-
Notifications
You must be signed in to change notification settings - Fork 2
/
de.tex
1621 lines (1425 loc) · 72.9 KB
/
de.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
\documentclass[runningheads]{llncs}
\usepackage{amsmath,amsfonts,amssymb}
\usepackage{xcolor}
\usepackage{hyperref}
\hypersetup{
unicode=true,
colorlinks=true,
citecolor=blue!70!black,
filecolor=black,
linkcolor=red!70!black,
urlcolor=blue,
pdfstartview={FitH},
}
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\F}{\mathbb{F}}
\renewcommand{\O}{\mathcal{O}}
\DeclareMathOperator{\End}{End}
\DeclareMathOperator{\poly}{poly}
\DeclareMathOperator{\polylog}{polylog}
\DeclareMathOperator{\Setup}{\mathsf{Setup}}
\DeclareMathOperator{\TSetup}{\mathsf{TrustedSetup}}
\DeclareMathOperator{\Extract}{\mathsf{Extract}}
\DeclareMathOperator{\Encaps}{\mathsf{Encaps}}
\DeclareMathOperator{\Decaps}{\mathsf{Decaps}}
%\newcommand{\pp}{\mathsf{pp}}
\newcommand{\ek}{\mathsf{ek}}
\newcommand{\pk}{\mathsf{pk}}
\newcommand{\id}{\mathsf{id}}
\newcommand{\idk}{\mathsf{idk}}
\newcommand{\keyspace}{\mathcal{K}}
\newcommand{\cipherspace}{\mathcal{C}}
\newcommand{\Emid}{E_\mathrm{mid}}
\newcommand{\Qmid}{Q_\mathrm{mid}}
\title{Delay Encryption}
\author{Jeffrey Burdges\inst{1}
\and
Luca De Feo\inst{2}\orcidID{0000-0002-9321-0773}}
\institute{
Web 3, Switzerland
\and
IBM Research Zürich, Switzerland
\email{eurocrypt21@defeo.lu}
}
\begin{document}
\maketitle
\begin{abstract}
We introduce a new primitive named Delay Encryption, and give an
efficient instantation based on isogenies of supersingular curves
and pairings. %
Delay Encryption is related to Time-lock Puzzles and Verifiable
Delay Functions, and can be roughly described as ``time-lock
identity based encryption''. %
It has several applications in distributed protocols, such as
sealed bid Vickrey auctions and electronic voting.
We give an instantiation of Delay Encryption by modifying Boneh and
Frankiln's IBE scheme, where we replace the master secret key by a
long chain of isogenies, as in the isogeny VDF of De Feo, Masson,
Petit and Sanso. %
Similarly to the isogeny-based VDF, our Delay Encryption requires a
trusted setup before parameters can be safely used; our trusted
setup is identical to that of the VDF, thus the same parameters can
be generated once and shared for many executions of both protocols,
with possibly different delay parameters.
We also discuss several topics around delay protocols
based on isogenies that were left untreated by De Feo \emph{et al.},
namely: distributed trusted setup, watermarking, and implementation
issues.
\keywords{Delay functions \and Isogenies \and Pairings \and Supersingular elliptic curves}
\end{abstract}
\section{Introduction}
\label{sec:introduction}
The first appearance of \emph{delay cryptography} was in Rivest,
Shamir and Wagner's~\cite{TLP} \emph{Time-lock Puzzle}, an encryption
primitive where the holder of a trapdoor can encrypt (or decrypt)
``fast'', but where anyone not knowing the trapdoor can only decrypt
(or encrypt) ``slowly''.
Recently, a revival of delay cryptography has been promoted by
research on blockchains, in particular thanks to the introduction of
\emph{Verifiable Delay Functions (VDF)}~\cite{Boneh}: deterministic
functions $f$ that can only be evaluated ``sequentially'' and ``slowly'',
but such that verifying that $y=f(x)$ is ``fast''. %
After their definition, VDFs quickly gained attention, prompting two
independent solutions in the space of a few
weeks~\cite{Wesolowski,Pietrzak}. %
Both proposals are based on repeated squaring in groups of unknown
order, and are similar in spirit to Rivest \emph{et al.}'s Time-lock
Puzzle, however they use no trapdoor.
One year later, another VDF, based on a different algebraic structure,
was proposed by De Feo, Masson, Petit and
Sanso~\cite{10.1007/978-3-030-34578-5_10}. %
This VDF uses chains of supersingular isogenies as ``sequential slow''
functions, and pairings for efficient verification. %
Interestingly, it is not known how to build a Time-lock Puzzle from
isogenies; in this work we introduce a new primitive, in some respects
more powerful than Time-lock Puzzles, that we are able to instantiate
from isogenies.
\subsubsection{Limitations of Time-lock Puzzles.}
Time-lock Puzzles allow one to ``encrypt to the future'', i.e., to
create a puzzle $\pi$ that encapsulates a message $m$ for a set amount
of time $T$. %
They have the following two properties:
\begin{itemize}
\item Puzzle generation is efficient: there exists an algorithm which,
on input the message $m$ and the \emph{delay} $T$, generates $\pi$
in time much less than $T$.
\item Puzzle solving is predictably slow and sequential: on input
$\pi$, the message $m$ can be recovered by a circuit of depth
approximately $T$, and no circuit of depth less than $T$ can
recover $m$ reliably.
\end{itemize}
Time-lock Puzzles can be used to remove trusted parties from
protocols, replacing them with a time-consuming puzzle solving. %
Prototypical applications are auctions and electronic voting, we will
use auctions as a motivating example.
In a highest bidder auction, the easy solution in presence of a
trusted authority is to encrypt bids to the authority, who then
decrypts all the bids and selects the winner. %
Lacking a trusted authority, the standard solution is to divide the
auction in two phases: in the \emph{bidding phase} all bidders commit
to their bids using a commitment; in the \emph{tallying phase} bidders
open their commitments, and the highest bidder wins. %
However, this design has one flaw in contexts where it is required
that all bidders reveal their bids at the end of the auction. %
For example, in \emph{Vickrey auctions}, the highest bidder wins the
auction, but only pays the price of the second highest bid. %
If at the end of the auction some bidders refuse to open their
commitment, the result of the auction may be invalid.
