Security Analysis of Group Action Inverse Problem with Auxiliary Inputs with Application to CSIDH Parameters

  • Taechan Kim
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11975)


In this paper, we consider the security of a problem called Group Action Inverse Problem with Auxiliary Inputs (GAIPwAI). The Group Action Inverse Problem (GAIP) plays an important role in the security of several isogeny-based cryptosystems, such as CSIDH, SeaSign and CSI-FiSh.

Briefly speaking, given two isogenous supersingular curves E and \(E'\) over \(\mathbb F_p\), where \(E'\) is defined by an ideal \(\mathfrak a\) in the \(\mathbb F_p\)-endomorphism ring of E and denoted by \(E' = [\mathfrak a]*E\), GAIP asks for \(\mathfrak a \subset {\text {End}}_{\mathbb F_p}(E)\). The best known classical algorithm is a baby-step giant-step search over the class group, which has roughly \(p^{1/2}\) elements, so it runs in time \(O(p^{1/4})\).

In this paper, we show that if E and \(E'\) are given together with \([\mathfrak a^d]*E\) for a positive divisor d of the order of the class group of \({\mathbb Z}[\sqrt{-p}]\), then \(\mathfrak a\) can be computed in time \(O\big ( ( p^{1/2} /d)^{1/2} + d^{1/2} \big )\). The first term comes from recovering \(\mathfrak a^d\) and the second from recovering \(\mathfrak a\) once \(\mathfrak a^d\) is known (in a cyclic class group, \(\mathfrak a^d\) takes only \(p^{1/2}/d\) values, and each value leaves d candidates for \(\mathfrak a\)). In particular, when \(d \approx p^{1/4}\), both terms are \(p^{1/8}\), so the problem can be solved in time \(O( p^{1/8} )\), significantly less than \(O( p^{1/4} )\).

Applying the idea to CSIDH-512 parameters, we show that, if an additional isogenous curve \([\mathfrak a^d] * E\) is given, the security level of this cryptosystem reduces to 68-bit security instead of 128-bit security as originally believed.
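The following is an added illustration, not code from the paper or from any CSIDH implementation, of the two-phase search behind the \(O\big ( ( p^{1/2} /d)^{1/2} + d^{1/2} \big )\) bound. It models the class group as a cyclic group \(\mathbb Z/N\) of known order N with a fixed generator g (an assumption of the toy; the secret ideal \(\mathfrak a\) then corresponds to an exponent \(\alpha\)), and replaces the isogeny action by a hidden-permutation action that can only be evaluated, not inverted. With \(N \approx p^{1/2}\), the action evaluations counted here are the operations the complexity bound counts. The names `ToyGroupAction`, `bsgs`, `gaip_with_auxiliary_input` and `demo`, and the parameters \(N = 2^{20}\), \(d = 2^{10}\), are the example's own.

```python
import math
import random


class ToyGroupAction:
    """Free, transitive action of the cyclic group Z/N on a set of N points.

    Constructed toy standing in for the class group of Z[sqrt(-p)] acting on
    supersingular curves over F_p: the points carry labels from a secret random
    permutation, so the only way to relate two points is to evaluate the
    action, as with isogeny computations. `calls` counts action evaluations,
    the unit in which the attack cost is measured.
    """

    def __init__(self, order, rng):
        self.N = order
        self.labels = list(range(order))
        rng.shuffle(self.labels)                 # hides the Z/N structure
        self.index = {lab: i for i, lab in enumerate(self.labels)}
        self.calls = 0

    def act(self, e, x):
        """Return [g^e] * x for the fixed generator g of the class group."""
        self.calls += 1
        return self.labels[(self.index[x] + e) % self.N]


def bsgs(ga, base, target, step, bound):
    """Find i in [0, bound) with [g^(step*i)] * base == target.

    Baby-step giant-step on the action: at most about 2*sqrt(bound) calls to
    act(). Returns None when no such i exists.
    """
    m = math.isqrt(bound - 1) + 1                # ceil(sqrt(bound)), so m*m >= bound
    baby = {}
    for r in range(m):                           # baby steps [g^(step*r)] * base
        baby.setdefault(ga.act(step * r, base), r)
    giant = (-step * m) % ga.N                   # one giant step pulls target back by m
    y = target
    for q in range(m):
        r = baby.get(y)
        if r is not None and q * m + r < bound:
            return q * m + r
        y = ga.act(giant, y)
    return None


def gaip_with_auxiliary_input(ga, E, Ea, Ead, d):
    """Recover alpha from E, [g^alpha]*E and [g^(d*alpha)]*E, where d | N.

    Phase 1: d*alpha mod N depends only on alpha mod (N/d), so a BSGS over
             N/d candidates recovers alpha0 = alpha mod (N/d).
    Phase 2: alpha = alpha0 + (N/d)*j with 0 <= j < d; BSGS over d candidates.
    Cost about sqrt(N/d) + sqrt(d) action evaluations instead of sqrt(N).
    """
    N = ga.N
    if N % d != 0:
        raise ValueError("d must divide the class group order")
    M = N // d
    alpha0 = bsgs(ga, base=E, target=Ead, step=d, bound=M)
    if alpha0 is None:
        raise ValueError("auxiliary curve is not of the form [a^d]*E")
    j = bsgs(ga, base=ga.act(alpha0, E), target=Ea, step=M, bound=d)
    if j is None:
        raise ValueError("inputs are inconsistent")
    return (alpha0 + M * j) % N


def demo(order=2**20, d=2**10, seed=1):
    """Run the attack and a plain BSGS on the same constructed instance.

    Returns (secret, recovered, calls_with_aux, calls_plain).
    """
    rng = random.Random(seed)
    ga = ToyGroupAction(order, rng)
    E = ga.labels[0]                     # public base curve
    alpha = rng.randrange(order)         # secret exponent of the ideal a
    Ea = ga.act(alpha, E)                # public curve [a] * E
    Ead = ga.act(d * alpha, E)           # auxiliary curve [a^d] * E
    ga.calls = 0
    recovered = gaip_with_auxiliary_input(ga, E, Ea, Ead, d)
    calls_aux = ga.calls
    ga.calls = 0
    plain = bsgs(ga, base=E, target=Ea, step=1, bound=order)
    calls_plain = ga.calls
    assert plain == alpha
    return alpha, recovered, calls_aux, calls_plain


if __name__ == "__main__":
    alpha, rec, c_aux, c_plain = demo()
    print(f"secret={alpha} recovered={rec}; action evaluations: "
          f"with [a^d]*E {c_aux}, plain BSGS {c_plain}")
```

With \(N = 2^{20}\) and \(d = 2^{10}\) the plain search needs at least 1024 action evaluations, while the two-phase search needs fewer than 128 (two searches of 32 baby steps and at most 31 giant steps each, plus one evaluation in between). Making d larger cheapens phase 1 and makes phase 2 dearer; the two balance at \(d \approx \sqrt N \approx p^{1/4}\), which is where the \(p^{1/8}\) figure comes from. The attack presupposes that d divides the group order and that the attacker actually holds \([\mathfrak a^d]*E\), a curve a protocol only leaks if it exposes repeated application of the same secret ideal.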


Keywords: Isogeny-based cryptography · Cryptanalysis · Post-quantum cryptography · CSIDH · Cheon’s algorithm


References

  1. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019)
  2. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
  3. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
  4. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)
  5. Buchmann, J.A., Düllmann, S.: On the computation of discrete logarithms in class groups. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 134–139. Springer, Heidelberg (1991)
  6. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018)
  7. Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006)
  8. Cheon, J.H.: Discrete logarithm problems with auxiliary inputs. J. Cryptol. 23(3), 457–476 (2010)
  9. Cheon, J.H., Kim, T.: A new approach to the discrete logarithm problem with auxiliary inputs. LMS J. Comput. Math. 19(1), 1–15 (2016)
  10. Cheon, J.H., Kim, T., Song, Y.S.: A group action on \({\mathbb{Z}}_p^{\times }\) and the generalized DLP with auxiliary inputs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 121–135. Springer, Heidelberg (2014)
  11. Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. CoRR, abs/1012.4019 (2010)
  12. Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptol. ePrint Arch. 2006, 291 (2006)
  13. De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019)
  14. Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012)
  15. Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2(4), 837–850 (1989)
  16. Kim, M., Cheon, J.H., Lee, I.: Analysis on a generalized algorithm for the strong discrete logarithm problem with auxiliary inputs. Math. Comput. 83(288), 1993–2004 (2014)
  17. Kim, T.: Extended tower number field sieve: a new complexity for medium prime case. IACR Cryptol. ePrint Arch. 2015, 1027 (2015)
  18. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptol. ePrint Arch. 2006, 145 (2006)
  19. Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris 273, 238–241 (1971)

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. NTT Secure Platform Laboratories, Tokyo, Japan
