1 Introduction

Let \(F: \mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) be a secure pseudorandom function (PRF) [30]. An oblivious PRF, or OPRF, is a protocol between a client who has an input \(x \in \mathcal {X}\), and a server who has a key \(k \in \mathcal {K}\). At the end of the protocol the client learns F(kx) and nothing else, and the server learns nothing at all [24, 54]. Intuitively, an OPRF needs to be secure against a malicious client who is trying to learn more information about the server’s key k, and a malicious server who is trying to learn more information about the client’s input x. Earlier works [24, 41] defined an OPRF as the secure computation of the above two-party functionality, and Jarecki et al. [36, 37] later gave strong but flexible security definitions for an OPRF in the UC framework  [13].

An OPRF is said to be verifiable if the server commits to its key k by publishing some public parameters derived from k. At the end of the OPRF protocol, the client should be convinced that the obtained value \(y \in \mathcal {Y}\) satisfies \(y = F(k,x)\) with respect to the server’s committed key k. One benefit of verifiability is that it allows a group of clients to verify that the values they each obtain are all consistent with the same PRF key. Without verifiability, in applications where a client later reveals the obtained value to the server, a malicious server can link values with previous evaluations by using a different key for each evaluation.

Oblivious PRFs have many real-world applications. They are used in private-set-intersection protocols [41, 46, 47, 58,59,60], in password-management systems [23, 37], in adaptive oblivious transfer [41], in de-duplication systems [44], in password-authenticated key exchange [40], and are deployed at Cloudflare to defend against Denial of Service attacks [21]. As a result, there is an ongoing effort to standardize OPRFs at the Crypto Forum Research Group [20].

An OPRF can be built from general secure two-party computation. A much simpler and widely used OPRF, called DH-OPRF, is built from a PRF whose security is based on the Decisional Diffie-Hellman (DDH) assumption in the random-oracle model. Let \(\mathbb {G}\) be a cyclic group of prime order q, and let \(H:\mathcal {X}\rightarrow \mathbb {G}\) be a hash function. For \(k \in \mathbb {Z}_q\) and \(x \in \mathcal {X}\), the PRF is defined as \(F(k,x) = H(x)^k\). This PRF is secure, assuming DDH holds in \(\mathbb {G}\) and H is a random oracle [53]. This PRF then supports the following OPRF protocol: a client computes H(x), blinds it as \(u\leftarrow H(x)^r\) for a random , and sends u to the server. The server responds with \(v\leftarrow u^k\). The client then computes the unblinded PRF value \(y\leftarrow v^{1/r} = H(x)^k\). Appropriate modifications can make this OPRF verifiable. Security of the resulting OPRF relies on the one-more discrete-log assumption [7]. Jarecki et al. [36, 37] showed this OPRF is secure in the Universally Composable framework [13].

Another simple verifiable OPRF in the random-oracle model, called RSA-OPRF, is derived directly from RSA blind signatures [7, 17]. Since there are quantum-polynomial-time algorithms for the DDH and RSA problems, neither of these OPRFs is post-quantum secure.

Building an efficient post-quantum secure OPRF is more challenging. One solution is to use a generic post-quantum secure two-party-computation protocol to evaluate a PRF. For example, instantiating Yao’s garbled-circuits protocol with a post-quantum-secure oblivious transfer results in a post-quantum-secure two-party computation protocol [11] that can then be used to obliviously evaluate an AES circuit. The downside is that the communication in generic protocols is proportional to the circuit size, which motivates the search for efficient special-purpose OPRF protocols from post-quantum primitives. Albrecht et al. [3] recently proposed an OPRF based on the ring learning-with-errors problem and the short-integer-solution problem in one dimension.

Our Contributions. In this paper we give another path towards a simple post-quantum secure OPRF by constructing several OPRFs from hard problems on isogenies of elliptic curves, in the random-oracle model.

Our first set of constructions operates on supersingular elliptic-curve isogenies over a field \(\mathbb {F}_{p^{2}}\). Starting with a simple idea for an OPRF in the honest-but-curious setting, based on the SIDH key-exchange protocol of De Feo, Jao, and Plût  [22], we then show how to elevate this OPRF to the setting of a malicious client and malicious server, and to make the OPRF verifiable. Our security proofs are set in the UC framework [13] in the random-oracle model. We describe our construction using an abstraction we call an augmentable commitment, defined in Sect. 2. These commitments abstract away many of the complexities of working with supersingular-curves isogenies, and they may be of independent interest.

To ensure that our OPRF is secure against a malicious client, we construct a zero-knowledge proof of knowledge for proving that the first message the client sends to the server is well formed. Here, a well formed message should contain an elliptic curve, obtained by correctly applying an isogeny to some base curve, together with points on that curve, obtained by applying that same isogeny to predetermined points on the base curve. To secure against a malicious server and obtain a verifiable OPRF, we construct an additional zero-knowledge proof of knowledge for proving that four elliptic curves \((E, E_{a}, E_b, E_{ab})\) form an isogeny DDH tuple, where the prover only knows the isogenies \(\phi _a:E \rightarrow E_a\) and \(\phi _a':E_{b} \rightarrow E_{ab}\), whereas the isogeny \(\phi _a:E\rightarrow E_a\) is private to the client. Our complete protocol requires up to 2MB of communication for 128-bit security, with the main bottleneck being the cut-and-choose repetitions in our zero-knowledge proofs of knowledge. We describe this protocol, using the language of augmentable commitments, in Sect. 6.

Our second class of OPRF protocols, presented in Sect. 8, builds an OPRF from a commutative group action, such as the one obtained from isogenies of ordinary elliptic curves [19, 61] or from isogenies of supersingular curves over \(\mathbb {F}_p\) as in CSIDH [14]. Commutative group actions give rise to a generalized Diffie-Hellman problem, yet a construction similar to the DH-OPRF is not currently possible. The reason is that there is no known way to construct a hash function that maps its inputs to uniformly sampled elements in an isogeny class, without learning additional information about the output elements. This additional information would allow the client to evaluate the PRF at any point of its choice from just a single response from the server, breaking the security requirement. Therefore, an OPRF from commutative group actions requires a very different approach.

Our construction makes use of two observations. First, we adapt the Naor-Reingold PRF [54] to the setting of a commutative group action. This requires a new proof of security because the original proof of security in [54] relies on the DDH assumption and its random self-reduction. The difficulty is that the DDH problem for a commutative group action does not have the required random self-reduction. We nevertheless prove PRF security based on the DDH assumption for such group actions; however the security reduction is not as efficient as for DDH over groups. Second, we observe that, similarly to the original PRF construction [54], this group-action variant admits an oblivious evaluation. The resulting OPRF scheme makes use of a 1-out-of-2 oblivious-transfer protocol, but such protocols are already known from isogeny problems [6, 51, 63, 69]. We thus obtain an OPRF from a commutative group action.

Between the two constructions, the supersingular construction is asymptotically more efficient, in the sense that it requires asymptotically less communication between the client and the server. The reason is a sub-exponential quantum algorithm for the discrete-log problem for a commutative group action due to Kuperberg [48, 49]. Kuperberg’s attack applies to commutative group actions, which underpin our second construction, yet it does not apply to the non-commutative structure of supersingular isogenies over \(\mathbb {F}_{p^{2}}\), which underpin our first construction. As a result, the first construction allows using smaller fields, which results in less communication asymptotically (in the security parameter). Its exponential security also makes it more robust to improvements in attacks. However, the second construction has better (i.e., smaller) constants, and as a result, the second construction is more efficient concretely: 424KB of communication vs. 2MB for the first construction.

1.1 Background and Notation

Let E be a supersingular elliptic curve over \(\mathbb {F}_{p^{2}}\). Recall that every separable degree-d isogeny \(\phi :E\rightarrow E'\) has a kernel \(G=\ker (\phi )\) which is a subgroup of order d of \(E(\bar{F}_{p})\). In the special case when G is a cyclic subgroup of \(E(\mathbb {F}_{p^{2}})\), we can succinctly represent G by specifying a generator \(K\in E(\mathbb {F}_{p^{2}})\), where K is an element of the d-torsion of \(E(\mathbb {F}_{p^{2}})\).

We follow de Saint Guilhem, Orsini, Petit, and Smart  [63] and use the following notation to represent degree-d isogenies. Recall that the projective line \(\mathbb {P}_d\) is the set of all equivalence classes \([x :y]\), where \(x,y \in \mathbb {Z}/d\mathbb {Z}\), and the ideal generated by x and y is all of \(\mathbb {Z}/d\mathbb {Z}\). We specify an isogeny of degree d using an element \(k \in \mathbb {P}_d\). For \(k = [k_p :k_q] \in \mathbb {P}_d\), and generators \(P_d, Q_d\) of the d-torsion E[d], the notation \(\langle k \cdot (P_d,Q_d)\rangle \) refers to the order-d cyclic group generated by \(k_p P_d + k_q Q_d \in E[d]\).

1.2 Overview of Our Techniques

Our main result is an OPRF from isogenies on supersingular elliptic curves. We briefly summarize the main technical ideas, and refer to Sect. 27 for the details.

