Verifiable delay functions and delay encryptions from hyperelliptic curves

Verifiable delay functions (VDFs) and delay encryptions (DEs) are two important primitives in decentralized systems, while existing constructions are mainly based on time-lock puzzles. A disparate framework has been established by applying isogenies and pairings on elliptic curves. Following this line, we first employ Richelot isogenies and non-degenerate pairings from hyperelliptic curves for a new verifiable delay function, such that no auxiliary proof and interaction are needed for the verification. Then, we demonstrate that our scheme satisfies all security requirements, in particular, our VDF can resist several attacks, including the latest attacks for SIDH. Besides, resorting to the same techniques, a secure delay encryption from hyperelliptic curves is constructed by modifying Boneh and Franklin’s IBE scheme, which shares the identical setup with our VDF scheme. As far as we know, these schemes are the first cryptographic applications from high-genus isogenies apart from basic protocols, i.e., hash functions and key exchange protocols.


Introduction
Verifiable delay function (VDF), first introduced by Boneh et al. (2018), is a function f : X → Y that requires a prescribed amount of time for evaluations, even if many parallel computation resources are employed, while the result can be verified efficiently. The most crucial requirement demands that evaluation, as a slow function, must be realized in at least T sequential steps and no acceleration exists. Such scheme allows a prover to demonstrate that a certain amount of time has elapsed. Furthermore, the VDFs with more functionality, e.g., tight VDFs (Döttling et al. 2020) and continuous VDFs (Ephraim et al. 2020), were also proposed for particular situations.
Due to efficient verifications, VDFs have been applied broadly in cryptography, especially for the decentralized setting. A direct application is to construct a trustworthy randomness beacon (Rabin 1983), where the beacon is given by a VDF with a long delay on the entropy source, so the malicious participant can not obtain his advantages to adjust the market within a short time. Furthermore, based on the "commit-and-reveal" paradigm, multiparty randomness can be achieved by replacing commitments with VDFs, illustrated in Lenstra and Wesolowski (2017). Another usage of VDFs is to lower the energy consumption of blockchains based on proofs-of-work. Namely, an ingenious method (Cohen and Pietrzak 2018) combines proofs-of-resources with incremental VDFs to achieve Consensus from Proof of Resources. Moreover, proof of data replication (Armknecht et al. 2016; Juels and Kaliski 2007) and computational timestamping (Kiayias et al. 2017) can be realized with VDFs, where more discussions can be found in Boneh et al. (2018).
After the proposal of VDF (Boneh et al. 2018), various instantiations have been established, where VDF can be directly achieved using incrementally verifiable computation (Valiant 2008). Apart from the high-level ideas, class groups and injective rational maps have been leveraged for establishing VDFs (Boneh et al. 2018; Wesolowski 2020).
In practice, computing modular exponentiation is an elegant choice for sequentially slow evaluation functions, where extracting modular square roots in $\mathbb{F}_p$ (Dwork and Naor 1992) and repeated squaring in an RSA group (Rivest et al. 1996) were instantiated for this problem. Thus, a natural idea is to modify the above functions for practical VDF schemes. Specifically, the first can be efficiently verified by a modular square, so it turns out to be a VDF immediately (Boneh et al. 2018). Regrettably, the delay parameter of this approach is only about $O(\log p)$, which would be smaller considering the parallelism of field multiplications, where Lenstra and Wesolowski (2017) introduced Sloth to realize parallel computation for modular square roots.
In contrast, the second was generated from the famous time-lock puzzles (Rivest et al. 1996), i.e., utilizing RSA modulus $N = pq$, the puzzle is $y = x^{2^T} \bmod N$ from a random $x \in \mathbb{Z}_N^*$. Besides, one obtaining $\phi(N)$ can evaluate $y$ efficiently via reducing the exponent $e \equiv 2^T \bmod \phi(N)$, while others must compute $T$ sequential modular squares. Following this line, Wesolowski (2020) established an efficient interactive protocol to verify the output $y$ publicly, being non-interactive via the Fiat-Shamir paradigm (Fiat and Shamir 1986). Namely, the verifier sends a random small prime $\ell$, and the prover replies with $z = x^{\lfloor 2^T/\ell \rfloor}$, then the verifier accepts when $y = z^{\ell} x^{r}$ with $r = 2^T \bmod \ell$. To reduce the proof size, Pietrzak (2019) introduced another interactive protocol via substituting $\mathbb{Z}_N^*$ by the group $QR_N^+ := \{|x| ;\ x = z^2 \bmod N,\ z \in \mathbb{Z}_N^*\}$ with two strong primes $p$ and $q$, so that the prover outputs a proof with $O(\log T)$ group elements and the verification only needs $O(\log T)$ with the "halving protocol". Recently, Loe et al. (2022) presented P-VDF without the large proofs, where they leveraged the Blum integer $N = pq$ with $p \equiv q \equiv 3 \bmod 4$ such that the verification relies on the factorization of $N$. As a result, the efficiency of verification is the fastest among all existing VDFs while we must generate Blum integers for different instantiations.
