verifiable delay functions from isogenies and pairings
play

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo - PowerPoint PPT Presentation

Aug 20, 2022 •113 likes •350 views

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Universit Paris Saclay UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet Tired of

  1. Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Université Paris Saclay – UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet

  2. Tired of *SIDH? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 2 / 12

  3. Tired of *SIDH? Enough quantum FUD? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 2 / 12

  4. Tired of *SIDH? Enough quantum FUD? Ready for a new buzzword? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 2 / 12

  6. ❂ ✭ ❀ ✿ ✿ ✿ ❀ ✮ Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 4 / 12

  7. ❂ ✭ ❀ ✿ ✿ ✿ ❀ ✮ Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Fixes Make the hash function sloooooooooooooooooooooooooooow ; Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 4 / 12

  8. Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Fixes Make the hash function sloooooooooooooooooooooooooooow ; Make it possible to verify w ❂ H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ fast . Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 4 / 12

  9. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  10. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  11. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Think of a function you like with these properties Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  12. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Think of a function you like with these properties Got it? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  13. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Think of a function you like with these properties Got it? You’re probably wrong! Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  14. Sequentiality Ideal functionality: y ❂ f ✭ x ✮ ❂ H ✭ H ✭ ✁ ✁ ✁ ✭ H ✭ x ✮✮✮✮ ⑤ ④③ ⑥ T times Sequential assuming hash output “unpredictability”, but how do you verify? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 6 / 12

  15. VDFs from groups of unknown order Setup A group of unknown order, e.g.: ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown (e.g., generated by some trusted authority), Class group of imaginary quadratic order. Evaluation With delay parameter T : f ✿ G � ✦ G ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Verification (Wesolowski 2019, Pietrzak 2019) Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 7 / 12

  16. VDFs from groups of unknown order Setup A group of unknown order, e.g.: ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown (e.g., generated by some trusted authority), Class group of imaginary quadratic order. Evaluation With delay parameter T : f ✿ G � ✦ G ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Verification (Wesolowski 2019, Pietrzak 2019) Aha! Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 7 / 12

  17. Isogeny <3 Pairing Let ✣ ✿ E ✦ E ✵ , let P ✷ E ❬ N ❪ and Q ✷ E ✵ ❬ N ❪ . Then e N ✭ P ❀ ❫ ✣ ✭ Q ✮✮ ❂ e N ✭ ✣ ✭ P ✮ ❀ Q ✮ ✣ ✂ 1 X 1 ✂ X 2 X 1 ✂ X 2 1 ✂ ❫ e N ✣ X 1 ✂ X 2 ❋ p k e N Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 8 / 12

  18. Isogeny <3 Pairing Let ✣ ✿ E ✦ E ✵ , let P ✷ E ❬ N ❪ and Q ✷ E ✵ ❬ N ❪ . Then e N ✭ P ❀ ❫ ✣ ✭ Q ✮✮ ❂ e N ✭ ✣ ✭ P ✮ ❀ Q ✮ ✣ ✂ 1 X 1 ✂ X 2 X 1 ✂ X 2 1 ✂ ❫ e N ✣ X 1 ✂ X 2 ❋ p k e N Idea #1 Use the equation for a BLS-like signature scheme: US patent 8,250,367 (Broker, Charles, Lauter). Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 8 / 12

  19. Isogeny VDF Assume ❞❡❣ ✣ ❂ 2 T e N ✭ ✣ ✭ P ✮ ❀ ✣ ✭ Q ✮✮ ❂ e N ✭ P ❀ Q ✮ 2 T 2 T ♠♦❞ p k � 1 ; Right side: known group structure: 2 T ✦ Lef side: can evaluate ✣ in less than T steps? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 9 / 12

