# Preventing Denial of Service Attacks in IoT Networks through Verifiable Delay Functions

Vidal Attias IOTA Foundation Berlin, Germany vidal.attias@iota.org Luigi Vigneri *IOTA Foundation*Berlin, Germany
luigi.vigneri@iota.org

Vassil Dimitrov IOTA Foundation Berlin, Germany vassil@iota.org

Abstract—Permissionless distributed ledgers provide a promising approach to deal with the Internet of Things (IoT) paradigm. Since IoT devices mostly generate data transactions and micro payments, distributed ledgers that use fees to regulate the network access are not an optimal choice. In this paper, we study a feeless architecture developed by IOTA and designed specifically for the IoT. Due to the lack of fees, malicious nodes can exploit this feature to generate an unbounded number of transactions and perform denial of service attacks. We propose to mitigate these attacks through verifiable delay functions. These functions, which are non-parallelizable, hard to compute and easy to verify, have been formulated only recently. In our work, we design a denial of service prevention mechanism which addresses network heterogeneity, limited node computational capabilities and hardware-specific implementation optimizations. Verifiable delay functions have mostly been studied from a theoretical point of view, but little has been done in tangible applications. Hence, this paper can be considered as a pioneer work in the field, since it builds a bridge between this theoretical mathematical framework and a real-world problem.

Index Terms—distributed ledger, blockchain, denial of Service, verifiable delay function, Internet of Things, cryptography

#### I. INTRODUCTION

The *Internet of Things* (IoT) paradigm has initiated a revolution in human lives through enhanced user experience and new applications [1]. While IoT devices first reached consumers through small-scale proprietary networks [2], nowadays these sensors can be embedded into mobile devices, industrial equipment, environmental sensors, medical devices, and more. The widespread availability and the increasing interest in IoT applications make necessary the creation of secure networks dealing with thousands or millions of IoT sensors.

# A. Distributed ledger technologies for the IoT

Due to the limited resources (e.g., CPU, storage) available, the design of secure and efficient protocols for IoT networks is challenging, and proprietary solutions are not anymore able to cope with their evolving structure. In this paper, we investigate the recent *distributed ledger technology*<sup>1</sup> (DLT) paradigm as a secure way to deal with permissionless decentralized IoT networks. In the seminal work on *blockchain* [3], specific network nodes (*miners*) validate information through the solution of a cryptographic puzzle (*Proof of Work* [4]) in return for some

monetary rewards (*fees*). Apart from the obvious economical and environmental issues [5], this protocol is not suitable for the IoT due to fees and to the high workload each node must perform. However, the interest on the topic has favored the proliferation of many alternative DLTs, some of them focusing on the idea of managing the IoT ecosystem. In particular, in this paper we consider the IoT-oriented permissionless DLT developed by IOTA [6].

The IOTA protocol builds the *Tangle*, a directed acyclic graph, where each vertex is a *transaction*<sup>2</sup>. Each time a user wants to issue a transaction, she has to verify and approve two recent transactions which then form the edges. This way, the integrity of the Tangle is ensured by the work of the users themselves rather than by a different economic set of nodes, like in the case of blockchain's miners. Furthermore, no fees are imposed by the protocol due to the lack of miners, enabling micro and data transactions, fundamentals in IoT networks.

Unlike blockchain where the mining layer imposes a filter on which transactions can be written into the ledger, the Tangle lacks an intrinsic access control algorithm. Since the concepts of miners and users are merged, IOTA is vulnerable to *denial of service* (DoS) attacks, especially in IoT networks where resources are limited. A DoS attack is a method used to disrupt legitimate users' access to a target network or a certain resource. This is typically done by overloading the target with a massive amount of traffic. Traditionally, DoS attacks have been used to target banks, governments or online commercial retailers. However, since the cryptocurrency market represents nowadays hundreds of billions of US dollars [7], DLTs have also become a popular target for DoS attacks. Hence, securing the stability of these networks is a crucial economical question.

#### B. Challenges and contributions

In this paper, we propose a lightweight access control mechanism for DLTs. The task is particularly challenging as our design must satisfy the following requirements: (i) The mechanism cannot involve fee-based spam prevention since IoT devices often need to send data transactions, rather than monetary payments; (ii) we target heterogeneous networks where *any* node can join the network activity by issuing and writing transactions into the ledger independently of their

<sup>&</sup>lt;sup>1</sup>A DLT is a consensus of replicated, shared, and synchronized data without any central administrator or centralized data storage.

