Verifiable delay functions and delay encryptions from hyperelliptic curves

Verifiable delay functions (VDFs) and delay encryptions (DEs) are two important primitives in decentralized systems, while existing constructions are mainly based on time-lock puzzles. A disparate framework has been established by applying isogenies and pairings on elliptic curves. Following this line, we first employ Richelot isogenies and non-degenerate pairings from hyperelliptic curves for a new verifiable delay function, such that no auxiliary proof and interaction are needed for the verification. Then, we demonstrate that our scheme satisfies all security requirements, in particular, our VDF can resist several attacks, including the latest attacks for SIDH. Besides, resorting to the same techniques, a secure delay encryption from hyperelliptic curves is constructed by modifying Boneh and Frankiln’s IBE scheme, which shares the identical setup with our VDF scheme. As far as we know, these schemes are the first cryptographic applications from high-genus isogenies apart from basic protocols, i.e., hash functions and key exchange protocols.

Verifiable delay function (VDF), first introduced by Boneh et al. (2018), is a function \(f: {\mathcal {X}} \rightarrow {\mathcal {Y}}\) that requires a prescribed amount of time for evaluations, even if many parallel computation resources are employed, while the result can be verified efficiently. The most crucial requirement demands that evaluation, as a slow function, must be realized in at least T sequential steps and no acceleration exists. Such scheme allows a prover to demonstrate that a certain amount of time has elapsed. Furthermore, the VDFs with more functionality, e.g., tight VDFs (Döttling et al. 2020) and continuous VDFs (Ephraim et al. 2020), were also proposed for particular situations.

Due to efficient verifications, VDFs have been applied broadly in cryptography, especially for the decentralized setting. A direct application is to construct a trustworthy randomness beacon (Rabin 1983), where the beacon is given by a VDF with a long delay on the entropy source, so the malicious participant can not obtain his advantages to adjust the market within a short time. Furthermore, based on the “commit-and-reveal” paradigm, multiparty randomness can be achieved by replacing commitments with VDFs, illustrated in Lenstra and Wesolowski (2017). Another usage of VDFs is to lower the energy consumption of blockchains based on proofs-of-work. Namely, an ingenious method (Cohen and Pietrzak 2018) combines proofs-of-resources with incremental VDFs to achieve Consensus from Proof of Resources. Moreover, proof of data replication (Armknecht et al. 2016; Juels and Kaliski 2007) and computational timestamping (Kiayias et al. 2017) can be realized with VDFs, where more discussions can be found in Boneh et al. (2018).

After the proposal of VDF (Boneh et al. 2018), various instantiations have been established, where VDF can be directly achieved using incrementally verifiable computation (Valiant 2008). Apart from the high-level ideas, class groups and injective rational maps have been leveraged for establishing VDFs (Boneh et al. 2018; Wesolowski 2020).

In practice, computing modular exponentiation is an elegant choice for sequentially slow evaluation functions, where extracting modular square roots in \(\mathbb {F}_p\) (Dwork and Naor 1992) and repeated squaring in an RSA group (Rivest et al. 1996) were instantiated for this problem. Thus, a natural idea is to modify the above functions for practical VDF schemes. Specifically, the first can be efficiently verified by a modular square, so it turns out to be a VDF immediately (Boneh et al. 2018). Regrettably, the delay parameter of this approach is only about \(O(\log p)\), which would be smaller considering the parallelism of field multiplications, where Lenstra and Wesolowski (2017) introduced Sloth to realize parallel computation for modular square roots.

In contrast, the second was generated from the famous time-lock puzzles (Rivest et al. 1996), i.e., utilizing RSA modulus \(N=pq\), the puzzle is \(y=x^{2^T} \bmod N\) from a random \(x \in \mathbb {Z}^*_N\). Besides, one obtaining \(\varphi (N)\) can evaluate y efficiently via reducing the exponent \(e \equiv 2^T \bmod \varphi (N)\), while others must compute T sequential modular squares. Following this line, Wesolowski (2020) established an efficient interactive protocol to verify the output y publicly, being non-interactive via the Fiat–Shamir paradigm (Fiat and Shamir 1986). Namely, the verifier sends a random small prime \(\ell\), and the prover replies with \(z=x^{\lfloor 2^T /\ell \rfloor }\), then the verifier accepts when \(y=z^\ell x^r\) with \(r= 2^T \bmod \ell\). To reduce the proof size, Pietrzak (2019) introduced another interactive protocol via substituting \(\mathbb {Z}_N^*\) by the group \(QR_N^+:=\{\left| x\right| ; x= z^2 \bmod N, z \in \mathbb {Z}_N^*\}\) with two strong primes p and q, so that the prover outputs a proof with \(O(\log T)\) group elements and the verification only needs \(O(\log T)\) with the “halving protocol”. Recently, Loe et al. (2022) presented P-VDF without the large proofs, where they leveraged the Blum integer \(N = pq\) with \(p \equiv q \equiv 3 \bmod 4\) such that the verification relies on the factorization of N. As a result, the efficiency of verification is the fastest among all existing VDFs while we must generate Blum integers for different instantiations.

One notable breakthrough was established in 2019, when De Feo et al. (2019) presented a new framework of VDFs from the BLS signature (Boneh et al. 2001). In this paradigm, the long sequences of isogenies were employed as the slow evaluation functions, while the results can be efficiently verified via non-degenerate pairings, then two schemes were first instantiated from isogenies between elliptic curves over \(\mathbb {F}_p\) and \(\mathbb {F}_{p^2}\), respectively. More specifically, they employed chains of low-degree isogenies for a “slow” evaluation function since the isogeny computation still takes T sequential steps, while the pairing can be evaluated in \(poly(\log N)\) time.

Substituting pairings by the succinct non-interactive arguments (SNARGs), the first post-quantum secure isogeny-based VDF (Chávez-Saab et al. 2021) was constructed without trusted setups, while the verification terminated in quasi-logarithmic time.