One notable breakthrough was established in 2019, when De Feo et al. (2019) presented a new framework of VDFs from the BLS signature (Boneh et al. 2001). In this paradigm, the long sequences of isogenies were employed as the slow evaluation functions, while the results can be efficiently verified via non-degenerate pairings, then two schemes were first instantiated from isogenies between elliptic curves over $\mathbb{F}_p$ and $\mathbb{F}_{p^2}$, respectively. More specifically, they employed chains of low-degree isogenies for a "slow" evaluation function since the isogeny computation still takes $T$ sequential steps, while the pairing can be evaluated in $\mathrm{poly}(\log N)$ time.
Substituting pairings by the succinct non-interactive arguments (SNARGs), the first post-quantum secure isogeny-based VDF (Chávez-Saab et al. 2021) was constructed without trusted setups, while the verification terminated in quasi-logarithmic time.
Motivated by original time-lock puzzles and VDFs, a new primitive named delay encryption (DE) (Burdges and De Feo 2021) was introduced by Burdges and De Feo, viewed as a time-lock version of Identity-based Encryptions (IBE). Although it is called an encryption scheme, there are no secrets, and the critical concept is session, which is generated by a session identifier and is hard to predict. In particular, the function Extract, as the defining algorithm of generating a session key from an identifier, must run sequentially and slowly. Surprisingly, the instantiations of certain VDFs can be employed for DEs immediately. Namely, the initial construction in Burdges and De Feo (2021) followed the same roadmap from isogeny-based VDF (De Feo et al. 2019) by modifying the IBE scheme (Boneh and Franklin 2003), and it is facile to construct DE from P-VDF (Loe et al. 2022). For cryptographic deployments, some protocols derived from time-lock puzzles, i.e., Vickrey auctions and electronic votings, would obtain additional advantages via utilizing DEs.
Nowadays, isogenies on hyperelliptic curves (Flynn and Ti 2019) have been a hotspot for the shortest key sizes. Although it was a mathematical problem (Lubicz and Robert 2012; Smith 2006) investigated for decades, its cryptographic constructions are relatively new topics. Due to the complicated formulae, efficient implementations are crucial problems with abundant improvements (Bruin et al. 2014; Cosset and Robert 2015; Flynn 2015; Kunzweiler 2022), while only hash functions (Castryck et al. 2020) and key exchange protocols (Flynn and Ti 2019) have been presented for practical constructions. It is shown that the cryptosystem based on isogenies between hyperelliptic Jacobians has a smaller key size than that on elliptic curves (Costello and Smith 2020; Flynn and Ti 2019), thus it is natural to construct more functional applications from isogenies on hyperelliptic curves.
Our contributions Following the framework of isogeny-based VDF, we establish the verifiable delay function and delay encryption from hyperelliptic curves, which are the first cryptographic applications utilizing isogenies on supersingular hyperelliptic curves. More specifically, our contributions are summarized as follows.
• We first employ Richelot isogenies and non-degenerate pairings on hyperelliptic curves to establish a verifiable delay function without additional interaction, where the output is verified via pairings such that no proof is required. Then, we demonstrate that our scheme satisfies all security requirements, i.e., the parameters of our scheme are fixed to resist several known attacks. In particular, the defining property "sequentiality" holds under the assumption of high-genus isogeny shortcut problem, as a generalization of that for elliptic curves. As an additional contribution, we illustrate that isogeny-based VDF can resist recent attacks on SIDH.
• Following the same framework, we modify Boneh and Franklin's IBE scheme for a ∆-IND-CPA secure delay encryption from hyperelliptic curves with the same instantiations, i.e., the session key is obtained through T sequential Richelot isogenies. Afterwards, we show that the scheme is secure having analogous merits and demerits as our VDF scheme.
Organization The rest of this paper is organized as follows. The "Preliminaries on hyperelliptic curves and isogenies" section provides necessary preliminaries on hyperelliptic curves and Richelot isogenies. In "Syntax of verifiable delay functions and delay encryptions" section, the definition and security requirements of VDFs and DEs are reviewed. The verifiable delay function from hyperelliptic curves is depicted in "Verifiable delay functions from hyperelliptic curves" section, followed by the security analysis. The "Delay encryptions from hyperelliptic curves" section presents the delay encryption from hyperelliptic curves. The last section concludes our work.

