CSI-FiSh: Efficient Isogeny Based Signatures Through Class Group Computations
In this paper we report on a new record class group computation of an imaginary quadratic field having a 154-digit discriminant, surpassing the previous record of 130 digits. This class group is central to the CSIDH-512 isogeny based cryptosystem, and knowing the class group structure and relation lattice implies efficient uniform sampling and a canonical representation of its elements. Both operations were impossible before and allow us to instantiate an isogeny based signature scheme first sketched by Stolbunov. We further optimize the scheme using multiple public keys and Merkle trees, following an idea by De Feo and Galbraith. We also show that including quadratic twists allows the public key size to be cut in half for free. Optimizing for signature size, our implementation takes 390 ms to sign/verify and results in signatures of 263 bytes, at the expense of a large public key. This is 300 times faster and over 3 times smaller than an optimized version of SeaSign for the same parameter set. Optimizing for public key and signature size combined results in a total size of 1468 bytes, which is smaller than any other post-quantum signature scheme at the 128-bit security level.
Keywords: Isogeny based cryptography, Digital signature, Class group, Group action, Fiat-Shamir
We would like to thank the department of Electrical Engineering at KU Leuven for providing the necessary computing power through the HTCondor framework. Many thanks also to Léo Ducas for computing the HKZ basis of the relation lattice and discussions on CVP solvers.