A faster way to the CSIDH
Recently Castryck, Lange, Martindale, Panny, and Renes published CSIDH, a new key exchange scheme using supersingular elliptic curve isogenies. Due to its small key sizes, and the possibility of a non-interactive and a static-static key exchange, CSIDH seems very interesting for practical applications. However, the performance is rather slow. Therefore, we employ some techniques to speed up the algorithms, mainly by restructuring the elliptic curve point multiplications and by using twisted Edwards curves in the isogeny image curve computations, yielding a speed-up factor of 1.33 in comparison to the implementation of Castryck et al. Furthermore, we suggest techniques for constant-time implementations.
On Lions and Elligators: An efficient constant-time implementation of CSIDH
The recently proposed CSIDH primitive is a promising candidate for post-quantum static-static key exchanges with very small keys. However, until now there is only a variable-time proof-of-concept implementation by Castryck, Lange, Martindale, Panny, and Renes, recently optimized by Meyer and Reith, which can leak various information about the private key. Therefore, we present an efficient constant-time implementation that samples key elements only from intervals of nonnegative numbers and uses dummy isogenies, which prevents certain kinds of side-channel attacks. We apply several optimizations, e.g. Elligator and the newly introduced SIMBA, in order to get a more efficient implementation.
A trade-off between classical and quantum circuit size for an attack against CSIDH
We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order O). Let Δ = Disc(O) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2; our algorithm requires:
• A classical circuit of size 2^{Õ(log(|Δ|)^{1−α})}.
• A quantum circuit of size 2^{Õ(log(|Δ|)^{α})}.
• Polynomial classical and quantum memory.
Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2^{Õ(log(|Δ|)^{1/2})} at the cost of increasing the classical circuit size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.
Threshold Schemes from Isogeny Assumptions
We initiate the study of threshold schemes based on the Hard Homogeneous Spaces (HHS) framework of Couveignes. Quantum-resistant HHS based on supersingular isogeny graphs have recently become usable thanks to the record class group precomputation performed for the signature scheme CSI-FiSh.
Using the HHS equivalent of the technique of Shamir's secret sharing in the exponents, we adapt isogeny-based schemes to the threshold setting. In particular, we present threshold versions of the CSIDH public key encryption and the CSI-FiSh signature schemes.
The main highlight is a threshold version of CSI-FiSh which runs almost as fast as the original scheme, for message sizes as low as 1880 B, public key sizes as low as 128 B, and thresholds up to 56; other speed-size-threshold compromises are possible.
He Gives C-Sieves on the CSIDH
Recently, Castryck, Lange, Martindale, Panny, and Renes proposed CSIDH (pronounced "sea-side") as a candidate post-quantum commutative group action. It has attracted much attention and interest, in part because it enables noninteractive Diffie-Hellman-like key exchange with quite small communication. Subsequently, CSIDH has also been used as a foundation for digital signatures.
In 2003-04, Kuperberg and then Regev gave asymptotically subexponential quantum algorithms for hidden shift problems, which can be used to recover the CSIDH secret key from a public key. In late 2011, Kuperberg gave a follow-up quantum algorithm called the collimation sieve ("c-sieve" for short), which improves the prior ones, in particular by using exponentially less quantum memory and offering more parameter tradeoffs. While recent works have analyzed the concrete cost of the original algorithms (and variants) against CSIDH, nothing of this nature was previously available for the c-sieve.
This work fills that gap. Specifically, we generalize Kuperberg's collimation sieve to work for arbitrary finite cyclic groups, provide some practical efficiency improvements, give a classical (i.e., non-quantum) simulator, run experiments for a wide range of parameters up to the actual CSIDH-512 group order, and concretely quantify the complexity of the c-sieve against CSIDH.
Our main conclusion is that the proposed CSIDH parameters provide relatively little quantum security beyond what is given by the cost of quantumly evaluating the CSIDH group action itself (on a uniform superposition). For example, the cost of CSIDH-512 key recovery is only about quantum evaluations using bits of quantumly accessible classical memory (plus relatively small other resources). This improves upon a prior estimate of evaluations and qubits of quantum memory, for a variant of Kuperberg's original sieve.
Under the plausible assumption that quantum evaluation does not cost much more than what is given by a recent best-case analysis, CSIDH-512 can therefore be broken using significantly less than quantum T-gates. This strongly invalidates its claimed NIST level 1 quantum security, especially when accounting for the MAXDEPTH restriction. Moreover, under analogous assumptions for CSIDH-1024 and -1792, which target higher NIST security levels, except near the high end of the MAXDEPTH range even these instantiations fall short of level 1.
Orienteering with One Endomorphism
In supersingular isogeny-based cryptography, the path-finding problem reduces to the endomorphism ring problem. Can path-finding be reduced to knowing just one endomorphism? It is known that a small endomorphism enables polynomial-time path-finding and endomorphism ring computation (Love-Boneh [36]). An endomorphism gives an explicit orientation of a supersingular elliptic curve. In this paper, we use the volcano structure of the oriented supersingular isogeny graph to take ascending/descending/horizontal steps on the graph and deduce path-finding algorithms to an initial curve. Each altitude of the volcano corresponds to a unique quadratic order, called the primitive order. We introduce a new hard problem of computing the primitive order given an arbitrary endomorphism on the curve, and we also provide a sub-exponential quantum algorithm for solving it. In concurrent work (Wesolowski [54]), it was shown that the endomorphism ring problem in the presence of one endomorphism with known primitive order reduces to a vectorization problem, implying path-finding algorithms. Our path-finding algorithms are more general in the sense that we don't assume the knowledge of the primitive order associated with the endomorphism.
Comment: 40 pages, 1 figure; 3rd revision implements small corrections and expositional improvement.
Quantum Security Analysis of CSIDH
CSIDH is a recent proposal for post-quantum non-interactive key exchange, presented at ASIACRYPT 2018. Based on supersingular elliptic curve isogenies, it is similar in design to a previous scheme by Couveignes, Rostovtsev and Stolbunov, but aims at an improved balance between efficiency and security. In the proposal, the authors suggest concrete parameters in order to meet some desired levels of quantum security. These parameters are based on the hardness of recovering a hidden isogeny between two elliptic curves, using a quantum subexponential algorithm of Childs, Jao and Soukharev. This algorithm combines two building blocks: first, a quantum algorithm for recovering a hidden shift in a commutative group. Second, a computation in superposition of all isogenies originating from a given curve, which the algorithm calls as a black box.
In this paper, we give a comprehensive security analysis of CSIDH. Our first step is to revisit three quantum algorithms for the abelian hidden shift problem from the perspective of non-asymptotic cost. There are many possible tradeoffs between the quantum and classical complexities of these algorithms, and all of them should be taken into account by security levels. Second, we complete the non-asymptotic study of the black box in the hidden shift algorithm. This allows us to show that the parameters proposed by the authors of CSIDH do not meet their expected quantum security.