. S. Paterson (1985-04) Impossibility of distributed consensus with one faulty process. J. ACM 32 (2), pp. 374–382. External Links: ISSN 0004-5411, Link, Document Cited by: §1.
  • [17] Y. Gilad, R. Hemo, S. Micali, G. Vlachos, and N. Zeldovich (2017) Algorand: scaling byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles, pp. 51–68. Cited by: §1, §1, §3.
  • [18] A. Kiayias, A. Russell, B. David, and R. Oliynykov” (2017) Ouroboros: a provably secure proof-of-stake blockchain protocol. In Advances in Cryptology – CRYPTO 2017, J. Katz and H. Shacham” (Eds.), Cham, pp. 357–388. External Links: ISBN 978-3-319-63688-7 Cited by: §1, §1, §5.
  • [19] L. Lamport, R. Shostak, and M. Pease (1982-07) The byzantine generals problem. ACM Trans. Program. Lang. Syst. 4 (3), pp. 382–401. External Links: ISSN 0164-0925, Link, Document Cited by: §1.
  • [20] S. Nakamoto (2008) Bitcoin: a peer-to-peer electronic cash system. Cited by: §1.
  • [21] S. Park, K. Pietrzak, A. Kwon, J. Alwen, G. Fuchsbauer, and P. Gazi (2018) Spacemint: a cryptocurrency based on proofs of space. Financial Cryptography and Data Security. Cited by: §5.
  • [22] K. Pietrzak (2018) Simple verifiable delay functions. Note: Cryptology ePrint Archive, Report 2018/627 Cited by: 1st item, §1, §2.0.1, §2.0.1.
  • [23] B. Wesolowski (2018) Efficient verifiable delay functions. Note: Cryptology ePrint Archive, Report 2018/623 Cited by: §1, §2.0.1.

Appendix A Handling VDP Solver Speed Variation

One challenge we need to tackle in practice is that different VDP solver implementations might have vastly different speed. For example, an ASIC based implementation could be 20 times faster than a CPU based software solver. If a node’s stake multiplied by its speed advantage overwhelms all the other nodes, it can easily pull ahead of the majority, despite of the randomness created by the VDP. To address this issue, Chia has been actively arranging open-source design competitions to hopefully make the fastest possible implementations available to the public. However, in addition to these efforts, we argue that it is important to address the issue at the protocol level.

In this section, we will present a protocol modification that can eliminate the solver speed advantages. For simplicity, below we only discuss the case where all the validators have the same amount of stake. The more general cases can be analyzed similarly. In addtion, we assume the following idealized setting so we can focus on the core problems:

  • At least 3/4 of all validators are honest.

  • At least 2/3 of all honest validators are online at any time.

  • There is no difficulty resets, i.e. the value in Formula (2) remains a constant as the chain grows.

Recall that in the current design, as soon as an honest validator node sees a valid block for the same height it is working on, it simply gives up and switches to mine on top of this new block. Such a rule bias towards validators with fast VDP solvers. To put all the validators back on the same playground, we notice that the value (i.e. the number of sequential steps required to solve the VDP) in the solution of the VDP puzzle is independent of the solver speed. If the protocol elects the block proposer based on the value instead of the puzzle solving time, the probability that a node is elected as the block proposer can be decoupled from the VDP solver speed.

With this insight, we propose the following modification. A validator should solve its assigned VDP by trying . While it iterates through these values, another validator might have already solved its VDP for the same block height and proposed block . The header of contains the VDP solution . When validator receives this block, it compares with the value it is currently evaluating. If , then clearly the solution of the VDP assigned to validator is larger than . Validator should just discontinue his effort solving the VDP and instead accept block . Otherwise, it continues to solve its VDP until the solution is found or a timeout reached. In the special case where all the validators have the same VDP solver, this modified protocol is equivalent to the design discussed earlier in the paper.

We note that with this change, the longest chain rule no longer applies. This is because a validator with a fast VDP solver can still have advantage in generating longer chains. Instead, we resolve the forks by the chain score. First let us define the block score, which can be used as the building block for defining the chain score. Intuitively, given two blocks, the one with a smaller value in the VDP solution should have a higher block score. Thus, we can define the block score for a block at height as below. A block with a higher block score is more preferable.


Here is the VDP solution stored in the block header. is the expected minimum number of steps that one of the validator solves its VDP at height , assuming half of all validators compete to solve the VDPs. If we model the VDP solving as a Poisson process, it can be calculated by


where is the threshold in Formula (2), is the range of the hash function , and is the number of registered validators at height . The intuition behind this definition is that if less than 1/4 of the nodes are malicious, even if all of them collude, on average the expected minimal value generated by the malicious nodes should be smaller than with high probability. Thus, the blocks generated by them are likely to have negative block scores. Hence, it is useless for the malicious nodes to generate a long chain with fast VDF puzzle solvers. In contrast, notice earlier we have assumed at least 2/3 of the honest validators are online at any time. This essentially assures that at least half of the nodes () are actively extending the main chain. Thus, the expectation of on the main chain is at least . As a result, the expected score of the blocks on the main chain is positive.

The chain score can thus be simply defined as the sum of the block score:


Here is the total number of blocks on the chain. A chain with a higher score will be favored by the honest nodes.

We will omit the detailed analysis of this protocol modification in this version of the technical report. However, it is worth pointing out that an adversary with a very fast VDP solver might be able to generate a longer fork than the main chain. However, with overwhelming probability, this longer fork will have lower chain score than the main chain if the adversary controls less than 1/4 of the total stake. This is because without sufficient amount of stake, in his fork, highly likely the block score is negative for each block. Thus, an adversary should have negligible chance to revert the main chain by performing either the “nothing-at-stake” or “long range” attack.