Let \(E/\mathbb {F}_{p^2}\) be a fixed supersingular elliptic curve, and let \(N_\mathsf {K}, N_\mathsf {M}, N_\mathsf {R}\) be positive integers such that \(E\big [N_\mathsf {K}\times N_\mathsf {M}\times N_\mathsf {R}\big ]\) is contained in \(E(\mathbb {F}_{p^2})\), where \(p, N_\mathsf {K}, N_\mathsf {M}, N_\mathsf {R}\) are pairwise relatively prime. Let us derive a PRF \(F: \mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) from the SIDH key-exchange protocol of [22]. The PRF makes use of two hash functions \(H_1:\mathcal {X}\rightarrow \mathbb {P}_{N_\mathsf {M}}\) and \(H_2:\mathcal {X}\times \mathbb {F}_{p^2} \rightarrow \mathcal {Y}\), and works as follows:

  • The domain is \(\mathcal {X}\). For each \(x \in \mathcal {X}\) we obtain \(m = H_1(x) \in \mathbb {P}_{N_\mathsf {M}}\), for which there is a corresponding degree-\(N_\mathsf {M}\) isogeny \(\phi _m: E \rightarrow E_m\);

  • The key space is \(\mathcal {K}= \mathbb {P}_{N_\mathsf {K}}\). For each \(k \in \mathbb {P}_{N_\mathsf {K}}\) there is a corresponding degree-\(N_\mathsf {K}\) isogeny \(\phi _k: E \rightarrow E_k\);

  • Let \(\phi :E \rightarrow E_{m,k}\) be an isogeny with kernel \(\text {ker}(\phi _m) \times \text {ker}(\phi _k)\). Define \(F(k,x) = H_2\big (x, j(E_{m,k})\big )\).

When \(H_1\) and \(H_2\) are modeled as random oracles, and assuming \(N_\mathsf {K}\) is sufficiently large (i.e., superpolynomial in the security parameter), this function F is a secure PRF.

To make this PRF into an oblivious PRF between a client and a server, it is tempting to try the following blinding approach (also used in [62, 65] in an attempt to construct a blinded version of an earlier undeniable-signature scheme [35]):

  • The client has \(x \in \mathcal {X}\). It computes \(m = H_1(x) \in \mathbb {P}_{N_\mathsf {M}}\) which defines the degree-\(N_\mathsf {M}\) isogeny \(\phi _m:E \rightarrow E_m\) above. The client chooses a random \(r \in \mathbb {P}_{N_\mathsf {R}}\), and computes the corresponding degree-\(N_\mathsf {R}\) isogeny \(\phi _r:E \rightarrow E_r\). Next, the client constructs an isogeny \(\phi _{r,m}: E \rightarrow E_{r,m}\) whose kernel is \(\text {ker}(\phi _r) \times \text {ker}(\phi _m)\). It sends \(E_{r,m}\) to the server, along with four additional points on \(E_{r,m}\), as specified in Sect. 3. Two of these four points are computed as \(P'_\mathsf {K}= \phi _{r,m}(P_\mathsf {K})\) and \(Q'_\mathsf {K}= \phi _{r,m}(Q_{\mathsf {K}})\), where \(P_\mathsf {K}, Q_\mathsf {K}\in E\) are some fixed generators of \(E[N_\mathsf {K}]\).

  • The server has the secret key \(k \in \mathbb {P}_{N_\mathsf {K}}\), and the corresponding isogeny \(\phi _k: E \rightarrow {{\,\mathrm{\text {E}}\,}}_k\). It uses \(P'_\mathsf {K},Q'_\mathsf {K}\) to construct the curve \(E_{r,m,k}\), which is the target of an isogeny acting on E and whose kernel is \(\text {ker}(\phi _r) \times \text {ker}(\phi _m) \times \text {ker}(\phi _k)\). It sends \(E_{r,m,k}\) back to the client, along with two additional points in \(E[N_\mathsf {R}]\).

  • The client uses its knowledge of \(\phi _r\) to recover the required \(E_{m,k}\) using an appropriate dual isogeny \(\hat{\phi }':E_{r,m,k} \rightarrow E_{m,k}\). Once the client has \(E_{m,k}\), it can obtain the required PRF value F(kx) since \(F(k,x) = H_2\big (x, j(E_{m,k})\big )\).

While this is a natural construction for an OPRF, it is unfortunately completely insecure. It is vulnerable to a clever active attack due to Galbraith et al. [27], which was originally used to attack SIDH key exchange where one of the parties uses a static key. In our setting, the attack lets a malicious client send carefully crafted points \(P'_\mathsf {K}, Q'_\mathsf {K}\in E_{r,m}\) that are not the images of the fixed points \(P_\mathsf {K},Q_\mathsf {K}\in E\) under the isogeny \(\phi _{r,m} :E \rightarrow E_{r,m}\). The client can then learn information about the PRF key k from the server’s response. With enough such queries, the client can extract k from the server, thus fully breaking the OPRF.

In the SIDH key-exchange setting, there are several countermeasures against this active attack. Kirkwood et al. [45] suggest an approach, based on the Fujisaki-Okamoto [25] transformation, where the client sends encrypted information to the server. The server decrypts and uses the information from the client to validate the request. However, this approach cannot be used in an OPRF protocol because the information sent from the client reveals m to the server, which violates the OPRF privacy requirement.

Our solution is to have the client prove to the server that the points \(P'_\mathsf {K}\) and \(Q'_\mathsf {K}\) are generated correctly without leaking any information about m or r to the server. To do so, we present in Sect. 5 a special-purpose zero-knowledge protocol that allows the client to prove the correctness of the points it sends. Our protocol develops an idea sketc.hed by Galbraith [26, Section 7.2], and builds on the isogeny-based identification protocol of De Feo et al. [22].

We obtain an OPRF that is secure against a malicious client. To further secure the OPRF against a malicious server, the server needs to somehow prove to the client that its response \(E_{r,m,k}\) is consistent with its commitment \(E_{k}\) to the secret key \(k \in \mathbb {P}_{N_\mathsf {K}}\). In other words, the server needs to prove that \((E, E_{r,m}, E_k, E_{r,m,k})\) form an isogeny DDH tuple, where the server only knows \(\phi _k:E \rightarrow E_k\) and \(\phi _k': E_{r,m} \rightarrow E_{r,m,k}\). A similar protocol is needed in the constructions of [35, 62, 65] for the purpose of online signature confirmation. However, we cannot use their protocol because they assume the server knows both \(\phi _k\) and \(\phi _{r,m}:E \rightarrow E_{r,m}\). For us, this would break the OPRF privacy requirement because \(\text {ker}(\phi _{r,m})\) reveals information about \(m \in \mathbb {P}_{N_\mathsf {M}}\).

To address this, we develop in Sect. 6 a zero-knowledge proof of equality that lets the server prove the consistency of its response to the client. A key challenge is to ensure security of the OPRF, meaning that we must prevent the client from abusing the consistency check for extracting information about the key k. The result is a new private-coin protocol, that jointly meets the security requirements of both parties, and is quite different from the [22]-style public-coin protocol.

Our complete verifiable OPRF appears in Protocol 15.

Security Assumptions. Our OPRF construction is based on the hardness of isogeny problems on supersingular curves over a field \(\mathbb {F}_{p^{2}}\) for a prime p of the form \(p=f\cdot N_1\cdot \dots \cdot N_n-1\), for relatively prime \(N_i\). Specifically, for our verifiable OPRF, we use \(n=5\) prime powers.

The privacy of the client in our protocol relies on the hardness the Decisional SIDH Isogeny Problem [22, 29] adjusted from the standard SIDH setting of \(n=2\) prime powers to our setting of \(n=5\) (similarly to [35, 63, 65]). The security of the server in our protocol relies on a one-more Diffie-Hellman-type assumption in the SIDH setting. Recently, Merz, Minko, and Petit [52] presented a polynomial-time attack on certain “one-more” SIDH assumptions, introduced in [35, 65]. In Sect. 3, we present a new type of one-more SIDH assumption and discuss why it is not susceptible to this attack. Finally, our zero-knowledge proof, designed to prevent the active attack of [27], relies on the hardness of a variant of the Decisional Supersingular Product problem [22]. We discuss the security assumptions in more detail in Sect. 3 and 5.

1.3 Additional Related Work

OPRF from Oblivious-Transfer Extension. An efficient oblivious PRF can be constructed from oblivious-transfer extension [33]. The first works to do so [47, 59, 60] constructed a one-time OPRF, namely one where the client can only issue a single query to the server. Subsequent work [58] constructs a many-time OPRF from oblivious-transfer extension, but the client must choose all the query points before the OPRF key is generated. These non-adaptive OPRF schemes are sufficient for protocols for private set intersection, and can be post-quantum secure if the underlying 1-out-of-2 oblivious transfer is post-quantum secure. The constructions in this paper give an OPRF which allows the client to select the query points adaptively, at any time after the OPRF key is generated, and supports an exponential size domain.

Blind Signatures. Verifiable OPRFs share resemblance with blind signatures [17]. Both primitives allow a server holding a secret key to provide the client with a “certified" value on blinded input. However, unlike an OPRF, a blind signature does not have to be deterministic, yet it has to be publicly verifiable. Indeed, Jarecki and Liu [41] observed that earlier constructions [12] of oblivious-transfer protocols from unique blind signatures [7, 8, 17] and, similarly, from blind IBE schemes [31], give rise to OPRFs. None of these constructions are post-quantum secure. Recent works [62, 65] constructed variants of blind signatures from supersingular isogenies. As discussed above, the online verification protocols in these schemes require unblinding the message.

2 Augmentable Commitments

In this section we introduce a primitive, called augmentable commitments, that makes it easier to describe the OPRF construction and prove its security. This abstraction makes it possible to describe the scheme without cluttering the description with many elliptic curve points.