Preliminaries on hyperelliptic curves and isogenies
In this section, we recall some necessary mathematical backgrounds of hyperelliptic curves, pairings, and isogenies.

Hyperelliptic curves
Let $\overline{\mathbb{F}}_q$ be the algebraic closure of the finite field $\mathbb{F}_q$ with characteristic $p > 3$. A hyperelliptic curve $C$ of genus 2 over $\mathbb{F}_q$ is given by the following equation: where $f(x)$ is a squarefree polynomial of degree 5 or 6 such that there are no solutions $(x, y) \in \mathbb{F}_q \times \mathbb{F}_q$ simultaneously satisfying the equation $y^2 = f(x)$ and the partial derivative equations $y = 0$ and $f'(x) = 0$. For any algebraic extension $\mathbb{F}_{q^k}$ of $\mathbb{F}_q$, we consider the set called the set of $\mathbb{F}_{q^k}$-rational points on $C$.
The set $C(\mathbb{F}_{q^k})$ does not form a group, but we can embed $C$ into an abelian variety of dimension 2, which is called the Jacobian of $C$ and denoted by $J_C$. The Jacobian $J_C$ is isomorphic to the divisor class group of degree zero $\mathrm{Pic}^0_C$. Let $O$ be the identity element of $J_C$. Every divisor in Jacobian $J_C$ over a field $K$ can be expressed in Mumford representation as a pair $(u(x), v(x))$ of polynomials in $K[x]$, such that $u(x)$ is monic, and Let $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$ be two points on the hyperelliptic curve $C$, then the Mumford representation $(u(x), v(x))$ associated with two points satisfies u(

Hyperelliptic pairings
Pairings on hyperelliptic curves are useful tools in cryptology. The definitions of two familiar pairings on hyperelliptic curves are summarized as follows.
Let $C$ be a hyperelliptic curve of genus 2 over $\mathbb{F}_q$, and $J_C$ be the corresponding Jacobian. Let $r$ be a divisor of $\#J_C$, and coprime to $q$. The embedding degree is the smallest positive integer $k$ such that $r \mid (q^k - 1)$. The group of $r$-th roots of unity in The Weil pairing is a non-degenerate bilinear map which is denoted as $e_r(D_1, D_2)$. The Tate-Lichtenbaum pairing is a non-degenerate bilinear map which is denoted as $\langle D_1, D_2 \rangle_r$. To achieve cryptographic applications, we consider the reduced (or modified) pairing Similar to the pairings of elliptic curves, Miller's algorithm (Cohen et al. 2005; Miller 2004) is used to compute hyperelliptic pairings. For more detailed discussions, we refer to Galbraith et al. (2007).

Richelot isogenies
It is well-known that we can compute an isogenous elliptic curve from a given kernel through Vélu's formula (Vélu 1971), which is the foundation of isogeny-based cryptography. Nevertheless, with the growth of genus, there is no efficient algorithm to evaluate isogenies between Jacobians.
Since the Jacobian $J_C$ of a curve $C$ is a principally polarized abelian variety (PPAV), we could consider isogeny of principally polarized abelian varieties, which is a finite dominant homomorphism of abelian varieties $A$, and the kernel of isogeny is a finite isotropic group. The Richelot isogeny is the simplest isogeny whose kernel is contained in the 2-torsion subgroup $J_C[2]$ from a genus-2 hyperelliptic curve. Smith (2006) summarized the Richelot isogenies on Jacobians of genus 2, whose kernel is maximal isotropic with regards to the 2-Weil pairing.
Proposition 1 (Smith 2006) Let $R$ be a proper, nontrivial subgroup of $J_C[2]$. If $R$ is the kernel of an isogeny between principally polarized abelian surfaces, then $R$ is a maximal 2-Weil isotropic subgroup of $J_C[2]$ (that is, the 2-Weil pairing restricts trivially to $R$, and $R$ is not properly contained in any other such subgroup). Now, we present some facts about Richelot isogenies for our construction. Let $C : y^2 = f(x)$ be a genus-2 hyperelliptic curve and $J_C$ be its Jacobian, where Then, all 2-torsion divisors of $J_C$ are where the square brackets denote the equivalence classes of divisors. For a maximal isotropic subgroup with regards to the 2-Weil pairing, the group contains three non-trivial elements such that all $\alpha_i$, $1 \le i \le 6$, occur exactly once in all the representations of divisors. Thus, there are fifteen disparate isogenous PPAVs from a Jacobian, which are determined by the sets of pairwise coprime quadratic factors of $f(x)$.
Definition 1 A quadratic splitting of a squarefree degree 6 (resp. degree 5 (resp. two quadratic and a linear) polynomials satisfying The next proposition provides the codomain of Richelot isogeny, where we refer to Bruin and Doerksen (2011), Cassels and Flynn (1996), Smith (2006) for more details.

