Lossy CSI-FiSh: Efficient Signature Scheme with Tight Reduction to Decisional CSIDH-512

El Kaafarani, Ali; Katsumata, Shuichi; Pintore, Federico

doi:10.1007/978-3-030-45388-6_6

Lossy CSI-FiSh: Efficient Signature Scheme with Tight Reduction to Decisional CSIDH-512

Ali El Kaafarani^12,13,
Shuichi Katsumata¹⁴ &
Federico Pintore¹²

Conference paper
First Online: 29 April 2020

1003 Accesses
13 Citations

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12111)

Abstract

Recently, Beullens, Kleinjung, and Vercauteren (Asiacrypt’19) provided the first practical isogeny-based digital signature, obtained from the Fiat-Shamir (FS) paradigm. They worked with the CSIDH-512 parameters and passed through a new record class group computation. However, as with all standard FS signatures, the security proof is highly non-tight and the concrete parameters are set under the heuristic that the only way to attack the scheme is by finding collisions for a hash function.

In this paper, we propose an FS-style signature scheme, called Lossy CSI-FiSh, constructed using the CSIDH-512 parameters and with a security proof based on the “Lossy Keys” technique introduced by Kiltz, Lyubashevsky and Schaffner (Eurocrypt’18). Lossy CSI-FiSh is provably secure under the same assumption which underlies the security of the key exchange protocol CSIDH (Castryck et al. (Asiacrypt’18)) and is almost as efficient as CSI-FiSh. For instance, aiming for small signature size, our scheme is expected to take around $\approx 800$ ms to sign/verify while producing signatures of size $\approx 280$ bytes. This is only twice slower than CSI-FiSh while having similar signature size for the same parameter set. As an additional benefit, our scheme is by construction secure both in the classical and quantum random oracle model.

Download conference paper PDF

1 Introduction

1.1 Background

Isogeny-based cryptography is one of the promising candidates for post-quantum cryptography. While isogeny problems offer simple and efficient solutions to encryption schemes (or equivalently, key-exchange protocols) [8, 25], they turned out to be rather elusive to use for constructing signature schemes.

At the highest level, all isogeny-based signatures we know thus far are based on the Fiat-Shamir paradigm [1, 18]: prepare a hard relation $\mathcal {R}$ based on an isogeny problem, construct an identification protocol (or sigma protocol) for $\mathcal {R}$, and use a cryptographic hash function to compile the identification protocol into a signature scheme in the random oracle model (ROM). Both the two central isogeny problems—the computational supersingular isogeny (CSSI) problem [13] and the group action inverse problem (GAIP) [8]—have been the basis for constructing signatures. Those based on CSSI, proposed in [21, 42], produce signatures of size at least 12 KB even in the most optimized variant [21]. On the other hand, relying on GAIP and employing the Fiat-Shamir with aborts strategy [31], De Feo and Galbraith introduced a compact isogeny-based signature named SeaSign [12]. Despite the inefficiency in the signature generation and verification, SeaSign provides signatures of a remarkably small size (less than 1 kilobyte at the 128-bit security level).

Very recently, a new record class group computation has allowed Beullens, Kleinjung and Vercauteren [6] to improve SeaSign and obtain the first practical isogeny-based signature scheme, named CSI-FiSh. Their computation has shed light on the structure of the ideal class group determined by a specific set of CSIDH parameters, named CSIDH-512 [8]. This granted a proper uniform sampling from the ideal class group, and canonical representation of its elements, which enabled to overcome the costly remedy made by SeaSign. That is, the adoption of a redundant representation of class group elements and performing rejection sampling. The result is practical efficiency in both signature generation and verification while maintaining the short signature size offered by SeaSign. However, one important remark is that, since CSI-FiSh is specific to the special set of parameters CSIDH-512, it can offer at most the same security level provided by a hard problem defined over the CSIDH-512 parameters. Specifically, CSI-FiSh relies on the GAIP problem, which is believed to have 128-bits of classical and (at most) 64-bits of quantum security over the CSIDH-512 parameters [8, 34].

Tight Security. Fiat-Shamir (FS) signatures [1, 18] admit an intuitive and simple construction in the ROM, however, they are notorious for having a very loose reduction. Since a loose reduction forces for a stronger hardness assumption, and consequently a less efficient scheme, it has been the focus of several works to tighten the reduction loss, e.g., [3, 19, 22, 26, 32, 33, 37].

To give a more precise perception of the security loss, assume we had a FS signature that is secure based on the hardness of a particular hard problem $\Pi $. Then, the security proof of FS signatures in the classical ROM dictates that the reduction algorithm can break the underlying problem $\Pi $ with advantage $Q^{-1} \cdot \epsilon ^2$, where Q is the number of hash evaluations an adversary can perform and $\epsilon $ is the advantage of an adversary breaking the security of the FS signature. Therefore, if we want to instantiate the FS signature with provably secure parameters, we must assume the hardness of the problem $\Pi $ for a security level that is much higher than expected. For instance, if we aim for 128-bits of security for the FS signature (i.e., $\epsilon = 2^{-128}$), then assuming a modest $Q \approx 2^{40}$, we require at least 296-bits of security for the hard problem $\Pi $. Since a hard problem with a higher level of security must necessitate larger parameters, this leads to inefficient schemes.

This undesirable loss in security and efficiency is common to all standard FS signatures and CSI-FiSh is no exception. However, one large difference between CSI-FiSh and other FS signatures is that CSI-FiSh relies on a hard problem defined for a specific security level—the GAIP problem over the CSIDH-512 parameters. For the time being, no other parameter sets are known to provide the nice algebraic structure required for CSI-FiSh. This is in sharp contrast with FS signatures based on other hardness assumptions since most hardness assumptions can “absorb” the reduction loss by setting the parameters larger. Since GAIP over the CSIDH-512 parameters only offers 128-bits of classical security, we cannot argue any notion of provable security for CSI-FiSh if we aim for 128-bits of security. Concretely, if we plug in $Q \approx 2^{40}$ as above, we can only provably argue 44-bits of security for CSI-FiSh. Moreover, if we aim for quantum security, the situation is worse since the reduction algorithm can break the underlying problem $\Pi $ with only advantage $Q^{-6} \cdot \epsilon ^{3}$ [16, 30]. We note that the currently available resources would probably allow other record computations for bigger parameters for which GAIP is believed to have a much higher security level; however, the benefit of having a higher security level would likely be beaten by the significant slow-down in efficiency.

In practice, this inconvenient reduction loss in FS signatures is usually overlooked or simply ignored, and the parameters are set assuming that the best attack against the FS signature is (roughly) finding a collision in the hash function. In [6], the parameters for CSI-FiSh are set under this simplified assumption as well. Considering this undesirable gap between practice and theory, a natural question which arises is:

Can we design an isogeny-based signature scheme as efficient as CSI-FiSh with provable secure parameters?

1.2 Our Contribution

In this work, we provide a partial answer to the above problem and propose a new signature scheme, Lossy CSI-FiSh, with the following features:

It is tightly secure under a natural hardness assumption over the CSIDH-512 parameters, that is, the decisional CSIDH (D-CSIDH) assumption. We note D-CSIDH is not a new assumption introduced in this paper, as it was originally defined by Stolbunov in his PhD thesis [39, Problem 2.2] and implicitly underlies the security of the key exchange protocol CSIDH [8].^{Footnote 1}
It is almost as efficient as CSI-FiSh. Compared to CSI-FiSh, the signature size is the same, the public key is only twice as large, and the runtime of the signature generation and verification is estimated to be (at most) twice as slow. For instance, aiming for small signature size, our scheme is expected to take around $\approx 800$ ms to sign/verify while producing signatures of size $\approx 280$ bytes. This is still 150 times faster and around 3 times smaller than an optimized version of SeaSign for the same parameter set.
It is secure both in the classical and quantum ROM (QROM). In particular, we do not require a separate construction using the Unruh transform [40] to achieve security in the QROM.

We obtain our results by following the line of work that constructs lossy identification protocols to obtain tightly secure FS signatures [2, 26, 27, 41]. A lossy identification protocol comes with an additional lossy statement generator that produces lossy statements which are computationally indistinguishable from honestly generated statements for the hard relation $\mathcal {R}$ induced by some hardness assumption. Moreover, relative to the lossy statements, the protocol admits statistical soundness. That is, not even a computationally unbounded adversary can successfully impersonate a prover. Using the result of Kiltz, Lyubashevsky, and Schaffner [27] (see Theorem 2.1), a lossy identification protocol directly provides us an FS signature with a tight reduction in the classical and quantum ROM.

The idea to use a lossy identification protocol to achieve tight security for isogeny-based FS signatures was also considered by De Feo and Galbraith for SeaSign [12, Section 8]. In particular, they proposed to take a very large ideal class group (determined by a big prime p) and then only a small subset as the space of possible private keys (that results in valid public keys being chosen from a set of roughly the same cardinality). The signature generation and verification processes are not altered from the standard SeaSign scheme. The result is that the lossy variant inherits the inefficiency of the main scheme, with the increment of the prime p further aggravating the issue. It is evident that the above approach does not extend to the current version of CSI-FiSh, which requires the specific CSIDH-512 parameter set.

The lossy identification protocol proposed in this work—which arises from the observation that the D-CSIDH relation over the CSIDH-512 parameters naturally admits a lossy mode—appears to be much simpler and it smoothly leads to a practical signature scheme. Our identification protocol enjoys the same optimizations used in [12] and [6]. Using D-CSIDH instead of GAIP as the underlying assumption, we encounter an obstacle that stems from the fact that D-CSIDH does not provide natural random self-reducibility properties. However, we discuss that this issue does not have much of a big impact on the concrete choice of parameters.

Related Works. There are only a handful of efficient signature schemes that are tightly and provably secure in the (Q)ROM that we are aware of. The lattice-based Gentry-Peikert-Vaikuntanathan (GPV) signature [23] or its much-optimized successor FALCON [20] have tight security in the (Q)ROM. One notable feature is that the construction natively supports tight security in both classical and quantum ROM without incurring any overhead. Dilithium [17], which is a lattice-based FS-type signature, also has tight security in the (Q)ROM [27]. To achieve tight security, they must modify the public key of their non-tightly secure scheme to obtain a lossy mode. Unfortunately, when using a lattice-based hard problem (that is, the learning with errors problem), this comes at the cost of making the public key size at least 5 times larger and the signature size at least 2 times larger, e.g., public key and signature size grows from (1472, 2701) bytes up to (7712, 5690) bytes. As we mentioned above, SeaSign [12] goes through the lossy argument as well. They require to use of a non-standard variant of the GAIP problem and makes it difficult to assess the increase in signature and public key sizes. We like to highlight that although we go through the same paradigm of lossy arguments, Lossy CSI-FiSh is based on a standard assumption and does not incur a large blow up in size; the public key is only 2 times larger and the signature size remains the same compared to the non-tight variant CSI-FiSh. Finally, the hash-based signature SPHINCS$^+$ [4] also enjoys tight security in the (Q)ROM under several heuristic assumptions on the underlying cryptographic hash function.

Roadmap. The rest of the paper is organized as follows. In Sect. 2 we give a brief preliminary on identification protocols and class group actions. In Sects. 3 and 4 we introduce the new lossy identification protocol and we adapt it using the optimizations proposed in [6, 12] to enlarge the challenge space. In Sect. 5 we describe the signature scheme obtained through the Fiat-Shamir transform, and we compare it to CSI-FiSh in terms of bandwidth and computational complexity. In Sect. 6 we report concluding remarks.

2 Preliminaries

2.1 Identification Protocols

Given two sets X and Y, a subset $\mathcal {R}\subset X \times Y$ is a polynomially computable binary relation on $X \times Y$ if, given $(\mathsf {X}, \mathsf {W}) \in X \times Y$, we can check $(\mathsf {X}, \mathsf {W}) \in \mathcal {R}$ in time $\mathsf {poly}(| \mathsf {X}|)$. The language $\mathcal {L}_\mathcal {R}$ corresponding to $\mathcal {R}$ is the set $\{\mathsf {X}\in X \mid \exists \mathsf {W}\in Y : (\mathsf {X}, \mathsf {W}) \in \mathcal {R}\}$, where we call $\mathsf {W}$ a witness for the statement $\mathsf {X}\in \mathcal {L}_\mathcal {R}$.

An identification protocol $\mathsf {ID}$ for a relation $\mathcal {R}$ is a three-move interactive protocol between a prover and a verifier. Informally, a prover holding a statement-witness pair $(\mathsf {X}, \mathsf {W}) \in \mathcal {R}$ can prove to the verifier that they indeed possess a valid witness $\mathsf {W}$ without revealing any more than the mere fact that they know $\mathsf {W}$.