Time-lock Puzzles solve this problem: by having bidders encapsulate
their bid in a Time-lock Puzzle, it is guaranteed that all bids can be
decrypted in the tallying phase. %
However this solution becomes very expensive in large auctions,
because one puzzle per bidder must be solved: if several thousands of
bidders participate, the tallyers must strike a balance between
running thousands of puzzle solving computations in parallel, and
having a tallying phase that is thousands of times longer than the
bidding phase. %
Since Time-lock Puzzles use trapdoors for puzzle generation, a
potential mitigation is to have the bidders reveal their trapdoors in
the tallying phase, thus speeding up decryption; however this does not
help in presence of a large number of uncollaborative bidders.
An elegant solution introduced in~\cite{C:MalThy19} is to use
\emph{Homomorphic Time-lock Puzzles (HTLP)}, i.e., Time-lock Puzzles
where the puzzles can be efficiently combined homomorphically. %
Using these, the tallyers can efficiently evaluate the desired
tallying circuit on the unopen puzzles, and then run only a single
slow puzzle-solving algorithm. %
Unfortunately, the only efficient HTLPs introduced
in~\cite{C:MalThy19} are simply homomorphic (either additively or
multiplicatively), and they are thus only useful for voting; fully
homomorphic TLPs, which are necessary for auctions, are only known
from Fully Homomorphic Encryption~\cite{10.1007/978-3-030-36033-7_16}
or from Indistinguishability Obfuscation~\cite{C:MalThy19}, and are
thus unpractical. %
On top of that, it can be argued that Time-lock Puzzles are not the
appropriate primitive to solve the problem: why do the tallyers need
to run one of two different algorithms to open the puzzles? Are
trapdoors really necessary? %
In this work, we introduce a new primitive, \emph{Delay Encryption},
that arguably solves the problem more straightforwardly and elegantly.
\subsubsection{Delay Encryption.}
Delay Encryption is related to both Time-lock Puzzles and VDFs,
however it does not seem to be subsumed by either. %
It can be viewed as a time-lock analogue of Identity Based Encryption,
where the derivation of individual private keys is sequential and
slow. %
Instead of senders and receivers, Delay Encryption has a concept of
\emph{sessions}. %
A session is defined by a \emph{session identifier}, which must be a
hard to predict string. %
When a session identifier $\id$ is issued, anyone knowing $\id$ can
\emph{encrypt to the session for $\id$}; decryption is however
unfeasible without a \emph{session key}, which is to be derived from
$\id$. %
The defining feature of Delay Encryption is \emph{extraction}: the
process of deriving a session key from a session identifier. %
Extraction must be a sequential and slow operation, designed to run in
time $T$ and no less for almost any $\id$.
Since there are no secrets in Delay Encryption, anyone can run
extraction. %
It is thus important that session identifiers are hard to predict, and
thrown away after the first use, otherwise an attacker may precompute
session keys and immediately decrypt any ciphertext to the sessions.
Delay Encryption is different from known Time-lock Puzzles in that it
has no trapdoor, and from VDFs in that it provides a fast encryption,
rather than just a fast verification. %
It has similar applications to Homomorphic Time-lock Puzzles, it is
however more efficient and solves many problems more
straightforwardly.
\subsubsection{Applications of Delay Encryption.}
We already mentioned the two main applications of Time-lock Puzzles. %
We review here how Delay Encryption offers better solutions.
\paragraph{Vickrey auctions.}
Sealed bid auctions are easily implemented with standard commitments:
in the bidding phase each bidder commits to its bid; later, in the
tallying phase each bidder opens their commitment. %
However this solution is problematic when some bidders may refuse to
open their commitments.
Delay Encryption provides a very natural solution: at the beginning of
the auction an \emph{auction identifier} is selected using some unpredictable
and unbiased randomness, e.g., coming from a randomness beacon. %
After the auction identifier is published, all bidders encrypt to the auction
as senders of a Delay Encryption scheme. %
In the meantime, anyone can start computing the auction key using the
extraction functionality. %
When the \emph{auction key} associated with the auction identifier is known,
anyone in possession of it can decrypt all bids and determine the winner.
\paragraph{Electronic voting.} In electronic voting it is often
required that the partial tally of an election stays unknown until the
end, to avoid influencing the outcome. %
Delay Encryption again solves the problem elegantly: once the
\emph{election identifier} is published, all voters can cast their ballot by
encrypting to it. %
Only after the election key is published, anyone can verify the
outcome by decrypting the ballots. %
Of course this idea can be combined with classical techniques for
anonymity, integrity, etc.
\medskip
In both applications it is evident that the session/auction/election
identifier must be unpredictable and unbiased: if it is not, someone may start
computing the session key before anyone else can, and thus break the
delay property. %
Fortunately, this requirement is easily satisfied by using randomness
beacons, which, conveniently, can be implemented using VDFs.
\subsubsection{Contributions.}
Our main contribution is the introduction of Delay Encryption: we
formally define the primitive and its security, then argue about its
naturalness by relating it to other well known primitives such as IBE
and VDFs.
Building on Boneh and Franklin's IBE
scheme~\cite{doi:10.1137/S0097539701398521}, and on a framework
introduced in~\cite{10.1007/978-3-030-34578-5_10} for VDFs, we give an
instantiation of Delay Encryption from isogeny walks in graphs of
pairing friendly supersingular elliptic curves. %
We prove the security of our instantiation using a new assumption,
related to both the Bilinear Diffie-Hellman assumption typical of
pairing based protocols, and the Isogeny Shortcut assumption used for
isogeny based VDFs.
