verifiable delay functions and more from isogenies and
play

Verifiable Delay Functions and More from Isogenies and Pairings Luca - PowerPoint PPT Presentation

Nov 21, 2022 •199 likes •928 views

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso IBM Research Zrich December 4, 2019, ECC, Bochum Slides online at https://defeo.lu/docet

  1. Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso IBM Research Zürich December 4, 2019, ECC, Bochum Slides online at https://defeo.lu/docet

  2. ❂ ✭ ❀ ✿ ✿ ✿ ❀ ✮ ■ ■ Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 2 / 28 https://defeo.lu/docet

  3. ❂ ✭ ❀ ✿ ✿ ✿ ❀ ✮ ■ ■ Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Cheating participant Z waits to see all other strings, then brute-forces s Z to win lottery. Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 2 / 28 https://defeo.lu/docet

  4. ❂ ✭ ❀ ✿ ✿ ✿ ❀ ✮ Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Cheating participant Z waits to see all other strings, then brute-forces s Z to win lottery. Fixes Make the hash function sloooooooooooooooooooooooooooow ; ■ e.g., participants have 10 minutes to submit s x , ■ outcome will be known afer 20 minutes. Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 2 / 28 https://defeo.lu/docet

  5. Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Cheating participant Z waits to see all other strings, then brute-forces s Z to win lottery. Fixes Make the hash function sloooooooooooooooooooooooooooow ; ■ e.g., participants have 10 minutes to submit s x , ■ outcome will be known afer 20 minutes. Make it possible to verify w ❂ H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ fast . Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 2 / 28 https://defeo.lu/docet

  6. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 3 / 28 https://defeo.lu/docet

  7. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 3 / 28 https://defeo.lu/docet

  8. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Think of a function you like with these properties Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 3 / 28 https://defeo.lu/docet

  9. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Think of a function you like with these properties Got it? Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 3 / 28 https://defeo.lu/docet

  10. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Think of a function you like with these properties Got it? You’re probably wrong! Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 3 / 28 https://defeo.lu/docet

  11. Sequentiality Ideal functionality: y ❂ f ✭ x ✮ ❂ H ✭ H ✭ ✁ ✁ ✁ ✭ H ✭ x ✮✮✮✮ ⑤ ④③ ⑥ T times Sequential assuming hash output “unpredictability”, but how do you verify? (you’re not allowed to say “SNARKs”) Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 4 / 28 https://defeo.lu/docet

  12. ♠♦❞ ✬ ✭ ✮ VDFs from groups of unknown order (inspired by Rivest–Shamir–Wagner time-lock puzzle) Setup A group of unknown order, e.g.: ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown (e.g., generated by some trusted authority), x Class group of imaginary quadratic order. Evaluation With delay parameter T : f ✿ G � ✦ G ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 5 / 28 https://defeo.lu/docet

  13. ♠♦❞ ✬ ✭ ✮ VDFs from groups of unknown order (inspired by Rivest–Shamir–Wagner time-lock puzzle) Setup A group of unknown order, e.g.: ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown x 2 (e.g., generated by some trusted authority), x Class group of imaginary quadratic order. Evaluation With delay parameter T : f ✿ G � ✦ G ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 5 / 28 https://defeo.lu/docet

  14. ♠♦❞ ✬ ✭ ✮ VDFs from groups of unknown order (inspired by Rivest–Shamir–Wagner time-lock puzzle) Setup A group of unknown order, e.g.: ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown x 4 x 2 (e.g., generated by some trusted authority), x Class group of imaginary quadratic order. Evaluation With delay parameter T : f ✿ G � ✦ G ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 5 / 28 https://defeo.lu/docet

  15. ♠♦❞ ✬ ✭ ✮ VDFs from groups of unknown order (inspired by Rivest–Shamir–Wagner time-lock puzzle) Setup A group of unknown order, e.g.: ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown x 4 x 2 (e.g., generated by some trusted authority), x Class group of imaginary quadratic order. Evaluation With delay parameter T : f ✿ G � ✦ G x 2 T ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 5 / 28 https://defeo.lu/docet

  16. VDFs from groups of unknown order (inspired by Rivest–Shamir–Wagner time-lock puzzle) Setup A group of unknown order, e.g.: ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown x 4 x 2 (e.g., generated by some trusted authority), x Class group of imaginary quadratic order. Evaluation 2 T ♠♦❞ ✬ ✭ N ✮ With delay parameter T : f ✿ G � ✦ G x 2 T ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 5 / 28 https://defeo.lu/docet

  17. ✭❧♦❣✭ ✮✮ ✷ ✮ ✭ ✮ VDFs from groups of unknown order (inspired by Rivest–Shamir–Wagner time-lock puzzle) Setup Verification A group of unknown order, e.g.: Interactive proofs that y ❂ f ✭ x ✮ , (non interactivity via Fiat-Shamir): ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown (e.g., generated by some trusted authority), Class group of imaginary quadratic order. Evaluation With delay parameter T : f ✿ G � ✦ G ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 5 / 28 https://defeo.lu/docet

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Universit Paris Saclay UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet Tired of

350 views • 23 slides
VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

Confrence de lancement de l'ANR Ciao, Fvrier 2020, Bordeaux, France VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things down VERIFIABLE DELAY FUNCTIONS [Boneh, Bonneau, Bnz, Fisch 2018] A VDF is

616 views • 32 slides
Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of Virginia Why do these matter? Alternative consensus protocols Applications to public randomness generation Leader election Bitcoin Proof of Work

