Oblivious Pseudorandom Functions from Isogenies

“…First, consider a "real" world case where A corrupts C(x) and directly interacts with honest S(k) which follows the specification of protocol Π. In this case, we use real Π,A,C (x, K, 1 κ ) to denote the joint output distribution of A(x) and S(k) 10 where k ← K. Now consider an alternative "ideal" world case where we introduce a simulator Sim interacting with A on one hand and with S(x) via F VOPRF on the other hand. Once again, one may wish to interpret the simulator as an attacker-in-the-middle interacting with F VOPRF external to the view of A.…”

“…Related Work & Discussion. Subsequent to this work, Boneh et al [10] constructed a post-quantum (V)OPRF with comparatively good efficiency from isogenies. Their construction also uses the random oracle model, but is also proven secure in the universal composability (UC) model unlike the construction in this work.…”

Round-Optimal Verifiable Oblivious Pseudorandom Functions from Ideal Lattices

“…First, consider a "real" world case where A corrupts C(x) and directly interacts with honest S(k) which follows the specification of protocol Π. In this case, we use real Π,A,C (x, K, 1 κ ) to denote the joint output distribution of A(x) and S(k) 10 where k ← K. Now consider an alternative "ideal" world case where we introduce a simulator Sim interacting with A on one hand and with S(x) via F VOPRF on the other hand. Once again, one may wish to interpret the simulator as an attacker-in-the-middle interacting with F VOPRF external to the view of A.…”

“…Related Work & Discussion. Subsequent to this work, Boneh et al [10] constructed a post-quantum (V)OPRF with comparatively good efficiency from isogenies. Their construction also uses the random oracle model, but is also proven secure in the universal composability (UC) model unlike the construction in this work.…”

Round-Optimal Verifiable Oblivious Pseudorandom Functions from Ideal Lattices

“…The PPOPRF is implemented using the ristretto255 primeorder group abstraction. 10 All hash functions are implemented using SHA-256. All symmetric encryption is implemented using AES-GCM AEAD with 128-bit keys.…”

STAR: Secret Sharing for Private Threshold Aggregation Reporting

“…Isogeny-based cryptography has since grown considerably, when Jao and De Feo [JD11] noticed that it allows one to build "post-quantum" cryptosystems, supposed to resist an adversary equipped with a quantum computer. There is today a wealth of other public-key protocols [CLM + 18, DKPS19, Cos20] (including a Round 3 candidate [JAC + 17] for NIST's standardisation effort), signature schemes [BKV19, DG19, GPS20, DKL + 20] or other cryptosystems [DMPS19,BKW20] built on the presumed hardness of finding isogenies connecting supersingular elliptic curves.…”

The supersingular isogeny path and endomorphism ring problems are equivalent