Additionally, we cover some topics related to isogeny-based delay
functions which apply to both our Delay Encryption and to VDFs, which
were left untreated by~\cite{10.1007/978-3-030-34578-5_10}:
\begin{enumerate}
\item We show how to realize the trusted setup needed in all
isogeny-based delay protocols in a distributed manner, and propose
an efficient implementation based on a new zero-knowledge proof of
isogeny knowledge ---whose security we are only able to prove
heuristically using a non-falsifiable assumption.
\item We show how to claim ``ownership'' of a delay function
evaluation (aka extraction, in the Delay Encryption jargon), by
attaching a ``watermark'' to the result of the evaluation. %
Watermarking can be used in distributed consensus protocols to
reward the party who bears the load of evaluating the delay
function.
\item We provide new elliptic curve representations and isogeny
formulas optimized for the operations occurring in isogeny based
delay functions. %
Based on these, we estimate the length of the isogeny walk needed to
achieve a certain delay, and the size of the associated public
parameters.
\end{enumerate}
\paragraph{Plan.}
Delay Encryption is defined in Section~\ref{sec:definitions}, and our
instantiation is given in Section~\ref{sec:delay-encrypt-from}. %
Each of the following sections discusses one topic related to both
Delay Encryption and VDFs based on isogenies:
Section~\ref{sec:distr-trust-setup} discusses the trusted setup,
Section~\ref{sec:watermarking} covers watermarking,
Section~\ref{sec:secure-impl-isog} introduces the new isogeny formulas
and makes some practical considerations.
\section{Definitions}
\label{sec:definitions}
Our definition of Delay Encryption uses an API similar to a Key
Encapsulation Mechanism: it consists of four algorithms ---$\Setup$,
$\Extract$, $\Encaps$ and $\Decaps$--- with the following interface.
\begin{description}
\item[$\Setup(\lambda, T) \to (\ek,\pk)$.] %
Takes a \emph{security parameter} $\lambda$, a \emph{delay
parameter} $T$, and produces public parameters consisting of an
\emph{extraction key} $\ek$ and an \emph{encryption key} $\pk$. %
$\Setup$ must run in time $\poly(\lambda,T)$; the encryption key
$\pk$ must have size $\poly(\lambda)$, but the evaluation key $\ek$
is allowed to have size $\poly(\lambda,T)$.
\item[$\Extract(\ek,\id) \to \idk$.] %
Takes the extraction key $\ek$ and a \emph{session identifier}
$\id\in\{0,1\}^*$, and outputs a \emph{session key} $\idk$. %
$\Extract$ is expected to run in time \emph{exactly} $T$, see below.
\item[$\Encaps(\pk,\id)\to (c,k)$.] %
Takes the encryption key $\pk$ and a \emph{session identifier}
$\id\in\{0,1\}^*$, and outputs a \emph{ciphertext}
$c\in\cipherspace$ and a \emph{key} $k\in\keyspace$. %
$\Encaps$ must run in time $\poly(\lambda)$.
\item[$\Decaps(\pk,\id,\idk,c)\to k$.] %
Takes the encryption key $\pk$, a \emph{session identifier}
$\id$, a \emph{session key} $\idk$, a ciphertext $c\in\cipherspace$,
and outputs a key $k\in\keyspace$. %
$\Decaps$ must run in time $\poly(\lambda)$.
\end{description}
When $\Encaps$ and $\Decaps$ are combined with a symmetric encryption
scheme keyed by $k$, they become the encryption and decryption
routines of a hybrid encryption scheme, which can then be used as in
the applications described previously. %
Alternatively we could have used a PKE-like API directly, however we
prefer the KEM one as it is closer to known instantiations.
A Delay Encryption scheme is correct if for any
$(\ek,\pk)=\Setup(\lambda,T)$ and any $\id$
\[\idk=\Extract(\ek,\id)
\;\wedge\;
(c,k) = \Encaps(\pk,\id)
\;\Rightarrow\;
\Decaps(\pk,\id,\idk,c) = k.\]
The security of Delay Encryption is defined similarly to that of
public key encryption schemes, and in particular of identity-based
ones; however one additional property is required of $\Extract$: that
for a randomly selected identifier $\id$, the probability that any
algorithm outputs $\idk$ in time less than $T$ is negligible. %
We now give the formal definition.
\paragraph{The security game.} It is apparent from the definitions
that Delay Encryption has no secrets: after public parameters $(\ek,\pk)$
are generated, anyone can run any of the algorithms. %
Thus, the usual notion of indistinguishability will only be defined
with respect to the delay parameter $T$: no adversary is able to
distinguish a key $k$ from a random string in time $T-o(T)$, but
anyone can in time $T$. %
Properly defining what is meant by ``time'' requires fixing a
computation model. %
Here we follow the usual convention from VDFs, and assume a model of
parallel computation: in this context, ``time $T$'' may mean $T$ steps
of a parallel Turing machine, or an arithmetic circuit of depth $T$. %
Crucially, we do not bound the amount of parallelism of the Turing
machine, or the breadth of the circuit, i.e., we focus on
\emph{sequential delay} functions.
We consider the following $\Delta$-IND-CPA game. %
Note that the game involves no oracles, owing to the fact that the
scheme has no secrets. %
%
\begin{description}
\item[Precomputation.] The adversary receives $(\ek,\pk)$ as input, and
outputs an algorithm $\mathcal{D}$. %
\item[Challenge.] The challenger selects a random $\id$ and computes
a key encapsulation $(c,k_0)\gets\Encaps(\pk,\id)$. %
It then picks a uniformly random $k_1\in\keyspace$, and a random bit
$b\in\{0,1\}$. %
Finally, it outputs $(c,k_b,\id)$.
\item[Guess.] Algorithm $\mathcal{D}$ is run on input
$(c,k_b,\id)$. %
The adversary wins if $\mathcal{D}$ terminates in time less than
$\Delta$, and the output is such that $\mathcal{D}(c,k_b,\id) = b$.
\end{description}
We stress that the game is intrinsically non-adaptive, in the sense
that no computation is ``free'' after the adversary has seen the
challenge.
