Slide 1

Slide 1 text

On Verifiable Delay Functions (VDF): How to Slow Burning Down the Planet (Verifiably) @asanso Joint work with De Feo, Masson, Petit

Slide 2

Slide 2 text

Can two women have a baby in 4.5 months? © Ron Rivest

Slide 3

Slide 3 text

Agenda
• Definition
• Applications
• Constructions
• Conclusions

Slide 4

Slide 4 text

Who is this guy, BTW?
• Security Researcher @Adobe Research Switzerland
• Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll, etc.
• Found vulnerabilities in OpenSSL, Google Chrome, Safari
• Co-Author of “OAuth 2 in Action”
• PhD Student, Ruhr Universität
• Obsessed by prime numbers

Slide 5

Slide 5 text

What is a VDF? A function that:
1. Takes T steps to evaluate even with unbounded parallelism
2. The output can be verified efficiently

Slide 6

Slide 6 text

What is a VDF? • Function • Delay • Verifiable ✓

Slide 7

Slide 7 text

Cryptographic Hash functions
• Deterministic
• Hard to guess
• Infeasible to find two different messages with the same hash value
• Infeasible to generate a message that yields a given hash value ()

Slide 8

Slide 8 text

VDF minus any property is “easy”
• Not Verifiable:
• No Delay: Easy (many examples in cryptography, e.g. Discrete Log)
• Not Function: Proof of sequential work

Slide 9

Slide 9 text

VDF • Setup • Evaluation • Verification

Slide 10

Slide 10 text

VDF Application #1 Generate verifiable randomness Only 3 balls drawn! Five Numbers Shown!!

Slide 11

Slide 11 text

VDF Application #1: Distributed generation (broken)
Public Bulletin Board / Blockchain
Alice → r0, Bob → r1, Chloe → r2, …, Zoe → rn
Rand = r0 ⊕ r1 ⊕ r2 ⊕ … ⊕ rn
Problem: Zoe has control of the output

Slide 12

Slide 12 text

VDF Application #1: Distributed generation
Public Bulletin Board / Blockchain
Alice → r0, Bob → r1, Chloe → r2, …, Zoe → rn
Hash(r0, r1, r2, …, rn) → VDF → Rand output

Slide 13

Slide 13 text

VDF Application #2 Blockchains

Slide 14

Slide 14 text

VDF Application #2 Blockchains

Slide 15

Slide 15 text

VDF Application #2 Blockchains

Slide 16

Slide 16 text

VDF History
https://vdfresearch.org/
- 2018 (12 June): Seminal paper by Boneh, Bonneau, Bünz, Fisch (BBBF), no actual VDF implementation
- 2018 (20 June): Wesolowski’s VDF
- 2018 (22 June): Pietrzak’s VDF
- 2019 (20 February): Isogenies VDF by De Feo, Masson, Petit, Sanso (FMPS)

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

VDF #1 and #2 Wesolowski & Pietrzak

Slide 20

Slide 20 text

RSA Refresher
N = p * q (p and q big prime numbers)
e: public exponent (e.g. 65537)
Encryption: secret^e (mod N)

Slide 21

Slide 21 text

Time Lock puzzle (RSW ‘96)
N = p * q (p and q big prime numbers), and keep p and q secret (group of unknown order)
Evaluate s^(2^T) (mod N), with 2^T being huge
Caveat: whoever knows the factorization of N can cheat. How? → µ = 2^T (mod φ(N)), compute s^µ instead
Order = φ(N) = (p-1)(q-1)
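Added example (not from the original slides): the slow evaluation and the φ(N) shortcut side by side. It goes one step beyond the slide by using the shortcut the way the RSW puzzle creator does, to lock a value behind T squarings. The toy primes and the names slow_eval, trapdoor_eval, lock and unlock are assumptions made for illustration.

```python
# Toy primes (both Mersenne primes), constructed for this example.
# A real puzzle uses secret primes of about 1024 bits each.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)  # group order; only computable from P and Q

def slow_eval(s, T):
    """s^(2^T) mod N by T sequential squarings (the only route without PHI)."""
    for _ in range(T):
        s = s * s % N
    return s

def trapdoor_eval(s, T):
    """Same value via mu = 2^T mod PHI, then s^mu. Requires gcd(s, N) == 1."""
    mu = pow(2, T, PHI)
    return pow(s, mu, N)

def lock(secret, s, T):
    """Puzzle creator: mask `secret` (< N) with s^(2^T), computed via the trapdoor."""
    return (secret + trapdoor_eval(s, T)) % N

def unlock(puzzle, s, T):
    """Solver: no factorization, so all T squarings must be done in sequence."""
    return (puzzle - slow_eval(s, T)) % N
```

This is why a VDF over an RSA group needs a setup in which nobody keeps p and q: anyone holding them skips the delay.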

Slide 22

Slide 22 text

MIT LCS35 Time Capsule Crypto-Puzzle
• Designed by Ron Rivest in 1999: “We estimate that the puzzle will require 35 years of continuous computation to solve”
• Solved by Bernard Fabrot in 2019 (3.5 years of computation)
• Almost concurrently solved by a team at Supranational (led by Simon Peffers) using a novel squaring algorithm (ran for 2 months!!!), designed by Erdinç Öztürk from Sabanci University

Slide 23

Slide 23 text

Wesolowski & Pietrzak Time Lock Puzzle + Fast Verification (without revealing the group’s order)

Slide 24

Slide 24 text

Wesolowski’s VDF (Interactive version)
Given (g, h), Alice wants to prove to Bob that h = g^(2^T)
Bob: choose a random prime l and send l to Alice
Alice: find q and r s.t. 2^T = q·l + r
= q
Bob: compute r = 2^T (mod l)
Accept if = h
Why? →

Slide 25

Slide 25 text

Wesolowski’s VDF (Non interactive version) Apply Fiat-Shamir heuristic l = next_prime(hash(g,h,T))
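Added example (not from the original slides): the non-interactive Wesolowski proof and check on a toy modulus. In the standard construction the proof is π = g^q mod N with 2^T = q·l + r, and the verifier accepts if π^l · g^r = h (mod N). The modulus, the function names and the 64-bit hash-to-prime are assumptions made for illustration.

```python
import hashlib

# Toy modulus from two Mersenne primes (constructed); a real N is ~2048 bits, factors unknown.
N = (2**31 - 1) * (2**61 - 1)

def is_prime(n):
    # Miller-Rabin for odd n > 37; these bases are deterministic below 3.3e24.
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % p == 0 for p in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def fiat_shamir_prime(g, h, T):
    """l = next_prime(hash(g, h, T)), from 64 bits of SHA-256 (toy size)."""
    digest = hashlib.sha256(f"{g}|{h}|{T}".encode()).digest()
    l = int.from_bytes(digest[:8], "big") | (1 << 63) | 1
    while not is_prime(l):
        l += 2
    return l

def evaluate(g, T):
    """h = g^(2^T) mod N by T sequential squarings (the delay)."""
    for _ in range(T):
        g = g * g % N
    return g

def prove(g, h, T):
    """pi = g^q mod N, where 2^T = q*l + r."""
    l = fiat_shamir_prime(g, h, T)
    return pow(g, (1 << T) // l, N)

def verify(g, h, pi, T):
    """Accept iff pi^l * g^r == h (mod N), with r = 2^T mod l."""
    l = fiat_shamir_prime(g, h, T)
    r = pow(2, T, l)
    return pow(pi, l, N) * pow(g, r, N) % N == h % N
```

The verifier does two short exponentiations regardless of T, while the evaluator cannot avoid the T squarings unless it knows the group order.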

Slide 26

Slide 26 text

Pietrzak’s vs. Wesolowski’s VDF Pietrzak Wesolowski Faster Proof Computation Faster Proof Verification Shorter proof

Slide 27

Slide 27 text

Groups of Unknown Order
• RSA group → Needs trusted setup!
• RSA UFO (Unknown Factorization Objects) → Expensive (N ~ 30k bit)!
• Class groups of imaginary quadratic field → No trusted setup, a bit slower than plain RSA

Slide 28

Slide 28 text

Isogeny VDF (De Feo, Masson, Petit, Sanso) Isogeny

Slide 29

Slide 29 text

History of Elliptic Curve (Cryptography) • Diophantus (Arithmetica ~3rd century AD) • Henri Poincaré (1901) • André Weil (1929) • Hendrik Lenstra (1984) • Koblitz and independently Miller (1985)

Slide 30

Slide 30 text

What is an Elliptic Curve
An elliptic curve is the set of solutions defined by an equation of the form y^2 = x^3 + ax + b

Slide 31

Slide 31 text

Elliptic Curve Cryptography P Q R

Slide 32

Slide 32 text

Elliptic Curve Addition P Q R -R = P ⊕ R

Slide 33

Slide 33 text

Elliptic Curve Point Multiplication P R -R = 2P

Slide 34

Slide 34 text

Elliptic Curve over Finite Fields
y^2 = x^3 + 4x + 20 over a finite field of size 191

Slide 35

Slide 35 text

Isogeny-Based Cryptography © Craig Costello

Slide 36

Slide 36 text

History of isogeny-based cryptography
- 1996: Couveignes introduces isogeny in cryptography (paper rejected at Eurocrypt)
- 2006: Rostovtsev & Stolbunov independently rediscover Couveignes’ ideas
- 2007: Charles, Goren & Lauter propose supersingular for a “provably secure” hash function
- 2011: Jao, De Feo introduce SIDH, an efficient post-quantum key exchange (SIDH)
- 2012: …

Slide 37

Slide 37 text

Isogeny VDF © science.sciencemag.org

Slide 38

Slide 38 text

© Luca De Feo

Slide 39

Slide 39 text

VDF Comparison

Slide 40

Slide 40 text

Proof of Work (simplified) VDF Application #2 Blockchains () 0000 … … Find s.t. = 0000 … … .

Slide 41

Slide 41 text

Proof of Stake + Random (VDF)

Slide 42

Slide 42 text

Ethereum 2.0 Proof of Stake + Wesolowski’s VDF RSA Group + Multi Party Computation (MPC)

Slide 43

Slide 43 text

Chia Proof of Space + Wesolowski’s VDF Class groups of imaginary quadratic field

Slide 44

Slide 44 text

Polkadot Isogenies VDF ?

Slide 45

Slide 45 text

Other VDF Applications
• Protection against DoS
• CAPTCHA protection
• Workflow steps

Slide 46

Slide 46 text

Can two women have a baby in 4.5 months? © Ron Rivest

Slide 47

Slide 47 text

Questions?