
Verifiable Delay Functions and More from Isogenies and Pairings

Verifiable Delay Functions and More from Isogenies and Pairings. Luca De Feo, based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso. IBM Research Zürich. December 4, 2019, ECC, Bochum. Slides online at https://defeo.lu/docet


  1. Verifiable Delay Functions and More from Isogenies and Pairings
     Luca De Feo, based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso
     IBM Research Zürich
     December 4, 2019, ECC, Bochum
     Slides online at https://defeo.lu/docet

  5. Distributed lottery
     Participants A, B, ..., Z want to agree on a random winning ticket.
     Flawed protocol
     - Each participant $x$ broadcasts a random string $s_x$;
     - Winning ticket is $H(s_A, \ldots, s_Z)$.
     Cheating participant Z waits to see all other strings, then brute-forces $s_Z$ to win lottery.
     Fixes
     - Make the hash function sloooooooooooooooooooooooooooow;
       - e.g., participants have 10 minutes to submit $s_x$,
       - outcome will be known after 20 minutes.
     - Make it possible to verify $w = H(s_A, \ldots, s_Z)$ fast.
     Luca De Feo (IBM Research Zürich) VDFs from Isogenies and Pairings ECC 2019 2 / 28 https://defeo.lu/docet

  10. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018)
      Wanted
      Function (family) $f : X \to Y$ s.t.:
      - Evaluating $f(x)$ takes long time:
        - uniformly long time,
        - on almost all random inputs $x$,
        - even after having seen many values of $f(x')$,
        - even given massive number of processors;
      - Verifying $y = f(x)$ is efficient:
        - ideally, exponential separation between evaluation and verification.
      Exercise
      Think of a function you like with these properties. Got it? You’re probably wrong!

  11. Sequentiality
      Ideal functionality:
      $$y = f(x) = \underbrace{H(H(\cdots(H(x))))}_{T \text{ times}}$$
      Sequential assuming hash output “unpredictability”, but how do you verify? (you’re not allowed to say “SNARKs”)

  16. VDFs from groups of unknown order (inspired by Rivest–Shamir–Wagner time-lock puzzle)
      Setup
      A group of unknown order, e.g.:
      - $\mathbb{Z}/N\mathbb{Z}$ with $N = pq$ an RSA modulus, $p, q$ unknown (e.g., generated by some trusted authority),
      - Class group of imaginary quadratic order.
      Evaluation
      With delay parameter $T$:
      $$f : G \longrightarrow G, \qquad x \longmapsto x^{2^T}$$
      Conjecturally, fastest algorithm is repeated squaring.
      [Diagram: $x$, $x^2$, $x^4$, $x^{2^T}$; label: $2^T \bmod \varphi(N)$]

  17. VDFs from groups of unknown order (inspired by Rivest–Shamir–Wagner time-lock puzzle)
      Setup
      A group of unknown order, e.g.:
      - $\mathbb{Z}/N\mathbb{Z}$ with $N = pq$ an RSA modulus, $p, q$ unknown (e.g., generated by some trusted authority),
      - Class group of imaginary quadratic order.
      Evaluation
      With delay parameter $T$:
      $$f : G \longrightarrow G, \qquad x \longmapsto x^{2^T}$$
      Conjecturally, fastest algorithm is repeated squaring.
      Verification
      Interactive proofs that $y = f(x)$, (non interactivity via Fiat-Shamir):
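
The evaluation and verification steps of slides 16 and 17, as an added Python example (not code from the talk or its authors): repeated squaring in $\mathbb{Z}/N\mathbb{Z}$, the shortcut open to anyone who knows $\varphi(N)$, and a short proof checked with two small exponentiations. Assumptions of this example: the toy modulus is constructed here, Wesolowski's proof with a hashed prime challenge is chosen as one known instantiation of the Fiat-Shamir step (the slide text above does not name a proof system), and all function names are hypothetical.

```python
import hashlib

# Toy parameters constructed for this example; far too small for real use.
P, Q = 2**61 - 1, 2**31 - 1                # primes p, q: secret after setup
N, PHI = P * Q, (P - 1) * (Q - 1)          # public modulus, secret group order

def evaluate(x, T):
    """Slow path: T sequential squarings, y = x^(2^T) mod N."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y

def evaluate_with_trapdoor(x, T):
    """Shortcut with phi(N) (needs gcd(x, N) = 1): reduce the exponent first."""
    return pow(x, pow(2, T, PHI), N)

def is_prime(n):
    """Miller-Rabin; these 12 bases are deterministic for n < 3e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        z = pow(a, d, n)
        if z in (1, n - 1):
            continue
        if all(pow(z, 2**i, n) != n - 1 for i in range(1, s)):
            return False
    return True

def challenge_prime(x, y, T):
    """Fiat-Shamir: hash the transcript to a 64-bit prime challenge l."""
    h = hashlib.sha256(f"{N}|{x}|{y}|{T}".encode()).digest()
    l = int.from_bytes(h[:8], "big") | 1
    while not is_prime(l):
        l += 2
    return l

def prove(x, y, T):
    """Prover: pi = x^floor(2^T / l) mod N."""
    return pow(x, (1 << T) // challenge_prime(x, y, T), N)

def verify(x, y, T, pi):
    """Verifier: accept iff pi^l * x^(2^T mod l) == y (mod N)."""
    l = challenge_prime(x, y, T)
    return pow(pi, l, N) * pow(x, pow(2, T, l), N) % N == y % N
```

The trapdoor function returns the same output as the slow path without the T squarings, which is why the factorisation of $N$ must stay unknown to every participant after setup.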