We say a Delay Encryption scheme is \emph{$\Delta$-Delay
Indistinguishable under Chosen Plaintext Attacks} if any
adversary running the precomputation in time
$\poly(\lambda,T)$ has negligible advantage in winning the game. %
Obviously, the interesting schemes are those where $\Delta = T-o(T)$.
\begin{remark}
Although it would be possible to define an analogue of chosen
ciphertext security for Delay Encryption, by giving algorithm
$\mathcal{D}$ access to a decryption oracle for $\id$, it is not
clear what kind of real world attacks this security notion could
model. Indeed, an instantaneous decryption oracle for $\id$ would go
against the idea that the session key $\idk$ needed for decryption
is not known to anyone before time $T$.
Similarly, one could imagine giving $\mathcal{D}$ access to an
extraction oracle, to allow it instantaneous adaptive extraction
queries after the challenge (note that in the precomputation phase
the adversary is free to run polynomially many non-adaptive
extractions). However it is not clear what component of a real world
system could provide such instantaneous extraction in practice,
since extraction is a public (and slow) operation.
\end{remark}
\subsection{Relationship with other primitives}
\paragraph{Delay Encryption and Identity Based Encryption.}
Although there is no formal relationship between Identity Based
Encryption (IBE) and Delay Encryption, the similarity is evident.
Recall that an IBE scheme is a public key encryption with three
parties: a dealer who possesses a master private/public key pair, a
receiver who has an \emph{identity} that acts as its public key (e.g.,
its email address), and a sender who wants to send a message to the
receiver. %
In IBE, the dealer runs an \emph{extraction} on the identity to
generate the receiver's secret key. %
The sender encrypts messages to the receiver using both the identity
and the master public key. %
The receiver decrypts using the master public key and the private key
provided by the dealer.
Delay Encryption follows the same blueprint, but has no secrets:
there is no master key anymore, but only a set of public parameters $(\ek,\pk)$. %
Receiver identities become session identifiers $\id$: public but
unpredictable. %
The dealer is replaced by the public functionality
$\Extract(\ek,\id)$: sequential and slow. %
Senders encrypt messages to the sessions by using $\pk$ and $\id$. %
After extraction has produced $\idk$, anyone can decrypt messages
``sent'' to $\id$ by using $\idk$.
The similarity with IBE is not fortuitous. %
Indeed, the instantiation we present next is obtained from Boneh and
Franklin's IBE scheme~\cite{doi:10.1137/S0097539701398521}, by
replacing the master secret with a public, slow to evaluate, isogeny.
This is analogous to the way De~Feo \emph{et al.}'s
VDF~\cite{10.1007/978-3-030-34578-5_10} is obtained from the
Boneh--Lynn--Shacham signature scheme~\cite{boneh+lynn+shacham04}.
The similarity with IBE will be mirrored both in the reductions we
discuss next, and in the security proof of our instantiation.
\paragraph{Delay Encryption and Verifiable Delay Functions.}
Boneh and Franklin attribute to Naor the observation that IBE implies
signatures. %
The construction is straightforward: messages are encoded to
identities; to sign a message $\id$, simply output the derived private
key $\idk$ associated to it. %
To verify a signature $(\id,\idk)$: run encapsulation to $\id$
obtaining a random $(c,k)$, decapsulate $(\id,\idk,c)$ to obtain $k'$,
and accept the signature if $k=k'$. %
The signature scheme is existentially unforgeable if the IBE scheme is
indistinguishable under chosen ciphertext attacks.
Precisely the same construction shows that Delay Encryption implies
(sequential) Proof of Work. %
Furthermore, if we define \emph{extraction soundness} as the property
that adversaries have negligible chance of finding $\idk\ne\idk'$ such
that
\[\Decaps(\pk,\id,\idk,c) = \Decaps(\pk,\id,\idk',c),\]
then we see that extraction sound Delay Encryption implies Verifiable
Delay Functions. %
It is easily verified that the derived VDF is $\Delta$-sequential if
the Delay Encryption scheme is $\Delta$-IND-CPA.
The signature scheme derived from Boneh and Franklin's IBE is
equivalent to the Boneh--Lynn--Shacham scheme. %
Unsurprisingly, the instantiation of Delay Encryption that we give in
the next section is extraction sound, and the derived VDF is
equivalent to De~Feo \emph{et al.}'s VDF.
\paragraph{Delay Encryption and Time-lock Puzzles.}
Both Delay Encryption and Time-lock Puzzles permit a form of
\emph{encryption to the future}: encrypt a message now, so that it can
only be decrypted at a set time in the future. %
There is no formal definition of Time-lock Puzzles commonly agreed
upon in the literature, it is thus difficult to say what they exactly
are and how they compare to Delay Encryption.
Bitansky \emph{et al.}~\cite{10.1145/2840728.2840745} define
Time-lock Puzzles as two algorithms
\begin{itemize}
\item $\mathsf{Gen}(\lambda,T, s) \to Z$ that takes as input a delay parameter
$T$ and a solution $s\in\{0,1\}^\lambda$, and outputs a puzzle $Z$;
\item $\mathsf{Solve}(Z) \to s$ that takes as input a puzzle $Z$ and
outputs the solution $s$;
\end{itemize}
under the constraints that $\mathsf{Gen}$ runs in time
$\poly(\lambda,\log T)$ and that no algorithm computes $s$ from $Z$ in
parallel time significantly less than $T$.
