Verifiable Delay Functions from Supersingular Isogenies and Pairings

  • Conference paper
Advances in Cryptology – ASIACRYPT 2019 (ASIACRYPT 2019)

Abstract

We present two new Verifiable Delay Functions (VDF) based on assumptions from elliptic curve cryptography. We discuss both the advantages and drawbacks of our constructions, study their security, and demonstrate their practicality with a proof-of-concept implementation.

Notes

  1. https://chia.net/.

  2. Note that this is different from a trapdoor VDF, as defined by Wesolowski [75], where the trapdoor is used to efficiently compute the evaluation.

  3. An isogeny is separable if it induces a separable extension of function fields. We will only use separable isogenies in this work.

  4. We note that a distortion map \(X_1\rightarrow X_2\) may be used to define a self-pairing on \(X_1\); however, efficient distortion maps only exist for very few supersingular curves. Fortunately, we will not need distortion maps.

  5. In the elliptic curve cryptography literature, this is typically called hashing into the groups.

  6. For this VDF, there is no practical reason to choose any other prime than \(\ell =2\).

  7. An isogeny walk is called non-backtracking if no isogeny step is followed by its dual, or, equivalently, if the full walk corresponds to a cyclic isogeny.

References

  1. Azarderakhsh, R., et al.: Supersingular isogeny key encapsulation (2017). http://sike.org

  2. Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: Improving NFS for the discrete logarithm problem in non-prime finite fields. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 129–155. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_6

  3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_22

  4. Bernstein, D., Sorenson, J.: Modular exponentiation via the explicit Chinese remainder theorem. Math. Comput. 76(257), 443–454 (2007). https://doi.org/10.1090/S0025-5718-06-01849-7

  5. Bernstein, D.J., Lange, T., Martindale, C., Panny, L.: Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 409–441. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_15

  6. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Heidelberg (2019)

  7. Biasse, J.-F., Iezzi, A., Jacobson, M.J.: A note on the security of CSIDH. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 153–168. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_9

  8. Biasse, J.-F., Jao, D., Sankar, A.: A quantum algorithm for computing isogenies between supersingular elliptic curves. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 428–442. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_25

  9. Blake, I.F., Seroussi, G., Smart, N., et al.: Advances in Elliptic Curve Cryptography, London Mathematical Society Lecture Note Series, vol. 317. Cambridge University Press, New York (2005)

  10. Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25

  11. Boneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. Cryptology ePrint Archive, Report 2018/712 (2018). https://eprint.iacr.org/2018/712

  12. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004). https://doi.org/10.1007/s00145-004-0314-9

  13. Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogeny-based schemes. Cryptology ePrint Archive, Report 2018/537 (2018). https://eprint.iacr.org/2018/537

  14. Broker, R.M., Charles, D.X., Lauter, K.E.: Cryptographic applications of efficiently evaluating large degree isogenies, US Patent 8,250,367, August 2012

  15. Buchmann, J., Hamdy, S.: A survey on IQ cryptography. In: Proceedings of Public Key Cryptography and Computational Number Theory, pp. 1–15 (2001)

  16. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  17. Charles, D.X., Goren, E.Z., Lauter, K.E.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009). https://doi.org/10.1007/s00145-007-9002-x

  18. Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)

  19. Cohen, B.: Proofs of space and time. In: Blockchain Protocol Analysis and Security Engineering (2017). https://cyber.stanford.edu/sites/default/files/bramcohen.pdf

  20. Cohen, B., Pietrzak, K.: Simple proofs of sequential work. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 451–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_15

  21. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_21

  22. Cox, D.A.: Primes of the form \(x^2 + ny^2\): Fermat, Class Field Theory, and Complex Multiplication. Wiley, New York (1997)

  23. De Feo, L.: Mathematics of isogeny based cryptography (2017). http://arxiv.org/abs/1711.04062

  24. De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26

  25. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)

  26. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Crypt. 78(2), 425–440 (2016). https://doi.org/10.1007/s10623-014-0010-1

  27. Doliskani, J., Pereira, G.C.C.F., Barreto, P.S.L.M.: Faster cryptographic hash function from supersingular isogeny graphs. Cryptology ePrint Archive, Report 2017/1202 (2017). https://eprint.iacr.org/2017/1202

