In the previous post we discussed about Verifiable Delay Functions. Here is a quick summary of what we discussed in the first part:

In this post we will switch gear and we will focus on a particular construction: the isogenies VDF (a construction defined by Luca De Feo Christophe Petit and myself ). We try to keep the description as easy as possible simplifying many things, without trying not to worry too much about mathematical rigor (that risks to become mathematical:)), so mathematicians out there I beg your pardon! .

.

With a lot of simplification, an elliptic curve is the set of solutions defined by an equation of the form

y² = x 3 + ax + b

q .

To start doing cryptography with elliptic curves you need a given curve (e.g. NIST curve as P-256 or DJB's Curve 25519) and a fixed base point in the curve. Now to build any crypto system based on elliptic curve we need some operation to work with.

So here some geometric intuition of how we define points addition on a given elliptic curve. Given two pointsand, you draw a line (and given the fact the equation is cubic) the line will hit a curve on a third point, then you take the reflection of itand this defines the result.

But wait, what about a scalar point multiplication? Well continuing with the geometric intuition, if P and Q become more and more near ( P+Q will be lie 2P ) and the line will become a tangent line.

Mathematics of Post Quantum Cryptography

So as you can see above isogeny-based cryptography is one of the candidates, as you can also read in this excellent blog post from Cloudflare

Isogeny-based cryptography

isogeny is a morphism (simply a mapping) described by a rational functions from an elliptic curve E 1 to a second elliptic curve E 2 that preserves point addition. Now if you remember the previous section about elliptic curve cryptography the gist was that we were exchanging points on a (single) curve. This definition of isogeny hints the fact that for isogeny-based cryptography we might instead "exchanging" curves. Well indeed this is actually the case. But let's slow down and go in order. Actually our isogeny story starts backward in 2006 (I hope you'll understand why later) when Charles, Goren and Lauter defined the supersingular elliptic curves. A supersingular elliptic curve is a special form of elliptic curve that is a bit "rare" (the "normal" elliptic curve are called ordinary). This supersingular elliptic curves are basically not suitable for standard elliptic curve cryptography (due something called the MOV attack but would take us too afield to describe it). Said that supersingular elliptic curves are the only one that seems to be useful in isogeny based cryptography!! The intuition of CGL was to use isogenies defined on the supersingular domain in order to walk throughout the graph of supersingular elliptic curve: So what is an isogeny? I guess it is time to define it. So here we go: anis a(simply a) described by afrom an elliptic curveto a second elliptic curvethatNow if you remember the previous section about elliptic curve cryptography the gist was that we were exchanging points on a (single) curve. This definition of isogeny hints the fact that for isogeny-based cryptography we might instead "exchanging" curves. Well indeed this is actually the case. But let's slow down and go in order.Actually our isogeny story starts backward in 2006 (I hope you'll understand why later) whenanddefined the CGL hash function . This hash function is a function defined on the graph ofelliptic curves. A supersingular elliptic curve is a special form of elliptic curve that is a bit "rare" (the "normal" elliptic curve are called). This supersingular elliptic curves are basically not suitable for standard elliptic curve cryptography (due something called the MOV attack but would take us too afield to describe it). Said that supersingular elliptic curves are the only one that seems to be useful in isogeny based cryptography!! The intuition of CGL was to use isogenies defined on the supersingular domain in order to walk throughout the graph of supersingular elliptic curve:

CGL hash function

algebraic closure of the finite field GF(p) (with p being prime) hence GF(p ² ) (remember E is supersingular so the embedding degree is 2), the number of nodes in the above graph will be about p/12 (so in the same magnitude of p ). Now suppose we want to hash a binary message M . First define a starting supersingular elliptic curve then for each bit of the message if the bit is equal to 0 we got to one of the 2 not backtracking route and if the bit is equal to 1 we take the other route/isogeny. This way of proceeding has the outcome of having a random walk in this graph (this is a really well known strategy to build hash functions). The already cited paper by Jao and De Feo used the same machinery to build a Diffie Hellman key exchange (SIDH), you can read about it in this The idea behind CGL is actually pretty neat. Before to describe it we need some notation. Each vertex of the graph above is a different elliptic curve, and each edge is an isogeny between two curves. We also need to mention that in this situation a 2-degree-isogenies (the one used in CGL) starting from a node (elliptic curve) will give you 3 possible routes (isogenies). Apart the starting point we take in consideration only 2 out of this 3 possibilities because we do not want to backtrack (doing this is easy). Last technicality is that given a supersingular curve defined in theof the finite field(with p being prime) hence(rememberis supersingular so the embedding degree is 2), the number of nodes in the above graph will be about(so in the same magnitude of). Now suppose we want to hash a binary message. First define a starting supersingular elliptic curve then for each bit of the message if the bit is equal towe got to one of the 2 not backtracking route and if the bit is equal towe take the other route/isogeny. This way of proceeding has the outcome of having a random walk in this graph (this is a really well known strategy to build hash functions). The already cited paper by Jao and De Feo used the same machinery to build a Diffie Hellman key exchange (), you can read about it in this excellent blog post . The peculiarity of this kind of construction is that it seems this problem is resistant to attackers that can leverage quantum computer. But what has all this to do with a VDF?