  20. Isogeny VDF ( ❋ p -version) Setup Pairing friendly supersingular curve E ❂ ❋ p Isogeny ✣ ✿ E ✦ E ✵ of degree 2 T , Point P ✷ E ❬✭ N ❀ ✙ � 1 ✮❪ , image ✣ ✭ P ✮ . Evaluation Input: random Q ✷ E ✵ ❬✭ N ❀ ✙ ✰ 1 ✮❪ , Output: ❫ ✣ ✭ Q ✮ . Verification e N ✭ P ❀ ❫ ❄ ✣ ✭ Q ✮✮ ❂ e N ✭ ✣ ✭ P ✮ ❀ Q ✮ ✿ Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 10 / 12

  21. Isogeny VDF ( ❋ p -version) Trusted Setup Pairing friendly supersingular curve E ❂ ❋ p with unknown endomorphism ring!!! Isogeny ✣ ✿ E ✦ E ✵ of degree 2 T , Point P ✷ E ❬✭ N ❀ ✙ � 1 ✮❪ , image ✣ ✭ P ✮ . Evaluation Input: random Q ✷ E ✵ ❬✭ N ❀ ✙ ✰ 1 ✮❪ , Output: ❫ ✣ ✭ Q ✮ . Verification e N ✭ P ❀ ❫ ❄ ✣ ✭ Q ✮✮ ❂ e N ✭ ✣ ✭ P ✮ ❀ Q ✮ ✿ Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 10 / 12

  22. Sequentiality? Wesolowski, Pietrzak: ✦ x 2 x ✼� ✦ x x ☛ i � 1 Isogenies: x ✼� x � ☛ i No speedup? Even with unlimited parallelism? Really? See Bernstein, Sorenson. Modular exponentiation via the explicit Chinese remainder theorem. Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 11 / 12

  23. Thank you https://defeo.lu/ @luca_defeo Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 12 / 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso IBM Research Zrich December 4, 2019, ECC, Bochum Slides online at https://defeo.lu/docet

928 views • 72 slides
VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

Confrence de lancement de l'ANR Ciao, Fvrier 2020, Bordeaux, France VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things down VERIFIABLE DELAY FUNCTIONS [Boneh, Bonneau, Bnz, Fisch 2018] A VDF is

616 views • 32 slides
Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of Virginia Why do these matter? Alternative consensus protocols Applications to public randomness generation Leader election Bitcoin Proof of Work

355 views • 19 slides
Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

NutMiC19, June, 2019 Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University What is a VDF? (verifiable delay function) Intuition: a function X Y that (1) takes time T to evaluate, even with

694 views • 30 slides
Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove the passage of time VDF Properties: 1. slow to calculate (delay), fast to verify (polynomial time). 2. Parallelization does not speed up

185 views • 15 slides
Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1 What is a VDF? Verifier 2 What is a VDF? Setup( , T ) public parameters pp pp specify domain X and range Y Eval( pp , x )

638 views • 37 slides
Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David Lubicz, Damien Robert June 6, 2013 Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Outline 1

833 views • 33 slides
Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions Veronika Kuchta and Mark Manulis CANS 2013, Paraty, Brazil November 21, 2013 Overview Unique Signature Schemes Verifiable Random Functions Unique

420 views • 13 slides
Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz, Damien Robert Damien Robert Rational isogenies 2 1 Theta functions Complex abelian varieties Quasi-periodicity: Damien Robert Rational

734 views • 23 slides
Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert Inria Bordeaux Sud-Ouest Millers algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Outline

676 views • 50 slides
Abelian varieties, theta functions and cryptography Part 2 Damien Robert 1 1 LFANT team, INRIA

Abelian varieties, theta functions and cryptography Part 2 Damien Robert 1 1 LFANT team, INRIA

Abelian varieties, theta functions and cryptography Part 2 Damien Robert 1 1 LFANT team, INRIA Bordeaux Sud-Ouest 08/12/2010 (Bordeaux) Outline Abelian varieties and cryptography 1 Tieta functions 2 3 Arithmetic 4 Pairings 5 Isogenies

664 views • 43 slides
Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas Decru , and Benjamin Smith NutMiC 2019, Paris June 24, 2019 Background 2006: hash functions based on supersingular elliptic curves (Charles,

