Verifiable Delay Functions from Isogenies and Pairings - Luca De Feo

SLIDE 1

Verifiable Delay Functions from Isogenies and Pairings

Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso

Université Paris Saclay – UVSQ, France

July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet

SLIDE 4

Tired of *SIDH? Enough quantum FUD? Ready for a new buzzword?

Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 2 / 12

SLIDE 8

Distributed lottery

Participants A, B, ..., Z want to agree on a random winning ticket.

Flawed protocol

Each participant $x$ broadcasts a random string $s_x$;

Winning ticket is $H(s_A, \dots, s_Z)$.

Fixes

Make the hash function sloooooooooooooooooooooooooooow;

Make it possible to verify $w = H(s_A, \dots, s_Z)$ fast.

SLIDE 13

Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018)

Wanted

Function (family) $f : X \to Y$ s.t.:

Evaluating $f(x)$ takes long time:

■ uniformly long time,
■ on almost all random inputs $x$,
■ even after having seen many values of $f(x')$,
■ even given massive number of processors;

Verifying $y = f(x)$ is efficient:

■ ideally, exponential separation between evaluation and verification.

Exercise

Think of a function you like with these properties.

Got it? You're probably wrong!

SLIDE 14

Sequentiality

Ideal functionality: $y = f(x) = \underbrace{H(H(\cdots(H(x))))}_{T \text{ times}}$

Sequential assuming hash output “unpredictability”, but how do you verify?

SLIDE 16

VDFs from groups of unknown order

Setup

A group of unknown order, e.g.:

$\mathbb{Z}/N\mathbb{Z}$ with $N = pq$ an RSA modulus, $p, q$ unknown (e.g., generated by some trusted authority),

Class group of imaginary quadratic order.

Evaluation

With delay parameter $T$: $f : G \to G$, $x \mapsto x^{2^T}$

Conjecturally, fastest algorithm is repeated squaring.

Verification (Wesolowski 2019, Pietrzak 2019)

Aha!
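Added example, not from the slides: Wesolowski's verification for the repeated-squaring VDF above, next to the shortcut open to anyone who knows the group order (the reason the order has to stay unknown). The toy modulus built from two known Mersenne primes, the 64-bit challenge size and every function name are assumptions chosen for illustration, not secure parameters.

```python
import hashlib
from itertools import count

P, Q = 2**31 - 1, 2**61 - 1  # constructed toy factors (Mersenne primes): insecure
N = P * Q

def is_prime(n):
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact for n < 3.3e24
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):  # True if base a proves n composite (Miller-Rabin)
        v = pow(a, d, n)
        if v in (1, n - 1):
            return False
        for _ in range(s - 1):
            v = v * v % n
            if v == n - 1:
                return False
        return True
    return not any(witness(a) for a in bases)

def challenge_prime(x, y, T, n):
    """Fiat-Shamir challenge: hash the transcript to an odd prime of at most 64 bits."""
    for ctr in count():
        h = hashlib.sha256(f"{x}|{y}|{T}|{n}|{ctr}".encode()).digest()
        cand = int.from_bytes(h[:8], "big") | 1
        if is_prime(cand):
            return cand

def evaluate(x, T, n):
    """The delay: T sequential squarings give x^(2^T) mod n."""
    y = x % n
    for _ in range(T):
        y = y * y % n
    return y

def prove(x, y, T, n):
    """Wesolowski proof pi = x^floor(2^T / l) mod n."""
    return pow(x, (1 << T) // challenge_prime(x, y, T, n), n)

def verify(x, y, pi, T, n):
    """Accept iff pi^l * x^r == y with r = 2^T mod l: two short exponentiations."""
    l = challenge_prime(x, y, T, n)
    return pow(pi, l, n) * pow(x, pow(2, T, l), n) % n == y % n

def shortcut(x, T, p, q):
    """Known group order: reduce the exponent mod (p-1)(q-1) and skip the delay."""
    return pow(x, pow(2, T, (p - 1) * (q - 1)), p * q)
```

The verifier's cost depends on the size of the challenge prime and of log T, not on T itself, while `shortcut` shows that a party holding p and q computes the same output without doing the T squarings.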

SLIDE 18

Isogeny <3 Pairing

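Let $\phi : E \to E'$, let $P \in E[N]$ and $Q \in E'[N]$. Then

$$e_N(P, \hat\phi(Q)) = e_N(\phi(P), Q)$$

[Commutative diagram: the maps $\phi \times 1$ and $1 \times \hat\phi$ between the products $X_1 \times X_2$, with both pairings $e_N$ landing in $\mathbb{F}_{p^k}$.]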

Idea #1

Use the equation for a BLS-like signature scheme: US patent 8,250,367 (Broker, Charles, Lauter).

SLIDE 19

Isogeny VDF

Assume $\deg \phi = 2^T$:

$$e_N(\phi(P), \phi(Q)) = e_N(P, Q)^{2^T}$$

Right side: known group structure: $2^T \to 2^T \bmod p^k - 1$;

Left side: can evaluate $\phi$ in less than $T$ steps?

SLIDE 20

Isogeny VDF ($\mathbb{F}_p$-version)

Setup

Pairing friendly supersingular curve $E/\mathbb{F}_p$,

Isogeny $\phi : E \to E'$ of degree $2^T$,

Point $P \in E[(N, \pi - 1)]$, image $\phi(P)$.

Evaluation

Input: random $Q \in E'[(N, \pi + 1)]$,

Output: $\hat\phi(Q)$.

Verification

$$e_N(P, \hat\phi(Q)) = e_N(\phi(P), Q).$$

SLIDE 21

Isogeny VDF ($\mathbb{F}_p$-version)

Trusted Setup

Pairing friendly supersingular curve $E/\mathbb{F}_p$ with unknown endomorphism ring!!!

Isogeny $\phi : E \to E'$ of degree $2^T$,

Point $P \in E[(N, \pi - 1)]$, image $\phi(P)$.

Evaluation

Input: random $Q \in E'[(N, \pi + 1)]$,

Output: $\hat\phi(Q)$.

Verification

$$e_N(P, \hat\phi(Q)) = e_N(\phi(P), Q).$$

SLIDE 22

Sequentiality?

Wesolowski, Pietrzak: $x \mapsto x^2$

Isogenies: $x \mapsto x \, \frac{x\alpha_i - 1}{x - \alpha_i}$

No speedup? Even with unlimited parallelism? Really?

See Bernstein, Sorenson. Modular exponentiation via the explicit Chinese remainder theorem.

SLIDE 23

Thank you

https://defeo.lu/ @luca_defeo