One might be tempted to construct a Time-lock Puzzle from Delay
Encryption by defining $\mathsf{Gen}$ as follows:
\begin{enumerate}
\item Compute $(\ek,\pk) \gets \Setup(\lambda,T)$;
\item Sample a random $\id\in\{0,1\}^\lambda$;
\item Compute $(c,k) \gets \Encaps(\pk, \id)$;
\item Compute $m = E_k(s)$;
\item Return $(\ek,\pk,\id,c,m)$;
\end{enumerate}
where $E_k$ is a symmetric encryption scheme. %
Then $\mathsf{Solve}$ is naturally defined as
\begin{enumerate}
\item Compute $\idk \gets \Extract(\ek,\id)$;
\item Compute $k \gets \Decaps(\pk,\id,\idk,c)$;
\item Return $s = D_k(m)$;
\end{enumerate}
where $D_k$ is the decryption routine associated to $E_k$. %
However this fails to define a Time-lock Puzzle in the sense above,
because $\Setup$ can take time $\poly(\lambda,T)$ instead of
$\poly(\lambda,\log T)$. %
If we take $\Setup$ out of $\mathsf{Gen}$, though, we obtain something
very similar to what Bitansky \emph{et al.} call Time-lock Puzzles
\emph{with pre-processing}, albeit slightly weaker.%
\footnote{Bitansky \emph{et al.} require pre-processing to run in
sequential time $T\cdot\poly(\lambda)$, but parallel time only
$\poly(\lambda,\log T)$.}
We see no technical obstruction to having $\Setup$ run in time
$\poly(\lambda,\log T)$, and thus being a strictly stronger primitive
than Time-lock Puzzles. %
However our instantiation does not satisfy this stronger notion of
Delay Encryption, and, lacking any other candidate, we prefer to keep
our definitions steeping in reality.
\medskip
To summarize, Delay Encryption is a natural analogue of Identity Based
Encryption in the world of time delay cryptography. %
It requires Proofs of Work to exist, and a mild strengthening of it
(which we are able to instantiate) implies Verifiable Delay
Functions. %
It also implies a weak form of Time-lock Puzzles, and a strengthening
of it (of which we know no instantiation) implies standard Time-lock
Puzzles. %
At the same time, no dependency is known between Time-lock Puzzles and
Verifiable Delay Functions, indicating that Delay Encryption is
possibly a stronger primitive than both.
\section{Delay Encryption from isogenies and pairings}
\label{sec:delay-encrypt-from}
We instantiate Delay Encryption from the same framework De Feo,
Masson, Petit and Sanso used to instantiate Verifiable Delay
Functions~\cite{10.1007/978-3-030-34578-5_10}. %
We briefly recall it here for completeness.
An elliptic curve $E$ over a finite field $\F_{p^n}$ is said to be
supersingular if the trace of its Frobenius endomorphism is divisible
by $p$, i.e., if $\#E(\F_{p^n})=1\mod p$. %
Over the algebraic closure of $\F_p$, there is only a finite number of
isomorphism classes of supersingular curves, and every class contains
a curve defined over $\F_{p^2}$. %
We will only work with supersingular curves $E/\F_{p^2}$ whose group
of $\F_{p^2}$-rational points is isomorphic to ${(\Z/(p+1)\Z)}^2$. %
For these curves, if $N$ is a divisor of $p+1$, we will denote by
$E[N]$ the subgroup of $\F_{p^2}$-rational points of $N$-torsion,
which is isomorphic to ${(\Z/N\Z)}^2$. %
We will write $E[N]^\circ$ for the subset of points in $E[N]$ of order
exactly $N$; when $N$ is prime, this is simply a shorthand for
$E[N] \setminus \{\O\}$.
However, among these curves some will be curves $E/\F_p$ defined over
$\F_p$, seen as curves over $\F_{p^2}$ (in algebraic jargon, with
scalars extended from $\F_p$ to $\F_{p^2}$). %
For this special case, if $N$ is an odd divisor of $p+1$, the
$\F_{p^2}$-rational torsion subgroup $E[N]$ contains two distinguished
subgroups: the subgroup $E[N]\cap E(\F_p)$ of points of order $N$
defined over $\F_p$, which we also denote by $E[(N,\pi-1)]$; and the
subgroup of points of order $N$ not in $E(\F_p)$, but with
$x$-coordinate in $\F_p$, which we denote by $E[(N,\pi+1)]$. %
Again, we write $E[(N,\pi-1)]^\circ$ and $E[(N,\pi+1)]^\circ$ for the
subsets of points of order exactly $N$.
An isogeny is a group morphism of elliptic curves with finite
kernel. %
In particular, isogenies preserve supersingularity. %
Isogenies can be represented by ratios of polynomials, and, like
polynomials, have a \emph{degree}. %
Isogenies of degree $\ell$ are also called $\ell$-isogenies; the
degree is multiplicative with respect to composition, thus
$\deg\phi\circ\psi=\deg\phi\cdot\deg\psi$. %
The degree is an important invariant of isogenies, roughly measuring
the amount of information needed to represent them.
An isogeny graph is a graph whose vertices are isomorphism classes of
elliptic curves, and whose edges are isogenies, under some
restrictions. %
Isogeny-based cryptography mainly uses two types of isogeny graphs:
\begin{itemize}
\item The \emph{full supersingular graph} of (the algebraic closure of)
$\F_p$, whose vertices
are all isomorphism classes of supersingular curves over $\F_{p^2}$,
and whose edges are all isogenies of a prime degree $\ell$;
typically $\ell=2,3$.
\item The \emph{$\F_p$-restricted supersingular graph}, or
\emph{supersingular CM graph} of $\F_p$, whose vertices are all
$\F_p$-isomorphism classes of supersingular curves over $\F_p$, and
whose edges are $\ell$-isogenies for all primes $\ell$ up to some
bound; typically $\ell\lessapprox\lambda\log\lambda$, where
$\lambda$ is the security parameter.
\end{itemize}
Any $\ell$-isogeny $\phi:E\to E'$ has a unique \emph{dual}
$\ell$-isogeny $\hat\phi:E'\to E$ such that
\begin{equation}
\label{eq:adjoin}
e_N'(\phi(P),Q) = e_N(P,\hat\phi(Q)),
\end{equation}
for any integer $N$ and any points $P\in E[N]$, $Q\in E'[N]$, where
$e_N$ is the Weil pairing on $E$, and $e'_N$ the one on $E'$. %
The same equation, with the same $\hat\phi$, also holds for any other
known pairing, such as the Tate and Ate pairings.