Motivated by original time-lock puzzles and VDFs, a new primitive named delay encryption (DE) (Burdges and De Feo 2021) was introduced by Burdges and De Feo, viewed as a time-lock version of Identity-based Encryptions (IBE). Yet it is called an encryption scheme, there are no secrets, and the critical concept is session, which is generated by a session identifier and is hard to predict. In particular, the function \(\textsf{Extract}\), as the defining algorithm of generating a session key from an identifier, must run sequentially and slowly. Surprisingly, the instantiations of certain VDFs can be employed for DEs immediately. Namely, the initial construction in Burdges and De Feo (2021) followed the same roadmap from isogeny-based VDF (De Feo et al. 2019) by modifying the IBE scheme (Boneh and Franklin 2003), and it is facile to construct DE from P-VDF (Loe et al. 2022). For cryptographic deployments, some protocols derived from time-lock puzzles, i.e., Vickrey auctions and electronic votings, would obtain additional advantages via utilizing DEs.

Nowadays, isogenies on hyperelliptic curves (Flynn and Ti 2019) have been a hotspot for the shortest key sizes. Although it was a mathematical problem (Lubicz and Robert 2012; Smith 2006) investigated for decades, its cryptographic constructions are relatively new topics. Due to the complicated formulae, efficient implementations are crucial problems with abundant improvements (Bruin et al. 2014; Cosset and Robert 2015; Flynn 2015; Kunzweiler 2022), while only hash functions (Castryck et al. 2020) and key exchange protocols (Flynn and Ti 2019) have been presented for practical constructions. It is shown that the cryptosystem based on isogenies between hyperelliptic Jacobians has a smaller key size than that on elliptic curves (Costello and Smith 2020; Flynn and Ti 2019), thus it is natural to construct more functional applications from isogenies on hyperelliptic curves.

Our contributions Following the framework of isogeny-based VDF, we establish the verifiable delay function and delay encryption from hyperelliptic curves, which are the first cryptographic applications utilizing isogenies on supersingular hyperelliptic curves. More specifically, our contributions are summarized as follows.

• We first employ Richelot isogenies and non-degenerate pairings on hyperelliptic curves to establish a verifiable delay function without additional interaction, where the output is verified via pairings such that no proof is required. Then, we demonstrate that our scheme satisfies all security requirements, i.e., the parameters of our scheme are fixed to resist several known attacks. In particular, the defining property “sequentiality” holds under the assumption of high-genus isogeny shortcut problem, as a generalization of that for elliptic curves. As an additional contribution, we illustrate that isogeny-based VDF can resist recent attacks on SIDH.

• Following the same framework, we modify Boneh and Frankiln’s IBE scheme for a \(\varDelta\)-IND-CPA secure delay encryption from hyperelliptic curves with the same instantiations, i.e., the session key is obtained through T sequential Richelot isogenies. Afterwards, we show that the scheme is secure having analogous merits and demerits as our VDF scheme.

Organization The rest of this paper is organized as follows. The “Preliminaries on hyperelliptic curves and isogenies” section provides necessary preliminaries on hyperelliptic curves and Richelot isogenies. In “Syntax of verifiable delay functions and delay encryptions” section, the definition and security requirements of VDFs and DEs are reviewed. The verifiable delay function from hyperelliptic curves is depicted in “Verifiable delay functions from hyperelliptic curves” section, followed by the security analysis. The “Delay encryptions from hyperelliptic curves” section presents the delay encryption from hyperelliptic curves. The last section concludes our work.

In this section, we recall some necessary mathematical backgrounds of hyperelliptic curves, pairings, and isogenies.

Hyperelliptic curves

Let \(\overline{\mathbb {F}}_q\) be the algebraic closure of the finite field \(\mathbb {F}_{q}\) with characteristic \(p >3\). A hyperelliptic curve C of genus 2 over \(\mathbb {F}_{q}\) is given by the following equation:

where f(x) is a squarefree polynomial of degree 5 or 6 such that there are no solutions \((x, y) \in \overline{\mathbb {F}}_q \times \overline{\mathbb {F}}_q\) simultaneously satisfying the equation \(y^2 = f(x)\) and the partial derivative equations \(y= 0\) and \(f'(x) = 0\). For any algebraic extension \(\mathbb {F}_{q^k}\) of \(\mathbb {F}_{q}\), we consider the set

called the set of \(\mathbb {F}_{q^k}\)-rational points on C.

The set \(C({\mathbb {F}_{q^k}})\) does not form a group, but we can embed C into an abelian variety of dimension 2, which is called the Jacobian of C and denoted by \(J_C\). The Jacobian \(J_C\) is isomorphic to the divisor class group of degree zero \(\textrm{Pic}_C^0\). Let \({\mathcal {O}}\) be the identity element of \(J_C\).

Every divisor in Jacobian \(J_C\) over a field K can be expressed in Mumford representation as a pair (u(x), v(x)) of polynomials in K[x], such that u(x) is monic, and u(x) divides \(f(x)-v(x)^2\) with \(\deg v(x) < \deg u(x) \le 2\). Let \(P_1=(x_1,y_1), P_2=(x_2,y_2)\) be two points on the hyperelliptic curve C, then the Mumford representation (u(x), v(x)) associated with two points satisfies \(u(x_i)=0\) and \(v(x_i)=y_i\), for \(i =1,2\). For \(r \in \mathbb {N}\), we define \(J_C[r]:=\{ D \in J_C \mid rD={\mathcal {O}} \}\) as the r-torsion subgroup of \(J_C\).

Hyperelliptic pairings

Pairings on hyperelliptic curves are useful tools in cryptology. The definitions of two familiar pairings on hyperelliptic curves are summarized as follows.

Let C be a hyperelliptic curve of genus 2 over \(\mathbb {F}_{q}\), and \(J_C\) be the corresponding Jacobian. Let r be a divisor of \(\#J_C\), and coprime to q. The embedding degree is the smallest positive integer k such that \(r \mid (q^k-1)\). The group of r-th roots of unity in \(\mathbb {F}_{q^k}^*\) is denoted by \(\mu _r=\{ z \in \mathbb {F}^*_{q^k} \mid z^r =1 \}\).

