From YouTube: Towards Production VDFs - Justin Drake
So my goal is to try and bring VDFs to production. The goal of today specifically is to try and tackle some of the open academic problems that we would like to make progress on before we actually build the VDF, so the academics are not completely off the hook, but I'm also going to talk briefly about the progress that we have so far.
We shall see that one of the interesting things about VDFs is that they can be used for many different things, not just randomness, which is one of the more obvious applications, but they can be used for proof of space, proof of replication, proof of space-time; Solana is using them for proof of history. We have some people here from Injective Protocol, a decentralized exchange that wants to use them for anti-front-running, and you can also use them for fancy stuff, like expiring zero-knowledge proofs.
So you provide a zero-knowledge proof to someone, proving a statement, and they won't be able to pass that proof to another person, because it will have expired by that time; and if you use time-lock puzzles, you can also make the zero-knowledge part of the zero-knowledge proof expire. So you give someone a statement with some private data, and then an hour later they can recover the private data. You can use them for everything.
So, in terms of progress that we have made, one of the big milestones is that we have a new startup called Supranational, with Simon, who's working full-time on the VDF project management, and this is funded fifty-fifty by Protocol Labs and the Ethereum Foundation. The VDF project is quite expensive, and so we're looking to set up a more formal VDF Alliance. At the moment, it's mostly Protocol Labs and the Ethereum Foundation, but hopefully other people will join.
Another big effort is the RSA MPC. We're looking to go down the route of RSA groups, and for that we need an RSA MPC, and we want it to be scalable to hundreds of participants. So today we have the Ligero team that will be presenting, and we hope to also fund them to design an MPC that can be used to generate a 2,000-bit RSA modulus. One of the nice things is that the modulus can be used for accumulators as well. So this is a very nice piece of public good.
So, okay, today, academic VDF day, we're going to try and tackle all the outstanding problems. We're going to have three themes: VDF provers, modular multipliers and RSA MPC. For each theme there will be a kind of feature talk and then, in the afternoon, we'll have breakout sessions to solve the problems.
Well, actually, during last VDF day, that's when we discussed the iterated Wesolowski, which gives a different trade-off between the provers. So the Wesolowski prover has very short proofs, but it takes more time to generate them, and on the other extreme you have the Pietrzak prover, which has much larger proofs, but they're very fast to generate, and I guess we're looking to explore the trade-off space a bit more today.
Benjamin will also present another hybrid, which is the Pietrzak-Wesolowski hybrid, and so one of the open questions is: can you come up with a new pure building block? That would be fantastic, and then maybe we could try and combine them with the other pure building blocks to build more hybrids. Or, you know, can you build a new way of combining the existing ideas to have a new set of trade-offs?
These would be some of the ideal properties of the prover that we want: we want the proof size to be less than one kilobyte, verification less than ten milliseconds, and we want the proving latency, which is the amount of extra time you need to build the proof after you've done the evaluation, to be less than 1%.
A
So
let
me
just
briefly
give
you
an
architecture,
diagram
of
a
possible
candidate
for
for
the
ASIC
at
the
vdf
ASIC,
so
that
you
can.
You
can
get
a
little
bit
of
flavor.
So
we
have
this
squarer,
which
is
going
to
be
the
repeated
square,
the
evaluator,
and
it
will
all
run
roughly
at
at
1
gigahertz
and
the
the
way
that
the
proved
is
a
build
is
that
they
they
collect
checkpoints
along
the
way
and
these
checkpoints
you
have
the
option
to
store
them
in
memory.
So
we
have.
We have this memory, a relatively small amount of memory, maybe one megabyte or a few megabytes, and with these checkpoints you want to build the proof, and generally the proof involves something other than the squarer. You need to be able to multiply where the two inputs are different, and so you're going to have a performance penalty on the multiplier.
Let's say that the multiplier is half the speed, and because the circuits tend to be quite large, it's possible that we can only have one single multiplier for the prover. And then we're looking to have an ARM core in the VDF ASIC. The nice thing here is that you'll be able to program the ARM core and choose the prover scheme that you want and the specific algorithm to do the proving. So if, in the future, we find better algorithms, we'll be able to make use of that. Yeah.
[Audience question] Right, RISC-V would make more sense. Yes, absolutely. And then, you know, we have a few connecting bits between the ARM core, or between the CPU, and the multiplier. And, you know, one more subtle consideration when you're looking at provers is that you want to have enough parallelism in the algorithm so that you can feed the input FIFO fast enough to make full use of the multiplier.
So in Ethereum, specifically, if the evaluation time is a hundred minutes, we don't want a random number every hundred minutes. We want a random number every, let's say, ten minutes. So what we do is that we have ten randomness beacons in parallel, and each rig has ten ASICs, and so it does start becoming expensive if the chips are very big.
[Audience comment] Yeah, so the point that was being made is that with VDFs, you have this really nice property of uniqueness. So if you have a unique input, you also have a unique output, and what that means from a practical standpoint when you design the protocols is that you have a minimal honesty assumption or minimal liveness assumption.
So the second theme is modular multipliers. We're going to have a talk which will present kind of a new way to do modular multiplication, which is especially low latency, with, as I understand, new mathematics, and so one of the problems will be: can you take these new ideas and improve upon them? Another interesting question is: can we prove lower bounds on the circuit depth of the basic operation, which is the modular squaring?

It turns out, if you have a model such as the two-input gate model, then you can really trivially prove a circuit depth lower bound of 12, and the reason is that you have the 2,000 bits for your input that you're squaring and 2,000 bits for the modulus. So that's 4,000 bits, and if you only have two-input gates, the fastest way to mix in all the signals is using this binary tree, which will have depth 12, and every single input bit can influence the most significant bit of the result of the square, and so hence you have this lower bound of 12, and the question is: can you improve upon that?

The good news is that this lower bound of 12 is actually not too far away from what we can do in practice, but it would be nice to squeeze that as much as possible. And the third theme is going to be the RSA MPC.
[Audience question] Yes, right, so the point being brought up is that the actual specific dynamics of the MPC will influence how many people participate. For us, we have a synchronous MPC, which means that everyone has to be online at the same point in time. The goal in terms of scalability is that we want the whole MPC to last ten minutes or less, so, yeah, it will be interesting to try and get hundreds of people online at the same time, in its time slot.
[Audience question] Right, so the question was: do we want to generate a normal RSA modulus or a strong one? Having a strong one would be better because it has all these additional properties, but from what I understand, the MPC also becomes much more complicated and expensive if we want a strong one. Okay, then we...
So my understanding is that, for the two main use cases that we're looking into, RSA accumulators and RSA VDFs, a plain RSA modulus works. Is that correct? Okay, okay, yeah. So you can relax that, okay. And tomorrow, if you're interested, we're having a more non-academic, more practical VDF day, where we're trying to figure out some of the logistical issues of pulling off this crazy project, and one of them, in the morning, will be the RSA ceremony logistics.
So, you know, discussing the Sybils, and how do we get enough people, and how do you make sure that they are decentralized enough, etc., etc. And then, in the afternoon, we're going to have a session on the logistics of the circuit competition, and there will be several talks: one from Chia, that just completed a VDF competition; we'll have Simon from Supranational discuss some of the plans that we have for our circuit competition; and we'll have a representative from Synopsys.