355 views • 19 slides
Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

NutMiC19, June, 2019 Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University What is a VDF? (verifiable delay function) Intuition: a function X Y that (1) takes time T to evaluate, even with

694 views • 30 slides
Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove the passage of time VDF Properties: 1. slow to calculate (delay), fast to verify (polynomial time). 2. Parallelization does not speed up

185 views • 15 slides
Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1 What is a VDF? Verifier 2 What is a VDF? Setup( , T ) public parameters pp pp specify domain X and range Y Eval( pp , x )

638 views • 37 slides
Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions Veronika Kuchta and Mark Manulis CANS 2013, Paraty, Brazil November 21, 2013 Overview Unique Signature Schemes Verifiable Random Functions Unique

420 views • 13 slides
Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz, Damien Robert Damien Robert Rational isogenies 2 1 Theta functions Complex abelian varieties Quasi-periodicity: Damien Robert Rational

734 views • 23 slides
Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas Decru , and Benjamin Smith NutMiC 2019, Paris June 24, 2019 Background 2006: hash functions based on supersingular elliptic curves (Charles,

564 views • 52 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

952 views • 67 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

896 views • 78 slides
Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018 Brisbane, Australia ECC vs. post-quantum ECC W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404 Alice 2 " -isogenies, Bob 3 $

766 views • 19 slides
Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vNFO joint with Seyed Fayazbakhsh,

434 views • 28 slides
Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay (

Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay (

Advanced Digital IC-Design Propagation Delay Lumped C p Distributed model C model Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay ( t pHL / t pLH ) Wire (interconnect) delay ( t w ) The Wire

492 views • 20 slides
Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Leonard Lensink, Sjaak Smetsers and Marko van Eekelen Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable Java Code from Verified PVS Specifications Overview Motivation Code generation

544 views • 26 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
Minimal multiple blocking sets Anurag Bishnoi (with S. Mattheus and J. Schillewaert) Free

Minimal multiple blocking sets Anurag Bishnoi (with S. Mattheus and J. Schillewaert) Free

Minimal multiple blocking sets Anurag Bishnoi (with S. Mattheus and J. Schillewaert) Free University of Berlin https://anuragbishnoi.wordpress.com/ Finite Geometries, Irsee September 2017 Blocking Sets A subset B of points in a projective

623 views • 33 slides
Choice Set Optimization Under Discrete Choice Models of Group Decisions Kiran Tomlinson and

Choice Set Optimization Under Discrete Choice Models of Group Decisions Kiran Tomlinson and

Choice Set Optimization Under Discrete Choice Models of Group Decisions Kiran Tomlinson and Austin R. Benson Department of Computer Science, Cornell University ICML 2020 Discrete choice models Goal Model human choices 1 / 19 Discrete choice

1.2k views • 77 slides
The Cosmic Microwave Background as a Backlight David Spergel Princeton Marseilles July 2014

The Cosmic Microwave Background as a Backlight David Spergel Princeton Marseilles July 2014

The Cosmic Microwave Background as a Backlight David Spergel Princeton Marseilles July 2014 Planck vs. ACT Consitent Parameters P -217x217 WMAP9+ACT PLANCK+WP Spectral Index 0.97430.0087 0.973 0.011 0.96030.0073 Matter Density

870 views • 43 slides
Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue Bloomberg L.P. New York, USA. May 24, 2015 Big picture : The Automated Exploitation Grand Challenge A Security Exploit is a program taking

451 views • 23 slides
Subgradient method Geoff Gordon & Ryan Tibshirani Optimization 10-725 / 36-725 1 Remember

Subgradient method Geoff Gordon & Ryan Tibshirani Optimization 10-725 / 36-725 1 Remember

Subgradient method Geoff Gordon & Ryan Tibshirani Optimization 10-725 / 36-725 1 Remember gradient descent We want to solve x R n f ( x ) , min for f convex and differentiable Gradient descent: choose initial x (0) R n , repeat: x

669 views • 33 slides
1 2 3 4 5 6 7 $ sed -n 22,27p glibc/malloc/malloc.c This is a version (aka ptmalloc2) of

1 2 3 4 5 6 7 $ sed -n 22,27p glibc/malloc/malloc.c This is a version (aka ptmalloc2) of

1 2 3 4 5 6 7 $ sed -n 22,27p glibc/malloc/malloc.c This is a version (aka ptmalloc2) of malloc/free/realloc written by Doug Lea and adapted to multiple threads/arenas by Wolfram Gloger. There have been substantial changes made after the

734 views • 47 slides
Scaling for Humongous amounts of data with MongoDB Alvin Richards Technical Director

Scaling for Humongous amounts of data with MongoDB Alvin Richards Technical Director

Scaling for Humongous amounts of data with MongoDB Alvin Richards Technical Director alvin@10gen.com @jonnyeight alvinonmongodb.com Getting from here to there... http://bit.ly/OT71M4 2 ...probably using one of these http://bit.ly/QDUIUF

769 views • 56 slides
APEX Extragalactic Surveys Attila Kovcs The Case for APEX in the ALMA Era Zero Spacing APEX

APEX Extragalactic Surveys Attila Kovcs The Case for APEX in the ALMA Era Zero Spacing APEX

APEX Extragalactic Surveys Attila Kovcs The Case for APEX in the ALMA Era Zero Spacing APEX Beam is larger than ALMA FOV Arrays 50 pixels in FOV = 50 antennas in mapping speed Bolometers Larger bandwidth Outline CO Surveys SZ Survey

589 views • 55 slides

More recommend