An augmentable commitment is a commitment scheme where one can commit to a value \(x_1 \in \mathcal {X}_1\) to obtain a commitment \(\mathsf {com}\). Later, someone else can append \(x_2 \in \mathcal {X}_2\) to the commitment \(\mathsf {com}\) to obtain a new commitment \(\mathsf {com}'\) to \((x_1, x_2)\). One can also obtain \(\mathsf {com}'\) by committing in the reverse order, by first committing to \(x_2 \in \mathcal {X}_2\), and then appending \(x_1 \in \mathcal {X}_1\). We will refer to \(\mathsf {com}'\) as \(\llbracket {x_1,x_2}\rrbracket \). Regular values are append-only, in the sense that, given \(\llbracket {x_1,x_2}\rrbracket \), it should be computationally unfeasible to compute \(\llbracket {x_2}\rrbracket \) or \(\llbracket {x_1',x_2}\rrbracket \). Looking ahead, this “non-malleability” property will provide privacy for the server in our OPRF protocol. It prevents the client from learning the value of the OPRF at one point given its evaluation at another.

To hide the contents of the commitment, its creator may include in it a special type of value \(r\in \mathcal {R}\), called a blind. Such a blinded commitment \(\llbracket {r,x_1,x_2}\rrbracket \) can later be unblinded to obtain \(\llbracket {x_1,x_2}\rrbracket \), which is a binding commitment to \(x_1\) and \(x_2\), but may not be hiding. The blinding property will provide privacy for the client in our OPRF protocol, as it will prevent the server from learning the point where the OPRF is being evaluated.

We next define augmentable commitments more precisely and more generally. In the next sections we show how to use augmentable commitments to construct an OPRF scheme and how to construct them from supersingular isogenies.

Definition 1 (Augmentable Commitment Scheme)

An augmentable commitment scheme \(\mathcal {G}\) with an input space \(\mathcal {X}=\mathcal {X}_1\times \cdots \times \mathcal {X}_{n-1}\), a blinding space , a commitment space \(\mathcal {C}\), and a space of representatives \(\mathcal {J}\), consists of five algorithms

  • \(\mathsf {Setup}(1^\lambda ) \rightarrow \mathsf {com}_0\in \mathcal {C}\). The algorithm takes as input the security parameter and outputs the “empty” commitment \(\mathsf {com}_0\).

  • \(\mathsf {Blind}(\mathsf {com}_0\in \mathcal {C}, r\in \mathcal {R}) \rightarrow \mathsf {com}\in \mathcal {C}\). The algorithm takes as input the empty commitment and a blind value r, and creates an initial blinded commitment.

  • \(\mathsf {Append}\left( \mathsf {com}\in \mathcal {C}, i\in [n-1], x\in \mathcal {X}_i \right) \rightarrow \mathsf {com}'\in \mathcal {C}\). The algorithm takes as input a commitment \(\mathsf {com}\), an index of an input space, and an input from that space, and outputs a new commitment. The input commitment \(\mathsf {com}\) can be the empty commitment \(\mathsf {com}_0\), a blinded commitment output by \(\mathsf {Blind}\), or a commitment obtained from a previous call to \(\mathsf {Append}\).

  • \(\mathsf {Unblind}\left( \mathsf {com}\in \mathcal {C}, r\in \mathcal {R}\right) \rightarrow \mathsf {com}'\in \mathcal {C}\). The algorithm takes as input a commitment previously blinded with r together with the same blind value r used for blinding, and outputs an unblinded commitment.

  • \(\mathsf {Invariant}\left( \mathsf {com}\in \mathcal {C}\right) \rightarrow j\in \mathcal {J}\) returns the invariant of a commitment.

For simplicity, we avoid including explicit public parameters in the syntax of the scheme. If the scheme requires the \(\mathsf {Setup}\) algorithm to set some public parameters, we assume without the loss of generality that they are included in the empty commitment \(\mathsf {com}_0\) and in all subsequent commitments.

Note that the \(\mathsf {Blind}\) step is the only time when an element \(r\in \mathcal {R}\) of the blinding space may be committed to.

For brevity, we use the notation \(\llbracket {x_1,\dotsc ,x_t}\rrbracket \) to refer to a commitment to a sequence of elements \(x_1\in \mathcal {X}_{i_1},\dotsc ,x_t\in \mathcal {X}_{i_t}\). Specifically, if none of the distinct indices \(i_1,\dotsc ,i_t\in [n-1]\) is the blinding index, we define \(\mathsf {com}_j\leftarrow \mathsf {Append}(\mathsf {com}_{j-1}, i_j,x_j)\), and set . Similarly, if \(i_1=n\) is the index of the blinding space \(\mathcal {R}=\mathcal {X}_n\), we define \(\mathsf {com}_1\leftarrow \mathsf {Blind}(\mathsf {com}_0,x_1)\), and for \(j\in [2,t]\) we define \(\mathsf {com}_j\leftarrow \mathsf {Append}(\mathsf {com}_{j-1},x_j)\), and set .

For two commitments \(c,c'\in \mathcal {C}\), we write \(c\sim c'\) if and only if \(\mathsf {Invariant}(c)=\mathsf {Invariant}(c')\).

The commitment scheme must satisfy the following correctness property, which states that (i) commitments to the same set of elements in a different order are equivalent; and (ii) unblinding results in an a commitment to the remaining elements.

Correctness. For every \(t\in [n-1]\), every set of distinct indices \(i_1,\dotsc ,i_t \in [n-1]\), every set of values \(x_j\in \mathcal {X}_{i_j}\), and every \(r\in \mathcal {R}\), we require the following.

  1. 1.

    \(\mathsf {Invariant}(\llbracket {x_1,\dotsc ,x_t}\rrbracket )\) is independent of the ordering of \(x_1,\dotsc ,x_t\). Similarly, \(\mathsf {Invariant}(\llbracket {r, x_1,\dotsc ,x_t}\rrbracket )\) is independent of the ordering of \(x_1,\dotsc ,x_t\).

  2. 2.

    \(\mathsf {Unblind}(\llbracket {r,x_1,\dotsc ,x_t}\rrbracket , r) \sim \llbracket {x_1,\dotsc ,x_{t}}\rrbracket \).

An augmentable commitment must satisfy the following three security requirements: hiding, weak binding, and one-more unpredictability. We give formal game-based definitions of those properties in the full version of this work

Hiding. The hiding property requires that a random committed element, be it an input or a blind, computationally hides all other committed elements. More specifically, an adversary should not be able to distinguish between a commitment to a set of random values and a commitment to a set of values of his choice, provided that the commitment includes at least one additional random element, that the adversary does not know. This additional element can either be an input element or a blind, i.e., the hiding property holds with respect to both inputs and blinds, with the only difference being that blinds can also be unblinded.

Weak Binding. The binding requirement asks that no efficient adversary can produce a collision between two commitments. We actually only need a weak form of binding, in the sense that the adversary needs to produce a pair of distinct elements that create a collision with noticeable probability over a random choice of a sequence of appended elements.

One-More Unpredictability. In an augmentable commitment scheme, the result of augmenting a secret value to one randomly chosen value should not reveal the result of augmenting that same secret value to other random values. Specifically, consider a game between a challenger and adversary. The challenger chooses a secret input value k and gives the adversary \(t+1\) challenges \(m_1,\dotsc ,m_{t+1}\), each of which is a random input value to the commitment. The solution to the ith challenge is the \(\mathsf {Invariant}(\llbracket {m_i,k}\rrbracket )\) of a commitment to both the challenge value and the challenger’s secret value. Finally, the adversary may issue queries to the challenger. Each query consists of an input value m of the adversary’s choice, to which the challenger responds with \(\mathsf {Invariant}(\llbracket {m,k}\rrbracket )\), where k is the challenger’s secret value. The one-more unpredictability property requires that after issuing at most t queries the adversary should not be able to produce the solution to all \(t+1\) challenges.

Remark 2

de Saint Guilhem et al. [63] introduced an abstraction called semi-commutative masking structure that captures both commutative group actions and isogenies on supersingular elliptic curves. Our abstraction of augmentable commitments draws inspiration from theirs and shares some technical similarities with it. One difference is that our abstraction separates regular values, that are append-only, from blinds, that can be removed.

3 Augmentable Commitments from Supersingular Isogenies

In this section we show how to construct an augmentable commitment scheme from supersingular isogenies. We refer to this scheme as \(\mathcal {G}_{\mathsf {si}}\). We begin by defining a parameterization algorithm, which we use throughout our construction and our security assumptions.

Definition 3

(Parameterization \(p(\lambda ,n)\)). We define the following deterministic algorithm. On input a security parameter \(\lambda \in \mathbb {N}\) and an integer \(n\in \mathbb {N}\), compute the first n primes \(\ell _1,\dotsc ,\ell _{n}\) and choose \(e_1,\dotsc ,e_{n}\) to be positive integers such that for all \(i\in [n]\), . Choose \(f\in \mathbb {N}\) to be a cofactor such that \(p = f\cdot N_1\cdot \dotsc \cdot N_n - 1\) is a prime. Output \(p(\lambda , n)\mathrel {\mathop :}=p\).

For \(\lambda \in \mathbb {N}\), and \(p(\lambda ,n+1)=f\cdot N_1\cdot \dotsc \cdot N_{n+1}-1\), the input space of the commitment are the projective lines \(\mathbb {P}_{N_i}\) for \(i\in [n-1]\), and the blinding space is the projective line \(\mathbb {P}_{N_n}\). For now, we do not explicitly use the \(N_{n+1}\) torsion, and in particular, \(\mathbb {P}_{N_{n+1}}\) is not part of the commitment input/blinding spaces. In Sect. 5, we will use this extra torsion to construct zero knowledge proofs on our commitment scheme.

