 Hi, I'm Lior, and I will talk about why generically-speed-in-gap-repeated-squaring gives equivalent to factoring. I will do so by presenting sharp thresholds for all generic ring delay functions. This is joint work with Gil Segev. Ok, so let's start by reviewing what exactly are delay functions. Informally, a cryptographic delay function is a function which is efficiently computable, but only in a manner which is inherently sequential. Concretely, a delay function takes an additional delay parameter, which specifies how long it should take to compute a function. For a delay parameter t, the function should be computable in time polynomial in t. However, it should not be possible to evaluate the function on a randomly chosen input in time less than t, even if we allow for a pre-processing stage and for a polynomial number of parallel processors. One reason for why delay functions are interesting is that they serve as a building block for other very useful cryptographic primitives. A prominent example is that of time-lock puzzles introduced by Rivesh Shamir and Wagner in 96. In our terminology, a time-lock puzzle is a delay function, which allows for fast sampling of input-output pairs whereby fast we mean in time polylogarithmic in the delay parameter t. Another example is the more recent notion of verifiable delay functions, formalized by Bonnetal in 2018. A verifiable delay function, or a VDF for short, is a delay function which allows for fast verification of input-output pairs, possibly giving an additional short proof of their validity. These two refinements of delay functions, time-lock puzzles and VDFs, have many very useful applications. Examples include time-lock encryption, sealed deductions, fair contract signing, publicly verifiable randomness beacons, resource-efficient blockchains, and computational time stamping, and many more applications exist for these useful primitives. Perhaps the simplest example of a delay function is the iterated hashing function. This function is obtained by iteratively applying cryptographic hash function, such as SHA, onto the input. A main advantage of the iterated hashing function is that it enjoys a formal security argument in an idealized model. Concretely, its sequentiality can be proven unconditionally when the hash function age is modeled as a random oracle. The downside of this delay function, however, is that it seems to be understructured to enable extensions to time-lock puzzles or to VDFs. It should be mentioned that asymptotically speaking, it has been suggested to use extremely verifiable computation to enable fast verification. But at least at the moment, this approach doesn't seem to enable any concretely efficient instantiations. Given the fact that iterated hashing seems to be understructured to enable extensions to time-lock puzzles and to VDFs, we wish to have more structured constructions of delay functions which may allow for such extensions. The main candidate that we currently have for a delay function that offers such structure is the repeated squaring function. This function is defined with respect to a group G. Given the delay parameter T and the group element X as input, the output of the function is X raised to the power of 2 to the T. Note that if the group operation is computable in time polynomial in the security parameter lambda, then this function is indeed computable in time T times polylambda by T-repeated squaring. The repeated squaring function indeed offers the sufficient structure needed for time-lock puzzles and for VDFs. It was actually first proposed by Rivetsch-Amerian Wagner as the basis for their time-lock puzzle, and it was recently and elegantly augmented with 16 proofs yielding efficient VDF constructions. The sequentiality of the repeated squaring function is based on the assumption that there are groups in which it is impossible to significantly speed up the function's computation even with pre-processing and with parallel processors. Of course, a necessary condition for this assumption to hold is that the group's order is unknown. The main candidate that we currently have in cryptography for such groups is the family of RSA groups. Additional candidates are the class groups of imaginary quadratic fields, but they are not as well studied cryptographically. It should be emphasized that the sequentiality assumption for repeated squaring in RSA groups is exactly this, an assumption. And prior to this work, there was no formal security argument supporting this assumption as there is for the iterated hashing function. So the main question that we deal with in this work is can we base the sequentiality of repeated squaring in RSA groups to other better established assumptions such as the factoring assumption or the RSA assumption? Our main contribution is answering this question in the affirmative within the generic ring model. Our results are actually more general. We put forth the notion of a sequentiality depth of generic ring functions and proved that it serves as a sharp threshold for the number of sequential ring operations required to compute the function. Concretely, our main theorem states that squaring is hard in the standard model, then for any generic ring function of sequentiality depth d, exactly d sequential ring operations are unnecessary and sufficient in order to generically evaluate the function. That is, the function can be generically evaluated on any input using d sequential ring operations, but on the other hand, the function cannot be generically evaluated on a random input using less than d sequential ring operations even with the pre-processing stage and the polynomial number of parallel processors. Since, as we will see, the repeated squaring function relative to a delay parameter t has sequentiality depth, which is exactly t, an immediate corollary of our theorem is that generically speeding up the repeated squaring function is equivalent to factoring in the standard model. We also have analogous results for the pseudo-randomness of generic ring functions based on our new notion of pseudo-randomness depth. For the specific case of repeated squaring, the two notions, pseudo-randomness depth and sequentiality depth, coincide, and we in fact show that the output of the repeated squaring function on a random input is pseudo-random for generic ring algorithms performing less than t sequential ring operations. The remainder of this talk will follow this outline. First, we will present and discuss the generic ring model in which we prove our results. Then we will define