  28. Drake, J.: Minimal VDF randomness beacon. Ethereum Res. (2018). https://ethresear.ch/t/minimal-vdf-randomness-beacon/3566

  29. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_10

  30. Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11

  31. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2010). https://doi.org/10.1007/s00145-009-9048-z

  32. Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, New York (2012)

  33. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_3

  34. Galbraith, S.D., Hess, F., Vercauteren, F.: Aspects of pairing inversion. IEEE Trans. Inf. Theor. 54(12), 5719–5728 (2008). https://doi.org/10.1109/TIT.2008.2006431

  35. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3

  36. Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_1

  37. Guralnick, R.M., Müller, P.: Exceptional polynomials of affine type. J. Algebra 194(2), 429–454 (1997). https://doi.org/10.1006/jabr.1997.7028

  38. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  39. Jao, D., LeGrow, J., Leonardi, C., Ruiz-Lopez, L.: A polynomial quantum space attack on CRS and CSIDH. In: MathCrypt 2018 (2018)

  40. Jao, D., Soukharev, V.: A subexponential algorithm for evaluating large degree isogenies. In: Hanrot, G., Morain, F., Thomé, E. (eds.) ANTS 2010. LNCS, vol. 6197, pp. 219–233. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14518-6_19

  41. Jao, D.Y., Montgomery, P.L., Venkatesan, R., Boyko, V.: Systems and methods for generation and validation of isogeny-based signatures, US Patent 7,617,397, November 2009

  42. Jao, D.Y., Venkatesan, R.: Use of isogenies for design of cryptosystems, US Patent 7,499,544, March 2009

  43. Kirschmer, M., Voight, J.: Algorithmic enumeration of ideal classes for quaternion orders. SIAM J. Comput. 39(5), 1714–1747 (2010). https://doi.org/10.1137/080734467

  44. Kitaev, A.Y.: Quantum measurements and the Abelian stabilizer problem. arXiv preprint quant-ph/9511026 (1995). https://arxiv.org/abs/quant-ph/9511026

  45. Kohel, D.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkeley (1996)

  46. Kohel, D.R., Lauter, K., Petit, C., Tignol, J.P.: On the quaternion-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014)

  47. Koshiba, T., Takashima, K.: Pairing cryptography meets isogeny: a new framework of isogenous pairing groups. Cryptology ePrint Archive, Report 2016/1138 (2016). https://eprint.iacr.org/2016/1138

  48. Koshiba, T., Takashima, K.: New assumptions on isogenous pairing groups with applications to attribute-based encryption. In: Lee, K. (ed.) ICISC 2018. LNCS, vol. 11396, pp. 3–19. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12146-4_1

  49. Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)

  50. Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandao, F. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2013). Leibniz International Proceedings in Informatics (LIPIcs), vol. 22, pp. 20–34. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl (2013). https://doi.org/10.4230/LIPIcs.TQC.2013.20

  51. Lenstra, A.K., Wesolowski, B.: A random zoo: sloth, unicorn, and trx. Cryptology ePrint Archive, Report 2015/366 (2015). https://eprint.iacr.org/2015/366

  52. Long, L.: Binary quadratic forms. Chia Network (2018). https://github.com/Chia-Network/vdf-competition/blob/master/classgroups.pdf

  53. Mahmoody, M., Moran, T., Vadhan, S.: Publicly verifiable proofs of sequential work. In: Proceedings of the 4th Conference on Innovations in Theoretical Computer Science, pp. 373–388. ACM (2013)

  54. Menezes, A., Vanstone, S., Okamoto, T.: Reducing elliptic curve logarithms to logarithms in a finite field. In: Proceedings of the Twenty-Third Annual ACM Symposium on Theory of Computing, STOC 1991, pp. 80–89. ACM, New York (1991). https://doi.org/10.1145/103418.103434

  55. Mestre, J.F.: La méthode des graphes. Exemples et applications. In: Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number Fields (Katata, 1986). Nagoya University, Nagoya (1986). http://boxen.math.washington.edu/msri06/refs/mestre-method-of-graphs/mestre-fr.pdf