Setup. The input to the setup routine is a security parameter \(\lambda \in \mathbb {N}\). It computes \(p=p(\lambda , n+1)=f\cdot N_1\cdot \dotsc N_{n+1}-1\), then chooses \(E_0\) to be a random supersingular elliptic curve over \(\mathbb {F}_{p^{2}}\) such that \(E_0(\mathbb {F}_{p^{2}})\cong \mathbb {Z}_{N_1}^2\times \dotsc \times \mathbb {Z}_{N_{n+1}}^2\times \mathbb {Z}_{f}^2\). Finally, for \(i\in [n]\), the setup routine chooses \(P^0_i,Q^0_i\) generators of \(E_0[N_i]\cong \mathbb {Z}_{N_i}^2\) and outputs the empty commitment that consists of the curve \(E_0\) and the generators \((P^0_i,Q^0_i)_{i\in [n-1]}\).

Our augmentable commitments take the form \((E,(P_i,Q_i)_{i\in I})\), where \(I\subseteq [n]\), representing the curve E by its j-invariant \(j(E)\in \mathbb {F}_{p^{2}}\) using \(2\log p\) bits. (All logarithms in this work have base two.) This defines the curve up to isomorphism, and a canonical curve in that isomorphism class can be efficiently computed. Therefore, before outputting a commitment, each of the algorithms in our construction first computes an isomorphism from the curve it has computed to the canonical curve of the same isomorphism class. It also computes the images of the points in the commitment under this isomorphism [5, 28, 63]. Thus, any published points are always on the canonical curve. Similarly to SIDH public-key compression [5, 18, 34], each basis can be represented using \(3\log N_i\) bits. Overall, the size of the commitment is at most \(5\log p\) bits.

Blinding. The \(\mathsf {Blind}\) algorithm blinds the empty commitment with a blind \(r \in \mathbb {P}_{N_n}\) as follows. First, compute a degree \(N_n\) isogeny \(\phi _r:E_0 \rightarrow E_r\) where \(E_r=E_0/\langle r\cdot (P^0_n,Q^0_n)\rangle \) and \(P^0_n,Q^0_n\) is a canonical basis for \(E_0[N_n]\). Then compute a canonical basis \(P_n,Q_n\) for \(E_r[N_n]\). This basis, together with the knowledge of the kernel of the dual isogeny \(\hat{phi}_{r}\) is what enables to later unblind the commitment. Finally output the commitment

$$\begin{aligned} \llbracket {r}\rrbracket \mathrel {\mathop :}=\Big (E_{r},\ \big (\phi _r(P^0_j),\ \phi _r(Q^0_j)\big )_{j\in [n-1]},\ P_n,\ Q_n \Big ). \end{aligned}$$

Appending. To append a value \(x_t\in \mathbb {P}_{N_j}\) to a commitment \(\llbracket {r,x_1,\dotsc ,x_{t-1}}\rrbracket =(E,(P_i,Q_i)_{i\in I})\) for some \(j\in I\cap [n-1]\), the algorithm \(\mathsf {Append}\) computes the isogeny \(\phi ':E\rightarrow E'\) with kernel \(\langle x_t\cdot (P_j, Q_j) \rangle \). The new commitment is then

$$\begin{aligned} \llbracket {r,x_1,\dotsc ,x_t}\rrbracket = \Big (E',\ \left( \phi '(P_i),\ \phi '(Q_i)\right) _{i\in I\setminus \{j\}}\Big ). \end{aligned}$$

As values are added to the commitment, the \(\mathsf {Append}\) algorithm drops the bases of the corresponding torsion groups from the commitment. However, the commitment tracks the basis for the blinding space throughout, and the \(\mathsf {Unblind}\) algorithm uses them to remove the blind r.

Unblinding. Algorithm \(\mathsf {Unblind}\) removes \(r\in \mathbb {P}_{N_n}\) from a blinded commitment \(\llbracket {r,x_1,\dotsc ,x_t}\rrbracket =(E',(P'_i, Q'_i)_{i\in I})\) by first computing the isogeny \(\phi _r:E_0\rightarrow E_r\) for \(E_r=E_0/\langle r\cdot (P^0_n,Q^0_n)\rangle \) together with the canonical basis \(P_n,Q_n\in E_r[N_n]\) as in the \(\mathsf {Blind}\) algorithm above. It then computes a representative \(\hat{r}\in \mathbb {P}_{N_n}\) of the kernel \(\langle \hat{r} \cdot (P_n,Q_n)\rangle \) for the dual isogeny \(\hat{phi}_{r :E_r \rightarrow E_0}\). Finally, it computes the unblinding isogeny \(\phi :E'\rightarrow E\) where \(E=E'/\langle \hat{r}\cdot (P'_n,Q'_n) \rangle \), and outputs \(\big ( E \big )\)—a curve isomorphic to the curve of \(\llbracket {x_1,\dotsc ,x_t}\rrbracket \).

The \(\mathsf {Invariant}\) of a commitment \((E,(P_i,Q_i)_{i\in I})\) is the j-invariant \(j(E)\in \mathbb {F}_{p^{2}}\).

The full specification of our augmentable-commitment construction \(\mathcal {G}_{\mathsf {si}}\) appears in the full version of this work We also prove there that \(\mathcal {G}_{\mathsf {si}}\) meets the correctness requirement of Definition 1. We now turn to discussing its security.

Hiding. The hiding property of our construction relies on the following variant of the Decisional Supersingular Isogeny problem.

figure a

The DSSI problem was originally introduced by De Feo et al. [22]. In its original form, it is the problem of deciding whether two supersingular curves over \(\mathbb {F}_{p^{2}}\), for \(p=\ell _1^{e_1}\cdot \ell _2^{e_2}\cdot f \pm 1\) are \(\ell _1^{e_1}\)-isogenous to one another. Galbraith and Vercauteren [29, Definition 3] introduced the above variant, in which the distinguisher is also given extra points on each curve. This problem is also discussed in [68, 69, Problem 3.4]. Our construction requires using more than 2 large torsions, and in particular we assume the problem to be hard for \(n=5\). A three-prime variant is considered in [35], a four-prime variant in [65], and an n-prime variant appears in [4, 63].

Remark 5

Petit [57] showed an attack on “unbalanced” SIDH variants that reveal the action of a secret degree-A isogeny on the B-torsion of the base curve for \(B\gg A\). Petit’s attack, as well as its recent improvement by Kutas et al. [50], further require that . Even though our augmentable commitment has a similar imbalance (with \(A=N_i\) and \(B=\Pi _{j\ne i}N_j\)), their second condition does not hold in our case. Therefore, these attacks do not currently apply to our construction.

Remark 6

The requirement that \(e(P,Q)^{N_i}=e(P',Q')\) is needed to prevent a simple distinguishing attack based on the Weil pairing. Let \(e_m:E[m]\times E[m] \rightarrow \mu _{m}\) be the Weil pairing on the m-torsion. Then it holds that [64, Proposition III.8.2]: \(e_m(\phi (P),\phi (Q)) = e_m(P,Q)^{\deg (\phi )}\), where the first pairing is computed over \(E'\). The requirement \(e(P,Q)^{N_i}=e(P',Q')\) prevents distinguishing via this relation, by making sure it holds in both cases.

In the full version of this worke prove the augmentable commitment scheme \(\mathcal {G}_{\mathsf {si}}\) is hiding under the Decisional SIDH Isogeny assumption.

Weak Binding. The binding requirement builds on the conjectured difficulty of efficiently finding a pair of distinct isogenies of the same prime-power degree with the same target curve. The following problem underpins the security of Charles, Lauter, and Goren [16] hash function.

figure b

In the full version of this worke prove the our protocol meets the weak-binding requirement under the supersingular-isogeny collision assumption.

One-More Unpredictability. Intuitively, we require that when a secret is chosen at random, then the value \(E/\langle M_1, K \rangle \), for a given randomly chosen , should not reveal the value \(E/\langle M_2, K \rangle \), for another randomly chosen .

This kind of assumption appears in the group setting. For example, consider a cyclic group \(\mathbb {G}\) of prime order q, and let be some secret. The One-More Diffie-Hellman problem [7] requires an adversary to compute the value \(v^\alpha \) for \(t+1\) randomly chosen values while allowing the adversary to make at most t queries to a CDH oracle for \(\alpha \) (i.e., an oracle that replies with \(u^\alpha \) on a query \(u\in \mathbb {G}\)). The One-More Diffie-Hellman assumption states that no adversary can solve this problem for any polynomial t with non-negligible probability.

Our starting point is a candidate of the One-More Diffie-Hellman assumption in the SIDH setting, introduced by Srinath and Chandrasekaran  [65], called the One-More SSCDH assumption. Their candidate assumption stated that given t queries to a SIDH oracle (i.e., an oracle that responds to a query \(M\in E[N_\mathsf {M}]\) with \(E'/\langle M, K \rangle \) for a secret \(K\in E[N_\mathsf {K}]\)), it is computationally infeasible to produce \(t+1\) pairs of curves \((E/\langle M \rangle , E/\langle M,\ K \rangle )\) for \(t+1\) distinct \(M\in E[N_\mathsf {M}]\).

However, this starting point is insecure. First, Merz, Minko, and Petit [52], recently showed a polynomial-time attacks on this assumption. Moreover, this assumption is also vulnerable to the active key-recovery attack on SIDH with static keys [27]. Finally, our security proof requires giving the adversary access to a decision oracle, which opens up the possibility of computation-to-decision reductions for isogeny problems [26, 29, 67]. We now explain each of these attacks and describe how our proposed one-more problem avoids them.