The Weil pairing is a non-degenerate bilinear map

which is denoted as \(e_r(D_1,D_2)\). The Tate-Lichtenbaum pairing is a non-degenerate bilinear map

which is denoted as \(\left\langle D_1,D_2 \right\rangle _r\). To achieve cryptographic applications, we consider the reduced (or modified) pairing

Similar to the pairings of elliptic curves, Miller’s algorithm (Cohen et al. 2005; Miller 2004) is used to compute hyperelliptic pairings. For more detailed discussions, it refers to Galbraith et al. (2007).

Richelot isogenies

It is well-known that we can compute an isogenous elliptic curve from a given kernel through Vélu’s formula (Vélu 1971), which is the foundation of isogeny-based cryptography. Nevertheless, with the growth of genus, there is no efficient algorithm to evaluate isogenies between Jacobians.

Since the Jacobian \(J_C\) of a curve C is a principally polarized abelian variety (PPAV), we could consider isogeny of principally polarized abelian varieties, which is a finite dominant homomorphism of abelian varieties A, and the kernel of isogeny is a finite isotropic group. The Richelot isogeny is the simplest isogeny whose kernel is contained in the 2-torsion subgroup \(J_C[2]\) from a genus-2 hyperelliptic curve. Smith (2006) summarized the Richelot isogenies on Jacobians of genus 2, whose kernel is maximal isotropic with regards to the 2-Weil pairing.

Proposition 1

(Smith 2006) Let R be a proper, nontrivial subgroup of \(J_C[2]\). If R is the kernel of an isogeny between principally polarized abelian surfaces, then R is a maximal 2-Weil isotropic subgroup of \(J_C[2]\) (that is, the 2-Weil pairing restricts trivially to R, and R is not properly contained in any other such subgroup).

Now, we present some facts about Richelot isogenies for our construction. Let \(C: y^2=f(x)\) be a genus-2 hyperelliptic curve and \(J_C\) be its Jacobian, where \(f(x)=c_0\prod _{i=1}^{6} (x-\alpha _i)\)^{Footnote 1}. Then, all 2-torsion divisors of \(J_C\) are

where the square brackets denote the equivalence classes of divisors. For a maximal isotropic subgroup with regards to the 2-Weil pairing, the group contains three non-trivial elements such that all \(\alpha _i\), \(1\le i\le 6\), occur exactly once in all the representations of divisors. Thus, there are fifteen disparate isogenous PPAVs from a Jacobian, which are determined by the sets of pairwise coprime quadratic factors of f(x).

Definition 1

A quadratic splitting of a squarefree degree 6 (resp. degree 5) polynomial \(f(x) \in \mathbb {F}_q[x]\) is an unordered triple \((G_1,G_2,G_3) \in \overline{\mathbb {F}}_q[x]\) of quadratic (resp. two quadratic and a linear) polynomials satisfying \(f(x)=G_1(x)G_2(x)G_3(x)\) under the equivalence

The next proposition provides the codomain of Richelot isogeny, where we refer Bruin and Doerksen (2011), Cassels and Flynn (1996), Smith (2006) for more details.

Proposition 2

(Smith 2006) Let \(C:y^2=G_1(x)G_2(x)G_3(x) \in \mathbb {F}_q[x]\) be a genus 2 curve such that the maximal 2-Weil isotropic subgroup G is determined by \(\{G_1,G_2,G_3\}\), where \(G_i(x)=g_{i,2}x^2+g_{i,1}x+g_{0,i}\) for \(i\in \{1,2,3\}\). Let \(\phi : J_C \rightarrow A\) be the isogeny with kernel G and

1. 1.

   If \(\delta \ne 0\), then A is isomorphic to the Jacobian of a genus-2 curve

   $$\begin{aligned} C': y^2=\delta ^{-1}H_1(x)\cdot H_2(x) \cdot H_3(x) \end{aligned}$$

   with \(H_1:=G_2' G_3- G_2G_3', H_2:=G_3' G_1- G_3G_1', H_3:=G_1' G_2- G_1G_2',\) where \(G_i'\) is the derivative of \(G_i\). Moreover, the dual isogeny is determined by \(\{ H_1,H_2,H_3\}\).

2. 2.

   If \(\delta =0\), then A is isomorphic to a product of elliptic curves \(E_1\times E_2\), where two elliptic curves are defined by

   $$\begin{aligned} E_1: y^3=\prod _{i=1}^{3}(a_{i,1}x+a_{i,2}) \quad \text {and} \quad E_2: y^3=\prod _{i=1}^{3}(a_{i,2}x+a_{i,1}), \end{aligned}$$

   such that \(a_{i,1}, a_{i,2}\) satisfy \(G_i= a_{i,1}(x-t_1)^2+ a_{i,2}(x-t_2)^2\) for some \(t_1,t_2 \in \mathbb {F}_q\).

Remark 1

For the second case, the map \(\phi\) is induced by \(\phi _1\times \phi _2\), where

It is essential to evaluate the image of divisors in \(J_C\) under the isogeny \(\phi\) for the first case of the above proposition. Nevertheless, Richelot isogenies work on the hyperelliptic curve, as the morphisms between hyperelliptic curves. For this aim, we map two points to a unique divisor on \(J_C\), then the divisor is directly calculated from the image points. Furthermore, the above method can be realized via the Richelot correspondence \({\mathcal {R}} \subset C \times C'\) with

for \((u,v) \in C\) and \((u_1,v_1)\in C'\). This correspondence presents the connection of points on hyperelliptic curves, but there are always two solutions for these equations. To fill the gap, Kunzweiler (2022) established an algorithm to uniquely determine the image on \(J_{C'}\). Namely, two solutions determine a divisor, then two divisors from different points, generating the preimage divisor on \(J_C\), compose the unique divisor, which is the image under Richelot isogenies.

In this section, we review the model of verifiable delay functions (VDFs) and delay encryptions (DEs), followed by the security requirements.