Proposition 2 (Smith 2006) where $G'_i$ is the derivative of $G_i$. Moreover, the dual isogeny is determined by where two elliptic curves are defined by Remark 1 For the second case, the map $\varphi$ is induced by $\varphi_1 \times \varphi_2$, where It is essential to evaluate the image of divisors in $J_C$ under the isogeny $\varphi$ for the first case of the above proposition. Nevertheless, Richelot isogenies work on the hyperelliptic curve, as the morphisms between hyperelliptic curves. For this aim, we map two points to a unique divisor on $J_C$, then the divisor is directly calculated from the image points. Furthermore, the above method can be realized via the Richelot correspondence $R \subset C \times C'$ with for $(u, v) \in C$ and $(u_1, v_1) \in C'$. This correspondence presents the connection of points on hyperelliptic curves, but there are always two solutions for these equations.
To fill the gap, Kunzweiler (2022) established an algorithm to uniquely determine the image on $J_{C'}$. Namely, two solutions determine a divisor, then two divisors from different points, generating the preimage divisor on $J_C$, compose the unique divisor, which is the image under Richelot isogenies.

Syntax of verifiable delay functions and delay encryptions
In this section, we review the model of verifiable delay functions (VDFs) and delay encryptions (DEs), followed by the security requirements.

Verifiable delay functions
The definition of verifiable delay function has been first established in Boneh et al. (2018). In general, a VDF contains three algorithms:
1. Setup( , T ) → (ek, vk): is an algorithm whose inputs are the security parameter and a delay parameter T. The outputs are an evaluation key ek and a verification key vk. We require that Setup runs in polynomial time of and T. Then, the input space X and the output space Y are determined by (ek, vk), where we assume that X is efficiently sampleable.
2. Eval(ek, s) → (a, τ): is a procedure to evaluate on input s ∈ X. The outputs consist of a ∈ Y from s, and a (possibly empty) proof τ. The requirement of this procedure is the time of computation can not be less than T.
3. Verify(vk, s, a, τ) → {True, False}: is a procedure to verify whether a is the correct output for s with the help of proof τ if necessary. In general, it is an efficient algorithm compared with Eval, i.e., running in poly( , T ).
The VDF should satisfy three security properties: Correctness, Soundness, and Sequentiality. The formal definitions of security requirements are depicted below.
Correctness This property requires that every output of Eval must be accepted by Verify.
Soundness It states that the incorrect output (ã, τ), generated by any adversary without performing Eval, can not be accepted by the Verify.
Sequentiality This is the defining property of VDFs. Namely, this property demands that it is impossible to evaluate the VDF faster than running Eval, even given a boundless amount of parallel computers and precomputations, which are generated after the setup of public parameters. Whereas, the adversary with |Y| processors can evaluate outputs by simultaneously trying all output in Y. Therefore, it is crucial to bound the adversary's ability of parallelism. For more detailed discussions, please refer to Boneh et al. (2018), De Feo et al. (2019).
Definition 4 (Sequentiality) A VDF is sequential if no pair of randomized algorithms $A_0$, which runs in total time poly(T , ), and $A_1$, which runs in parallel time less than T, can win the following sequential game with non-negligible probability.
Construction framework Inspired by pairing-based BLS signature scheme (Boneh et al. 2001), a construction framework of VDFs (De Feo et al. 2019) has been proposed, i.e., the framework is depicted as follows.
Let e X : G are subgroups of order N, and k denotes the embedding degree. In addition, suppose that there is a pair of bijections $\varphi : X_1 \to Y_1$ and $\hat{\varphi} : Y_2 \to X_2$ such that the following diagram is commutative.
Let $P$ be the generator of $X_1$, then the system parameters are initialized by $(N, X_1, X_2, Y_1, Y_2, e_X, e_Y, P, \varphi(P))$.