Recent Attacks on One-More SIDH Problems. The attack of Merz, Minko, and Petit [52] exploits a key difference between the One-More DH assumption in the group setting and the OMSSCDH assumption [65]. In the group setting, the adversary needs to produce valid DH tuples for random challenges. In contrast, the assumption of Srinath and Chandrasekaran [65] relaxes this requirement and allows the challenges to be adversarially chosen. In the group setting, relaxing the random-challenges requirement breaks the one-more hardness: given a single DH tuple \((v,v^\alpha )\), it is easy to produce any number of random-looking DH tuples simply by choosing and computing the DH tuple \((v^\beta , (v^\alpha )^\beta )\).

Even though the simple rerandomization that works in the group setting does not extend to the SIDH setting (due to the requirement that the challenges are all of the form \(E/\langle M \rangle \) for \(M\in E[N_\mathsf {M}]\)), Merz et al. devise a polynomial-time attack on the above OMSSCDH assumption by computing short isogenies from a given SIDH tuple. They point out that their polynomial-time attack on OMSSCDH does not translate to a polynomial-time attack on the signature scheme of Srinath and Chandrasekaran [65] nor on the signature scheme of Jao and Soukharev [35] because the challenges in these schemes are outputs of a hash function, modeled as a random oracle. This is consistent with the group setting, where the one-more assumption is only hard for random challenges.

Therefore, to avoid this attack, we provide the adversary in our one-more problem with random challenges, rather than allowing it to choose the challenge curves adversarially.

Active Attacks. The aforementioned modification prevents the specialized attack of [52]. However, the resulting problem is still vulnerable to a general active attack on SIDH with static keys due to Galbraith et al. [28]. As discussed in the introduction, by sending a sequence of queries, each of which consists of a curve \(E'\) together with a maliciously crafted basis \(P_\mathsf {K},Q_\mathsf {K}\in E'[N_\mathsf {K}]\), an adversary can recover the secret key K. We therefore require the adversary to submit kernels M as its solve queries, rather than arbitrary curves with (possibly malicious) torsion points. This requirement is enforced in the actual protocol using a zero-knowledge proof of knowledge, described in the Sect. 5.

Search-to-Decision Reductions. The security proof of our OPRF requires a stronger variant of a one-more assumption, in which the adversary is given additional access to a decision oracle that allows it to check the validity of solutions throughout its execution. In the group setting, the Gap One-More Diffie-Hellman assumption [36, 42] states that the one-more problem is hard even in the presence of such a decision oracle.

The exact same type of assumption is unsound in the SIDH setting. The issue, as shown by Galbraith and Vercauteren [29], and independently by Thormarker [67], is that the search variant of the isogeny problem can be reduced to its decisional variant. Moreover, as pointed out by Galbraith [26], a similar search-to-decision reduction applies also for the SIDH problem. (We describe this reduction for completeness in the full version of this work) The One-More SIDH problem is thus easy if the adversary is given a full-fledged decision oracle for the SIDH problem. Therefore, we need to formulate a weaker assumption, in which the adversary is given oracle access to a more restrictive decision oracle. Intuitively, we only allow the adversary to check SIDH solutions to the challenges given to it (with respect to the secret key K), rather than make arbitrary SIDH decision queries. This is a much weaker assumption, and in particular, unlike a general SIDH decision oracle, the challenger answering this more restricted form of queries can be efficiently implemented.

figure c

Remark 9

We allow the adversary to learn the action of the secret isogeny on an auxiliary torsion group \(E_0[(p+1)/(N_\mathsf {M}\cdot N_\mathsf {K})]\). (The construction of Srinath and Chandrasekaran [65, Sec. 4.4] implicitly has this type of leakage, yet their security proof seems to overlook this when reducing to their version of the OMSSCDH assumption.)

It is important that the solve query provides the adversary with the action of the secret isogeny only on this torsion. Disclosing the action of the secret isogeny on \(E[N_\mathsf {K}]\) would leak the secret. Disclosing the action of the secret isogeny on \(E[N_\mathsf {M}]\) would allow the adversary to break the one-more assumption, since the adversary would eventually learn the action of \(\phi \) on \(E[N_\mathsf {M}]\).

In the full version of this work we show that \(\mathcal {G}_{\mathsf {si}}\) is one-more unpredictable under the Auxiliary One-More SIDH assumption.

4 Oblivious PRF from Augmentable Commitments

We begin by giving an overview of our construction of an oblivious PRF from augmentable commitments. We do not yet give a formal security definition, so for now, we can think of an OPRF as a two party functionality \((x,k)\mapsto (F(k,x),\bot )\) where F is a pseudorandom function. Intuitively, each execution should allow the user to evaluate the PRF at a single point, while providing privacy for the user’s input.

Our basic protocol consists of two-rounds and is somewhat reminiscent of the DH-OPRF protocol in the group setting. Recall that in the group setting, the user, given input x, sends to the server the group element \(\mathsf {com}\leftarrow H(x)^r\), which we can view as a commitment to x. The server then computes \(\overline{\mathsf {com}}\leftarrow \mathsf {com}^ k\) and sends it back to the user, who computes \(\mathsf {com}_{\mathsf {out}}\leftarrow \overline{\mathsf {com}}^ {1/r}\). Generalizing this protocol to the language of augmentable commitments, we obtain the protocol in Fig. 1.

Fig. 1.
figure 4

The basic OPRF protocol from augmentable commitments. Note that, as presented, this basic version is not secure against malicious parties.

Full size image

Handling malicious clients. However, this basic construction has a critical problem. Our augmentable commitment scheme provides a weaker form of “one-more unpredictability”, as compared to the One-More Diffie-Hellman assumption in the group setting. Specifically, the one-more-unpredictability adversary needs to submit values, rather than commitments, as its solve queries. In contrast, the group-based one-more DH assumption is stronger, in that it considers more powerful adversaries that can query the one-more challenger on group elements rather than on scalars. (The underlying reason for this security definition is to prevent the active attacks on our isogeny-based instantiation of augmentable commitments, as discussed in the introduction and in Sect. 3). Therefore, our construction requires the user to attach, as part of its message, a zero-knowledge proof of the committed values. We present this proof system in Sect. 5. This protocol is specific for the isogeny-based construction.

Handling malicious servers. In this simple OPRF, the user cannot detect malicious servers that use a different key on each response, or even send arbitrary responses that do not correspond to a well-defined key.

A verifiable OPRF provides the user with the following guarantee. On each evaluation of the OPRF, the user obtains, in addition to the output value \(y=F(k,x)\), a function descriptor \(\mathsf {pk}\). If on two inputs \(x_1\) and \(x_2\) the user obtains two outputs \(y_1,\mathsf {pk}\) and \(y_2,\mathsf {pk}\) with a matching function descriptor, there must exist a key k such that \(y_1=F(k,x_1)\) and \(y_2=F(k,x_2)\). The function descriptor therefore commits the server to a particular function for all inputs.

In our verifiable-OPRF construction, the function descriptor is the output \(y_\epsilon \) of the OPRF on some fixed point \(\epsilon \). (We think of \(\epsilon \) as being outside the “official” domain of the OPRF.) After obliviously evaluating the OPRF on a point x and obtaining output \(y_x\), the user runs \(\lambda \) additional evaluations of the OPRF, each time setting the input at random as either x or \(\epsilon \). At the end of the \(\lambda \) evaluations, the user checks that the output of each of the \(\lambda \) evaluations matches either \(y_\epsilon \) or \(y_x\) (consistently with its random choice for that evaluation). If all \(\lambda \) checks pass, the user accepts the output \(y_x\) with respect to descriptor \(y_\epsilon \).

An issue with the above protocol is that a malicious user may abuse the \(\lambda \) evaluations to evaluate the OPRF on \(\lambda \) additional points, rather than for verification. Learning the value of the OPRF on more than one point from a single instance of the protocol would violate the server’s security requirement of the OPRF. To prevent this, we add an additional phase to our protocol: the server first commits to the outputs of the OPRF on the \(\lambda \) verification instances. The user then proves to the server that each of the \(\lambda \) verification inputs is either x or \(\epsilon \). (Doing this without revealing x to the server requires an extra layer of blinding.) This provides the server with the assurance that the user would not learn any “extra” values of the OPRF from the verification instances. The server then opens the commitment to the verification outputs, which the client verifies as above. We present this protocol in Sect. 6.

In Sect. 7 we give the full specification (Protocol 15) of our final construction.

5 Zero-Knowledge Proof for Point Verification

A critical part of the OPRF construction is a zero-knowledge proof of knowledge (ZKPK) that lets the client prove to the server that its PRF query is well formed. Using the abstraction of augmentable commitments, what is needed is a ZKPK for the contents of an augmentable commitment, or more generally to the relation:

The ZKPK we construct is specific to the instantiation of augmentable commitment from Sect. 3, and uses some of the algebraic properties of isogenies. Specifically, we design a custom ZKPK for the following relation \(\mathcal {R}_{\mathsf {iso}}\). (In the full version of this work we show how the relation \(\mathcal {R}_{\mathsf {iso}}\) enables expressing statements about the language \(R_\mathsf {com}\) for the augmentable commitment scheme \(\mathcal {G}_{\mathsf {si}}\).)

