Readme remove mentions of verifiable delay functions

[glambeth]

"In Solana, we use a far more granular verifiable delay function, a SHA 256 hash chain, to checkpoint the ledger and coordinate consensus."

A SHA 256 hash chain isn't a VDF as is takes the same amount to time to verify as it does to compute. Ben Fisch (https://eprint.iacr.org/2018/601) even mentions this in his BPASE talk at Stanford.

Am I missing something? A SHA 256 hash chain seems closer to a proof of sequential work.

[aeyakovenko]

A looping sha 266 takes n time but n/cores to verify

[garious]

Here's the code:
https://github.com/solana-labs/solana/blob/master/src/ledger.rs#L25

The thing that makes it a VDF is periodically outputting a hash so that the verification of each segment can be computed in parallel.

[glambeth]

Ah, I see. I missed this. Thanks :)

[aeyakovenko]

@glambeth so the reason for picking sha256 over something more exotic is that we don't really care about the verification/creation time ratio that much. But we really care about the potential of an ASIC speedup of creation time between different participants in the network. With SHA256, we feel that the best case ASIC + cooling attack will be under 5x-10x faster, which gives us a reasonable bound on denial of service attacks to the consensus mechanism.

[bbuenz]

@garious that still doesn't make it a VDF by the definitions of https://eprint.iacr.org/2018/601.
Definition 1 states: Verify must run in total time poly(log(t)) where t is the time it takes to evaluated. Total time roughly means total cpu time spent.

[aeyakovenko]

They formalized their definition after us ;). We can swap in other VDFs instead of sha256, the recorder is agnostic of the kind used. Our main concerns are: trustless setup, preimage resistance, low asic speed up for generation. And not so much the asymmetry between generation and validation.

[aeyakovenko]

This is a more general definition

‘’’

1 What is a Verifiable Delay Function?
A verifiable delay function (VDF) [12, 3] is a function f : X → Y that takes a prescribed time to compute, even on a parallel computer. However once computed, the output can be quickly verified by anyone. Moreover, every input x ∈ X must have a unique valid output y ∈ Y.
‘’’
http://crypto.stanford.edu/~dabo/papers/VDFsurvey.pdf

[garious]

Hi @bbuenz, what we have is a delay function that's verified much faster than the time it takes to create it. What would you recommend we call such a thing?

[bbuenz]

Feel free to call it whatever you like. If you ask me, I would call it a delay function, proof of delay[http://www.jbonneau.com/doc/BGB17-IEEESB-proof_of_delay_ethereum.pdf] or iterated sequential function (see definition in our paper). You can always split up the computation and verify in parallel that is not a particular property of sha256. I don't know your particular application but perhaps you should take a look at Sloth[https://eprint.iacr.org/2015/366.pdf] or Sloth++[https://eprint.iacr.org/2018/601.pdf] (if you want to have the option to more easily turn it into a full VDF later). Sloth is similar to a hash chain but has the property that evaluating it in the reverse direction is faster than in the forward direction. It is simple enough that it should be easy to optimize if you are worried about an adversary being able to compute it much faster. Of course another intriguing option are the Wesolowski[https://eprint.iacr.org/2018/623] and Pietrzak[https://eprint.iacr.org/2018/627.pdf] vdfs that have great evaluation/verification tradeoffs but require groups of unknown order which are probably a bit harder to properly optimize.

[Ctree35]

PoH is more likely an industrial thing instead of an academic thing since you will need many GPU cores to accelerate verification, which makes the creation and verification time measured on different metrics. For the scientific definition of VDF firstly proposed by Stanford, I strongly suggest that Solana should remove this term in their doc to avoid further confusion (or if they just want to sound "advanced"?).