<sup>&</sup>lt;sup>2</sup>A transaction is a message that transfers data or funds between nodes.

capabilities; (iii) we consider the presence of malicious nodes trying to spam the network and perform DoS attacks.

Inspired by the seminal work in spam prevention by Dwork and Naor [8], and by the recently renewed interest in the field brought by Boneh et al. [9], we design our solution based on *verifiable delay functions* (VDFs). VDFs are functions that require a preset number of iterations to complete. While VDFs and Proof of Work (PoW) both aim the evaluator to spend some time to compute a puzzle, the former is mainly based on sequentially computing a function (iterative squaring in RSA groups [10], [11] or points addition in elliptic curves [12]) which *cannot* be parallelized, making specialized hardware not able to substantially speed up the puzzle computation. We highlight that, unlike in PoW-based blockchains, the cryptographic puzzle discussed in this paper is only used to prevent DoS attacks, and does not affect the consensus. Our contributions are threefold:

- Theory. We design a DoS prevention mechanism where nodes are required to compute exactly  $\tau$  modular squarings of a given input message. Our mechanism is based on [10] which presents characteristics in line with the IoT use case [13], as we will show in the rest of the paper.
- *Implementation*. We analyze the VDF evaluation time on different hardware (IoT, laptop, FPGA), and we optimize the time needed to verify the correctness of the puzzle through multiexponentiation techniques [14], [15].
- Analysis. We perform extensive experimental evaluations to compare VDFs and PoW on different hardware. In particular, we will show that large monetary resources cannot help to speed up the VDF evaluation.

We would like to stress here that, to the best of our knowledge, this is one of *first* studies which analyzes, optimizes and implements VDFs in a real-world problem. Furthermore, while we build our solution on top of the IOTA Tangle, we aim this work to be a source of inspiration for other IoT-oriented permissionless decentralized networks.

Finally, we mention that, in distributed systems, each identity-based protocol has to deal with the so-called *Sybil attack* [16], where participants may create counterfeit identities in order to, e.g., have a larger weight in a voting protocol or overcome the access control mechanism. In the IOTA protocol, the proliferation of Sybil nodes is mitigated through the definition of a reputation system based on stake. The details of this approach are beyond the scope of this paper, and we defer the interested reader to [17].

#### C. Outline

The rest of the paper is organized as follows: First, we present some background information about VDFs in Section II; then, in Section III we introduce the system model and the problem statement; after that, we propose our VDF-based DoS prevention mechanism and we provide its computational complexity analysis in Section IV; finally, we validate our findings through simulations in Section V, and we conclude our paper in Section VI.

#### II. VERIFIABLE DELAY FUNCTIONS

DoS prevention is a field where functions similar to VDFs have already been applied: To prevent email spamming, in the early 1990s Dwork and Naor [8] suggested using squaring roots over finite fields puzzles as functions which take a predetermined time to compute, and are straightforward to verify. However, their work was considered impractical because one has to use rather large finite fields to make the algorithm useful, and the libraries for handling multiple-precision arithmetic at the time of the suggestion of the algorithm were orders of magnitude slower than current ones.

Based on [8], Boneh *et al.* designed VDFs as functions that can be evaluated in a given amount of sequential steps and verified in an exponentially shorter time [9]. The main innovation was to propose a setup phase to set a trusted environment allowing the functions to be universally verifiable. This trusted environment sets the public parameters of the VDF, including its difficulty which determines the amount of time spent on computing. Any node who needs to solve the VDF will use the public parameters to perform certain sequential computations. Some VDFs also allow generating a *proof* to facilitate the verification from the other participants. This creates a set of three algorithms, *computation*, *proof*, and *verification*, which are formally described in [9].

To date, the main VDF constructions are based on modular exponentiations, where Pietrzak [11] and Wesolowski [10] suggest to iteratively compute  $\tau$  squarings in an RSA group, with  $\tau$  large. Modular exponentiation is a deeply studied computational problem due to its straightforward importance in many critical public key encryption algorithms. The best proven lower complexity bound remains valid even assuming unbounded parallelism [18], [19]. For this reason, it is possible to obtain extremely accurate assessments about the timing of the modular exponentiation operations (and the corresponding VDF characteristics) based on the best available ASIC designs for these particular operations. On the contrary, other VDFs, e.g., the ones based on pairing over elliptic curves [12], have been subject to much fewer research studies and its parallel complexity remains unknown.