Let be a prime as in Defintion 3. For clarity, we denote \(N_\mathsf {S}\mathrel {\mathop :}=N_{n+1}\). Let E be a supersingular elliptic curve defined over \(\mathbb {F}_{p^{2}}\). Define the relation:

$$\begin{aligned} \mathcal {R}_{\mathsf {iso}}\mathrel {\mathop :}=\Big \{ \Big (j(E),\ P_\mathsf {K},\ Q_\mathsf {K},\ j(E'),\ P_\mathsf {K}',\ Q_\mathsf {K}',\ d\Big ),\ V \Big \}\,, \end{aligned}$$
(1)

where the statement \(\Big (j(E),\ P_\mathsf {K},\ Q_\mathsf {K},\ j(E'),\ P_\mathsf {K}',\ Q_\mathsf {K}',\ d\Big )\) contains:

  • a j-invariant \(j(E)\in \mathbb {F}_{p^{2}}\) of a supersingular elliptic curve \(E/\mathbb {F}_{p^{2}}\),

  • points \(P_\mathsf {K},Q_\mathsf {K}\in E[N_\mathsf {K}]\) for some \(N_\mathsf {K}\) relatively prime to \(N_\mathsf {S}\),

  • a j-invariant \(j(E')\in \mathbb {F}_{p^{2}}\) of a supersingular elliptic curve \(E'/\mathbb {F}_{p^{2}}\),

  • points \(P_\mathsf {K}',Q_\mathsf {K}'\in E'[N_\mathsf {K}]\), and

  • a positive integer d relatively prime to \(N_\mathsf {S}\) and \(N_\mathsf {K}\),

The witness V is a point of order d in \(E(\mathbb {F}_{p^{2}})\) such that \(E' = E/\langle V \rangle \) and the isogeny \(\phi :E\rightarrow E'\) satisfies \(P_\mathsf {K}' = \phi (P_\mathsf {K})\) and \(Q_\mathsf {K}'=\phi (Q_\mathsf {K})\). Note that by definition, \(N_\mathsf {K}\), d, and \(N_\mathsf {S}\) all divide \((p+1)\) and are relatively prime.

The Protocol. We design a ZKPK for the relation \(\mathcal {R}_{\mathsf {iso}}\) where the verifier (server) has the statement \(\Big (j(E),\ P_\mathsf {K},\ Q_\mathsf {K},\ j(E'),\ P_\mathsf {K}',\ Q_\mathsf {K}',\ d\Big )\) and the verifier (client) proves knowledge of the witness V. We first describe a protocol that has perfect completeness, constant soundness error, and honest-verifier computational zero knowledge. Repeating the protocol in parallel \(\lambda \) times makes the soundness error negligible. Indeed, the repetitions required in this protocol (as well as in the one in the next section) are responsible for the bulk of the communication in our OPRF construction.

The protocol is based on the idea sketc.hed by Galbraith [26, Sec 7.2], which builds on the isogeny-based identification protocol of De Feo et al. [22].

Remark 10

In the following, when we refer to the prover “committing” to one or more elements, we refer to a standard commitment scheme (as opposed to our augmentable commitment scheme) such as a standard hash-based commitment in the random-oracle model.

First, the prover chooses a random point S of order \(N_\mathsf {S}\). The prover then computes an isogeny \(\sigma \) with domain E and kernel \(\langle S\rangle \) and an isogeny \(\sigma '\) with domain \(E'\) and kernel \(\langle \phi (S)\rangle \). Let \(\tilde{E}\) and \(\tilde{E}'\) be the target curves of the isogenies \(\sigma \) and \(\sigma '\) respectively. For consistency of notation, we denote points on the curve \(\tilde{E}\) as \(\tilde{P}\), \(\tilde{Q}\) etc. Similarly, we denote points on the curve \(\tilde{E}'\) as \(\tilde{P}'\), \(\tilde{Q}'\) etc. The prover can also calculate the isogeny \(\tilde{\phi }:\tilde{E}\rightarrow \tilde{E}' \) using the image of the generator V of \(\phi \) under \(\sigma \).

The prover chooses a random basis \(\tilde{P}_\mathsf {S},\tilde{Q}_\mathsf {S}\) of the \(N_\mathsf {S}\)-torsion subgroup of \(\tilde{E}\). The prover then computes the kernel of the dual isogeny \(\hat{\sigma }\) and expresses its generator as \(s\cdot (\tilde{P}_\mathsf {S},\cdot \tilde{Q}_\mathsf {S})\) for some \(s\in \mathbb {P}_{N_\mathsf {S}}\). (Note that the kernel of \(\hat{\sigma '}\) is then generated by \(s\cdot (\tilde{\phi }(\tilde{P}_\mathsf {S}), \tilde{\phi }(\tilde{Q}_\mathsf {S}))\).)

The prover commits separately to (1) the curve \(\tilde{E}\) together with the points \(\tilde{P}_\mathsf {S},\tilde{Q}_\mathsf {S}\), (2) the curve \(\tilde{E}'\) together with the points \(\tilde{P}_\mathsf {S}'=\tilde{\phi }(\tilde{P}_\mathsf {S}),\tilde{Q}_\mathsf {S}'=\tilde{\phi }(\tilde{Q}_\mathsf {S})\), (3) the scalar s, (4) a random generator \(\tilde{V}\) of \(\ker (\tilde{\phi })\), and (5–8) the images of \(P_\mathsf {K},Q_\mathsf {K}\) under \(\sigma \) and of \(P_\mathsf {K}',Q_\mathsf {K}'\) under \(\sigma '\). (Committing to all those elements makes the protocol online-extractable without rewinding, which is necessary for UC security.)

Each execution of the protocol will verify the validity of only one of the two points \(P'_\mathsf {K}\) and \(Q'_\mathsf {K}\) according to a random choice made by the verifier. Additionally, according to another random three-way choice of the verifier, the prover will reveal one of three isogenies (i.e., either \(\sigma \), \(\sigma '\), or \(\tilde{\phi }\)) along with some points. The following diagram illustrates the commitments opened in each of the three cases where the verifier chooses to verify the validity of the point \(P'_\mathsf {K}\):

figure d

  • In the , the prover reveals the curve \(\tilde{E}\), the random generators \(\tilde{P}_\mathsf {S}\), \(\tilde{Q}_\mathsf {S}\) of \(\tilde{E}[N_\mathsf {S}]\), the element \(\tilde{s}\in \mathbb {P}_{N_\mathsf {S}}\) , and the point \(\tilde{P}_\mathsf {K}= \sigma (P_\mathsf {K})\in \tilde{E}[N_\mathsf {K}]\). The verifier computes the isogeny \(\hat{\sigma }:\tilde{E}\rightarrow \tilde{E}/\langle \tilde{s}\cdot (\tilde{P}_\mathsf {S},s_q\tilde{Q}_\mathsf {S}) \rangle \), and checks that \(\hat{\sigma }(\tilde{P}_\mathsf {K}) = [N_\mathsf {S}^2]P_\mathsf {K}\), where \([N_\mathsf {S}^2]\) is the multiplication by \(N_\mathsf {S}^2\) map.

  • Similarly, in the , the prover reveals the curve \(\tilde{E}'\), the random generators \(\tilde{P}'_\mathsf {S}=\tilde{\phi }(\tilde{P}_\mathsf {S})\), \(\tilde{Q}'_\mathsf {S}=\tilde{\phi }(\tilde{Q}_\mathsf {S})\) of \(\tilde{E}'[N_\mathsf {S}]\), the element \(\tilde{s}\in \mathbb {P}_{N_\mathsf {S}}\), and the point \(\tilde{P}'_\mathsf {K}=\sigma '(P'_\mathsf {K})\). The verifier computes the isogeny \(\hat{\sigma }':\tilde{E}'\rightarrow \tilde{E}'/\langle \tilde{s}\cdot (\tilde{P}'_\mathsf {S},\tilde{Q}'_\mathsf {S}) \rangle \), and checks that \(\hat{\sigma }'(\tilde{P}'_\mathsf {K}) = [N_\mathsf {S}]P'_\mathsf {K}\), where \([N_\mathsf {S}]\) is the multiplication by \(N_\mathsf {S}\) map.

  • Finally, in the , the prover reveals the curves \(\tilde{E}\) and \(\tilde{E}'\), a random generator \(\tilde{V}\) of \(\ker (\tilde{\phi })\), and the points \(\tilde{P}_\mathsf {S},\tilde{Q}_\mathsf {S}\in \tilde{E}[N_\mathsf {S}]\), \(\tilde{P}_\mathsf {K}\in \tilde{E}[N_\mathsf {K}]\), \(\tilde{P}'_\mathsf {K}\in \tilde{E}'[N_\mathsf {K}]\), and \(\tilde{P}'_\mathsf {S},\tilde{Q}'_\mathsf {S}\in \tilde{E}'[N_\mathsf {S}]\). The verifier computes the isogeny \(\tilde{\phi }:\tilde{E}\rightarrow \tilde{E}/\langle \tilde{V} \rangle \) and checks that \(\tilde{\phi }(\tilde{P}_\mathsf {K}) = \tilde{P}'_\mathsf {K}\), \(\tilde{\phi }(\tilde{P}_\mathsf {S}) = \tilde{P}'_\mathsf {S}\) and \(\tilde{\phi }(\tilde{Q}_\mathsf {S}) = \tilde{Q}'_\mathsf {S}\).

Remark 11

In our protocol, as well as in the security game for the underlying assumption, we specifically choose to reveal the image of only a single generator of the \(N_\mathsf {K}\)-torsion under the secret random isogeny \(\sigma \). The reason for this choice is to prevent a distinguishing attack using the Weil pairing. Had we revealed both images \(\tilde{P}_\mathsf {K}=\sigma (P_\mathsf {K}),\tilde{Q}_\mathsf {K}=\sigma (Q_\mathsf {K})\), then the verifier would have obtained the two relations \(e(\tilde{P}_\mathsf {K}, \tilde{V}) = e(P_\mathsf {K}, V)^{v\cdot \deg (\sigma )}\) and \(e(\tilde{Q}_\mathsf {K}, \tilde{V}) = e(Q_\mathsf {K}, V)^{v\cdot \deg (\sigma )}\), which would allow to verifier to distinguish V from random. By revealing only one out of the two points \(\tilde{P}_\mathsf {K}, \tilde{Q}_\mathsf {K}\), and by revealing a random generator \(v\cdot \sigma (V)\) instead of \(\sigma (V)\), the protocol prevents tis pairing attack.

