Skip to content

Add pure-Rust VDF verifier crate (no GMP/C dependencies)#1378

Draft
richardkiss wants to merge 1 commit intomainfrom
vdf-verify
Draft

Add pure-Rust VDF verifier crate (no GMP/C dependencies)#1378
richardkiss wants to merge 1 commit intomainfrom
vdf-verify

Conversation

@richardkiss
Copy link
Copy Markdown
Contributor

@richardkiss richardkiss commented Mar 4, 2026

Summary

This PR adds a new chia-vdf-verify crate to the workspace that provides pure-Rust VDF (Verifiable Delay Function) proof verification using Wesolowski's protocol.

Key changes:

  • New crate at crates/chia-vdf-verify/ with complete VDF verification implementation
  • Uses malachite-nz and malachite-base for arbitrary precision integer arithmetic (no GMP or C dependencies)
  • Includes 110+ test vectors for comprehensive validation
  • All tests pass and clippy checks complete successfully

Benefits:

  • Pure Rust: Eliminates C++/GMP dependencies required by chiavdf
  • Cross-platform: Significantly simplifies builds, especially on Windows
  • Verification only: Focused on proof verification (not proof generation)
  • Well-tested: Comprehensive test suite with real-world vectors

Performance:

  • Approximately 1.5-2x slower than C/GMP implementation
  • Trade-off for simplified builds and pure-Rust ecosystem

Python bindings:

  • Code includes PyO3 bindings (feature-gated with python feature)
  • Not yet integrated into main chia_rs PyO3 module
  • Integration can be done in a follow-up PR if desired

Source:
Based on https://github.com/richardkiss/chia-vdf-verify (malachite branch)

Test plan

  • cargo build -p chia-vdf-verify succeeds
  • cargo test -p chia-vdf-verify passes (26 unit tests + 21 integration tests)
  • cargo clippy -p chia-vdf-verify passes
  • Edition 2024 compatibility (fixed gen reserved keyword issue)

Made with Cursor

@richardkiss
Add pure-Rust VDF verifier crate
7556213 
Adds chia-vdf-verify crate with Wesolowski VDF proof verification using
malachite-nz for arbitrary precision integers. This provides a pure-Rust
alternative to chiavdf's C++/GMP implementation for verification only.

Key features:
- No C/C++ dependencies or GMP linking requirements
- Uses malachite-nz for big integer operations
- Includes 110+ test vectors for validation
- Passes all tests and clippy checks

Performance is approximately 1.5-2x slower than C/GMP implementation but
eliminates cross-platform build complexity, especially on Windows.

Python bindings are feature-gated but not yet integrated into the main
chia_rs PyO3 module (to be done in a follow-up).

Made-with: Cursor
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Mar 4, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedcargo/​malachite-nz@​0.9.1841009710070
Addedcargo/​malachite-base@​0.9.11001009310070

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Mar 4, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Install-time scripts: cargo malachite-nz

Install script: Package overview

Source: undefined

From: crates/chia-vdf-verify/Cargo.tomlcargo/malachite-nz@0.9.1

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/malachite-nz@0.9.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Native binaries present: cargo malachite-nz

Location: Package overview

From: crates/chia-vdf-verify/Cargo.tomlcargo/malachite-nz@0.9.1

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/malachite-nz@0.9.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@richardkiss