Delay encryptions
Motivated by VDFs, Burdges and De Feo (2021) introduced delay encryptions (DE), first instantiated with supersingular isogenies and pairings by modifying the famous IBE scheme (Boneh and Franklin 2003).DE is similar to the time-lock puzzles (Rivest et al. 1996), while the protocol outputs a session key rather than the proofs.
A DE consists of four algorithms:
1. Setup( , T ) → (ek, pk). Take a security parameter , a delay parameter T as inputs, and produce public parameters consisting of an extraction key ek and an encryption key pk. Setup must run in time poly( , T ) and the encryption key pk must have size poly( ), but the evaluation key ek is allowed to have size poly( , T ).
2. Extract(ek, id) → idk. Take the extraction key ek and a session identifier $id \in \{0, 1\}^*$ as inputs, and output a session key idk. Extract is expected to run in time exactly T.
3. Encaps(pk, id) → (c, k). Take the encryption key pk and a session identifier $id \in \{0, 1\}^*$ as inputs, and output a ciphertext c and a key k. Encaps must run in time poly( ).
4. Decaps(pk, id, idk, c) → k. Take the encryption key pk, a session identifier id, a session key idk, and a ciphertext c as inputs, and output a key k. Decaps must run in time poly( ).
A DE scheme is correct if for any (ek, pk) = Setup( , T ) and any $id \in \{0, 1\}^*$, As an encryption scheme, the security of DE is similar to that of most public key encryption schemes, i.e., in particular of the IBE schemes. Whereas, one additional requirement of DE is that it is negligible to output idk for a random identifier id in time less than T. The security games of DE are depicted in Burdges and De Feo (2021).

Verifiable delay functions from hyperelliptic curves
In this section, we establish the concrete VDF under the framework in "Syntax of verifiable delay functions and delay encryptions" section, utilizing the Richelot isogenies and Weil pairings from supersingular hyperelliptic curves, then the security analysis is presented.

Our scheme
Following the framework in De Feo et al. (2019), we introduce the VDF from genus-2 hyperelliptic curves.
The prime is of the form $p = 2^T \ell f - 1$ such that $p + 1$ has a large prime factor $\ell$. Then, we leverage the algorithm in Burdges and De Feo (2021) to generate two trusted setups, i.e., two supersingular elliptic curves $E_1, E_2$ over $\mathbb{F}_{p^2}$, and transform the above curves into a supersingular hyperelliptic curve $C$, then the Jacobian $J_C$ is obtained. Let $e_\ell(\cdot, \cdot)$ be a non-degenerate Weil pairing on $J_C[\ell]$.
From the supersingularity of $J_C$, we have 2 T is a subgroup with four generators, where $C_n$ is a cyclic group of order $n$. Flynn and Ti (2019) demonstrated that the maximal $2^n$-isotropic subgroups of $J_C$ must be isomorphic to $C_{2^n} \times C_{2^j} \times C_{2^{n-j}}$, where $0 \le j \le \lfloor n/2 \rfloor$. To fulfill the condition of maximal isotropy, the secret selection method has been established in Flynn and Ti (2019), so we leverage this algorithm to create the kernel subgroup $G$ with three generators $Q_1, Q_2, Q_3$ such that the isogeny $\varphi : C \to C'$ is fixed, i.e., the hyperelliptic curve $C'$ is decided by $\varphi$ with kernel $G$. Immediately, the dual isogeny $\hat{\varphi}$ is determined.
In practice, we decompose the isogeny into a sequence of $T$ Richelot isogenies so that the dual isogeny $\hat{\varphi}$ can be evaluated in the linear time of $T$.

Remark 2
We know that every 2-dimension supersingular PPAV is isomorphic to either the Jacobian of a genus-2 hyperelliptic curve or a product of two elliptic curves, and the second case occurs with a probability $10/(p + 10)$ (Castryck et al. 2020). Upon our choice, the probability of the intermediate PPAVs isomorphic to a product of elliptic curves is negligible. Even if this event has occurred, we can simply choose another kernel group $G'$ to evaluate a new isogeny with overwhelming probability.
Since the prime is in the particular form, we could sample an $\ell$-torsion divisor $P \in J_C[\ell]$, and $X_1 = \langle P \rangle$ is a subgroup of order $\ell$. From the isogeny $\varphi : J_C \to J_{C'}$, we know that $\varphi(P) \in J_{C'}$ is still an $\ell$-torsion divisor. We set $Y_1 = \langle \varphi(P) \rangle$. After that, we output the evaluation key and verification key as $\varphi$ and $(J_C, J_{C'}, P, \varphi(P))$, respectively.

