He Gives C-Sieves on the CSIDH
Recently, Castryck, Lange, Martindale, Panny, and Renes proposed
CSIDH (pronounced "sea-side") as a candidate post-quantum
commutative group action. It has attracted much attention and
interest, in part because it enables noninteractive
Diffie-Hellman-like key exchange with quite small
communication. Subsequently, CSIDH has also been used as a foundation
for digital signatures.
In 2003-04, Kuperberg and then Regev gave asymptotically
subexponential quantum algorithms for hidden shift problems, which
can be used to recover the CSIDH secret key from a public key. In
late 2011, Kuperberg gave a follow-up quantum algorithm called the
collimation sieve (c-sieve for short), which improves the
prior ones, in particular by using exponentially less quantum memory
and offering more parameter tradeoffs. While recent works have
analyzed the concrete cost of the original algorithms (and variants)
against CSIDH, nothing of this nature was previously available for the
c-sieve.
This work fills that gap. Specifically, we generalize Kuperberg's
collimation sieve to work for arbitrary finite cyclic groups, provide
some practical efficiency improvements, give a classical (i.e.,
non-quantum) simulator, run experiments for a wide range of parameters
up to the actual CSIDH-512 group order, and concretely quantify the
complexity of the c-sieve against CSIDH.
Our main conclusion is that the proposed CSIDH parameters provide
relatively little quantum security beyond what is given by the cost of
quantumly evaluating the CSIDH group action itself (on a uniform
superposition). For example, the cost of CSIDH-512 key recovery is
only about quantum evaluations using bits of
quantumly accessible classical memory (plus relatively small
other resources). This improves upon a prior estimate of
evaluations and qubits of quantum memory, for a
variant of Kuperberg's original sieve.
Under the plausible assumption that quantum evaluation does not cost
much more than what is given by a recent best case analysis,
CSIDH-512 can therefore be broken using significantly less
than quantum T-gates. This strongly invalidates its claimed
NIST level 1 quantum security, especially when accounting for the
MAXDEPTH restriction. Moreover, under analogous assumptions for
CSIDH-1024 and -1792, which target higher NIST security levels, except
near the high end of the MAXDEPTH range even these instantiations fall
short of level 1.
Counting superspecial Richelot isogenies by reduced automorphism groups (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)
The recent cryptanalysis by Costello and Smith [10] employed the subgraphs whose vertices consist of decomposed principally polarized abelian varieties, hence it is important to study these subgraphs in isogeny-based cryptography. Katsura and Takashima [22] initiated the investigation of the decomposed abelian surface subgraphs in the genus-2 case. This paper surveys that work, aiming to provide a kind of handbook for applying our results to cryptography.
CSIDH on the surface
For primes p ≡ 3 mod 4, we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ring Z[(1+√−p)/2], amounts to just a few sign switches in the underlying arithmetic. If p ≡ 7 mod 8 then horizontal 2-isogenies can be used to help compute the class group action. The formulas we derive for these 2-isogenies are very efficient (they basically amount to a single exponentiation in F_p) and allow for a noticeable speed-up, e.g., our resulting CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This improvement is completely orthogonal to all previous speed-ups, constant-time measures and constructions of cryptographic primitives that have appeared in the literature so far. At the same time, moving to the surface gets rid of the redundant factor Z_3 of the acting ideal-class group, which is present in the case of CSIDH and offers no extra security.
RISC-V Instruction Set Extensions for Multi-Precision Integer Arithmetic
Multi-Precision Integer (MPI) arithmetic is a performance-critical component of many public-key cryptosystems, including, besides classical ones (e.g., RSA, ECC), also isogeny-based post-quantum schemes. In this paper, we analyze and compare two widely-used MPI representations, namely full-radix and reduced-radix, for the efficient implementation of modular arithmetic operations on the 64-bit RISC-V (RV64GC) architecture. We also evaluate how the execution times of both can be further improved with Instruction Set Extensions (ISEs). The ISEs we propose are able to accelerate a CSIDH-512 class group action by a factor of 1.71 compared to a standard software implementation on a 64-bit Rocket core. This speed-up comes at the cost of a hardware overhead of about 10%.