Verifiable Delay Functions from Supersingular Isogenies and Pairings

CGL hashing function and SIDH to build an efficient VDF. We can try to force the prover to do a huge walk in the graph and then quickly verify that he did not cheat. The walking part is not a big issue (at the end of the day is what both CGL and SIDH do) but what about the verification? This is indeed where the problems start. It is well known that one of the problem that SIDH suffers is the parameter validation during the key exchange as highlightedPairing-based cryptography. Pairing brought some exiting constructions into the game stuff like Joux's tripartite key exchange or We already described VDFs in the previous post where we also mentioned the existence of 3 VDF constructions. If you want to learn about the 2 constructions based on repeated squaring I'd suggest to read this trail of bits blogpost . This post is dedicated to the isogenies VDF . The idea here is to use the same ideas of thefunction andto build an efficient VDF. We can try to force the prover to do a huge walk in the graph and then quickly verify that he did not cheat. The walking part is not a big issue (at the end of the day is what both CGL and SIDH do) but what about the verification? This is indeed where the problems start. It is well known that one of the problem that SIDH suffers is the parameter validation during the key exchange as highlighted in this paper. For the record this is why SIDH can be used only with ephemeral keys. So we still need a way to validate. So in order to show you the validation we use in the paper I need to introduce yet another cryptographic tool (the last one I swear) called bilinear pairings . Bilinear pairing is at the basic of yet another branch of cryptography called. Pairing brought some exiting constructions into the game stuff likeor BLS signature . Well there is a nice connections between isogenies and pairing showed here (image taken from Luca De Feo's slides ) :

Weil pairing and isogenies

Well it seems that this connections might be useful for our VDFs use case. Let's see how:

Setup: the setup phase of this VDF consists of

Choosing a prime number N Selecting a supersingular curve E Performing a random non-backtracking walk of length T having as outcome the isogeny \(\phi\) and it's dual \(\hat\phi\) (every isogeny has a dual isogeny) Choosing a point P and compute \(\phi(P)\) Output \(\hat\phi,E,E',P,\phi(P)\)

Eval:

Receiving a random point Q Compute \(\hat\phi(Q)\)

Verify

Use the Weil pairing and isogenies formula above to verify that \(\ e_N(P,\hat\phi(Q)) = e_N(\phi(P),Q)\)

T

summarises

GF(p)

GF(p)

GF(p

²)

GF(p

² )

GF(p)

GF(p)

VDF comparison

T

Conclusions

isogenies VDF. In case you want to look into the details refer to you can find some Sage code in https://github.com/isogenies-vdf/isogenies-vdf-sage (kudos to Simon Masson ). This is a really high level simplified description of the. In case you want to look into the details refer to the paper and in case you want to play with it

So believe me or not whenever you connect to a website using https (that I hope is the normality in 2019) your browser (and the website server) are actually doing this weird operations describe above just to allow you to have a safe experience (confidentiality of your data, integrity, yadi-yadi-ya). What is important to remember is that both the browser and the server involved in the TLS handshake exchange points in order to agree on a shared secret. But now what? Well here is the bad news called. Indeed it turns out that all this beautiful math is easily broken by quantum computer algorithm specifically by Shor's algorithm (in particular this algorithm breaks the Discrete Logarithm Problem on Elliptic Curves aka). In the course of the last years NIST started a standardisation process with the aim to have a set of algorithms that will be able to resist to the quantum menace. The set of candidates are now reduced to a few instances and the mathematics behind them is the followingIt must be noted that the pairing computation in thestep is independent from thetimeThis slide taken from Luca De Feo's presenation convenientlyeverything:Now for the isogenist out there I have to also mention that we defined a VDF also for the supersingular curves defined onso without stepping up into the extension field. Now while the VDF's mechanism it might seems similar (and it actually is) the mathematical setting behind thecase and thecase change drammatically. Indeed while in thecase we work on a, for thecase we are in thedomain. Our VDF construction in thecase shares similarities with the key exchange protocol CSIDH and with the VDF based on classbySome closing remarks, looking at the VDF comparison table below:The main advantage of theis that the the, so there is no need to spend extra time to compute it (and store it, did you listen blockchain creators ? you can save space :p ) and as well the Fiat-Shamir transform doesn't need to be part of the game. One other pro about theis the fact that it is(indeed while this VDF employs isogenies it is not quantum resistantdue the use of pairings), this means that an adversary armed with a quantum computer needs to break each VDF instance separately. One other thing that theinherits from BLS signature is the fact that it is also a Verfiable Random Function (VRF) ). With so manyyou would expect there is some little price to pay. This is indeed the case. The main ones are basically two: the setup time is on the same magnituedas the evaluation (said that this is a one of operation), and as for the other VDFs defined in the RSA groups in order to operate it needs either aor a. Said that at NutMiC 2019 Dan Boneh publicly announced a soon to come paper that might solve theissue!