Definition 2.1

(Identification Protocol). An identification protocol $\mathsf {ID}$ for a relation $\mathcal {R}$ consists of four PPT algorithms $(\mathsf {IGen}, \mathsf{P}= (\mathsf{P}_1, \mathsf{P}_2), \mathsf{V})$, where $\mathsf{V}$ is deterministic and we assume $\mathsf{P}_1$ and $\mathsf{P}_2$ share states. Let $\mathsf{ComSet}$, $\mathsf{ChSet}$, and $\mathsf{ResSet}$ be the commitment space, challenge space, and response space, respectively. Then, an identification protocol is defined in the following way.

The key generation algorithm $\mathsf {IGen}$ takes the security parameter $1^\lambda $ as input, and outputs a statement-witness pair $(\mathsf {X}, \mathsf {W}) \in \mathcal {R}$.
The prover, on input $(\mathsf {X}, \mathsf {W})$, first executes $\mathsf {com}\leftarrow \mathsf{P}_1( \mathsf {X}, \mathsf {W})$, and then sends the commitment $\mathsf {com}$ to the verifier.
The verifier chooses a random challenge $\mathsf {ch}\leftarrow \mathsf{ChSet}$ and sends $\mathsf {ch}$ to the prover.
The prover, given $\mathsf {ch}$, runs $\mathsf {resp}\leftarrow \mathsf{P}_2( \mathsf {X}, \mathsf {W}, \mathsf {com}, \mathsf {ch})$ and returns a response $\mathsf {resp}$ to the verifier. Finally, the verifier runs $\mathsf{V}(\mathsf {X}, \mathsf {com}, \mathsf {ch}, \mathsf {resp})$ and outputs 1 if they accept, 0 otherwise.

The protocol transcript $(\mathsf {com}, \mathsf {ch}, \mathsf {resp}) \in \mathsf{ComSet}\times \mathsf{ChSet}\times \mathsf{ResSet}$ is said to be valid in case $\mathsf{V}(\mathsf {X}, \mathsf {com}, \mathsf {ch}, \mathsf {resp})$ outputs 1.

We require the following properties from an identification protocol $\mathsf {ID}$. Some of them may seem non-standard, however, they are all necessary to argue security of the Fiat-Shamir transform in the (quantum) random oracle model. We note that some of the properties are simplified and stronger than those in [27], e.g. we ignore negligible correctness errors. This is done without loss of generality, since our proposed identification protocol satisfies all the stronger properties.

Correctness. The following holds for all $(\mathsf {X}, \mathsf {W}) \in \mathcal {R}$:

$$\begin{aligned} \Pr \left[ \begin{array}{rl} \mathsf{V}(\mathsf {X}, \mathsf {com}, \mathsf {ch}, \mathsf {resp}) = 1 \end{array} \left| \begin{array}{cl} \mathsf {com}\leftarrow \mathsf{P}_1( \mathsf {X}, \mathsf {W}), \\ \mathsf {ch}\leftarrow \mathsf{ChSet}, \\ \mathsf {resp}\leftarrow \mathsf{P}_2( \mathsf {X}, \mathsf {W}, \mathsf {com}, \mathsf {ch}) \end{array}\right. \right] = 1. \end{aligned}$$

(Perfect) Honest-Verifier Zero-Knowledge (HVZK). There exists a PPT simulator algorithm $\mathsf {Sim}$ that takes as inputs a statement $\mathsf {X}\in \mathcal {L}_\mathcal {R}$ and a challenge $\mathsf {ch}\in \mathsf{ChSet}$, and outputs a commitment $\mathsf {com}$ and a response $\mathsf {resp}$ such that $(\mathsf {com}, \mathsf {ch}, \mathsf {resp})$ is a valid transcript for $\mathsf {X}$. Moreover, the output distribution of $\mathsf {Sim}$ on input $(\mathsf {X}, \mathsf {ch})$ is equal to the distribution of those outputs generated via an honest execution conditioned on the verifier using $\mathsf {ch}$ as the challenge. We note we can consider relaxed variants of HVZK where the distributions are only required to be computationally indistinguishable.

Min-Entropy. The identification protocol $\mathsf {ID}$ has $\alpha $ bits of min-entropy if

$$ \Pr _{(\mathsf {X},\mathsf {W}) \leftarrow \mathsf {IGen}(1^\lambda )}\left[ \begin{array}{rl} \text {min-entropy}(\mathsf {com}\mid \mathsf {com}\leftarrow \mathsf{P}_1(\mathsf {X},\mathsf {W})) \ge \alpha ) \end{array} \right] \ge 1-2^{-\alpha }. $$

(Optional) Perfect Unique Response. With overwhelming probability over the random choice of $(\mathsf {X}, \mathsf {W}) \leftarrow \mathsf {IGen}(1^\lambda )$, for any $\mathsf {com}\in \mathsf{ComSet}$ and $\mathsf {ch}\in \mathsf{ChSet}$, there exists a unique response $\mathsf {resp}\in \mathsf{ResSet}$ that leads to a valid transcript $(\mathsf {com}, \mathsf {ch}, \mathsf {resp})$. This property is required when aiming for strong unforgeability (i.e., $\mathsf {su\text {-}cma}$) of the FS signature scheme. As we will see, our identification protocol supports this property by default.

(Optional) Commitment Revocability. With overwhelming probability over the random choice of $(\mathsf {X}, \mathsf {W}) \leftarrow \mathsf {IGen}(1^\lambda )$, for any $\mathsf {ch}\in \mathsf{ChSet}$ and $\mathsf {resp}\in \mathsf{ResSet}$, there exists a unique commitment $\mathsf {com}\in \mathsf{ComSet}$ that makes $(\mathsf {com}, \mathsf {ch}, \mathsf {resp})$ a valid transcript. Such a commitment can be publicly computed by means of an algorithm taking $(\mathsf {X}, \mathsf {ch},\mathsf {resp})$ as input. This property is unnecessary from a security stand point and only allows for shorter signatures. Again, our identification protocol supports this property by default.

To achieve a tight security proof for Fiat-Shamir signatures (formally defined later), we further require the identification protocol to satisfy some notion of lossiness defined below.

Definition 2.2

(Lossy Identification Protocol). An identification protocol $\mathsf {ID}$ is called lossy - and denoted by $\mathsf {ID}_{\mathsf {ls}}$ - if it admits an extra PPT algorithm $\mathsf{LossyIGen}$, named lossy key generation algorithm, that on input $1^\lambda $ outputs $\mathsf {X}_{\mathsf {ls}} \in X \setminus \mathcal {L}_\mathcal {R}$.

We require a lossy identification protocol $\mathsf {ID}_{\mathsf {ls}}$ to satisfy the following two properties.

Indistinguishability of Lossy Statements. We ask that a statement generated with the lossy key generation algorithm is indistinguishable from a statement generated by the real key generation algorithm. Let us define the following advantage for an adversary $\mathcal {A}$:

$$\begin{aligned} \mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {A}}(\lambda ) :=&| \Pr [\mathcal {A}(\mathsf {X}_\mathsf {ls}) = 1 \mid \mathsf {X}_\mathsf {ls}\leftarrow \mathsf{LossyIGen}(1^\lambda ) ] - \\& \Pr [\mathcal {A}(\mathsf {X}) = 1 \mid (\mathsf {X}, \mathsf {W}) \leftarrow \mathsf {IGen}(1^\lambda ) ] | \end{aligned}$$

We say the lossy identification protocol satisfies indistinguishability of lossy statements if for any PPT (or quantum PT) adversary we have $\mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {A}}(\lambda ) = \mathsf {negl}(\lambda )$.

Statistical Lossy Soundness. The definition of statistical lossy soundness relies on the following game, named lossy impersonation game, played by an adversary $\mathcal {A}$ and a challenger.

Setup: The challenger runs $ \mathsf {X}_{\mathsf {ls}} \leftarrow \mathsf{LossyIGen}(1^\lambda )$ and provides the adversary $\mathcal {A}$ the lossy statement $\mathsf {X}_{\mathsf {ls}}$.
Commitment and challenge selection: On input $\mathsf {X}_{\mathsf {ls}}$ the adversary $\mathcal {A}$ selects a commitment $\mathsf {com}\in \mathsf{ComSet}$ and sends it to the challenger. The challenger responds by returning a random challenge $\mathsf {ch}\in \mathsf{ChSet}$.
Output: $\mathcal {A}$ outputs a response $\mathsf {resp}\in \mathsf{ResSet}$. The adversary $\mathcal {A}$ wins the game if $(\mathsf {com},\mathsf {ch},\mathsf {resp})$ is a valid transcript for $\mathsf {X}_{\mathsf {ls}}$.

We say $\mathsf {ID}_{\mathsf {ls}}$ is $\epsilon _{\mathsf {ls}}$-lossy sound if for any unbounded (possibly quantum) adversary $\mathcal {A}$ the winning probability in the above game is less than $\epsilon _{\mathsf {ls}}$.

2.2 Digital Signature Schemes

Here we introduce the definition of standard signature schemes.

Definition 2.3

A signature scheme $\Pi _\mathsf{S}$ consists of three PPT algorithms

$(\mathsf {S}.\mathsf {KeyGen}, \mathsf {S}.\mathsf {Sign}, \mathsf {S}.\mathsf {Vrfy})$ such that:

$\mathsf {S}.\mathsf {KeyGen}(1^\lambda ) \rightarrow (\mathsf {vk}, \mathsf {sk})$: On input a security parameter $1^\lambda $, the key generation algorithm outputs a pair of verification and signing keys $(\mathsf {vk},\mathsf {sk})$;
$\mathsf {S}.\mathsf {Sign}(\mathsf {sk},\mathsf {M}) \rightarrow \sigma $: On input a signing key $\mathsf {sk}$ and a message $\mathsf {M}$, the signing algorithm outputs a signature $\sigma $;
$\mathsf {S}.\mathsf {Vrfy}(\mathsf {vk},\mathsf {M},\sigma ) \rightarrow 1/0$: On input a verification key $\mathsf {vk}$, a message $\mathsf {M}$ and a signature $\sigma $, the verification key outputs 1 (accept) or 0 (reject).

We require a signature scheme $\Pi _\mathsf{S}$ to satisfy the following two properties.

Correctness. For every security parameter $1^\lambda $, with $\lambda \in \mathbb {N}$, and every message $\mathsf {M}$ the following holds:

$$\begin{aligned} \Pr \left[ \begin{array}{rl} \mathsf {S}.\mathsf {Vrfy}(\mathsf {vk},\mathsf {M}, \sigma )=1 \end{array} \left| \begin{array}{cl} (\mathsf {vk},\mathsf {sk}) \leftarrow \mathsf {S}.\mathsf {KeyGen}(1^\lambda ), \\ \sigma \leftarrow \mathsf {S}.\mathsf {Sign}(\mathsf {sk},\mathsf {M}) \\ \end{array}\right. \right] = 1. \end{aligned}$$

Unforgeability. We define the strong unforgeability under chosen message attack $\mathsf {su\text {-}cma}$ by the following game played by an adversary $\mathcal {A}$ and a challenger.

Setup: The challenger runs $ (\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {S}.\mathsf {KeyGen}(1^\lambda )$ and provides the adversary $\mathcal {A}$ the verification key $\mathsf {vk}$. It also prepares an empty set $\mathcal {S}= \emptyset $.
Signing Queries: The adversary $\mathcal {A}$ may adaptively submit messages $\mathsf {M}$ to the challenger. The challenger responds by returning $\sigma \leftarrow \mathsf {S}.\mathsf {Sign}(\mathsf {sk}, \mathsf {M})$ to $\mathcal {A}$. It then updates the set $\mathcal {S}\leftarrow \mathcal {S}\cup \{ (\mathsf {M}, \sigma ) \}$.
Output: Finally, $\mathcal {A}$ outputs a forgery $(\mathsf {M}^*, \sigma ^*)$. We say the adversary $\mathcal {A}$ wins if $(\mathsf {M}^*, \sigma ^*) \not \in \mathcal {S}$ and $\mathsf {S}.\mathsf {Vrfy}( \mathsf {vk}, \mathsf {M}^*, \sigma ^* ) = 1$.

We define the advantage of $\mathcal {A}$ as the probability it wins the above game, that is, $\mathsf {Adv}^{\mathsf {su\text {-}cma}}_{\mathcal {A}}(1^\lambda ) :=\Pr [ \mathcal {A}\; \text {wins} ]$.

Definition 2.4

($\mathsf {Su\text {-}cma}$ Security). We say a signature scheme $\Pi _\mathsf{S}$ is $\mathsf {su\text {-}cma}$ secure if for all PPT adversaries $\mathcal {A}$, we have $\mathsf {Adv}^{\mathsf {su\text {-}cma}}_{\mathcal {A}}(\lambda ) = \mathsf {negl}(\lambda )$.

