Paper 2023/1251

Verifiable random function from the Deuring correspondence and higher dimensional isogenies

Antonin Leroux, DGA-MI, University of Rennes 1
Abstract

In this paper, we introduce $\mathsf{DeuringVUF}$, a new Verifiable Unpredictable Function (VUF) protocol based on isogenies between supersingular curves. The most interesting application of this VUF is $\mathsf{DeuringVRF}$, a post-quantum Verifiable Random Function (VRF). The main advantage of this new scheme is its compactness, with combined public key and proof size of roughly 450 bytes, which is orders of magnitude smaller than other generic purpose post-quantum VRF constructions. This scheme is also the first post-quantum VRF satisfying unconditional uniqueness. We show that this scheme is practical by providing a first non-optimized C implementation that runs in roughly 20ms for verification and 175ms for evaluation. The function at the heart of our construction is the one that computes the codomain of an isogeny of big prime degree from its kernel. The evaluation can be performed efficiently with the knowledge of the endomorphism ring using a new ideal-to-isogeny algorithm introduced recently by Basso, Dartois, De Feo, Leroux, Maino, Pope, Robert and Wesolowski, which uses the computation of dimension $2$ isogenies between elliptic products to effectively compute the translation of any ideal through the Deuring correspondence. On the other hand, without the knowledge of the endomorphism ring, this computation appears to be hard. The security of our $\mathsf{DeuringVUF}$ holds under a new assumption called the one-more isogeny problem (OMIP). Another application of $\mathsf{DeuringVUF}$ is the first hash-and-sign signature based on isogenies in the standard model. While we don't expect the signature in itself to outperform the recent variants of SQIsign, it remains very competitive in both compactness and efficiency while providing a new framework to build isogeny-based signatures that could lead to new interesting applications. We also introduce several new algorithms for the effective Deuring correspondence. In particular, we introduce an algorithm to translate an ideal whose norm is a big power of a small prime $\ell$ into the corresponding isogeny of dimension $1$, using isogenies between abelian varieties of dimension $2$ as a tool. This algorithm can be used to improve the SQIsign signature scheme.

Note: Improved implementation results

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
VRF, isogenies, deuring correspondence
Contact author(s)
antonin leroux @ polytechnique org
History
2024-10-17: last of 3 revisions
2023-08-18: received
Short URL
https://ia.cr/2023/1251
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1251,
      author = {Antonin Leroux},
      title = {Verifiable random function from the Deuring correspondence and higher dimensional isogenies},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1251},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1251}
}