564 views • 52 slides
Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David Lubicz 1,2 , Damien Robert 3 1 CLAR 2 IRMAR, Universit de Rennes 1 1 LFANT Team, IMB &amp; Inria Bordeaux Sud-Ouest Motivations Millers

313 views • 30 slides
A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

744 views • 72 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

952 views • 67 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

896 views • 78 slides
A Fixed Point Theorem for Non-Monotonic Functions Esik 1 and P. Rondogiannis 2 an Zolt 1

A Fixed Point Theorem for Non-Monotonic Functions Esik 1 and P. Rondogiannis 2 an Zolt 1

A Fixed Point Theorem for Non-Monotonic Functions Esik 1 and P. Rondogiannis 2 an Zolt 1 University of Szeged, Hungary 2 University of Athens, Greece July 15-18, 2013 (Szeged and Athens) PLS9 1 / 23 Outline Outline 1 Negation in Logic

350 views • 23 slides
Population Protocols and Predicates Pierre Ganty IMDEA Software Institute The computer science

Population Protocols and Predicates Pierre Ganty IMDEA Software Institute The computer science

Population Protocols and Predicates Pierre Ganty IMDEA Software Institute The computer science debate: Journals vs Conferences Tired Rested Journals Conferences The computer science debate: Journals vs Conferences Tired Rested Journals

1.29k views • 73 slides
A Command-Line Driver Generator or What I did when I got tired of writing command-line

A Command-Line Driver Generator or What I did when I got tired of writing command-line

Using a generated command-line driver Using the tool How the tool works Future work A Command-Line Driver Generator or What I did when I got tired of writing command-line interfaces myself... Jacob Sparre Andersen JSA Research &amp;

717 views • 16 slides
Local search algorithms CS271P, Winter 2018 Introduction to Artificial Intelligence Prof.

Local search algorithms CS271P, Winter 2018 Introduction to Artificial Intelligence Prof.

Local search algorithms CS271P, Winter 2018 Introduction to Artificial Intelligence Prof. Richard Lathrop Reading: R&amp;N 4.1-4.2 Local search algorithms In many optimization problems, the path to the goal is irrelevant; the goal state

388 views • 34 slides
Lecture 06: Signals and Signal Handlers Introduction to Signals A signal is a small

Lecture 06: Signals and Signal Handlers Introduction to Signals A signal is a small

Lecture 06: Signals and Signal Handlers Introduction to Signals A signal is a small message that notifies a process that an event of some type occurred. Signals are often sent by the kernel, but they can be sent from other processes as

335 views • 10 slides
Creating a Character in Uncharted: Drakes Fortune Christian Gyrling Naughty Dog Who Am I?

Creating a Character in Uncharted: Drakes Fortune Christian Gyrling Naughty Dog Who Am I?

Creating a Character in Uncharted: Drakes Fortune Christian Gyrling Naughty Dog Who Am I? Programmer at Naughty Dog Created the enemy characters in Uncharted Co-authored the AI. Talk Overview The Problem

903 views • 59 slides
Verbal cues for teaching Keep elbows in original position. Relax fingers and grip. Lift

Verbal cues for teaching Keep elbows in original position. Relax fingers and grip. Lift

Verbal cues for teaching Keep elbows in original position. Relax fingers and grip. Lift shoulders away from floor. Press firmly into forearms; press away from floor. Control your movements. Verbal cuescontd No hopping

182 views • 4 slides
Welcome to Preservation: Strategies to Preserve and Refinance HUD Supported Affordable Rental

Welcome to Preservation: Strategies to Preserve and Refinance HUD Supported Affordable Rental

Welcome to Preservation: Strategies to Preserve and Refinance HUD Supported Affordable Rental Properties The Office of Recapitalization HUD Office of Multifamily Housing Programs December 2, 2014 Webinar Format Webinar will last no more

1.09k views • 51 slides

More recommend