verifiable delay functions from isogenies and pairings
play

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo - PowerPoint PPT Presentation

Aug 20, 2022 •113 likes •350 views

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Universit Paris Saclay UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet Tired of

  1. Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Université Paris Saclay – UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet

  2. Tired of *SIDH? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 2 / 12

  3. Tired of *SIDH? Enough quantum FUD? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 2 / 12

  4. Tired of *SIDH? Enough quantum FUD? Ready for a new buzzword? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 2 / 12

  6. ❂ ✭ ❀ ✿ ✿ ✿ ❀ ✮ Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 4 / 12

  7. ❂ ✭ ❀ ✿ ✿ ✿ ❀ ✮ Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Fixes Make the hash function sloooooooooooooooooooooooooooow ; Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 4 / 12

  8. Distributed lottery Participants A, B, ..., Z want to agree on a random winning ticket. Flawed protocol Each participant x broadcasts a random string s x ; Winning ticket is H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ . Fixes Make the hash function sloooooooooooooooooooooooooooow ; Make it possible to verify w ❂ H ✭ s A ❀ ✿ ✿ ✿ ❀ s Z ✮ fast . Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 4 / 12

  9. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  10. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  11. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Think of a function you like with these properties Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  12. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Think of a function you like with these properties Got it? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  13. Verifiable Delay Functions (Boneh, Bonneau, Bünz, Fisch 2018) Wanted Function (family) f ✿ X ✦ Y s.t.: Evaluating f ✭ x ✮ takes long time: ■ uniformly long time, ■ on almost all random inputs x , ■ even afer having seen many values of f ✭ x ✵ ✮ , ■ even given massive number of processors; Verifying y ❂ f ✭ x ✮ is efficient: ■ ideally, exponential separation between evaluation and verification. Exercise Think of a function you like with these properties Got it? You’re probably wrong! Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 5 / 12

  14. Sequentiality Ideal functionality: y ❂ f ✭ x ✮ ❂ H ✭ H ✭ ✁ ✁ ✁ ✭ H ✭ x ✮✮✮✮ ⑤ ④③ ⑥ T times Sequential assuming hash output “unpredictability”, but how do you verify? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 6 / 12

  15. VDFs from groups of unknown order Setup A group of unknown order, e.g.: ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown (e.g., generated by some trusted authority), Class group of imaginary quadratic order. Evaluation With delay parameter T : f ✿ G � ✦ G ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Verification (Wesolowski 2019, Pietrzak 2019) Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 7 / 12

  16. VDFs from groups of unknown order Setup A group of unknown order, e.g.: ❩ ❂ N ❩ with N ❂ pq an RSA modulus, p ❀ q unknown (e.g., generated by some trusted authority), Class group of imaginary quadratic order. Evaluation With delay parameter T : f ✿ G � ✦ G ✦ x 2 T x ✼� Conjecturally, fastest algorithm is repeated squaring. Verification (Wesolowski 2019, Pietrzak 2019) Aha! Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 7 / 12

  17. Isogeny <3 Pairing Let ✣ ✿ E ✦ E ✵ , let P ✷ E ❬ N ❪ and Q ✷ E ✵ ❬ N ❪ . Then e N ✭ P ❀ ❫ ✣ ✭ Q ✮✮ ❂ e N ✭ ✣ ✭ P ✮ ❀ Q ✮ ✣ ✂ 1 X 1 ✂ X 2 X 1 ✂ X 2 1 ✂ ❫ e N ✣ X 1 ✂ X 2 ❋ p k e N Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 8 / 12

  18. Isogeny <3 Pairing Let ✣ ✿ E ✦ E ✵ , let P ✷ E ❬ N ❪ and Q ✷ E ✵ ❬ N ❪ . Then e N ✭ P ❀ ❫ ✣ ✭ Q ✮✮ ❂ e N ✭ ✣ ✭ P ✮ ❀ Q ✮ ✣ ✂ 1 X 1 ✂ X 2 X 1 ✂ X 2 1 ✂ ❫ e N ✣ X 1 ✂ X 2 ❋ p k e N Idea #1 Use the equation for a BLS-like signature scheme: US patent 8,250,367 (Broker, Charles, Lauter). Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 8 / 12

  19. Isogeny VDF Assume ❞❡❣ ✣ ❂ 2 T e N ✭ ✣ ✭ P ✮ ❀ ✣ ✭ Q ✮✮ ❂ e N ✭ P ❀ Q ✮ 2 T 2 T ♠♦❞ p k � 1 ; Right side: known group structure: 2 T ✦ Lef side: can evaluate ✣ in less than T steps? Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 9 / 12

  20. Isogeny VDF ( ❋ p -version) Setup Pairing friendly supersingular curve E ❂ ❋ p Isogeny ✣ ✿ E ✦ E ✵ of degree 2 T , Point P ✷ E ❬✭ N ❀ ✙ � 1 ✮❪ , image ✣ ✭ P ✮ . Evaluation Input: random Q ✷ E ✵ ❬✭ N ❀ ✙ ✰ 1 ✮❪ , Output: ❫ ✣ ✭ Q ✮ . Verification e N ✭ P ❀ ❫ ❄ ✣ ✭ Q ✮✮ ❂ e N ✭ ✣ ✭ P ✮ ❀ Q ✮ ✿ Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 10 / 12

