Hi everyone, welcome to virtual Asiacrypt. I'm Navid and I'll talk about cryptographic group actions and applications. This is joint work with Luca, Hart and Sikhar. As you might have guessed at this point, this talk is going to be on isogeny-based cryptography, but I'm going to try my best to say as little as possible about isogeny-based assumptions. In fact, the main purpose of this work is to provide the railroad for non-isogeny people like me to build cryptographic applications from isogeny-based assumptions. In case you wonder how this is possible, bear with me for 20 minutes or so, and you will see how easily you can build cryptographic applications from isogeny-based assumptions. This talk is divided into three parts: motivation, abstractions and applications.

Speaking about cryptographic assumptions, we have a variety of concrete assumptions to build cryptographic primitives. On one side, we have group-based assumptions such as discrete log and the decisional Diffie-Hellman assumption, or DDH, which have been used to construct primitives ranging from collision-resistant hash functions to hash-proof systems. In the middle, we have factoring-related assumptions, such as RSA, which is widely used for secure data transmission. On the right, we see code-based or lattice-based assumptions, such as learning with errors or LWE, which implies powerful cryptographic applications such as leveled fully homomorphic encryption. A relatively recent yet important family of assumptions are isogeny-based assumptions, which have been used to construct candidate post-quantum cryptosystems with some desirable features such as relatively small key size. However, these assumptions have not been extensively explored in terms of cryptographic applications. From mainstream cryptographic assumptions such as DDH and LWE, it's been known how to build a variety of cryptographic applications.
For instance, we know how to construct trapdoor functions or identity-based encryption from these assumptions. On top of that, we know how to build slightly less known primitives such as private information retrieval or circular-secure encryption schemes from DDH or LWE. Even further, we have a construction of a relatively strong oblivious transfer protocol, namely statistically sender-private OT, from these assumptions. Unfortunately, none of these primitives is known from isogeny-based assumptions. A higher-level question that one may ask is, why should we care about isogeny-based assumptions and their cryptographic implications? First of all, these assumptions have apparent resistance against quantum algorithms. In fact, one of the third-round NIST post-quantum candidates is an isogeny-based scheme. Secondly, we have a limited set of candidate post-quantum assumptions, and so if for some reason one or more candidate assumptions cannot be used to design cryptosystems, we may rely on isogeny-based assumptions. Another reason to care about isogeny-based assumptions is that they may allow us to build powerful cryptographic applications, in particular because the power of these assumptions from a cryptographic standpoint has not been thoroughly explored. Okay, that's cool. We have many reasons to build isogeny-based crypto applications, and there are plenty of primitives that have not been constructed from these assumptions. So let's get ready to do isogeny-based crypto. Unfortunately, doing isogeny-based crypto is not easy. In a paper published in 2018, Galbraith and Vercauteren pointed out some difficulties of doing isogeny-based crypto, and I'm going to mention a couple of them. First of all, unlike most of the other concrete cryptographic assumptions, significant math background is needed to fully comprehend isogeny-based assumptions.
In addition, unlike lattices, isogenies are not very expressive, and for certain isogeny-based assumptions, we do not even have a good representation for set or group elements. Now the question is, given these difficulties, can we hope for easier ways to do isogeny-based crypto? If we take a look at the history of cryptographic assumptions, pairings have had a kind of similar situation. For instance, bilinear maps became popular in crypto, in part because they allowed the realization of cryptographic primitives while being presented in a generic and easy-to-use manner. In addition, they abstracted out the mathematical details underlying the Weil or Tate pairing. Therefore, the question that we're going to answer in the context of isogeny-based crypto is: is there any simple abstraction for some isogeny-based assumptions? We positively answer this question by providing an abstract framework that captures a well-known, relatively recent isogeny-based assumption called CSIDH and its derivatives. In short, we did some exploration and we found a starfish at the seaside. Specifically, we propose a framework based on hard group actions which provides new abstractions to capture limitations of some isogeny-based assumptions. These cryptographic group actions can be based on CSIDH or its derivatives such as CSI-FiSh. On the application level, we show new exciting cryptographic applications from isogeny-based assumptions. It should be noted that this framework assumes virtually no background on CSIDH or any specific isogeny-based assumption. Let me first recall a couple of mathematical definitions. Given a group G and a set X, we say that G acts on X if there's a function from G times X to X with two properties. The first property is that the identity element of the group should map every set element x to itself. The second property is that for any two group elements g and h, the action of gh on x should be equal to the action of g on h * x.
Basically, in a group action, each group element determines a bijection from X to itself. To see a simple example of a group action, let H be a prime-order group of order p with generator h. And let Z_p^* be the multiplicative group modulo p. Consider the group action * where Z_p^* acts on H as follows. Given an element z of Z_p^* and an element h of the group H, z * h maps h to h^z. So Z_p^* acts on H by simple exponentiation. For this action, Z_p^* is the group of the action and H is the set of the action, although H itself is a group. Next, let me define a useful property for group actions, which is regularity. Given a group action where G acts on X, we say that the action is regular if for any two set elements x and x', there is a unique group element g that maps x to x'. Regularity in a group action implies desirable properties. First, if a group action is regular and the group is finite, then the sizes of G and X are equal. So both have the same number of elements. In addition, for a regular group action, if we sample a uniformly chosen group element g, then the action of g on any x is uniformly distributed. Hereafter, unless I state otherwise, we assume that all group actions are abelian and regular. Now I'm going to define an abstraction called effective group action, which we will use for our framework. In a nutshell, an effective group action is a group action with some algorithmic properties. We say that a group action is effective if we have efficient algorithms for the following. For the group G, we require efficient membership and equality testing, along with polynomial-time algorithms for sampling uniformly from the group. In addition, the group operation and inversion should be efficiently computable. For the set X, we require efficient membership testing and unique representation. And finally, in an effective group action, evaluating the action g * x should be efficiently computable for any pair g and x.
What we are going to do next is to augment this abstraction with some cryptographic property, such as one-wayness or weak pseudorandomness. Let's start with one-wayness. An effective group action is one-way if no attacker can find g, given access to the pair x and g * x, where g is a randomly chosen group element. Recall that the action is regular, and there will be only one group element that maps x to y. Let's see a simple example of a one-way effective group action. Let H be a group of order p with generator h. If discrete log holds over the group H, then the action that we saw earlier, defined by exponentiation, is a one-way effective group action. In other words, given the generator h and the action of a random z on h, no attacker can find z. It is worth mentioning that here, the set of the action is a group, and thus one-wayness does not hold against quantum algorithms. In a similar fashion, we can also augment an effective group action with weak pseudorandomness. We define a weak pseudorandom EGA as follows. An EGA is a weak pseudorandom EGA if no attacker can distinguish samples of the form (x_i, g * x_i) from samples of the form (x_i, y_i), where the x_i's are chosen uniformly from the set, g is chosen uniformly from the group and is hidden from the adversary, and the y_i's are also uniformly chosen from the set X. Again, to see a simple example, let H be a group of order p. If the DDH assumption holds over the group H, then the action defined by exponentiation is a weak pseudorandom EGA. In other words, the h_i's and the action of z on the h_i's are computationally indistinguishable from random pairs. The second example is more important and is central to our work. Let me briefly mention that CSIDH is a recent isogeny-based assumption that was introduced by Castryck et al. at Asiacrypt 2018. A variant of the CSIDH assumption plausibly implies a weak pseudorandom EGA.
As I promised before, I'm not going to cover details of the assumption, but what is important to keep in mind is that a variant of CSIDH implies a weak pseudorandom EGA. For some of you who are familiar, CSI-FiSh is basically a variant of CSIDH in which the group structure is known. Okay, we saw the definition of a weak pseudorandom EGA and we saw two examples, one based on the DDH assumption and one based on a variant of CSIDH. A natural question is, can we immediately translate DDH-based cryptographic applications to isogeny-based constructions just by replacing the exponentiation with the action that comes from the isogeny-based assumption? The answer is usually no. For an isogeny-based action, we don't have a meaningful multiplication of two set elements x and x', whereas in the DDH-based action, one can easily compute the product of h and h' for any two elements in the group H. This multiplication is crucial for many DDH-based crypto applications. To know more on this, you can take a look at some great slides prepared by Steven Galbraith on similarities and differences between Diffie-Hellman and isogeny crypto. Going back to CSIDH, there is a variant of this assumption in which the group structure is not known, and hence this variant cannot be modeled as an effective group action. To overcome this issue, we introduce another abstraction called restricted effective group action, or REGA, which satisfies some of the axioms of an EGA. As an instance, evaluating the action may not be possible for any given pair g and x. One can also augment this abstraction with cryptographic properties such as one-wayness or weak pseudorandomness. To keep this talk simple, I will not cover the details of a restricted EGA, but the main takeaway is that there are basically two variants of CSIDH, one with known group structure which plausibly implies a weak pseudorandom EGA and one with unknown group structure which plausibly implies a weak pseudorandom restricted EGA.
Hereafter, I will be focusing on the applications of EGA. In this slide, we see an overview of our results. We show that a weak pseudorandom EGA implies many powerful primitives, such as hash-proof systems, dual-mode public-key encryption, and statistically sender-private oblivious transfer protocols, which were not previously known from isogeny-based assumptions. From these new implications, we can construct a CCA-secure encryption scheme in the standard model and a round-optimal oblivious transfer in the CRS model, which were not known from isogeny-based assumptions. We also introduce a new assumption called the linear hidden shift assumption that plausibly holds over some group actions, and it enables us to realize symmetric encryption schemes that are secure with respect to encryptions of functions of the secret key. This primitive enables us to realize many other primitives such as designated-verifier NIZK. For the rest of this presentation, I will talk about the implications that are colored blue. First, we see how to realize an SSP-OT from a weak pseudorandom EGA. Let me recall the definition of SSP-OT. An SSP-OT is a protocol between two parties, sender and receiver. The sender has two messages, M0 and M1, and the receiver has a bit beta. In the first part of the protocol, the receiver sends a message OTR depending on its own bit, and it also saves a private state ST. In the next step, the sender responds with a message that we call OTS. At the end of the protocol, we require that the receiver should be able to recover the message M_beta using OTS and its own private state ST. There are two security requirements for an SSP-OT. The first requirement is receiver's privacy, which says that the message from the receiver when the bit beta is zero should be computationally indistinguishable from the message of the receiver when the bit is one.
The second requirement is sender's privacy, which says that at least one of M0 or M1 should be statistically hidden for any maliciously chosen message from the receiver. Before going into the construction, let me define a couple of terms that I'm going to use. For a tuple of four set elements, x0, x1, y0, y1, if the discrete log of y0 with respect to x0 is equal to the discrete log of y1 with respect to x1, I'm going to call this a DDH tuple. Therefore, in a DDH tuple, the same group element maps x0 to y0 and x1 to y1. Next, we define a simple hash function based on the one-wayness of an EGA. The public parameters for the hash function are two uniformly chosen set elements x0 and x1. The hash function takes a group element g and a single bit b as its input, and it outputs the action of g on x_b. Because the action is regular, this is a two-to-one function. In addition, a collision for this function would reveal the discrete log of x1 with respect to x0. Therefore, H is a two-to-one hash function. We can extend this hash function further by applying the group action component-wise. If x0, x1 is a pair of group elements, I use x_b, for a vector b, to denote a vector whose i-th component is x_{b_i}. Based on this notation, consider the following extended hash function, which takes a vector of group elements and a vector of bits as its input, and outputs the action of the vector g on the vector x_b component-wise. A similar argument to the previous case implies that H is a two-to-one hash function. Based on this hash function, we can construct a public-key encryption with some extra properties from any weak pseudorandom EGA. I'll mention these properties, but I'm not going to cover the details of the construction of the public-key encryption. This encryption scheme with some extra properties will be crucial for the construction of SSP-OT. The first property is that all public keys, including maliciously chosen ones, live in X^4.
In addition, if a public key PK is a DDH tuple, we can recover M given an encryption of M under PK. On the other hand, if a public key PK is not a DDH tuple, even a computationally unbounded attacker should not be able to recover M given an encryption of M under PK. Therefore, an encryption of M under public key PK information-theoretically hides M when PK is not a DDH tuple. Given a public-key encryption with the aforementioned properties, I'm going to describe a construction of a two-message SSP-OT protocol. This construction basically follows the blueprint of the DDH-based protocol from Naor and Pinkas. Back to our setting, the receiver has a bit beta and the sender has two messages M0 and M1. The receiver first samples two set elements X0 and X1. It then samples a group element S and sets Y to be S * X0. It also sets Z_beta as S * X_beta. Next, the receiver sets Z_{1-beta} as U * X_{1-beta}, where U is a uniformly chosen group element. It finally sends the tuple containing X0, X1, Y, Z0 and Z1 to the sender. Looking ahead, if beta is 0, the first four components form a DDH tuple. Otherwise, the first three along with the last component form a DDH tuple. On the other side, the sender first checks whether Z0 is equal to Z1, and if so, it aborts the protocol. Later, we'll see why this check is necessary. The sender creates two public keys based on the receiver's message. It sets PK0 as the first four components of the receiver's message, and it sets PK1 as the first three components plus the last one. The sender then encrypts M0 under PK0 and M1 under PK1. Finally, it sends these two ciphertexts C0 and C1 to the receiver. The receiver can recover the message by applying the decryption algorithm on C_beta. The correctness of the scheme is easy to verify. So if beta is 0, then PK0 is a DDH tuple and the receiver can recover M0. Likewise, if beta is 1, then PK1 is a DDH tuple and M1 can be decoded by the receiver.
Now let's take a look at why this protocol satisfies the security requirements. The receiver's privacy follows from a simple hybrid argument. The message from the receiver in either of the cases is computationally indistinguishable from random based on the weak pseudorandomness of the action, and hence the protocol satisfies the receiver's privacy. The sender's privacy can be argued using the properties that we have for the public-key encryption. Let X0, X1, Y, Z0 and Z1 be an arbitrary message from the receiver. First, observe that if both of the public keys created by the sender are DDH tuples, then Z0 is going to be equal to Z1, and we know that by construction the sender aborts when this happens. By the contrapositive, if Z0 and Z1 are not equal, then for at least one beta we know that PK_beta is not a DDH tuple. And in this case, by the property of the public-key encryption that I mentioned before, we know that the message M_beta is information-theoretically hidden. That concludes the construction of SSP-OT from any weak pseudorandom EGA. For the remaining part, I'll talk about an assumption that plausibly holds over some group actions. As we saw before, usually the set X does not have a group structure, and so a weak pseudorandom EGA does not seem to be very amenable to some advanced cryptographic constructions, such as circular- or KDM-secure encryption schemes, which concern encryptions of a function of the secret key. So we introduce an assumption that enables us to realize some new cryptographic applications, such as circular security. As before, let * be an effective group action where G acts on X, and let n be a parameter that is larger than log of the size of G. In addition, I'm going to use this dot product notation to denote the subset sum over group elements, although we do not necessarily have an inner product space. First, I'm going to define the search LHS problem.
Informally, the search LHS problem asks for finding a binary vector s, given polynomially many samples of the following form. In each sample, we are given a random vector g_i, a random set element x_i, and the action of g_i . s on x_i. In a compact notation, if we put these vectors of group elements in a matrix called G, the search LHS problem asks for finding s, given G, x, and the action of Gs on x, where G is a possibly tall matrix of group elements, and x is a vector of set elements. Now let's see a few observations regarding the search LHS problem. First of all, if there is no action, the secret s can be found by a quantum algorithm. We can generate an explicit representation of the group G by a generalized Shor's algorithm, and then we can use the resulting representation to solve a linear system of equations. Therefore, if * is not one-way, LHS can be broken using a quantum algorithm. As some of you might notice, the LHS assumption is similar to LWE, except that we use the group action instead of noise to computationally hide the secret. As a final point, let me emphasize that unlike LWE, we cannot combine components of Gs * x, because X may not be a group. Next, we have the decision version of the LHS assumption. Informally, the decision version of the LHS assumption states that G, x, and Gs * x are computationally indistinguishable from random elements. An interesting property of the LHS problem is that it has a search-to-decision reduction, which means that given a distinguisher against the decision problem, we can find the binary vector s. The reduction is inspired by the search-to-decision reduction of Impagliazzo and Naor for knapsack functions. Finally, as we saw in the overview, the LHS assumption can be used to construct a symmetric KDM-secure scheme, which in conjunction with PKE implies other primitives, such as designated-verifier NIZK. The construction follows the blueprint of the DDH-based scheme of Boneh et al. from 2008.
I conclude the talk with a few interesting open problems. The first problem is to construct abstractions for other isogeny-based assumptions, such as SIDH and SIKE. Another interesting problem is to construct further cryptographic applications from a weak pseudorandom EGA, which in turn would imply new primitives from isogeny-based assumptions. The remaining two problems are related to the LHS assumption. The first one is to construct public-key encryption from the LHS assumption. Intuitively, the lack of a structure to combine set elements seems to be a barrier for building public-key encryption, so it's likely that we need new techniques to realize public-key encryption from LHS. The final problem is to investigate the security of the LHS problem, both in terms of generic and concrete attacks. I encourage you to read the full paper, which is on ePrint, and thanks for your attention.
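A toy Python model of the abstractions from the talk, added here as an example and not part of the talk or of the paper's code: the exponentiation EGA, the two-to-one hash H_{x0,x1}(g, b) = g * x_b, the DDH-tuple test, the receiver's OT message and the sender's Z0 != Z1 check. It assumes tiny constructed parameters (P = 23, Q = 11) and builds the receiver's message so that PK_beta is a DDH tuple under the talk's definition (z_beta = s * x1, an assumed indexing); the exponentiation action is the talk's classical example and is not post-quantum.

```python
# Constructed toy model (not the paper's code) of the talk's abstractions:
# an EGA given by exponentiation, the two-to-one hash H_{x0,x1}(g, b) = g * x_b,
# DDH tuples, and the receiver message / sender check of the SSP-OT protocol.
# The action is the classical DDH-style example from the talk: NOT post-quantum.
import secrets

P, Q = 23, 11   # constructed toy parameters: P = 2Q + 1, both prime
GEN = 4         # generator of the order-Q subgroup of Z_P^* (the quadratic residues)

# Group of the action: Z_Q^* = {1, ..., Q-1} under multiplication mod Q.
# Set of the action: the Q-1 non-identity elements of the order-Q subgroup.
# z * x = x^z is regular on that set: a unique z maps any x to any x'.
def act(z, x):
    return pow(x, z, P)

def gmul(a, b):
    return (a * b) % Q

def sample_group():
    return secrets.randbelow(Q - 1) + 1

def sample_set():
    return act(sample_group(), GEN)

def is_ddh_tuple(x0, x1, y0, y1):
    """DDH tuple: one group element maps x0 -> y0 and x1 -> y1.
    Brute force over the toy group; for real parameters this is the
    one-wayness problem, which is exactly what the sender relies on."""
    return any(act(z, x0) == y0 and act(z, x1) == y1 for z in range(1, Q))

def two_to_one_hash(x0, x1, g, b):
    """H_{x0,x1}(g, b) = g * x_b, keyed by two set elements."""
    return act(g, (x0, x1)[b])

def preimages(x0, x1, y):
    """All (g, b) with H_{x0,x1}(g, b) == y; regularity gives exactly two."""
    return [(g, b) for g in range(1, Q) for b in (0, 1)
            if two_to_one_hash(x0, x1, g, b) == y]

def receiver_message(beta):
    """Receiver's first OT message for choice bit beta, plus its private state s.
    z_beta = s * x1 makes pk_beta = (x0, x1, y, z_beta) a DDH tuple (assumed
    indexing); z_{1-beta} = u * x1 with a fresh u makes the other key non-DDH."""
    x0, x1 = sample_set(), sample_set()
    s, u = sample_group(), sample_group()
    while u == s:             # only needed because the toy group has 10 elements
        u = sample_group()
    y = act(s, x0)
    z = [None, None]
    z[beta], z[1 - beta] = act(s, x1), act(u, x1)
    return (x0, x1, y, z[0], z[1]), s

def sender_public_keys(msg):
    """Sender side: abort when z0 == z1, else build pk0 and pk1 from the message.
    If both keys were DDH tuples, the unique s with y = s * x0 would force
    z0 = s * x1 = z1, so passing this check guarantees one non-DDH key."""
    x0, x1, y, z0, z1 = msg
    if z0 == z1:
        return None
    return (x0, x1, y, z0), (x0, x1, y, z1)

def ddh_flags(msg):
    """Which of the sender's two public keys is a DDH tuple (None on abort)."""
    keys = sender_public_keys(msg)
    return None if keys is None else tuple(is_ddh_tuple(*pk) for pk in keys)
```

With real parameters `is_ddh_tuple` and `preimages` are infeasible; they exist here only so the toy can check the regularity and abort arguments the talk relies on.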