Remark 3
1. This divisor $Q$ can be obtained with probability $(\ell - 1)/\ell$. If it fails, we can sample another divisor with overwhelming probability.
2. Since the degree of isogeny is coprime to $\ell$, we can also select a generator $Q'$ in $J_C[\ell]$ and obtain the image $\varphi(Q')$ under the isogeny $\varphi$.
The four groups $X_1, X_2, Y_1, Y_2$ are all cyclic groups, so it is facile to uniformly sample a point from these subgroups. The function Eval takes a random divisor $S \in Y_2$ and outputs the image $\hat{\varphi}(S)$ under the isogeny $\hat{\varphi}$. For the verification Verify, first check otherwise, the verification fails. After that, $\hat{\varphi}(S)$ passes the verification if Our VDF scheme is depicted in Fig. 1.

Security analysis
Now we present the security analysis of our VDF scheme, i.e., three properties are all satisfied.
Theorem 1 Our scheme is correct and sound.

Remark 4
The perfect soundness for isogeny-based VDF (De Feo et al. 2019) is invalid here.There are four generators in , so two equations for verification can not determine a unique divisor.
Although Sequentiality is the most crucial property, it is hard to illustrate that there is no algorithm of "running in parallel time less than T".We now shift our attention to the following problem for isogenies between hyperelliptic curves, which has been introduced for elliptic curves in De Feo et al. (2019).
Definition 5 Let $J_C$ be the Jacobian over $\mathbb{F}_{p^2}$, isomorphic to a supersingular PPAV. Given a fixed isogeny $\varphi : J_C \to J_{C'}$ with the maximal $2^T$-isotropic subgroup $G$ and allowing a precomputation in time poly( , T ), evaluate $\hat{\varphi}(S)$ on a random divisor $S \in Y_2$ in parallel time less than $T$.
To set parameter sizes, we discuss several attacks on the high-genus isogeny shortcut problems, similar to the attacks mentioned in Burdges and De Feo (2021) and De Feo et al. (2019). The complexities of attacks are summarized in Table 1.
Pairing inversion The simplest attacks focus on the properties of Weil pairings. Namely, for given $P, \varphi(P), S$, to compute $\hat{\varphi}(S) \in J_C[\ell]$ it is enough to obtain a divisor $S' \in J_C[\ell]$, more specifically, $S' \in X_2$, such that $e_\ell(P, S') = e'_\ell(\varphi(P), S)$ (2), i.e., to solve the pairing inverse problem $e_\ell(P, \cdot) = e'_\ell(\varphi(P), S)$. Due to the surjection of Weil pairings $e_\ell(P, \cdot)$, the equation is satisfied with probability $1/\ell$ for a random divisor $S' \in X_2$. Thus, a better strategy is to randomly sample a divisor $S_0 \in Y_2$, then find $m \in \mathbb{Z}/\ell\mathbb{Z}$ such that $e'_\ell(\varphi(P), S) = e_\ell(P, S_0)^m$, then the divisor $mS_0$ is one legitimate output for verification. Therefore, the security of DLP impacts the hardness of the pairing inversion problem.
From Setup, the embedding degree is 2, indicating the best algorithm is the Number Field Sieve (NFS) for $\mathbb{F}_{p^2}$, whose (heuristic) complexity is $L_p(1/3)$. With the progress on NFS, the DLP in $\mathbb{F}_{p^2}$ for a prime of around 300 bits has been solved in Barbulescu et al. (2015), then Barbulescu and Duquesne (2019) have selected the parameters for pairings under several security levels. It is suggested to utilize prime $p$ of around 1500 bits and $\ell$ of 256 bits for 128-bit security. Unfortunately, the pairing inversion problem is insecure under quantum computers.
Computing shortcuts One natural attack comes from finding a "simple" isogeny between $J_C$ and $J_{C'}$, agreeing with $\varphi$ on $J_C[\ell]$, but requiring less parallel time to evaluate.
To break our scheme, the attack needs to compute another isogenous map between supersingular hyperelliptic curves, i.e., isogenous to the product of $g$ supersingular elliptic curves, thus a natural idea is to find another isogeny between two superspecial abelian varieties, as the more specific PPAVs isogenous to $g$ supersingular elliptic curves. In general, Costello and Smith (2020) demonstrated that for two superspecial abelian varieties $A_1$ and $A_2$, finding a path $\varphi : A_1 \to A_2$ in the $(\ell_0, \ldots, \ell_0)$-isogeny graph requires $\tilde{O}(p^{g-1})$ field operations on a classical computer, and $\tilde{O}(\sqrt{p^{g-1}})$ field operations on a quantum computer. Therefore, computing a shortcut of known Richelot isogenies between two supersingular hyperelliptic curves requires more than $\tilde{O}(\sqrt{p^{g-1}})$ field operations for quantum computers, thus it is negligible to compute another path between two isogenous hyperelliptic curves of known isogenies.
Even if we have obtained a short isogeny ψ : is clear, it is inefficient to determine map $\omega$ with the property of endomorphism. To simplify this problem, we restrict our attention to the subgroup ω is determined via computing discrete logarithms on $X_2$, while it hardly occurs. In general, we have $\psi(Y_2) \neq X_2$, then $\omega$ induces a group isomorphism from $\psi(Y_2)$ to $X_2$, where computing discrete logarithms on $X_2$ is also involved. As a result, the problem of searching $\omega$ is more complicated than pairing inversion problems.
Parallel isogeny evaluation Finally, another obvious attack would utilize more parallel resources for evaluating chains of isogenies, whose aim is to accelerate evaluations of the sequential and slow function Eval. However, Richelot isogenies utilize unique maximal 2-Weil isotropic subgroups for the next isogeny, requiring a maximal 2-Weil isotropic subgroup in Jacobians, so all existing algorithms go through all $T$ intermediate PPAVs. In addition, for chains of 2-isogenies, replacing two 2-isogenies by one 4-isogeny is the generic technique for SIDH (De Feo et al. 2014), which will reduce the total cost by a constant factor, while there is no algorithm to evaluate $(2^n, 2^n)$-isogenies directly.
Consequently, the implementations of Richelot isogenies must be in a straight line, similar to the iterative isogenies for isogeny-based VDFs.Hence, an adversary can not accelerate the computation even using poly(T) processors at present.
Other known attacks In Kunzweiler et al. (2021), an adaptive attack has been proposed, where the gist is the symplectic basis related to Weil pairings. In general, finding the symplectic basis is equivalent to solving DLP for Weil pairings, which is practical for smooth order $\ell_0^n$. Whereas, our scheme leverages the divisors of large prime order, then determining the symplectic basis of order $\ell$ is at least as hard as the pairing inversion problems.
Recently, Castryck and Decru (2023) established an attack for SIDH, then Robert (2023) generalized this method to the PPAVs of all genera. However, this strategy employs all generators of torsion groups in two PPAVs and leverages the parameter tweaks for the smooth prime factorization, then the secret isogeny is recovered. In our VDF, the isogeny has been fixed with the output, i.e., we already have an isogeny path, and the ultimate goal is to evaluate the isogeny faster, so it may work for computing shortcuts. Luckily, this attack can not apply to VDFs straightforwardly. On the one hand, only two generators of $J_C[\ell]$ with the corresponding images in $J_{C'}$ are known, such that there are not enough divisors to apply this attack. On the other hand, the prime $p$ is particularly selected such that $p + 1$ has a large prime factor $\ell$, so the parameter tweaks have few choices since the guessing procedures search for small isogenies upon the factorization of the difference value of divisors of $2^T$ and $\ell f$. Hence, for the huge difference between $2^T$ and $\ell f$, the first guessing isogeny is of large degree, almost identical to $2^T$, which makes it almost impossible to find a legitimate isogeny since there is one unique choice among all likely isogenies, whose degree is close to $2^T$. Consequently, this attack has no influence on our scheme. Similarly, although two generators with the corresponding images are fixed, the isogeny-based VDF (De Feo et al. 2019) can resist the attacks for genus one SIDH (Castryck and Decru 2023; Maino et al. 2023; Robert 2023).