The framework of De Feo \emph{et al.} uses chains of small degree
isogenies as delay functions, and the pairing
equation~\eqref{eq:adjoin} as an efficient means to verify the
computation. %
Formally, they propose two related instantiations of VDF, following
the same pattern: they both use the same base field $\F_p$, where $p$
is a prime of the form $p+1=N\cdot f$ with $N$ prime, chosen so that discrete
logarithms in the group of $N$-th roots of unity in $\F_{p^2}$ (the
target group $G_T$ of the pairing) are hard (i.e., $N\approx 2^{2\lambda}$
and $p\sim 2^{\lambda^3}$). %
They have a common trusted setup, independent of the delay parameter,
and the usual functionalities of a VDF:
\begin{description}
\item[Trusted setup] selects a random supersingular elliptic curve $E$
over $\F_p$.
\item[Setup] takes as input $p,N,E$, a delay parameter $T$, and
performs a walk in an $\ell$-isogeny graph to produce a degree
$\ell^T$ isogeny $\phi:E\to E'$.
It also computes a point $P\in E(\F_p)$ of order $N$. %
It outputs $\phi,E',P,\phi(P)$.
\item[Evaluation] takes as input a random point $Q\in E'[N]$ and outputs
$\hat\phi(Q)$.
\item[Verification] uses Eq.~\eqref{eq:adjoin} to check that the value
output by evaluation is $\hat\phi(Q)$ as claimed.
\end{description}
The two variants only differ in the way the isogeny walk is set up,
and in minor details of the verification; these differences will be
irrelevant to us.
The delay property of this VDF rests, roughly speaking, on the
assumption that a chain of $T$ isogenies of small prime degree $\ell$
cannot be computed more efficiently than by going through each of the
isogenies one at a time, sequentially. %
The case $\ell=2$ is very similar to repeated squaring in groups of
unknown order as used by other VDFs~\cite{Wesolowski,Pietrzak} and
Time-lock Puzzles~\cite{TLP}: in groups, one iterates $T$ times the
function $x\mapsto x^2$, a polynomial of degree $2$; in isogeny graphs, one
iterates rational fractions of degree $2$. %
See Section~\ref{sec:secure-impl-isog} for more details.
It is important to remark that both setup and evaluation in these VDFs
are ``slow'' algorithms, indeed both need to evaluate an isogeny chain
(either $\phi$, or $\hat\phi$) at one input point of order $N$; this
is in stark contrast with VDFs based on groups of unknown order, where
the setup, and thus its complexity, is independent of the delay
parameter $T$.
\subsection{Instantiation}
The isogeny-based VDF of De Feo \emph{et al.}\ can be understood as a
modification on the Boneh--Lynn--Shacham~\cite{boneh+lynn+shacham04}
signature scheme, where the secret key is replaced by a long chain of
isogenies: signing becomes a ``slow'' operation and thus realizes the
evaluation function, whereas verification stays efficient.
Similarly, we obtain a Delay Encryption scheme by modifying the IBE
scheme of Boneh and Franklin~\cite{doi:10.1137/S0097539701398521}: the
master secret is replaced by a long chain of isogenies, while session
identifiers play the role of identities, so that producing the
decryption key for a given identity becomes a slow operation.
Concretely, setup is identical to that of the VDF. %
A prime of the form $p=4\cdot N\cdot f - 1$ is fixed according to the
security parameter, then setup is actually split into two algorithms:
a $\TSetup$ independent of the delay parameter $T$ and reusable for
arbitrarily many untrusted setups, and a $\Setup$ which depends on
$T$.
\begin{description}
\item[$\TSetup(\lambda)$.]\
Generate a nearly uniformly random supersingular curve
$E/\F_p$ by starting from the curve $y^2=x^3+x$ and performing a
random walk in the $\F_p$-restricted supersingular graph. %
Output $E$.
\item[$\Setup(E,T)$.]\
\begin{enumerate}
\item Perform an $\ell$-isogeny walk $\phi:E\to E'$ of length $T$;
\item Select a random point $P\in E(\F_p)$ of order $N$, and compute
$\phi(P)$;
\item Output $\ek:=(E',\phi)$ and $\pk:=(E',P,\phi(P))$.
\end{enumerate}
\end{description}
We stress that known homomorphic Time-lock Puzzles~\cite{C:MalThy19}
also require a one-shot trusted setup. %
Furthermore, unlike constructions based on RSA groups,
there is no evidence that trusted setup is unavoidable for
isogeny-based delay functions, and indeed removing this trusted setup
is an active area of
research~\cite{10.1007/978-3-030-45724-2_18,love2020supersingular}.
The isogeny chain $\phi$ in $\Setup$ can be generated by any of the
two methods proposed by De Feo \emph{et al.}, the difference will be
immaterial for Delay Encryption; as discussed
in~\cite{10.1007/978-3-030-34578-5_10}, a (deterministic) walk limited
to curves and isogenies defined over $\F_p$ will be more efficient,
however a generic (pseudorandom) walk over $\F_{p^2}$ will offer some
partial protection against quantum attacks.
Before defining the other routines, we need two hash functions. %
The first, $H_1:\{0,1\}^\lambda\to E'[N]^\circ$, will be used to hash session
identifiers to points of order $N$ in $E'/\F_{p^2}$ (although the
curve $E'$ may be defined over $\F_p$). %
The second, $H_2:\F_{p^2}\to\{0,1\}^\lambda$, will be a key derivation
function. %
\begin{description}
\item[$\Extract(E,E',\phi,\id)$.]\
\begin{enumerate}
\item Let $Q = H_1(\id)$;
\item Output $\hat\phi(Q)$.
\end{enumerate}
\item[$\Encaps(E,E',P,\phi(P),\id)$.]\
\begin{enumerate}
\item Select a uniformly random $r\in\Z/N\Z$;
\item Let $Q = H_1(\id)$;
\item Let $k=e_N'(\phi(P),Q)^r$;
\item Output $(rP,H_2(k))$.
\end{enumerate}
\item[$\Decaps(E,E',\hat\phi(Q),rP)$.]\
\begin{enumerate}
\item Let $k = e_N(rP,\hat\phi(Q))$.