The zero-knowledge property of our protocol is based on the hardness of a variant of the Decisional Supersingular Product problem (DSSP), introduced by De Feo et al. [22]. As our protocol also needs to verify the action of the secret isogeny on the \(N_\mathsf {K}\)-torsion, we need to slightly strengthen the assumption by giving the adversary additional points. More specifically, we consider the following:

figure h

In the full version of this work we formally define sigma protocols, give the full details of the above protocol, and prove that it is special computational honest-verifier zero knowledge, under the Auxiliary Decisional Supersingular Product assumption. We also discuss how to transform this sigma protocol into a non-interactive zero-knowledge proof of knowledge (\(\mathsf {NIZKPK}\)) in the random-oracle model using standard techniques.

Concrete Efficiency. We estimate the size of the resulting \(\mathsf {NIZKPK}\). In a single execution of the above protocol, the prover sends 8 hash-based commitments in its first message. Of the three possible openings, the “blue” one, that consists of 2 j-invariants and 7 points, is the largest one. The opening also includes 5 random nonces used for the hash-based commitments, each of which is \(\lambda \)-bits long. The size of a j-invariant in \(\mathbb {F}_{p^{2}}\) is \(2\log p\) bits. A naive representation of each point over \(\mathbb {F}_{p^{2}}\) would have also been \(2\log p\) bits (x-coordinate and a sign bit). However, Azarderakhsh et al. [5] observed that a point in an \(N_i\)-torsion can be represented using only \(2\log N_i\) bits. Since in our construction \(\log N_i \le \log p /4\), the prover can send all 7 points in less than \(4\log p\) bits, and together with the j-invariant, the size of the prover’s last message is less than \(6\log p\) bits. (In the non-interactive proof, the verifier’s only message is a random challenge, which is derived from a random oracle and thus does not increase the size of the proof.) Since each execution of the protocol has soundness error 5/6, we must repeat the protocol \(\lambda /\log (6/5)=3.8\lambda \) times. Overall, we estimate the size of the proof as \(3.8\lambda \cdot (13\lambda + 6\log p)\).

6 Zero-Knowledge Proof of Equality of Isogenies

Recall that to make our OPRF verifiable, the server must convince the verifier that it has evaluated the OPRF consistently with its evaluation on some fixed point. This boils down to proving the commitments satisfy the following relation

Moreover, the proof must be zero-knowledge, and in particular, the user should not learn any additional information about the key beyond what it already knows from \(\overline{\mathsf {com}}_0\) and \(\overline{\mathsf {com}}_1\).

The idea behind Protocol 13 below is as follows. The user (verifier) sends to the server \(\lambda \) augmentable commitments, each of which is obtained by appending a random value \(v_i\) to either \(\mathsf {com}_1\) or \(\mathsf {com}_2\), chosen at random. The user saves the values \(v_i\) and the random choices \(b_i\in \{0,1\}\).

Next, the server (prover) appends its secret value k to each of the \(\lambda \) commitments, and sends to the user a hash-based commitment \(h=H(j_1,\dotsc ,j_\lambda ,s_{\mathsf {out}})\) to their invariants, where .

The user then reveals to the server the random values \(v_1,\dotsc ,v_\lambda \), and the server uses them to check that each of the \(\lambda \) commitments received in the first round has indeed been obtained by appending \(v_i\) to one of \(\mathsf {com}_1\) or \(\mathsf {com}_2\). This protects the server against a malicious user that tries to learn additional information about k by sending commitments that are not \(\mathsf {com}_1\) or \(\mathsf {com}_2\).

Once this check passes, the server sends to the user the opening \(s_{\mathsf {out}}\) to the hash-based commitment. Finally, the user computes the expected values of the invariants \(j'_1,\dotsc ,j'_\lambda \) as \(j'_i=\mathsf {Invariant}(\mathsf {Append}(\overline{\mathsf {com}}_{b_i},v_i))\) and checks that \(h=H(j'_1,\dotsc ,j'_\lambda ,s_{\mathsf {out}})\).

This protocol is generic for augmentable commitments, but we think that its instantiation with the isogeny-based construction of augmentable commitments may be of independent interest.

figure i

In the full version of this worke prove the following lemma, which shows the soundness of this protocol, and we prove the zero-knowledge property of this protocol as part of security proof of the full protocol.

Lemma 14

Suppose that \(\mathcal {G}\) is a secure augmentable commitment scheme, and let \(\mathsf {com}_0=\llbracket {r_0,m_0}\rrbracket \) and \(\mathsf {com}_1=\llbracket {r_1,m_1}\rrbracket \) be two commitments. Then for every efficient prover \(P^*\), the probability that the honest verifier of Protocol 13 accepts on input \((\mathsf {com}_0,\mathsf {com}_1,\overline{\mathsf {com}}_0, \overline{\mathsf {com}}_1)\notin L_{\mathsf {eq}}\) when interacting with prover \(P^*\) is negligible. Here \(L_{\mathsf {eq}}\) is the corresponding language of \(R_{\mathsf {eq}}\).

Concrete Efficiency. We estimate the communication complexity of the protocol. The communication is dominated by the verifier having to send \(\lambda \) augmentable commitments and \(\lambda \) values \(v_i\in \mathcal {V}\). The size of each supersingular-isogeny-based augmentable commitment is at most \(5\log p\) bits. Moreover, a commitment that includes \(v_i\in \mathcal {V}\) as one of its values does not include a basis for the \(N_\mathsf {V}\)-torsion, which cancels out having to send the \(v_i\) values in the next message. Therefore, we can bound the overall communication complexity by \(5\lambda \log p\) plus the size of the proofs of knowledge \(\pi _0\) and \(\pi _1\).

7 Putting It All Together

We now combine the basic protocol from Sect. 4 with the two protocols from Sect. 5 and 6 to obtain a maliciously secure verifiable OPRF.

Protocol 15 implements the OPRF ideal functionality \({\mathcal {F}_{\mathsf {VOPRF}}}\) as defined in the full version of this work (That definition is based on [36] with some of the later modifications from [38, 40].)

In the full version of this worke prove the following theorem.

Theorem 16

Suppose that \(\mathcal {G}\) is a secure augmentable commitment scheme. Then Protocol 15 realizes ideal functionality \({\mathcal {F}_{\mathsf {VOPRF}}}\) in the random-oracle model.

The main ideas of the proof are as follows. The privacy of the user’s input easily follows from the hiding property of the underlying augmentable commitment scheme. The main challenge is to simulate the honest server. To this end, the simulator in the ideal world chooses a random secret key for the honest server, and uses it to simulate the interaction of the real-world adversary with that server. Specifically, each time the environment activates the honest server, the simulator responds to an adversary’s message by appending its secret key to the commitment sent by the adversary.

The only way the environment can distinguish this from the real world is to find an inconsistency between the value of the OPRF computed via an honest-user honest-server interaction, and the value of the OPRF computed by the adversary directly as \(H_2(x,\mathsf {Invariant}(\llbracket {m,k}\rrbracket ))\) for \(m=H_1(x)\). To prevent this inconsistency, whenever the adversary makes this type of query to the random oracle \(H_2\), the simulator evaluates the ideal-world OPRF at point x and programs the random oracle \(H_2\) to the output value of the PRF. However, the ticketing mechanism of the OPRF ideal functionality limits the number of times the simulator can evaluate the ideal-world OPRF by the number of activations of the honest server. The simulation would therefore fail if the adversary correctly predicts the value \(\mathsf {Invariant}(\llbracket {m,k}\rrbracket )\) on a number of points greater than the number of server activations. However, this would violate the one-more unpredictability property of the underlying augmentable commitment scheme.

The full proof appears in the full version of this work

Concrete Efficiency and Parameter Estimation The communication complexity of the complete OPRF protocol is dominated by the communication complexity of the zero-knowledge proofs. More specifically, the protocol includes 3 \(\mathsf {NIZKPK}\)s for the relation \(R_\mathsf {com}\), the size of each of which we have estimated in Sect. 5 to be \(3.8\lambda \cdot (13\lambda + 6\log p)\). In addition, the complete protocol executes the proof-of-equality sub-protocol once. In Sect. 6 we estimated the communication complexity of that sub-protocol as \(5\lambda \log p\). Therefore, we can bound the communication complexity of the complete protocol as \(73\lambda \log p + 148\lambda ^2\).

figure j

We set \(p(\lambda )\) based on the best known attacks on our assumptions. For standard SIDH problems (including the Decisional SIDH problem and the Decisional Supersingular Product problem), the best known attacks are meet-in-the-middle attacks that run in time \(O(\sqrt{N_i})\) [55]. Although quantum collision-finding algorithms [66] have a better asymptotic running time of \(O(\root 3 \of {N_i})\), recent work [1, 34] suggests that the classical algorithm outperform the quantum ones when attacking SIDH, due to the large memory requirement of the quantum algorithms. One caveat is that our one-more assumption admits a better attack than SIDH: Merz et al. [52] showed an attack on the schemes of [35, 65] that runs in time \(N_i^{2/5}\). This exponential-time attack, unlike the aforementioned polynomial-time attack from the same paper  [52], also applies to our one-more assumption. We therefore set \(N_i\approx 2^{5\lambda /2}\) for \(\lambda \)-bit security. (The torsion used for the zero-knowledge proof does not need to be increased as it is used only within a non-interactive proof.) Overall, for \(n=5\) prime powers, the prime p is \(12\lambda \)-bits long.

