 Hello, I'm Lior, and I'm going to talk about generic group delay functions and why they require hidden order groups. This is joint work with Will Segev and Ido Shachaf. Let's start by reviewing what exactly are delay functions. Roughly speaking, a cryptographic delay function is a function which is efficiently computable, yet only in a manner which is inherently sequential. Concretely, a delay function takes as input an additional delay parameter which specifies how long it should take to compute a function. For a delay parameter, t, the function should be computable in time polynomial in t, so for example, 40 or t cube. However, it should not be possible to evaluate the function on a randomly chosen input in time which is strictly less than t. This less requirement should hold even if we allow for a preprocessing stage and for attackers with a polynomial number of problem processors. One reason to care about delay functions is that they serve as a fundamental building block for other very useful cryptographic primitives. A prime example is that of time lock puzzles introduced by the West Chameleon Wagner in 1996. In our terminology, a time lock puzzle is a delay function which admits fast sampling of input-output pairs whereby fast we mean in time polylogarithmic in the delay parameter t. Another more recent example is that of verifiable delay functions formalized by Bonnet Al in 2018. A verifiable delay function, or VDF for short, is a delay function which allows for fast verification of input-output pairs, possibly given an additional short proof of durability. Again, fast verification means in time polylogarithmic in the delay parameter t. These two refinements of delay functions, time lock puzzles and VDFs, have many very useful applications. Okay, so perhaps the simplest example of a delay function is the iterated hashing function. This function is obtained by iteratively applying a cryptographic hash function such as Shah onto the input. So if the input is X, we apply the hash function H to obtain H of X, then we apply H again, two H effects, and so forth until we have invoked H three times. The output of the delay function is then the output of the less invocation of H. One advantage of the iterated hashing function is that its sequentiality can be proven unconditionally when the hash function H is modeled as a random oracle. The downside of this delay function, however, is that it seems to be understructured to enable extensions to time lock puzzles or to VDFs. That is, it does not seem to support fast generation of input output pairs for time lock puzzles nor fast verification for VDFs. So we are interested in more structured constructions of delay functions which may enable extensions to time lock puzzles and to VDFs. Luckily, this is where the repeated squaring function comes into the picture. The repeated squaring function is defined with respect to a group G. Given the delay parameter T and the group element X as input, the output of the function is X raised to the power of two to the T. Note that if the group operation is computable in time polynomial in the security parameter lambda, then this function is indeed computable in time T times polylambda by T repeated squaring. Unlike the iterated hashing function, this function does have sufficient structure to enable extensions to time lock puzzles and to VDFs. Indeed, it was first proposed by Rivesh Chameer and Wagner as the basis for their time lock puzzle, and it was recently and elegantly augmented with the same proofs yielding efficient VDF constructions. Now, the sequentiality of this function is based on the assumption that there are groups in which it is impossible to significantly speed up the function's computation, even with pre-processing and parallel processors. As we will later see, a necessary condition for this assumption to hold is that the group's order is unknown. Currently, we have two main candidates for such groups, RSA groups, which are thoroughly studied, but typically require a trusted setup to generate their model i in a way that keeps the order unknown. And as a second candidate, we have the class groups of imaginary quadratic fields. These do not require any trusted setup, but they are not as well studied from a cryptographic point of view as other groups might be. With these caveats of RSA groups and class groups in mind, a natural direction to look at is that of cyclic groups. These groups have many possible instantiations, which are both very well studied cryptographically and do not require any trusted setup. The bad news is that these are known order groups. One can easily derive the group's order from the group's representation. And it's not hard to see that this makes the repeated squaring function insecure in these groups. One can simply reduce 2 to the t, model the order of the group, and then raise x to the power of the result. This computation runs in time which is essentially independent of the delay parameter t, and by elementary group theory it is always correct. One can observe that this problem applies not only to the repeated squaring function, but to any simple enough function that raises the input elements to some fixed exponents. However, hope is not lost since we can do much more with cyclic groups than just raised elements to the power of fixed exponents. For instance, a computation in a cyclic group can choose its next operation as a function of the equality pattern and among group elements it has observed so far. So this raises the following question. Are there constructions of delay functions in known order cyclic groups? Our main contribution is answering this question negatively for the class of generic group delay functions. That