2.3 Pseudorandom Functions

Consider a mapping $\mathsf {PRF}: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {Y}$, where $\mathcal K$ is a key space. We say $\mathsf {PRF}$ is a pseudorandom function if for all PPT (or quantum) adversaries, their advantage defined below is negligible:

$$\begin{aligned} \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {A}}(\lambda ) := \left| \Pr [\mathcal {A}^{\mathsf {PRF}(K, \cdot )}(1^\lambda ) = 1 \mid K \leftarrow \mathcal {K} ] - \Pr [ \mathcal {A}^{\mathsf {RF}(\cdot )}(1^\lambda ) = 1 ] \right| , \end{aligned}$$

where $\mathsf {RF}: \mathcal {X} \rightarrow \mathcal {Y} $ is a perfect random function. In practice, any standard hash function (e.g., SHA-3) is believed to be a (quantumly) secure $\mathsf {PRF}$.

2.4 Fiat-Shamir Transformation

The original Fiat-Shamir transformation [1, 18] turns a (not necessarily lossy) identification protocol $\mathsf {ID}$ into a digital signature scheme by means of a cryptographic hash function $\mathsf {H}: \{0,1\}^* \rightarrow \mathsf{ChSet}$ modeled as a classical random oracle (RO). For each parallel execution of $\mathsf {ID}$, the challenge is obtained as $\mathsf {H}(\mathsf {com},\mathsf {M})$, where $\mathsf {M}$ is the message to sign. Then the resulting digital signature $\sigma $ is a t-tuple composed by t commitments and the corresponding responses, where t is set in such a way that $|\mathsf{ChSet}|^t$ is exponentially large. Recently, the Fiat-Shamir transformation has been extended to the quantum random oracle model (QROM) as well [16, 27, 30].

In this work, we will be interested in Fiat-Shamir transformations for a specific type of identification protocol (namely, lossy identification protocol) which admits tight security proofs. For a general identification protocol, it is well-known that the Fiat-Shamir signature incurs a prohibitively large reduction loss: the advantage of breaking the underlying hard problem degrades as $O(Q^{-1} \cdot \epsilon ^2)$ in the classical ROM and as $O(Q^{-6} \cdot \epsilon ^3)$ in the quantum ROM, where Q is the number or random oracle queries made by the adversary and $\epsilon $ is the advantage against the Fiat-Shamir signature scheme.

The following result is taken from the recent work of Kiltz, Lyubashevsky, and Schaffner [27].

Theorem 2.1

Assume the identification protocol $\mathsf {ID}$ is lossy, perfect HVZK, has $\alpha $ bits of min-entropy, has perfect unique response, and is $\epsilon _{\mathsf {ls}}$-lossy sound. The Fiat-Shamir transformation provides a signature scheme such that, for any quantum adversary $\mathcal {A}$ against $\mathsf {su\text {-}cma}$ security that issues at most $Q_H$ queries to the quantum random oracle, there exists quantum adversaries $\mathcal {B}$ and $\mathcal {D}$ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {su\text {-}cma}}_{\mathcal {A}}(\lambda ) \le \mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {B}}(\lambda ) + 8 (Q_H + 1)^2 \cdot \epsilon _\mathsf {ls}+ 2^{-\alpha + 1} + \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {D}}(\lambda ), \end{aligned}$$

and $\mathsf {Time}(\mathcal {B}) = \mathsf {Time}(\mathcal {D}) = \mathsf {Time}(\mathcal {A}) + Q_H \approx \mathsf {Time}(\mathcal {A})$.

In the classical setting, the only difference is that the bound depends linearly on $Q_H$ instead of quadratically.

The above theorem is obtained by derandomizing the Fiat-Shamir signature by a pseudorandom function $\mathsf {PRF}$ and plugging it in Theorem 3.1 of [27]. We note that some simplification to Theorem 3.1 of [27] is made since our proposed lossy identification protocol achieves perfect HVZK and perfect unique response.

2.5 Class Group Actions and Hardness Assumption

The action of ideal class groups on elliptic curves was firstly proposed for cryptographic purposes by Couveignes [9], and Rostovtsev and Stolbunov [35, 38]. Their approach was then revised by De Feo, Kieffer and Smith [14], who were unable to turn it intro practicality despite the introduction of remarkable mathematically-driven speed-ups. The efficiency issues were overcome by Castryck et al. [8], that introduced the CSIDH key-exchange protocol restricting to supersingular elliptic curves. In the following, we will give a brief background on ideal class groups and their action on supersingular curves. For a more detailed overview we suggest the consultation of [8] and Cox’s book [10].

Let $\mathbb {F}_p$ denote a prime field, with p being an odd prime. Given two elliptic curves $E, E'$ defined over $\mathbb {F}_p$, an isogeny $\varphi : E \rightarrow E'$ is a non-constant morphism mapping $0_E$ to $0_E'$. Hence each coordinate of $\varphi (x,y)$ can be expressed as a fraction of two polynomials belonging to $\overline{\mathbb {F}}_p[x,y]$. If their coefficients are contained in $\mathbb {F}_p$, then we say that $\varphi $ is defined over $\mathbb {F}_{p}$. A separable isogeny (it induces a separable extension of function fields) having $\{0_E\}$ as kernel is an isomorphism; an isogeny having the same domain and range is an endomorphism.

The set of all endomorphisms of an elliptic curve E, together with the zero map, form a ring under pointwise addition and composition. Such a ring is called the endomorphism ring of E and it is denoted by $\mathrm {End}(E)$. If $\mathrm {End}(E)$ is abelian, the curve is said to be ordinary, otherwise it is said to be supersingular. The restriction $\mathrm {End}_p(E)$ to the endomorphisms defined over $\mathbb {F}_p$ constitutes a subring, which is isomorphic to an order in the quadratic field $\mathbb {K}=\mathbb {Q}(\sqrt{-p})$. An order is a subring of $\mathbb {Q}(\sqrt{-p})$ which is also a finitely-generated $\mathbb {Z}$-module containing a basis of $\mathbb {K}$ as a $\mathbb {Q}$-vector space. The set $\mathbb {Z}[\sqrt{-p}]=\{m+n\sqrt{-p} \mid m,n \in \mathbb {Z}\}$ satisfies the above three conditions and we will denote it by $\mathcal {O}$. We then consider the set $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$ containing all supersingular curves E defined over $\mathbb {F}_p$ - modulo isomorphisms defined over $\mathbb {F}_p$ - such that there exists an isomorphism between $\mathcal {O}$ and $\mathrm {End}_p(E)$ mapping $\sqrt{-p} \in \mathcal {O}$ into the Frobenius endomorphism $(x,y) \mapsto (x^p,y^p)$. As shown in [8], each isomorphism class in $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$ can be uniquely represented by a single element of $\mathbb {F}_p$ if $p \ge 5$ is a prime such that $p \equiv 3 \pmod 8$.

A fractional ideal $\mathfrak {a}$ of $\mathcal {O}$ is a finitely generated $\mathcal {O}$-submodule of $\mathbb {K}$. When $\mathfrak {a}$ is contained in $\mathcal {O}$, it is said to be integral; when $\mathfrak {a}=\alpha \mathcal {O}$ for some $\alpha \in \mathbb {K}$, it is said to be principal; when there exists another fractional ideal $\mathfrak {b}$ such that $\mathfrak {a}\mathfrak {b}=\mathcal {O}$, it is called invertible. The invertible fractional ideals of $\mathcal {O}$ form an abelian group. Its quotient by the subgroup composed by principal fractional ideals is a finite group called ideal class group of $\mathcal {O}$, usually denoted by $\mathcal {C\ell (O)}$. Its cardinality is the class number of $\mathcal {O}$.

The ideal class group $\mathcal {C\ell (O)}$ acts freely and transitively on the set $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$ via the group action $\star $:

$$\begin{aligned} \star : \mathcal {C\ell (O)} \times \mathcal {E\ell \ell }_p(\mathcal {O},\pi )\,{\rightarrow }\,&\mathcal {E\ell \ell }_p(\mathcal {O},\pi ) \\ (\mathfrak {a}, E) \qquad \quad \mapsto&\mathfrak {a} \star E. \end{aligned}$$

For simplicity, we will use representatives instead of equivalence classes to denote elements of $\mathcal {C\ell (O)}$ and $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$. When p is of the form $4\ell _1\ell _2 \cdots \ell _s-1$, with $\ell _1,\dots ,\ell _s$ small odd primes, a special integral ideal $\mathfrak {I}_{\ell _i} \subset \mathcal {O}$ corresponds to each prime $\ell _i$. These ideals allow an easy computation of the group action. In particular, the action of $\mathfrak {I}_{\ell _i}$ on a curve $E \in \mathcal {E\ell \ell }_p(\mathcal {O},\pi )$ is determined by an isogeny having as kernel the unique rational $\ell _i$-torsion subgroup of E.

The general variant of the CSIDH key-exchange scheme relies on the heuristic that the equivalence classes of the ideals $\mathfrak {I}_{\ell _1}, \dots , \mathfrak {I}_{\ell _s}$, together with their inverses, generate the entire ideal class group $\mathcal {C\ell (O)}$. In [8], Castryck et al. propose different sets of parameters for CSIDH, each of them supposedly achieving a specific quantum security level. For the smallest^{Footnote 2} set of parameters, named CSIDH-512 since $p \simeq 2^{512}$, the class group structure of $\mathcal {C\ell (O)}$ has been recently computed by Beullens et al. [6]. They showed that $\mathcal {C\ell (O)}$ is a cyclic group of odd order N, where $N \simeq 2^{257.1}$ and $\mathcal {C\ell (O)}=\langle \mathfrak {I}_3 \rangle $. As a consequence, this group admits a canonical representation (as $\mathbb {Z}_N$) and an efficient uniform sampling of its elements. For simplicity, in the following we will denote by $\mathfrak {g}$ the generator $\mathfrak {I}_3$.

Hardness Assumption. The group action inverse problem (GAIP) is the hardness assumption originally introduced by [8], which underlies the security of both SeaSign [12] and CSI-FiSh [6]. Although we will not directly use GAIP in our construction, we provide it as a base point to compare the assumption we introduce.

Definition 2.5

(Group Action Inverse Problem (GAIP)). Given two supersingular elliptic curves, $E, E_1 \in \mathcal {E\ell \ell }_p(\mathcal {O},\pi )$, find an element $\mathfrak {a} \in \mathcal {C\ell (O)}$ such that $\mathfrak {a} \star E=E_1$.

3 Base Lossy Identification Protocol from CSIDH-512

The CSI-FiSh signature is obtained by applying the Fiat-Shamir transformation to an identification protocol originally sketched by Couveignes [9] and Stolbunov [39]. In this section, we introduce our base lossy identification protocol for any set of CSIDH parameters for which the ideal class group $\mathcal {C\ell (O)}$ is cyclic, with a known order N and generator $\mathfrak {g}$. We further discuss the corresponding hardness assumption on which its security relies. Such a scheme considers an exponent $a \in \mathbb {Z}_N$, the private key, and two pairs of curves, where the second pair, the public key, is determined by the action of $\mathfrak {g}^a$ on the first pair. For the concrete instantiation in Sect. 5, we use the CSIDH-512 parameters.

3.1 Hardness Assumption: Decisional CSIDH

We construct a lossy identification protocol based on the decisional CSIDH (D-CSIDH) problem, originally defined by Stolbunov in his PhD thesis [39, Problem 2.2].

Definition 3.1

(Decisional CSIDH Problem). Given the set $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$ and the ideal class group $\mathcal {C\ell (O)}$, the decisional CSIDH (D-CSIDH) problem asks to distinguish between the following two distributions:

$(E, H, \mathfrak {a} \star E, \mathfrak {a} \star H)$, where the supersingular elliptic curves E and H are sampled uniformly from $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$, while $\mathfrak {a}$ is sampled uniformly from $\mathcal {C\ell (O)}$;
$(E, H, E', H')$ where $E, H, E', H'$ are supersingular elliptic curves sampled uniformly from $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$.

We denote by $\mathsf {Adv}^\mathsf{D\text {-}CSIDH}_{\mathcal {A}}(\lambda )$ the advantage of an adversary $\mathcal {A}$ distinguishing the two distributions. We say that the D-CSIDH assumption holds if for every PPT (or possibly quantum) adversary $\mathcal {A}$, $\mathsf {Adv}^\mathsf{D\text {-}CSIDH}_{\mathcal {A}}(\lambda )$ is negligible.

The D-CSIDH assumption forms the foundation of the security of the key exchange protocol proposed by [8], called CSIDH. However, to be completely accurate, the security of CSIDH not always is equivalent to the D-CSIDH problem we defined above. The reason for this is that when the structure of the ideal class group is not known, we cannot properly sample a uniform ideal from $\mathcal {C\ell (O)}$ (and hence a uniform elliptic curve from the set $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$). Namely, in that case, a party will sample an ideal that is heuristically shown to be close to uniformly random over $\mathcal {C\ell (O)}$. Then, to show security of CSIDH, we must assume the hardness of D-CSIDH for that particular heuristically uniform distribution. Notably, we do not get a reduction from the above D-CSIDH assumption defined for truly uniform samples over $\mathcal {C\ell (O)}$. Hence, for the D-CSIDH assumption to be useful both in a theoretical and practical sense, it is desirable to have an efficient uniform sampler from the ideal class group $\mathcal {C\ell (O)}$. In this case, the security of CSIDH will indeed be equivalent to the D-CSIDH assumption.