# III. SYSTEM MODEL AND PROBLEM STATEMENT

We formalize here the system model inspired by the IOTA network [6]. We assume a network  $\mathcal N$  with n nodes. A node can be either standard (e.g., IoT device, smartphone, laptop) or specialized (e.g., FPGA, ASIC) hardware, and is connected to  $m \ll n$  neighbors. Every node is involved in the generation and the verification of transactions, which transfer tokens between two nodes, or simply carry data. While the verification task is fundamental to reach consensus in the network, in this work we are interested in the transaction generation which can be exploited to target specific nodes through DoS attacks. As this transaction generation is not limited by any fee, without an appropriate access control mechanism, a node could theoretically generate an infinite number of transactions per second, leading to network disruption.

We assume that a node has to evaluate a function f before issuing a transaction. Let the value  $\theta_i(f)$  represent the throughput at node i when evaluating function f. For instance, assume that f is SHA-256, the hash function used in Bitcoin: The ASIC Ebit E10 can compute 18,000,000 MHash/s ( $\theta_{ASIC} = 1.8 \times 10^{13}$ ), while a standard CPU i7 3930K can only compute 66 MHash/s ( $\theta_{CPU} = 6.6 \times 10^7$ ). Depending on the function used, the unit of measurement may change. The goal of our work is described in the following:

Problem statement. Choose a function f such that the maximum speedup in throughput S is minimized, i.e.,

$$\arg\min_{f} S(f) \triangleq \frac{\max_{i \in \mathcal{N}} \theta_{i}(f)}{\min_{i \in \mathcal{N}} \theta_{i}(f)}.$$
 (1)

This task is particularly challenging in heterogeneous networks, where devices with very different capabilities are present. Consider, for example, a DoS prevention mechanism based on the solution of a PoW: Specifically, before issuing a transaction each node is required to find an input for a hash function which output begins with a certain amount of zeros in its binary representation. The only known way of finding such an input is trying randomly the inputs until finding a suitable output. The more zeros are required, the more difficult the PoW is. However, if the PoW is too easy, then an ASIC can speed up the solution of the puzzle by several orders of magnitude and outperform non-specialized hardware; on the other hand, if the PoW is too difficult, then DoS attacks are prevented, but low power devices will not have enough computational power to issue transactions in a reasonable time. In the following section, we propose a DoS protection mechanism where the function f is a VDF.

# IV. PROTOCOL DESIGN

In this section, we present our DoS prevention mechanism (Figure 1) which is defined by the following algorithms:

- Evaluation. When node i decides to generate transaction n, it is required to solve a VDF such that its input is the hash of transaction n-1 issued by the same node.
- Proof. Node i also generates a proof to facilitate the verification task, which gossips along with the transaction.
- Verification. When a new transaction is received, node j
  verifies whether the VDF has been solved correctly. If yes,
  it forwards the transaction (and the proof) to its neighbors,
  or discards it otherwise.

All nodes share the following public inputs<sup>3</sup>:

- *VDF difficulty*. A difficulty  $\tau \in \mathbb{N}$ , which indicates the number of sequential operations to solve. This difficulty can be adapted according to, e.g., node's reputation to mitigate Sybil attacks.
- RSA modulus. A modulus  $N = p \cdot q$  which has bit-length  $\lambda$  (typically 1024, 2048, or 3072), and is the product of



Fig. 1: VDF integration in the IOTA protocol: The evaluator node uses its last transaction as the input for the new VDF (above); a verifier node receives the transaction and the proof from node i, and verifies the correctness of the VDF (below). The *protocol* cloud represents the values known by all nodes.

two prime numbers of the same order. Due to the similarity with the Rivest-Shamir-Adleman (RSA) cryptosystem [20], we refer to N as RSA modulus. The security of the entire mechanism relies on the length of N: the longer is the modulus, the more difficult is to find its factorization. For further information about RSA modulus factorization, we refer the interested reader to [21]. How to securely generate the RSA modulus without any sort of centralization is an active research topic [22]–[24].