Parameters and comparison
Based on the above analysis, we choose a 256-bit prime $\ell$, then set $T = 1244$ and $f = 63$ to obtain the prime $p = 2^{1244} \cdot 63\ell - 1$ of 1506 bits, as the same prime in De Feo et al. (2019) for the security level of 128 bits. It is believed that computing discrete logarithm in a subgroup of order $\ell$ in a finite field $\mathbb{F}_{p^2}$ requires more than $2^{128}$ operations.
As for the implementation, Weil pairings can be realized by pairing-based cryptography, where Miller's algorithm (Miller 2004) is suggested. Moreover, one can substitute Weil pairings by Tate pairings, then half of Miller loops are saved at the expense of one final exponentiation. However, Richelot isogenies are a relatively new topic, and we refer to the relevant algorithms in Castryck and Decru (2023), Castryck et al. (2020), Flynn and Ti (2019) and Kunzweiler (2022). In general, isogenies between high genus PPAVs are more inefficient than elliptic curve isogenies, which means that our VDFs may obtain larger delay effect under the same parameter set than isogeny-based VDF (De Feo et al. 2019).
The overall comparison of different VDF schemes is depicted in Table 2. Compared with other VDFs, e.g., Pietrzak (2019) and Wesolowski (2020), one notable advantage is the empty proof, where the pairings play the role of proof. Note that Loe's VDF (Loe et al. 2022) can achieve empty proof, but it is a prerequisite to generate a fresh Blum integer for every VDF, while the prime in our scheme can be applied for all schemes. Apart from that, our VDF is non-interactive such that the output can