As for the definition of D-CSIDH, we would like to simply keep it agnostic to the existence of an efficient sampler from the ideal class group $\mathcal {C\ell (O)}$. However, throughout the paper, we will always consider a cyclic class group $\mathcal {C\ell (O)}$ with known order and generator (i.e., the one derived from the CSIDH-512 parameters) so as to be able to efficiently sample uniformly over $\mathcal {C\ell (O)}$.

3.2 Construction of Base Lossy Identification Protocol

The base lossy identification protocol we are going to describe requires $\mathcal {C\ell (O)}$ to be efficiently sampleable. As anticipated, we will restrict to the case where $\mathcal {C\ell (O)}$ is cyclic, with a known order N and generator $\mathfrak {g}$. This reduces sampling from $\mathcal {C\ell (O)}$ to uniformly sampling from $\mathbb {Z}_N$, and considering the corresponding power of $\mathfrak {g}$.

Let the set X be composed by pairs $((E_1^{(0)},E_2^{(0)}),(E_1^{(1)},E_2^{(1)}))$, where $E_1^{(0)}$, $E_2^{(0)}$, $E_1^{(1)}$, $E_2^{(1)}$ belong to $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$. By Y we denote the set of witnesses $\{a \in \mathbb {Z}_N \}$, with N being the cardinality of $\mathcal {C\ell (O)}$. We consider the following binary relation $\mathcal {R}$ on $X \times Y$:

$$\begin{aligned} \mathcal {R}=\{ (((E_1^{(0)},E_2^{(0)}),(E_1^{(1)},E_2^{(1)})),a) \mid E_1^{(1)}= \mathfrak {g}^{a} \star E_1^{(0)}, E_2^{(1)} =\mathfrak {g}^{a} \star E_2^{(0)}\} \end{aligned}$$

(1)

We note that the language $\mathcal {L}_\mathcal {R}$ is strictly contained in X, i.e. X contains lossy statements. On the other hand, each statement in X is a valid instance of the D-CSIDH problem.

The lossy identification protocol $\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}$ deduced from relation $\mathcal {R}$ consists of a challenge set $\mathsf{ChSet}=\{0,1\}$ and five algorithms $(\mathsf {IGen}, \mathsf{LossyIGen}, \mathsf {P}_1,\mathsf {P}_2, \mathsf {V})$, detailed in the following. We note that $E_0 \in \mathcal {E\ell \ell }_p(\mathcal {O},\pi )$ is the base curve, specified by the system parameters, and defined by the equation $y^2=x^3+x$ over $\mathbb {F}_p$.

Algorithm $\mathsf {IGen}$ uniformly samples $a,b,c \in \mathbb {Z}_N$ and outputs a statement-witness pair $(\mathsf {X},\mathsf {W}) \in \mathcal {R}$, where $\mathsf {X}=((E_1^{(0)}=\mathfrak {g}^{b} \star E_0, E_2^{(0)}=\mathfrak {g}^{c} \star E_0),(E_1^{(1)}=\mathfrak {g}^{a} \star E_1^{(0)}, E_2^{(1)}=\mathfrak {g}^{a}\star E_2^{(0)}))$, and $\mathsf {W}=a$.
Algorithm $\mathsf{LossyIGen}$ uniformly samples $a,a',b,c \in \mathbb {Z}_N$ and outputs a lossy statement $\mathsf {X}_{\mathsf {ls}}=((E_1^{(0)}=\mathfrak {g}^b \star E_0, E_2^{(0)}=\mathfrak {g}^c \star E_0),(E_1^{(1)}=\mathfrak {g}^{a} \star E_1^{(0)}, E_2^{(1)}=\mathfrak {g}^{a'} \star E_2^{(0)}))$.
On input $(\mathsf {X},\mathsf {W})$, $\mathsf {P}_1$ generates a random integer $r \in \mathbb {Z}_N$ and returns the commitment $\mathsf {com}=(F_1=\mathfrak {g}^r \star E_1^{(0)},F_2=\mathfrak {g}^r \star E_2^{(0)})$.
On input $(\mathsf {X},\mathsf {W},\mathsf {com},\mathsf {ch})$, where $\mathsf {ch}\in \mathsf{ChSet}$, $\mathsf {P}_2$ outputs the response $\mathsf {resp}$ which is r if $\mathsf {ch}=0$, $r-a$ if $\mathsf {ch}=1$.
On input $(\mathsf {X},\mathsf {com},\mathsf {ch},\mathsf {resp})$, the verification algorithm $\mathsf {V}$ checks that
$$\begin{aligned} {\left\{ \begin{array}{ll} (\mathfrak {g}^\mathsf {resp}\star E_1^{(0)}=F_1,\mathfrak {g}^\mathsf {resp}\star E_2^{(0)}=F_2) &{} \text{ if } \mathsf {ch}=0\\ (\mathfrak {g}^{\mathsf {resp}} \star E_1^{(1)}=F_1,\mathfrak {g}^{\mathsf {resp}} \star E_2^{(1)}=F_2) &{} \text{ if } \mathsf {ch}=1\\ \end{array}\right. } \end{aligned}$$
(2)

The interaction between a prover and a verifier within the identification protocol is summarised in Fig. 1.

3.3 Security of Base Lossy Identification Protocol $\mathsf {ID}^\mathsf{Base}_{\mathsf {ls}}$

We show that the proposed lossy identification protocol $\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}$ satisfies all the desired properties presented in Sect. 2.1. Properties for standard identification protocols - namely, correctness, perfect unique response, and commitment revocability - are straightforward to prove, with the last two verified by noticing that the group action $\star $ is transitive and free. Moreover, for the Honest-Verifier Zero-Knowledge property, consider a simulator $\mathsf {Sim}$ defined as follows:

$\mathsf {Sim}( \mathsf {X}, \mathsf {ch})$: on input a statement $\mathsf {X}= ((E_1^{(0)},E_2^{(0)}),$ $(E_1^{(1)},E_2^{(1)})) \in \mathcal {L}_\mathcal {R}$ and a challenge bit $\mathsf {ch}\in \{ 0,1 \} $, the simulator samples a random $u \in \mathbb {Z}_N$ and outputs either of the following tuples, depending on whether $\mathsf {ch}= 0$ or $\mathsf {ch}=1$:
$$ \big ( (\mathfrak {g}^u \star E_1^{(0)}, \mathfrak {g}^u \star E_2^{(0)}), \mathsf {ch}= 0,u \big ), \quad \big ( (\mathfrak {g}^{u} \star E_1^{(1)}, \mathfrak {g}^{u} \star E_2^{(1)}), \mathsf {ch}= 1,u \big ). $$

It can be checked that the transcripts output by the simulator $\mathsf {Sim}$ are indistinguishable from honest transcripts, since both have uniformly random distributed values as responses. Finally, by construction, we have $\log N$ bits of min-entropy.

The remaining issue is showing that $\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}$ satisfies the lossy properties (see Definition 2.2). Specifically, it has indistinguishability of lossy statements and statistical lossy soundness.

Lemma 3.1

Our lossy identification protocol $\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}$ satisfies indistinguishability of lossy statements assuming the hardness of the D-CSIDH problem. Specifically, an adversary $\mathcal {A}$ with advantage $\mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {A}}(\lambda )$ can be turned into an adversary $\mathcal {B}$ against the D-CSIDH problem with advantage $\mathsf {Adv}^\mathsf{D\text {-}CSIDH}_\mathcal {B}(\lambda ) = \mathsf {Adv}^\mathsf{lossy}_\mathcal {A}(\lambda )$ and the same running time.

Proof

The statement is an immediate consequence of the D-CSIDH problem. In particular, the distribution induced by $\mathsf {IGen}$ corresponds to valid D-CSIDH instances and that of $\mathsf{LossyIGen}$ corresponds to random D-CSIDH instances.

Lemma 3.2

Our lossy identification protocol $\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}$ satisfies statistical $\epsilon _\mathsf {ls}$-lossy soundness for $\epsilon _\mathsf {ls}= 1/2 + 1/2N$, where $N = \left| \mathcal {C\ell (O)} \right| $.

Proof

First of all, a simple calculation shows that the set of valid statements $\mathcal {L}_\mathcal {R}$ has size $N^3$. Therefore, since $\mathsf{LossyIGen}$ outputs a uniformly random image in the set X, which has size $N^4$, we have $\Pr [ \mathsf {X}_\mathsf {ls}\leftarrow \mathsf{LossyIGen}(1^\lambda ): \mathsf {X}_\mathsf {ls}\in \mathcal {L}_\mathcal {R}] = 1/N$. Furthermore, for an adversary $\mathcal {A}$ against the lossy impersonation game, the following holds:

$$\begin{aligned} \Pr [\mathcal {A}\text { wins}] =&\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\not \in \mathcal {L}_\mathcal {R}] \Pr [\mathsf {X}_\mathsf {ls}\not \in \mathcal {L}_\mathcal {R}] +\\ {}&\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in \mathcal {L}_\mathcal {R}] \Pr [\mathsf {X}_\mathsf {ls}\in \mathcal {L}_\mathcal {R}] \\ \le&\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\not \in \mathcal {L}_\mathcal {R}] \cdot \Big ( 1-\frac{1}{N} \Big ) + \frac{1}{N}. \end{aligned}$$

We show that for any statement $\mathsf {X}_\mathsf {ls}\not \in \mathcal {L}_\mathcal {R}$ and commitment $\mathsf {com}\in \mathsf{ComSet}$, there exists at most one challenge $\mathsf {ch}\in \mathsf{ChSet}$ that admits a valid response $\mathsf {resp}\in \mathsf{ResSet}$. Since this implies $\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\not \in \mathcal {L}_\mathcal {R}] \le 1/ |\mathsf{ChSet}| = 1/2$, we obtain $(1/2 + 1/2N)$-lossy soundness as desired.

Given a statement $\mathsf {X}_\mathsf {ls}=((E_1^{(0)},E_2^{(0)}),(E_1^{(1)},E_2^{(1)})) \not \in \mathcal {L}_\mathcal {R}$, let us assume there exist two valid transcripts for $\mathsf {X}_\mathsf {ls}$. Namely, consider $(\mathsf {com},\mathsf {ch},\mathsf {resp})$ and $(\mathsf {com},\mathsf {ch}',\mathsf {resp}')$, with $\mathsf {ch}\ne \mathsf {ch}'$ and $\mathsf {com}= (F_1, F_2)$. Then, it is possible to extract a witness $\mathsf {W}$ such that $(\mathsf {X}_\mathsf {ls},\mathsf {W}) \in \mathcal {L}_\mathcal {R}$. Indeed, assuming $\mathsf {ch}=0$, the responses $\mathsf {resp}, \mathsf {resp}'$ must satisfy

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathfrak {g}^{\mathsf {resp}} \star E_1^{(0)}=F_1, &{} \mathfrak {g}^{\mathsf {resp}} \star E_2^{(0)}=F_2, \\ \mathfrak {g}^{\mathsf {resp}'} \star E_1^{(1)}=F_1, &{} \mathfrak {g}^{\mathsf {resp}'} \star E_2^{(1)}=F_2. \end{array}\right. } \end{aligned}$$

(3)

Therefore, $\mathsf {resp}- \mathsf {resp}'$ is the desired witness, that is, $ E_1^{(1)} = g^{\mathsf {resp}- \mathsf {resp}'}\star E_1^{(0)}$ and $ E_2^{(1)} = g^{\mathsf {resp}- \mathsf {resp}'}\star E_2^{(0)}$. However, this is a contradiction to $\mathsf {X}_\mathsf {ls}\not \in \mathcal {L}_\mathcal {R}$. Therefore, there can exist at most one challenge that possesses a valid response. This concludes the proof.

3.4 Lossy Soundness Amplification of $\mathsf {ID}^\mathsf{Base}_\mathsf {ls}$

As typically done, we use standard parallel repetition of the base lossy identification protocol $\mathsf {ID}^\mathsf{base}_\mathsf {ls}$ to make the lossy soundness $\epsilon _\mathsf {ls}$ negligibly small, as required when setting the concrete parameters for the relative FS signature according to Theorem 2.1. Specifically, on input $(\mathsf {X}, \mathsf {W})$, the prover runs parallel execution of the protocol with the verifier, where the verifier uses independent challenges in each execution.

We make this standard procedure explicit since, unlike sigma-protocols with 2-special soundness, lossy soundness is not closed under parallel repetition. That is, even if we run t parallel instances of our base protocol $\mathsf {ID}^\mathsf{base}_\mathsf {ls}$, this will not result in a protocol with $(\epsilon _\mathsf {ls})^t$-lossy soundness. Namely, we have the following result.