Verifiable delay functions

The definition of verifiable delay function has been first established in Boneh et al. (2018). In general, a VDF contains three algorithms:

1. 1.

   \(\textsf{Setup}(\lambda ,T)\rightarrow (ek,vk)\): is an algorithm whose inputs are the security parameter \(\lambda\) and a delay parameter T. The outputs are an evaluation key ek and a verification key vk. We require that \(\textsf{Setup}\) runs in polynomial time of \(\lambda\) and T. Then, the input space \({\mathcal {X}}\) and the output space \({\mathcal {Y}}\) are determined by (ek, vk), where we assume that \({\mathcal {X}}\) is efficiently sampleable.

2. 2.

   \(\textsf{Eval}(ek,s) \rightarrow (a,\tau )\): is a procedure to evaluate on input \(s \in {\mathcal {X}}\). The outputs consist of \(a \in {\mathcal {Y}}\) from s, and a (possibly empty) proof \(\tau\). The requirement of this procedure is the time of computation can not be less than T.

3. 3.

   \(\textsf{Verify}(vk, s,a,\tau ) \rightarrow\) {True, False}: is a procedure to verify whether a is the correct output for s with the help of proof \(\tau\) if necessary. In general, it is an efficient algorithm compared with \(\textsf{Eval}\), i.e., running in \(ploy(\lambda ,T)\).

The VDF should satisfy three security properties: Correctness, Soundness, and Sequentiality. The formal definitions of security requirements are depicted below.

Correctness This property requires that every output of \(\textsf{Eval}\) must be accepted by \(\textsf{Verify}\).

Definition 2

The VDFs are correct if for any \(\lambda , T\), public parameters (ek, vk), and input s, if \((a,\tau ) \leftarrow \textsf{Eval}(ek,s)\), then \(\textsf{Verify}(vk,s,a,\tau )\) outputs \(\textsf{true}\).

Soundness It states that the incorrect output \(({\tilde{a}},{\tilde{\tau }})\), generated by any adversary without performing \(\textsf{Eval}\), can not be accepted by the \(\textsf{Verify}\).

Definition 3

(Soundness) A VDF is sound if for any \(\lambda , T\), public parameters (ek, vk), and input s, if \(({\tilde{a}},{\tilde{\tau }}) \ne \textsf{Eval}(ek,s)\), then \(\textsf{Verify}(vk,s,{\tilde{a}},{\tilde{\tau }})\) outputs \(\textsf{true}\) with negligible probability.

Sequentiality This is the defining property of VDFs. Namely, this property demands that it is impossible to evaluate the VDF faster than running \(\textsf{Eval}\), even given a boundless amount of parallel computers and precomputations, which are generated after the setup of public parameters. Whereas, the adversary with \(|{\mathcal {Y}}|\) processors can evaluate outputs by simultaneously trying all output in \({\mathcal {Y}}\). Therefore, it is crucial to bound the adversary’s ability of parallelism. For more detailed discussions, please refer to Boneh et al. (2018), De Feo et al. (2019).

Definition 4

(Sequentiality) A VDF is sequential if no pair of randomized algorithms \({\mathcal {A}}_0\), which runs in total time \(ploy(T,\lambda )\), and \({\mathcal {A}}_1\), which runs in parallel time less than T, can win the following sequential game with non-negligible probability.

1. 1.

   \((ek,vk){\mathop {\leftarrow }\limits ^{R}} \textsf{Setup}(\lambda ,T)\);

2. 2.

   \(L{\mathop {\leftarrow }\limits ^{R}} {\mathcal {A}}_0(\lambda ,ek,vk,T)\);

3. 3.

   \(s {\mathop {\leftarrow }\limits ^{R}} {\mathcal {X}}\);

4. 4.

   \({\tilde{a}} {\mathop {\leftarrow }\limits ^{R}} {\mathcal {A}}_1 (L,ek,vk,s)\),

where winning is defined as outputing \({\tilde{a}}=a\), where \((a,\tau )= \textsf{Eval}(ek,s)\).

Construction framework Inspired by pairing-based BLS signature scheme (Boneh et al. 2001), a construction framework of VDFs (De Feo et al. 2019) has been proposed, i.e., the framework is depicted as follows.

Let \(e_X: X_1 \times X_2 \rightarrow G \subset \mathbb {F}_{q^k}\) and \(e_Y: Y_1 \times Y_2 \rightarrow G \subset \mathbb {F}_{q^k}\) be non-degenerate pairings, where \(X_1\), \(X_2\), \(Y_1\), \(Y_2\), G are subgroups of order N, and k is denoted by the embedding degree. In addition, suppose that there is a pair of bijections \(\phi : X_1 \rightarrow Y_1\) and \({\hat{\phi }}:Y_2 \rightarrow X_2\) such that the following diagram is commutative.

Let P be the generator of \(X_1\), then the system parameters are initialized by \((N,X_1,X_2,Y_1,Y_2,e_X,e_Y, P, \phi (P))\).

Delay encryptions

Motivated by VDFs, Burdges and De Feo (2021) introduced delay encryptions (DE), first instantiated with supersingular isogenies and pairings by modifying the famous IBE scheme (Boneh and Franklin 2003). DE is similar to the time-lock puzzles (Rivest et al. 1996), while the protocol outputs a session key rather than the proofs.

A DE consists of four algorithms:

1. 1.

   \(\textsf{Setup} (\lambda , T) \rightarrow (ek, pk)\). Take a security parameter \(\lambda\), a delay parameter T as inputs, and produce public parameters consisting of an extraction key ek and an encryption key pk. \(\textsf{Setup}\) must run in time \(poly(\lambda , T)\) and the encryption key pk must have size \(poly(\lambda )\), but the evaluation key ek is allowed to have size \(poly(\lambda , T)\).

2. 2.

   \(\textsf{Extract} (ek, id) \rightarrow idk\). Take the extraction key ek and a session identifier \(id \in \{0,1\}^*\) as inputs, and output a session key idk. \(\textsf{Extract}\) is expected to run in time exactly T.

3. 3.