• Cryptographic hash function. A hash function H(m) such that  $H(m): \{0,1\}^* \mapsto [0,2k]$ , where m is a binary message, and k is a security parameter. A typical value for k is 128, and one could use SHA-256. Having this in mind, we also define  $H_{prime}(m)$  which gives the smallest prime greater or equal to H(m) for a given message m:

$$H_{prime}(m) = \min\{x \in \mathbb{N} \mid x \geq H(m) \land x \text{ prime}\}.$$

This hash function will be used in the evaluation and the proof of the VDF.

Our VDF design also addresses resource constraints in terms of (i) bandwidth and (ii) computational capabilities: (i) Little overhead (in bytes) should be added to the transaction as increasing the transaction size would lead to a lower throughput; (ii) any device must be able to verify the correctness of the VDF solution in short time. We choose to build our mechanism on top of the Wesolowski construction [10] as it currently provides the best tradeoff between verification time and lightness of the outputs [13]. We rigorously describe the VDF evaluation and proof in Section IV-A, the VDF verification in Section IV-B, and we provide a computational complexity analysis in Section IV-C.

# A. Evaluation and proof generation

Each time a node decides to issue a transaction, it has to evaluate a VDF. The evaluation takes as an input a binary message  $m \in \{0,1\}^*$ , which we enforce to be the previous transaction issued by the same node<sup>4</sup>. In this way, the protocol ensures the sequentiality of the VDFs evaluations because a

<sup>&</sup>lt;sup>3</sup>Depending on the degree of decentralization targeted, these inputs can either be preset by the network manager or generated in a distributed way by the nodes.

<sup>&</sup>lt;sup>4</sup>In the case the node is issuing its first transaction, it will use the timestamp included inside the transaction.

node has to wait for a VDF to complete before starting a new evaluation. In other terms, it is not possible to evaluate several VDFs in parallel to overcome node's allowed throughput. The challenge for the solver is computing y such that

$$y = x^{2^{\tau}} \bmod N, \tag{2}$$

with  $x \triangleq H(m)$ . This can be done only using  $\tau$  sequential squarings. We stress that it is crucial that the factorization of N remain unknown, otherwise the computation of Eq. (2) could be reduced to extremely simpler modular exponentiations.

Unlike PoW, in VDFs there is no trivial way to verify whether a node has correctly solved Eq. (2). To favor this task, we impose that the node computes the following numbers:

- $l = H_{prime}(x+y)$ , that is the smallest prime number larger than the hash of the sum of the VDF input x and output y;
- $\pi = x^{\lfloor 2^{\tau}/l \rfloor}$ , that is an exponentiation of x by the result of a long division of  $2^{\tau}$  by l.

The resulting proof is the pair  $\{l,\pi\}$ , which has a size of  $\lambda+2k$  bits. The summation between x and y ensures that the challenge has been successfully solved. Furthermore, to reduce transaction size, we can avoid sending the output y: In fact, a verifier can easily recompute y from the knowledge of l and  $\pi$ . We will elaborate on this idea in the next paragraph. Algorithm 1 summarizes the evaluation and the proof.

Algorithm 1: Evaluation and proof of the VDF

```
\begin{array}{l} \text{input} \, : m \in \{0,1\}^*, \, \tau \in \mathbb{N} \\ \text{output:} \, \pi \in [0,N-1], \, l \, \, \text{prime} \in [0,2^{2k}-1] \\ x \leftarrow H(m) \\ y \leftarrow h \\ \text{for} \, k \leftarrow 1 \, to \, \tau \, \, \text{do} \\ \mid \, y \leftarrow y^2 \\ \text{end} \\ l \leftarrow H_{prime}(x+y) \\ \pi = x^{\lfloor 2^{\tau}/l \rfloor} \\ \text{return} \, (\pi,l) \end{array}
```

# B. Verification

In the previous subsection, we have introduced the proof necessary to verify the VDF solution in short time. The first step is to reconstruct the VDF output y using

$$y = (\pi^l \cdot x^r) \bmod N, \tag{3}$$

where  $r=2^{\tau} \mod l$ . To verify that the solver has correctly computed y, the verifier will simply check if  $H_{prime}(x+y)=l$ . The verification task is described in Algorithm 2.

As an additional remark, the multi-exponentiation part of the verification phase given by Eq. (3) takes the vast majority of the total verification time. Hence, optimizing this computation can be crucial. In our simulations, we propose a way to speed up this task through a multi-exponentiation technique based on the algorithm presented in [14].