Lemma 3.3

Consider running t parallel rounds of the base lossy identification protocol $\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}$ (with the same statement-witness pair). Then it satisfies statistical $\epsilon _\mathsf {ls}$-lossy soundness for $\epsilon _\mathsf {ls}= 1/2^t \cdot (1-1/N) + 1/N$, where $N = \left| \mathcal {C\ell (O)} \right| $. In particular, we have $\epsilon _\mathsf {ls}\le 1/2^t + 1/N$.

Proof

The proof is straightforward. In case $\mathsf {X}_\mathsf {ls}\notin \mathcal {L}_\mathcal {R}$, we can argue that the adversary has at most $1/2^t$ probability in winning the lossy impersonation game. Recalling that $\mathsf {X}_\mathsf {ls}\in \mathcal {L}_\mathcal {R}$ happens with probability 1/N over the random choice of $\mathsf{LossyIGen}$, we can upper bound the advantage of $\mathcal {A}$ by $\epsilon _\mathsf {ls}= 1/2^t (1 - 1/N) + 1/N$. This concludes the proof.

All other properties are closed under parallel repetition and inherited directly from $\mathsf {ID}^\mathsf{base}_\mathsf {ls}$.

4 Optimized Lossy Identification Protocol from CSIDH-512

We show several methods to optimize our base lossy identification protocol, following closely the work of [6, 12]. We first prepare a slight variant of the D-CSIDH assumption, which will form the basis of our optimized schemes.

4.1 Hardness Assumption: Fixed-Curve Multi-decisional CSIDH

We consider a slight variant of D-CSIDH, where we are given many D-CSIDH tuples, with the first two elliptic curves of each tuple being fixed. Formally, we consider the following problem, which is equivalent to D-CSIDH when $S=1$.

Definition 4.1

(Fixed-Curve Multi-decisional CSIDH Problem). Let S be a positive integer. Given the ideal class group $\mathcal {C\ell (O)}$ and the set $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$, the fixed-curve multi-decisional CSIDH (FCMD-CSIDH) problem with parameter S asks to distinguish between the following two distributions^{Footnote 3}:

$(E, H, ( \mathfrak {a}_i\,\star \,E, \mathfrak {a}_i\,\star \,H )_{i \in [S]}$), where the supersingular elliptic curves E and H are sampled uniformly from $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$, and $\mathfrak {a}_i$ for $i \in [S]$ are sampled uniformly from $\mathcal {C\ell (O)}$;
$(E, H, ( E'_i, H'_i )_{i \in [S]})$ where $E, H, E'_i, H'_i$ for $i\in [S]$ are supersingular elliptic curves sampled uniformly from $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$.

We denote by $\mathsf {Adv}^\mathsf{FCMD\text {-}CSIDH}_{\mathcal {A}, S}(\lambda )$ the advantage of an adversary $\mathcal {A}$ distinguishing the two distributions. We say that the FCMD-CSIDH assumption with parameter S holds if for any PPT (or possibly quantum) adversary $\mathcal {A}$, $\mathsf {Adv}^\mathsf{FCMD\text {-}CSIDH}_{\mathcal {A}, S}(\lambda )$ is negligible.

A tight reduction from the (one-instance) decisional CSIDH problem to the fixed-curve multi-decisional CSIDH problem with parameter S would have been desirable, however, this seems to be highly challenging (as long as we view the group action $\star $ as a black box). This is in sharp contrast with the classical decisional DH problem, which admits a nice random self-reducibility property. The main reason why D-CSIDH does not possess this property seems to stem from the fact that the group action only allows to add a known constant to the exponent of $\mathfrak {g}$ when considering a curve $\mathfrak {g}^a * E$. In other words, we do not have an analogous of the mapping $g^a \mapsto (g^a)^r$ exploited in the classical DH setting.

Therefore, we only have a trivial non-tight reduction from the D-CSIDH problem to the FCMD-CSIDH problem with parameter S. This is formally stated in the following lemma.

Lemma 4.1

(D-CSIDH to FCMD-CSIDH). Let S be a positive integer. Let $\mathcal {C\ell (O)}$ be the ideal class group of an order $\mathcal {O}$ in $\mathbb {Q}(\sqrt{-p})$, with p a prime, and $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$ be the corresponding set of supersingular elliptic curves. Then, for any adversary $\mathcal {A}$ for the FCMD-CSIDH problem with parameter S, there exists an adversary $\mathcal {B}$ for the D-CSIDH problem such that

$$\begin{aligned} \mathsf {Adv}^\mathsf{FCMD\text {-}CSIDH}_{\mathcal {A}, S} \le S \cdot \mathsf {Adv}^\mathsf{D\text {-}CSIDH}_{\mathcal {B}}, \end{aligned}$$

and $\mathsf {Time}(\mathcal {B}) \approx \mathsf {Time}(A)$.

Proof

The proof is elementary. We consider $S + 1$ hybrid games where, in the j-th game^{Footnote 4}, an adversary is given $(E, H, ( E'_i, H'_i )_{i \in [S]})$, where $( E'_i, H'_i )_{i \in [ j ]}$ is random over $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )^2$ and $( E'_i, H'_i )_{i \in [S] \backslash [ j ]}$ is of the form $(\mathfrak {a_i}\,\star \,E, \mathfrak {a_i}\,\star \,H)$ for a random $\mathfrak {a_i} \in \mathcal {C\ell (O)}$. We then simply show that each game is indistinguishable using the D-CSIDH problem to conclude the proof. However, one thing we remark is that in order for the D-CSIDH adversary $\mathcal {B}$ to simulate the view to the FCMD-CSIDH adversary $\mathcal {A}$, $\mathcal {B}$ must be able to sample uniformly from $\mathcal {C\ell (O)}$. This justifies once more our restriction to cyclic ideal class groups $\mathcal {C\ell (O)}$ having known order and generator.

We leave it as an interesting open problem to achieve a tight reduction. We believe a technique which allows such a reduction will most likely have applications elsewhere.

Impact on Signature Scheme (and Identification Protocol). Although this loose reduction is not desirable, fortunately, the integer S will not have a tremendous impact on the concrete choice of parameters for our signature scheme (and identification protocol). This is because S is only a parameter chosen at the setup of the scheme, which is in particular independent of the adversary. This should be compared to standard non-tight Fiat-Shamir signatures which incurs a reduction loss of $Q^{-1} \cdot \epsilon ^2$ in the classical ROM and $Q^{-6}\cdot \epsilon ^3$ in the quantum ROM, where Q is an adversarially dependent parameter denoting the number of RO queries. In particular, in the original paper of CSI-FiSh [6], S is a constant set between 1 to $2^{18}-1$. Depending on the value of S, we have a tradeoff between the runtimes of several algorithms and size of public keys and signatures. We refer to Sect. 5 for more details.

4.2 Enlarging Challenge Space of Base Lossy Identification Protocol

We show a variant of our base lossy identification protocol which is obtained adapting the idea from [6, 12] to enlarge the challenge space. In particular, we will use the FCMD-CSIDH problem with parameter S instead of the D-CSIDH problem to define the language used in the identification protocol. Formally, the set of (possibly non-valid) statements is:

$$ X=\big \{ \big ( (E_1^{(0)},E_2^{(0)}),(E_1^{(1)},E_2^{(1)}),\dots ,(E_1^{(S)},E_2^{(S)})) \mid E_1^{(i)},E_2^{(i)} \in \mathcal {E\ell \ell }_p(\mathcal {O} \big ) \big \}, $$

while the set of witnesses is $Y=\{(a_1,\dots ,a_{S}) \mid a_1,\dots ,a_{S} \in \mathbb {Z}_N \}.$ We then consider the following binary relation on $X \times Y$:

$$ \mathcal {R}=\{ (((E_1^{(0)},E_2^{(0)}),(E_1^{(1)},E_2^{(1)}), \dots , (E_1^{(S)},E_2^{(S)})),(a_1,\dots ,a_{S})) \in X \times Y \mid $$

$$\mathfrak {g}^{a_i}\,\star \,E_1^{(0)}=E_1^{(i)}, \mathfrak {g}^{a_i}\,\star \,E_2^{(0)}=E_2^{(i)} \;\; \text {for} \;\; i \in [S] \}. $$

The lossy identification protocol with enlarged challenge space $\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}$ deduced from the above relation $\mathcal {R}$ is a simple adaptation of the base scheme $\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}$. We provide the details below for completeness, where the challenge space is enlarged to $\mathsf{ChSet}= \{ 0, 1, \cdots , S \}$. Note that S is a parameter chosen by the scheme. Our base scheme is obtained by setting $S = 1$.

Algorithm $\mathsf {IGen}$ uniformly samples $( a_i )_{i \in [S]},b,c \in \mathbb {Z}_N$ and outputs a statement-witness pair $(\mathsf {X},\mathsf {W}) \in \mathcal {R}$, where
$$ \mathsf {X}=\Big ( (E_1^{(0)}=\mathfrak {g}^{b}\,\star \,E_0, E_2^{(0)}=\mathfrak {g}^{c}\,\star \,E_0), \big ( E_1^{(i)}=\mathfrak {g}^{a_i}\,\star \,E_1^{(0)}, E_2^{(i)}=\mathfrak {g}^{a_i}\,\star \,E_2^{(0)} \big )_{i\in [S]} \Big ), $$
and $\mathsf {W}=(a_i)_{i \in [N]}$.
Algorithm $\mathsf{LossyIGen}$ uniformly samples $( a_i, a'_i )_{i \in [S]}, b, c \in \mathbb {Z}_N$ and outputs a lossy statement
$$ \mathsf {X}=\Big ( (E_1^{(0)}=\mathfrak {g}^{b}\,\star \,E_0, E_2^{(0)}=\mathfrak {g}^{c}\,\star \,E_0), \big ( E_1^{(i)}=\mathfrak {g}^{a_i}\,\star \,E_1^{(0)}, E_2^{(i)}=\mathfrak {g}^{a'_i}\,\star \,E_2^{(0)} \big )_{i\in [S]} \Big ), $$
On input $(\mathsf {X},\mathsf {W})$, $\mathsf {P}_1$ generates a random integer $r \in \mathbb {Z}_N$ and returns the commitment $\mathsf {com}=(F_1=\mathfrak {g}^r\,\star \,E_1^{(0)},F_2=\mathfrak {g}^r\,\star \,E_2^{(0)})$.
On input $(\mathsf {X},\mathsf {W},\mathsf {com},\mathsf {ch})$, where $\mathsf {ch}\in \mathsf{ChSet}$, $\mathsf {P}_2$ outputs the response $\mathsf {resp}$ which is r if $\mathsf {ch}=0$, $r-a_{\mathsf {ch}}$ if $\mathsf {ch}> 0$.
On input $(\mathsf {X},\mathsf {com},\mathsf {ch},\mathsf {resp})$, the verification algorithm $\mathsf {V}$ checks that
$$\begin{aligned} \mathfrak {g}^{\mathsf {resp}}\,\star \,E_1^{(\mathsf {ch})}=F_1, \quad \mathfrak {g}^{\mathsf {resp}} \star E_2^{(\mathsf {ch})}=F_2 \end{aligned}$$

Security of Lossy Identification Protocol $\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}$. The proposed lossy identification protocol $\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}$ inherits most of the desired standard properties presented in Sect. 2.1 from the base lossy identification protocol $\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}$. Namely, correctness, min-entropy, perfect unique response, and commitment revocability trivially follow from those of $\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}$. Moreover, the Honest-Verifier Zero-Knowledge property holds similarly as well. Simply consider a simulator $\mathsf {Sim}$ which, on input $\mathsf {X}\in \mathcal {L}_\mathcal {R}$ and $\mathsf {ch}\in \{ 0, 1, \cdots , S \}$, outputs $((g^u\,\star \,E_1^{(\mathsf {ch})}, g^u\,\star \,E_2^{(\mathsf {ch})}), \mathsf {ch}, u)$, where u is randomly sampled from $\mathbb {Z}_N$.

We next show that $\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}$ satisfies the lossy properties (see Definition 2.2). Specifically, it has indistinguishability of lossy statements and statistical lossy soundness.

Lemma 4.2

Our lossy identification protocol $\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}$ satisfies indistinguishability of lossy statements assuming the hardness of the FCMD-CSIDH problem with parameter S. Specifically, an adversary $\mathcal {A}$ with advantage $\mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {A}}(\lambda )$ can be turned into an adversary $\mathcal {B}$ against the FCMD-CSIDH problem with advantage $\mathsf {Adv}^\mathsf{FCMD\text {-}CSIDH}_{\mathcal {B}, S}(\lambda ) = \mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {A}}(\lambda )$ and same running time.

Proof

The proof is analogous to that of Lemma 3.1.