generic ring delay functions and the notion of sequentiality depth. We will then see our main result establishing a sharp threshold on the number of sequential ring operations required to generically evaluate generic ring functions. And finally, we will conclude with some closing remarks and open problems. So let's start by presenting the generic ring model. This model was introduced by Agawal and Maurer, and roughly speaking, it captures algorithms that operate on ring elements, but without exploiting their concrete representation. In essence, this is captured by model and ring operations as oracle queries, and exposing to the algorithm only the qualities among ring elements in the computation. The generic ring model is a special case of Maurer's generic model of computation, and queries within this model are specified by pointing to elements previously seen in the computation. Of course, not all computations are generic. Jaeger and Schwenk proved that generically computing the Jacobi symbols of elements in the ring ZN of integer's model WEN is as hard as factoring, even though this can be computed efficiently in a non-generic manner. Nevertheless, unlike computing Jacobi symbols, the sequentiality of repeated squaring is unbroken generically or otherwise, and as Jaeger and Schwenk themselves point out, the generic ring model still captures a wide variety of practical constructions and cryptanalytic attacks. We will revisit this point at the end of the talk. Let's go ahead and define the generic ring model more formally. A generic computation in this model is associated with a table B of ring elements managed by the oracle. This table is initialized with the additive and the multiplicative identity elements in the ring as its first entries, then followed by the ring elements which the algorithm receives as input. The generic algorithm can then produce two types of queries to the oracle, group operation queries and equality queries. To issue a query, the algorithm specifies the indices of the two elements that it wishes to compare or to which it wants to apply one of the four possible operations, the two ring operations and their inverses. In response to a ring operation query, the oracle computes the result in the ring and places it in the next vacant entry of the table B. In response to an equality query, the oracle simply compares the two corresponding ring elements and answers accordingly. When a generic algorithm wishes to output a ring element, it outputs the index of the corresponding entry of the table B. Note that the model naturally extends to capture parallel computations by allowing algorithms to issue many parallel ring operation queries at once. A special case of generic ring algorithms that we will be interested in is that of straight line programs or SLPs for short. These are deterministic generic ring algorithms which do not issue any equality queries. Each ring element which is computed by a generic ring algorithm, either as an output or as an intermediate value, is obtained from the input elements in a sequence of ring operations and their inverses. Hence, informally, it can be seen as a rational function of the input elements. More formally, to avoid the problem of division by zero, each such ring element is associated with a pair of polynomials where the natural interpretation is that the first polynomial is the numerator of the rational function and the second one is the denominator. Formally, each ring element given to the generic algorithm as input is associated with a different formal variable. Then, the polynomials associated with ring elements that are computed by the algorithm are defined in a recursive manner. The polynomials associated with the result of a ring operation query are obtained using standard rational functions arithmetic from the two pairs of polynomials associated with the ring elements given as arguments to the query. You can see a formal definition on the slide. Observe that using this interpretation, the output of a straight-line program can be seen as a fixed rational function in the input elements. This is in contrast to the general case of generic ring algorithms who compute a rational function which may depend on their randomness and on the equality pattern among ring elements throughout the computation. A work closely related to ours is that of Agarwal and Maurer. They proved that generically computing roots of random elements in RSA groups is equivalent to standard model factoring. There are three main conceptual and technical differences between our work and that of Agarwal and Maurer. First, we prove fine-grained threshold theorems where as Agarwal and Maurer proved an impossibility result which holds for all polynomial generic ring algorithms. Second, our results consider parallel algorithms. This is of no consequence for improving lower bounds for the class of all polyquery algorithms but make sense when considering fine-grained lower bounds as is the case in our work. Finally, we also consider a pseudo-randomness-based security notion in addition to the unpredictability-flavored security notion. Still, as we will later see, in order to prove our results there is a generalization of the main technical lemma of Agarwal and Maurer. Roughly, it states that a polynomial which has many roots in the ring Zn of integers model n can be used to factor n. We will present the lemma in more detail shortly. Let's move on to discuss generic ring delay functions and the notion of sequentiality depth. A generic ring delay function df is a deterministic generic ring algorithm with an input for some parameter k. For simplicity, we assume here that the function's output consists of a single ring element. We also focus here on the specific case where the ring is Zn where n is in RSA models. The sequentiality guarantee of a generic ring delay function is defined via the following security experiment. First, a modulus generation algorithm, mod-gen, is invoked in order to generate the RSA group modulus n. Then, the preprocessing attacker a0 produces some state st and the k-tuple x of ring elements is chosen uniformly at random from Zn. The online attacker a1 receives the state st and the input x and outputs some ring element y' We say that a0 and a1 win in the experiment if this y' is equal to the true output y of df on input x. We say that a generic ring delay function is t-sequential if for every pair a0 and a1 of generic ring algorithms such that a0 makes a polynomial number of queries and a1 consists of at most a polynomial number of parallel