
Security Analysis of Group Action Inverse Problem with Auxiliary Inputs with Application to CSIDH Parameters

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11975)

Abstract

In this paper, we consider the security of a problem called Group Action Inverse Problem with Auxiliary Inputs (GAIPwAI). The Group Action Inverse Problem (GAIP) plays an important role in the security of several isogeny-based cryptosystems, such as CSIDH, SeaSign and CSI-FiSh.

Briefly speaking, given two isogenous supersingular curves E and \(E'\) over \(\mathbb F_p\), where \(E'\) is defined by an ideal \(\mathfrak a\) in the \(\mathbb F_p\)-endomorphism ring of E and denoted by \(E' = [\mathfrak a]*E\), GAIP requires finding \(\mathfrak a \subset {\text {End}}_{\mathbb F_p}(E)\). The best known classical algorithm for it is based on the baby-step-giant-step method and runs in time \(O(p^{1/4})\).

In this paper, we show that if E and \(E'\) are given together with \([\mathfrak a^d]*E\) for a positive divisor d that divides the order of the class group of \({\mathbb Z}[\sqrt{-p}]\), then \(\mathfrak a\) can be computed in \(O\big ( ( p^{1/2} /d)^{1/2} + d^{1/2} \big )\) time complexity. In particular, when \(d \approx p^{1/4}\), it can be solved in time \(O( p^{1/8} )\) which is significantly less than \(O( p^{1/4} )\).

Applying the idea to CSIDH-512 parameters, we show that, if an additional isogenous curve \([\mathfrak a^d] * E\) is given, the security level of this cryptosystem reduces to 68-bit security instead of 128-bit security as originally believed.
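The abstract gives only the resulting cost; the following is an added example (my own Python, not code from the paper or from any CSIDH implementation) showing why an auxiliary curve \([\mathfrak a^d]*E\) with \(d\) dividing the class number lets the baby-step-giant-step search split into a search over a subgroup of order \(N/d\) and one over \(d\) cosets, giving \(O(\sqrt{N/d} + \sqrt{d})\) oracle calls instead of \(O(\sqrt{N})\). That two-stage split is the standard Cheon-style reduction and is my reconstruction of the mechanism, not a statement about the paper's exact algorithm. Assumptions, all constructed for the example: the class group is cyclic of order \(N\) (playing the role of \(p^{1/2}\)) with generator \(g\), so \(\mathfrak a = g^k\); curves are opaque labels produced by a secret permutation; and the solver's only capability is to ask an oracle for \([g^k]*E\) for a chosen \(k\), mirroring the ability to evaluate the action of a known ideal class. The names `ToyGroupAction`, `bsgs`, `solve_gaip`, `solve_gaip_aux` and `run_comparison` are mine.

```python
import math
import random
from typing import Dict, Optional

# Toy model, constructed for this example. The ideal-class group is assumed cyclic of
# order N with generator g, so every class is g^k. A "curve" is an opaque integer label
# assigned by a secret permutation, and the only thing the solver can do is ask the
# oracle for [g^k] * (curve), just as one can evaluate the action of a known ideal
# class in CSIDH. Oracle calls are counted as the unit of work.
class ToyGroupAction:
    def __init__(self, N: int, seed: int = 1) -> None:
        self.N = N
        self._labels = list(range(N))
        random.Random(seed).shuffle(self._labels)     # secret labelling of the orbit
        self._index = {lab: i for i, lab in enumerate(self._labels)}
        self.calls = 0

    def base_curve(self) -> int:
        """The public starting curve E."""
        return self._labels[0]

    def act(self, label: int, k: int) -> int:
        """Return the label of [g^k] * E_label (k may be negative)."""
        self.calls += 1
        return self._labels[(self._index[label] + k) % self.N]


def bsgs(oracle: ToyGroupAction, base: int, target: int, step: int, count: int) -> Optional[int]:
    """Baby-step giant-step: find t in [0, count) with [g^(step*t)] * base == target.
    Costs about 2*sqrt(count) oracle calls; returns None if no such t exists."""
    m = math.isqrt(count) + 1
    baby: Dict[int, int] = {}
    for j in range(m):                                # [g^(-step*j)] * target
        baby.setdefault(oracle.act(target, -step * j), j)
    for i in range(m):                                # [g^(step*m*i)] * base
        j = baby.get(oracle.act(base, step * m * i))
        if j is not None and m * i + j < count:
            return m * i + j
    return None


def solve_gaip(oracle: ToyGroupAction, E: int, E_prime: int, N: int) -> Optional[int]:
    """Plain GAIP: recover k with [g^k]*E = E' by BSGS over the whole group, O(sqrt N)."""
    return bsgs(oracle, E, E_prime, 1, N)


def solve_gaip_aux(oracle: ToyGroupAction, E: int, E_prime: int, E_d: int, N: int, d: int) -> int:
    """GAIPwAI: E_d = [g^(k*d)] * E is also given and d | N.
    Stage 1 searches the subgroup <g^d> of order N/d, stage 2 the d remaining cosets,
    so the cost is O(sqrt(N/d) + sqrt(d)) instead of O(sqrt N)."""
    if N % d:
        raise ValueError("d must divide the group order")
    n = N // d
    # Stage 1: k*d == d*(k mod n) (mod N), so E_d = [(g^d)^(k mod n)] * E.
    k0 = bsgs(oracle, E, E_d, d, n)
    if k0 is None:
        raise ValueError("stage 1 failed: E_d is not in the <g^d>-orbit of E")
    # Stage 2: k = k0 + n*t with 0 <= t < d, and E' = [g^(n*t)] * ([g^k0] * E).
    t = bsgs(oracle, oracle.act(E, k0), E_prime, n, d)
    if t is None:
        raise ValueError("stage 2 failed: inconsistent inputs")
    return (k0 + n * t) % N


def run_comparison(N: int, d: int, secret: int, seed: int = 7) -> dict:
    """Solve one instance with and without the auxiliary input; report oracle calls."""
    oracle = ToyGroupAction(N, seed)
    E = oracle.base_curve()
    E_prime = oracle.act(E, secret)           # E' = [g^k] * E
    E_d = oracle.act(E, secret * d)           # auxiliary input [g^(k d)] * E
    oracle.calls = 0
    k_plain = solve_gaip(oracle, E, E_prime, N)
    calls_plain = oracle.calls
    oracle.calls = 0
    k_aux = solve_gaip_aux(oracle, E, E_prime, E_d, N, d)
    return {"k_plain": k_plain, "calls_plain": calls_plain,
            "k_aux": k_aux, "calls_aux": oracle.calls}


if __name__ == "__main__":
    # N stands in for the class number (about p^(1/2)); d ~ N^(1/2) ~ p^(1/4) is the
    # regime in which the abstract's bound becomes O(p^(1/8)).
    print(run_comparison(N=2**20, d=2**10, secret=123456))
```

With \(N = 2^{20}\) and \(d = 2^{10}\) the plain search needs on the order of \(2 \cdot 2^{10}\) oracle calls while the two-stage search needs on the order of \(4 \cdot 2^{5}\), the same \(\sqrt{N}\) versus \(\sqrt{N/d} + \sqrt{d}\) gap the abstract describes. The defensive reading is the one the abstract draws for CSIDH-512: a protocol that exposes \([\mathfrak a^d]*E\) for a large divisor \(d\) of the class number, for instance by reusing a secret across related actions, should not be credited with the full \(p^{1/4}\) security margin.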



Author information

Correspondence to Taechan Kim.


Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Kim, T. (2020). Security Analysis of Group Action Inverse Problem with Auxiliary Inputs with Application to CSIDH Parameters. In: Seo, J. (ed.) Information Security and Cryptology – ICISC 2019. Lecture Notes in Computer Science, vol. 11975. Springer, Cham. https://doi.org/10.1007/978-3-030-40921-0_10

  • DOI: https://doi.org/10.1007/978-3-030-40921-0_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-40920-3

  • Online ISBN: 978-3-030-40921-0