Lemma 4.3

The lossy identification protocol $\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}$ satisfies statistical $\epsilon _\mathsf {ls}$-lossy soundness for $\epsilon _\mathsf {ls}=(1/(S+1))\prod _{i=1}^{S}((N-i)/N)+ (1 - \prod _{i=1}^{S}((N-i)/N))$, where $N = \left| \mathcal {C\ell (O)} \right| $.

Proof

The general strategy is similar to that used for proving Lemma 3.3. We separate the set X in such a way that in one of the subsets the adversary $\mathcal {A}$ has exactly $1/(S + 1)$ probability in winning the lossy impersonation game. We then argue that $\mathsf{LossyIGen}$ outputs a statement belonging to this subset with overwhelming probability. However, unlike the proof in Lemma 3.3, we will not be able to simply use $X \backslash \mathcal {L}_\mathcal {R}$ as such a subset. This is because a computationally unbounded adversary may be able, for some of the instances in $X \backslash \mathcal {L}_\mathcal {R}$, to forge a response for any $\mathsf {ch}\in \mathsf{ChSet}$.

Recall the set X we consider is of the following form:

$$ \Big ( (E_1^{(0)}, E_2^{(0)}), \big ( E_1^{(i)}=\mathfrak {g}^{a_i}\,\star \,E_1^{(0)}, E_2^{(i)}=\mathfrak {g}^{a'_i}\star E_2^{(0)} \big )_{i\in [S]} \Big ), $$

where $(E_1^{(0)}, E_2^{(0)})$ are arbitrary elements in $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$, and $a_i, a_i'$ are arbitrary elements in $\mathbb {Z}_N$. We define the set $X_\mathsf{BAD}$ as the subset of X which satisfies the following conditions for all distinct $i,j \in [S]$:

$$\begin{aligned} {\left\{ \begin{array}{ll} a_i \ne a_i', \\ a_j-a_i \ne a_j' - a_i'. \end{array}\right. } \end{aligned}$$

(4)

Below, we first compute $| X_\mathsf{BAD}|$ and then show that $\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}]$ is at most $1/(S + 1)$.

First, fix arbitrary $(E_1^{(0)}, E_2^{(0)})$. Then, let us consider fixing arbitrary $(a_1, a_1') \in (\mathbb {Z}_N)^2$, conditioned on conditions (4). Then, there exist at most $N(N-1)$ choices of such pairs. Let us further consider fixing arbitrary $(a_2, a_2') \in (\mathbb {Z}_N)^2$, conditioned on conditions (4). Then, since we have to also satisfy $a_2 - a_1 \ne a_2' - a_1'$, there exist at most $N(N-2)$ choices of such pairs. Continuing this procedure, each pair $(a_i, a_i') \in (\mathbb {Z}_N)^2$, with $i \in [S]$, has exactly $N(N-i)$ freedom. Therefore, we have $|X_\mathsf{BAD}| = N^{2+S}(N - 1) \cdots (N-S)$ and $\Pr [\mathsf {X}_\mathsf {ls}\leftarrow \mathsf{LossyIGen}: \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}]$ equal to $(N-1)\cdots (N-S)/N^S$.

Let us now compute $\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}]$. Assume there exist two valid transcripts for $\mathsf {X}_{\mathsf {ls}}$. Namely, consider $(\mathsf {com},\mathsf {ch},\mathsf {resp})$ and $(\mathsf {com},\mathsf {ch}',\mathsf {resp}')$, with $\mathsf {ch}\ne \mathsf {ch}'$ and $\mathsf {com}= (F_1, F_2)$. Then, we have

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathfrak {g}^{\mathsf {resp}}\,\star \,E_1^{(\mathsf {ch})}=F_1, &{} \mathfrak {g}^{\mathsf {resp}}\,\star \,E_2^{(\mathsf {ch})}=F_2, \\ \mathfrak {g}^{\mathsf {resp}'}\,\star \,E_1^{(\mathsf {ch}')}=F_1, &{} \mathfrak {g}^{\mathsf {resp}'}\,\star \,E_2^{(\mathsf {ch}')}=F_2. \end{array}\right. } \end{aligned}$$

Therefore, we can deduce

$$ \mathfrak {g}^{\mathsf {resp}- \mathsf {resp}'}\,\star \,E_1^{(\mathsf {ch})} = E_1^{(\mathsf {ch}')} \quad \text {and} \quad \mathfrak {g}^{\mathsf {resp}- \mathsf {resp}'}\,\star \,E_2^{(\mathsf {ch})} = E_2^{(\mathsf {ch}')}. $$

However, this clearly contradicts conditions (4). Therefore, there can exist at most one challenge that admits a valid response in case $X_\mathsf {ls}\in X_\mathsf{BAD}$. In particular, this proves $\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}] \le 1/(S+1)$.

Combining everything together, we conclude.

$$\begin{aligned}&\Pr [\mathcal {A}\text { wins}] \\ =&\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}]\Pr [\mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}] + \Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\not \in X_\mathsf{BAD}]\Pr [\mathsf {X}_\mathsf {ls}\not \in X_\mathsf{BAD}] \\ \le&\frac{1}{S+1}\cdot \frac{(N-1)\cdots (N-S)}{N^S}+ \Big ( 1 - \frac{(N-1)\cdots (N-S)}{N^S} \Big ). \end{aligned}$$

4.3 (Almost) Doubling Challenge Space of Lossy Identification Scheme $\mathsf {ID}^\mathsf{EnCh}_{\mathsf {ls}}$

Following the work of [6] and their exploitation of quadratic twists, we show a simple method to almost double the challenge space of the previous scheme $\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}$. The new scheme $\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}$ (with a doubly-enlarged challenge set) has statement-witness pairs almost identical to those of $\mathsf {ID}^\mathsf{enCh}_\mathsf {ls}$. The statement remains the same, while the witness contains two extra-coordinates, namely $b,c \in \mathbb {Z}_N$ such that $\mathfrak {g}^b\,\star \,E_0=E_1^{(0)}$, $\mathfrak {g}^c\,\star \,E_0=E_2^{(0)}$. The algorithm $\mathsf {IGen}$ is adjusted according to this modification, while the lossy key generation algorithm $\mathsf{LossyIGen}$ and prover’s first move $\mathsf {P}_1$ are defined exactly the same.

The challenge set $\mathsf{ChSet}$ now admits also negative values, in particular it is the set $\{0,\pm 1, \dots , \pm S\}$. The third move $\mathsf {P}_2$ and the Verification algorithm $\mathsf {V}$ are hence converted to deal with these new challenge values:

On input $(\mathsf {X},\mathsf {W},\mathsf {com},\mathsf {ch})$, where $\mathsf {ch}\in \mathsf{ChSet}$, $\mathsf {P}_2$ outputs the response $\mathsf {resp}$ which is r if $\mathsf {ch}=0$, $r-a_{\mathsf {ch}}$ if $\mathsf {ch}> 0$ and $r+b+c+a_{|\mathsf {ch}|}$ if $\mathsf {ch}< 0$.
On input $(\mathsf {X},\mathsf {com},\mathsf {ch},\mathsf {resp})$, the verification algorithm $\mathsf {V}$ checks that $\mathfrak {g}^{\mathsf {resp}}\,\star \,E_1^{(\mathsf {ch})}=F_1$, $\mathfrak {g}^{\mathsf {resp}}\,\star \,E_2^{(\mathsf {ch})}=F_2$ if $\mathsf {ch}\ge 0$, and
$$\begin{aligned} \mathfrak {g}^{\mathsf {resp}}\,\star \,E_1^{(|\mathsf {ch}|),\mathsf {tw}}=F_2, \quad \mathfrak {g}^{\mathsf {resp}}\,\star \,E_2^{(|\mathsf {ch}|),\mathsf {tw}}=F_1 \end{aligned}$$
if $\mathsf {ch}< 0$.

We note that the symbols $E_1^{(|\mathsf {ch}|),\mathsf {tw}}$, $E_2^{(|\mathsf {ch}|),\mathsf {tw}}$ denote the quadratic twists of the curve $E_1^{(|\mathsf {ch}|)}$ and $E_2^{(|\mathsf {ch}|)}$, respectively. In particular $E_1^{(|\mathsf {ch}|),\mathsf {tw}}=\mathfrak {g}^{-a_{|\mathsf {ch}|}-b}\,\star \,E_0$, and $E_2^{(|\mathsf {ch}|),\mathsf {tw}}=\mathfrak {g}^{-a_{|\mathsf {ch}|}-c}\,\star \,E_0$.

Remark 4.1

We exploit the quadratic twist in a slightly different way compared to [6]. This has the effect of allowing us to base security on the FCMD-CSIDH assumption rather than the more restricted FCMD-CSIDH assumption where $E_1^{(0)}$ is fixed to be the special elliptic curve $E_0$. The variant proposed in [6, Section 2.5] in order to extend the challenge set to negative values relies on the fact that the public key and the commitment are computed starting from the specific elliptic curve $E_0$. Consequently, the security of their derived sigma protocol requires the GAIP problem to be hard for this specific $E_0$ as the base point. This is in contrast to all other schemes provided in [6] which only need the standard GAIP problem.

Security of Lossy Identification Scheme $\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}$. The proposed lossy identification protocol $\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}$ inherits all the standard properties of a lossy identification protocol (see Definition 2.1) from the previous scheme $\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}$. Moreover, since the statement output by $\mathsf {IGen}$ and $\mathsf{LossyIGen}$ is identical to $\mathsf {ID}^\mathsf{enCh}_\mathsf {ls}$, the protocol $\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}$ satisfies indistinguishability of lossy statements assuming the hardness of the FCMD-CSIDH problem.

Finally, the statistical lossy soundness is addressed in the following lemma. As it can be seen, the shape of $\epsilon _\mathsf {ls}$ remains unchanged with respect to Lemma 4.3.

Lemma 4.4

Our lossy identification protocol $\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}$ satisfies statistical $\epsilon _\mathsf {ls}$-lossy soundness for $\epsilon _\mathsf {ls}=(1/(2S+1)) \cdot \prod _{i=1}^{S}((N-i)/N)+(1 - \prod _{i=1}^{S}((N-i)/N))$, where $N = \left| \mathcal {C\ell (O)} \right| $.

Proof

The proof is almost identical to that of Lemma 4.3. We consider exactly the same partition $X_\mathsf{BAD}$, $X \backslash X_\mathsf{BAD}$ for the set of statements X which was introduced in Lemma 4.3. The only difference is that three extra-cases arise from the extension of the challenge space when computing $\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}] $. Namely, consider $(\mathsf {com},\mathsf {ch},\mathsf {resp})$ and $(\mathsf {com},\mathsf {ch}',\mathsf {resp}')$, with $\mathsf {ch}\ne \mathsf {ch}'$ and $\mathsf {com}= (F_1, F_2)$, as valid transcripts for $\mathsf {X}_\mathsf {ls}$. If $\mathsf {ch}$ and $\mathsf {ch}'$ are both negative, we have that $\mathsf {resp}- \mathsf {resp}'$ satisfies

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathfrak {g}^{\mathsf {resp}-\mathsf {resp}'}\,\star \,E_1^{(|\mathsf {ch}|),\mathsf {tw}}= E_1^{(|\mathsf {ch}'|),\mathsf {tw}} \\ \mathfrak {g}^{\mathsf {resp}-\mathsf {resp}'}\,\star \,E_2^{(|\mathsf {ch}|),\mathsf {tw}}= E_2^{(|\mathsf {ch}'|),\mathsf {tw}} \end{array}\right. } \end{aligned}$$

i.e. $a_{|\mathsf {ch}|}-a_{|\mathsf {ch}'|}=a'_{|\mathsf {ch}|}-a'_{|\mathsf {ch}'|}$. When $\mathsf {ch}> 0$ and $\mathsf {ch}' <0 $, for the value $\mathsf {resp}- \mathsf {resp}'$ it holds

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathfrak {g}^{\mathsf {resp}-\mathsf {resp}'}\,\star \,E_1^{(\mathsf {ch})} = E_2^{(|\mathsf {ch}'|),\mathsf {tw}} \\ \mathfrak {g}^{\mathsf {resp}-\mathsf {resp}'}\,\star \,E_2^{(\mathsf {ch})} = E_1^{(|\mathsf {ch}'|),\mathsf {tw}} \end{array}\right. } \end{aligned}$$

which implies the analogous relation $a_{\mathsf {ch}}-a_{|\mathsf {ch}'|}=a'_{\mathsf {ch}}-a'_{|\mathsf {ch}'|}$. The last case to be taken into account has $\mathsf {ch}=0$ and $\mathsf {ch}' <0$, for which we deduce

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathfrak {g}^{\mathsf {resp}-\mathsf {resp}'}\,\star \,E_1^{(0)} = E_2^{(|\mathsf {ch}'|),\mathsf {tw}} \\ \mathfrak {g}^{\mathsf {resp}-\mathsf {resp}'}\,\star \,E_2^{(0)} = E_1^{(|\mathsf {ch}'|),\mathsf {tw}} \end{array}\right. } \end{aligned}$$

and then the relation $a_{|\mathsf {ch}'|}=a'_{|\mathsf {ch}'|}$.