   \(\textsf{Encaps} (pk, id) \rightarrow (c, k)\). Take the encryption key pk and a session identifier \(id \in \{0,1\}^*\) as inputs, and output a ciphertext c and a key k. \(\textsf{Encaps}\) must run in time \(poly(\lambda )\).

4. 4.

   \(\textsf{Decaps} (pk, id, idk, c) \rightarrow k\). Take the encryption key pk, a session identifier id, a session key idk, and a ciphertext c as inputs, and output a key k. \(\textsf{Decaps}\) must run in time \(poly(\lambda )\).

A DE scheme is correct if for any \((\textsf{ek}, \textsf{pk}) = \textsf{Setup}(\lambda , T)\) and any \({id} \in \{ 0,1\}^*\),

As an encryption scheme, the security of DE is similar to that of most public key encryption schemes, i.e., in particular of the IBE schemes. Whereas, one additional requirement of DE is that it is negligible to output idk for a random identifier id in time less than T. The security games of DE are depicted in Burdges and De Feo (2021).

In this section, we establish the concrete VDF under the framework in “Syntax of verifiable delay functions and delay encryptions” section, utilizing the Richelot isogenies and Weil pairings from supersingular hyperelliptic curves, then the security analysis is presented.

Our scheme

Following the framework in De Feo et al. (2019), we introduce the VDF from genus-2 hyperelliptic curves.

The prime is the form \(p=2^T \ell f-1\) such that \(p+1\) has a large prime factor \(\ell\). Then, we leverage the algorithm in Burdges and De Feo (2021) to generate two trusted setups, i.e., two supersingular elliptic curves \(E_1,E_2\) over \(\mathbb {F}_{p^2}\), and transform the above curves into a supersingular hyperelliptic curve C, then the Jacobian \(J_C\) is obtained. Let \(e_\ell (\cdot ,\cdot )\) be a non-degenerate Weil pairing on \(J_C[\ell ]\).

From the supersingularity of \(J_C\), we have \(\# J_C (\mathbb {F}_{p^2})= (p+1)^4\), and \(J_C [2^T]\cong {\textsf{C}}_{2^T}^4\) is a subgroup with four generators, where \({\textsf{C}}_n\) is a cyclic group of order n. Flynn and Ti (2019) demonstrated that the maximal \(2^n\)-isotropic subgroups of \(J_C\) must be isomorphic to \({\textsf{C}}_{2^n} \times {\textsf{C}}_{2^j} \times {\textsf{C}}_{2^{n-j}}\), where \(0 \le j \le \lfloor n/2 \rfloor\). To fulfill the condition of maximal isotropy, the secret selection method has been established in Flynn and Ti (2019), so we leverage this algorithm to create the kernel subgroup G with three generators \(Q_1,Q_2,Q_3\) such that the isogeny \(\phi :C\rightarrow C'\) is fixed^{Footnote 2}, i.e., the hyperelliptic curve \(C'\) is decided by \(\phi\) with kernel G. Immediately, the dual isogeny \({\hat{\phi }}\) is determined.

In practice, we decompose the isogeny into a sequence of T Richelot isogenies so that the dual isogeny \({\hat{\phi }}\) can be evaluated in the linear time of T.

Remark 2

We know that every 2-dimension supersingular PPAV is isomorphic to either the Jacobian of a genus-2 hyperelliptic curve or a product of two elliptic curves, and the second case occurs with a probability \(10/(p+10)\) (Castryck et al. 2020). Upon our choice, the probability of the intermediate PPAVs isomorphic to a product of elliptic curves is negligible. Even if this event has occurred, we can simply choose another kernel group \(G'\) to evaluate a new isogeny with overwhelming probability.

Since the prime is in the particular form, we could sample an \(\ell\)-torsion divisor \(P \in J_C [\ell ]\), and \(X_1=\left\langle P \right\rangle\) is a subgroup of order \(\ell\). From the isogeny \(\phi : J_C\rightarrow J_{C'}\), we know that \(\phi (P) \in J_{C'}\) is still an \(\ell\)-torsion divisor. We set \(Y_1= \left\langle \phi (P) \right\rangle\). After that, we output the evaluation key and verification key as \({\hat{\phi }}\) and \((J_C, J_{C'}, P, \phi (P))\), respectively.

Similarly, \(J_{C'}[\ell ]\) has four generators and let \(e'_\ell (\cdot ,\cdot )\) be a non-degenerate Weil pairing. Since the map \(R \mapsto e_\ell '(R,\phi (P))\) is surjective, there exists at least one divisor \(Q \in J_{C'}\) such that \(e_\ell '(\phi (P), Q) \ne 1,\) i.e., \(Q \notin \left\langle \phi (P)\right\rangle\). We can randomly sample a divisor \(Q \in J_{C'}[\ell ]{\setminus } \left\langle \phi (P)\right\rangle\), and set \(Y_2=\left\langle Q \right\rangle \subset J_{C'}[\ell ]\). For every divisor \(S\in Y_2\), \(e_\ell '(Q,S)=1\) is always holds while \(e_\ell '(\phi (P),S)=1\) can not be satisfied unless \(S={\mathcal {O}}\). In the same way, we have \(X_2=\left\langle {\hat{\phi }}(Q) \right\rangle\).

Remark 3

1. 1.

   This divisor Q can be obtained with probability \((\ell -1)/\ell\). If it fails, we can sample another divisor with overwhelming probability.

2. 2.

   Since the degree of isogeny is coprime to \(\ell\), we can also select a generator \(Q'\) in \(J_C[\ell ]\) and obtain the image \(\phi (Q')\) under the isogeny \(\phi\).

The four groups \(X_1,X_2,Y_1,Y_2\) are all cyclic groups, so it is facile to uniformly sample a point from these subgroups. The function \(\textsf{Eval}\) takes a random divisor \(S\in Y_2\) and outputs the image \({\hat{\phi }}(S)\) under the isogeny \({\hat{\phi }}\). For the verification \(\textsf{Verify}\), first check

otherwise, the verification fails. After that, \({\hat{\phi }}(S)\) passes the verification if

Our VDF scheme is depicted in Fig. 1.

