
On Verifiable Delay Functions (VDF): How to Slow Burning Down the Planet (Verifiably)

Antonio Sanso
November 08, 2019


The year is 2089, Venice is under water and Bitcoin has finally replaced the Dollar as the global reserve currency. Let's try to change the course of events. Verifiable Delay Functions (VDFs) are a fascinating new cryptographic primitive that is revolutionizing the blockchain space. Cryptocurrencies (Bitcoin et al.) whose consensus is based on Proof of Work (PoW) burn a considerable amount of electricity. The promise of a tool like a VDF, used in combination with Proof of Stake or similar techniques, is to eliminate that waste. Several projects (notably Ethereum 2.0 and Chia) are currently evaluating this approach. On top of that, VDFs can be used to build verifiable lotteries, encrypt into the future and much more. In this talk we present what a VDF is and why, due to its peculiar properties, it is actually a rare object in the mathematical universe. We will also see how to construct a simple VDF and give some hints about more complex ones.


Transcript

  1. On Verifiable Delay Functions (VDF): How to Slow Burning Down the Planet (Verifiably). @asanso. Joint work with De Feo, Masson, Petit.
  2. Who is this guy, BTW?
     - Security Researcher @Adobe Research Switzerland
     - Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll, etc.
     - Found vulnerabilities in OpenSSL, Google Chrome, Safari
     - Co-author of "OAuth 2 in Action"
     - PhD student at Ruhr-Universität
     - Obsessed by prime numbers
  3. What is a VDF? A function that: 1. takes T sequential steps to evaluate, even with unbounded parallelism; 2. produces an output that can be verified efficiently, i.e. much faster than evaluating it.
  4. Cryptographic hash functions:
     - Deterministic
     - Hard to guess (output looks random)
     - Infeasible to find two different messages with the same hash value (collision resistance)
     - Infeasible to generate a message that yields a given hash value (preimage resistance)
  5. A VDF minus any one property is "easy":
     - Not verifiable:
     - No delay: easy (many examples in cryptography, e.g. discrete log: given x, checking h = g^x is fast)
     - Not a function: proofs of sequential work (the output is not unique)
  6. VDF application #1: distributed randomness generation (broken version). On a public bulletin board (a blockchain), Alice, Bob, Chloe, …, Zoe each publish a random value r0, r1, r2, …, rn, and Rand = r0 ⊕ r1 ⊕ r2 ⊕ … ⊕ rn. Problem: Zoe publishes last, sees every other ri, and therefore controls the output: she picks rn to force any Rand she likes.
  7. VDF application #1: distributed randomness generation (fixed version). Same bulletin board and contributions r0, r1, r2, …, rn, but now Rand = VDF(Hash(r0, r1, r2, …, rn)). Zoe can still choose rn last, but to learn what a candidate rn does to Rand she must evaluate the VDF, which takes longer than the window in which contributions are accepted, so grinding over candidates gives her nothing.
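Slides 6 and 7 side by side in code, as an added example that is not part of the deck: the XOR beacon lets the last revealer force any output, the plain Hash beacon still lets her grind candidates, and putting a delay in front of the output makes every candidate cost T sequential steps. The contributor values are constructed, and the "VDF" here is only a metered SHA-256 chain standing in for the delay (it has no efficient verification, which is exactly what a real VDF adds); the deadline is modelled as a budget of sequential steps Zoe can spend before reveals close.

```python
import hashlib

# Constructed toy data, not from the slides: 32-bit contributions from Alice,
# Bob and Chloe, already on the bulletin board when Zoe decides on hers.
OTHERS = [0x1F2E3D4C, 0x0BADF00D, 0x13371337]


def xor_beacon(contribs):
    """Slide 6: Rand = r0 xor r1 xor ... xor rn."""
    rand = 0
    for r in contribs:
        rand ^= r
    return rand


def zoe_rigs_xor(others, target):
    """Last-revealer attack: Zoe picks rn so that the beacon equals `target`."""
    return xor_beacon(others) ^ target


def hash_seed(contribs):
    """Slide 7, first half: Hash(r0, r1, ..., rn) as an integer."""
    data = b"".join(r.to_bytes(4, "big") for r in contribs)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class MeteredDelay:
    """Stand-in for the VDF (assumption, not a real VDF): T sequential SHA-256
    iterations. It models only the delay and counts the sequential steps spent,
    which is the resource Zoe runs out of before the reveal deadline."""

    def __init__(self, T):
        self.T = T
        self.steps_used = 0

    def evaluate(self, seed):
        y = seed.to_bytes(32, "big")
        for _ in range(self.T):
            y = hashlib.sha256(y).digest()
            self.steps_used += 1
        return int.from_bytes(y, "big")


def zoe_grinds(others, want_even, max_tries, delay=None, deadline=None):
    """Zoe tries candidate rn values until the beacon output has the parity she
    wants. With Hash alone each try costs one hash. With the delay in front of
    the output each try costs T sequential steps; if her step budget (the
    deadline) cannot cover even one evaluation she learns nothing and gives up.
    Returns the winning rn, or None."""
    for rn in range(max_tries):
        seed = hash_seed(others + [rn])
        if delay is None:
            out = seed
        else:
            if delay.steps_used + delay.T > deadline:
                return None
            out = delay.evaluate(seed)
        if (out % 2 == 0) == want_even:
            return rn
    return None


if __name__ == "__main__":
    rn = zoe_rigs_xor(OTHERS, 0xDEADBEEF)
    print("XOR beacon rigged to", hex(xor_beacon(OTHERS + [rn])))
    print("Hash-only beacon, grind succeeds with rn =", zoe_grinds(OTHERS, True, 256))
    print("Delay T=1000, budget 500 steps:", zoe_grinds(OTHERS, True, 256, MeteredDelay(1000), 500))
```

The last call is the whole point: the parameter that protects the beacon is not the hash but the relation between T and the reveal window. Give Zoe a budget larger than T and `zoe_grinds` succeeds again, so T has to be set from the longest window during which a late contribution is still accepted.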
  8. VDF history (https://vdfresearch.org/):
     - 2018 (12 June): seminal paper by Boneh, Bonneau, Bünz, Fisch (BBBF), no actual VDF implementation
     - 2018 (20 June): Wesolowski's VDF
     - 2018 (22 June): Pietrzak's VDF
     - 2019 (20 February): isogeny VDF by De Feo, Masson, Petit, Sanso (FMPS)
  9. RSA refresher: N = p * q (p and q big prime numbers); e public exponent (e.g. 65537); encryption of s: s^e (mod N).
  10. Time-lock puzzle (RSW '96): N = p * q (p and q big prime numbers), keep p and q secret (a group of unknown order). Evaluate s^(2^T) (mod N), with 2^T being huge: T sequential squarings, and no known shortcut without the factorization. Caveat: whoever knows the factorization of N can cheat. How? The order of the group is φ(N) = (p-1)(q-1), so compute µ = 2^T (mod φ(N)) and evaluate s^µ instead.
  11. MIT LCS35 Time Capsule Crypto-Puzzle: designed by Ron Rivest in 1999: "We estimate that the puzzle will require 35 years of continuous computation to solve". Solved by Bernard Fabrot in 2019 after 3.5 years of computation. Almost concurrently solved by a team at Supranational (led by Simon Peffers) using a novel squaring algorithm designed by Erdinç Öztürk from Sabanci University; their run took about two months!
  12. Wesolowski's VDF (interactive version). Given (g, h), Alice wants to prove to Bob that h = g^(2^T).
     - Bob: choose a random prime l and send it to Alice.
     - Alice: find q and r such that 2^T = q*l + r, compute π = g^q and send π.
     - Bob: compute r = 2^T (mod l) and accept if π^l * g^r = h.
     Why? π^l * g^r = g^(q*l + r) = g^(2^T) = h.
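Slides 10 and 12 carried through in code, as an added example that is not the deck's own: the honest T-squaring evaluation, the trapdoor shortcut through φ(N) that only the factorization holder has, and the interactive proof exchange with Alice's response and Bob's check. The modulus is built from two constructed 30-bit primes purely so the trapdoor can be shown; a real group of unknown order needs a modulus of thousands of bits whose factorization nobody retains, and `is_probable_prime` / `random_prime` are ordinary Miller-Rabin helpers added here to generate Bob's challenge.

```python
import secrets

# Constructed toy parameters, not from the slides (see lead-in).
P, Q = 1_000_000_007, 998_244_353
N = P * Q
PHI = (P - 1) * (Q - 1)  # group order, known only to the trapdoor holder


def vdf_eval(g, T, N=N):
    """Slide 10: h = g^(2^T) mod N by T sequential squarings (honest, slow path)."""
    h = g % N
    for _ in range(T):
        h = h * h % N
    return h


def vdf_eval_trapdoor(g, T, phi=PHI, N=N):
    """Cheating with the factorization: reduce the exponent 2^T mod phi(N)
    first (Euler's theorem, needs gcd(g, N) = 1), then one fast exponentiation."""
    mu = pow(2, T, phi)
    return pow(g, mu, N)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic below ~3.3e24, probabilistic above."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits=128):
    """Bob's challenge on slide 12: a random prime l."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def prover_respond(g, T, l, N=N):
    """Alice: write 2^T = q*l + r and send pi = g^q mod N. For toy T the quotient
    is taken directly; Wesolowski's prover obtains g^q with a T-step long-division
    loop without ever materializing the T-bit number 2^T."""
    q, _r = divmod(1 << T, l)
    return pow(g, q, N)


def verifier_check(g, h, T, l, pi, N=N):
    """Bob: r = 2^T mod l, accept iff pi^l * g^r == h. Two small exponentiations,
    independent of T."""
    r = pow(2, T, l)
    return (pow(pi, l, N) * pow(g, r, N)) % N == h


if __name__ == "__main__":
    g, T = 5, 200
    h = vdf_eval(g, T)
    print("honest == trapdoor:", h == vdf_eval_trapdoor(g, T))
    l = random_prime()
    pi = prover_respond(g, T, l)
    print("Bob accepts (g, h):", verifier_check(g, h, T, l, pi))
    print("Bob accepts (g, h+1):", verifier_check(g, (h + 1) % N, T, l, pi))
```

Note that `verifier_check` never touches T squarings; its cost is dominated by exponents of size log l and log N, which is what makes the verification "efficient" in the VDF definition. The trapdoor function is the reason the RSA-group instantiation needs a trusted setup (slide 13): anyone who keeps p and q can skip the delay entirely.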
  13. Groups of unknown order:
     - RSA group: needs trusted setup!
     - RSA UFO (Unknown Factorization Objects): expensive (N ~ 30k bit)!
     - Class groups of imaginary quadratic fields: no trusted setup, a bit slower than plain RSA
  14. History of elliptic curves (and elliptic curve cryptography):
     - Diophantus (Arithmetica, ~3rd century AD)
     - Henri Poincaré (1901)
     - André Weil (1929)
     - Hendrik Lenstra (1984)
     - Koblitz and, independently, Miller (1985)
  15. What is an elliptic curve? An elliptic curve is the set of solutions of an equation of the form y^2 = x^3 + ax + b, together with a point at infinity.
  16. Elliptic curves over finite fields: y^2 = x^3 + 4x + 20 over the finite field of size 191.
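The curve of slide 16 made concrete, as an added example that is not part of the deck: the chord-and-tangent group law on y^2 = x^3 + 4x + 20 over F_191, a brute-force enumeration of its points (fine at this size), and two sanity checks a practitioner would run on any curve before trusting it, the non-zero discriminant and the Hasse bound on the point count. Function names here are my own.

```python
# Constructed example, not the slides' own code: slide 16's curve
# y^2 = x^3 + 4x + 20 over F_191 with the affine group law.
p, a, b = 191, 4, 20
O = None  # the point at infinity, identity of the group


def is_nonsingular():
    """4a^3 + 27b^2 != 0 mod p, otherwise the cubic has a repeated root."""
    return (4 * a**3 + 27 * b**2) % p != 0


def on_curve(P):
    if P is O:
        return True
    x, y = P
    return (y * y - (x**3 + a * x + b)) % p == 0


def neg(P):
    return O if P is O else (P[0], (-P[1]) % p)


def add(P, Q):
    """Chord-and-tangent addition on affine points."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                     # P + (-P) = O; also 2P when y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P):
    """Scalar multiplication by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def affine_points():
    """Every affine solution, found by brute force over F_p (fine for p = 191)."""
    pts = []
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        for y in range(p):
            if y * y % p == rhs:
                pts.append((x, y))
    return pts


def group_order():
    """#E(F_p) = number of affine points plus the point at infinity."""
    return len(affine_points()) + 1


def hasse_bound_holds():
    """Hasse: |#E(F_p) - (p + 1)| <= 2*sqrt(p)."""
    return (group_order() - (p + 1)) ** 2 <= 4 * p


if __name__ == "__main__":
    print("non-singular:", is_nonsingular())
    n = group_order()
    print("#E(F_191) =", n, "Hasse bound holds:", hasse_bound_holds())
    P = affine_points()[0]
    print("n * P is O:", mul(n, P) is O)
```

Lagrange's theorem gives the last line: the order of any point divides the group order, so multiplying any point by `group_order()` must return the identity, which doubles as a check that the addition formulas are implemented correctly.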
  17. History of isogeny-based cryptography:
     - 1996: Couveignes introduces isogenies in cryptography (paper rejected from Eurocrypt)
     - 2006: Rostovtsev & Stolbunov independently rediscover Couveignes' ideas
     - 2007: Charles, Goren & Lauter propose supersingular isogenies for a "provably secure" hash function
     - 2011: Jao, De Feo introduce SIDH, an efficient post-quantum key exchange
     - 2012: …