\item Output $H_2(k)$.
\end{enumerate}
\end{description}
Correctness of the scheme follows immediately from
Eq.~\eqref{eq:adjoin} and the bilinearity of the pairing. %
\begin{remark}
Notice that two hashed identities $Q,Q'$ such that
$Q-Q'\in \langle P\rangle$ are equivalent for encapsulation and
decapsulation purposes, and thus an adversary only needs to compute
the image of one of them under $\hat\phi$. %
However, if we model $H_1$ as a random oracle, the probability of
two identities colliding remains negligible (about $1/N$).
Alternatively, if $E'$ is defined over $\F_p$, one can restrict the
image of $H_1$ to $E'[(N,\pi+1)]$, like
in~\cite{10.1007/978-3-030-34578-5_10}.
\end{remark}
\subsection{Security}
To prove security of their VDF schemes, De~Feo \emph{et al.} defined
the following \emph{isogeny shortcut game}:
\begin{description}
\item[Precomputation.] The adversary receives $N,p,E,E',\phi$, and
outputs an algorithm $\mathcal{S}$ (in time $\poly(\lambda,T)$).
\item[Challenge.] The challenger outputs a uniformly random
$Q\in E'[N]$.
\item[Guess.] The algorithm $\mathcal{S}$ is run on input $Q$. The
adversary wins if $\mathcal{S}$ terminates in time less than
$\Delta$, and $\mathcal{S}(Q) = \hat\phi(Q)$.
\end{description}
However, it is clear that the $\Delta$-hardness of this game is
insufficient to prove $\Delta$-IND-CPA security of our Delay
Encryption scheme. %
Indeed, while the hardness of the isogeny shortcut obviously
guarantees that the output of $\Extract$ cannot be computed in time
less than $\Delta$, there is at least one other way to decapsulate a
ciphertext $rP$, which consists in evaluating $\phi(rP)$ and computing
$k=e_N'(\phi(rP), Q)$. %
Computing $\phi(rP)$ is expected to be at least as ``slow'' as
computing $\hat\phi(Q)$, however this fact is not captured by the
isogeny shortcut game.
Instead, we define a new security assumption, analogous to the
Bilinear Diffie-Hellman assumption used in standard pairing-based
protocols. %
The \emph{bilinear isogeny shortcut game} is defined as follows:
\begin{description}
\item[Precomputation.] The adversary receives $p,N,E,E',\phi$, and
outputs an algorithm $\mathcal{S}$.
\item[Challenge.] The challenger outputs uniformly random
$R\in E[(N,\pi-1)]$ and $Q\in E'[N]$.
\item[Guess.] Algorithm $\mathcal{S}$ is run on $(R,Q)$. The adversary
wins if $\mathcal{S}$ outputs
$\mathcal{S}(R,Q) = e_N'(\phi(R),Q) = e_N(R,\hat\phi(Q))$.
\end{description}
We say that the bilinear isogeny shortcut game is $\Delta$-hard if no
adversary running the precomputation in time $\poly(\lambda,T)$
produces an algorithm $\mathcal{S}$ that wins in time less than
$\Delta$ with non-negligible probability. %
The reduction to $\Delta$-IND-CPA of our Delay Encryption scheme
closely follows the proof of security of Boneh and Franklin's IBE
scheme.
\begin{theorem}
The Delay Encryption scheme presented above is $\Delta$-IND-CPA
secure, assuming the $\Delta'$-hardness of the bilinear isogeny
shortcut game, with $\Delta\in\Delta' - o(\Delta')$, when $H_1$ and
$H_2$ are modeled as random oracles.
Concretely, suppose there is a $\Delta$-IND-CPA adversary
$\mathcal{A}$ with advantage $\epsilon$ and complexity $\poly(\lambda,T)$,
making $q$ queries
to $H_2$ (including the queries made by the sub-algorithm
$\mathcal{D}$). Then there is a $\poly(\lambda,T)$ algorithm $\mathcal{B}$
that wins the bilinear isogeny shortcut game with probability at
least $2\epsilon/q$ and delay $\Delta' = \Delta + q\cdot\poly(\lambda)$.
\end{theorem}
\begin{proof}
In the precomputation phase, when $\mathcal{B}$ receives the
parameters $p$, $N$, $E$, $E'$, $\phi$, it draws a random $P\in E(\F_p)$ of
order $N$, and evaluates $\phi(P)$. %
It then passes $p,N,E,E',\phi,P,\phi(P)$ to $\mathcal{A}$ for its
own precomputation phase. %
Whenever $\mathcal{A}$ makes calls to $H_1$ or $H_2$, algorithm
$\mathcal{B}$ checks whether the input has already been requested,
in which case it responds with the same answer previously given,
otherwise it responds with a uniformly sampled output and records
the query.
When $\mathcal{A}$ requests its challenge, $\mathcal{B}$ does the
same, receiving $R\in E[(N,\pi-1)]$ and $Q\in E'[N]$. %
If $R$ or $Q$ is the point at infinity, it outputs $1$ and
terminates. %
Otherwise it draws a random string $s\in\{0,1\}^\lambda$, a random
$\id\in\{0,1\}^\lambda$ that was not already queried to $H_1$, it
programs the random oracle so that $H_1(\id) = Q$, and challenges
$\mathcal{A}$ with the tuple $(R,s,\id)$.
During the guessing phase, whenever $\mathcal{A}$ (actually,
$\mathcal{D}$) makes a call to $H_1$ or $H_2$, algorithm $\mathcal{B}$
(actually, $\mathcal{S})$ responds as before. %
Finally, when $\mathcal{D}$ outputs its guess, $\mathcal{S}$ simply
returns a random entry among those that were queried to $H_2$.