Verifiable delay functions from hyperelliptic curves

Full size image

Security analysis

Now we present the security analysis of our VDF scheme, i.e., three properties are all satisfied.

Theorem 1

Our scheme is correct and sound.

Proof

Assume \(S=aQ \in Y_2\) for \(a\in \mathbb {Z}/\ell \mathbb {Z}\), then the honest output \({\hat{\phi }}(S)=a {\hat{\phi }}(Q) \in X_2\), so it holds that \(e_\ell ({\hat{\phi }}(Q), {\hat{\phi }}(S))=1\). The equation

comes from Mumford (1970). Thus, the legitimate output can pass the verification.

For the soundness, we know that \(e_\ell ({\hat{\phi }}(Q), \cdot )\) is degenerate on \(X_2\). However, the map \(S'\mapsto e_\ell ({\hat{\phi }}(Q),S')\) is surjective, so a random divisor \(S' \in J_{C'}[\ell ]\) satisfies \(e_\ell ({\hat{\phi }}(Q), S')=1\) with a probability \(1/\ell\). The second equation \(e_\ell (P,S')= e_\ell ' (\phi (P),S)\) is satisfied if and only if \(e_\ell (P,S')=e_\ell (P,{\hat{\phi }}(S))\), which indicates \(e_\ell (P,S'-{\hat{\phi }}(S)) =1\). Then, from the surjectivity of \(e_\ell (P,S')\), we know it occurs with a probability \(1/\ell\).

Thus the verification succeeds with a probability \(1/\ell ^2\) when the output is a random divisor \(S'\in J_{C'}[\ell ]\). \(\square\)

Remark 4

The perfect soundness for isogeny-based VDF (De Feo et al. 2019) is invalid here. There are four generators in \(J_{C'}[\ell ]\), so two equations for verification can not determine a unique divisor.

Although Sequentiality is the most crucial property, it is hard to illustrate that there is no algorithm of “running in parallel time less than T”. We now shift our attention to the following problem for isogenies between hyperelliptic curves, which has been introduced for elliptic curves in De Feo et al. (2019).

Definition 5

Let \(J_C\) be the Jacobian over \(\mathbb {F}_{p^2}\), isomorphic to a supersingular PPAV. Fixed an isogeny \(\phi : J_C\rightarrow J_{C'}\) with the maximal \(2^T\)-isotropic subgroup G and allowed a precomputation in time \(poly(\lambda ,T)\), evaluate \({\hat{\phi }}(S)\) on a random divisor \(S \in Y_2\) in parallel time less than T.

To set parameter sizes, we discuss several attacks on the high-genus isogeny shortcut problems, similar to the attacks mentioned in Burdges and De Feo (2021) and De Feo et al. (2019). The complexities of attacks are summarized in Table 1.

Pairing inversion The simplest attacks focus on the properties of Weil pairings. Namely, for given \(P, \phi (P),S\), to compute \({\hat{\phi }}(S) \in J_C[\ell ]\) is enough to obtain a divisor \(S' \in J_C[\ell ]\), more specifically, \(S' \in X_2\), such that \(e_\ell (P,S')=e_\ell '(\phi (P),S)\), i.e., to solve the pairing inverse problem \(e_\ell (P,\cdot )=e_\ell '(\phi (P),S)\).

Due to the surjection of Weil pairings \(e_\ell (P,\cdot )\), the equation

is satisfied with probability \(1/\ell\) for a random divisor \(S' \in X_2\). Thus, a better strategy is to randomly sample a divisor \(S_0 \in Y_2\), then find \(m \in \mathbb {Z}/\ell \mathbb {Z}\) such that \(e_\ell '(\phi (P),S)=e_\ell (P,S_0)^m\), then the divisor \(m S_0\) is one legitimate output for verification. Therefore, the security of DLP impacts the hardness of the pairing inversion problem.

From \(\textsf{Setup}\), the embedding degree is 2, indicating the best algorithm is the Number Field Sieve (NFS) for \(\mathbb {F}_{p^2}\), whose (heuristic) complexity is \(L_p(1/3)\). With the progress on NFS, the DLP in \(\mathbb {F}_{p^2}\) for a prime of around 300 bits has been solved in Barbulescu et al. (2015), then Barbulescu and Duquesne (2019) have selected the parameters for pairings under several security levels. It is suggested to utilize prime p of around 1500 bits and \(\ell\) of 256 bits for 128-bit security. Unfortunately, the pairing inversion problem is insecure under quantum computers.

Computing shortcuts One natural attack comes from finding a “simple” isogeny between \(J_C\) and \(J_{C'}\), agreeing with \(\phi\) on \(J_C[\ell ]\), but requiring less parallel time to evaluate.

However, considering supersingular PPAVs, there are no generic algorithms to compute \((\ell _0,\ell _0)\)-isogenies for odd primes \(\ell _0\). When \(\ell _0=3,5\), explicit formulae of \((\ell _0,\ell _0)\)-isogenies exist for some special cases (Bruin et al. 2014; Flynn 2015), but the formulae become more complicated when \(\ell _0\) is a large prime, including the algorithms introduced in Cosset and Robert (2015). Furthermore, the structures of the \((\ell _0,\ell _0)\)-isogenous graphs are more complicated than those for elliptic curves, and we only know a few properties for \(\ell _0=2\). Therefore, it is tough to utilize \((\ell _0,\ell _0)\)-isogeny with odd primes \(\ell _0\) for finding an isogenous path between supersingular Jacobians. For Richelot isogenies, some properties are discussed in Florit and Smith (2022), and only the local neighborhoods in the (2, 2)-isogeny graph have been exploited in Florit and Smith (2022), thus the generic properties of global Richelot isogeny graphs are still hard mathematical problems.

