Verifiable Delay Function (VDF)
Verifiable Delay Functions from Supersingular Isogenies and Pairings
AsiaCrypto'20
Why is a VDF ASIC OK?
Ref
1. Sequential vs parallel:
VDFs are inherently sequential
i.e. massive parallelism does not help at all (the exact opposite to PoW mining)
To give you an idea, the optimal parallel time circuit for modular multiplication (the basis for the RSA-based VDF we are considering) likely only uses a few mm^2 of die area (e.g. 3 mm^2).
2. Power consumption:
Current estimates suggest that a VDF evaluation would consume about 10 Watts.
Assuming we have 10,000 VDF evaluations at any point in time (I am expecting only ~1,000, but let’s be conservative) that would amount to 0.1 MW.
Compare this to today’s Ethereum mining which is about 2.3 GW (23,000 times more power intensive).
3. Security margins:
From the point of view of the VDF-based randomness beacon, the protocol can bake in a conservative security margin in terms of the speed advantage an attacker can have without getting any influence over the randomness.
This is the $A_{max}$ parameter defined here, and it will be carefully chosen.
4. In-protocol rewards:
For the VDF-based randomness beacon to function smoothly, I estimate in-protocol rewards to be ~$5K per day.
Over a decade that corresponds to $18.5m.
This is too low for a rational actor to build a somewhat faster proprietary ASIC to grab the in-protocol rewards.
This is especially true if a ~$20m state-of-the-art commodity VDF ASIC is built in the first place. (In terms of the upfront R&D costs, the Ethereum Foundation is looking to pool funds with Filecoin and others.)
Wesolowski VDF
https://gyazo.com/425679579525d2558f5b699494e15c00
Fiat–Shamir heuristic
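Added example (not from the original notes or from the Wesolowski paper): a toy Wesolowski VDF over an RSA group with the challenge derived by Fiat–Shamir, showing that evaluation takes T dependent squarings while verification takes two short exponentiations. The modulus, the 32-bit challenge size and all function names are assumptions chosen for illustration.

```python
import hashlib
import math

# Constructed toy modulus from two known Mersenne primes. Knowing P and Q is a
# trapdoor (reduce 2^T mod phi(N)), so a real modulus must have no known factors.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q

def is_prime(n):
    """Trial division; adequate only for the toy 32-bit challenges used here."""
    return n > 2 and n % 2 == 1 and all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def challenge(x, y, T):
    """Fiat-Shamir: hash the transcript to a prime l instead of asking a verifier."""
    ctr = 0
    while True:
        h = hashlib.sha256(f"{N}|{x}|{y}|{T}|{ctr}".encode()).digest()
        l = int.from_bytes(h[:4], "big") | 1  # force odd, then test primality
        if is_prime(l):
            return l
        ctr += 1

def evaluate(x, T):
    """y = x^(2^T) mod N via T squarings; each step needs the previous result."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y

def prove(x, y, T):
    """pi = x^floor(2^T / l), computed by bitwise long division of 2^T by l."""
    l, pi, r = challenge(x, y, T), 1, 1
    for _ in range(T):
        b, r = divmod(2 * r, l)            # next quotient bit and new remainder
        pi = pi * pi % N * pow(x, b, N) % N
    return pi

def verify(x, y, T, pi):
    """Accept iff pi^l * x^(2^T mod l) == y (mod N)."""
    l = challenge(x, y, T)
    return pow(pi, l, N) * pow(x, pow(2, T, l), N) % N == y % N

if __name__ == "__main__":
    x, T = 5, 20000
    y = evaluate(x, T)
    print("valid proof accepted:", verify(x, y, T, prove(x, y, T)))
```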
Pietrzak VDF
RSA Modulus Generation
RSA modulus construction that can support thousands of parties and offers security against an arbitrary number of corrupted parties.