is, we show that there are no constructions of generic group delay functions in cyclic groups of known order. Note that this immediately implies that there are no generic constructions or puzzles or VDFs in these groups either. This impossibility actually also extends to multiple linear groups, but we will not have the time to cover this in detail in this talk, so I'll see the paper for details. What we will show in this talk is that for any generic group delay function, whereby generic, we mean that it does not exploit in any way the representation of the underlying group. There is an attacker that breaks the sequentiality of this function given the order of the group. We will follow this outline. We will start by defining and discussing the generic group model within which we prove our impossibility result. Then we will define in more detail delay functions within this model. The main part of this talk will be presenting a simplified version of our attack, and finally, we will conclude with some closing remarks. So let's begin by discussing the generic group model. Roughly speaking, the generic group model captures algorithms that do not exploit the representation of the underlying group in any way. This is captured via an oracle that manages the excess of algorithms to the group. Concretely, we use the generic group model of Maurer. In this model, group elements do not have unique explicit representations, and instead, algorithms specify their queries by pointing to the relevant group elements. So, for example, an algorithm may ask the oracle to apply the group operation to the fourth and the seventh group elements that appeared in the computation so far. We will formally define the model in the next slide. Before that, I want to stress that this model is different from the model of Schup in which group elements do have explicit random representations. These two models were shown to be equivalent up to a polynomial factor for certain problems, such as the discrete logarithm problem. But generally speaking, the two models are incomparable. Finally, I would like to argue the choosing model as a model for proving a random possibility result is the right choice in the following sense. Schup's random encoding function, the function which maps group elements to the random representations, does yield a delay function. So, we cannot really hope to prove our impossibility result in Schup's model. However, this delay function is essentially the iterated hashing function. And as we already mentioned, this function does not seem to enable extensions to time-lock puzzles or to PDFs. Moreover, this function does not use the algebraic hardness of the group in any manner. So, one cannot really hope to instantiate it using a concrete group. Let's go ahead and define the model that we use more formally. A basic observation which underlines the model is that any cyclic group of order n is isomorphic to the edited group Zn of integers modulo n. Hence, each group element can be identified with the corresponding Zn element. With that in mind, a generic computation can be associated with a table B of Zn elements managed by the oracle. This table is initialized with the Zn elements that correspond to the input elements to the algorithm. And as a standard, we will assume that all algorithms receive the same generator of the group as input. This is captured by assuming that the table B is always initialized with the integer 1 as its first entry. The generic algorithm can then produce two types of queries to the oracle. Group operation queries and equality queries. To issue a query, the algorithm specifies the indices of the two elements that it wishes to compile or to which it wants to apply the group operation. In response to a group operation query, the oracle adds up the two corresponding Zn elements and places the result in the next vacant entry of the table B. In response to an equality query, the oracle simply compares the two corresponding Zn elements from the table and answers accordingly. When a generic algorithm wishes to output a group element, it outputs the index of the corresponding entry of the table B. In addition to group elements, algorithms may receive as input or include in their output also explicit bit strings. In our setting, for example, algorithms will always get the order n and the delay parameter t explicitly as input. Finally, note that the model captures interactive computations. A generic algorithm can pass group elements to another by pointing to entries in the table B. The model also supports parallel computations by allowing algorithms to issue many parallel oracle queries at once. Now that we have the generic group model in mind, let's define more formally generic group delay functions. A generic group delay function is a triplet of generic algorithms. The setup algorithm takes in the group order n and the delay parameter t and samples public parameters pp to the function. The sample algorithm takes in n, t and pp and samples an input x to the function. And the deterministic evaluation algorithm eval takes in n, t, pp and x and outputs the value y of the delay function at input x with public parameters pp. Note that pp, x and y can all include explicit bit strings in addition to group elements. On the slide you can see for example the repeated squaring function in this syntax. This is just a simple example, but in general the sequence of group operation queries issued by the evaluation algorithm may depend on the equality pattern among group elements throughout the computation since this information is observable by a generic algorithm. The sequentiality of a generic group delay function is defined via the following experiment. First