Therefore, combining this with conditions (4) in Lemma 4.3, we conclude that in case $X_\mathsf {ls}\in X_\mathsf{BAD}$, there can exist at most one $\mathsf {ch}\in \{0,\pm 1, \dots , \pm S\}$ which leads to a valid response $\mathsf {resp}$. This concludes the proof.

4.4 Lossy Soundness Amplification of $\mathsf {ID}^\mathsf{DenCh}_\mathsf {ls}$

For completeness, we provide the following lemma.

Lemma 4.5

Consider running t parallel rounds of the lossy identification protocol $\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}$ (with the same statement-witness pair). Then it satisfies statistical $\epsilon _\mathsf {ls}$-lossy soundness for $\epsilon _\mathsf {ls}=(1/{(2S+1)^t}) \cdot \prod _{i=1}^{S}((N-i)/N)+(1 - \prod _{i=1}^{S}((N-i)/N))$, where $N = \left| \mathcal {C\ell (O)} \right| $.

Proof

The proof is analogous to Lemma 3.3.

5 Lossy CSI-FiSh: Tightly Secure Signature from CSIDH-512

5.1 Construction of Lossy CSI-FiSh

We depict our Lossy CSI-FiSh signature scheme, whose security is based on the FCMD-CSIDH assumption with parameter S, in Algorithms 1 to 3. It is obtained by applying the Fiat-Shamir transformation on the (soundness-amplified) lossy identification protocol $\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}$ introduced in Sect. 4.3. We note that we use a (quantumly secure) $\mathsf {PRF}$ to derandomize the signature generation, to comply with the hypothesis of Theorem 2.1. In practice, one can simply use any standard hash function (e.g., SHA-3).^{Footnote 5} Moreover, we use the extra property of commitment revocability (see Definition 2.1) of our lossy identification protocol $\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}$ and let the verifier recover $\mathsf {com}$ from $\mathsf {resp}$ and $\mathsf {ch}$. This allows us to send t-hash values rather than 2t-elliptic curves over $ \mathcal {E\ell \ell }_p(\mathcal {O},\pi )$, and greatly reduces the signature size.

The values S and t are parameters of the signature scheme and can be chosen by the user allowing for different tradeoffs between security, efficiency and signature size. Roughly, the only condition which S and t must satisfy is $t \cdot \log _2 S \approx \lambda $ in the classical setting, where $\lambda $ is the desired security level. In the quantum setting, we will require $t \cdot \log _2 S \approx \lambda + \log _2 Q_H$, where $Q_H$ is the number of hash evaluations an adversary can make. For fixed S and t, the resulting signature size is $t \cdot (\lceil \log _2 N \rceil + \lceil \log _2 S \rceil )$. A selection of candidate parameters is provided in Sect. 5.2.

The following asserts the tight security of Lossy CSI-FiSh based on the FCMD-CSIDH assumption. Observe that the computational advantages appear with a constant factor (one). Moreover, viewing S as a constant parameter, Lossy CSI-FiSh admits tight security based on the D-CSIDH assumption as well.

Theorem 5.1

Let Lossy CSI-FiSh be the signature scheme depicted in Algorithms 1, 2, and 3. Then, for any quantum adversary $\mathcal {A}$ against $\mathsf {su\text {-}cma}$ security of Lossy CSI-FiSh that issues at most $Q_H$ queries to the quantum random oracle, there exists a quantum adversary $\mathcal {B}$ against the FCMD-CSIDH problem with parameter S and an quantum adversary $\mathcal {D}$ against the $\mathsf {PRF}$ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {su\text {-}cma}}_{\mathcal {A}}(\lambda )&\le \mathsf {Adv}^{\mathsf {FCMD\text {-}CSIDH}}_{\mathcal {B}, S}(\lambda ) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {D}}(\lambda ) + \frac{2}{N} + \\&+ 8 (Q_H + 1)^2 \cdot \Big ( \frac{1}{ (2 S + 1)^t} \cdot \prod _{i \in [S]} \frac{N - i}{N} + \Big ( 1 - \prod _{i \in [S]} \frac{N - i}{N} \Big ) \Big ) \end{aligned}$$

and $\mathsf {Time}(\mathcal {B}) = \mathsf {Time}(\mathcal {D}) = \mathsf {Time}(\mathcal {A}) + Q_H \approx \mathsf {Time}(\mathcal {A})$. Moreover, we can replace $\mathcal {B}$ by a quantum adversary $\mathcal {B}'$ against the D-CSIDH problem such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {FCMD\text {-}CSIDH}}_{\mathcal {B}, S}(\lambda ) \le S \cdot \mathsf {Adv}^{\mathsf {D\text {-}CSIDH}}_{\mathcal {B}'}(\lambda ) \end{aligned}$$

and $\mathsf {Time}(\mathcal {B}) \approx \mathsf {Time}(B')$.

In the classical setting, the only difference is that the above bound depends linearly on $Q_H$ instead of quadratically. That is, we can replace $8 (Q_H + 1)^2$ with $Q_H + 1$.^{Footnote 6}

Proof

The theorem is a consequence of Theorem 2.1, Lemmas 4.1, and 4.5, along with the additional security claims made in Sect. 4. Note that the lossy identification protocol $\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}$ has N bits of min entropy, where N is the cardinality of $\mathcal {C\ell (O)}$.

Remark 5.1

(Shorter Secret Key). Since the secret key $\mathsf {sk}$ is composed of random values, we can use standard tricks to derive them from the $\mathsf {PRF}$ key. In particular, we only require one $\mathsf {PRF}$ key, e.g., a 16-byte seed for SHA-3, as the secret key. This modification has (almost) no effect on the overall concrete security. In order to simplify the readability, in Algorithm 1 we do not make the use of the PRF explicit while uniformly sampling in $\mathbb {Z}_N$.

5.2 Instantiations and Comparison to CSI-FiSh

In this section, we specialise the Lossy CSI-FiSh to the CSIDH-512 parameters, and we consider distinct possible values for t and S both in the classical and quantum setting. For each choice of (S, t), Theorem 5.1 dictates how many bits of classical/quantum security the scheme guarantees. Clearly, different choices for (S, t) will lead to different bandwidth and computational efficiency.

Here, the term $\gamma $-bit of security for a cryptographic scheme is defined as the non-existence of an adversary that breaks the scheme with a success ratio bigger than $2^{-\gamma }$, where the success ratio is the quotient between the adversary’s success probability and its running time [3]. In the light of Theorem 5.1, the number of bits of security guaranteed by the signature scheme Lossy CSI-FiSh is upper bounded by the security of the FCMD-CSIDH problem. In line with [8], in the following we assume that the best methodology to solve the D-CSIDH problem (and hence FCMD-CSIDH) is solving one of the corresponding GAIP instances.

Aligning with [6], we consider a hash function that is a factor $2^u$ slower than a standard hash function (as, for example, SHA3) and vary u to obtain tradeoffs between security and efficiency. Moreover, for the sake of easy comparison, we consider the same values for S and u that are used in [6]. Below, we first provide discussions on the size of the public key and signature size of Lossy CSI-FiSh, both in the classical and quantum setting. We then discuss the efficiency of our scheme with respect to the running times of signature generation and verification. The analysis on runtime will be the same for both the classical and quantum setting.

Classical Setting. The best known classical algorithm to solve the GAIP problem applies the meet-in-the-middle strategy, and hence has a time complexity $O(\sqrt{N})$, where N is the cardinality of $\mathcal {C\ell (O)}$. The class group computation executed in [6] has shown that $N \simeq 2^{257.1}$ for CSIDH-512 parameters. This means that the D-CSIDH problem guarantees at most 128 bits of classical security and then, in turn, the FCMD-CSIDH problem guarantees at most 128-bits when $S=1$, and at most $128/\log _2{S}$ bits when $S > 1$ (see Lemma 4.1).

By Theorem 5.1, for all classical adversaries running in time at most $2^{128}$ and making at most $2^{128}$ (random) queries $Q_H$, it holds:

$$\begin{aligned} \frac{\mathsf {Adv}^{\mathsf {su\text {-}cma}}_{\mathcal {A}}(\lambda )}{\mathsf {Time}(\mathcal {A})}&\le S \cdot \frac{\mathsf {Adv}^{\mathsf {D\text {-}CSIDH}}_{\mathcal {B}'}(\lambda )}{\mathsf {Time}(\mathcal {B}')} + \frac{\mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {D}}(\lambda )}{\mathsf {Time}(\mathcal {D})} + \\ {}&\quad \quad ~~ + 2^{-u} \cdot \Big ( \frac{1}{ (2 S + 1)^t} \cdot \prod _{i \in [S]} \frac{N - i}{N} + \Big ( 1 - \prod _{i \in [S]} \frac{N - i}{N} \Big ) \Big ) \\&\simeq S\cdot 2^{-128}+2^{-256}+ 2^{-u} \cdot (2S + 1)^{-t}, \end{aligned}$$

where we ignore the min-entropy since it does not give any significant contribution, being smaller than $2^{256}$. Furthermore, $1-\prod _{i \in [S]} (N-i)/N$ is less than $2^{-242}$ even for the biggest value of S considered in the following, i.e. $2^{15}-1$. Hence, the last term can be safely approximated as $2^{-u}\cdot (2S+1)^{-t}$. Now, since each of the values of S is of the form $2^w-1$, we deduce that $2^{-u}\cdot (2S+1)^{-t}$ must be bounded by $2^{-129}$ to reach $-128+w$ bits of security. For a fixed value of u, the smallest value of t for which the above inequality is satisfied is uniquely defined.

In the following Table 1 we report: for each choice of S and u, the minimum value of t for which we obtain the maximal security guaranteed by Lossy CSI-FiSh, the number of bits of such security level, the sizes of signatures and the sizes of public keys for Lossy CSI-FiSh and CSI-FiSh. The column “bits of security” is dismissed for CSI-FiSh as it does not provide provable concrete security. We highlight that for a fixed triple (S, t, u), the signatures produced with our scheme Lossy CSI-FiSh have exactly the same size as those produced with CSI-FiSh. Finally, we note that the values for CSI-FiSh reported in Table 1 slightly differ from those of [6, Table 3], where some approximations were made (e.g., $2S-1$ was approximated with 2S), while our parameters are chosen without any approximation.

Table 1. Comparison between Lossy CSI-FiSh and CSI-FiSh.

Full size table

The differences on the public key sizes between Lossy CSI-FiSh and CSI-FiSh have a double cause:

in Lossy CSI-FiSh the starting curves $E_1^{(0)}, E_2^{(0)}$ are computed by each user and are part of the public key, while in CSI-FiSh the starting curve $E_0$ is part of the public parameters of the scheme;
for each coordinate $a_i$ of the private key, with $i \in [S]$, Algorithm 1 computes two curves that will become part of the public key, while in CSI-FiSh only $\mathfrak {g}^{a_i}\,\star \,E_0$ is appended to the public key.

Recalling that each curve in $\mathcal {E\ell \ell }_p(\mathcal {O},\pi )$ can be uniquely represented by an element of $\mathbb {F}_p$, with $p \simeq 2^{512}$, for a given S the size of a CSI-FiSh’s public key is $S \cdot 512$ while the size of a public key produced with Lossy CSI-FiSh has length equal to $(S+2) \cdot 512$, with the increment given by the extra term more visible for small values of S.

Quantum Setting. The best known quantum algorithm for the GAIP problem is Kuperberg’s algorithm for the hidden shift problem [28, 29], which has a subexponential complexity. The concrete security estimates, however, are still an active area of research [5, 7, 34]. In the following we will consider 56 bits of quantum security as a conservative choice, and 64 bits as a more optimistic choice for the D-CSIDH problem. Consequently, we consider quantum adversaries running in time at most $2^{56}$ in the conservative variant, and $2^{64}$ in the more optimist one. Analogously, we upper bound the number of possible queries $Q_H$ by $2^{56}$ in the former case, and by $2^{64}$ in the latter. In both cases, the upper bound on the security of Lossy CSI-FiSh depends quadratically in $Q_H$.

Considering the optimistic variant, the following inequality holds due to Theorem 5.1:

$$\begin{aligned} \frac{\mathsf {Adv}^{\mathsf {su\text {-}cma}}_{\mathcal {A}}(\lambda )}{\mathsf {Time}(\mathcal {A})}&\le S \cdot \frac{\mathsf {Adv}^{\mathsf {D\text {-}CSIDH}}_{\mathcal {B}'}(\lambda )}{\mathsf {Time}(\mathcal {B}')} + \frac{\mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {D}}(\lambda )}{\mathsf {Time}(\mathcal {D})} \\&\quad ~~ + 8\cdot (Q_H + 1) \cdot 2^{-u} \cdot \Big ( \frac{1}{ (2 S + 1)^t} \cdot \prod _{i \in [S]} \frac{N - i}{N} + \Big ( 1 - \prod _{i \in [S]} \frac{N - i}{N} \Big ) \Big ) \\&\simeq S \cdot 2^{-64} + 2^{-256}+ 2^{67-u} \cdot (2S + 1)^{-t}, \end{aligned}$$

where the approximation is validated by the same argument as in the classical setting. We require $2^{67-u} \cdot (2S+1)^{-t}$ to be bounded by $2^{-65}$ in order to reach $-64+w$ bits of quantum security, with $S=2^w-1$. Analogously, in the conservative variant, we require $2^{59-u}\cdot (2S+1)^{-t}$ to be bounded by $2^{-57}$ in order to reach $-56+w$ bits of quantum security, with $S=2^w-1$.

