Advertisement

Quantum Circuits for the CSIDH: Optimizing Quantum Evaluation of Isogenies

  • Daniel J. BernsteinEmail author
  • Tanja LangeEmail author
  • Chloe MartindaleEmail author
  • Lorenz PannyEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11477)

Abstract

Choosing safe post-quantum parameters for the new CSIDH isogeny-based key-exchange system requires concrete analysis of the cost of quantum attacks. The two main contributions to attack cost are the number of queries in hidden-shift algorithms and the cost of each query. This paper analyzes algorithms for each query, introducing several new speedups while showing that some previous claims were too optimistic for the attacker. This paper includes a full computer-verified simulation of its main algorithm down to the bit-operation level.

Keywords

Elliptic curves Isogenies Circuits Constant-time computation Reversible computation Quantum computation Cryptanalysis 

References

  1. [1]
    Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogeny-based cryptosystems. In: AsiaPKC@AsiaCCS, pp. 1–10. ACM (2016)Google Scholar
  2. [5]
    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006).  https://doi.org/10.1007/11745853_14CrossRefGoogle Scholar
  3. [7]
    Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: ACM Conference on Computer and Communications Security, pp. 967–980. ACM (2013)Google Scholar
  4. [8]
    Bernstein, D.J., Lange, T.: Analysis and optimization of elliptic-curve single-scalar multiplication. In: Finite Fields and Applications 2007, pp. 1–19. AMS (2008)Google Scholar
  5. [9]
    Bernstein, D.J., Lange, T.: Montgomery curves and the Montgomery ladder. In: Bos, J.W., Lenstra, A.K. (eds.) Topics in Computational Number Theory Inspired by Peter L. Montgomery, pp. 82–115. Cambridge University Press, Cambridge (2017)Google Scholar
  6. [10]
    Bonnetain, X., Naya-Plasencia, M.: Hidden shift quantum cryptanalysis and implications. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 560–592. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03326-2_19CrossRefGoogle Scholar
  7. [11]
    Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogeny-based schemes (2018). IACR Cryptology ePrint Archive 2018/537Google Scholar
  8. [15]
    Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03332-3_15CrossRefGoogle Scholar
  9. [17]
    Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)MathSciNetCrossRefGoogle Scholar
  10. [18]
    Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 303–329. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9_11CrossRefGoogle Scholar
  11. [19]
    Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 679–706. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56620-7_24CrossRefGoogle Scholar
  12. [20]
    Couveignes, J.-M.: Hard Homogeneous Spaces (1997). IACR Cryptology ePrint Archive 2006/291Google Scholar
  13. [22]
    De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). IACR Cryptology ePrint Archive 2011/506Google Scholar
  14. [23]
    De Feo, L., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 365–394. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03332-3_14CrossRefGoogle Scholar
  15. [28]
    Grassl, M., Langenberg, B., Roetteler, M., Steinwandt, R.: Applying Grover’s algorithm to AES: quantum resource estimates. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 29–43. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-29360-8_3CrossRefzbMATHGoogle Scholar
  16. [29]
    Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2(4), 837–850 (1989)MathSciNetCrossRefGoogle Scholar
  17. [34]
    Hişil, H.: Elliptic curves, group law, and efficient computation. Ph.D. thesis, Queensland University of Technology (2010). https://eprints.qut.edu.au/33233/
  18. [36]
    Jao, D., Azarderakhsh, R., Campagna, M., Costello, C., De Feo, L., Hess, B., Jalali, A., Koziel, B., LaMacchia, B., Longa, P., Naehrig, M., Renes, J., Soukharev, V., Urbanik, D.: SIKE. Submission to [55]. http://sike.org
  19. [37]
    Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25405-5_2CrossRefzbMATHGoogle Scholar
  20. [38]
    Jao, D., LeGrow, J., Leonardi, C., Ruiz-Lopez, L.: A subexponential-time, polynomial quantum space algorithm for inverting the CM group action. J. Math. Cryptol. (2018, to appear)Google Scholar
  21. [42]
    Kieffer, J.: Étude et accélération du protocole d’échange de clés de Couveignes-Rostovtsev-Stolbunov. Mémoire du Master 2, Université Paris VI (2017). https://arxiv.org/abs/1804.10128
  22. [45]
    Kohel, D.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkeley (1996). http://iml.univ-mrs.fr/~kohel/pub/thesis.pdf
  23. [46]
    Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)MathSciNetCrossRefGoogle Scholar
  24. [47]
    Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: TQC. LIPIcs, vol. 22, pp. 20–34. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2013)Google Scholar
  25. [49]
    Meyer, M., Reith, S.: A faster way to the CSIDH (2018). IACR Cryptology ePrint Archive 2018/782Google Scholar
  26. [50]
    Micciancio, D.: Improving lattice based cryptosystems using the Hermite normal form. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 126–145. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44670-2_11CrossRefGoogle Scholar
  27. [51]
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986).  https://doi.org/10.1007/3-540-39799-X_31CrossRefGoogle Scholar
  28. [53]
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)MathSciNetCrossRefGoogle Scholar
  29. [54]
    Moody, D., Shumow, D.: Analogues of Vélu’s formulas for isogenies on alternate models of elliptic curves. Math. Comput. 85(300), 1929–1951 (2016)CrossRefGoogle Scholar
  30. [55]
  31. [58]
    Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9_12CrossRefGoogle Scholar
  32. [61]
    Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space (2004). https://arxiv.org/abs/quant-ph/0406151
  33. [62]
    Renes, J.: Computing isogenies between Montgomery curves using the action of (0, 0). In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 229–247. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-79063-3_11CrossRefGoogle Scholar
  34. [63]
    Roetteler, M., Naehrig, M., Svore, K.M., Lauter, K.: Quantum resource estimates for computing elliptic curve discrete logarithms. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 241–270. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9_9CrossRefGoogle Scholar
  35. [64]
    Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies (2006). IACR Cryptology ePrint Archive 2006/145Google Scholar
  36. [67]
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetCrossRefGoogle Scholar
  37. [68]
    Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)MathSciNetCrossRefGoogle Scholar
  38. [70]
    Tibouchi, M.: Elligator squared: uniform points on elliptic curves of prime order as uniform random strings. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 139–156. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45472-5_10CrossRefGoogle Scholar
  39. [72]
    Vélu, J.: Isogénies entre courbes elliptiques. Comptes Rendus de l’Académie des Sciences de Paris 273, 238–241 (1971)zbMATHGoogle Scholar
  40. [74]
    Wilf, H.S.: Generatingfunctionology. Academic Press (1994). https://www.math.upenn.edu/~wilf/DownldGF.html
  41. [75]
    Zanon, G.H.M., Simplicio, M.A., Pereira, G.C.C.F., Doliskani, J., Barreto, P.S.L.M.: Faster isogeny-based compressed key agreement. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 248–268. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-79063-3_12CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of Illinois at ChicagoChicagoUSA
  2. 2.Department of Mathematics and Computer ScienceTechnische Universiteit EindhovenEindhovenThe Netherlands

Personalised recommendations