the modgen algorithm is invoked on the security parameter lambda to sample an order n for the group and the setup algorithm samples the public parameters. Then the preprocessing attacker a0 produces some state st which may depend on the public parameters. Afterwards the sample algorithm samples an input x to the function and this input is fed together with the state st to the online attacker a1. a1 outputs some output y' and we compare this output to the actual output y of eval on the input x. We say that a0 and a1 win if y' is indeed equal to the actual output y of eval. We say that the delay function is tp-sequential if for every pair a0 and a1 of generic algorithms such that a0 makes a polynomial number of queries and a1 consists of at most p parallel processors each of which making at most t-sequential queries the probability that a0 and a1 win in the experiment is negligible in the security parameter lambda. We can now move on to present our attack against any generic group delay function in groups of load order. I should stress that this is a simplified version of the attack but it captures the gist of it. In any case I will point out the simplifying assumptions that we make here but do not make in our full-fledged attack. So with the definition of generic group delay functions in mind our result is the following. Let df be a delay function such that the public parameters include KPP group elements the input of the function includes KIN group elements and the output of the function includes KOUT group elements and let q be the number of equality queries issued by the evaluation algorithm eval. Then we will show an attack which correctly computes the function on every input with probability 1 while using KPP plus KIN times max KOUT and q parallel processors each of which issuing roughly KPP plus KIN sequential queries. Our attack here will not require any pre-processing stage and you can see for example what this means for the repeated current function but for any function which admits a time lock puzzle or a VDF construction our attacker's number of sequential queries is essentially independent of t. This is true since this number is linear in KPP plus KIN and FEST generation or verification means that KPP plus KIN needs to be at most polylogarithmic in t. To gain some intuition let's start with a very simplified warm-up. Consider what happens when the attacker gets not only oracle access to the table B of ZN elements but also the ZN elements themselves explicitly. So here we have a simple evaluation algorithm and then attacker A that gets implicit access to X1 and X2 but also the corresponding ZN values 15 and 8. The attack in this case is simply to emulate locally the execution of eval. Knowing the explicit ZN values of X1 and X2 allows the attacker A to hold the local copy of the table B to update it according to the code of eval and finally to compute the ZN value corresponding to the output without any oracle queries. So are we done? Not quite. Recall that outputting a group element in the generic group model means putting the corresponding ZN element in some entry of the table B and outputting a pointer to this entry. But since the first entry of the table is 1 the attacker A can put any ZN element in the table with roughly log n group operation queries. If n is at most exponential in the security parameter lambda this means that the attacker makes roughly lambda sequential queries. As a first step towards the actual attack consider the case where the attacker gets only implicit access to the group element but the eval algorithm does not make any quality queries. In this case what an attacker can do is to locally run a symbolic emulation of eval. The emulation replaces each group element with a formal variable. In the example on the slide these are the formal variables capital X1 and X2. Group operation queries are replaced with polynomial addition model n. Again you can see that on the slide. Finally the output is obtained as a polynomial in these formal variables. So after the emulation the attacker holds a description of the output as a polynomial in the input elements. What is left is placing in the table B the result of evaluating this polynomial at the input elements. In the example on the slide we can do this using two group operation queries. We first add X1 to itself to put 2X1 in the table and then add the result to X2. More generally given a K-variate linear polynomial f and indirect oracle access to KZN elements X1 through XK a generic algorithm can evaluate f on X1 through XK using graphly log n plus log K group operation queries. This is done by first evaluating each monomial separately which can be done using graphly log n queries since a monomial here is simply a ZN element times a formal variable and we can do this in parallel with one processor per monomial. Then we need to sum up all of the evaluated monomials which can be done with log K sequential queries using K parallel processors. In our case the number of group elements and hence of formal variables is KPP plus KN yielding a total of about log n plus log KPP plus KN sequential queries which as we said is essentially independent of T. The main challenge that remains is how to answer equality queries in the polynomial based emulation. To give you a sense of why this might be difficult consider two possible naive solutions. The first is simply to reply to an equality query affirmatively if and only if the two associated polynomials are identical. However, it might be the case that the elements being compared are actually equal ZN elements even though they are distinct as formal polynomials in the input elements. In this case the emulation will deviate