Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Economic Security of VDF-Based Randomness Beacons: Models, Thresholds, and Design Guidelines

Zhenhang Shang, Kani Chen

Abstract

Randomness beacons based on Verifiable Delay Functions (VDFs) are increasingly proposed for blockchains and distributed systems, promising publicly verifiable delay and bias resistance. Existing analyses, however, treat adversaries purely as cryptographic entities and overlook that real attackers are economically motivated. A VDF may be sequentially secure, yet still vulnerable if a rational adversary can profit by purchasing faster hardware and exploiting reward spikes such as MEV opportunities. We develop a formal framework for economic security of VDF-based randomness beacons. Modeling the attacker as a rational agent facing hardware speedup, operating costs, and stochastic rewards, we cast the attack decision as an optimal-stopping problem and prove that optimal behavior has a monotone threshold structure. This yields tight necessary and sufficient conditions relating delay parameters to adversarial cost and reward distributions. We extend the analysis to grinding, selective abort, and multi-adversary competition, demonstrating how each amplifies effective rewards and increases required delays. Using realistic cloud costs, hardware benchmarks, and MEV data, we show that many proposed VDF delays, on the order of a few seconds, are economically insecure under plausible conditions. We conclude with deployable guidelines and introduce Economically Secure Delay Parameters (ESDPs) to support principled parameter selection in practical systems.

Economic Security of VDF-Based Randomness Beacons: Models, Thresholds, and Design Guidelines

Abstract

Randomness beacons based on Verifiable Delay Functions (VDFs) are increasingly proposed for blockchains and distributed systems, promising publicly verifiable delay and bias resistance. Existing analyses, however, treat adversaries purely as cryptographic entities and overlook that real attackers are economically motivated. A VDF may be sequentially secure, yet still vulnerable if a rational adversary can profit by purchasing faster hardware and exploiting reward spikes such as MEV opportunities. We develop a formal framework for economic security of VDF-based randomness beacons. Modeling the attacker as a rational agent facing hardware speedup, operating costs, and stochastic rewards, we cast the attack decision as an optimal-stopping problem and prove that optimal behavior has a monotone threshold structure. This yields tight necessary and sufficient conditions relating delay parameters to adversarial cost and reward distributions. We extend the analysis to grinding, selective abort, and multi-adversary competition, demonstrating how each amplifies effective rewards and increases required delays. Using realistic cloud costs, hardware benchmarks, and MEV data, we show that many proposed VDF delays, on the order of a few seconds, are economically insecure under plausible conditions. We conclude with deployable guidelines and introduce Economically Secure Delay Parameters (ESDPs) to support principled parameter selection in practical systems.

Paper Structure

This paper contains 76 sections, 9 theorems, 40 equations, 3 figures.

Table of Contents

  1. Introduction
  2. Contributions
  3. Roadmap
  4. Background and Preliminaries
  5. Verifiable Delay Functions
  6. VDF-Based Randomness Beacons
  7. Verifiable Random Functions (VRFs).
  8. Rational Cryptography and Economic Security
  9. Threat Model and Cryptographic Security
  10. System Model
  11. Adversary Capabilities
  12. Attack Surfaces
  13. Early revelation.
  14. Biasing and grinding.
  15. Selective abort.
  16. ...and 61 more sections

Key Result

theorem 1

Under Assumption assump:markov and constant cost $c>0$, there exists a measurable region $\mathcal{A} \subseteq [0,T] \times \mathcal{V} \times [t_0, t^\text{H}]$ such that an optimal adversarial strategy $(a^\star_t)$ is given by the threshold policy Moreover, $\mathcal{A}$ is monotone in $v$ in the following sense: if $(s,v,t) \in \mathcal{A}$ and $v' > v$, then $(s,v',t) \in \mathcal{A}$. $\bl

Figures (3)

  • Figure 1: Expected profit per attack as a function of delay $T$ for different reward levels, assuming $c = 0.05$ USD/s and $\delta = 3$. The economically secure region lies below the horizontal axis. Delays of a few seconds are far from sufficient when $\mathbb{E}[V]$ reaches tens of USD.
  • Figure 2: Required delay $\Delta^\star$ as a function of the bound on adversarial reward $V_{\max}$, with $\delta = 3$ and $c = 0.05$ USD/s. For example, $V_{\max}=100$ USD requires $\Delta^\star \approx 6{,}000$ s (about 100 minutes) to be economically secure under this hardware model.
  • Figure 3: Illustrative required delay $T^\star_{\mathrm{grind}}(G)$ as a function of grinding space size $G$ on a log scale (base 2), assuming $\mu = 10$ USD, $\delta = 3$, $c = 0.05$ USD/s, and sublinear cost scaling $c_{\mathrm{eff}}(G) = c G^{1/2}$. Grinding increases the effective reward via $V_{\max}$, and depending on hardware scaling, may still require substantially larger delays.

Theorems & Definitions (14)

  • definition 1: Cryptographic VDF Security
  • definition 2: Economic VDF Security
  • definition 3: Single-Round Economic Security
  • theorem 1: Threshold Optimal Policy
  • corollary 1: Linear Threshold Condition
  • definition 4: Robust Economic Security
  • theorem 2: Interval-Robust Bound
  • theorem 3: $\epsilon$-Robust Design with Moment Bounds
  • theorem 4: Compositional Single-Round Bound
  • theorem 5: Cumulative Economic Security
  • ...and 4 more