
An Efficient Authenticated Key Exchange from Random Self-reducibility on CSIDH

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12593))

Abstract

SIDH and CSIDH are key exchange protocols based on isogenies and conjectured to be quantum-resistant. Since the protocols are similar to classical Diffie–Hellman, they are vulnerable to man-in-the-middle attacks. A key exchange that resists such an attack is called an authenticated key exchange (AKE), and many isogeny-based AKEs have been proposed. However, the parameter sizes of the existing schemes have to be large, since all of them suffer relatively large security losses in their security proofs. This is partly because the random self-reducibility of isogeny-based decisional problems has not yet been proved.

In this paper, we show that the computational problem and the gap problem of CSIDH are random self-reducible. A gap problem is a computational problem in which the solver is given access to the corresponding decision oracle. Moreover, as an application of the random self-reducibility of the gap problem of CSIDH, we propose a CSIDH-based AKE with small security loss, following the construction of Cohn-Gordon et al. in CRYPTO 2019. Our AKE is proved to be the fastest CSIDH-based AKE when aiming at the 110-bit security level.


Notes

  1. Informally, a reduction is simple if the reduction runs the adversary only once.

  2. As mentioned above, we assume that \(z = xy\) if and only if \(b = 1\) to avoid pathology.

  3. Similarly, the proof of Cohn-Gordon et al. can be considered as an application of the random self-reducibility of the stDH problem.

  4. In this case, the advantage of the adversary is zero.

References

  1. Bernstein, D.J., De Feo, L., Leroux, A., Smith, B.: Faster computation of isogenies of large prime degree. Cryptology ePrint Archive, Report 2020/341 (2020). https://eprint.iacr.org/2020/341

  2. Brendel, J., Fischlin, M., Günther, F., Janson, C., Stebila, D.: Towards post-quantum security for Signal's X3DH handshake. In: Selected Areas in Cryptography (SAC) 2020 (2020, to appear)

  3. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28

  4. Castryck, W., Decru, T.: CSIDH on the surface. Cryptology ePrint Archive, Report 2019/1404 (2019). https://eprint.iacr.org/2019/1404

  5. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  6. Castryck, W., Sotáková, J., Vercauteren, F.: Breaking the decisional Diffie–Hellman problem for class group actions using genus theory. Cryptology ePrint Archive, Report 2020/151 (2020). https://eprint.iacr.org/2020/151

  7. Cohn-Gordon, K., Cremers, C., Gjøsteen, K., Jacobsen, H., Jager, T.: Highly efficient key exchange protocols with optimal tightness. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 767–797. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_25

  8. Couveignes, J.-M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). https://eprint.iacr.org/2006/291

  9. de Kock, B., Gjøsteen, K., Veroni, M.: Practical isogeny-based key-exchange with optimal tightness. In: Selected Areas in Cryptography (SAC) 2020 (2020, to appear)

  10. Dobson, S., Galbraith, S.D.: On the degree-insensitive SI-GDH problem and assumption. Cryptology ePrint Archive, Report 2019/929 (2019). https://eprint.iacr.org/2019/929

  11. El Kaafarani, A., Katsumata, S., Pintore, F.: Lossy CSI-FiSh: efficient signature scheme with tight reduction to decisional CSIDH-512. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 157–186. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_6

  12. Fujioka, A., Takashima, K., Terada, S., Yoneyama, K.: Supersingular isogeny Diffie–Hellman authenticated key exchange. In: ICISC 2018, pp. 177–195 (2018)

  13. Fujioka, A., Takashima, K., Yoneyama, K.: One-round authenticated group key exchange from isogenies. In: Steinfeld, R., Yuen, T.H. (eds.) ProvSec 2019. LNCS, vol. 11821, pp. 330–338. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-31919-9_20

  14. Galbraith, S.D.: Authenticated key exchange for SIDH. Cryptology ePrint Archive, Report 2018/266 (2018). https://eprint.iacr.org/2018/266

  15. Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Inf. Process. 17(10), 265 (2018)

  16. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  17. Krawczyk, H.: HMQV: a high-performance secure Diffie–Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33

  18. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1

  19. Longa, P.: A note on post-quantum authenticated key exchange from supersingular isogenies. Cryptology ePrint Archive, Report 2018/267 (2018). https://eprint.iacr.org/2018/267

  20. Neukirch, J.: Algebraic Number Theory, vol. 322. Springer, Heidelberg (2013)

  21. Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Public Key Cryptography (PKC) 2001, pp. 104–118. Springer, Heidelberg (2001)

  22. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)

  23. Xu, X., Xue, H., Wang, K., Au, M.H., Tian, S.: Strongly secure authenticated key exchange from supersingular isogenies. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 278–308. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_11


Author information

Corresponding author: Tomoki Kawashima

Appendices

A Authenticated Key Exchange

In this section, we give a detailed proof of Theorem 17.

A.1 CCGJJ Security Model

First, we introduce the security model, which we call the CCGJJ model in this paper. This model was introduced in [7]. The most important difference between the CCGJJ model and the CK model [3] is that the adversary cannot reveal an oracle’s internal state, including its ephemeral secret key. In both models, we define a game between a challenger and an adversary, and the protocol is regarded as secure if the advantage of every efficient adversary is negligible.

Execution Environment. Here, we describe the mathematical model of the execution environment. We assume that there exist \(\mu \) users and that each user \(i\in \{1,\cdots ,\mu \}\) has a long-term public key \(pk_i\) and a long-term secret key \(sk_i\). We assume that each user i executes the protocol at most l times, and each execution is regarded as an oracle. User i’s s-th oracle is denoted by \(\pi _i^s\). \(\pi _i^s\) uses not only the user’s static key but also its own ephemeral key in the execution. Note that a static key belongs to the user, so two oracles of the same user use the same static key, whereas their ephemeral keys differ with high probability. Each invocation of the protocol is called a session, and the shared secret is called a session key.

Each oracle \(\pi _i^s\) has an intended peer, denoted by \(\mathrm{Pid}_i^s\). Also, the session key of \(\pi _i^s\) is denoted by \(k_i^s\), where \(k_i^s = \emptyset \) if \(\pi _i^s\) has not computed the session key yet. The oracles send messages to each other, and \(\mathrm{sent}_i^s / \mathrm{recv}_i^s\) are the messages sent/received by \(\pi _i^s\). Moreover, each oracle \(\pi _i^s\) has a role, \(\mathrm{role}_i^s \in \{\emptyset ,\mathrm{init},\mathrm{resp}\}\). Here, the role of an oracle is either initiator (denoted by \(\mathrm{init}\)) or responder (denoted by \(\mathrm{resp}\)). An initiator is an oracle that sends a message first, and the responder oracle follows. In Fig. 2, Alice’s oracle is the initiator and Bob’s oracle is the responder. Note that the responder oracle computes its session key first in the session, and the initiator follows.

To describe partnering between oracles, we define two notions:

Definition 18

(Origin oracle). \(\pi _j^t\) is an origin oracle of \(\pi _i^s\) if both oracles have completed their execution and the messages sent by \(\pi _j^t\) are equal to the messages received by \(\pi _i^s\), i.e., \(\mathrm{sent}_j^t = \mathrm{recv}_i^s\).

Definition 19

(Partner oracles). \(\pi _i^s\) and \(\pi _j^t\) are called partners if (1) \(\pi _j^t\) is an origin oracle of \(\pi _i^s\) and vice versa, (2) each oracle regards the other as its intended peer, i.e., \(\mathrm{Pid}_i^s = j\) and \(\mathrm{Pid}_j^t = i\), and (3) their roles are distinct, i.e., \(\mathrm{role}_i^s \ne \mathrm{role}_j^t\).

Attacker’s Model. Since each execution is regarded as an oracle, what the attacker can do is described as queries. In the CCGJJ model, the attacker can issue four queries: Send, RevLTK, RegisterLTK, and RevSessKey.

Send represents the adversary’s control of the network, i.e., a Send query allows the adversary to send an arbitrary message to an arbitrary oracle, or even to start an oracle. RevLTK and RevSessKey stand for Reveal Long-Term Key and Reveal Session Key: the adversary can reveal an arbitrary oracle’s long-term key or session key. A user whose long-term key is revealed with this query is said to be corrupted. RegisterLTK allows the adversary to add a new user; every oracle of a user added by this query is corrupted by definition.

Moreover, the adversary can issue a special query, \(\mathsf{Test}\).

Definition 20

(Test query). Assume \(b\in \{0,1\}\) is determined beforehand. If an adversary queries a Test query to \(\pi _i^s\), \(\pi _i^s\) returns \(k_b\), where \(k_0\) is a random key and \(k_1\) is its session key. This query is denoted as \(\mathsf{Test}(i,s)\).

Here, we note that all oracles use the same bit b. Next, we define when an oracle is fresh.

Definition 21

(Freshness). We say \(\pi _i^s\) is fresh if the following conditions hold: (1) \(\mathsf{RevSessKey}(i,s)\) has not been queried, (2) if \(\pi _j^t\) is the partner oracle of \(\pi _i^s\), neither \(\mathsf{Test}(j,t)\) nor \(\mathsf{RevSessKey}(j,t)\) has been issued, and (3) if \(\pi _i^s\) has an origin oracle, \(\mathrm{Pid}_i^s\) was not corrupted when \(\pi _i^s\) completed its execution, and otherwise \(\mathrm{Pid}_i^s\) is not corrupted at all.

The session key of a fresh oracle is not revealed by any query (it is fresh in this sense). So, if all tested oracles are fresh and the adversary can still guess b correctly, we conclude that the adversary breaks the AKE’s security. The following definition of the AKE security game describes this formally. We say that an AKE is secure if every efficient adversary has negligible advantage.
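As an added illustration (not part of the paper), the three definitions above can be encoded directly as predicates over a record of each oracle's state and of the queries the adversary has issued so far. The model below is a constructed one: messages are opaque strings, corruption and completion are tracked with a logical clock, and the names Oracle, Queries, is_origin_oracle, are_partners and is_fresh are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional

INIT, RESP = "init", "resp"          # role_i^s values; the empty role is None

@dataclass
class Oracle:
    """pi_i^s: user i's s-th protocol execution (constructed model)."""
    user: int                         # i
    idx: int                          # s
    pid: int                          # intended peer Pid_i^s
    role: Optional[str]               # INIT, RESP or None
    sent: list = field(default_factory=list)   # sent_i^s
    recv: list = field(default_factory=list)   # recv_i^s
    completed_at: Optional[int] = None         # logical time execution finished

@dataclass
class Queries:
    """What the adversary has asked so far."""
    corrupted_at: dict = field(default_factory=dict)  # user -> time of RevLTK / RegisterLTK
    rev_sess_key: set = field(default_factory=set)    # {(i, s)} with RevSessKey(i, s) issued
    tested: set = field(default_factory=set)          # {(i, s)} with Test(i, s) issued

def is_origin_oracle(src: Oracle, dst: Oracle) -> bool:
    """Definition 18: src is an origin oracle of dst."""
    return (src.completed_at is not None and dst.completed_at is not None
            and src.sent == dst.recv)

def are_partners(o1: Oracle, o2: Oracle) -> bool:
    """Definition 19: mutual origin oracles, mutual intended peers, distinct roles."""
    return (is_origin_oracle(o1, o2) and is_origin_oracle(o2, o1)
            and o1.pid == o2.user and o2.pid == o1.user
            and o1.role != o2.role)

def is_fresh(o: Oracle, oracles: list, q: Queries) -> bool:
    """Definition 21, conditions (1)-(3)."""
    me = (o.user, o.idx)
    if me in q.rev_sess_key:                                   # (1)
        return False
    for p in oracles:                                          # (2)
        if p is not o and are_partners(o, p):
            if (p.user, p.idx) in q.tested or (p.user, p.idx) in q.rev_sess_key:
                return False
    has_origin = any(p is not o and is_origin_oracle(p, o) for p in oracles)
    corrupted = q.corrupted_at.get(o.pid)
    if has_origin:                                             # (3), first clause
        return corrupted is None or corrupted > o.completed_at
    return corrupted is None                                   # (3), second clause

def example_session():
    """Alice (user 1) and Bob (user 2) run one honest session; the adversary then
    corrupts Bob after Alice has finished.  Returns (partners?, Alice fresh?)."""
    alice = Oracle(1, 1, pid=2, role=INIT, sent=["E_A, R"], recv=["E_B, S"], completed_at=6)
    bob = Oracle(2, 1, pid=1, role=RESP, sent=["E_B, S"], recv=["E_A, R"], completed_at=5)
    q = Queries(corrupted_at={2: 10})
    return are_partners(alice, bob), is_fresh(alice, [alice, bob], q)
```

The two clauses of condition (3) are what separate the cases: an oracle whose received messages came from an honest origin oracle stays fresh even if its peer is corrupted later, while an oracle whose messages were supplied by the adversary is fresh only if its peer is never corrupted.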

Definition 22

(AKE security game). Let \(\mathcal {C}\) be a challenger and \(\mathcal {A}\) be an adversary. The security game proceeds as follows:

  1. \(\mathcal {C}\) chooses \(\mu \) static key pairs \((sk_i,pk_i)\ (i=1,2,\cdots ,\mu )\) and a bit \(b\in \{0,1\}\) uniformly at random, and initializes all oracles.

  2. \(\mathcal {C}\) runs \(\mathcal {A}\) with inputs \(pk_1,\cdots ,pk_{\mu }\). The model allows \(\mathcal {A}\) to attack the oracles through queries, including Test queries. Here, \(\mathcal {A}\) must keep all tested oracles fresh; otherwise, the game aborts and \(b'\) is set to a random bit (Footnote 4).

  3. \(\mathcal {A}\) outputs \(b'\), a guess of b.

The advantage of an adversary is

$$\begin{aligned} \mathrm{Adv}_{\mathrm{prot}}^{\mathcal {A}}(\lambda ) = \left| \Pr [b'=b]-\frac{1}{2}\right| , \end{aligned}$$

where \(\lambda \) denotes a security parameter.

A.2 Detailed Security Proof of \(\mathrm{\Pi _{CSIDH}}\)

In this subsection, we give a proof of Theorem 17. First, we classify the oracles into five types in the same way as [7].

  • Type I: Initiator oracles whose response message is sent by a responder that has the same ctxt and whose intended peer is honest, i.e., not corrupted when the message is received.

  • Type II: Other initiators whose intended peer is honest until the initiator completes the execution.

  • Type III: Responder oracles whose initial message is sent by an initiator that has the same ctxt up to the responder message and whose intended peer is honest when the message is received.

  • Type IV: Other responders whose intended peer is honest until the responder completes the execution.

  • Type V: Oracles that are not of Type I, II, III, or IV; in other words, oracles whose intended peer is corrupted.

Note that Type I, II, III, and IV oracles are fresh, whereas Type V oracles are not fresh. So we only have to consider the first four types of oracles in the security proof, because the case in which a non-fresh oracle is tested does not need to be handled.

Again, the security theorem is as follows:

Theorem 17

Let \(\mathcal {A}\) be an adversary against Protocol \(\mathrm{\Pi _{CSIDH}}\) in the CCGJJ model under the random oracle model, and assume we use \([-m,m]^n\) as the secret key space of CSIDH for positive integers m, n. Then, there are adversaries \(\mathcal {B}_1,\mathcal {B}_2,\mathcal {B}_3\) against the CSI-stDH problem such that

where \(\mu \) and l are the number of users and the maximum number of sessions per user, respectively. Moreover, the adversaries \(\mathcal {B}_1,\mathcal {B}_2,\mathcal {B}_3\) all run in essentially the same time as \(\mathcal {A}\) and make essentially the same number of queries to the hash oracle H.

In this Appendix, we give a proof of this theorem.

Proof

We prove this theorem by changing the game little by little; this technique is called the “game-hopping” technique. Let \(S_j\ (j=0,1,\cdots ,5)\) be the event that the adversary wins in Game j.

Game 0. Game 0 is the original security game.

Game 1. In Game 1, we abort if two initiators or responders have the same ctxt. Since the size of our key space is \((2m+1)^n\), we have

$$\begin{aligned} |\Pr [S_0] - \Pr [S_1]| \le \frac{\mu l^2}{(2m+1)^n} \end{aligned}$$
(2)

Game 2. In Game 2, the oracles change the way they choose their session keys. Intuitively, they try to choose their session key uniformly at random, not using the hash function.

For example, let \(\pi _j^t\) be a Type IV oracle with \(sk_j = [\mathfrak {b}]\) and \(pk_j = \mathfrak {B}\). Also, let \(\pi _j^t\)’s ephemeral secret key and ephemeral public key be \([\mathfrak {s}]\) and \(\mathfrak {S}\). Moreover, for \(i = \mathrm{Pid}_j^t\), let i’s long-term public key and ephemeral public key be \(\mathfrak {A}\) and \(\mathfrak {R}\), respectively.

Then, \(\pi _j^t\) has to query

$$\begin{aligned} x=\hat{i}||\hat{j}||\mathcal {M}(\mathfrak {A})||\mathcal {M}(\mathfrak {B})||\mathcal {M}(\mathfrak {R})||\mathcal {M}(\mathfrak {S})||\mathcal {M}([\mathfrak {s}]\mathfrak {A})||\mathcal {M}([\mathfrak {b}]\mathfrak {R})||\mathcal {M}([\mathfrak {s}]\mathfrak {R}) \end{aligned}$$

to the hash oracle in Game 1. If x has not been queried or “registered” to the random oracle, then \(\pi _j^t\) takes its session key k uniformly at random and “registers” (x, k). If \((x,k')\) is already registered to the random oracle, then \(\pi _j^t\) sets its session key to \(k'\). At the beginning of the game, no queries are registered.

The other types of oracles choose their session keys in similar ways, so we omit the description. For further details, see [7].

The random oracle model ensures that no difference is observable by \(\mathcal {A}\), so we have
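As an added worked example (not code from the paper), the following models the session-key derivation that the hash input above describes, together with the Game 2 bookkeeping. The class group action is replaced by a toy torsor (Z/N acting on itself by addition), which keeps the commutativity the derivation relies on and has no hardness whatsoever; N, the base curve label E0 and the generator labels are constructed values. The message flow is inferred from the hash input in (4) and from commutativity of the action, since the definition of \(\mathrm{\Pi _{CSIDH}}\) itself is not in this excerpt; SHA-256 is an assumed instantiation of H, and all function names are this example's own.

```python
import hashlib
import secrets
from fractions import Fraction

# Toy hard homogeneous space used in place of the CSIDH class group action:
# the group Z/N acts on the set Z/N by addition.  It keeps the algebra the
# protocol relies on (commutative, free, transitive) and none of the hardness.
# N, the base curve label E0 and the generator labels are constructed values.
N = (1 << 127) - 1
E0 = 0

def act(a, E):
    """[a]E in the toy torsor."""
    return (E + a) % N

def class_from_exponents(e, gens):
    """(e_1,...,e_n) in [-m,m]^n  ->  [l_1^e_1 ... l_n^e_n]; gens stand in for [l_i]."""
    return sum(ei * gi for ei, gi in zip(e, gens)) % N

def sample_exponents(m, n):
    return [secrets.randbelow(2 * m + 1) - m for _ in range(n)]

def mont(E):
    """Montgomery coefficient M(E); in the toy model the curve is its label."""
    return E.to_bytes(16, "big")

def hash_input(i, j, A, B, R, S, W1, W2, W3):
    """x = i||j||M(A)||M(B)||M(R)||M(S)||M(W1)||M(W2)||M(W3) with fixed-width
    fields (4-byte identities, 16-byte coefficients) so it parses unambiguously."""
    return (i.to_bytes(4, "big") + j.to_bytes(4, "big")
            + b"".join(mont(E) for E in (A, B, R, S, W1, W2, W3)))

def responder_hash_input(i, j, A, R, b, s):
    """Responder j (static [b], ephemeral [s]) given initiator i's curves A, R."""
    B, S = act(b, E0), act(s, E0)
    return hash_input(i, j, A, B, R, S, act(s, A), act(b, R), act(s, R))

def initiator_hash_input(i, j, B, S, a, r):
    """Initiator i (static [a], ephemeral [r]) recomputes the same three shared
    curves by commutativity: [a]S = [s]A, [r]B = [b]R, [r]S = [s]R."""
    A, R = act(a, E0), act(r, E0)
    return hash_input(i, j, A, B, R, S, act(a, S), act(r, B), act(r, S))

class LazyRandomOracle:
    """Game 2 bookkeeping: the first time x is seen a key is drawn uniformly and
    (x, k) is registered; any later query for x returns the registered k."""
    def __init__(self):
        self.table = {}

    def query(self, x):
        if x not in self.table:
            self.table[x] = secrets.token_bytes(32)
        return self.table[x]

def real_hash(x):
    """Games 0 and 1: the session key is H(x); SHA-256 is an assumed instantiation."""
    return hashlib.sha256(x).digest()

def run_session(m=5, n=74, i=1, j=2):
    """One honest exchange: returns the hash inputs computed by each side."""
    gens = [secrets.randbelow(N) for _ in range(n)]
    a = class_from_exponents(sample_exponents(m, n), gens)   # i's static key
    b = class_from_exponents(sample_exponents(m, n), gens)   # j's static key
    r = class_from_exponents(sample_exponents(m, n), gens)   # i's ephemeral key
    s = class_from_exponents(sample_exponents(m, n), gens)   # j's ephemeral key
    A, R = act(a, E0), act(r, E0)        # initiator's message
    B, S = act(b, E0), act(s, E0)        # responder's message
    return (initiator_hash_input(i, j, B, S, a, r),
            responder_hash_input(i, j, A, R, b, s))

def ctxt_collision_bound(mu, l, m, n):
    """Game 1: probability bound mu * l^2 / (2m+1)^n that two initiators or two
    responders share a ctxt."""
    return Fraction(mu * l * l, (2 * m + 1) ** n)
```

Because both sides feed byte-identical x into the oracle, the lazily sampled table returns the same key to both, which is exactly why Game 2 is indistinguishable from Game 1: a consistent table of uniformly drawn values is a random oracle.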

$$\begin{aligned} \Pr [S_1] = \Pr [S_2]. \end{aligned}$$
(3)

Game 3. In this game, Type IV oracles choose their session keys uniformly at random and do not modify the hash oracle unless their intended peer is corrupted.

Let \(\pi _j^t\) be a Type IV responder and use the same notation as in Game 2. Then, \(\pi _j^t\) must have queried

$$\begin{aligned} \begin{array}{l} x=\hat{i}||\hat{j}||\mathcal {M}(\mathfrak {A})||\mathcal {M}(\mathfrak {B})||\mathcal {M}(\mathfrak {R})||\mathcal {M}(\mathfrak {S})||\mathcal {M}([\mathfrak {s}]\mathfrak {A})||\mathcal {M}([\mathfrak {b}]\mathfrak {R})||\mathcal {M}([\mathfrak {s}]\mathfrak {R}) \end{array} \end{aligned}$$
(4)

in Game 2. If no query of the form (4) is made before user i is corrupted, Game 2 and Game 3 are identical. So, defining \(F_i\) as the event that such a query is made, we have

$$\begin{aligned} |\Pr [S_2]-\Pr [S_3]|\le \sum _{i} \Pr [F_i]. \end{aligned}$$

In order to make our proof simple, we define event \(G_i\) as the event that queries of the form

$$\begin{aligned} \begin{array}{c} \hat{i}||\hat{j}||\mathcal {M}(\mathfrak {A})||\mathcal {M}(\mathfrak {B})||\mathcal {M}(\mathfrak {R})||\mathcal {M}(\mathfrak {S})||\mathcal {M}(\mathfrak {W})||\ \star \ ||\ \star \ , \mathfrak {W} = [\mathfrak {as}]E \end{array} \end{aligned}$$
(5)

are made before user i is corrupted. The symbol \(\star \) means an arbitrary element. Since \(\Pr [F_i] \le \Pr [G_i]\) holds, we have

$$\begin{aligned} |\Pr [S_2]-\Pr [S_3]|\le \sum _{i} \Pr [G_i]. \end{aligned}$$
(6)

We can bound the right-hand side by the advantage of a CSI-stDH adversary.

CSI-stDH Adversary \(\mathcal {B}_1\). The reduction \(\mathcal {B}_1\) is an algorithm whose inputs are two elliptic curves \((E_1,E_2)=([\mathfrak {x}]E,[\mathfrak {y}]E)\in \mathcal {E}ll(\mathcal {O})^2\), and output is an elliptic curve \(E_3\). The advantage of \(\mathcal {B}_1\) is \(\Pr [E_3=[\mathfrak {xy}]E]\).

When \(\mathcal {B}_1\) is given a tuple \((E_1,E_2)\in \mathcal {E}ll(\mathcal {O})^2\), it chooses a user i uniformly at random and sets its static public key to \(E_1\). Then, for every Type IV responder, \(\mathcal {B}_1\) sets its ephemeral public key to \([\mathfrak {\rho }]E_2\), where each \([\mathfrak {\rho }]\in \mathcal {C}l(\mathcal {O})\) is sampled in the same way as in key generation. Here, \([\mathfrak {\rho }]\) is chosen independently for every Type IV responder.

Suppose that \(G_i\) happens in Game 2. Then, a query of the form (5) is made to the random oracle before user i is corrupted. The simulator can detect this query by querying . If the answer is true, \(\mathcal {B}_1\) outputs \([\rho ]^{-1}\mathfrak {W}\), which means whenever \(G_i\) happens, the simulator can answer the CSI-stDH problem correctly. So we have

(7)

From (6),(7), it is obvious that

(8)

We note here that other hash queries in which the identity i is included can be detected using oracle.

For Games 4 and 5, the proof is similar to [7], so we only give an intuitive proof.

Game 4. In Game 4, all Type III responders choose their session key at random and do not modify the hash oracle.

Assume that the adversary \(\mathcal {B}_2\) is given a CSI-stDH instance \((E_1,E_2)\). Then, for all Type I or II oracles, \(\mathcal {B}_2\) generates random elements \([\rho _1]\in \mathcal {C}l(\mathcal {O})\) independently and sets their ephemeral public keys to \([\rho _1]E_1\). Similarly, Type III oracles have ephemeral public keys \([\rho _2]E_2\). If the adversary against Game 3 does not make any hash query corresponding to a Type III oracle, Game 4 is identical to Game 3, whereas if such a query is made, \(\mathcal {B}_2\) can solve the strong CSIDH problem. Here, we have

(9)

Game 5. In Game 5, all Type II initiator oracles choose their session key at random and do not modify the hash oracle unless their intended peer is corrupted. The proof is identical to that of Game 3, so we have

(10)

for an adversary \(\mathcal {B}_3\) against the strong CSIDH problem.

Since all honest oracles choose their session keys uniformly at random in Game 5, the advantage of an arbitrary adversary against Game 5 is strictly 0. Then, we have

$$\begin{aligned} \Pr [S_5] = \frac{1}{2}. \end{aligned}$$
(11)

Combining (2), (3), (8), (9), (10), and (11), we have

Here, we complete the proof.    \(\square \)

B CSIDH

In this section, we introduce the detailed protocol of CSIDH.

B.1 CSIDH as an Instantiation of HHS

In CSIDH, HHS is realized with the ideal class group of an imaginary quadratic field and supersingular elliptic curves. In this subsection, we see how the ideal class group \(\mathcal {C}\ell (\mathcal {O})\) for an order \(\mathcal {O}\) acts on \(\mathcal {E}\ell \ell _p (\mathcal {O})\), the set of \(\mathbb {F}_p\)-isomorphic classes of supersingular elliptic curves whose \(\mathbb {F}_p\)-endomorphism ring is isomorphic to \(\mathcal {O}\).

Ideal Class Group. Let K be an imaginary quadratic field and \(\mathcal {O}\subset K\) be an order, a subring which is a free \(\mathbb {Z}\)-module of rank 2. Then, a fractional ideal of \(\mathcal {O}\) is an \(\mathcal {O}\)-submodule of K which can be written in the form of \(\alpha \mathfrak {a}\), where \(\alpha \in K^{\times }\) and \(\mathfrak {a}\) is an ideal of \(\mathcal {O}\). Note that a multiplication of fractional ideals is induced by the multiplication of ideals naturally. We say a fractional ideal \(\mathfrak {a}\) is invertible when there exists a fractional ideal \(\mathfrak {b}\) such that \(\mathfrak {ab}=\mathcal {O}\).

The set of all invertible fractional ideals \(I(\mathcal {O})\) forms an abelian group under the above multiplication, and the set of all principal ideals \(P(\mathcal {O})\) is a (normal) subgroup of \(I(\mathcal {O})\). So we can define the quotient group \(\mathcal {C}l(\mathcal {O}) = I(\mathcal {O})/P(\mathcal {O})\), which is called the ideal class group of \(\mathcal {O}\). We denote the class containing \(\mathfrak {a}\in I(\mathcal {O})\) by \([\mathfrak {a}]\). For more details, see [20].

The Action on Supersingular Elliptic Curves. For an order \(\mathcal {O}\) in an imaginary quadratic field K, we define \(\mathcal {E}\ell \ell _p (\mathcal {O})\) as a set of isomorphism classes of elliptic curves E over \(\mathbb {F}_p\) such that \(\mathrm{End}_{\mathbb {F}_p}(E)\simeq \mathcal {O}\). Here, \(\mathrm{End}_{\mathbb {F}_p}(E)\) is the ring of \(\mathbb {F}_p\)-endomorphisms of E.

Now, we define a group action of \(\mathcal {C}l(\mathcal {O})\) on \(\mathcal {E}\ell \ell _p (\mathcal {O})\). Fix \([\mathfrak {a}]\in \mathcal {C}l(\mathcal {O})\) and \(E\in \mathcal {E}\ell \ell _p (\mathcal {O})\); then there uniquely exist a nonnegative integer r and \([\mathfrak {a}_s]\in \mathcal {C}l(\mathcal {O})\) such that \([\mathfrak {a}] = [(\pi \mathcal {O})]^r [\mathfrak {a}_s]\) and \(\mathfrak {a}_s \not \subseteq \pi \mathcal {O}\), where \(\pi \) denotes the Frobenius map. For such \([\mathfrak {a}_s]\), we take an isogeny \(\psi \) from E with \(\ker \psi = \bigcap _{\alpha \in \mathfrak {a}_s} \ker \alpha \). Then, for \([\mathfrak {a}]\), we take the isogeny \(\pi ^r\psi \), whose codomain is denoted by \([\mathfrak {a}]E\). One can easily show that this correspondence satisfies the conditions of a group action. A Hard Homogeneous Space can be constructed from this action.

B.2 Detailed Description of CSIDH

Let \(\ell _1\dots \ell _n\) be small distinct odd primes such that \(p=4\ell _1\cdots \ell _n-1\) is prime for some n. We can efficiently compute the class group action of \(\mathfrak {l}_i = (\ell _i, \pi -1)\) and \(\mathfrak {l}_i^{-1} = (\ell _i, \pi +1)\), since we only have to find an \(\ell _i\)-torsion point.

Moreover, it is heuristically assumed that the map sending \((e_1,\dots ,e_n) \in [-m,m]^n\) to \(\mathfrak {l}_1^{e_1}\mathfrak {l}_2^{e_2}\cdots \mathfrak {l}_n^{e_n} \in \mathcal {C}\ell (\mathbb {Z}[\sqrt{-p}])\) is almost bijective when m satisfies \((2m+1)^n \ge \#\mathcal {C}l(\mathbb {Z}[\sqrt{-p}])\). So we can choose \(e_1,\dots , e_n\) instead of \([\mathfrak {a}]\), and its action can be computed efficiently. In this case, the size of the key space is approximately \((2m+1)^n\).

Here, we describe how the protocol proceeds between Alice and Bob. Fix \(E_0\in \mathcal {E}ll_p(\mathbb {Z}[\sqrt{-p}])\) as a public parameter. First, Alice chooses \(e_i\in [-m,m]\) for \(i=1,2,\dots ,n\) uniformly at random, and computes \(E_A = [\mathfrak {a}]E_0\), where \([\mathfrak {a}] = [\mathfrak {l}_1^{e_1}\mathfrak {l}_2^{e_2}\cdots \mathfrak {l}_n^{e_n}]\). Then, Alice sends \(E_A\) to Bob. Bob also computes \(E_B = [\mathfrak {b}]E_0\), and sends it to Alice. Finally, Alice computes \([\mathfrak {a}]E_B\), and Bob computes \([\mathfrak {b}]E_A\). The shared secret is \(\mathcal {M}([\mathfrak {a}]E_B) = \mathcal {M}([\mathfrak {b}]E_A)\), where \(\mathcal {M}\) denotes the Montgomery coefficient.

C Random Self-reducibility of the CSI-stDH Problem

In this section, we prove the random self-reducibility of the CSI-stDH problem. Here, we use another definition of the random self-reducibility. First, we define the CSI-stMDH problem, the multi-instance version of the CSI-stDH problem.

Problem 18

(Commutative Supersingular Isogeny strong Multi Diffie–Hellman (CSI-stMDH) Problem). Assume that a large prime p with \(p\equiv 3\mod 4\) and an elliptic curve \(E \in \mathcal {E}ll_p(\mathcal {O})\) for \(\mathcal {O}=\mathbb {Z}[\sqrt{-p}]\) are given. Then, given \((\mathfrak {X} = [\mathfrak {x}] E; (\mathfrak {Y}_i = [\mathfrak {y}_i] E)_{i \in [S]})\), the CSI-stMDH problem with parameter S is to compute \([\mathfrak {x} \mathfrak {y}_j] E\) for an index j chosen by the solver. Here, the solver is given access to the decision oracle CSI-stDH\(_{\mathfrak {x}}(\cdot , \cdot )\).

For an adversary \(\mathcal {A}\) whose output is \(E'\), the advantage of \(\mathcal {A}\) is defined as .

In this subsection, we say that CSI-stDH is random self-reducible if we can reduce the CSI-stDH problem to the CSI-stMDH problem tightly. The only difference from Definition 3 is that we fix the first curve \(\mathfrak {X}\). Although we could prove the random self-reducibility of the CSI-stDH problem in a similar way following Definition 3, we use this definition here so that the analogy with the security proof of \(\mathrm{\Pi _{CSIDH}}\) is easy to see. Indeed, \(\mathfrak {X}\) corresponds to user i’s long-term public key in the security proof in Sect. A, and the \(\mathfrak {Y}_i\)’s correspond to the ephemeral public keys of the oracles whose intended peer is i.

Here, our goal is to prove the random self-reducibility of the CSI-stDH problem, i.e., the existence of a tight reduction from the CSI-stDH problem to the CSI-stMDH problem:

Corollary 19

(Random Self-Reducibility of the CSI-stDH Problem). For an arbitrary adversary \(\mathcal {A}\) against the CSI-stMDH problem with parameter S, there is an adversary \(\mathcal {B}\) against the CSI-stDH problem such that

hold.

Proof

For an instance \((\mathfrak {X}, \mathfrak {Y}) = ([\mathfrak {x}]E, [\mathfrak {y}]E)\) of the CSI-stDH problem, \(\mathcal {B}\) generates random ideal classes \([\eta _i] \in \mathcal {C}\ell (\mathcal {O})\) for \(i \in [S]\). Then, \(\mathcal {B}\) generates a CSI-stMDH instance \((\mathfrak {X}; ([\eta _i] \mathfrak {Y})_{i\in [S]})\) and inputs it to \(\mathcal {A}\). If \(\mathcal {A}\) outputs \(\mathfrak {Z}_j\) for some \(j \in [S]\), \(\mathcal {B}\) outputs \([\eta _j]^{-1} \mathfrak {Z}_j\). For each decision query made by \(\mathcal {A}\), \(\mathcal {B}\) forwards it to its own oracle. Here, whenever \(\mathcal {A}\) succeeds, \(\mathcal {B}\) answers the CSI-stDH problem correctly, which completes the proof.    \(\square \)

Remark 20

If we use Definition 3 as the definition of random self-reducibility, we also rerandomize the first curve \(\mathfrak {X}\) as \(\mathfrak {X}_i = [\xi _i] \mathfrak {X}\) for randomly chosen \([\xi _i] \in \mathcal {C}\ell (\mathcal {O})\). Here, to prove random self-reducibility, we have to answer the decision queries for every i. However, since

$$\begin{aligned} E_2 = [\xi _i \mathfrak {x}] E_1 \Leftrightarrow [\xi _i^{-1}]E_2 = [\mathfrak {x}] E_1, \end{aligned}$$

we have , thus we can simulate the oracles perfectly.
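The reduction in the proof of Corollary 19 and the oracle simulation of Remark 20 are both small enough to be written out in full. The following is an added example (not the paper's code) that does so over the same toy torsor as before, Z/N acting on itself by addition, in place of the class group action; it keeps the rerandomise-and-unwrap algebra and none of the hardness. N and E0 are constructed values, and the toy CSI-stMDH solver deliberately cheats by reading \([\mathfrak {x}]\) off the instance, which the additive model allows and the real action does not; its only purpose is to exercise the reduction. All names are this example's own.

```python
import secrets

# Toy torsor standing in for the class group action (constructed, not hard).
N = (1 << 127) - 1
E0 = 0                       # base curve E

def act(a, E):
    """[a]E."""
    return (E + a) % N

def inv(a):
    """[a]^{-1}."""
    return (-a) % N

def compose(a, b):
    """[a][b] = [ab]."""
    return (a + b) % N

def sample_class():
    return secrets.randbelow(N)

def decision_oracle(x):
    """CSI-stDH_x(E1, E2): does E2 equal [x]E1?"""
    return lambda E1, E2: E2 == act(x, E1)

def reduction_B(X, Y, oracle_x, solver, S):
    """B of Corollary 19: rerandomise Y into S curves [eta_i]Y, run the
    CSI-stMDH solver on (X; (Y_i)), forward its decision queries unchanged and
    unwrap the answer Z_j = [x eta_j y]E as [eta_j]^{-1} Z_j = [xy]E."""
    etas = [sample_class() for _ in range(S)]
    Ys = [act(eta, Y) for eta in etas]
    j, Zj = solver(X, Ys, oracle_x)
    return act(inv(etas[j]), Zj)

def toy_stmdh_solver(X, Ys, oracle_x):
    """Stands in for adversary A.  In the toy torsor [x] is simply X - E0, which
    is exactly what is infeasible for the real action.  A confirms its candidate
    through the decision oracle, as a gap-problem solver may, before answering."""
    x = (X - E0) % N
    j = len(Ys) - 1
    Zj = act(x, Ys[j])
    if not oracle_x(Ys[j], Zj):
        raise RuntimeError("decision oracle rejected the candidate")
    return j, Zj

def rerandomised_oracle(oracle_x, xi):
    """Remark 20: the oracle for [xi x] answered from the oracle for [x], since
    E2 = [xi x]E1  <=>  [xi^{-1}]E2 = [x]E1."""
    return lambda E1, E2: oracle_x(E1, act(inv(xi), E2))

def demo(S=8):
    """Returns (reduction correct?, simulated oracle correct?)."""
    x, y = sample_class(), sample_class()
    X, Y = act(x, E0), act(y, E0)
    Z = reduction_B(X, Y, decision_oracle(x), toy_stmdh_solver, S)
    ok_reduction = Z == act(compose(x, y), E0)
    xi, E1 = sample_class(), sample_class()
    sim = rerandomised_oracle(decision_oracle(x), xi)
    good = act(compose(xi, x), E1)
    ok_sim = sim(E1, good) and not sim(E1, act(1, good))
    return ok_reduction, ok_sim
```

Note that B never touches the decision queries: because the first curve X is the same in both instances, A's oracle for \([\mathfrak {x}]\) is B's own oracle, which is what makes the reduction tight and free of any guessing. Only when X itself is rerandomised, as in Remark 20, does B have to translate each query through \([\xi _i]^{-1}\).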

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Kawashima, T., Takashima, K., Aikawa, Y., Takagi, T. (2021). An Efficient Authenticated Key Exchange from Random Self-reducibility on CSIDH. In: Hong, D. (ed.) Information Security and Cryptology – ICISC 2020. Lecture Notes in Computer Science, vol 12593. Springer, Cham. https://doi.org/10.1007/978-3-030-68890-5_4

  • DOI: https://doi.org/10.1007/978-3-030-68890-5_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-68889-9

  • Online ISBN: 978-3-030-68890-5