 Ladies and gentlemen, welcome back to the auction. Please, everyone, give a warm welcome to our two bidders from Web3 Foundation, Switzerland, Jeff and from IBM Research, also Switzerland, Luca. Now let's discover today's auction item. Please admire this rare piece of beauty, this unique, totally non-fungible piece of art, a picture of a dog expressing profound statements on life, love and death. Well, actually, just a URL of the points to a place on the internet where someone's storing the JPEG. Marvelous! Luca, Jeff, are you excited to bid on this fantastic masterpiece? Yes! Let me recall the rules. This is a sealed bid auction and, thanks to crypto, you will not have to trust anyone but yourself. Each one of you is going to cryptographically commit to his bid. Later, when I tell you, you are going to open the commitments and we will learn who wins the item. Alright? To start gently, this is a second price auction. The highest bidder wins the item, but he only plays the price of the second highest bid. Do you understand? Marvelous! Jeff, Luca, are you ready? Please show your commitments. Ladies and gentlemen, a round of applause! And now let's open the commitments. Luca, will you please reveal your bid? One million IUCR coins. Wow! That's some bid. Great job, Luca. And now you, Jeff, will you please reveal your bid? Jeff, may we see your bid? No? Ladies and gentlemen, what a shocker! We have the winner! Congratulations, Luca. The pitchers is yours. Please do not forget to pay the million IUCRs before you leave. What do you mean? You don't have them? The auction is invalid? I don't think so, Luca. We also, you, bid one million IUCRs. Congratulations! Jeff? Who's Jeff? Second prize? I don't see any other prize. You are so funny, Luca. Thanks for participating, but now we must go on with the show. Please do not forget to pay the million when you go. Bye-bye! And that, my friends, is what happens when you try and run auctions without a trusted party. Now, this seems to be a difficult problem, Jeff. How do you run an auction if you cannot force the parties to open their commitments? This seems like a problem that may be solved by MPC, maybe? MPC sounds hard, maybe instead of some kind of timed commitment and perhaps instantiated with a time lock puzzle. Uh-huh, time commitments. By this, I guess you mean something like a commitment which, after some time, it opens itself? Yeah, yeah, except that the commitment isn't just going to open itself. Somebody will have to do the opening. Oh, and so this is where you use the time lock puzzles. Can you say a little bit more how you want to construct this? Yeah, so the time lock puzzle, someone constructs a puzzle, a cryptographic puzzle that they believe they have a good idea how long it takes somebody to solve and also where as a process of the construction they understand what the result will be and then they can encrypt to that. Oh, I see. So that would give you a way to encrypt your bit using the solution to the puzzle and then the other participants will need to solve the puzzle in order to decrypt your bit. That sounds very smart. But is this going to scale to many participants? No, not really, because it's the same amount. It means all this work for each participant. Wow, that's a bit crazy if we need to run options with thousands of participants. So what other solutions do we have there? Ideally, if we want this thing to be scalable, we have just one puzzle for everybody. That's interesting. I recently heard about homomorphic time lock puzzles where you have this idea where you have many puzzles and you can, without solving them, combine them homomorphically to a new puzzle which encodes the solution to the homomorphic circuit. So for example, here we could have everyone encrypt the bit inside the puzzle and then we run the maximum circuit on the puzzles homomorphically. What we get in the end is a puzzle which contains the solution to who's the winner of the option. So maybe this could be a solution. Yeah, maybe computing the maximum in a circuit sounds quite expensive. Maybe there's some other way that we can create a puzzle and then extract the key from it later. So you're suggesting something like we want to encrypt to a public key now and extract the secret key later. So this is something that sounds a little bit like identity-based encryption, right? In identity-based encryption what you do is that you can encrypt to an identity and even if the secret key is not there yet eventually the master authority will produce the secret key associated to the identity. Yeah, let's go over what identity-based encryption looks like. So in identity-based encryption you have these four algorithms you have key gen which generates the master public and secret key pair and then you have encryption which runs kind of like normal encryption but where you will encrypt using the master public key pair and the identity you want to encrypt to. And now in order to the crypt you first need to extract the secret key from the identity. So this is the operation that is called extraction that can only be performed if you know the master secret. And then once you have the extracted secret key you can take a ciphertext, the public master key and the extracted secret key and you can get back the message. So if this, so if we can do it if this extract operation is slow and doesn't require any secrets. Huh, that's interesting. So yeah, we would just need a slow extraction and then maybe everything can be public. Cute, we could call this delay encryption. All right, well let's dig into Bonnefranklin IBE because that's one of the simplest ones. Yeah, that's a good starting point indeed. So let me recall, Bonnefranklin needs a pairing-based scheme and so you have these two pairing groups generated by say G1 and G2. Our master key is a usual elitikriff key pair. So you have a secret scalar called M and a public key which is M times G2. And now when you want to encrypt what you're going to do is you're going to play it like a key encapsulation method. So the pairing will produce some secret which are then going to use