OPRFs from Isogenies: Designs and Analysis

Lena Heimberger (Graz University of Technology, Graz, Austria; lena.heimberger@iaik.tugraz.at)
Tobias Hennerbichler (Graz University of Technology, Graz, Austria)
Fredrik Meisingseth (Graz University of Technology and Know-Center, Graz, Austria)
Sebastian Ramacher (AIT Austrian Institute of Technology, Vienna, Austria)
Christian Rechberger (Graz University of Technology, Graz, Austria)
ABSTRACT

Oblivious Pseudorandom Functions (OPRFs) are an elementary building block in cryptographic and privacy-preserving applications. While there are numerous pre-quantum secure OPRF constructions, it is unclear which of the proposed options for post-quantum secure constructions are practical for modern-day applications. In this work, we focus on isogeny group actions, as the associated low bandwidth leads to efficient constructions. We introduce OPUS, a novel Naor-Reingold-based OPRF from isogenies without oblivious transfer, and show efficient evaluations of the Naor-Reingold PRF using CSIDH and CSI-FiSh. Additionally, we analyze a previous proposal of a CSIDH-based OPRF and show that the straightforward instantiation of the protocol leaks the server's private key. As a result, we propose mitigations to address those shortcomings, which require additional hardness assumptions. Our results report a very competitive protocol when combined with lattices for Oblivious Transfer.

Our evaluation shows that OPUS and the repaired, generic construction are competitive with other proposals in terms of runtime efficiency and communication size. More concretely, OPUS achieves almost two orders of magnitude less communication overhead compared to the next-best lattice-based OPRF at the cost of higher latency and higher computational cost, and the repaired construction. Finally, we demonstrate the efficiency of OPUS and the generic NR-OT in two use cases: first, we instantiate OPAQUE, a protocol for asymmetric authenticated key exchange. Compared to classical elliptic curve cryptography, which is considered insecure in the presence of efficient quantum computers, this results in less than 100× longer computation on average and around 1000× more communication overhead. Second, we perform an unbalanced private set intersection and show that the communication overhead can be roughly the same when using isogenies or elliptic curves, at the cost of much higher runtime. Conversely, for sets of the size 2^10, we report a runtime around 200× slower than the elliptic curve PSI. This concretizes the overhead of performing PSI and using OPAQUE with isogenies for the first time.

CCS CONCEPTS

• Security and privacy → Public key (asymmetric) techniques.

KEYWORDS

Oblivious Pseudorandom Function, CSIDH, Isogenies, OPAQUE, Private Set Intersection, OPUS

ACM Reference Format:
Lena Heimberger, Tobias Hennerbichler, Fredrik Meisingseth, Sebastian Ramacher, and Christian Rechberger. 2024. OPRFs from Isogenies: Designs and Analysis. In ACM Asia Conference on Computer and Communications Security (ASIA CCS 24), July 15, 2024, Singapore, Singapore. ACM, New York, NY, USA, 14 pages. https://doi.org/10.1145/3634737.3645010

1 INTRODUCTION

Cloud computing, authenticated key exchange and secure data sharing are ubiquitous in modern-day computation. All of these high-level applications may use Oblivious Pseudorandom Functions (OPRFs) as an underlying building block to strengthen security and guarantee privacy. Informally, OPRFs take input from a client and a key from a server, then return a pseudorandom output to the client. The OPRF is secure when the client learns nothing about the key, and the server learns nothing about the output or the client input. This basic functionality gives rise to various applications.

For example, consider password authentication: To prove the knowledge of a pre-registered password, the client transmits their password, ideally in a salted and hashed form. The server checks the transmitted password against a stored record and authenticates the client if the record matches the password. However, passwords notoriously lack entropy and may be recovered from a server record in the event of a breach. In addition, this ideal setting is not always the case, as attacks leaking cleartext passwords are still common. For example, PwnedPasswords [Hun] consolidates breaches of passwords and finds over 90 matches when searching for plain text breaches. This attack vector can be mitigated by never storing passwords on a server in the first place. A great example of a protocol solving the password storage problem is OPAQUE, an asymmetric password-authenticated key agreement protocol for which standardization efforts are ongoing at the CFRG [DFHSW22].

Use cases of OPRFs expand beyond passwords and include private set intersection (PSI), where two parties with respective datasets wish to compute the overlapping elements in both sets without revealing their non-shared elements. This can be used for private contact discovery [KRS+19] to protect the highly sensitive social graph of messenger app users from ever being uploaded to a server.

This work is licensed under a Creative Commons Attribution International 4.0 License.
ASIA CCS 24, July 15, 2024, Singapore, Singapore
© 2024 Copyright held by the owner/author(s).
ACM ISBN 979-8-4007-0482-6/24/07.
https://doi.org/10.1145/3634737.3645010
While there is a variety of sound and efficient constructions for OPRFs from classical primitives, efficient and secure OPRFs from post-quantum hardness assumptions remain an open question. An interesting primitive for quantum-resistant OPRFs are isogenies, which have small communication complexity but suffer from slow runtimes. Until now, there was only one OPRF based on CSIDH [BKW20]. We show that the naïve approach to the implementation is not sufficient, and subsequently propose a fix using uniform sampling for the keys as used in the signature scheme CSI-FiSh [BKV19]. We combine the OPRF with a lattice-based Oblivious Transfer protocol to achieve a relatively fast construction that computes the OPRF in under 100 ms online time. Of independent interest, we report that the Naor-Reingold PRF is nearly constant-time with respect to the input length when using the lattice reductions of CSI-FiSh. Based on the work on this OPRF, we introduce OPUS, a novel construction that only uses CSIDH operations. It efficiently computes the Naor-Reingold OPRF while only using 60% of the group actions of the previous proposal, without needing a trusted setup. Furthermore, we present the first post-quantum implementation of OPAQUE using two isogeny-based OPRFs. In addition, we implement and evaluate private set intersection with both OPRFs.

2 PRELIMINARIES

We recall (Oblivious) Pseudorandom Functions.

Definition 1 (Pseudorandom Function). A pseudorandom function (PRF) [GGM84, GGM86] is a deterministic and polynomial time function $F : \{0,1\}^k \times \{0,1\}^x \to \{0,1\}^n$ such that there is no probabilistic polynomial-time algorithm to distinguish any output $N$ from a randomly chosen element of $\{0,1\}^n$.

Definition 2 (Oblivious Pseudorandom Function). An oblivious pseudorandom function (OPRF) [FIPR05] is a protocol between two parties. One party holds the secret key $K$ and the other holds their secret input $X$. The OPRF privately realizes the joint computation outputting $F(K, X)$ for a PRF $F$ to the party holding $X$, and nothing to the party holding $K$.

2.1 CSIDH

CSIDH [CLM+18] was originally proposed as a quantum-safe replacement for Diffie-Hellman key exchanges. It builds on the ideas of Couveignes [Cou06] and Rostovtsev-Stolbunov [RS06] (CRS), but restricts the isogeny graph to supersingular curves over $\mathbb{F}_p$. Here $p$ is a prime of the form $p = 4 \prod_{i=1}^{n} \ell_i - 1$ with $p \equiv 3 \bmod 4$. For $\pi = \sqrt{-p}$ and $\mathcal{O} = \mathbb{Z}[\pi]$, each $\ell_i$ splits the endomorphism ring $\mathcal{O}$ into $\mathfrak{l}_i$ isogenies with degree $\ell_i$. The isogeny $\phi : E \to E'$ is a map from an elliptic curve $E$ to another curve $E'$ that preserves the point at infinity and the algebraic structure [Sil86]. Hence, both curves have the same number of rational points. The isogeny is unique up to isomorphism. It is computed using Vélu's formula [Vél71]. The heart of CSIDH is the group action $\star$, which iteratively computes the $\ell_i$-isogenies. It acts on the set of elliptic curves $\mathcal{E}_p(\mathcal{O}, \pi)$, denoted as $\mathcal{E}$. To ensure the group action is efficient, each $\ell_i$ is required to be a small, distinct, odd prime.

2.1.1 Private Key and Public Key. The ideal class group $Cl(\mathcal{O})$ acts freely and transitively on $\mathcal{E}$. The element $\{\mathfrak{l}_1^{e_1} \cdots \mathfrak{l}_k^{e_k}\}$ of $Cl(\mathcal{O})$ is represented in CSIDH as the private exponent vector. This array of $k$ elements $(e_1, \ldots, e_k)$ forms the private key, whereas a single element of the vector is called a key coefficient. Each key coefficient $e_i$ is a random element in the range $[-m, m]$. $m$ is a bound obtained from the parameter generation to store approximately $\frac{\log p}{2}$ bits. The sign of the key coefficient describes the direction of the walk: walking $e$ steps from some point and then $-e$ steps results in returning to the starting point. This is a result of the dual isogeny theorem, which states that for each isogeny $E \to E'$, a corresponding isogeny $E' \to E$ exists. The dual isogeny can be directly used to invert the key: negating each key coefficient $e_i \mapsto -e_i$ results in the inversion of $k$, which we will denote as $k^{-1}$. It is also possible to add two private keys, where their respective coefficient vectors are added, which we will denote as $k + l$, with $k$ and $l$ being CSIDH private keys. Following the notation in [LGD21], we use $\mathbf{s} \star E$ as shorthand to denote the class group action between $\mathfrak{s} = \{\mathfrak{l}_1^{s_1} \cdots \mathfrak{l}_k^{s_k}\}$ and $E$ using the vector $\mathbf{s} = (s_1, \ldots, s_k)$.

The corresponding CSIDH public key is the Montgomery coefficient $A \in \mathbb{F}_p$ of the supersingular curve $E : v^2 = u^3 + Au^2 + u$, deterministically obtained by repeatedly applying the private key to the base curve $E_0 : v^2 = u^3 + 0 \cdot u^2 + u$. Of $p$ possible public keys, approximately $\sqrt{p}$ of those keys are valid, meaning that they describe supersingular curves.

2.1.2 Computational Assumptions. For the security proof, we recall the key recovery problem [CLM+18, Problem 10] for CSIDH.

Problem 1 (Key Recovery Problem). Given the two different supersingular curves $E, E' \in \mathcal{E}$, find an $\mathbf{s} \in Cl(\mathcal{O})$ such that $\mathbf{s} \star E = E'$.

[LGD21] give a useful lemma showing that sampling elements of the class group $Cl(\mathcal{O})$ is statistically close to uniform, which follows directly from Problem 1.

Lemma 1 (Computational Hiding in CSIDH). Given a curve $E \in \mathcal{E}$ and a distribution $D$ on $Cl(\mathcal{O})$, let $D_E$ be the distribution on $\mathcal{E}$ of $a \star E$ for $a \xleftarrow{\$} D$. If $D$ is statistically indistinguishable from the uniform distribution on $Cl(\mathcal{O})$, $D_E$ is statistically indistinguishable from the uniform distribution on $\mathcal{E}$. Therefore, we say that $D$ statistically hides $E$.

We recall the computational CSIDH problem from [CLM+18].

Problem 2 (Computational CSIDH Problem). Given curves $E \in \mathcal{E}$, $\mathbf{r} \star E \in \mathcal{E}$, and $\mathbf{s} \star E \in \mathcal{E}$ where $\mathbf{r}, \mathbf{s} \in Cl(\mathcal{O})$, find $E' \in \mathcal{E}$ such that $E' = \mathbf{r} \star \mathbf{s} \star E$.

Finally, we recall the decisional CSIDH problem from [EKP20]:

Problem 3 (Decisional CSIDH Problem). Given the set of curves $\mathcal{E}$ and the ideal class group $Cl(\mathcal{O})$, the decisional CSIDH (D-CSIDH) problem asks to distinguish between the following two distributions:
• $(E, H, a \star E, a \star H)$ with $E, H \xleftarrow{\$} \mathcal{E}$ and $a \xleftarrow{\$} Cl(\mathcal{O})$.
• $(E, H, E', H')$ where $E, H, E', H' \xleftarrow{\$} \mathcal{E}$.
If for all PPT adversaries $\mathcal{A}$, the advantage in distinguishing the two distributions is negligible, we say that the C-CSIDH assumption holds.

2.1.3 Parameterization and Security. The size of the prime $p$ denotes the security parameter of CSIDH. There is heavy disagreement in the literature on the secure parameterization of CSIDH
[BLMP19, BS20, Pei20], as several theoretical and concrete quantum attacks with subexponential complexity dispute that a prime $p$ which is 512 bits long is sufficient for security. Related work on OPRFs [BKW20] recommends using 2260-bit prime numbers for aggressive parameterization and 5280-bit primes for a conservative instantiation based on analysis of these algorithms. Recent work analyzing and implementing CSIDH with bigger primes concludes that a bitlength of at least 2048 bits, up to 9216 bits, is necessary [CSCJR22].

For best comparability with other implementations, we use the 512-bit reference implementation of CSIDH throughout this paper, but point out that the prime length may not be sufficient. An additional benefit of this implementation is the use of hardware instructions, which speed up the computation.

2.2 CSI-FiSh

Building on CSIDH, the signature scheme CSI-FiSh introduces a uniform representation of the class group elements. In their paper, this is necessary for the Fiat-Shamir transformation to obtain a signature scheme, but the use cases stretch beyond signatures. Intuitively, increasing the bound $m$ of the key coefficient comes closer to sampling uniformly over the class group. To sample fully uniform keys, CSI-FiSh computes the class number and class group structure and reduces the key after the arithmetic operation to avoid leakage. Due to the different distribution of the class group ideals, the group action is around 15% slower.

2.3 The Naor-Reingold Pseudorandom Function (NR-PRF)

The Naor-Reingold PRF [NR04] is a generic construction for PRFs from Abelian group actions that is widely used in the literature and practice. The PRF requires $n + 1$ group elements, or keys, for $n$ bits of PRF input. To compute the PRF, we take the initial group element $k_0$. For each input bit $x_i$ for $i \in [1, n]$, a group action is performed if the $i$-th bit $x_i$ is set. For a group action denoted as $\circ$, the Naor-Reingold PRF is defined as

$F_{NR}((k_0, k_1, \ldots, k_n, E_0), (x_1, \ldots, x_n)) := k_0 \circ k_1^{x_1} \circ \ldots \circ k_n^{x_n}$

where the exponentiation with $x_i$ may be read as "perform $\circ$ if the input bit is set".

2.4 Oblivious Transfer and Naor-Reingold OPRF

The NR-PRF gives rise to oblivious evaluation using oblivious transfer (OT). OT takes two messages $(m_0, m_1)$ from the sender, usually the server, and a choice bit $c$ from the receiver, usually the client. The protocol functionality returns $m_c$ to the client and is secure when the client learns nothing about $m_{1-c}$ and the server learns nothing about $c$.

To compute the NR-PRF obliviously using OT, the input $X$ is bit-decomposed into $X = [x_1, \ldots, x_n]$ to use as an input for the OT. The server samples $n$ blinding elements $[r_1, \ldots, r_n]$ and inputs $(r_i, k_i \circ r_i)$ to the OT, with $r_i$ perfectly hiding $k_i$. The client queries the OT with each $x_i$ to obtain $k_i^{x_i} \circ r_i$ and aggregates all results with the group action to obtain the blinded group element $k_1^{x_1} \circ r_1 \circ \ldots \circ k_n^{x_n} \circ r_n$. To finalize the computation, the server evaluates the inverse of all blinding elements with the key and sends the result, which we will call the finalization element, $fin = k_0 \circ r_1^{-1} \circ \ldots \circ r_n^{-1}$, to the client. The client now performs a final group action with the finalization element and the blinded group elements to obtain the result:

$k_1^{x_1} \circ r_1 \circ \ldots \circ k_n^{x_n} \circ r_n \circ k_0 \circ r_1^{-1} \circ \ldots \circ r_n^{-1} = k_0 \circ k_1^{x_1} \circ \ldots \circ k_n^{x_n}$

2.5 Notation

We write a vector $\mathbf{v}$ as a bold, lowercase variable, which is used for private exponent vectors. For two vectors $\mathbf{a}$ and $\mathbf{b}$, $\mathbf{a} + \mathbf{b}$ and $\mathbf{a} - \mathbf{b}$ denote coefficient-wise addition and subtraction.

We denote the sequential application of the group action $\mathrm{csidh}(\mathrm{csidh}(E, \mathbf{a}), \mathbf{b})$ as $\mathbf{b} \star (\mathbf{a} \star E)$. Due to the commutativity of CSIDH, this is also equivalent to $(\mathbf{a} + \mathbf{b}) \star E$. We denote the zero curve as $E_0$ and any other curve as $E$, potentially annotating it to give more context. For example, the result of applying some key $\mathbf{c}$ will be denoted $E_c = \mathrm{csidh}(\mathbf{c}, E_0) = \mathbf{c} \star E_0$.

We will use an ideal functionality $\mathrm{keygen}()$ to sample random, uniform CSIDH private keys. $[\mathbf{k}_1, \mathbf{k}_2] \xleftarrow{\$} \mathrm{keygen}()$ samples two random, independent and uniform keys. We will call a curve $E$ randomized after sampling a private key $\mathbf{r} \xleftarrow{\$} \mathrm{keygen}()$ and computing $E' = \mathbf{r} \star E$. We remove the property after applying $\mathbf{r}^{-1}$ to the curve $E'$, therefore removing the randomness.

2.6 Benchmarks

All benchmarks, unless specified otherwise, are averaged over 100 executions with random input and have been run on a computer with an AMD Ryzen 7 PRO 4750U Processor with a fixed processor speed at 1.7 GHz and 24 GiB RAM, under the Linux kernel 6.1.44-1-lts. We will refer to this setup as the test machine. Unless otherwise stated, the input length to the OPRF is 128 bits.

3 ATTACKING AND REPAIRING THE GENERIC NAOR-REINGOLD OPRF FROM CSIDH

Previous work [BKW20] describes the Naor-Reingold (NR) OPRF for CSIDH to compare against their SIDH-based proposal. While the latter has been broken [BKM+21] and subsequently repaired [Bas23], the approximations for the Naor-Reingold OPRF from CSIDH are widely cited in the literature and have not been studied further. We fill this gap with a thorough investigation of both NR-PRF and NR-OPRF from CSIDH. More concretely, we show in this section that the naïve instantiation of the OPRF leads to a full key recovery in a passive attack and propose a mitigation.

3.1 Instantiating the NR-PRF from CSIDH

To instantiate the NR-PRF with CSIDH, the protocol samples $n + 1$ CSIDH private keys and computes the group action as in Section 2.3. The textbook variant of the PRF outlined in Figure 1 is prohibitively slow, requiring $n + 1$ sequential group actions to compute the PRF for $n$ input bits. A recent paper [ADMP20] describes an effective way to evaluate the PRF by splitting the evaluation into two parts: First, a subset-product, in the case of CSIDH the addition of all key elements where $x_i = 1$, is computed. This first step can be parallelized. The group action is then evaluated using the aggregated key elements in a second step on the base curve.
$F_{NR}^{CSIDH}((\mathbf{k}_0, \mathbf{k}_1, \ldots, \mathbf{k}_n), (x_1, \ldots, x_n)) := \mathbf{k}_0 \star \mathbf{k}_1^{x_1} \star \ldots \star \mathbf{k}_n^{x_n} \star E_0$

Figure 1: Naor-Reingold PRF from CSIDH using $E_0$ as a starting curve. We use $\mathbf{k}_i^{x_i}$ as a shorthand notation for "perform the group action with $\mathbf{k}_i$ if and only if $x_i$ is set".

$F_{NR}^{CSIDH\text{-}OPT}((\mathbf{k}_0, \mathbf{k}_1, \ldots, \mathbf{k}_n, E_0), (x_1, \ldots, x_n)) := \left(\mathbf{k}_0 + \sum_{i=1}^{n} \mathbf{k}_i x_i\right) \star E_0$

Figure 2: Optimized two-step Naor-Reingold PRF from CSIDH. The first step is a subset-sum of the required keys and the second step is the application of the group action to the base curve $E_0$.

[Figure 3: plot; x-axis "PRF input length in bits" (0 to 500), y-axis "time in seconds"; legend: "without optimization", "with optimization".]

Figure 3: Runtime divergence between the traditional Naor-Reingold CSIDH PRF in blue and the same PRF with our optimization in green for different bit lengths.

[Figure 4: plot; x-axis "updated bits" (0 to 250), y-axis "time in s" (0 to 0.3); legend: "recomputing the PRF", "updating the PRF".]

Figure 4: Runtime divergence between updating $x$ bits of the PRF vs. recomputing the full 256 bits of the PRF.

$F_{NR}^{CSI\text{-}FiSh\text{-}OPT}((\mathbf{k}_0, \mathbf{k}_1, \ldots, \mathbf{k}_n, E_0), (x_1, \ldots, x_n)) := \mathrm{reduce\_mod}\left(\mathbf{k}_0 + \sum_{i=1}^{n} \mathbf{k}_i x_i,\ c_n\right) \star E_0$

Figure 5: Optimized two-step Naor-Reingold PRF from CSIDH. The first step is a subset-sum of the required keys and the second step is the application of the group action to the base curve $E_0$.

The subset-sum computation requires a tiny tweak in the CSIDH implementation^1, from 8-bit to 32-bit key elements to avoid overflows. Other than adding addition and subtraction subroutines, the implementation is the same. In Figure 3, we benchmark the PRF computation for input sizes between 1 and 512 bits. We see that the two-step computation approach reduces the evaluation time. This is due to two factors: one, the key coefficients are in the range $[-5, 5]$ and will partially cancel out when added, reducing the required steps on the isogeny graph. Two, the optimization saves $n - 1$ computations of the first step of the algorithm, which is computing a point of the correct order. A smaller value of $\ell_i$ corresponds to a higher cost in computing a point of correct order, as the probability of sampling a correct point is $\frac{\ell_i - 1}{\ell_i}$. Therefore, the optimization is particularly of interest for an aggressive parameter choice in CSIDH.

Additionally, this PRF is updatable; that is, if parts of the input change, updating the output requires a single group action to update the PRF. This is useful for applications requiring to hash multiple inputs, so the individual inputs differ in less than $\frac{n}{2}$ bits. In Figure 4, we show that the effort between recomputing the OPRF and updating a previous result holds fairly clearly to our expectations: It is cheaper to update the OPRF when less than 128 bits differ and otherwise recomputation is more efficient. Note that the divergence in the runtime is due to non-uniform keys in CSIDH.

3.1.1 Instantiation from CSI-FiSh. The PRF is even more efficient with CSI-FiSh, as the keys can be added and then reduced modulo the class group number as depicted in Figure 5. The reduction step leads to an almost constant-time computation. In Figure 6, we show the improvement in runtime when using a reduction, leading to an almost constant time complexity when computing the PRF, independent of the input. More concretely, the difference between the lowest and the highest execution time is 0.0032s for the optimized variant and 0.4377s for the aggregation variant.

^1 All CSIDH benchmarks use the reference implementation from https://yx7.cc/code/csidh/csidh-latest.tar.xz, which is from 27-06-2021.
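The two-step evaluation of Figure 2 and the updatable evaluation discussed above, as an added example that is not part of the paper or its implementation. It models the class group as $\mathbb{Z}_N$ acting on curves that are also residues mod $N$ (free, transitive and commutative, which is all the construction needs), keeps CSIDH-style exponent vectors with coefficients in $[-5, 5]$, and charges a group action its $L_1$ norm, i.e. the number of $\ell_i$-isogeny steps a CSIDH walk would take. The class number, the number of coefficients and the generator coordinates are constructed toy values, not CSIDH-512 parameters; the "cost" model is a simplification of the two effects the text names (coefficient cancellation and fewer point samplings).

```python
"""Toy model of the Naor-Reingold PRF from a commutative group action:
textbook evaluation (Figure 1), two-step subset-sum evaluation (Figure 2)
and an update after a few input bits change (Section 3.1).

The class group is modelled as Z_N acting on Z_N by addition; a private
key is an exponent vector e with e_i in [-M, M]; the class group element
of e is sum(e_i * d_i) mod N for fixed toy generators d_i. The cost of a
group action is the L1 norm of its exponent vector (isogeny steps).
All parameters below are constructed for illustration, not CSIDH-512.
"""
import random

N = 2**31 - 1   # toy class number (constructed)
K = 8           # coefficients per key (constructed; CSIDH-512 uses 74)
M = 5           # coefficient bound, as in the CSIDH-512 reference code
_g = random.Random(1)
GENS = [_g.randrange(1, N) for _ in range(K)]   # toy d_i (constructed)
E0 = 0          # base curve

def keygen(rng):
    """CSIDH-style private key: K coefficients uniform in [-M, M]."""
    return [rng.randint(-M, M) for _ in range(K)]

def vec_add(a, b):
    return [x + y for x, y in zip(a, b)]

def walk_cost(e):
    """Isogeny steps needed to apply exponent vector e (L1 norm)."""
    return sum(abs(x) for x in e)

def action(e, curve):
    """e * curve in the toy model: shift by the class group element of e."""
    return (curve + sum(x * d for x, d in zip(e, GENS))) % N

def nr_prf_textbook(keys, bits):
    """Figure 1: one group action for k_0 and one per set input bit."""
    curve, cost = action(keys[0], E0), walk_cost(keys[0])
    for k, x in zip(keys[1:], bits):
        if x:
            curve, cost = action(k, curve), cost + walk_cost(k)
    return curve, cost

def aggregate(keys, bits):
    """Step one of Figure 2: the subset-sum k_0 + sum_i x_i k_i."""
    agg = list(keys[0])
    for k, x in zip(keys[1:], bits):
        if x:
            agg = vec_add(agg, k)
    return agg

def nr_prf_two_step(keys, bits):
    """Figure 2: a single group action with the aggregated key."""
    agg = aggregate(keys, bits)
    return action(agg, E0), walk_cost(agg)

def nr_prf_update(keys, old_bits, new_bits, old_curve):
    """Updatable evaluation: apply only the keys of flipped bits to the
    previous result, +k_i for a newly set bit and -k_i for a cleared one."""
    delta = [0] * K
    for k, xo, xn in zip(keys[1:], old_bits, new_bits):
        if xo != xn:
            delta = vec_add(delta, [x if xn else -x for x in k])
    return action(delta, old_curve), walk_cost(delta)

def demo(n=128, flips=5, seed=7):
    rng = random.Random(seed)
    keys = [keygen(rng) for _ in range(n + 1)]
    bits = [rng.randint(0, 1) for _ in range(n)]
    c_text, cost_text = nr_prf_textbook(keys, bits)
    c_two, cost_two = nr_prf_two_step(keys, bits)
    new_bits = list(bits)
    for i in rng.sample(range(n), flips):
        new_bits[i] ^= 1
    c_upd, cost_upd = nr_prf_update(keys, bits, new_bits, c_two)
    return {
        "same_output": c_text == c_two,
        "textbook_cost": cost_text,
        "two_step_cost": cost_two,
        "update_correct": c_upd == nr_prf_two_step(keys, new_bits)[0],
        "update_cost": cost_upd,
    }

if __name__ == "__main__":
    print(demo())
```

The aggregated vector can never cost more steps than the textbook walk (triangle inequality on the $L_1$ norm), and the update costs only the steps of the flipped keys; recomputing becomes cheaper once enough bits differ, which is the crossover Figure 4 measures on real CSIDH.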
[Figure 6: plot; x-axis "PRF input length in bits" (0 to 500), y-axis "time in seconds" (0 to 0.6); legend: "aggregation only", "aggregation and reduction".]

Figure 6: Comparing PRF runtimes using aggregation only and aggregation and a reduction modulo the class group number before applying the group action.

3.2 Oblivious NR-PRF from CSIDH

The OPRF in [BKW20] is not rigorously described; they initially give a description of the NR-PRF in Protocol 24 of the same paper. In a later paragraph, they state that instantiating their protocol with CSIDH results in a NR-OPRF similar to the protocol in Section 2.3. Since the protocol uses OT, we will call it NR-OT henceforth. Using our addition trick from Section 2.3, a correct intuition to compute the OPRF is to instantiate the OT with $(\mathbf{r}_i, \mathbf{k}_i + \mathbf{r}_i)$ and finalize the OT by sending $\mathbf{k}_0 - \sum_{i=1}^{n} \mathbf{r}_i$.

3.2.1 Analyzing the Construction. While the OPRF above produces a correct result, due to the non-uniform representation of the CSIDH private key, the construction leaks the server key.^2 A passive adversary, that is, an adversary who carries out the protocol faithfully, can observe the distribution of the blinded keys.

3.2.2 Key Leakage Example. Consider the key coefficient $k_i = y$, with $y \in [-m, m]$ (for a discussion on bounds, see Section 2.1). When it is blinded with a random element $r_i$, the blinded element $r_i + k_i$ is always within the range $[y - m, y + m]$, as the blinding coefficient is uniformly sampled within the same range $r_i \in [-m, m]$. Over several iterations, $r_i$ will change and reveal more and more information about the key, giving the information outright when the difference between the blinding results is $2m$. To obtain the correct coefficient $y$, take the largest result $l$ and compute $y := l - m$.

3.3 Fixing the NR-OPRF

Signature schemes using the Fiat-Shamir transformation [FS87] require uniform keys as well. For CSIDH, the signature scheme SeaSign [DG19] mitigates the non-uniform key distribution by rejection sampling, concretely using the Fiat-Shamir transformation with aborts [Lyu09]. To translate the technique to the CSIDH setting, SeaSign uses somewhat short, long-term secret keys $\mathbf{k}$ with coefficients $k_i \in [-B, B]^k$ for some $B$ and large, ephemeral secret keys $\mathbf{r}$ with each coefficient $r_i \in [-(\delta + 1)B, (\delta + 1)B]^k$, rejecting any $\mathbf{r}$ where the vector $\mathbf{r} - \mathbf{k}$ contains a coefficient outside of the range $[-\delta B, \delta B]$. In the NR-OT setting, the long-term sender keys are the short keys $\mathbf{s}$ and the ephemeral keys are sampled as $\mathbf{r}$. While using tactics from SeaSign is a good mitigation, it puts a computational load on the server and introduces the drawbacks of lattice signatures in the scheme. Additionally, the large ephemeral keys add communication overhead to the protocol.

Most of these issues are mitigated by using the sampling algorithm from the signature scheme CSI-FiSh [BKV19] introduced in Section 2.2. The protocol would largely remain the same, with $\mathbf{k}_i + \mathbf{r}_i$ being a reduced element of the class group.

3.3.1 Trusted Setup in Oblivious Transfer. Another roadblock on the way to a secure NR-OT instantiation is the underlying OT. The estimations for the communication complexity of the NR-OT [BKW20] use an isogeny-based OT protocol [LGD21] that requires a supersingular curve with an unknown endomorphism ring. A recent paper [BCC+23] proposes an algorithm for the generation of supersingular curves with unknown endomorphism over $\mathbb{F}_{p^2}$. However, there are no known efficient algorithms for the curves over $\mathbb{F}_p$ used by CSIDH, which is denoted as an open problem in the same paper. Therefore, using the OPRF protocol requires either an efficient construction of curves with unknown endomorphism over $\mathbb{F}_p$ or a different OT protocol without a trusted setup.

3.3.2 Alternate OT protocols using CSIDH. The semi-honest protocol of [dSGOPS20] gives similar performance to the OT protocol of [LGD21], but requires two trusted curves for the setup. A good alternative may be the single-bit OT of [ADMP20], which requires a key distribution closer to uniform than CSIDH and therefore uses the CSI-FiSh key sampling algorithm for the entire protocol. The main issue with this protocol is that the number of isogeny computations depends on the length of the client input and the bitlength of the input $\log_2 p = \sigma$. The overall number of isogeny computations would be $\gamma(5\sigma + 5)$. For an input length of 128 bits and a key size of 256 bits, this would amount to 164480 isogeny computations, which is prohibitive.

Hence, to instantiate the protocol we chose a two-round OT protocol based on additive homomorphic encryption [BDK+20], as it provides an implementation and is round-optimal. In addition, the protocol offers batching, making it more efficient for multiple OT invocations, and expects the input to be given as a GMP integer, which is how CSI-FiSh encodes the private key. The protocol is implemented in C++ using Microsoft SEAL [SEA21] for the homomorphic operations. Using the BFV [Bra12, FV12] scheme, it follows in three steps, with boxed operators denoting homomorphic operations on encrypted messages.
(1) The client encrypts their choice bit $c_b = \mathrm{Enc}(pk, b)$ and sends it to the server.
(2) The server computes $c_{m_b} = (m_0 \boxdot (1 \boxminus c_b)) \boxplus (m_1 \boxdot c_b)$ and sends $c_{m_b}$ to the client.
(3) The client decrypts the ciphertext to obtain $m_b = \mathrm{Dec}(sk, c_{m_b})$.

Using the OT and CSI-FiSh, the full protocol is displayed in Figure 7.

^2 In personal communication, authors of [BKW20] confirmed that the specific instantiation of their construction using class groups (or isogenies) blinds the class group element representing the key by multiplying a random element, but that the non-uniform key distribution leads to the CSIDH instantiation of protocol [BKW20] being "currently broken".
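The leakage of Section 3.2.2 next to the CSI-FiSh-style repair of Section 3.3, as an added simulation that is not part of the paper or its implementation. Both variants run the NR-OT flow of Section 3.2 (server blinds each key, an ideal 1-out-of-2 OT hands the client one of the two values, the server finishes with $\mathbf{k}_0 - \sum \mathbf{r}_i$) and record what a passive, honest-but-curious client sees. In the naive variant keys and blindings are exponent vectors with coefficients in $[-m, m]$, so the blinded coefficient $k_i + r_i$ lies in $[y - m, y + m]$ and the range statistic $y = \max - m$ from the text recovers the key. In the repaired variant the class group is modelled as the cyclic group $\mathbb{Z}_N$ with blinded keys reduced modulo $N$, so the blinded value is uniform and carries no information about $k_i$. The class number, coefficient count and session count are constructed toy values; the ideal OT stands in for the lattice OT of Section 3.3.2.

```python
"""Toy simulation of the NR-OT OPRF of Section 3.2 with an ideal 1-out-of-2
OT: naive (non-uniform CSIDH-style blinding, leaks the key to a passive
client) versus repaired (CSI-FiSh-style uniform keys reduced mod N).
All parameters are constructed for illustration, not CSIDH-512.
"""
import random

M = 5            # coefficient bound e_i in [-M, M] (CSIDH-512 reference code)
K = 8            # coefficients per key (constructed; CSIDH-512 uses 74)
N = 2**61 - 1    # toy class number (constructed; CSI-FiSh knows the real one)

def ideal_ot(m0, m1, choice):
    """Ideal OT functionality: the receiver learns exactly m_choice."""
    return m1 if choice else m0

# ---------- naive variant: exponent vectors, coefficients in [-M, M] ----------
def keygen_nonuniform(rng):
    return [rng.randint(-M, M) for _ in range(K)]

def vadd(a, b):
    return [x + y for x, y in zip(a, b)]

def session_nonuniform(rng, keys, bits):
    """One OPRF run. Returns the exponent vector of the client's result and
    the OT outputs the client observed (its passive view)."""
    R, acc, view = [0] * K, [0] * K, []
    for i, x in enumerate(bits):
        r = keygen_nonuniform(rng)                 # server blinding r_i
        blinded = vadd(keys[i + 1], r)             # k_i + r_i, unreduced
        R = vadd(R, r)
        got = ideal_ot(r, blinded, x)
        view.append(got)
        acc = vadd(acc, got)
    fin = [a - b for a, b in zip(keys[0], R)]      # k_0 - sum r_i
    return vadd(acc, fin), view

def range_statistic(observations):
    """Section 3.2.2: with r_i uniform in [-M, M], the blinded coefficient
    lies in [y - M, y + M]; once its maximum is observed, y = max - M."""
    return [max(o[j] for o in observations) - M for j in range(K)]

# ---------- repaired variant: uniform class group elements mod N ----------
def keygen_uniform(rng):
    return rng.randrange(N)

def session_uniform(rng, keys, bits):
    R, acc, view = 0, 0, []
    for i, x in enumerate(bits):
        r = keygen_uniform(rng)
        blinded = (keys[i + 1] + r) % N            # reduce_mod(k_i + r_i)
        R = (R + r) % N
        got = ideal_ot(r, blinded, x)
        view.append(got)
        acc = (acc + got) % N
    return (acc + keys[0] - R) % N, view

def demo(n=4, sessions=200, seed=3):
    rng = random.Random(seed)
    bits = [1] * n          # curious client asks for every k_i + r_i

    keys = [keygen_nonuniform(rng) for _ in range(n + 1)]
    expected = keys[0]
    for k in keys[1:]:
        expected = vadd(expected, k)
    per_key = [[] for _ in range(n)]
    correct = True
    for _ in range(sessions):
        out, view = session_nonuniform(rng, keys, bits)
        correct = correct and out == expected
        for i, got in enumerate(view):
            per_key[i].append(got)
    recovered = [range_statistic(obs) for obs in per_key]

    ukeys = [keygen_uniform(rng) for _ in range(n + 1)]
    uexpected = sum(ukeys) % N
    uview = [[] for _ in range(n)]
    ucorrect = True
    for _ in range(sessions):
        out, view = session_uniform(rng, ukeys, bits)
        ucorrect = ucorrect and out == uexpected
        for i, got in enumerate(view):
            uview[i].append(got)
    # spread of the observed blinded values: <= 2M when leaking, ~N when uniform
    spread = max(max(o) - min(o) for o in uview)
    return {"naive_correct": correct, "naive_key_recovered": recovered == keys[1:],
            "repaired_correct": ucorrect, "repaired_spread": spread}

if __name__ == "__main__":
    print(demo())
```

The defensive check this encodes is the one the text implies: if the values a client can collect over many sessions are confined to a window of width $2m$ around the key, the blinding is not hiding anything; after reduction modulo the class number every observed value is uniform on $\mathbb{Z}_N$ regardless of the key, which is exactly the hiding property of Lemma 1.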
Figure 7 (protocol):
Server holds the keys $K = \mathbf{k}_0, \ldots, \mathbf{k}_n$; client holds the input $X = [x_1, \ldots, x_n]$.
Server: $\mathbf{R} \leftarrow [0]$.  Client: $\mathbf{K} \leftarrow [0]$.
For $i \in [1, n]$ (server) and $i \in [1, N]$ (client):
  Server: $\mathbf{r}_i \xleftarrow{\$} \mathrm{keygen}()$; $\mathbf{k}_i\mathbf{r}_i \leftarrow \mathbf{r}_i + \mathbf{k}_i$; $\mathbf{k}_i\mathbf{r}_i \leftarrow \mathrm{reduce\_mod}(\mathbf{k}_i\mathbf{r}_i)$; $\mathbf{R} \leftarrow \mathbf{R} + \mathbf{r}_i$.
  Server inputs $(\mathbf{r}_i, \mathbf{k}_i\mathbf{r}_i)$ and the client inputs $x_i$ to a $\binom{2}{1}$-OT; the client obtains $\mathbf{r}_i$ if $x_i = 0$ and $\mathbf{k}_i + \mathbf{r}_i$ if $x_i = 1$, and sets $\mathbf{K} \leftarrow \mathbf{K} + x_i\mathbf{k}_i + \mathbf{r}_i$.
Client: $\mathbf{k} \leftarrow \mathrm{reduce\_mod}(\mathbf{K})$.
Server: $E_{fin} \leftarrow (\mathbf{k}_0 - \mathbf{R}) \star E_0$, sends $E_{fin}$ to the client.
Client: $E \leftarrow \mathbf{k} \star E_{fin}$; return $E$.

Figure 7: Full protocol of evaluating the NR-OPRF with CSI-FiSh and $N$ OT calls. The function reduce_mod describes the reduction modulo the class group number.

Table 1: Comparison between PRF and OPRF execution time locally on the test machine for our NR-OT OPRF. The network traffic is always denoted as sent kilobytes. OT keygen is a separate column for key generation measuring the client communication and computation time.

Input length | Keygen PRF | Comp. PRF | Client          | Server          | OT keygen
128          | 204ms      | 43ms      | 90ms / 128 kiB  | 91ms / 256 kiB  | 429ms / 256 kiB
256          | 378ms      | 43ms      | 97ms / 256 kiB  | 97ms / 512 kiB  | 428ms / 256 kiB
512          | 763ms      | 45ms      | 101ms / 384 kiB | 101ms / 768 kiB | 427ms / 256 kiB

Table 2: Comparison of OPUS complexity on the test machine. The overall time is the addition of the time from the client and the server, as the protocol is sequential.

Bit-length | Keygen PRF | Comp. PRF | Client             | Server             | Overall
128        | 0.11ms     | 168ms     | 3.00s / 8.06 kiB   | 5.73s / 16.06 kiB  | 8.73s / 24.13 kiB
256        | 0.26ms     | 234ms     | 5.83s / 16.1 kiB   | 11.30s / 32.1 kiB  | 17.13s / 48.13 kiB
512        | 0.51ms     | 326ms     | 11.47s / 32.06 kiB | 22.42s / 64.06 kiB | 33.89s / 96.13 kiB

3.3.3 Performance. Using the lattice-based OT, the NR-OT OPRF becomes relatively efficient. This is due to two factors: first, the added keys are reduced modulo the class number, which results in a very fast PRF runtime, see Section 3.1.1. This results in a protocol that only requires two group actions to complete. Second, while the lattice OT requires a lot of communication, it is relatively fast.

3.3.4 Conclusion. The construction repairs the issues from the initial proposal [BKW20], namely by using an OT protocol that does not require a trusted setup and using the sampling approach from CSI-FiSh for uniform keys. This introduces two new issues: First, the OT protocol allows the client's choice bit to be neither 0 nor 1, which may result in a response that is a superposition of messages. Hence, the security model is weaker, as a semi-honest client would only be passively secure. Second, when using uniform sampling, the class group structure is only available for primes of length 512 [BKV19] or 1024 [DFK+23], which may not provide a sufficient security margin as discussed in Section 2.1.3.

4 OPUS: OBLIVIOUS PSEUDORANDOM FUNCTION USING CSIDH

While the above construction is relatively efficient, it would be of interest to build a similar OPRF exclusively from a single type of problem, i.e., isogenies, without the need for hard lattice problems. To avoid sending any private keys over the network, we propose OPUS, a novel OPRF that only sends evaluated curves, that is, CSIDH public keys. In the protocol, both parties iteratively blind their intermediate results, with the client getting anything useful only in the end, beforehand computing over randomized curves. This eliminates the need for a trusted setup, which is the main obstacle hampering other OPRF protocols from CSIDH. The main operations in OPUS are blinding and key addition. In each step, the client blinds a curve, starting with $E_0$, with a random class group element $\mathbf{r}_{c,i}$ and sends it to the server, which returns the curve blinded again with its own, fresh blinding element $\mathbf{r}_{s,i}$ and once with the own blinding element and the key. Now, the client decides based on the $i$-th bit of the input with which curve the computation should continue, blinding again to ensure the server learns nothing about their choice. By the hiding Lemma 1, this perfectly protects the client input and the server keys from malicious parties, see Figure 8.

4.1 Efficiency

Once again, the OPRF is made more efficient with the addition trick from Section 2.3, as both client and server aggregate the blinding keys in vector $\mathbf{R}$ to quickly reduce the number of group actions. Overall, OPUS needs $2n + 1$ group action computations for the server and $n + 1$ for the client. Experimental runtimes can be found in Table 2.

The low communication cost gives lower bandwidth requirements. This is also of benefit in cloud environments and when data is transmitted over cellular networks. An additional advantage of OPUS is that the server carries the highest computational load, while the client only has to perform $n + 1$ CSIDH computations.

Aside from the isogeny computations, the main performance issue in OPUS is the large number of rounds. To address this concern, we rented virtual machines around the world and used them as clients performing OPUS with a server in London. As clear from Figure 9, the runtime of OPUS directly corresponds to the
580
OPRFs from Isogenies: Designs and Analysis ASIA CCS 24, July 15, 2024, Singapore, Singapore
Figure 8: The full protocol of our novel OPRF OPUS.

    Server                                          Client
    {k_0, k_1, ..., k_n} ← keygen()                 input X ← {x_1, ..., x_n}
    r_s ← [0]                                       r_c ← [0], E_client ← E_0

    foreach i ∈ {1, ..., n}:
                                                    r_{c,i} ← keygen()
                                                    E_blinded ← r_{c,i} ⋆ E_client
                          <----- E_blinded -----
    r_{s,i} ← keygen()
    E_{s,i,0} ← r_{s,i} ⋆ E_blinded
    E_{s,i,1} ← k_i ⋆ E_{s,i,0}
    r_s ← r_s − r_{s,i}
                          ----- E_{s,i,0}, E_{s,i,1} ----->
                                                    E_client ← E_{s,i,x_i}
                                                    r_c ← r_c − r_{c,i}

    . . . . . . . . . . . . Finalize and Unblind . . . . . . . . . . . .
                                                    r_{c,0} ← keygen()
                          <----- r_{c,0} ⋆ E_client -----
    E_s ← (k_0 + r_s) ⋆ r_{c,0} ⋆ E_client
                          ----- E_s ----->
                                                    E_client ← (r_c − r_{c,0}) ⋆ E_s
                                                    return E_client
[Figure 9: scatter plot of OPRF execution time in seconds (x-axis, 0 to 60) against ping in milliseconds (y-axis, 0 to 300) for clients in London, Netherlands, Tel Aviv, South Carolina, Los Angeles, Santiago, Tokio, Sydney and Delhi.]

Figure 9: Online runtimes of clients in different cities computing OPUS with a bit length of 128 with a server in London. All machines run on Debian 11 using the simplest Google Cloud instance.

round-trip time of the ping. In a real-life setting, this overhead may be mitigated by running several, distributed instances of a server.

4.2 Verifiability

When the OPRF is used as a building block in a protocol, and the resulting OPRF output is utilized at a later stage, it is crucial to safeguard user anonymity by preventing any link between the result and the OPRF evaluation. For instance, a malicious server may tag an individual by using a distinct key for OPRF evaluation. This discloses the user's identity when revealing the OPRF result. For example, the PrivacyPass protocol [DGS+18] hands out tokens to the user after they completed a CAPTCHA. These tokens can be redeemed instead of completing a new CAPTCHA. By using a different key for each challenge, the browser can distinguish tokens handed out for different challenges and track the user across websites.

To mitigate this attack, some OPRFs are verifiable, which means the functionality ensures a server uses a certain key that it previously committed to for the evaluation. Adding verifiability to OPUS is difficult as the communication is entirely over randomized curves, similar to the challenges imposed by the requirements for malicious security. Another OPRF based on isogenies over F_{p^2} [Bas23] uses a proof of parallel isogeny, which provides a zero-knowledge proof to show that two curves were computed by applying the same secret key to two starting curves and torsion points. Unfortunately, this does not carry over to CSIDH's F_p and cannot be applied to OPUS or the NR-OT. A recent survey [BFGP23] details strategies and gives an overview of zero-knowledge proofs for isogenies. While it seems possible, we leave the task of constructing a verifiable OPRF for future work.

5 SECURITY ANALYSIS

To prove our novel OPRF secure against a semi-honest adversary in the ROM, we will first show that OPUS is a PRF. We now show that the protocol OPUS in Figure 8 generates output in correspondence to the CSIDH NR-PRF F_NR from Section 2.3.

Proposition 1 (OPUS produces correct NR-PRF outputs). For all keys k ∈ K and inputs x ∈ {0, 1}^n, the output of an honest computation of OPUS is an evaluation of the CSIDH-based F_NR. That is P[F_OPUS(k, x) = F_NR(k, x)] = 1, with the probability being over the internal randomness of OPUS.
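To make the bookkeeping of Figure 8 and Proposition 1 concrete, the following Python model of the OPUS exchange is added here; it is not part of the paper or its implementation. It replaces the CSIDH class group action by a constructed toy: addition modulo a fixed N acting on integers that stand in for curves. That keeps exactly the algebra the correctness argument relies on (a free, transitive action of an abelian group) and none of the hardness, so it checks blinding, unblinding and the group-action count, nothing else. The names Server, run_opus, act and the counters are the example's own.

```python
import secrets

# Constructed stand-ins: the class group is modelled as Z_N acting on Z_N by
# addition, and the base curve E_0 is the integer 0. No security, only algebra.
N = 2**61 - 1
E0 = 0


def keygen() -> int:
    """Uniform class group element; in CSIDH this would be an ideal class."""
    return secrets.randbelow(N)


def act(a: int, E: int) -> int:
    """Toy group action a * E. In CSIDH this is the isogeny walk to [a]E."""
    return (a + E) % N


def nr_prf(keys: list[int], x: list[int]) -> int:
    """Naor-Reingold PRF F_NR(k, x) = (k_0 + sum_i k_i x_i) * E_0 (Section 2.3).
    keys[0] is k_0 and keys[i] is k_i; the exponent is reduced before one action."""
    exponent = keys[0] + sum(k * b for k, b in zip(keys[1:], x))
    return act(exponent % N, E0)


class Server:
    """Server side of Figure 8: holds k_0..k_n and aggregates its blinding factors."""

    def __init__(self, n: int):
        self.keys = [keygen() for _ in range(n + 1)]
        self.r_s = 0        # running -sum r_{s,i}, so that k_0 + r_s removes them
        self.actions = 0    # group actions performed, 2n + 1 for one full run

    def step(self, i: int, E_blinded: int) -> tuple[int, int]:
        """Round i: return (E_{s,i,0}, E_{s,i,1}) for the client's blinded curve."""
        r = keygen()
        E_si0 = act(r, E_blinded)             # fresh server blinding
        E_si1 = act(self.keys[i], E_si0)      # ... and additionally k_i
        self.actions += 2
        self.r_s = (self.r_s - r) % N         # addition trick: aggregate, act once later
        return E_si0, E_si1

    def finalize(self, E: int) -> int:
        """Apply k_0 and strip all server blinding with a single action."""
        self.actions += 1
        out = act((self.keys[0] + self.r_s) % N, E)
        self.r_s = 0                          # r_s ← [0] for the next evaluation
        return out


def run_opus(server: Server, x: list[int]) -> int:
    """Client side of Figure 8 on input bits x = (x_1, ..., x_n)."""
    n = len(x)
    r_c = 0                 # running -sum r_{c,i}
    E_client = E0
    for i in range(1, n + 1):
        r = keygen()
        E_blinded = act(r, E_client)          # hide the current curve from the server
        candidates = server.step(i, E_blinded)
        E_client = candidates[x[i - 1]]       # continue with E_{s,i,x_i}
        r_c = (r_c - r) % N
    r_c0 = keygen()
    E_s = server.finalize(act(r_c0, E_client))   # blind once more before k_0 is applied
    return act((r_c - r_c0) % N, E_s)            # unblind all r_{c,i} with one action


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    srv = Server(len(bits))
    out = run_opus(srv, bits)
    print("OPUS output equals F_NR(k, x):", out == nr_prf(srv.keys, bits))
    print("server group actions:", srv.actions, "expected 2n + 1 =", 2 * len(bits) + 1)
```

The server's counter shows where the 2n + 1 actions of Section 4.1 come from: two per round and one in the finalization, because the aggregated r_s is applied together with k_0. The client applies one blinding per round and then blinds and unblinds once each in the finalization; its transcript never contains E_0 or E_{s,i,x_i} in the clear.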
Experiment om-PRF:
  • (pk, sk) ← K, q, c ← 0
  • (i_1, ..., i_ℓ, β) ← A^{RoR, PRF-Srv}
  • If ℓ > q or ℓ ≤ c or ∃ α ≠ β : i_α = i_β return 0.
  • Return β = ⊕_{α=1}^{ℓ} b_{i_α}

RoR(m):
  • q ← q + 1, b_q ←$ {0, 1}, Z_0 ←$ R, Z_1 ← F_k(m)
  • Return Z_{b_q}

PRF-Srv(m):
  • c ← c + 1
  • Return PRF-Srv_k(m)

Figure 10: Security game for one-more pseudorandomness.

Correctness of OPUS. Given input X = (x_1, ..., x_n) and keys K = (k_0, ..., k_n), the client C initializes E ← E_0. For each i ∈ [1, n], C generates a random key r_{c,i} and sends a randomized curve r_{c,i} ⋆ E to the server S, which samples their randomness r_{s,i} and returns E_{i,0} ← r_{s,i} ⋆ E and E_{i,1} ← k_i ⋆ r_{s,i} ⋆ E to C. If x_i = 1, C sets E ← E_{i,0} and E ← E_{i,1} otherwise. Clearly, repeating this step n times is equivalent to computing

    (Σ_{i=1}^{n} r_{s,i} + Σ_{i=1}^{n} r_{c,i} + Σ_{i=1}^{n} k_i x_i) ⋆ E_0.

The computation is finalized by C blinding the result again with the term r_{c,0} and sending it to the server, which applies k_0 as well as the sum of the inverse blinding terms r_s such that

    ((k_0 − Σ_{i=1}^{n} r_{s,i}) + r_{c,0} + Σ_{i=1}^{n} r_{s,i} + Σ_{i=1}^{n} r_{c,i} + Σ_{i=1}^{n} k_i x_i) ⋆ E_0,

which is equivalent to

    (Σ_{i=0}^{n} r_{c,i} + k_0 + Σ_{i=1}^{n} k_i x_i) ⋆ E_0.

The client is left to compute the inverse of their respective blinding elements such that

    (Σ_{i=0}^{n} (−r_{c,i}) + Σ_{i=0}^{n} r_{c,i} + k_0 + Σ_{i=1}^{n} k_i x_i) ⋆ E_0,

which is equivalent to computing

    (k_0 + Σ_{i=1}^{n} k_i x_i) ⋆ E_0.

Therefore, OPUS correctly evaluates the NR-PRF for honest parties. □

Consequently, we obtain the following corollary from [BKW20, Theorem 23]:

Corollary 1. Assuming computational CSIDH (cf. Problem 2) holds, then OPUS is a secure pseudorandom function.

For the security proof, we consider the one-more pseudorandomness security game of Everspaugh et al. [ECS+15] in the fully oblivious setting.

Definition 3. An OPRF F_k : M → R provides one-more pseudorandomness if for any PPT adversary A the advantage in the one-more pseudorandomness experiment defined in Figure 10, |Pr[om-PRF = 1] − 1/2|, is negligible.

This notion, as shown by Everspaugh et al., implies the weaker one-more unpredictability security notion of OPRFs. Note though, that in Figure 10, the PRF-Srv oracle is modelled as a single query. In our case, this algorithm takes part in a multi-round protocol, where the output depends on client-provided random values which in turn depend on previous outputs of PRF-Srv. We will however keep the notation for simplicity and assume that all the required information to produce a transcript is passed as part of m. We now show that OPUS is one-more pseudorandom based on the D-CSIDH assumption:

Theorem 1. If the D-CSIDH assumption holds, then OPUS is one-more pseudorandom.

Proof. The basic idea is to replace the use of the secret key k_i step-by-step with randomly sampled curves.
  • Game 0: The initial game.
  • Game i: Everything is as before, but compute E_{s,i,1} by sampling uniformly at random from E.
  • Transition i − 1 to i: an adversary that can distinguish between game i − 1 and i can also solve D-CSIDH. Indeed, let (E, H, E', H') be from a D-CSIDH challenger. We set E_{s,i,0} ← H and E_{s,i,1} ← H', which interpolates between the two games (footnote 3).
In Game n, the adversary can only guess, as none of the k_1, ..., k_n are used in the protocol execution. □

Footnote 3: We could set E_0 ← E, and E' would represent the public key of the server. As we do not have a public key, though, this step is not required.

Proving the security of OPUS in the universal composability model and in an adaptive setting is currently open and future work. To achieve adaptive security, it would be required at least to produce the output of OPUS via a random oracle, i.e., by outputting H(m, E_client), as observed by Jarecki et al. [JKX18].

6 CASE STUDY: OPAQUE

The OPAQUE [JKX18] protocol introduces a Password-Authenticated Key Exchange (PAKE) protocol that does not reveal the user's password to the server. Instead, it performs an OPRF calculation with the server, using the hash of the password as the user's input and a PRF key provided by the server. Hence, offline dictionary attacks effectively require compromise of the server's PRF key and are otherwise rendered impossible. OPAQUE is unable to prevent online attacks, yet they incur additional costs for the attacker, as they have to perform the client's side of the OPRF evaluation. To make online attacks even more costly, additional client hardening steps (e.g., memory hard functions) can be employed as discussed in [JKX18].

OPAQUE consists of two phases: Password Registration and Password Authentication with Key Generation. Authentication and key generation are accomplished by either combining the OPRF with an asymmetric PAKE (aPAKE) or an Authenticated Key Exchange (AKE) protocol. In our implementation, we focus on the composition using the AKE protocol, since no CSIDH-based aPAKE protocols are available. During registration, both parties generate a long-term asymmetric keypair, later used during authentication to perform the AKE protocol. Using the output of the OPRF, the client derives a symmetric key and uses it to encrypt its private key. For
Figure 11: Description of PQ OPAQUE Password Registration

    Client: username, password                 Server: {k_0, ..., k_256} ← keygen()
    Client → Server: username
    OPUS with client input Hash(password) and server key k; the client obtains out
    Client: y ← Hash(password || out)
            rw ← HkdfExtract(y || PWHash(y))
            (ek_C, dk_C) ← KEM.KeyGen(); (vk_C, sk_C) ← SIG.KeyGen()
            Ipk_C ← (ek_C, vk_C); Isk_C ← (dk_C, sk_C)
    Server: (ek_S, dk_S) ← KEM.KeyGen(); (vk_S, sk_S) ← SIG.KeyGen()
            Ipk_S ← (ek_S, vk_S); Isk_S ← (dk_S, sk_S)
    Server → Client: Ipk_S
    Client: n ←$ {0, 1}^256
            c ← AuthEnc_rw(Ipk_C || Ipk_S || Isk_C, n)
    Client → Server: c, n, Ipk_C
    Server: s ←$ {0, 1}^256
            User Record: Ipk_S || Isk_S || Ipk_C || c || n || s || k
            Store User Record for given username

Figure 12: Description of PQ OPAQUE Password Authentication and Key Generation

    Client: username, password
    Client → Server: username
    Server: Retrieve User Record for given username
    OPUS with client input Hash(password) and server key k; the client obtains out
    Server → Client: c, n
    Client: y ← Hash(password || out)
            rw ← HkdfExtract(y || PWHash(y))
            (Ipk_C || Ipk_S || Isk_C) ← AuthDec_rw(c, n)
            (ek_T, dk_T) ← KEM.KeyGen()
            σ_C ← SIG.Sign_{sk_C}(ek_T)
    Client → Server: ek_T, σ_C
    Server: SIG.Verify_{vk_C}(ek_T, σ_C) = 1 must hold
            (K, C, τ) ← KEM.Encap_{ek_C}(); (K_T, C_T, τ_T) ← KEM.Encap_{ek_T}()
            K_1 ← Ext_s(K); K_2 ← Ext_s(K_T)
            sid ← username || hostname || Ipk_C || Ipk_S || ek_T || C || C_T
            k_S || k ← F_{K_1}(sid) ⊕ F_{K_2}(sid)
            σ ← SIG.Sign_{sk_S}(sid); b ← σ ⊕ k
    Server → Client: C, C_T, τ, τ_T, b, s
    Client: K ← KEM.Decap_{dk_C}(C, τ); K_T ← KEM.Decap_{dk_T}(C_T, τ_T)
            K_1 ← Ext_s(K); K_2 ← Ext_s(K_T)
            sid ← username || hostname || Ipk_C || Ipk_S || ek_T || C || C_T
            k_C || k ← F_{K_1}(sid) ⊕ F_{K_2}(sid)
            σ ← b ⊕ k; SIG.Verify_{vk_S}(sid, σ) = 1 must hold
    Client: Output k_C as shared secret key      Server: Output k_S as shared secret key
simplicity, our implementation includes the client and server public key in the encryption process. The ciphertext is sent and stored on the server. During authentication the server fetches the ciphertext and sends it to the client, where it is decrypted after performing the OPRF again, requiring the user to only remember their password, but not the long-term keypair, to authenticate. A shared key is then generated by performing the AKE protocol.

6.1 Post-Quantum OPAQUE Implementation

Constructing a post-quantum version of the OPAQUE protocol requires the replacement of the used OPRF and AKE protocols with suitable post-quantum variants. We instantiate two PQ versions, one using our novel OPRF OPUS and the other one using our NR-OT OPRF. Both versions use a post-quantum secure replacement of the X3DH protocol, proposed by Hashimoto et al. [HKKP21], as the AKE. We chose this AKE since it provides security against Key Compromise Impersonation (KCI) attacks and forward secrecy, as required by the OPAQUE protocol, and is suitable for implementation using CSIDH-based primitives. The protocol is based on a Key Encapsulation Mechanism (KEM) scheme and a signature scheme. We chose the CSIDH-based CSIKE [Qi22] as the KEM, since it is IND-CCA secure as required by the used AKE. As the signature scheme, we chose CSI-FiSh [BKV19], as there already is an implementation available. The full protocol flow for the OPAQUE Password Registration and Password Authentication is detailed in Figure 11 and Figure 12 respectively. Ext_s and F_K are PRFs using KMAC256 instead of HMAC256, since we require variable length output. The PRF uses s and K as the respective keys, with different labels to differentiate between Ext_s and F_K.

Note that the security of PAKE is defined in the UC setting and OPAQUE is proven secure for UC-secure OPRFs. As this is left open as future work for OPUS, we consider the evaluation of OPUS in OPAQUE as an outlook for future applications of OPUS.

Table 3: Comparison between the execution time of libopaque and our two OPAQUE instantiations. The execution time is averaged over 100 runs. Reg. refers to the registration and Auth. to the authentication phase of the protocol.

    Function       libopaque    PQ OPUS    PQ NR-OT    PQ / libopaque OPUS    PQ / libopaque NR-OT
    Reg. Client    119.37ms     39.82s     11.59s      × 333.62               × 97.10
    Reg. Server    95.63ms      39.84s     11.61s      × 416.62               × 121.42
    Auth. Client   96.54ms      31.21s     3.25s       × 323.27               × 33.69
    Auth. Server   120.32ms     32.01s     2.74s       × 268.15               × 22.80

6.2 Comparison to Pre-Quantum Implementation

To measure the performance difference, we compare our implementation to libopaque (footnote 4), an open-source, pre-quantum implementation of OPAQUE. The average execution time for the client and the server is shown in Table 3, while the communication cost is shown in Table 4. Our implementation is the first PQ-secure instantiation of the OPAQUE protocol. While it leads to an increase in execution time and communication cost, this concretizes the overhead of switching to post-quantum cryptography for advanced protocols.

Footnote 4: https://github.com/stef/libopaque

7 CASE STUDY: PRIVATE SET INTERSECTION

In a private set intersection (PSI), two or more parties, commonly a server and a client, hold data sets S and C. After performing the PSI protocol, one or both parties learn S ∩ C without revealing anything about the other party's set. In the client-server case, the sets are very often unbalanced, as the server set is much larger than the client set, |S| ≫ |C|. A well-studied application of PSI is
Table 4: Comparison between the communication overhead of libopaque and our PQ OPAQUE instantiations

    Function       libopaque    PQ OPUS    PQ NR-OT    PQ / libopaque OPUS    PQ / libopaque NR-OT
    Reg. Client    224B         64kiB      817kiB      × 294.4                × 3733
    Reg. Server    64B          48kiB      144kiB      × 770                  × 2307.4
    Auth. Client   160B         17kiB      769kiB      × 106.1                × 4920.2
    Auth. Server   320B         65kiB      161kiB      × 208.2                × 515.7

Table 5: PSI comparison using ECNR, NR-OT, and OPUS as the OPRF for set intersection. The ECNR column combines base and online for better comparability. For each parameter set, the first line gives the runtime and the second line the communication of the server side (|S|) and the client side (|C|).

             parameters       setup                       online
             |S|     |C|      |S|          |C|            |S|           |C|
    NR-OT    2^0     2^0      0.26s        0.51s          0.06s         0.10s
                              134 bytes    1 byte         128 kiB       0.75 MiB
             2^5     2^5      1.63s        1.88s          3.11s         3.15s
                              263 bytes    1 byte         4 MiB         8.5 MiB
             2^10    2^10     45.04s       45.28s         99.66s        99.71s
                              4.31 MiB     1 byte         128 MiB       256.6 MiB
    OPUS     2^0     2^0      0.26s        0.26s          15.47s        15.91s
                              133 bytes    0 bytes        17.07 kiB     9.04 kiB
             2^5     2^5      8.71s        8.71s          328.46s       329.14s
                              262 bytes    0 bytes        546.25 kiB    290.26 kiB
             2^10    2^10     303.38s      303.38s        16367.12s     16367.60s
                              4.31 kiB     0 bytes        34.14 MiB     18.08 MiB
    ECNR     2^0     2^0      0.01s        0s             0.23s         0.05s
                              133 bytes    0 bytes        12.04 kiB     16 bytes
             2^5     2^5      0.02s        0s             0.21s         0.06s
                              262 bytes    0 bytes        137.05 kiB    512 bytes
             2^10    2^10     0.3s         0s             0.64s         0.57s
                              4.36 kiB     0 bytes        4.04 MiB      16 kiB

Private Contact Discovery, where clients want to know which of their contacts also use the same service [KRS+19].

To perform PSI using OPRFs, the holder of the larger set computes the PRF for each set entry and, optionally, inserts the results in an efficient data structure, e.g. a cuckoo filter. Then, the OPRF is computed in the online phase. The client uses their set entries as input, the server obliviously evaluates them with the same key as in the keyed PRF, and the client checks whether the result is in the filter.

Performing PSI without a verifiable OPRF may lead to a tagging attack where a malicious server uses different keys for each client when performing the OPRF, leading to the identification of the results later (see also Section 4.2). This is why previous work by [KRS+19] relaxes the security assumption and assumes
a malicious client and a semi-honest server. They also postulate
three goals for unbalanced PSI: The server should perform the
computationally most expensive tasks, all expensive tasks are only
performed once and updates are fast. We now instantiate their PSI
framework with both isogeny-based OPRFs and compare it to our
implementation. Of independent interest, we propose a small optimization for the setup of the elliptic curve Naor-Reingold (ECNR) PSI protocol in the full version using precomputation tricks. The results can be found in Table 5.

7.1 PSI with ECNR

The ECNR-PSI protocol is divided into three phases: First, a setup phase, where a Cuckoo filter is filled with the PRF results of the server set entries and sent to the client. Then, a base phase, where some initial, data-independent Oblivious Transfer is performed. Using cheap symmetric cryptography, the parties generate many more OT pairs from this base OT using a technique called OT Extension. Then, in the online phase, the OPRF is performed using the extended OT pairs. This is currently the most efficient PSI protocol [KRS+19].

7.2 PSI with NR-OT

The implementation with the NR-OT is relatively close to the ECNR files. The setup phase is identical other than replacing the communication interface with the one provided by the PQ-OT implementation. Since the PQ-OT implementation does not provide an implementation for OT extensions, we skip the base phase and only implement an online phase. In the online phase, the OPRF is performed with all client elements.

The communication overhead may be lower when using OT extensions, which use symmetric cryptography to generate more OT pairs from a few base OT queries. [BDK+20] show that the IKNP protocol [IKNP03] is secure against quantum adversaries conditional on updating the bit length of both the hash function and the base OT length, but unfortunately do not integrate the extensions in their implementation.

To perform PSI with OPUS, we use parallel execution to amortize the round cost. Observe that the protocol is relatively stateless, as a curve is either awaiting evaluation or in transit. More concretely, on the client side, the client either awaits a server result or performs a blinding/unblinding evaluation. This can be parallelized by attaching an ID to the curve to note the element that is evaluated. Since we assume that the server is semi-honest, the client can trust the server that the ID is correct. In Figure 13, the ID is denoted as i. To keep track of the current index, we attach a state variable j. Then, the only state kept on the client about an element is the corresponding unblinding key.

7.3 PSI with OPUS

The server pregenerates all blinding keys and computes the unblinding element at the time an element is first seen. This simplifies the implementation and also ensures that no intermediate values are leaked when the client decides to finish the computation prematurely by setting j = n. Using the stateless approach, we forego the limitation imposed by the required rounds in the protocols, as we simply evaluate other set elements while an element is in transit.

In our measurements, the client seems to perform badly in the setup phase. This is a measurement artifact, as most of the time is spent waiting for the cuckoo filter from the server due to the choice of network connection.
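The setup/online split of Section 7 and Figure 13 (server inserts PRF(S_i) into a cuckoo filter, client tests CF.contains on its OPRF outputs) is shown below in an added Python example that is not code from the paper or from [KRS+19]. The oblivious evaluation itself is not modelled: the stand-in `prf` (HMAC-SHA256) is simply called with the server key where the real protocol would run OPUS or NR-OT, so the point of the block is the filter and the two phases, not the OPRF. The filter is a minimal partial-key cuckoo filter with 32-bit fingerprints; all sizes, names and the sample sets are constructed for the example.

```python
import hashlib
import hmac
import random


def prf(key: bytes, item: bytes) -> bytes:
    """Keyed PRF stand-in (HMAC-SHA256). In the paper this value is the OPRF output:
    the server holds key, and the client only learns prf(key, item) through the OPRF."""
    return hmac.new(key, item, hashlib.sha256).digest()


class CuckooFilter:
    """Minimal partial-key cuckoo filter: two candidate buckets per item, buckets of
    four 32-bit fingerprints. Membership answers can be false positives, never false
    negatives (as long as every insert succeeded)."""

    def __init__(self, buckets: int = 1024, bucket_size: int = 4, max_kicks: int = 500):
        assert buckets & (buckets - 1) == 0, "bucket count must be a power of two"
        self.m, self.b, self.max_kicks = buckets, bucket_size, max_kicks
        self.table = [[] for _ in range(buckets)]

    def _fingerprint(self, item: bytes) -> int:
        fp = int.from_bytes(hashlib.sha256(b"fp" + item).digest()[:4], "big")
        return fp or 1                                  # fingerprint 0 is reserved

    def _index(self, item: bytes) -> int:
        return int.from_bytes(hashlib.sha256(b"ix" + item).digest()[:4], "big") & (self.m - 1)

    def _alt(self, i: int, fp: int) -> int:
        h = int.from_bytes(hashlib.sha256(fp.to_bytes(4, "big")).digest()[:4], "big")
        return i ^ (h & (self.m - 1))                   # involution: alt(alt(i)) == i

    def insert(self, item: bytes) -> bool:
        fp = self._fingerprint(item)
        i1 = self._index(item)
        i2 = self._alt(i1, fp)
        for i in (i1, i2):
            if len(self.table[i]) < self.b:
                self.table[i].append(fp)
                return True
        i = random.choice((i1, i2))                     # both full: evict and relocate
        for _ in range(self.max_kicks):
            j = random.randrange(self.b)
            fp, self.table[i][j] = self.table[i][j], fp
            i = self._alt(i, fp)
            if len(self.table[i]) < self.b:
                self.table[i].append(fp)
                return True
        return False                                    # filter is full

    def contains(self, item: bytes) -> bool:
        fp = self._fingerprint(item)
        i1 = self._index(item)
        return fp in self.table[i1] or fp in self.table[self._alt(i1, fp)]


def server_setup(key: bytes, server_set) -> CuckooFilter:
    """Setup phase: the server evaluates the PRF on each element once and ships the filter."""
    cf = CuckooFilter()
    for s in server_set:
        if not cf.insert(prf(key, s)):
            raise RuntimeError("filter too small for the server set")
    return cf


def client_online(cf: CuckooFilter, oprf_outputs: dict) -> set:
    """Online phase: the client keeps every element whose OPRF output is in the filter."""
    return {c for c, y in oprf_outputs.items() if cf.contains(y)}


def psi(key: bytes, server_set, client_set) -> set:
    cf = server_setup(key, server_set)
    # Real protocol: these outputs come out of the OPRF rounds with the server, which
    # never sees the client's elements. Stand-in: direct PRF call (not oblivious).
    outputs = {c: prf(key, c) for c in client_set}
    return client_online(cf, outputs)


if __name__ == "__main__":
    key = b"\x01" * 32                                  # constructed server PRF key
    server_set = {f"user{i}".encode() for i in range(1000)}
    client_set = {b"user5", b"user999", b"nobody"}
    print(sorted(psi(key, server_set, client_set)))     # expected: [b'user5', b'user999']
```

The filter only carries fingerprints of PRF outputs, so the client learns nothing about server elements it cannot already evaluate; the price is a small false-positive rate (about 2·b/2^32 per query with these parameters), which an application has to tolerate or confirm separately. The "tagging attack" caveat of the text still applies: the client cannot tell from this flow whether the server used the same key for every client.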
Figure 13: Amortizing the round cost of OPUS by reducing the state and adding labels.

    Server                                              Client
    {k_0, k_1, ..., k_n} ← keygen()                     m inputs {C_1, ..., C_m}
    l inputs {S_1, ..., S_l}                            E_client = [ ]
    CF = cuckoofilter()
    foreach i ∈ {1, ..., l}: CF.insert(PRF(X_l))
                          ----- CF ----->
    foreach i ∈ {1, ..., m}:                            foreach i ∈ {1, ..., m}:
    r_{s,i} ← [0]                                       r_{c,i} ← [0], E_{client,i} ← E_0
      foreach j ∈ {1, ..., n}:                            foreach j ∈ {1, ..., n}:
                                                        r_{c,i,j} ← keygen()
                                                        E_blinded ← r_{c,i,j} ⋆ E_client
                          <----- (E_blinded, i, j) -----
      r_{s,i,j} ← keygen()
      E_{s,i,0} ← r_{s,i,j} ⋆ E_blinded
      E_{s,i,1} ← k_i ⋆ E_{s,i,0}
      r_{s,i} ← r_{s,i} − r_{s,i,j}
                          ----- (E_{s,i,0}, E_{s,i,1}, i, j) ----->
                                                        E_{client,i} ← E_{s,i,c_{i,j}}
                                                        r_{c,i} ← r_{c,i} − r_{c,i,j}
    . . . . . . . . . . . . . . . Finalize . . . . . . . . . . . . . . .
                                                        r_{c,i,0} ← keygen()
                          <----- (r_{c,i,0} ⋆ E_{client,i}, i, m) -----
    E_{s,i} ← (k_0 + r_s) ⋆ r_{c,i,0} ⋆ E_{client,i}
                          ----- (E_{s,i}, i, j) ----->
                                                        E_client.append((r_{c,i} − r_{c,i,0}) ⋆ E_{s,i})
                                                        return CF.contains(E_client)

7.3.1 Updatable OPRF. For very large sets, the probability that several elements are quite similar is relatively high. It would thus be beneficial to take an existing evaluation and update the value where the bits differ. This could yield a runtime improvement: consider two inputs X_1, X_2 and the evaluation Y_1 = OPUS(X_1), with X_1 ⊕ X_2 having a low Hamming weight. A potential improvement could come from an updatable form of OPUS, where Y_1 is updated at the indices. For example, imagine X_1 and X_2 only differ at the first bit, which is set in X_2 but not X_1, and the third bit, which is not set in X_2 but is set in X_1. Then, OPUS(X_2) can be computed as OPUS(X_1) = k_1 ⋆ k_3^{−1} ⋆ OPUS(X_2). This results directly from the commutativity of CSIDH.

The simple realization of this functionality has the client reveal the indices where two inputs X_1, X_2 differ. The parties then engage in a reduced execution of OPUS, where the server responds with (r ⋆ k_i^{−1} ⋆ E, k_i ⋆ r ⋆ E) for the given indices i. The client iteratively updates the PRF by selecting the correct output. Note that the finalization step is still necessary for the unblinding to ensure that no intermediate results are leaked, but without adding k_0.

While this produces another PRF result, the simple protocol violates the OPRF security guarantee of the server learning nothing about the client input, since the server knows the index where two evaluations differ. An extended version sends some dummy indices as well and requires the server to respond with (r ⋆ k^{−1} ⋆ E, r ⋆ E, k ⋆ r ⋆ E), with r ⋆ E being used if the index was a dummy index. This approach would reduce the latency introduced by the rounds and the group actions, but requires either very similar inputs or extensive preprocessing by the client to ensure the results are updated ideally.

7.4 Result and Overhead

We compare against the EC-NR implementation of [KRS+19] as it is the most performant implementation of OPRFs for set intersection. While we were able to remedy the round cost of OPUS, the high number of group action computations still makes the protocol less efficient than the NR-OT protocol. However, OPUS requires less than 14× the bandwidth of the NR-OT protocol, making it more attractive for use-cases where bandwidth criteria are of concern.

We point out that recent work [HSW23] optimizes the PSI protocol with sublinear communication size of the server's client database, which may make the ECNR protocol more efficient.

8 RELATED WORK

OPUS and the generic NR-OPRF from isogenies are only two of several recent proposals. In Table 6 we provide a comparison of these proposals, which we discuss in more detail below. Note that the estimates for the communication complexity may change drastically as the concrete security of CSIDH remains an open research question (cf. Section 2.1.3).

The CSIDH proposals of this paper only cover Naor-Reingold style OPRFs. SIDH, which also uses isogenies but operates over F_{p^2}, uses isogenies of degree two and three and is not commutative, enables the construction of a Diffie-Hellman style OPRF [Bas23, BKW20]. The resulting OPRF is round-optimal and gives rise to a verifiable construction, which the Naor-Reingold constructions (including ours) do not offer, but requires a 9000 bit prime due to the SIDH attack mitigations [FMP23]. A drawback of the SIDH-based construction is that an expensive trusted setup is necessary [BCC+23].

On the lattice side, an initial proposal for round-optimal, verifiable OPRFs [ADDS21] has a very large overhead imposed by heavy zero-knowledge proofs. A proof-of-concept implementation is available in Sage and takes around one second for an offline computation, being around nine times faster than OPUS. However, the implementation is not necessarily complete, as it omits proofs and samples from a uniform instead of a Gaussian distribution.

A recent lattice OPRF [ADDG23] improves the communication cost in a malicious setting. The provided implementation in Rust does not include the non-interactive zero-knowledge proofs needed for malicious client security and therefore is only semi-honest, while the communication estimates in Table 6 include proofs from a malicious client. Comparing the runtime of OPUS to [ADDG23] is a bit more nuanced. While the former needs ≈ 15s for the key generation, the NR-OT OPRF is vastly faster, as it only requires 0.14ms for the same operation. The communication complexity of the lattice OPRF is also largely dominated by the key generation, which accounts for 108.5 MB of the communication cost. For the actual OPRF, only 36 kB of communication are necessary, which is slightly more than OPUS. A big advantage of the construction is the lower round complexity. The current implementation gives around 14.4s of execution time, making the NR-OPRF with a CSIDH security parameter p = 512 vastly faster. However, the authors describe an optimization that could lead to both OPRFs matching in speed.

Dinur et al. [DGH+21] propose a very efficient, semi-hon­est OPRF using preprocessing and dedicated symmetric primitives.
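The reduced execution of Section 7.3.1, in its extended form with dummy indices, is worked through below in an added Python example that is not code from the paper. It uses the same constructed toy model as the earlier OPUS example (addition modulo N acting on integers in place of the CSIDH class group action, so algebra only, no security). The server answers each touched index with the triple (r ⋆ k_i^{−1} ⋆ E, r ⋆ E, k_i ⋆ r ⋆ E), the client picks the entry that matches how the bit changed, and the finalization strips the blinding without adding k_0. The names UpdateServer and update_opus and the choice of dummy indices are the example's own.

```python
import secrets

# Constructed toy model: Z_N acting on Z_N by addition stands in for the CSIDH
# class group action; E_0 is the integer 0. This checks algebra, not hardness.
N = 2**61 - 1
E0 = 0


def keygen() -> int:
    return secrets.randbelow(N)


def act(a: int, E: int) -> int:
    return (a + E) % N


def nr_prf(keys, x) -> int:
    """F_NR(k, x) = (k_0 + sum_i k_i x_i) * E_0; keys[0] is k_0, keys[i] is k_i."""
    return act((keys[0] + sum(k * b for k, b in zip(keys[1:], x))) % N, E0)


class UpdateServer:
    """Server side of the reduced OPUS execution from Section 7.3.1."""

    def __init__(self, keys):
        self.keys = keys
        self.r_s = 0        # running -sum of the server blinding factors
        self.rounds = 0     # one round per touched index (real or dummy)

    def step(self, i: int, E_blinded: int):
        """For 1-based bit index i answer (r * k_i^-1 * E, r * E, k_i * r * E).
        The server cannot tell a dummy index from a real one."""
        r = keygen()
        self.r_s = (self.r_s - r) % N
        self.rounds += 1
        base = act(r, E_blinded)
        return act(-self.keys[i] % N, base), base, act(self.keys[i], base)

    def finalize(self, E: int) -> int:
        """Strip the aggregated server blinding; k_0 is NOT applied again."""
        out = act(self.r_s, E)
        self.r_s = 0
        return out


def update_opus(server: UpdateServer, y1: int, x1, x2, dummies=()) -> int:
    """Turn y1 = OPUS(x1) into OPUS(x2), touching only the indices where x1 and x2
    differ plus the given dummy indices (1-based), which hide the true positions."""
    changed = {i + 1 for i, (a, b) in enumerate(zip(x1, x2)) if a != b}
    touched = sorted(changed | set(dummies))
    r_c, E = 0, y1
    for i in touched:
        r = keygen()
        dec, same, inc = server.step(i, act(r, E))   # send a freshly blinded curve
        if i not in changed:
            E = same                 # dummy index: keep the value
        elif x2[i - 1] == 1:
            E = inc                  # bit turned on: apply k_i
        else:
            E = dec                  # bit turned off: apply k_i^-1
        r_c = (r_c - r) % N
    r_c0 = keygen()
    E_s = server.finalize(act(r_c0, E))
    return act((r_c - r_c0) % N, E_s)


if __name__ == "__main__":
    # The paper's example: X_1 and X_2 differ in the first bit (set only in X_2)
    # and the third bit (set only in X_1); 8-bit inputs are a constructed size.
    x1 = [0, 0, 1, 0, 0, 0, 0, 0]
    x2 = [1, 0, 0, 0, 0, 0, 0, 0]
    keys = [keygen() for _ in range(len(x1) + 1)]
    srv = UpdateServer(keys)
    y2 = update_opus(srv, nr_prf(keys, x1), x1, x2, dummies=(5, 8))
    print("updated value equals F_NR(k, X_2):", y2 == nr_prf(keys, x2))
    print("rounds used:", srv.rounds, "(2 real + 2 dummy indices)")
```

The round count is what the text trades on: a fresh evaluation would cost n rounds, while the update costs one round per differing index plus the dummies the client adds to mask them. The commutativity the text invokes shows up as the final check that k_3 ⋆ k_1^{−1} applied to the new value recovers the old one.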
Table 6: Comparison with all other post-quantum OPRF proposals. DM denotes the dark matter PRF [BIP+18, CCKK21]. The instances aim at a security level of roughly 128 bits and use log2 p = 512 for the isogeny protocols.

    work        assumption                        rounds   comm. cost (C-S)   model   no preproc.   no trusted setup   full impl. available   verifiable
    [ADDS21]    R(LWE)+SIS                        2        2MB                -       ✓             ✓                  ✓                      ✗
    [ADDS21]    R(LWE)+SIS                        2        > 128GB            -       ✓             ✓                  ✗                      ✓
    [SHB23]     multivariate                      3        γ · 13 kB          -       ✗             ✓                  ✗                      ✓
    [DGH+21]    DM                                2        308 B              -       ✗             ✗                  ✗                      ✗
    [ADDG23]    DM+lattices                       2        16.9MB             -       ✓             ✓                  ✓                      ✓
    [Bas23]     Isogenies F_{p^2}                 2        3.0MB              -       ✓             ✗                  ✗                      ✗
    [Bas23]     Isogenies F_{p^2}                 2        8.7MB              -       ✓             ✗                  ✗                      ✓
    NR-OT       Isogenies F_p + lattices          2        20.54 kB           -       ✓             ✗                  ✗                      ✗
    NR-OT       Isogenies F_p + lattices          4        34.88 kB           -       ✓             ✗                  ✗                      ✗
    NR-OT       Isogenies F_p + lattices + HE OT  2        640 kB             -       ✓             ✓                  ✓                      ✗
    OPUS        CSIDH                             258      24.7 kB            -       ✓             ✓                  ✓                      ✗
They also require a trusted third party to generate correlated randomness. The implementation is unfortunately not publicly available. A different path is taken by Seres et al. [SHB23], who use their result that key-recovery of the Legendre PRF is equivalent to solving sparse multivariate equations over a prime field to construct an OPRF. It requires a preprocessing step to distribute correlated randomness amongst the participants of the protocol.

9 CONCLUSION

In this paper, we have shown that the computational complexity of Naor-Reingold OPRFs can be significantly reduced by using properties of the CSIDH group action. We introduced OPUS, an OPRF that gains its hardness directly from the underlying CSIDH group action. The new construction explores the generic construction of Naor-Reingold protocols, which traditionally use oblivious transfer to send blinded private keys. In comparison to previous work, OPUS has three strong advantages: First, it can be used stand-alone without requiring any trusted setup. The only hardness assumption is CSIDH, which improves over previous proposals [BKW20]. Second, the simple structure also makes it straightforward to extend to threshold and distributed OPRFs. Third, OPUS requires 40% fewer isogeny computations than the best previous CSIDH-based OPRF proposals. When using no preprocessing, no trusted setup, and a semi-honest client and server, OPUS requires 83× less communication than the next-best approach, which uses LWR. The main drawback of our construction is the large number of rounds, which can be amortized over several executions.

We also revisited the previous CSIDH-based OPRF proposal from Boneh et al. [BKW20] and showed that the implementation is more complex than described in the original paper: A straightforward implementation leaks the entire server key after a few evaluations. To secure the construction, it is necessary to use CSI-FiSh, which introduces several new hardness assumptions, concretely lattice assumptions for either rejection sampling or reducing the private key, and also adds additional overhead.

Of independent interest, we also discuss the Naor-Reingold PRF in CSIDH further and give a concrete strategy that gives rise to optimizations in all of our protocols and also enables somewhat fast offline computation of both our novel OPRF and the Naor-Reingold OPRF. All the code to obtain our benchmarks and the CSV files for the figures are available with the submission and will be made public with the publication of this paper.

To show the real-world impact of our protocols, we benchmarked the OPRFs for two use-cases: first, asymmetric password authentication using OPAQUE, where we report an overhead of around 35× for authentication and 123× for registration. Second, we implement private set intersection with the OPRFs. To the best of our knowledge, these are the first implementations of a post-quantum version of OPAQUE and PSI using isogenies.

Future Work. While our results are immediately useful for a variety of protocols requiring OPRFs, the slow group action is still hindering large-scale deployment. Based on our findings, we envision future studies for the applicability of OPUS and the NR-OT OPRF, especially in settings with low bandwidth.

The recent call for threshold cryptography by NIST [BDV20] opens a new avenue for post-quantum threshold schemes, which distribute the secret key amongst several servers but only require that t out of n honest servers are present to produce an OPRF result. For CSIDH, a recent paper [DM20] demonstrates threshold key sharing. Their results should be directly applicable to OPUS and the NR-OT to obtain a threshold OPRF.

On the implementation side, we point out that the current implementations are neither optimized nor side-channel free, and that the code is not audited. We expect a side-channel free implementation to be relatively easy for OPUS, as it only requires side-channel free key addition and group actions, as well as the conditional assignment of E_client. On the theoretical side, elliptic curves with trusted setup over F_p would greatly add to the current research, as it eases concretizing the overhead of the OT for the NR-OT proposal over OPUS using only isogenies.
ACKNOWLEDGMENTS

We wholeheartedly thank Carsten Baum for many helpful discussions concerning OPUS and OPRFs. In addition, we are grateful for the very helpful feedback of the reviewers of PKC 2022 and CCS 2023 on an earlier draft of this work. Furthermore, we thank Serge Bazanski for some helpful suggestions and Yifan Zheng for spotting two errors in an earlier draft of this paper. Finally, we thank the authors of [BKW20] for clarifications on their instantiation. This work was partly funded by the Digital Europe Program under grant agreement number 101091642 ("QCI-CAT"), from the European Union's Horizon Europe research and innovation programme under the project "Quantum Security Networks Partnership" (QSNP, grant agreement number 101114043), and the "DDAI" COMET module within the COMET Competence Centers for Excellent Technologies Programme, funded by the Austrian Federal Ministries BMK and BMDW, the Austrian Research Promotion Agency (FFG), the

REFERENCES

[BKW20] Dan Boneh, Dmitry Kogan, and Katharine Woo. Oblivious pseudorandom functions from isogenies. In Shiho Moriai and Huaxiong Wang, editors, ASIACRYPT 2020, Part II, volume 12492 of LNCS, pages 520–550. Springer, Heidelberg, December 2020.
[BLMP19] Daniel J. Bernstein, Tanja Lange, Chloe Martindale, and Lorenz Panny. Quantum circuits for the CSIDH: Optimizing quantum evaluation of isogenies. In Yuval Ishai and Vincent Rijmen, editors, EUROCRYPT 2019, Part II, volume 11477 of LNCS, pages 409–441. Springer, Heidelberg, May 2019.
[Bra12] Zvika Brakerski. Fully homomorphic encryption without modulus switching from classical GapSVP. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 868–886. Springer, Heidelberg, August 2012.
[BS20] Xavier Bonnetain and André Schrottenloher. Quantum security analysis of CSIDH. In Anne Canteaut and Yuval Ishai, editors, EUROCRYPT 2020, Part II, volume 12106 of LNCS, pages 493–522. Springer, Heidelberg, May 2020.
[CCKK21] Jung Hee Cheon, Wonhee Cho, Jeong Han Kim, and Jiseung Kim. Adventures in crypto dark matter: Attacks and fixes for weak pseudorandom functions. In Juan Garay, editor, PKC 2021, Part II, volume 12711 of LNCS, pages 739–760. Springer, Heidelberg, May 2021.
[CLM+18] Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and
province of Styria (SFG) and partners from industry and academia. Joost Renes. CSIDH: An efficient post-quantum commutative group ac-
tion. In Thomas Peyrin and Steven Galbraith, editors, ASIACRYPT 2018,
The COMET Programme is managed by FFG. Part III, volume 11274 of LNCS, pages 395427. Springer, Heidelberg,
December 2018.
REFERENCES [Cou06] Jean-Marc Couveignes. Hard homogeneous spaces. Cryptology ePrint
Archive, Report 2006/291, 2006. https://eprint.iacr.org/2006/291.
[ADDG23] Martin R. Albrecht, Alex Davidson, Amit Deo, and Daniel Gardham. [CSCJR22] Jorge Chávez-Saab, Jesús-Javier Chi-Domínguez, Samuel Jaques, and
Crypto dark matter on the torus: Oblivious PRFs from shallow PRFs Francisco Rodríguez-Henríquez. The SQALE of CSIDH: sublinear Vélu
and FHE. Cryptology ePrint Archive, Report 2023/232, 2023. https: quantum-resistant isogeny action with low exponents. Journal of
//eprint.iacr.org/2023/232. Cryptographic Engineering, 12(3):349368, September 2022.
[ADDS21] Martin R. Albrecht, Alex Davidson, Amit Deo, and Nigel P. Smart. Round- [DFHSW22] Alex Davidson, Armando Faz-Hernández, Nick Sullivan, and Christo-
optimal verifiable oblivious pseudorandom functions from ideal lattices. pher A. Wood. Oblivious Pseudorandom Functions (OPRFs) using Prime-
In Juan Garay, editor, PKC 2021, Part II, volume 12711 of LNCS, pages Order Groups. Internet-Draft draft-irtf-cfrg-voprf-12, Internet Engineer-
261289. Springer, Heidelberg, May 2021. ing Task Force, August 2022. Work in Progress.
[ADMP20] Navid Alamati, Luca De Feo, Hart Montgomery, and Sikhar Patranabis. +
[DFK 23] Luca De Feo, Tako Boris Fouotsa, Péter Kutas, Antonin Leroux, Simon-
Cryptographic group actions and applications. In Shiho Moriai and Philipp Merz, Lorenz Panny, and Benjamin Wesolowski. SCALLOP:
Huaxiong Wang, editors, ASIACRYPT 2020, Part II, volume 12492 of Scaling the CSI-FiSh. In PKC 2023, Part I, LNCS, pages 345375. Springer,
LNCS, pages 411439. Springer, Heidelberg, December 2020. Heidelberg, May 2023.
[Bas23] Andrea Basso. A post-quantum round-optimal oblivious PRF from [DG19] Luca De Feo and Steven D. Galbraith. SeaSign: Compact isogeny sig-
isogenies. Cryptology ePrint Archive, Report 2023/225, 2023. https: natures from class group actions. In Yuval Ishai and Vincent Rijmen,
//eprint.iacr.org/2023/225. editors, EUROCRYPT 2019, Part III, volume 11478 of LNCS, pages 759
[BCC+ 23] Andrea Basso, Giulio Codogni, Deirdre Connolly, Luca De Feo, Tako Boris 789. Springer, Heidelberg, May 2019.
Fouotsa, Guido Maria Lido, Travis Morrison, Lorenz Panny, Sikhar Pa- +
[DGH 21] Itai Dinur, Steven Goldfeder, Tzipora Halevi, Yuval Ishai, Mahimna
tranabis, and Benjamin Wesolowski. Supersingular curves you can trust. Kelkar, Vivek Sharma, and Greg Zaverucha. MPC-friendly symmet-
In Carmit Hazay and Martijn Stam, editors, Advances in Cryptology ric cryptography from alternating moduli: Candidates, protocols, and
- EUROCRYPT 2023 - 42nd Annual International Conference on the applications. In Tal Malkin and Chris Peikert, editors, CRYPTO 2021,
Theory and Applications of Cryptographic Techniques, Lyon, France, Part IV, volume 12828 of LNCS, pages 517547, Virtual Event, August
April 23-27, 2023, Proceedings, Part II, volume 14005 of Lecture Notes 2021. Springer, Heidelberg.
in Computer Science, pages 405437. Springer, 2023. +
[DGS 18] Alex Davidson, Ian Goldberg, Nick Sullivan, George Tankersley, and Fil-
[BDK+ 20] Niklas Büscher, Daniel Demmler, Nikolaos P. Karvelas, Stefan Katzen- ippo Valsorda. Privacy pass: Bypassing internet challenges anonymously.
beisser, Juliane Krämer, Deevashwer Rathee, Thomas Schneider, and PoPETs, 2018(3):164180, July 2018.
Patrick Struck. Secure two-party computation in a quantum world. In [DM20] Luca De Feo and Michael Meyer. Threshold schemes from isogeny
Mauro Conti, Jianying Zhou, Emiliano Casalicchio, and Angelo Spog- assumptions. In Aggelos Kiayias, Markulf Kohlweiss, Petros Wallden,
nardi, editors, ACNS 20, Part I, volume 12146 of LNCS, pages 461480. and Vassilis Zikas, editors, PKC 2020, Part II, volume 12111 of LNCS,
Springer, Heidelberg, October 2020. pages 187212. Springer, Heidelberg, May 2020.
[BDV20] Luís T. A. N. Brandão, Michael Davidson, and Apostol Vassilev. Nist [dSGOPS20] Cyprien Delpech de Saint Guilhem, Emmanuela Orsini, Christophe Pe-
roadmap toward criteria for threshold schemes for cryptographic primi- tit, and Nigel P. Smart. Semi-commutative masking: A framework
tives, 2020. for isogeny-based protocols, with an application to fully secure two-
[BFGP23] Ward Beullens, Luca De Feo, Steven D. Galbraith, and Christophe Petit. round isogeny-based OT. In Stephan Krenn, Haya Shulman, and
Proving knowledge of isogenies a survey. Cryptology ePrint Archive, Serge Vaudenay, editors, Cryptology and Network Security - 19th
Paper 2023/671, 2023. https://eprint.iacr.org/2023/671. International Conference, CANS 2020, Vienna, Austria, December 14-16,
[BIP+ 18] Dan Boneh, Yuval Ishai, Alain Passelègue, Amit Sahai, and David J. Wu. 2020, Proceedings, volume 12579 of Lecture Notes in Computer Science,
Exploring crypto dark matter: New simple PRF candidates and their ap- pages 235258. Springer, 2020.
plications. In Amos Beimel and Stefan Dziembowski, editors, TCC 2018, +
[ECS 15] Adam Everspaugh, Rahul Chatterjee, Samuel Scott, Ari Juels, and Thomas
Part II, volume 11240 of LNCS, pages 699729. Springer, Heidelberg, Ristenpart. The pythia PRF service. In Jaeyeon Jung and Thorsten Holz,
November 2018. editors, USENIX Security 2015, pages 547562. USENIX Association,
[BKM+ 21] Andrea Basso, Péter Kutas, Simon-Philipp Merz, Christophe Petit, August 2015.
and Antonio Sanso. Cryptanalysis of an oblivious PRF from super- [EKP20] Ali El Kaafarani, Shuichi Katsumata, and Federico Pintore. Lossy CSI-
singular isogenies. In Mehdi Tibouchi and Huaxiong Wang, edi- FiSh: Efficient signature scheme with tight reduction to decisional
tors, ASIACRYPT 2021, Part I, volume 13090 of LNCS, pages 160184. CSIDH-512. In Aggelos Kiayias, Markulf Kohlweiss, Petros Wallden,
Springer, Heidelberg, December 2021. and Vassilis Zikas, editors, PKC 2020, Part II, volume 12111 of LNCS,
[BKV19] Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren. CSI-FiSh: pages 157186. Springer, Heidelberg, May 2020.
Efficient isogeny based signatures through class group computations. In [FIPR05] Michael J. Freedman, Yuval Ishai, Benny Pinkas, and Omer Reingold. Key-
Steven D. Galbraith and Shiho Moriai, editors, ASIACRYPT 2019, Part I, word search and oblivious pseudorandom functions. In Joe Kilian, editor,
volume 11921 of LNCS, pages 227247. Springer, Heidelberg, December TCC 2005, volume 3378 of LNCS, pages 303324. Springer, Heidelberg,
2019.
587
ASIA CCS 24, July 15, 2024, Singapore, Singapore Lena Heimberger, Tobias Hennerbichler, Fredrik Meisingseth, Sebastian Ramacher, and Christian Rechberger
February 2005. [KRS+ 19] Daniel Kales, Christian Rechberger, Thomas Schneider, Matthias Senker,
[FMP23] Tako Boris Fouotsa, Tomoki Moriya, and Christophe Petit. M-SIDH and and Christian Weinert. Mobile private contact discovery at scale. In
MD-SIDH: Countering SIDH attacks by masking information. LNCS, Nadia Heninger and Patrick Traynor, editors, USENIX Security 2019,
pages 282309. Springer, Heidelberg, June 2023. pages 14471464. USENIX Association, August 2019.
[FS87] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to [LGD21] Yi-Fu Lai, Steven D. Galbraith, and Cyprien Delpech de Saint Guil-
identification and signature problems. In Andrew M. Odlyzko, editor, hem. Compact, efficient and UC-secure isogeny-based oblivious
CRYPTO86, volume 263 of LNCS, pages 186194. Springer, Heidelberg, transfer. In Anne Canteaut and François-Xavier Standaert, editors,
August 1987. EUROCRYPT 2021, Part I, volume 12696 of LNCS, pages 213241.
[FV12] Junfeng Fan and Frederik Vercauteren. Somewhat practical fully homo- Springer, Heidelberg, October 2021.
morphic encryption. Cryptology ePrint Archive, Report 2012/144, 2012. [Lyu09] Vadim Lyubashevsky. Fiat-Shamir with aborts: Applications to lattice and
https://eprint.iacr.org/2012/144. factoring-based signatures. In Mitsuru Matsui, editor, ASIACRYPT 2009,
[GGM84] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. On the cryp- volume 5912 of LNCS, pages 598616. Springer, Heidelberg, December
tographic applications of random functions. In G. R. Blakley and 2009.
David Chaum, editors, CRYPTO84, volume 196 of LNCS, pages 276 [NR04] Moni Naor and Omer Reingold. Number-theoretic constructions of
288. Springer, Heidelberg, August 1984. efficient pseudo-random functions. Journal of the ACM, 51(2):231262,
[GGM86] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct 2004.
random functions. Journal of the ACM, 33(4):792807, October 1986. [Pei20] Chris Peikert. He gives C-sieves on the CSIDH. In Anne Canteaut and
[HKKP21] Keitaro Hashimoto, Shuichi Katsumata, Kris Kwiatkowski, and Thomas Yuval Ishai, editors, EUROCRYPT 2020, Part II, volume 12106 of LNCS,
Prest. An efficient and generic construction for signals handshake pages 463492. Springer, Heidelberg, May 2020.
(x3dh): Post-quantum, state leakage secure, and deniable. Cryptology [Qi22] Mingping Qi. An efficient post-quantum kem from csidh. Journal of
ePrint Archive, Paper 2021/616, 2021. https://eprint.iacr.org/2021/616. Mathematical Cryptology, 16(1):103113, 2022.
[HSW23] Laura Hetz, Thomas Schneider, and Christian Weinert. Scaling mobile [RS06] Alexander Rostovtsev and Anton Stolbunov. Public-Key Cryptosystem
private contact discovery to billions of users. Cryptology ePrint Archive, Based On Isogenies. Cryptology ePrint Archive, Report 2006/145, 2006.
Paper 2023/758, 2023. https://eprint.iacr.org/2023/758. https://eprint.iacr.org/2006/145.
[Hun] Troy Hunt. Pwned websites. see https://haveibeenpwned.com/ [SEA21] Microsoft SEAL (release 3.7). https://github.com/Microsoft/SEAL, Sep-
pwnedwebsites. tember 2021. Microsoft Research, Redmond, WA.
[IKNP03] Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending [SHB23] István András Seres, Máté Horváth, and Péter Burcs. The legendre pseu-
oblivious transfers efficiently. In Dan Boneh, editor, CRYPTO 2003, dorandom function as a multivariate quadratic cryptosystem: security
volume 2729 of LNCS, pages 145161. Springer, Heidelberg, August and applications. In AAECC. Springer, 01 2023.
2003. [Sil86] Joseph H. Silverman. The arithmetic of elliptic curves, volume 106 of
[JKX18] Stanislaw Jarecki, Hugo Krawczyk, and Jiayu Xu. OPAQUE: An asymmet- Graduate texts in mathematics. Springer, 1986.
ric PAKE protocol secure against pre-computation attacks. In Jesper Buus [Vél71] J. Vélu. Isogénies entre courbes elliptiques. Comptes-Rendus de
Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part III, volume lAcadémie des Sciences, Série I, 273:238241, juillet 1971.
10822 of LNCS, pages 456486. Springer, Heidelberg, April / May 2018.
588