SIDH-sign: an efficient SIDH PoK-based signature
We analyze and implement the SIDH PoK-based construction from De Feo, Dobson, Galbraith, and Zobernig. We improve the SIDH-PoK built-in functions to allow an efficient constant-time implementation. After that, we combine it with the Fiat-Shamir transform to get a SIDH PoK-based signature scheme that we label SIDH-sign for short. We suggest SIDH-sign-p377, SIDH-sign-p546, and SIDH-sign-p697 as instances that provide security comparable to NIST L1, L3, and L5. To the best of our knowledge, the three proposed instances provide the best performance among digital signature schemes based on isogenies.
Two remarks on the vectorization problem
We share two small but general observations on the vectorization problem for group actions, which appear to have been missed by the existing literature. The first observation is pre-quantum: explicit examples show that, for classical adversaries, the vectorization problem cannot in general be reduced to the parallelization problem. The second observation is post-quantum: by combining a method for solving systems of linear disequations due to Ivanyos with a Kuperberg-style sieve, one can solve the hidden shift problem, and therefore the vectorization problem, for any finite abelian -torsion group in polynomial time and using mostly classical work; here are any fixed non-negative integers and is any fixed prime number.
Post-Quantum Variants of ISO/IEC Standards: Compact Chosen Ciphertext Secure Key Encapsulation Mechanism from Isogenies
ISO/IEC standardizes several chosen-ciphertext-secure key encapsulation mechanism (KEM) schemes in ISO/IEC 18033-2. However, none of the ISO/IEC KEM schemes are quantum resilient. In this paper, we introduce new isogeny-based KEM schemes (i.e., CSIDH-ECIES-KEM and CSIDH-PSEC-KEM) by modifying the Diffie-Hellman-based KEM schemes in the ISO/IEC standards. The main advantage of our schemes is compactness. The key size and the ciphertext overhead of our schemes are smaller than those of SIKE, which was submitted to NIST's post-quantum cryptosystems standardization, under current security analyses.
SCALLOP:Scaling the CSI-FiSh
We present SCALLOP: SCALable isogeny action based on Oriented supersingular curves with Prime conductor, a new group action based on isogenies of supersingular curves. Similarly to CSIDH and OSIDH, we use the group action of an imaginary quadratic order's class group on the set of oriented supersingular curves. Compared to CSIDH, the main benefit of our construction is that it is easy to compute the class-group structure; this data is required to uniquely represent, and efficiently act by, arbitrary group elements, which is a requirement in, e.g., the CSI-FiSh signature scheme by Beullens, Kleinjung and Vercauteren. The index-calculus algorithm used in CSI-FiSh to compute the class-group structure has complexity L(1/2), ruling out class groups much larger than CSIDH-512, a limitation that is particularly problematic in light of the ongoing debate regarding the quantum security of cryptographic group actions. Hoping to solve this issue, we consider the class group of a quadratic order of large prime conductor inside an imaginary quadratic field of small discriminant. This family of quadratic orders lets us easily determine the size of the class group, and, by carefully choosing the conductor, even exercise significant control on it, in particular supporting highly smooth choices. Although evaluating the resulting group action still has subexponential asymptotic complexity, a careful choice of parameters leads to a practical speedup that we demonstrate in practice for a security level equivalent to CSIDH-1024, a parameter currently firmly out of reach of index-calculus-based methods. However, our implementation takes 35 seconds (resp. 12.5 minutes) for a single group-action evaluation at a CSIDH-512-equivalent (resp. CSIDH-1024-equivalent) security level, showing that, while feasible, the SCALLOP group action does not achieve realistically usable performance yet.
Radical Vélu Isogeny Formulae
We provide explicit radical -isogeny formulae for all odd integers . The formulae are compact closed-form expressions which require one th root computation and basic field operations. The formulae are highly efficient for computing a long chain of -isogenies, and have the potential to be extremely beneficial for speeding up certain cryptographic protocols such as CSIDH. Unfortunately, the formulae are conjectured, but we provide ample supporting evidence which strongly suggests their correctness.
For CSIDH-512, we notice an additional 35% speed-up when using radical isogenies up to , compared to the work by Castryck, Decru, Houben and Vercauteren, which uses radical isogenies up to only. The addition of our radical isogenies also speeds up the computation of larger class group actions in a comparable fashion.