to do a symmetric encryption. And so what you want to put in the pairing is on the one side the master public key, so M times G2, and on the other side you want to put something that's related to the identity. So what you will do is that you will encode the identity to an elitikriff point and then apply a secret random scalar which is going to be an ephemeral secret and so call this U for example. And then this gives you the symmetric key to use and then you also produce a ciphertext which is going to be the ephemeral U times G2 and this is you are going to send to the decryptor. And now for the encryption you just swap the rules of the secret U and the secret 10 inside the pairing equation. So on one side of the pairing you will put the ciphertext U times G2 and on the other side you need to put M times the identity. So this is something that can only be done by the one who knows the master secret and so the extraction will consist in computing just a scalar multiplication master secret times the identity. So this extraction operation is very very fast which isn't what we want but there is an isogenic based verifiable delay function where the verification equation looks like BLS except that the actual delayed compute the slow delay computation is evaluating a long sequence of isogenes and this replaces the scalar multiplication. That's a very cute idea. So you're using the fact that scalar multiplication are very fast but isogenes you can make very long chains of isogenes which can be as low as you want and which essentially behave a little bit like scalar multiplications particularly are compatible with elliptic curve pairings. So let's see if we put in Boney and Franklin the isogene here instead of the extraction our secret instead of being a scalar will be a long chain of isogenes which is going to be slow. So to derive the master public key you will apply this long sequence of isogenes and the extraction will be again applying the long sequence of isogenes to the identity. Encryption will still be fast because you don't need to apply the isogenes you just use something that was completed a key generation and now all you need to do to make this work is that you just don't make anything secret like the isogenes can be public because you need to just run the evaluation. There is one thing that is somewhat secret the identity of the auction has to be secret or has to come into existence be discovered when the auction starts so the timing of this randomness is important. Hey, these guys apparently just discovered a new primitive and they seem poised to put us auctioneers out of work but so what exactly is this delay encryption primitive? The analogy with IBE runs even deeper than it may seem at first sight. In IBE you have this extraction function which extracts the secret key from an identity and here in delay encryption what you do is just ask this extraction functionality to be sequentially slow. Then all the rest runs exactly like in IBE and you will just have no sequence. Everyone is capable of running the extraction you don't need any master authority to do this. But now if we look deeper into this analogy something interesting appears. IBE is known to of course imply public encryption but also in an interesting way it does imply signatures. The way you sign with IBE is that you encode the message to an identity and then you extract the secret key from this identity and this secret key will be the signature and then to verify you just encrypt and encrypt to this identity. Now you can try and play the same trick with delay encryption and so first of all of course from delay encryption you will get some variants of time lock puzzles the same way that you get public encryption from IBE. But more interestingly you can obtain proof of work from delay encryption the extraction will be the work and the way you verify that work has been done is exactly the same. You will run encryption and encryption to the output of the proof of work. And now if you add one more requirement if you ask the output of extraction to be uniquely determined by the input then in this case what you will get is exactly verifiable delay functions. And so if you apply this transformation to Bonnie and Franklin IBE what you will get are BLS signatures and in an analogous way if you apply this transformation to the delay encryption that these guys just discovered what you will get is the DeFeo, Masson, Petit and Sanso verifiable delay function. So this seems all very nice from a theoretical point of view the pieces seem to fit well together but in practice there is this sequentiality assumption on chains, long chains of small degree isogenous and how do we know that this operation really is sequential? Jeff, what's your take on this? Yeah, so evaluating one of these degree two isogenes in this sequence it means evaluating two degree two polynomials these things can be optimized in relatively well understood ways. There is also optimizing the finite field this is also reasonably well understood so any massive shifts it's believable that this would come from some kind of you know, fairly major breakthrough and of course we actually have to see what people can do in specialized hardware Yeah, and so since you spoke of specialized hardware the first thing that comes to my mind is FPGAs of course so what do you think it would be in FPGA to run one isogen evaluation? So the most similar thing that's happened so far is the Ethereum's effort to do RSA squareings in an RSA group of unknown order which is different from what we're talking about those on FPGAs they get down to 25 nanoseconds ours of course we're with lots of field optimizations and whatever else each multiplication will be much faster than that but maybe 50 nanoseconds we'll have to see. But my understanding is the ring sizes are more or less comparable between RSA and this Yeah, the field here is somewhat smaller but it's 1500 bits but yeah. That's very interesting and so how many like if you are thinking about the 10 nanoseconds something like that how many isogenes you would need to run through in order