  56. Micali, S., Rabin, M., Vadhan, S.: Verifiable random functions. In: 40th Annual Symposium on Foundations of Computer Science (Cat. No. 99CB37039), pp. 120–130, October 1999. https://doi.org/10.1109/SFFCS.1999.814584

  57. Petit, C., Lauter, K.: Hard and easy problems for supersingular isogeny graphs. Cryptology ePrint Archive, Report 2017/962 (2017). http://eprint.iacr.org/2017/962

  58. Pierrot, C., Wesolowski, B.: Malleability of the Blockchain’s entropy. Crypt. Commun. 10(1), 211–233 (2018). https://doi.org/10.1007/s12095-017-0264-3

  59. Pietrzak, K.: Simple verifiable delay functions. In: Blum, A. (ed.) 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). Leibniz International Proceedings in Informatics (LIPIcs), vol. 124, pp. 60:1–60:15. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl (2018). https://doi.org/10.4230/LIPIcs.ITCS.2019.60

  60. Pizer, A.K.: Ramanujan graphs and Hecke operators. Bull. Am. Math. Soc. (N.S.) 23(1) (1990). https://doi.org/10.1090/S0273-0979-1990-15918-X

  61. Pizer, A.K.: Ramanujan graphs. In: Computational Perspectives on Number Theory (Chicago, IL, 1995), AMS/IP Studies in Advanced Mathematics, vol. 7. American Mathematical Society, Providence (1998)

  62. Rabin, M.O.: Transaction protection by beacons. J. Comput. Syst. Sci. 27(2), 256–267 (1983). https://doi.org/10.1016/0022-0000(83)90042-9

  63. Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space. arXiv:quant-ph/0406151, June 2004. http://arxiv.org/abs/quant-ph/0406151

  64. Renes, J.: Computing isogenies between Montgomery curves using the action of (0, 0). In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 229–247. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_11

  65. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, Cambridge, MA, USA (1996)

  66. Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6

  67. Sutherland, A.: Elliptic curves. Lecture Notes From a Course (18.783) at MIT (2017). http://math.mit.edu/classes/18.783/2017/lectures

  68. Syta, E., et al.: Scalable bias-resistant distributed randomness. In: IEEE Symposium on Security and Privacy, pp. 444–460. IEEE Computer Society (2017)

  69. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.0) (2018). https://www.sagemath.org

  70. Vélu, J.: Isogénies entre courbes elliptiques. Comptes Rendus de l’Académie des Sciences de Paris 273, 238–241 (1971)

  71. Vignéras, M.-F.: Arithmétique des Algèbres de Quaternions. LNM, vol. 800. Springer, Heidelberg (1980). https://doi.org/10.1007/BFb0091027

  72. Voight, J.: Quaternion Algebras (2018). https://math.dartmouth.edu/~jvoight/quat-book.pdf

  73. Washington, L.C.: Elliptic Curves: Number Theory and Cryptography, 2nd edn. CRC Press, New York (2008)

  74. Waterhouse, W.C.: Abelian varieties over finite fields. Annales Scientifiques de l’École Normale Supérieure 2(4), 521–560 (1969)

  75. Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13

  76. Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A post-quantum digital signature scheme based on supersingular isogenies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 163–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_9

Acknowledgments

We would like to thank Bill Allombert, Razvan Barbulescu, Jeff Burdges, Wouter Castryck, Jeroen Demeyer, Andreas Enge, Steven Galbraith, Matthew Green, Philipp Jovanovic, Jean Kieffer, Enea Milio, Aurel Page, Lorenz Panny, Damien Robert, Barak Shani and Benjamin Wesolowski for fruitful discussions. We are grateful to the anonymous reviewers for their attentive reading and their helpful comments.

Luca De Feo was supported by the French Programme d’Investissements d’Avenir under the national project RISQ no P141580-3069086/DOS0044212.

Author information

Correspondence to Luca De Feo.

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Cite this paper

De Feo, L., Masson, S., Petit, C., Sanso, A. (2019). Verifiable Delay Functions from Supersingular Isogenies and Pairings. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science, vol 11921. Springer, Cham. https://doi.org/10.1007/978-3-030-34578-5_10

  • DOI: https://doi.org/10.1007/978-3-030-34578-5_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34577-8

  • Online ISBN: 978-3-030-34578-5