Delay encryptions from hyperelliptic curves
Since the original DE has been derived from isogeny-based VDFs (Burdges and De Feo 2021), we present a new DE from hyperelliptic curves following a similar roadmap. The IBE scheme (Boneh and Franklin 2003) is modified for our construction, i.e., the master secret is substituted by a long chain of Richelot isogenies, so that deriving the decryption key from a fixed identity is a slow operation.

Our design
Setup is almost identical to that of the VDFs in Fig. 1, where the prime $p = 2^T \ell f - 1$ and the Jacobian $J_C$ are fixed, then an isogeny $\varphi : J_C \to J_{C'}$ with the image of an $\ell$-torsion divisor is established. To describe the other routines, we introduce two hash functions. Let $H_1$ : {0, 1} → $J_{C'}[\ell]$ be used to hash id to divisors of order $\ell$, and $H_2$ : $\mathbb{F}_{q^k}$ → {0, 1} be a key derivation function. The detailed protocol is described in Fig. 2, where the notations coincide with those in Fig. 1.
The correctness of our scheme is satisfied by the following equation

Remark 6
Note that if two hashed identities $Q, Q'$ satisfy $e'_\ell(\varphi(P), Q) = e'_\ell(\varphi(P), Q')$, they give the same $s$ for Encaps and Decaps, so the adversary only needs to compute the image of one divisor from them under $\varphi$. However, from the analysis in the proof of Theorem 1, this occurs with probability $1/\ell$, which is still negligible.

Security analysis
To illustrate the security of our scheme, we follow the line in Burdges and De Feo (2021). We first generalize the bilinear isogeny shortcut games to high genus as follows:
Precomputation The adversary receives $p, \ell, J_C, J_{C'}, \varphi$ and outputs an algorithm $B$.
Challenge The challenger outputs uniformly random
Guess Algorithm $B$ runs on the pair $(P_0, Q_0)$. Then the adversary wins if $B$ outputs $B(P_0, Q_0) = e_\ell(P_0, \varphi(Q_0)) = e'_\ell(\varphi(P_0), Q_0)$.
Similarly, we say the high-genus bilinear isogeny shortcut game is $\Delta$-hard if no adversary running the precomputation in time poly( , T ) produces an algorithm $B$ that wins in time less than $\Delta$ with non-negligible probability. Consequently, the following theorem illustrates that our scheme satisfies $\Delta$-IND-CPA if the above game is hard.
Theorem 2 The delay encryption scheme from hyperelliptic curves is $\Delta$-IND-CPA secure, assuming the $\Delta'$-hardness of the high-genus bilinear isogeny shortcut game with $\Delta \in \Delta' - o(\Delta')$, where $H_1$ and $H_2$ are modeled as random oracles.

Proof
The proof of this theorem is almost identical to that of delay encryption from elliptic curves in Burdges and De Feo (2021), so we omit the proof for brevity.
The security of the high-genus bilinear isogeny shortcut game follows from the analysis of three attacks in the "Security analysis" section. Consequently, the parameters are the same as those for our VDFs from hyperelliptic curves, with analogous merits and demerits.

Conclusion
In this work, we present the first VDF and DE from hyperelliptic curves by utilizing Richelot isogenies and non-degenerate pairings, which broadens the cryptographic applications of high-genus isogenies. In particular, we employ the framework of the isogeny-based VDF for two schemes with analogous merits and demerits as those from isogeny-based ones, while our scheme is secure under generalized assumptions on high-genus isogenies. To further implement those schemes, the study of efficient Richelot isogenies would be welcome, which is the main obstacle to the implementation of isogeny-based cryptography from hyperelliptic curves. Apart from that, the cryptographic applications from high-genus isogenies may share the smallest key sizes among post-quantum cryptosystems, thus it is natural to enrich this cryptosystem with abundant cryptographic constructions.

Table 1
Complexities of the attacks on the sequentiality of our VDF, consisting of the cases for classical and quantum computers

Table 2
Comparison of VDFs. For simplicity, all times are assumed to be bounded by a constant factor, where T and are the delay parameter and security parameter, respectively