to get a delay of I don't know one hour for example? So with these kind of guesstimated numbers so far it looks like we're talking 70 billion but remember there's a each of these degree two isogenes it has a feel it shows up and each of these curves is different and this curve parameter so we're talking something like 12 terabytes to store all of these curve parameters so there's another feature of this VDF and of the delay encryption instantiated this way which is that you need to be pulling these curve parameters from memory and that memory bandwidth it could either be good or bad but if it matches with your computation speed once both have been well optimized this is probably good for the VDF because it means an adversary has to break two things instead of just one. Wow! 12 terabytes of storage that's insane so you mean that maybe not the verifier but the evaluator needs to store all these data and every nanoseconds it needs to take out of the memory one field element and bring it to the CPU to do the computation this is an insane amount of bandwidth this is like gigabytes gigabytes per second and these are not the speeds that you can reach with just common hardware so this is a very interesting technological challenge but so we may try and build the best hardware for this but how do we know that NSA doesn't go a hundred times faster so any sort of delay primitive whether it's time lock puzzles or VDF or whatever should have a safety margin a security margin and this is often ignored in a lot of papers which is a real mistake but if you know the evaluator runs at one speed you should assume if you know the honest evaluator runs at one speed or sorry the honest prover runs at one speed then you expect the dishonest prover can possibly run considerably faster ten times faster maybe a hundred times faster and this just needs to be so you have two speeds you have this this big T-speed of the honest evaluator and this little T-speed of the malicious evaluator and their ratio is just a thing you need to bake into the design of the protocol and how confident you are in that ratio really comes out of how you build the hardware ok so if we get back to the auction example this means that if you think that little T is the best the anyone on earth can do like NSA can do you will need to receive the bids before this little T time but then you will need to wait a much longer time big T to know who was the little T has to be little yes so you have whatever your little T your ratio of little T and big T is and then you have to choose little T large enough for the various network back and forth messages that your protocol needs well this is an interesting technological challenge but I hear there is another technological challenge this isogenic based delay functions be them delay encryption or verifiable delay functions they all seem to need a sort of trusted setup don't they yes so you we have this one curve super singular curve with jn variant 1728 which we know about and we don't want this to be one of the endpoints of our vdf because then someone could could compute other isogenes between different curves that would provide shortcuts instead what we need to do is to before setting up the vdf we need to do a random walk in the isogenic graph and find a and find a curve find some other random curve and then forget the walk so that this curve has no known connection to the super singular curve with jn variant 1728 so the problem is really with this special jn variant 1728 curve and maybe with other special jn variants but if I take a random curve then it's fine I can run these protocols and they are assumed to be safe and so really the only difficulty is that the random walk between this special starting point and the random super singularity curve must be kept secret and so this is where the trust lies so maybe we can use the amount of trust needed by doing this in npc maybe like for example what you think of this like you have n participants and so the first participant starts from 1728 and then walks to some new curve then the second participant starts from this new arrival point and does his own random walk and gets to some new reality curve and then so on and so on so in the end if at least one of the participants has been honest and thrown away the information on the path no one should know the path to the beginning right? Yes so the only caveat here is you don't want any of these participants to sort of reset the path back to the super singular curve of jn variant 1728 so they all need to provide a zero knowledge proof that they actually started with the previous guy's curve Aha yeah that's right that's interesting and so what options do we have for zero knowledge proof let me think so we have SIDH kind of proof of knowledge but that first of all I don't think they apply to this case because SIDH curves are not really set up the same way they're not at the same base field they are very special so they're probably not going to be useful then we have seaside style of proofs like seasine sea fish style of proofs but also those they are just limited to curves over the prime field which is not going to be the case here so these things are trying to be post-quantum and we don't need post-quantum here you're right you're right about this so maybe we can exploit the pairing equation which are already exploiting for the delay function and the verifiable delay for the delay encryption excuse me and the verifiable delay function so maybe we can exploit the pairing equation to prove knowledge of a secret work that seems to be that can be much more efficient than every any other proofs we have of course it won't be post-quantum but none of this is post-quantum that seems to be a kind of complete solution to the problem so we may really have a new interest in primitive to explore what do you think? that's a nice and complete solution it seems so we really have a new protocol to explore it seems that as an auctioneer I'm out of work so I may become a cryptographer now well thanks everyone for being with us today and see you at the next delay conference