# Algorithm 2: Verification of the VDF

```
\begin{array}{l} \textbf{input} \ : x, \tau, \pi, l \\ \textbf{output:} \ True \ \text{or} \ False \\ x \leftarrow H(m) \\ r \leftarrow 2^{\tau} \ \text{mod} \ l \\ y \leftarrow \pi^l \cdot x^r \text{mod} \ N \\ \textbf{if} \ l = H_{prime}(x+y) \ \textbf{then} \\ \mid \ \textbf{return} \ True \\ \textbf{else} \\ \mid \ \textbf{return} \ False \\ \textbf{end} \end{array}
```

# C. Computational complexity analysis

The computational complexity of the proposed protocol depends on the time complexities needed to evaluate y both by the solver through Eq. (2), and by the verifier through Eq. (3).

1) Computational complexity of the evaluation: The computation of Eq. (2) consists of a single computational primitive, i.e., modular squaring. The most important thing is that the computational process is strictly sequential, that is every new modular squaring operation can start only when the previous squaring operation is completed.

Result 1: The solver of Eq. (2) is required to exactly solve  $\tau$  modular squarings.

To date, there is no known algorithm capable to guarantee parallel execution of the modular squaring function. Although there are few chances to find a rigorous proof that this function does not admit parallel execution, the majority of cryptographers accept this conjecture as correct [25]. Indeed, in this field many results are based on conjectures that seem plausible: For instance, this is the case of RSA, based on the conjecture that the factorization problem is computationally intractable; for large RSA key sizes, no efficient method for solving this problem is known.

2) Computational complexity of the verification: The computation of Eq. (3) can be accomplished in various ways. It is important to point out that the two modular exponentiations do not have to be computed separately. The easiest way to see why this is the case is to consider the computation of  $z = x^2 \cdot y^2$ . If one computes separately  $x^2$ ,  $y^2$ , and their product, one would need three multiplications, whereas representing z as  $(x \cdot y)^2$  needs only two multiplication steps.

We have the following result:

Result 2: The number of operations for the verifier to compute Eq. (3) requires at most

$$\mathcal{O}\left(\frac{2k}{\log_2 2k}\right) \tag{4}$$

multiplications over  $\lambda$ -bit numbers.

*Proof:* The best algorithms for evaluating  $y=\pi^l\cdot x^r$  are based on finding very short vector addition chains for the

vector  $\{l,r\}$ . It is well known that the length of the vector addition chain is asymptotically equal to the length of the scalar addition chain for the largest component of the vector. Therefore, the number of operations for the verifier to compute Eq. (3) is equal to

$$\log_2(\max\{l,r\}) + \mathcal{O}\left(\frac{\log_2(\max\{l,r\})}{\log_2(\log_2(\max\{l,r\}))}\right)$$

multiplications [26]. Note that  $\max\{l, r\} \le 2^{2k}$  since r < l by definition, and l is at most  $2^{2k}$ . Then, after simple calculations, one can get obtain the bound of Eq. (4).

From the above, we can deduct the following result:

Result 3: The time needed to verify the correctness of the VDF output is independent of its difficulty  $\tau$ .

The previous results are important as they can provide a clear understanding of the physical limits of the verification time, which is directly linked to the potential maximum number of transactions per second allowed in the network. We will elaborate more on this in the next section, where we perform experimental simulations.

#### V. SIMULATION RESULTS

In this section, we evaluate the performance of our VDF-based DoS prevention mechanism. The algorithms related to the VDF, namely Algorithms 1-2, have been implemented in C++ using the GMP library for multi-precision modular arithmetic. The code is executed on a laptop using an Intel i7-7820HQ @ 2.90GHz (CPU) and on a Raspberry Pi 3 Model B (IoT). As for completeness, we consider the most up-to-date FPGA solving VDFs according to the results of the VDF Alliance FPGA contest [27]. Unless otherwise stated, in the simulations we use a modulus size  $\lambda = 2048$ , and a security parameter k = 128.

Recall the problem statement that requires to find a function f to minimize the maximum speedup in throughput. In Figure 2 we compare two functions, our VDF and a PoW based on SHA-256. Specifically, we display the speedup in throughput for different devices computing either VDF or PoW as a function of their estimated price per hour, which is computed by amortizing the hardware flat price over one year added to the power consumption (we take the electricity price in China as a reference). Data related to PoW are taken from [28]. The slowest devices are taken as a baseline.