Table 2. Parameters and achieved quantum security level for Lossy CSI-FiSh.

Full size table

In the following Table 2 we differentiate the Conservative and Optimistic variants, reporting the values of t for each choice of S and u, the security levels guaranteed in the two cases, and signatures and public keys sizes. We note that the size of the public key only depends on S, hence it achieves the same size as in the classical setting (see Table 1).

Estimated Performance. The costs of key generation, signing and verifying are dominated by the class group actions to be executed in each algorithm. For fixed S and t, the number of actions for each of them is as follows:

key generation (Algorithm 1) requires $2S+2$ actions, while S of them are those also computed by the key generation algorithm of CSI-FiSh;
both signing (Algorithm 2) and verifying (Algorithm 3) need 2t actions, exactly twice as many as required by the corresponding algorithms of CSI-FiSh.

As it can be seen, the key generation would be slighter slower than twice the key generation of CSI-FiSh, while the signature generation and verification would be twice that of CSI-FiSh. To provide a concrete benchmark, we estimate the running times using the two triples $(2^{15}-1,7,16)$ and $(2^3-1,28,16)$ reporting the values of S, t and u for two instances from [6, Table 3]. These two parameter settings are chosen in order to achieve a small signature size and a small sum of signature and public key size, respectively. For the first (resp. second) triple, CSI-FiSh takes the following: 28 m (resp. 400 ms) for key generation, 395 ms (resp. 1.48 s) for signature generation, and 393 ms (resp. 1.48 s) for signature verification^{Footnote 7}. Therefore, we can estimate that for Lossy CSI-FiSh it will take the following for the respective tuples: $\sim 56$ m (resp. ${\sim }920$ ms) for key generation, ${\sim }800$ ms (resp. 3 s) for signature generation and verification. Here for estimating the runtime of key generation, we simply scaled the runtime of CSI-FiSh by a factor $(2 S + 2) \cdot S^{-1}$.

Finally, we provide one potential optimization for lowering the computation time required by the signing and verifying algorithms of Lossy CSI-FiSh. We recall that, in order to efficiently compute the action of $\mathfrak {g}^a$ on a given curve, with $a \in \mathbb {Z}_N$, it is necessary to find an equivalent representation of $\mathfrak {g}^a$ as a product of small powers of the special ideals $\mathfrak {I}_{\ell _i}$ (see Sect. 2.5). In [6], an algorithm solving an approximate Closest Vector Problem (CVP) has been proposed to this task. Therefore, the computation of a class group action consists of two steps: finding the equivalent representation and computing the isogenies corresponding to the ideals’ powers. Here, we observe that in Lossy CSI-FiSh most of the group actions are pairwise coupled, i.e. they use the same exponent. The result is that the signing and verifying algorithms do not need to execute the finding-equivalent-representation step for each of the class actions. Therefore, this may potentially lead to more efficient algorithms depending on the exact runtime of finding the equivalent representation. We leave it as future work to implement and verify the validity of this observation.

6 Conclusions and Open Problems

In this work, we construct a new signature scheme based on the CSIDH-512 parameters, called Lossy CSI-FiSh. It is provably secure and tightly reduces to the D-CSIDH (or FCMD-CSIDH) assumption. Lossy CSI-FiSh inherits most of the efficiency of CSI-FiSh and shows that a slight modification to CSI-FiSh allows to set the concrete parameters in a provably secure manner with minimal cost. In particular, the signature size is as small as CSI-FiSh while the signature generation and verification are around a factor of two slower. We hope that further research will allow to improve the efficiency. Optimisations may be specialized for the scheme (like, for example, halving the number of approximate CVP-problems to be solved in the key generation) or, more generally, be designed for CSI-FiSh. Indeed, the latter would likely have an impact also on our scheme.

One of the biggest open problems is to devise a (lossy or non-lossy) identification protocol that allows for the challenge set to be $\mathbb {Z}_N$ rather than the small set $\{ -S, \cdots , S \}$, as also mentioned in [6]. This will allow for an analogue of the highly efficient Schnorr signature [36] based on the discrete logarithm problem. Another challenging yet interesting open problem is to show any type of random self-reducibility property for the D-CSIDH problem. We believe such a technique will lend hands to other tightly-secure primitives (e.g., tightly-secure key exchange protocols) and perhaps shed light to Cramer-Shoup-like techniques [11] in the isogeny setting.

Notes

1.
Roughly, this is parallel to the relation between the Diffie-Hellman (DH) protocol and the decisional DH assumption [15]. For a more formal discussion, we refer to Sect. 3.1.
2.
The parameter set having the smallest value for the prime p.
3.
With [S] we denote the set $\{1,\dots ,S\}$.
4.
j varies from 0 to S, and with [0] we denote the set $\{0\}$.
5.
We note that assuming that a standard cryptographic hash function acts as a $\mathsf {PRF}$ does not add to our set of assumptions, since we are already working in the ROM.
6.
We can get rid of the constant 8 in the classical setting since it is due to the reduction from the generic quantum search problem. See [24, 43] for example.
7.
Their benchmarking experiments were performed on a Dell OptiPlex 3050 machine with Intel Core i5-7500T CPU @ 2.70 GHz.

References

Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
CrossRef Google Scholar
Abdalla, M., Fouque, P.-A., Lyubashevsky, V., Tibouchi, M.: Tightly-secure signatures from lossy identification schemes. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 572–590. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_34
CrossRef Google Scholar
Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34
CrossRef Google Scholar
Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS signature framework. In: ACM-CCS, pp. 17–43 (2019). Submission to the NIST PQC project
Google Scholar
Bernstein, D.J., Lange, T., Martindale, C., Panny, L.: Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 409–441. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_15
CrossRef Google Scholar
Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9
CrossRef Google Scholar
Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogeny-based schemes. Cryptology ePrint Archive, Report 2018/537 (2018)
Google Scholar
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
CrossRef Google Scholar
Couveignes, J.-M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006)
Google Scholar
Cox, D.A.: Primes of the form $x^2+ny^2$ (2011)
Google Scholar
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
CrossRef Google Scholar
De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26
CrossRef Google Scholar
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
CrossRef MATH Google Scholar
De Feo, L., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 365–394. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_14
CrossRef Google Scholar
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
CrossRef MathSciNet Google Scholar
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-Oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13
CrossRef MATH Google Scholar
Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR TCHES 1, 238–268 (2018)
CrossRef Google Scholar
Fiat, A., Shamir, A.: How To prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
CrossRef Google Scholar
Fleischhacker, N., Jager, T., Schröder, D.: On tight security proofs for Schnorr signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 512–531. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_27
CrossRef Google Scholar
Fouque, P.-A., et al.: Falcon: Fast-Fourier lattice-based compact signatures over NTRU
Google Scholar
Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_1
CrossRef Google Scholar
Garg, S., Bhaskar, R., Lokam, S.V.: Improved bounds on security reductions for discrete log based signatures. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 93–107. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_6
CrossRef Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: 40th ACM STOC, pp. 197–206 (2008)
Google Scholar
Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
CrossRef Google Scholar
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
CrossRef MATH Google Scholar
Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: ACM CCS, pp. 155–164 (2003)
Google Scholar
Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-Oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18
CrossRef MATH Google Scholar
Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: TQC, vol. 22, pp. 20–34 (2013)
Google Scholar
Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)
CrossRef MathSciNet Google Scholar
Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12
CrossRef Google Scholar
Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
CrossRef Google Scholar
Micali, S., Reyzin, L.: Improving the exact security of digital signature schemes. J. Cryptol. 15(1), 1–18 (2002). https://doi.org/10.1007/s00145-001-0005-8
CrossRef MathSciNet MATH Google Scholar
Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_1
CrossRef Google Scholar
Peikert, C.: He gives C-Sieves on the CSIDH. Cryptology ePrint Archive: Report 2019/725 (2019)
Google Scholar
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive: Report 2006/145 (2006)
Google Scholar
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
CrossRef Google Scholar
Seurin, Y.: On the exact security of Schnorr-type signatures in the random Oracle model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 554–571. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_33
CrossRef MATH Google Scholar
Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)
CrossRef MathSciNet Google Scholar
Stolbunov, A.: Cryptographic schemes based on isogenies (2012)
Google Scholar
Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random Oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
CrossRef MATH Google Scholar
Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
CrossRef Google Scholar
Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A post-quantum digital signature scheme based on supersingular isogenies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 163–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_9
CrossRef Google Scholar
Zhandry, M.: How to construct quantum random functions. In: 53rd FOCS, pp. 679–687 (2012)
Google Scholar

Download references

Acknowledgement

The second author was supported by JST CREST Grant Number JPMJCR19F6.

Author information

Authors and Affiliations

Mathematical Institute, University of Oxford, Oxford, UK
Ali El Kaafarani & Federico Pintore
PQShield, Oxford, UK
Ali El Kaafarani
National Institute of Advanced Industrial Science and Technology (AIST), Tokyo City, Japan
Shuichi Katsumata

Authors

Ali El Kaafarani
View author publications
You can also search for this author in PubMed Google Scholar
Shuichi Katsumata
View author publications
You can also search for this author in PubMed Google Scholar
Federico Pintore
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Federico Pintore .

Editor information

Editors and Affiliations

University of Edinburgh, Edinburgh, UK
Aggelos Kiayias
University of Edinburgh, Edinburgh, UK
Markulf Kohlweiss
University of Edinburgh, Edinburgh, UK
Petros Wallden
University of Edinburgh, Edinburgh, UK
Vassilis Zikas

Rights and permissions

Reprints and Permissions

Copyright information

About this paper

Cite this paper

El Kaafarani, A., Katsumata, S., Pintore, F. (2020). Lossy CSI-FiSh: Efficient Signature Scheme with Tight Reduction to Decisional CSIDH-512. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds) Public-Key Cryptography – PKC 2020. PKC 2020. Lecture Notes in Computer Science(), vol 12111. Springer, Cham. https://doi.org/10.1007/978-3-030-45388-6_6

Download citation

DOI: https://doi.org/10.1007/978-3-030-45388-6_6
Published: 29 April 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45387-9
Online ISBN: 978-3-030-45388-6
eBook Packages: Computer ScienceComputer Science (R0)

Published in cooperation with
https://iacr.org/

Abstract

1 Introduction

1.1 Background

1.2 Our Contribution

2 Preliminaries

2.1 Identification Protocols

Definition 2.1

Definition 2.2

2.2 Digital Signature Schemes

Definition 2.3

Definition 2.4

2.3 Pseudorandom Functions

2.4 Fiat-Shamir Transformation

Theorem 2.1

2.5 Class Group Actions and Hardness Assumption

Definition 2.5

3 Base Lossy Identification Protocol from CSIDH-512

3.1 Hardness Assumption: Decisional CSIDH

Definition 3.1

3.2 Construction of Base Lossy Identification Protocol

3.3 Security of Base Lossy Identification Protocol \(\mathsf {ID}^\mathsf{Base}_{\mathsf {ls}}\)

Lemma 3.1

Proof

Lemma 3.2

Proof

3.4 Lossy Soundness Amplification of \(\mathsf {ID}^\mathsf{Base}_\mathsf {ls}\)

Lemma 3.3

Proof

4 Optimized Lossy Identification Protocol from CSIDH-512

4.1 Hardness Assumption: Fixed-Curve Multi-decisional CSIDH

Definition 4.1

Lemma 4.1

Proof

4.2 Enlarging Challenge Space of Base Lossy Identification Protocol

Lemma 4.2

Proof

Lemma 4.3

Proof

4.3 (Almost) Doubling Challenge Space of Lossy Identification Scheme \(\mathsf {ID}^\mathsf{EnCh}_{\mathsf {ls}}\)

Remark 4.1

Lemma 4.4

Proof

4.4 Lossy Soundness Amplification of \(\mathsf {ID}^\mathsf{DenCh}_\mathsf {ls}\)

Lemma 4.5

Proof

5 Lossy CSI-FiSh: Tightly Secure Signature from CSIDH-512

5.1 Construction of Lossy CSI-FiSh

Theorem 5.1

Proof

Remark 5.1

5.2 Instantiations and Comparison to CSI-FiSh

6 Conclusions and Open Problems

Notes

References

Acknowledgement

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

search

Navigation