Plugging in \(\log p=12\lambda \) into the expression for the communication complexity we have calculated above, we obtain that the total communication complexity is bounded by \(1024\lambda ^2\) bits. For \(\lambda =128\), the communication complexity is under 2MB.

8 Naor-Reingold OPRF from an Abelian Group Action

We now turn to constructing an OPRF from an abelian group action, such as the action obtained from isogenies of ordinary elliptic curves or from isogenies of supersingular curves over \(\mathbb {F}_p\) as in CSIDH [14].

First, we show that the Naor-Reingold PRF [54] can be adapted to work with an abelian group action that satisfies a DDH-like assumption. Second, we show that the technique used to build an OPRF from the Naor-Reingold PRF carries over to the setting of an abelian group action.

A technical difficulty is that the proof of security of the Naor-Reingold PRF in [54] makes use of the random self reduction of the DDH problem in a prime order group. The DDH problem for an arbitrary abelian group action does not have the required random self reduction. We therefore need to give a new security proof for the Naor-Reingold PRF. We are able to prove security based on the DDH assumption for a group action; however the security reduction is not as efficient as the proof of Naor-Reingold in a prime order group.

Recall that an action of a group G on a set X is a map \(G\times X\rightarrow X\) such that \((gh)\cdot x=g\cdot (h\cdot x)\) for every \(g,h\in G\) and \(x\in X\), and \(e\cdot x=x\) for every \(x\in X\), where \(e\in G\) is the identity element of G.

Let G be an abelian finite group acting on S transitively and faithfully (we recall the definitions of these properties in the full version of this work, and let \(s_0 \in S\) be some fixed element. We define the Naor-Reingold PRF, with key space \(\mathcal {K}= G^{n+1}\) and input space \(\mathcal {X}= \{0,1\}^n\), as follows:

(2)

The security of this PRF requires the following group-action variant of the DDH assumption to hold in G:

Definition 17

(Group-Action DDH  [19, 61]). Let G be an abelian group acting on a set S transitively and faithfully, and let \(s \in S\). We say that the Group-Action DDH assumption holds in (Gs) if the two distributions

are computationally indistinguishable.

Theorem 18

Suppose that the Group-Action DDH assumption holds in \((G, s_0)\). Then the Naor-Reingold PRF \(F_{\mathsf {NR}}\) is a secure pseudorandom function.

Proof sketch

Boneh et al. [9, Sec. 4.1] show that the Naor-Reingold PRF is a special case of the augmented cascade. Therefore, to prove that (2) is a secure PRF, it suffices to show that for every polynomially bounded Q, the function

$$\begin{aligned} P(g, s_1,\ldots ,s_Q) = \big ( s_1,\ g\cdot s_1, \ldots , s_Q,\ g \cdot s_Q \big ) \end{aligned}$$

is a secure pseudorandom generator (PRG), where \(g \in G\) and \(s_1, \ldots , s_Q \in S\). This can be done by a simple sequence of \((Q+1)\) hybrid distributions, where at hybrid i, for \(i=1,\ldots ,Q\), the quantity \(g \cdot s_i\) is replaced by random element \(t_i\) in S. A distinguisher for any pair of consecutive hybrid distributions gives an attack on the Group-Action DDH assumption for \((G, s_0)\). Overall, the reduction incurs a factor of Q loss between an attacker on the PRG and the derived attacker on the Group-Action DDH assumption. The proof of the theorem now follows by [9, Thm. 3].

Next, we observe that because the group G is abelian, we can evaluate \(F_{\mathsf {NR}}\) obliviously with the following protocol, first described in [24] in a group of prime order.

Protocol 19

A client that holds input \((x_1,\ldots ,x_n) \in \{0,1\}^n\) and a server that holds input \((k_0,k_1, \ldots , k_n) \in G^{n+1}\) proceed as follows:

  1. 1.

    For each \(i=1,\ldots ,n\), the server chooses a random \(r_i\) in G.

  2. 2.

    For each \(i=1,\ldots ,n\), the client and server engage in a 1-out-of-2 oblivious-transfer protocol that gives to the client \(r_i\) if \(x_i=0\), and \(k_ir_i\) if \(x_i=1\). The client stores the output as \(b_i \in G\).

  3. 3.

    The server sends \(s'=(k_0\prod _{i=1}^n r_i^{-1})\cdot s_0\) to the client.

  4. 4.

    The client evaluates \((\prod _{i=1}^n b_i)\cdot s'\) to obtain \(F_{\mathsf {NR}}\) evaluated at \((x_1,\ldots ,x_n)\).

The same security argument from [24, Sec. 5] also applies to this OPRF.

Instantiation from Isogenies. We can now instantiate the above construction using isogenies. Couveignes [19], Rostovtsev and Stolbunov [61] first proposed using a group action on the set of ordinary elliptic curves. More recently, Castryck et al. [14] proposed CSIDH, a construction that uses the set of supersingular elliptic curves defined over a prime field \(\mathbb {F}_p\). Whereas the full endomorphism ring of such curves is non-commutative (and therefore does not give rise to a commutative group action), the subring of \(\mathbb {F}_p\)-rational endomorphisms is an order in an imaginary quadratic field, which gives rise to a commutative group action as in the ordinary case. The main advantage of using the CSIDH group action, over using the group action of ordinary curves, is that it is much more efficient.

More specifically, let \(\mathrm {Ell}_p(\mathcal {O})\) be the set of supersingular elliptic curves over \(\mathbb {F}_p\) whose \(\mathbb {F}_p\)-rational endomorphism ring \(\mathcal {O}\) is an order in an imaginary quadratic field. The class group \(\text {Cl}(\mathcal {O})\), which is an abelian group, acts transitively and faithfully on \(\mathrm {Ell}_p(\mathcal {O})\). (See the full version of this workor additional background.) For \([\mathfrak {a}_0],\dotsc ,[\mathfrak {a}_n]\in \text {Cl}(\mathcal {O})\) and \(E_0\in \mathrm {Ell}_p(\mathcal {O})\), let

$$\begin{aligned} F_{\mathsf {NR}}(([\mathfrak {a}_0],[\mathfrak {a}_1],\ldots ,[\mathfrak {a}_n], E_0), (x_1,\ldots ,x_n)) = j([\mathfrak {a}_n]^{x_n}\ldots [\mathfrak {a}_1]^{x_1}[\mathfrak {a}_0]\cdot E_0)\,. \end{aligned}$$

Assuming the hardness of Group-Action DDH problem in the class group, Theorem 18 then implies that \(F_{\mathsf {NR}}\) is a PRF. Moreover, instantiating Protocol 19 with the isogeny-based oblivious-transfer protocol of Lai, Galbraith, and de Saint Guilhelm [51], which is secure against malicious adversaries, gives an OPRF protocol from a commutative group action on elliptic curves.

Remark 20

Recently, Castryck, Sotáková, and Vercauteren [15] showed that the DDH problem is easy in ideal-class-group actions when the class number is even. Such groups are therefore unsuited for the above construction. As a countermeasure to their attack, they suggest working with supersingular elliptic curves over \(\mathbb {F}_p\) for \(p\equiv 3\pmod 4\), which is already the case for CSIDH [14]. In that setting, the Group-Action DDH problem is conjectured to be hard.

Remark 21

Our construction targets the case of commutative group actions. We mention a recent work by Ji et al. [43], that studies the case of non-commutative group actions. The above reduction does not seem to carry over to the non-commutative case, which might explain why Ji et al. require a different assumption.

Efficiency. To compute the communication complexity of this instantiation, first assume without loss of generality that \(n=\lambda \) (since otherwise we can compose the PRF with a \(\lambda \)-bit hash function). The protocol requires \(n=\lambda \) executions of the OT protocol [51]. Each such execution communicates 3 elliptic curves over \(\mathbb {F}_p\), 4 encryptions of class-group elements, and an additional \(\lambda \)-bit string. Overall, this adds up to \(\lambda \cdot (3\log p + 4\cdot \log p/2 + \lambda ) = 5\lambda \log p + \lambda ^2\) bits.

Kuperberg’s algorithm [48, 49] for solving the commutative-group-action discrete-log problem, runs in time \(\exp (\sqrt{\log (p)})\), which requires setting \(p=\Omega (\lambda ^2)\). As a result, the overall communication complexity of this protocol is asymptotically \(\Omega (\lambda ^3)\), compared to \(O(\lambda ^2)\) communication in the protocol from the previous sections. While the initial CSIDH paper [14] suggested that using a 512-bit prime might be sufficient, recent analysis [10, 56] recommends using primes as large as 5280-bits long. This leads to Protocol 19 having communication complexity of 424KB.

9 Conclusions and Open Problems

We constructed two OPRFs from isogenies on elliptic curves. Our main construction of a verifiable OPRF from isogenies on supersingular elliptic curves is based on a new one-more SIDH assumption. Our construction achieves malicious security by virtue of two new zero-knowledge proofs, and introduces a new abstraction called Augmentable Commitments, which may help simplify the exposition of future SIDH-based constructions. We also presented a second construction from commutative group actions.

Future Work. It would be interesting to extend our OPRF to support threshold PRF evaluation, where the PRF key is distributed across multiple servers. Threshold OPRFs [38] have applications to management of passwords and keys [2, 32, 39]. It would also be good to reduce the communication cost of our zero-knowledge proofs, as that would improve the overall efficiency of the OPRF.