From the plot, we can clearly see that specialized hardware is able to exploit PoW parallelizability, which leads to a dramatic speedup. On the other hand, VDF bounds the possible speedup to less than three orders of magnitude: While it is not possible to reduce or parallelize the sequential steps of VDF, an FPGA can actually exploit optimized arithmetic operations within each single modular squaring. We believe that the speedup for VDF can be considered a worst-case scenario, and other IoT devices may show significant better results: The reason why *existing* VDFs do not offer a good performance on this kind of IoT is the fact that they all use a large number of multi-word divisions. On a Raspberry Pi, these divisions have



Fig. 2: Speedup for different devices as a function of their cost (hardware plus electricity consumption) in USD per hour to compute VDF or PoW. We also show the speedup of combining 1000 devices in a pool (empty markers). The baseline is the weakest device for VDF and PoW.

to be entirely implemented at software level, which slows the execution time many times. Although these considerations do not apply to SHA-256, which requires very basic operations such as bit shift or multiplications, the effectiveness of our solution remains clear. We have also performed simulations with other hashing functions, and they show similar outcomes.

We additionally consider pools of 1000 devices of the same type, and we display them in the same figure through empty markers. As PoW is linearly paralellizable, the speedup increases by a factor of 1000x when using 1000 machines; conversely, hardware farms cannot contribute to increase the speedup for VDFs, where only the estimated cost goes up. This result alone should justify the choice of using VDFs as a DoS prevention mechanism in IoT networks.

Figure 3 shows the verification time of the VDF in case of IoT and CPU. The x-axis represents the challenge  $\tau \in \{2^{10}; 2^{11}; 2^{12}; 2^{13}; 2^{14}\}$ , i.e., the number of squarings needed to evaluate the VDF, and the y-axis shows the time spent in the verification task in *ms*. The figure also shows the impact of the modulus length  $\lambda \in \{1024; 2048; 4096\}$  on the verification time. The plot validates *Result 3*, as the verification time is indeed independent of the difficulty  $\tau$ . The performance speed up between CPU and IoT shows a factor of 20 in terms of verification time, being between 1 and 3 ms for the former and between 25 to 75 ms for the latter. The limited resources of IoT devices are confirmed once again to be an important aspect to consider in the design of our DoS prevention mechanism.

In Figure 4, we show the verification time for laptop using different multi-exponentiation techniques to compute Eq. (3): Naive implementation computes  $\pi^l$  and  $x^r$  separately and then multiplies each term; Lenstra's algorithm is based on the technique described in [14], [15], and we use a window-scanning size of 2 bits. We compare three security level k (128, 192 or 256 bits) and two modulus length  $\lambda$  (2048 and 4096). From the figure, we can observe that the Lenstra's



Fig. 3: Verification time as a function of the modular squarings  $\tau$  for different modulus size  $\lambda$  (k=128).



Fig. 4: Verification time using multi-exponentiation techniques for different security levels k and modulus sizes  $\lambda$  on a CPU.

algorithm performs between 12% to 18% better than the naive implementation when using a 4096 bits modulus and between 4% to 8% when using a 2048 bit modulus. One of the most promising possibilities for further improving the verification time is to use some of the currently proposed parallel algorithms for multi-exponentiations [29]. This is a topic of an on-going research within our group.

# VI. CONCLUSION

In this paper we have proposed the usage of a VDF to mitigate DoS attacks in IoT-oriented DLTs. Throughout the paper, we have formulated a rate limiting protocol based on a modular exponentiation VDF, which introduces low overhead in the network; additionally, we have provided some fundamental analytical findings, and we have validated our design through actual implementation. We stress that, since VDFs are a new field of research, which has been mostly studied from a theoretical point of view, little to no experimental results are available to date, and our paper is a pioneer in this domain.

Due to the novelty of the VDFs, many are the possible future directions. To remain in the scope of the paper, we can mention a few: Software optimization to efficiently solve VDFs on IoT devices; development of VDFs that do not employ multiword division operations; tradeoff analysis between nodes computational capabilities and energy consumption; optimization of the verification time through multi-exponentiation and parallelization.