processors each of which making at most t-sequential queries The probability that a0 and a1 win in the experiment is negligible in the security parameter λ. Note that the notion of a generic ring delay function can be extended by allowing for explicit inputs and outputs which are not ring elements. Our results easily extend to such functions as well but for simplicity we do not consider such functions in this talk. We are now ready to present our notion of sequentiality depth. Recall that this notion will serve as a threshold for the number of sequential ring operation queries needed in order to compute a generic ring function. So a natural place to start is the number of sequential queries needed in order to quote-unquote trivially evaluate the function while taking into account parallelism and preprocessing. So for example, the repeated squaring function can be trivially evaluated using t-ring operations. This function can be evaluated using t-plus-2 sequential rounds of ring operations using four parallel processors. This function can be evaluated using t-plus-2 sequential queries on two processors but there is an equivalent function which is simply x2 over x3 which can be evaluated using just one query. So we would like the sequentiality depth of this function to be 1. Finally, consider the function 2 to the t times x. This function can be evaluated using log t-plus-1 queries. However, log t of them are independent of the input x and can be performed during a preprocessing stage. So we would like the sequentiality depth of this function to be just 1. So with these examples in mind the idea is the following. We will say that a generic ring function df has sequentiality depth d if there is a generic ring algorithm which, after preprocessing computes a somehow equivalent function in exactly d-sequential queries. We will now formally define the sequentiality depth of straight line functions. The sequentiality depth of a straight line function df is defined via the following experiment. The experiment starts off in a similar manner to the one that we saw a few slides ago. First an RSA model is sampled and then the preprocessing attacker a0 outputs a state st. But then, instead of sampling concrete ring elements as input we look at the output of a1 as a rational function in the input elements. That is, we look at the pair of polynomials p of x and q of x which correspond to the output of a1 as described before. Here we assume that a1 is a straight line program and hence for any fixing of n, t and the state st the output of a1 is a fixed partial functional function in the ring elements which it receives as input. We say that a0 and a1 win if the polynomials p and q are non-trivial and the polynomial p times q prime minus p prime times q is the zero polynomial model when where p prime and q prime are the polynomials which correspond to the output of the function df. Intuitively this last requirement states that a1 computes a function which is equivalent to the one computed by df. Note that since df is a straight line program, for any fixing of n and t, the output of df can indeed be described by the fixed pair of polynomials p prime and q prime. We say that df has sequentiality depth at least d if for every pair a0 and a1 such that a0 makes a polynomial number of queries and a1 makes at most d sequential rounds of ring operation queries on a polynomial number of parallel processors the probability that a0 and a1 win is negligible. In other words, if a1 makes less than d sequential queries it does not compute a function which is trivially equivalent to the one computed by df. We will say that df has sequentiality depth d if its sequentiality depth is at least d but not at least d plus 1. It's not hard to see that if df is a simple enough polynomial then its sequentiality depth is roughly the log of its degree. In particular, the sequentiality depth of repeated squaring with delay parameter t is indeed exactly t. But in general, we leave it as an open question to characterize the sequentiality depth of general multivariate rational functions. Finally, due to time restrictions, you can see the paper for a generalized definition of the sequentiality depth of general generic ring functions and not just straight line programs. So now we can present our main threshold theorem and a rough outline for the proof. So our main theorem is the following let df be a generic ring delay function of sequentiality depth d. Then for any pair g0 and g1 of polynomial time generic ring algorithms such that g1 issues less than d differential rounds of ring operation queries there is a standard model algorithm a with the following guarantee if g0 and g1 win in the sequentiality game of df with non negligible probability that is g1 manages to compute the output of df on a randomly chosen input with non negligible probability then a factors n with probability which is 1 minus epsilon in time which is polynomial in the security parameter and in log 1 over epsilon for every choice of epsilon in other words our theorem means that if there is a generic attacker which computes df in the ring zn with less than d sequential ring operation queries then this attacker can be used to factor n we note that this result is tight since in the paper we also show that assuming that factoring n is hard then df can be computed using d sequential ring operation queries the proof proceeds in several steps first we present a technical lemma which the following steps rely on then we prove the theorem for the simplified case in which the function df is given by a straight line program and the attacker is also a straight line program so it's deterministic and does not make any quality queries and there is no pre-processing stage then in step 2 we discuss how to revise the proof to accommodate it to attackers that do make quality queries we will see these steps in the coming slides what remains is to extend the proof to attackers that use a pre-processing stage and randomization and to arbitrary generic ring delay functions that may also issue equality queries due to time limitations we will not see these final two steps in this talk and you can see the paper for more details our main technical lemma is a generalization of the lemma presented by Agarwal and Mahuil it states that for any straight line program s which receives K-ring elements as input runs in time t issues at most q-sequential ring operation queries on w processors and whose output corresponds to the polynomials p and q such that p is not the zero polynomial and the