Let $\mathcal{H}$ be the event that $\mathcal{A}$ (or $\mathcal{D}$)
queries $H_2$ on input $e_N(R,\hat\phi(Q))$. %
We prove that $\Pr(\mathcal{H}) \ge 2\epsilon$, which immediately
gives the claim of the theorem. %
To this end, we first prove that $\Pr(\mathcal{H})$ in the
simulation is equal to $\Pr(\mathcal{H})$ in the real attack; then
we prove that $\Pr(\mathcal{H})\ge 2\epsilon$ in the real attack.
To prove the first claim, it suffices to show that the simulation is
indistinguishable from the real world for $\mathcal{A}$. %
Indeed, public parameters are distributed identically to a Delay
Encryption scheme, and the point $R$ that is part of the challenge
is necessarily a multiple of $P$, since $E[(N,\pi-1)]$ is cyclic. %
The proof that the two probabilities are equal, then proceeds as in
\cite[Lemma~4.3, Claim~1]{doi:10.1137/S0097539701398521}.
The proof that $\Pr(\mathcal{H})\ge 2\epsilon$ is identical to
\cite[Lemma~4.3, Claim~2]{doi:10.1137/S0097539701398521}. %
This proves the part of the statement on the winning probability of
$\mathcal{B}$.
If Algorithm $\mathcal{D}$ runs in time less than $\Delta$,
algorithm $\mathcal{S}$ runs in the same time, plus the time
necessary for drawing the random string $s$ and for answering
queries to $H_2$. %
Depending on the computational model, a lookup in the table for
$H_2$ can take anywhere from $O(1)$ (e.g., RAM model) to $O(q)$
(e.g., Turing machine). %
We err on the safe side, and estimate that $\mathcal{S}$ runs in
time less than $\Delta + q\cdot\poly(\lambda)$.
\end{proof}
\subsection{Known Attacks}
We now shift our attention to attacks. %
As discussed in~\cite{10.1007/978-3-030-34578-5_10}, there are three
types of known attacks: \emph{shortcut} attacks, discrete logarithm
attacks, and attacks on the computation.
Parameters for a Delay Encryption scheme must be chosen so that all
known attacks have exponential difficulty in the security parameter
$\lambda$. %
Given that (total) attacks successfully compute decapsulation in
exponential time in $\lambda$, it is evident that the delay parameter
$T$ must grow at most subexponentially in $\lambda$.
\paragraph{Shortcut attacks} aim at computing a shorter path
$\psi:E\to E'$ in the isogeny graph from the knowledge of
$\phi:E\to E'$. %
The name should not be confused with the isogeny shortcut game
described above, as shortcut attacks are only one of the possible ways
to beat the game.
De Feo \emph{et al.}\ show that shortcut attacks are possible when the
endomorphism ring of at least one of $E$ or $E'$ is known. %
Indeed, in this case, the isogeny $\phi$ can be translated to an ideal
class in the endomorphism ring, then smoothing techniques similar
to~\cite{kohel2014quaternion} let us convert the ideal to one of
smaller norm, and finally to an isogeny $\psi:E\to E'$ of smaller
degree.
The only way out of these attacks is to select the starting curve $E$
as a uniformly random supersingular curve over $\F_p$, then no
efficient algorithm is known to compute $\End(E)$, nor $\End(E')$. %
Unfortunately, the only way we currently know to sample nearly
uniformly in the supersingular class over $\F_p$, is,
paraphrasing~\cite{galbraith2018computational}, to choose the
endomorphism ring first and then compute $E$ given $\End(E)$.
Thus, the solution put forth in~\cite{10.1007/978-3-030-34578-5_10} is
to generate the starting curve $E$ via a trusted setup that first
selects $\End(E)$, and then outputs $E$ and throws away the
information about its endomorphism ring. %
We stress that, given a random supersingular curve $E$, computing
$\End(E)$ is a well known hard problem, upon which almost most of
isogeny-based cryptography is founded. %
We explain in the next section how to mitigate the inconvenience of
having a trusted setup, using a distributed protocol.
As stressed in~\cite{10.1007/978-3-030-34578-5_10}, there is no
evidence that ``hashing'' in the supersingular class, i.e., sampling
nearly uniformly without gaining knowledge of the endomorphism ring,
should be a hard problem. %
But there is no evidence it should be easy either, and several
attempts have failed
already~\cite{10.1007/978-3-030-45724-2_18,love2020supersingular}.
Another possibility hinted at in~\cite{10.1007/978-3-030-34578-5_10}
would be to generate ordinary pairing friendly curves with large
isogeny class, as the shortcut attack is then thwarted by the
difficulty of computing the order of the class group of the
endomorphism ring. %
However finding such curves possibly seems an even harder problem than
hashing to the supersingular class.
\paragraph{Discrete logarithm attacks} compute $\hat\phi(Q)$ by
directly solving the pairing equation~\eqref{eq:adjoin}. %
In our case, we can even directly attack the key encapsulation. %
Indeed, knowing $rP$, we obtain $r$ through a discrete logarithm, and
then compute $k=e_N'(\phi(P),Q)^r$.
Thanks to the efficiently computable pairing, the discrete logarithm
can actually be solved in $\F_{p^2}$, which justifies taking $p,N$
large enough to resist finite field discrete logarithm computations. %
Obviously, this also shows that our scheme is easily broken by quantum
computers. %
See~\cite{10.1007/978-3-030-34578-5_10}, however, for a discussion of
how a setup with pseudo-random walks over $\F_{p^2}$ resists quantum
attacks in a world where quantum computers are available, but much
slower than classical ones.
\paragraph{Attacks on the computation} do not seek to deviate from the
description of the protocol, but simply try to speed up $\Extract$
beyond the way officially prescribed by the scheme. %
In this sort of attacks, the adversary may be given more resources
than the legitimate user: for example, it may be allowed a very large
precomputation, or it may dispose of an unbounded amount of
parallelism, or it may have access to an architecture not available to
the user (e.g., a quantum computer).
These attacks are the most challenging to analyze, because standard
com\-plexity-theoretical techniques are of little help here. %
% (see, however~\cite{todo})
On some level, this goal is unachievable: given a sufficiently
abstract computational model, and a sufficiently powerful adversary,