To break our scheme, the attack needs to compute another isogenous map between supersingular hyperelliptic curves, i.e., isogenous to the product of g supersingular elliptic curves, thus a natural idea is to find another isogeny between two superspecial abelian varieties, as the more specifical PPAVs isogenous to g supersingular elliptic curves. In general, Costello and Smith (2020) demonstrated that for two superspecial abelian varieties \(A_1\) and \(A_2\), finding a path \(\phi :A_1 \rightarrow A_2\) in the \((\ell _0,\ldots ,\ell _0)\)-isogeny graph requires \({\tilde{O}}(p^{g-1})\) field operations on a classical computer, and \({\tilde{O}}(\sqrt{p^{g-1}})\) field operations on a quantum computer. Therefore, computing a shortcut of known Richelot isogenies between two supersingular hyperelliptic curves requires more than \({\tilde{O}}(\sqrt{p^{g-1}})\) field operations for quantum computers, thus it is negligible to compute another path between two isogenous hyperelliptic curves of known isogenies.

Even if we have obtained a short isogeny \(\psi : J_C \rightarrow J_{C'}\), we must find \(\omega\) such that \(\omega \circ {\hat{\psi }}= {\hat{\phi }}\) on \(J_{C'}[\ell ]\). More specifically, \(\omega\) satisfies \(\omega \circ {\hat{\psi }}\mid _{Y_2}= {\hat{\phi }}\mid _{Y_2}\). Yet the structure of \(J_C[\ell ]\) is clear, it is inefficient to determine map \(\omega\) with the property of endomorphism. To simplify this problem, we restrict our attention to the subgroup \(X_2\). If \({\hat{\psi }}(Y_2)=X_2\), \(\omega\) is determined via computing discrete logarithms on \(X_2\), while it hardly occurs. In general, we have \({\hat{\psi }}(Y_2)\ne X_2\), then \(\omega\) induces a group isomorphism from \({\hat{\psi }}(Y_2)\) to \(X_2\), where computing discrete logarithms on \(X_2\) is also involved. As a result, the problem of searching \(\omega\) is more complicated than pairing inversion problems.

Parallel isogeny evaluation Finally, another obvious attack would utilize more parallel resources for evaluating chains of isogenies, whose aim is to accelerate evaluations of the sequential and slow function \(\textsf{Eval}\). However, Richelot isogenies utilize unique maximal 2-Weil isotropic subgroups for the next isogeny, requiring a maximal 2-Weil isotropic subgroup in Jacobians, so all existing algorithms go through all T intermediate PPAVs. In addition, for chains of 2-isogenies, replacing two 2-isogenies by one 4-isogeny is the generic technique for SIDH (De Feo et al. 2014), which will reduce the total cost by a constant factor, while there is no algorithm to evaluate \((2^n,2^n)\)-isogenies directly.

Consequently, the implementations of Richelot isogenies must be in a straight line, similar to the iterative isogenies for isogeny-based VDFs. Hence, an adversary can not accelerate the computation even using poly(T) processors at present.

Other known attacks In Kunzweiler et al. (2021), an adaptive attack has been proposed, where the gist is the symplectic basis related to Weil pairings. In general, finding the symplectic basis is equivalent to solving DLP for Weil pairings, which is practical for smooth order \(\ell _0^n\). Whereas, our scheme leverages the divisors of large prime order, then determining the symplectic basis of order \(\ell\) is at least as hard as the pairing inversion problems.

Recently, Castryck and Decru (2023) established an attack for SIDH, then Robert (2023) generalized this method to the PPAVs of all genera. However, this strategy employs all generators of torsion groups in two PPAVs and leverages the parameter tweaks for the smooth prime factorization, then the secret isogeny is recovered. In our VDF, the isogeny has been fixed with the output, i.e., we already have an isogeny path, and the ultimate goal is to evaluate the isogeny faster, so it may work for computing shortcuts. Luckily, this attack can not apply to VDFs straightforwardly. On the one hand, only two generators of \(J_C[\ell ]\) with the corresponding images in \(J_{C'}\) are known, such that there are not enough divisors to apply this attack. On the other hand, the prime p is particularly selected such that \(p+1\) has a large prime factor \(\ell\), so the parameter tweaks have few choices since the guess processions search for small isogenies upon the factorization of the difference value of divisors of \(2^T\) and \(\ell f\). Hence, for the huge difference between \(2^T\) and \(\ell f\), the first guessing isogeny is of large degree, almost identical to \(2^T\), which makes it almost impossible to find a legitimate isogeny since there is one unique choice among all likely isogenies, whose degree is close to \(2^T\). Consequently, this attack has no influence on our scheme. Similarly, yet two generators with the corresponding images are fixed, the isogeny-based VDF (De Feo et al. 2019) can resist the attacks for genus one SIDH (Castryck and Decru 2023; Maino et al. 2023; Robert 2023).

Parameters and comparison

Based on the above analysis, we choose a 256-bit prime \(\ell\), then set \(T=1244\) and \(f=63\) to obtain the prime \(p=2^{1244}\cdot 63\ell-1\) of 1506 bits, as the same prime in De Feo et al. (2019) for the security level of 128 bits. It is believed that computing discrete logarithm in a subgroup of order \(\ell\) in a finite field \(\mathbb {F}_{p^2}\) requires more than \(2^{128}\) operations.

As for the implementation, Weil pairings can be realized by pairing-based cryptography, where Miller’s algorithm (Miller 2004) is suggested. Moreover, one can substitute Weil pairings by Tate pairings, then half of Miller loops are saved at the expense of one final exponentiation. However, Richelot isogenies is a relatively new topic, and we refer to the relevant algorithms in Castryck and Decru (2023), Castryck et al. (2020), Flynn and Ti (2019) and Kunzweiler (2022). In general, isogenies between high genus PPAVs are more inefficient than elliptic curve isogenies, which means that our VDFs may obtain larger delay effect under the same parameter set than isogeny-based VDF (De Feo et al. 2019).