#### REFERENCES

- [1] A. B. Pawar and S. Ghumbre, "A survey on IoT applications, security challenges and counter measures," in *CAST*, 2016, pp. 294–299.
- [2] A. et al., "Internet of Things: Evolution and technologies from a security perspective," Sustainable Cities and Society, p. 101728, mar 2020.
- [3] S. Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System," Tech. Rep.
- [4] A. Back, "Hashcash-A Denial of Service Counter-Measure," Tech. Rep., 2002.
- [5] B. et al., "Can We Afford Integrity by Proof-of-Work? Scenarios Inspired by the Bitcoin Currency," in *The Economics of Information Security and Privacy*, 2013, pp. 135–156.
- [6] S. Popov, "The Tangle," Tech. Rep., 2018.
- [7] A. ElBahrawy, L. Alessandretti, A. Kandler, R. Pastor-Satorras, and A. Baronchelli, "Evolutionary dynamics of the cryptocurrency market," *Royal Society Open Science*, no. 11, 2017.
- [8] C. Dwork and M. Naor, "Pricing via processing or combatting junk mail," in *Advances in Cryptology — CRYPTO*' 92, Brickell and F. Ernest, Eds., 1993, pp. 139–147.
- [9] D. Boneh, J. Bonneau, B. Bünz, and B. Fisch, "Verifiable delay functions," in CRYPTO 2018, 2018, pp. 757–788.
- [10] B. Wesolowski, "Efficient verifiable delay functions," in EUROCRYPT 2019, Ishai, Yuval, Rijmen, and Vincent, Eds., 2019, pp. 379–407.
- [11] K. Pietrzak, "Simple verifiable delay functions," in ITCS, 2019.
- [12] L. De Feo, S. Masson, C. Petit, and A. Sanso, "Verifiable delay functions from supersingular isogenies and pairings," in *Advances in Cryptology* – *ASIACRYPT 2019*, 2019, pp. 248–277.
- [13] V. Attias, L. Vigneri, and V. Dimitrov, "Implementation Study of Two Verifiable DelayFunctions," in *Tokenomics*, 2020, pp. 1–6.
- [14] S. M. Yen, C. S. Laih, and A. K. Lenstra, "Multi-exponentiation," IEE Proceedings: Computers and Digital Techniques, pp. 325–326, 1994.
- [15] B. Möller, "Algorithms for multi-exponentiation," in Selected Areas in Cryptography, 2001, pp. 165–180.
- [16] J. R. Douceur, "The sybil attack," in Peer-to-Peer Systems, 2002.
- [17] IOTA Foundation, "The Coordicide," Tech. Rep., 2019.
- [18] A. Borodin, W. L. Ruzzo, and M. Tompat, "Lower bounds on the length of universal traversal sequences," *Journal of Computer and System Sciences*, 1992.
- [19] V. Dimitrov, G. Jullien, and W. Miller, "An algorithm for modular exponentiation," *Information Processing Letters*, pp. 155–159, 1998.
- [20] R. L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," *Communications of the ACM*, pp. 120–126, 1978.
- [21] Cybernetica, "Cryptographic Algorithms Lifecycle Report 2016," Tech. Rep., 2016.
- [22] D. Boneh and M. Franklin, "Efficient generation of shared RSA Keys," in Advances in Cryptology — CRYPTO '97, 1997, pp. 425–439.
- [23] T. K. Frederiksen, Y. Lindell, V. Osheter, and B. Pinkas, "Fast distributed rsa key generation for semi-honest and malicious adversaries," in *CRYPTO 2018*, 2018, pp. 331–361.
- [24] I. Damgård and G. L. Mikkelsen, "Efficient, robust and constant-round distributed RSA key generation," in *Theory of Cryptography*, 2010.
- [25] "VDF Research." [Online]. Available: https://vdfresearch.org
- [26] N. Pippenger, "On the Evaluation of Powers and Monomials," SIAM Journal on Computing, pp. 230–250, 1980.
- [27] VDF Alliance, "VDF FPGA Contest." [Online]. Available: https://github.com/supranational/vdf-fpga
- [28] Bitcoin Wiki, "Mining hardware comparison Bitcoin Wiki," [Online]. Available: https://en.bitcoin.it/wiki/Mining{\_}hardware{\_}comparison
- [29] F. Borges, P. Lara, and R. Portugal, "Parallel algorithms for modular multi-exponentiation," Applied Mathematics and Computation, 2017.