from eval and the computed output will not be the correct one. A second approach might be to guess which of the equality queries should be affirmatively answered. This might work if the number of equality queries is small but we want to handle evaluation algorithms that issue any polynomial number of equality queries. The key observation that we will use is that even though this number of equality queries might be large only a small number of non-trivial equality queries may be affirmatively answered and it will become clear what we mean by non-trivial in the following slides. This brings us to our attack. Let's assume for this talk that the order N is a prime number. So this means that each affirmatively answered equality query induces a linear equation over a finite field and by basically linear algebra since we have KPP plus KE informal variables at most KPP plus KE linearly independent equality queries may be affirmatively answered. Using this observation, the idea is to run KPP plus KE plus one iterations of some emulation such that in each iteration either the emulation coincides with eval and we compute the correct output or we learn some new linear equation. So for this talk we will assume also that the output of eval is a single group element and that there are no public parameters. Both of these assumptions are easy to get rid of and you can see the paper for details. Before presenting the attack, a last bit of notation. Bald X denotes the vector of capital X1 through XKM and this notation for a set L of linear equations means running the polynomial based emulation of eval while answering equality queries affirmatively if and only if the induced linear equation is in the linear span of the set L. As before the output of the emulation is also a linear polynomial. We now turn to present our attack. The attacker A gets his input the order N, the delay parameter T, and the input elements X1 through XKM and operates as follows. First it initializes a set L to hold the linear equations that it will learn throughout its execution and then it repeats the following loop until termination. It runs the polynomial based emulation of eval while answering equality queries according to L as we discussed in the previous slide and obtains a polynomial Y describing the output. Each equality query in this emulation induces a linear equation when we assume that equality holds. Let L1 through LM denote the linear equations induced by the negatively answered equality queries in this emulation. A then checks if any of these equations hold by evaluating them at the input elements using group operation queries and comparing the results to zero and adds all equations that hold to L. If none of these equations hold A evaluates Y at the input elements, outputs a pointer to the result and terminates. Why is our attacker successful? For a given iteration consider the linear equations L1 through LM. There are two possibilities. Either at least one equation checks out and do we add it to L or none of them do in which case the emulation is accurate and we are done. So we wish to argue that there cannot be too many iterations in which we add equations to L. This is the case since by the definition of the polynomial based emulation the equations L1 through LM are not in the linear span of the set L at the beginning of the iteration. Hence, since we have k-in variables this means that the attack succeeds after at most k-in plus one iterations. Our full-fledged attacker handles delay functions with public parameters, explicit bit strings in the input and output, multiple output elements, composite order groups and even groups with multilinear maps. You can find the details in the paper. Okay, so this concludes the impossibility result and let's wrap up with some closing remarks. One point that I want to make is that one can look at our attack as an extension of the classic iteration-based paradigm for proving impossibility results in idealized models like the random oracle model. The key idea in the random oracle model and in similar models also is that local modifications to the oracle have no global effects. Our setting, however, is quite different. In the generic group model local information does have a global effect due to the algebraic structure of the group. So a locally modified oracle in the generic group model might not be a valid one since it might be inconsistent with the algebraic structure. This is where our new technique of exposing linear relations comes into the picture and we use it in order to achieve two goals in a way that is quite different from the manner in which these goals are achieved in the random oracle model. So first of all, we use the linear relations which we expose in order to modify the oracle in a way that is algebraically consistent with the group structure. And second, we use them to bound the number of necessary iterations in the attack by algebraic arguments which is also quite different from what is done in the random oracle model. So this concludes the talk. What we saw was that there are no generic group delay functions in cyclic groups of known order which means that there are no generic group dialog puzzles or VDFs in these groups either. And we also mentioned that this result extends to multi-linear groups as well and you can find the proof of that in the paper. Our attack relied on a new technique in the generic group model of exposing linear relations and it is an interesting open question whether this technique might have additional applications either for proving additional lower bounds in the generic group model or in other related well-structured idealized models as well. Okay, so that's it and thank you for listening.