The overall comparison of different VDF schemes is depicted in Table 2. Compared with other VDFs, e.g., Pietrzak (2019) and Wesolowski (2020), one notable advantage is the empty proof, where the pairings play the role of proof. Note that Leo’s VDF (Loe et al. 2022) can achieve empty proof, but it is a prerequisite to generate a fresh Blum integer for every VDF, while the prime in our scheme can be applied for all schemes. Apart from that, our VDF is non-interactive such that the output can be verified without interactions. Nevertheless, the computation of Richelot isogenies is inefficient, and the time needed for setup is almost the same as evaluation, which is also the drawback of isogeny-based VDFs. To this problem, a possible solution may come from Kummer varieties, where Kummer lines have been employed for acceleration (Chen et al. 2023), which needs more development in this realm. Moreover, the property of perfect soundness fails for our design, which is the shortage compared with isogeny-based VDFs (De Feo et al. 2019).

Since the original DE has been derived from isogeny-based VDFs (Burdges and De Feo 2021), we present new DE from hyperelliptic curves in a similar roadmap. The IBE scheme (Boneh and Franklin 2003) is modified for our construction, i.e., the master secret is substituted by a long chain of Richelot isogenies, so that the decryption key from a fixed identity is a slow operation.

Our design

Setup is almost identical to the VDFs in Fig. 1, where the prime \(p=2^T\ell f-1\) and Jacobian \(J_C\) are fixed, then an isogeny \(\phi : J_C \rightarrow J_{C'}\) with the image of an \(\ell\)-torsion divisor is established. To depict other routines, we would introduce two hash functions. Let \({\textsf{H}}_1: \{0,1\}^\lambda \rightarrow J_{C'}[\ell ]\) be used to hash id to divisors of order \(\ell\), and \({\textsf{H}}_2: \mathbb {F}_{q^k} \rightarrow \{0,1\}^\lambda\) be a key derivation. The detailed protocol is described in Fig. 2, where the notations coincide with those in Fig. 1.

Delay encryption from hyperelliptic curves

Full size image

Remark 5

If Weil pairing \(e_\ell '(Q,\phi (P))=1\), Q is substituted by \({\textsf{H}}_1(\textsf{id}||Q)\), where the failure probability is \(1/\ell\). Moreover, this strategy applies to all involved evaluations of \({\textsf{H}}_1\).

The correctness of our scheme is satisfied by the following equation

Remark 6

Note that two hash identities \(Q,Q'\) such that \(e_\ell '(\phi (P),Q)=e_\ell '(\phi (P),Q')\) determine the same s for \(\textsf{Encaps}\) and \(\textsf{Decaps}\), then the adversary only compute the image of one divisor from them under \({\hat{\phi }}\). Whereas, from the analysis in the proof of Theorem 1, it occurs with probability \(1/\ell\), which is still negligible.

Security analysis

To illustrate the security of our scheme, we follow the line in Burdges and De Feo (2021). We first generalize the bilinear isogeny shortcut games to high genus as follows:

Precomputation The adversary receives \(p,\ell ,J_C, J_{C'},\phi\) and outputs an algorithm \({\mathcal {B}}\).

Challenge The challenger outputs uniformly random \(P_0 \in J_C[\ell ]\) and \(Q_0 \in J_{C'}[\ell ]\).

Guess Algorithm \({\mathcal {B}}\) runs on the pair \((P_0,Q_0)\). Then the adversary wins if \({\mathcal {B}}\) outputs

Similarly, we say the high-genus bilinear isogeny shortcut game is \(\varDelta\)-hard if no adversary running the precomputation in time \(poly(\lambda , T)\) produces an algorithm \({\mathcal {B}}\) that wins in time less than \(\varDelta\) with non-negligible probability. Consequently, the following theorem illustrates that our scheme satisfies \(\varDelta\)-IND-CPA if the above game is hard.

Theorem 2

The delay encryption scheme from hyperelliptic curves is \(\varDelta\)-IND-CPA secure, assuming the \(\varDelta '\)-hardness of the high-genus bilinear isogeny shortcut game with \(\varDelta \in \varDelta '-o(\varDelta ')\), where \({\textsf{H}}_1\) and \({\textsf{H}}_2\) are assumed as the random oracles.

Proof

The proof of this theorem is almost identical to that of delay encryption from elliptic curves in Burdges and De Feo (2021), so we omit the proof for brevity. \(\square\)

For the security of the high-genus bilinear isogeny shortcut game, it follows the analysis of three attacks in “Security analysis” section. Consequently, the parameters are the same as those for our VDFs from hyperelliptic curves with analogous merits and demerits.

In this work, we present the first VDF and DE from hyperelliptic curves by utilizing Richelot isogenies and non-degenerate pairings, which broaden the cryptographic applications of high-genus isogenies. In particular, we employ the framework in isogeny-based VDF for two schemes with analogous merits and demerits as those from isogeny-based ones, while our scheme is secure under generalized assumptions on high-genus isogenies. To further implement those schemes, the study on efficient Richelot isogenies would be welcome, which is the main obstacle to the implementation of isogeny-based cryptography from hyperelliptic curves. Apart from that, the cryptographic applications from high-genus isogenies may share the smallest key sizes among post-quantum cryptosystems, thus it is natural to enrich this cryptosystem with abundant cryptographic constructions.

Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.

1. If \(\deg (f)=5\), we define \(\alpha _6= \infty\) and \(x-\alpha _6=0\cdot x+1\)

2. There are several choices of G for given n, j, and the decomposition of the isogeny derived from given G is not unique, where the details can be found in Flynn and Ti (2019, Sect. 2.2).

Not applicable.

This work is supported by the National Natural Science Foundation of China (No. 62272491) and the Guangdong Major Project of Basic and Applied Basic Research (2019B030302008) and the National R &D Key Program of China under Grant (2022YFB2701500).

Authors and Affiliations

1. School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, 510006, China

   Chao Chen & Fangguo Zhang

2. Guangdong Province Key Laboratory of Information Security Technology, Guangzhou, 510006, China

   Chao Chen & Fangguo Zhang

Contributions

CC is completed the main work of the paper and drafted the manuscript. FZ is participated in problem discussions and improvements of the manuscript. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Fangguo Zhang.

Competing interests

The authors declare that there is no conflict of interest regarding the publication of this article.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions