 Hi, I'm Dima, I'm a PhD student at Stanford, and today I will be talking about Oblivious pseudorandom functions from Isogenes. This is joined to work with Katie Wu and Dan Bonet. Thank you for watching this virtual presentation, and I hope you enjoy it. An Oblivious pseudorandom function is a two-party protocol in which a client holds an input X and the server holds a PRF key K. At the end of the protocol, the client learns the value of the PRF at that single input, and the server learns nothing about the client's input. In a verifiable OPRF, the server first publishes some sort of public key that binds it to a particular PRF key. Then in the execution of the protocol, the client can use this public key to check the response from the server and be sure that the PRF output it has obtained has been computed correctly using the PRF key bound by this public key. This prevents a malicious server from equivocating and guarantees multiple clients across multiple executions that all their outputs have been computed consistently using a single key. Oblivious PRFs have found many applications, both as part of larger cryptographic protocols such as private set intersection and in real-world systems. For example, Google's recent password checkup service uses an Oblivious PRF to check whether a user's password has been leaked online as part of breaches at other companies. An Oblivious PRF is also a main building block in password-authenticated key exchange protocols such as the recent OPEC protocol that is being standardized by the Internet Research Task Force. And just to mention one other application, Cloudflare protects websites from the out-of-service by having the users mint and then present anonymous authentication tokens that prove that they are real users. The Oblivious PRF is used in order to avoid linking different sessions in which the users mint and present their tokens. In terms of existing constructions, the original paper by Friedman, Ishai, Pinkas and Reingold that introduced the notion of Oblivious PRF also showed that the Naor-Reingold DDH-based PRF admits an Oblivious Evaluation Protocol. There is another very simple and useful Oblivious PRF. Consider the function h of x to the k. It was shown to be a secure PRF from DDH in the random oracle model, and later Jarekian Liu gave an Oblivious Evaluation Protocol for this function, secure under the one more D. Fee-Hulman assumption in the random oracle model. Later, this was turned into a verifiable Oblivious PRF, as well as shown to be universally composable. And there are also constructions from RSA-based blind signatures, which is a closely related notion. However, since there are quantum polynomial time algorithms for the DDH and RSA problems, none of those Oblivious PRFs is post-quantum secure. Constructing a post-quantum secure Oblivious PRF is more challenging. One approach is to evaluate AES using a generic two-party secure computation protocol, such as Garbled Circuit instantiated with a post-quantum secure Oblivious Transfer. And recently, Albert et al. gave a direct construction from Lattice. In this work, we construct Oblivious PRFs from Isogenes. Our first construction is a verifiable OPRF from super-singular Isogenes in the SIDH setting. We prove its security in the random oracle model from standard SIDH type assumptions, as well as a new one more assumption that we introduce. Our security proofs are in the universally composable framework. And we estimate the communication cost of our protocol to be under 2 megabytes for a 128-bit level of security. In this talk, we're going to focus mostly on this first construction. Our second construction is an Oblivious PRF from Commutative Group Actions, which can be instantiated from Isogenes using the C-Side Group Action. This construction follows an orangle construction from groups. Its security follows from Group Action DDH assumption, and its communication cost is under 450 kilobytes for a 128-bit level of security. The plan for the talk is to first introduce a new abstraction called Augmentable Commitments, then use this abstraction to present our construction of an Oblivious PRF, then we'll see how to instantiate this abstraction using Isogenes, and at the end we'll see a little bit of our second construction from Commutative Group Actions, and at the end we'll conclude and discuss some open problems. Let me begin by presenting a new abstraction that we introduce in our paper called Augmentable Commitments. This abstraction serves to separate the high level from the low level details in our protocol. An Augmentable Commitment has an input space, which is a product space of n-1 separate input spaces, and an extra blinding space r. The Augmentable Commitment consists of four algorithms. The first is a set-up algorithm that takes as input the security parameter and outputs some initial commitment. This initial commitment, COM0, can be blinded using a value r from the blinding space. The third algorithm is an append algorithm that takes as input a commitment and a value a in one of the input spaces and outputs a new commitment. This algorithm can be called sequentially to append multiple values to the same commitment as long as those values belong to different parts of the input space. And finally, the unblind algorithm takes as input a commitment and a blind value r and outputs a new unblinded commitment. I want to mention that this abstraction is inspired by another recent abstraction framework for isogenies called Semicommutable Masking by Del Pesh et al. The Augmentable Commitment Scheme must satisfy two correctness properties. The first one is commutativity, namely that adding the same values in different orders results in the same commitment. To be precise, equality actually only holds up to some equivalence relation, but we ignore this fact for simplicity in this talk and talk about the commitments as though they're equal. The second correctness property is that blinding and unblinding should behave as you expect it to, namely that unblinding a commitment that was previously blinded with the same value should undo the effect of blinding and leave you with the same commitment as if it was never blinded. The Augmentable Commitment Scheme must satisfy three security properties, which we state here informally. The hiding property states that a randomly blinded commitment to any set of values is computationally indistinguishable from a randomly blinded commitment to any other set of values, belonging to the same input spaces. Intuitively, this means that randomly blinding a commitment hides its contents. Moreover, a similar property holds with respect to appending random values. So the main difference between normal values and blinding values is that blinding values can later be unblinded, whereas append is final. The second property is called weak binding, and it says that it should be computationally hard to find collisions between commitments to two sets of values. And the last property is called one more unpredictability, and I'm going to expand on this a little bit more. Here we assume for simplicity that the input space of the commitment is of dimension two, and its two parts are m and k. One more unpredictability is captured by the following game, played between an adversary and a challenger. The challenger chooses a random value k from one of the commitments input spaces. The adversary then submits two types of queries. The first type of query is called challenge query, to which the challenger responds by a randomly sampled element m from the commitments other input space. The second type of query is a solve query. Here the adversary submits any element m in the commitments input space m, and the challenger responds by a commitment obtained by committing to both the given element m and the secret value k. The goal of the adversary is to make at most t solve queries and then come up with t plus one correct commitments, where a correct commitment is a commitment to a pair of values, one of which is one of the challenge values mi, and the other one is the challenger's secret value k. So clearly the adversary can easily come up with t correct values by simply making t solve queries on t different challenges. However, it should be difficult to come up with this extra value number t plus one. We will now see how to construct an oblivious PRF from this new abstraction of augmentable commitments. Given the augmentable commitment abstraction, we can devise a simple oblivious PRF protocol. The client first takes its prf input x and hashes it into an element m in one of the input spaces of the augmentable commitments. It then creates a blind augmentable commitment to m using randomness r and sends the resulting commitment to the server. The server then appends its secret key k to this message and sends the resulting commitment back to the client. Finally, the client takes the response from the server, unblinds it, and hashes the result to obtain the prf output y. The hiding property of the commitment protects the privacy of the client's input, whereas the one more unpredictability property guarantees that the client learns the value of the prf only at a single point. However, this simple protocol is not maliciously secure. The reason is that we need to remember that the one more unpredictability property of the augmentable commitment is guaranteed to hold only as long as the secret key is appended to well formed commitments. Looking ahead, this captures the fact that our SIDH based construction of the augmentable commitments is particularly vulnerable to active attacks. Therefore, if a malicious client sends a malformed commitment as its first message and the server just responds by appending its key to this message, then the response may leak additional information about the key breaking security. In order to prevent such an active attack by the client, we modify the protocol by having the client attach a zero knowledge proof of knowledge of the opening of the commitment it sends to the server. By checking the zero knowledge proof, the server can be certain that the client's message is a well formed commitment and it therefore can safely append its key to this message. To make our protocol efficient, we develop a custom zero knowledge proof of knowledge specifically for the isogenic based augmentable commitment we construct. I'm going to talk a little bit more about this zero knowledge proof later on in the talk. The case of a malicious server poses a similar risk. Here, the concern is that such a server can send a respond that doesn't correspond to a well defined PRF key leaving the client with an inconsistent output or just use different keys between different executions of the protocol. To defend against such malicious servers, we make our oblivious PRF protocol verifiable. We first fix some dummy values M bottom and R bottom and the server publishes as its public key what would have been the valid response had the client send those dummy values to the server. The server also attaches a zero knowledge proof of knowledge of the key K relative to this response. Then during the execution of the protocol after the server sends its response to the client, the server and the client jointly run a sub protocol that proves consistency between the response of the server and that predetermined response which is part of the public key. The sub protocol proves that the same key used for the dummy response in the public key has been used in order to respond to the client's message and I refer you to the paper for additional details about the sub protocol. The next thing we'll see is how to construct augmentable commitments from isogenes. Let's review the basics of isogen base crypto trying to make things as self-contained as possible. An isogen is a non-constant rational map between two elliptic curves over some finite field and this rational map is also a group homomorphism between the group of points on each of the elliptic curves and the endomorphism is just an isogen from a curve to itself. The fundamental hard problem that underlines isogen base crypto is finding an isogen between two given isogenous curves. It is useful to classify elliptic curves according to the type of ring their endomorphisms form. If this ring is commutative we say that the elliptic curve is ordinary and if this ring is non commutative we say that the curve is super singular. This distinction turns out to be important to how hard the isogen problem for that type of curve is. For ordinary curves the commutative structure can be exploited in order to solve the isogenic problem in quantum sub-exponential time using Kupperberg's algorithm. For a super singular curve there is no such commutative structure and therefore the best algorithms for the isogenic problem run in exponential time even on a quantum computer. Here are a few more useful facts. First every isogen from a curve E is uniquely determined up to isomorphism by its kernel which is a subgroup of the group of points on that curve E. Moreover the degree of the isogeny as a rational map is the order of the kernel subgroup. Next isogenies of smooth degrees are efficiently computable using Vellou's formulas. And finally every isogeny from a curve E to E prime admits a dual isogeny from the curve E prime to E which we denote by phi hat. Now let's see the construction of an augmentable commitment scheme from super singular isogenies. Our setup follows the footsteps of many previous works and generalizes the classic SIDH construction to the multi-prime variant. The setup first chooses a prime P such that P plus one is the smooth product of many distinct prime powers. It also chooses E0 a super singular curve over the field FB squared and the choice of the prime P guarantees that the order of the group of points on this curve is smooth. This group can be decomposed into subgroups each subgroup corresponding to a different prime power Ni. And for each such subgroup the setup algorithm generates a basis of two points that generate that subgroup. Finally the setup algorithm outputs the initial commitment to be that starting curve E0 and the set of basis is for each of those Ni order subgroups. The resulting commitment scheme then has n minus 1 input spaces where input space i is the ring of integers modulo the prime power Ni. And the blinding space are the integers mod the last prime power and sub n. To append a value a from the jth input space to a commitment we first map this value a to a subgroup of the njth torsion and then compute the isogeny whose kernel is this subgroup. We then output a new commitment the curve in this new commitment is the image curve of that computer isogeny and we also publish new bases which are the images of the original bases under this isogeny. An important point is that we drop the jth basis from the list of bases that we publish so every time we append a value the set of bases shrinks by one. As an example consider this two-dimensional case. Note that each time an isogeny is computed the corresponding bases are dropped and also recall that because the subgroups are chosen from co-prime torsion groups then the diagram is commutative and therefore the two different paths result in the same curve up to isomorphism. Blinding is a little bit trickier because we need to do an extra step that will allow us to unblind later on. To blind using a value r we map this value into a subgroup of the nr torsion group and then we compute the isogeny whose kernel is this subgroup. As before we compute the images of all the other bases under this isogeny however the new extra step is that we also publish a new basis for the nr torsion chosen as some canonical basis of that curve. To continue with this illustration suppose we want to append additional values to this blinded commitment. If we want to append a green value b we can use the green basis points to compute a green isogeny and at this point we drop the green basis. If we later want to append a blue value a we compute a blue isogeny at which point we're left with only the red basis. To unblind this commitment the unblinding algorithm first recomputes the original blinding isogeny phi r. It then computes the dual of this isogeny phi r hat and computes the representation u of the kernel of this dual isogeny in the basis pr prime qr prime that was chosen for the curve er. Finally it uses this representation u to compute what we can think of as the translation of the dual isogeny to the present curve eabr. Applying this translation of the dual isogeny results in a curve isomorphic to a curve obtained by simply appending the values a and b to the initial commitment without ever blinding. Let's now discuss the security assumptions necessary to satisfy the security requirements of the constructed augmentable commitment scheme. The hiding property follows from the decisional sidh assumption a standard isogeny assumption adopted as in few several works before to the multi prime setting. The weak binding property follows from the difficulty of finding collisions in the super singular isogeny graph for a random starting vertex as used in the isogeny based hash function. And finally the one more unpredictability requires a new assumption. Here we need to be especially careful for several reasons. First a similar assumption was recently broken. Second sidh is vulnerable to a class of active attacks and we care about those in our setting. And finally unlike in the group setting the presence of search to decision reductions for isogenies makes gap assumptions particularly dangerous. In our paper we explain how we work around all these pitfalls. I now want to briefly discuss efficiency. The main communication bottleneck of our protocol are the two zero knowledge proofs. And even though we haven't seen them in detail at their core both of these protocols only offer a constant soundness error. Therefore driving down the overall soundness error of our protocol requires repeating the zero knowledge proofs multiple times. This increases the communication cost accordingly. Nevertheless the total communication cost of our protocol is under two megabytes. The final thing I want to talk about very briefly is the second construction of oblivious PRFs from group actions. The second construction starts from generalizing to group actions then a or wrangled prf. It uses a commutative group action of a group g on a set s and fixes some initial element s0. The key to the prf is n plus one group elements. Given this key and an n-bit input x we apply the group element from the key selectively according to the input bits of x. This can be shown to be secure under the group action ddh assumption. This prf can then be obliviously evaluated using practically the same protocol as in the group case by combining it with an oblivious transfer. Both the prf and the oblivious transfer can be instantiated using the seaside group action. We can use recent oblivious transfer constructions from seaside that are maliciously secure. To summarize in this work we presented two new oblivious prf constructions from isogenes. The first one is an sidh-based verifiable oblivious prf the communication cost of which is less than two megabytes. The second oprf construction is a generic construction from group actions that can be instantiated for example from seaside. Since commutative group actions admit sub-exponential attacks the asymptotic security of the second construction is worse than that of the first one. However the constants here end up being smaller which results in a lower communication cost. And to finish with a couple of open problems first it would be interesting to try and extend one of these constructions into the threshold setting that would allow splitting the key between more than one server. And finally it would be interesting to improve on the zero knowledge proofs that are used in our sidh-based construction. Such improvements could drastically reduce the communication cost. And with this I'll conclude. Thank you for listening to my talk.