  21. Isogeny VDF ( ❋ p -version) Trusted Setup Pairing friendly supersingular curve E ❂ ❋ p with unknown endomorphism ring!!! Isogeny ✣ ✿ E ✦ E ✵ of degree 2 T , Point P ✷ E ❬✭ N ❀ ✙ � 1 ✮❪ , image ✣ ✭ P ✮ . Evaluation Input: random Q ✷ E ✵ ❬✭ N ❀ ✙ ✰ 1 ✮❪ , Output: ❫ ✣ ✭ Q ✮ . Verification e N ✭ P ❀ ❫ ❄ ✣ ✭ Q ✮✮ ❂ e N ✭ ✣ ✭ P ✮ ❀ Q ✮ ✿ Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 10 / 12

  22. Sequentiality? Wesolowski, Pietrzak: ✦ x 2 x ✼� ✦ x x ☛ i � 1 Isogenies: x ✼� x � ☛ i No speedup? Even with unlimited parallelism? Really? See Bernstein, Sorenson. Modular exponentiation via the explicit Chinese remainder theorem. Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 11 / 12

  23. Thank you https://defeo.lu/ @luca_defeo Luca De Feo (UVSQ) VDFs from Isogenies and Pairings SIAM AG 2019 12 / 12

Recommend

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso IBM Research Zrich December 4, 2019, ECC, Bochum Slides online at https://defeo.lu/docet

928 views • 72 slides
VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

Confrence de lancement de l'ANR Ciao, Fvrier 2020, Bordeaux, France VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things down VERIFIABLE DELAY FUNCTIONS [Boneh, Bonneau, Bnz, Fisch 2018] A VDF is

616 views • 32 slides
Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of Virginia Why do these matter? Alternative consensus protocols Applications to public randomness generation Leader election Bitcoin Proof of Work

355 views • 19 slides
Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

NutMiC19, June, 2019 Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University What is a VDF? (verifiable delay function) Intuition: a function X Y that (1) takes time T to evaluate, even with

694 views • 30 slides
Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove the passage of time VDF Properties: 1. slow to calculate (delay), fast to verify (polynomial time). 2. Parallelization does not speed up

185 views • 15 slides
Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1 What is a VDF? Verifier 2 What is a VDF? Setup( , T ) public parameters pp pp specify domain X and range Y Eval( pp , x )

638 views • 37 slides
Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David

Computing optimal pairings on abelian varieties with theta functions 06/06/2013 AGCT David Lubicz, Damien Robert June 6, 2013 Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Outline 1

833 views • 33 slides
Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions Veronika Kuchta and Mark Manulis CANS 2013, Paraty, Brazil November 21, 2013 Overview Unique Signature Schemes Verifiable Random Functions Unique

420 views • 13 slides
Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz, Damien Robert Damien Robert Rational isogenies 2 1 Theta functions Complex abelian varieties Quasi-periodicity: Damien Robert Rational

734 views • 23 slides
Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert

Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai David Lubicz, Damien Robert Inria Bordeaux Sud-Ouest Millers algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Outline

676 views • 50 slides
Abelian varieties, theta functions and cryptography Part 2 Damien Robert 1 1 LFANT team, INRIA

Abelian varieties, theta functions and cryptography Part 2 Damien Robert 1 1 LFANT team, INRIA

Abelian varieties, theta functions and cryptography Part 2 Damien Robert 1 1 LFANT team, INRIA Bordeaux Sud-Ouest 08/12/2010 (Bordeaux) Outline Abelian varieties and cryptography 1 Tieta functions 2 3 Arithmetic 4 Pairings 5 Isogenies

664 views • 43 slides
Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas Decru , and Benjamin Smith NutMiC 2019, Paris June 24, 2019 Background 2006: hash functions based on supersingular elliptic curves (Charles,

564 views • 52 slides
Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David Lubicz 1,2 , Damien Robert 3 1 CLAR 2 IRMAR, Universit de Rennes 1 1 LFANT Team, IMB &amp; Inria Bordeaux Sud-Ouest Motivations Millers

313 views • 30 slides
A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

744 views • 72 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

952 views • 67 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

896 views • 78 slides
Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of

Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of

Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of Engineering Aarhus University Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q ) e (

1.52k views • 55 slides
Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of Computing University of Campinas Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q

1.02k views • 58 slides
Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018 Brisbane, Australia ECC vs. post-quantum ECC W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404 Alice 2 &quot; -isogenies, Bob 3 $

766 views • 19 slides
Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vNFO joint with Seyed Fayazbakhsh,

434 views • 28 slides
Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay (

Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay (

Advanced Digital IC-Design Propagation Delay Lumped C p Distributed model C model Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay ( t pHL / t pLH ) Wire (interconnect) delay ( t w ) The Wire

492 views • 20 slides
Pairings implementation in the PARI computer algebra system (explained by a mere programmer)

Pairings implementation in the PARI computer algebra system (explained by a mere programmer)

Pairings implementation in the PARI computer algebra system (explained by a mere programmer) jerome.milan (at) lix.polytechnique.fr Outline 1 Motivations and context 2 Pairings over elliptic curves 3 Pairing computation 4 Implementation in PARI

739 views • 51 slides
Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Leonard Lensink, Sjaak Smetsers and Marko van Eekelen Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable Java Code from Verified PVS Specifications Overview Motivation Code generation

544 views • 26 slides
Group pairings with equivalent rigidity properties for bar-joint and point-hyperplane frameworks

Group pairings with equivalent rigidity properties for bar-joint and point-hyperplane frameworks

Group pairings with equivalent rigidity properties for bar-joint and point-hyperplane frameworks Bernd Schulze (with Katie Clinch, Anthony Nixon and Walter Whiteley) Lancaster University June 13, 2019 Bernd Schulze Group pairings with

746 views • 49 slides

More recommend