probability that p of x is zero for a random x is at least mu there is an algorithm a which runs in time polynomial in K, t, q and w and factors n with probability which is at least mu over K squared times q times w note that if s runs in polynomial time and makes a polynomial number of ring operation queries in total and if the fraction of roots of p in z n is non-negligible then a runs in polynomial time and has a non-negligible success probability so as a first step let's consider the case where df is a straight line program of sequentiality depth d and the attacker s is also a straight line program which runs in time t with w parallel processors and issues less than these sequential rounds of ring operation queries we denote the success probability of s by epsilon let's denote by p and q the polynomials which correspond to the output of df and by p prime q prime the ones which correspond to the output of s consider the straight line program s prime whose output can be described as the polynomial p times q prime minus q times p prime we will not see this here but if d, t and w are all polynomials in the security parameter then s prime runs in time which is polynomial in the security parameter as well and also issues a polynomial number of ring operation queries now observe that since s makes less than d sequential ring operation queries and since df has sequentiality depth d then by definition of sequentiality depth it means that the polynomial f computed by s prime which is p times q prime minus q times p prime is not the zero polynomial moreover for any input x on which s is successful in computing f of x it means that the value of the polynomial f at the point x is zero hence by the success probability of s in computing df the probability that f of x is zero for randomly chosen x is at least epsilon this means that by our lemma there is a standard model factor in algorithm a which runs in time which is polynomial in t, w and d and factors n with probability polynomial in epsilon, d, t, and w if all of these parameters are polynomials in the security parameter then a breaks the factoring assumption now let's consider a slightly more general case in which the attacker s can perform equality queries the analysis in this case is based on the observation that there can be essentially two types of equality queries one is so called biased equality queries which are queries that are answered in the same manner for example a query which is answered negatively for almost all inputs is a biased query as we will see biased queries can be compiled out of the attack in some sense the second type of queries is so called balanced queries these are just queries which are not biased as we will see if the attacker issues a balanced query then this query can be used directly to factor n regardless of the success probability in quickly evaluating the delay function now let's consider two cases the first case is that all equality queries issued by the attacker s are biased that is each of them is answered in the same manner for almost all inputs in this case in the reduction we can simply learn the answers to all equality queries by checking them on a random input then we can convert the attacker back to a straight line program by prefixing the answers to all equality queries to be the answers that we got on the random input with high probability these will be consistent with answers on most inputs and hence this will not affect the success probability of the attacker by too much the second case is that the attacker issues at least one balanced equality query let's consider the first balanced query and let's compile out all equality queries preceding it as we did in the first case now this balanced equality query is a query comparing two ring elements and we can look at the pairs of polynomials pq and p'q' corresponding to these elements consider the straight line program s' computing the polynomial p times q' minus p' times q since the equality query is balanced this polynomial is non-trivial and has many roots in zn it is non-trivial since otherwise the equality query would have been answered affirmatively on all inputs and it would not have been balanced it has many roots in zn since otherwise the equality query would have been answered negatively on almost all inputs and again the query would not have been balanced hence we can invoke our technical lemma to derive a successful factoring algorithm let's conclude with some closing remarks and open questions prior to our work there was quite a gap when it came to the repeated squaring assumption on the one hand this was purely an assumption with no security argument supporting it but on the other hand the assumption remained essentially unbroken for decades our work narrows this gap for the natural class of generic attacks even though as we mentioned there are examples for inherently non-generic algorithms our results can be seen as having two main implications on the one hand they direct cryptanalytic efforts to non-generic directions while on the other hand they are a somewhat necessary step in the quest for similar results in less restrictive models one natural direction in this respect is to try and prove similar results in an algebraic ring model extending the algebraic group model recently proposed by Fuchs-Bauer-Kilts and Loss in that regard it should be mentioned that this random work cut Loss and Soo proved an incomparable result to ours showing that within an enhanced algebraic group model speed and gap repeated squaring in the group of quadratic residues Model N, where N is the product of two safe primes is equivalent to factoring N so it's interesting whether this result can be extended to the ring ZN but it does seem that additional techniques are required for that another interesting open problem is what security arguments can be made in support of the sequentiality of other candidate delay functions such as repeated squaring in class groups I saw journey-based candidates and this torque-based VDO function in prime fields ok, let's conclude we presented a sharp threshold for the sequentiality of all functions within the generic ring model we put forth the notion of sequentiality depth and saw that assuming that factoring is hard this notion indeed serves as a sharp threshold for the number of sequential rings required to compute any generic ring function we mentioned analogous results for the pseudo-randomness of generic ring functions and you can see the paper for details so that's all I have for you today and thank you for listening