VDF Based POS (Shower Thought)


I was thinking about different approaches to POS and came up with something (maybe) interesting last night. All the stuff about using VDFs for RNG has got me thinking about their utility recently.

If you have N validators which each have

  1. Staked some amount of eth (min staking required)
  2. A VDF

where the VDF takes time $t$ to evaluate (requires an ASIC) and time $\ll t$ to validate (does not require an ASIC), and the block time is $\approx t$.

At the beginning of the block creation session…

  1. Each Validator gathers up transactions from non-validator nodes, forming their own blocks. Previous block hash must be included in this block.
  2. These blocks are then hashed/signed with the validator key and then run through the VDF.
  3. The VDF outputs are then all collected by all validators, VDF outputs are arranged into a big block sorted by order with the previous block hash. Blocks are verified. Consensus is reached. Validators ensure no illegal transactions are present.
  4. Slashing conditions apply. Validators are paid out based on their staked eth.
  5. GOTO step 1

It’s similar to POW, but instead of the resource being power it’s time. In order to fabricate a blockchain of higher merit you would need time T to build from block height B.

$T = t \cdot B$

For a 51% attack you need 51% of all the validators' eth, and if you were to pull it off, the chain would probably just fork your wealth away.

Anyways, just a shower thought… might be interesting to some people, might not be. Digging the TeX formatting in this forum 🙂
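The block-creation session described in the post above, as an added example that is not part of the original post: a toy Python simulation with three validators and a sloth-style square-root VDF (one modular exponentiation per forward step, one modular squaring per backward check, so verifying an output is far cheaper than producing it, which is the asymmetry the post relies on). Assumptions that are not in the post: an HMAC over the block hash stands in for the validator signature (a real design uses public-key signatures so verifiers never hold the key), proposals in the big block are ordered by VDF output, an "illegal" transaction is a non-positive or overdrawn transfer, and sloth's bit-mixing permutation is reduced to a single bit flip. The VDF is for illustration only, not a production construction.

```python
import hashlib
import hmac
import json

# ---- Toy sloth-style VDF (Lenstra & Wesolowski's sqrt chain) --------------------
# Forward: bit-mix, then one modular square root = one full modular exponentiation.
# Backward: undo the root with ONE modular squaring, so checking an output costs
# roughly log2(P) times less than producing it.
P = 2**127 - 1          # Mersenne prime with P % 4 == 3, so x^((P+1)/4) is a square root
SQRT_EXP = (P + 1) // 4


def mix(x: int) -> int:
    """Non-algebraic mixing between roots (real sloth flips many bits). An
    involution on [0, P) for this P, which is all ones in binary."""
    return x ^ 1 if (x ^ 1) < P else x


def sloth_forward(x: int) -> int:
    """One sequential step: residues map to their even root, non-residues to the
    odd root of -x, so the output's parity records which case applied."""
    x = mix(x)
    r = pow(x, SQRT_EXP, P)
    if r * r % P == x:                      # x is a quadratic residue
        return r if r % 2 == 0 else P - r
    return r if r % 2 == 1 else P - r       # r is a root of -x


def sloth_backward(y: int) -> int:
    """Undo one step with a single squaring (the cheap direction)."""
    x = y * y % P if y % 2 == 0 else (P - y * y % P) % P
    return mix(x)


def vdf_eval(seed: int, steps: int) -> int:
    x = seed % P
    for _ in range(steps):
        x = sloth_forward(x)
    return x


def vdf_verify(seed: int, steps: int, output: int) -> bool:
    x = output
    for _ in range(steps):
        x = sloth_backward(x)
    return x == seed % P


# ---- The block-creation session (constructed validators and transactions) -------
STEPS = 20               # VDF length; the post's block time t is how long these take
MIN_STAKE = 32
VALIDATORS = {"alice": (32, b"alice-key"), "bob": (64, b"bob-key"), "carol": (32, b"carol-key")}
BALANCES = {"u1": 10, "u2": 5, "u3": 0}


def block_hash(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def sign(name: str, h: str) -> str:
    """HMAC stand-in for the validator signature (assumption, see lead-in)."""
    return hmac.new(VALIDATORS[name][1], h.encode(), hashlib.sha256).hexdigest()


def vdf_seed(h: str, sig: str) -> int:
    return int.from_bytes(hashlib.sha256((h + sig).encode()).digest(), "big") % P


def propose(name: str, prev_hash: str, txs: list) -> dict:
    """Steps 1-2: build a block on prev_hash, hash and sign it, run it through the VDF."""
    if VALIDATORS[name][0] < MIN_STAKE:
        raise ValueError("below minimum stake")
    block = {"prev_hash": prev_hash, "validator": name, "txs": txs}
    h = block_hash(block)
    sig = sign(name, h)
    return {"block": block, "hash": h, "sig": sig, "vdf_out": vdf_eval(vdf_seed(h, sig), STEPS)}


def check_proposal(p: dict, prev_hash: str, balances: dict) -> bool:
    """Step 3 checks each validator runs on every collected proposal: parent link,
    block hash, signature, VDF output (cheap direction), no illegal transactions."""
    name = p["block"]["validator"]
    if name not in VALIDATORS or p["block"]["prev_hash"] != prev_hash:
        return False
    if block_hash(p["block"]) != p["hash"] or not hmac.compare_digest(sign(name, p["hash"]), p["sig"]):
        return False
    if not vdf_verify(vdf_seed(p["hash"], p["sig"]), STEPS, p["vdf_out"]):
        return False
    return all(tx["amount"] > 0 and balances.get(tx["from"], 0) >= tx["amount"]
               for tx in p["block"]["txs"])


def big_block(prev_hash: str, proposals: list, balances: dict) -> dict:
    """Step 3: keep the valid proposals, order them (assumed: by VDF output), commit."""
    valid = sorted((p for p in proposals if check_proposal(p, prev_hash, balances)),
                   key=lambda p: p["vdf_out"])
    outs = [(p["block"]["validator"], p["vdf_out"]) for p in valid]
    return {"prev_hash": prev_hash, "proposals": outs,
            "hash": block_hash({"prev": prev_hash, "outs": outs})}


def run_demo() -> dict:
    prev = "00" * 32
    txs = {"alice": [{"from": "u1", "to": "u2", "amount": 3}],
           "bob":   [{"from": "u2", "to": "u3", "amount": 1}],
           "carol": [{"from": "u3", "to": "u1", "amount": 7}]}    # u3 is overdrawn: illegal
    proposals = [propose(n, prev, txs[n]) for n in VALIDATORS]
    bb = big_block(prev, proposals, BALANCES)
    forged = dict(proposals[0], vdf_out=(proposals[0]["vdf_out"] + 1) % P)  # skipped the work
    stale = propose("bob", "11" * 32, txs["bob"])                            # wrong parent
    return {"included": [n for n, _ in bb["proposals"]],
            "forged_accepted": check_proposal(forged, prev, BALANCES),
            "stale_accepted": check_proposal(stale, prev, BALANCES),
            "big_block_hash": bb["hash"]}


if __name__ == "__main__":
    print(run_demo())
```

Running it includes alice's and bob's proposals in the big block, drops carol's (overdrawn transfer), and rejects both a proposal whose VDF output was altered without doing the sequential work and one built on the wrong parent hash. Because `sloth_backward` is a bijection, a wrong output always walks back to a wrong seed; there is no probabilistic acceptance.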


While VDFs are good to guarantee that some minimum amount of time has elapsed, they are not so good as a direct clocking mechanism. The reason is that an attacker could build an ASIC that is A times faster than the commodity hardware available to honest players, where A is small but still greater than 1.


Your idea sounds similar to Solana’s proof of history concept, except that Solana’s delay function is a simple iterated hash, presumably because there were no good VDF candidates at the time.

I agree with Justin. It’s interesting but I never really understood the appeal of it. What benefit(s) do you see?


Right, but if an attacker made a VDF that was marginally faster than honest players it wouldn’t really matter. They would just produce their personal block a little faster.

If an attacker made a VDF that was 2t, that means the block time would be 2t; however, the attacker would also need 51% (or some high amount) of eth to make the longest chain with the most wealth. Players with the slower VDFs would not be able to produce their blocks in time to be included in the big block.

Slower honest players would have the most wealth and the chain would basically fork itself.

Mr. fast VDF is more than welcome to validate on the “longest chain” but it’s basically an orphan.


It’s similar to POW where the older the block, the more final it becomes.


Hm what would the fork choice rule be? If one fork had a longer VDF length, and the other had more staker participation, which would the network prefer? For comparison Solana uses BFT consensus, so their fork choice rule requires 2/3 voter approval.

It seems like VDFs only add security if an honest (and online) party controls the fastest ASIC. If an attacker’s ASIC was slightly faster, forks would take longer to build, but given enough time they could still build arbitrarily long forks which pass the VDF length test.

I’m not saying the scheme would be insecure, just not sure if it would be more secure than a traditional PoS chain using Nakamoto consensus, like Cardano.


Fork choice would be some hybrid of the longest chain and most wealth. If there’s a super long chain with hardly any validators and eth, then that’s not good. If there’s a chain with 100x fewer blocks and most of the wealth, that’s not good either. So it would just be some formula for fork choice that included block height and wealth.

Chain security would be compromised if an attacker had the most wealth and the fastest ASIC. At which point it’s possible to fork away the wealth.

You don’t want to have an ASIC n times faster because then honest players won’t be able to produce their blocks fast enough, and won’t be able to fit their blocks into the big blocks in time. At which point the network would just fork and you would lose your money.

Is it not possible to just generate a fake Cardano chain longer than the mainnet chain? I know it’s impossible with POW because you would need to redo all the work.

Edit: I don’t know much about Ouroboros
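The fork-choice question raised in the replies above (height versus stake) and the worst case named in the last post (an attacker with the most wealth and the fastest ASIC), as an added example that is not from the thread. The score `height^a * stake^b` is my assumption of what "some formula that included block height and wealth" could look like, not a rule anyone in the thread proposed; the fast-ASIC attacker is the one from the earlier replies, whose fork reaches height `H * A` in the wall-clock time honest validators need for height `H` with a speedup of `A`. The chains and stake fractions are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chain:
    name: str
    height: int      # big blocks, i.e. sequential VDF evaluations of length t each
    stake: float     # fraction of all staked ETH whose validators follow this chain


def attacker_fork_height(honest_height: int, speedup: float) -> int:
    """Blocks an attacker with an ASIC `speedup` times faster than honest
    hardware can chain in the wall-clock time honest validators spend
    on `honest_height` blocks (block time t per block)."""
    return int(honest_height * speedup)


def score(chain: Chain, height_weight: float, stake_weight: float) -> float:
    """Hypothetical hybrid rule (assumption): height^a * stake^b.
    (1, 0) is pure longest-chain, (0, 1) is pure most-stake, (1, 1) weights both."""
    return chain.height ** height_weight * chain.stake ** stake_weight


def fork_choice(chains: list, height_weight: float, stake_weight: float) -> str:
    """Name of the chain the network would follow under the given weights."""
    return max(chains, key=lambda c: score(c, height_weight, stake_weight)).name


def demo() -> dict:
    # Constructed scenario: honest validators build 100 blocks while an attacker
    # holding 20% of the stake runs an ASIC 1.5x faster and chains 150 in that time.
    honest = Chain("honest", 100, 0.8)
    fast = Chain("fast-asic", attacker_fork_height(100, 1.5), 0.2)
    # The thread's worst case: the same attacker also holds most of the stake.
    honest_minority = Chain("honest", 100, 0.4)
    rich_fast = Chain("rich-fast-asic", attacker_fork_height(100, 1.5), 0.6)
    return {
        "longest_chain": fork_choice([honest, fast], 1, 0),          # fast ASIC wins
        "most_stake": fork_choice([honest, fast], 0, 1),             # honest wins
        "hybrid": fork_choice([honest, fast], 1, 1),                 # 80 vs 30: honest
        "hybrid_rich_attacker": fork_choice([honest_minority, rich_fast], 1, 1),  # 40 vs 90
    }


if __name__ == "__main__":
    print(demo())
```

Under a pure longest-chain rule the faster ASIC alone decides the fork, which is the concern raised about arbitrarily long forks; weighting stake in flips the result back to the honest chain as long as the honest side holds most of the stake, and the hybrid rule only fails once the attacker has both the faster ASIC and the larger stake, matching the condition the last post gives for compromising the chain.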