The naive way of constructing this makes it then take 20 minutes computation to verify, which isn't that attractive if you imagine the verifier is some lame mobile client and the attacker is a mining farm. 
Yeah, although in my case it was totally fine. As it's not really required (or expected) that everyone verifies, it's just an option if you want. And had the nice property of being drop-dead simple
Quote
I keep seeing people propose this an their proposals always turn out to be totally broken, but in fact there is a way to do this that I call tapering.
Step 1. A block is 3xVDFed to pick a random value.
Step 2. The next block is 2xVDFed to pick a single bit: if it's one, go back to step 1 for the next block.
Step 3. The next block is VDFed to pick a single bit: if it's one, go back to step 1 for the next block.
Step 4. The last step 1 outcome is accepted.
This will terminate in a couple steps on average.
Step 1. A block is 3xVDFed to pick a random value.
Step 2. The next block is 2xVDFed to pick a single bit: if it's one, go back to step 1 for the next block.
Step 3. The next block is VDFed to pick a single bit: if it's one, go back to step 1 for the next block.
Step 4. The last step 1 outcome is accepted.
This will terminate in a couple steps on average.
Oh, I see. That's pretty clever, never thought of something like that.