Abstract
Recently, Beullens, Kleinjung, and Vercauteren (Asiacrypt'19) provided the first practical isogeny-based digital signature, obtained from the Fiat-Shamir (FS) paradigm. They worked with the CSIDH-512 parameters and passed through a new record class group computation. However, as with all standard FS signatures, the security proof is highly non-tight and the concrete parameters are set under the heuristic that the only way to attack the scheme is by finding collisions for a hash function.
In this paper, we propose an FS-style signature scheme, called Lossy CSI-FiSh, constructed using the CSIDH-512 parameters and with a security proof based on the "Lossy Keys" technique introduced by Kiltz, Lyubashevsky and Schaffner (Eurocrypt'18). Lossy CSI-FiSh is provably secure under the same assumption which underlies the security of the key exchange protocol CSIDH (Castryck et al. (Asiacrypt'18)) and is almost as efficient as CSI-FiSh. For instance, aiming for small signature size, our scheme is expected to take around 800 ms to sign/verify while producing signatures of size \(\approx 280\) bytes. This is only about twice as slow as CSI-FiSh while having a similar signature size for the same parameter set. As an additional benefit, our scheme is by construction secure both in the classical and quantum random oracle model.
1 Introduction
1.1 Background
Isogeny-based cryptography is one of the promising candidates for post-quantum cryptography. While isogeny problems offer simple and efficient solutions for encryption schemes (or equivalently, key-exchange protocols) [8, 25], they have turned out to be rather elusive to use for constructing signature schemes.
At the highest level, all isogeny-based signatures we know thus far are based on the Fiat-Shamir paradigm [1, 18]: prepare a hard relation \(\mathcal {R}\) based on an isogeny problem, construct an identification protocol (or sigma protocol) for \(\mathcal {R}\), and use a cryptographic hash function to compile the identification protocol into a signature scheme in the random oracle model (ROM). Both of the two central isogeny problems—the computational supersingular isogeny (CSSI) problem [13] and the group action inverse problem (GAIP) [8]—have been the basis for constructing signatures. Those based on CSSI, proposed in [21, 42], produce signatures of size at least 12 KB even in the most optimized variant [21]. On the other hand, relying on GAIP and employing the Fiat-Shamir with aborts strategy [31], De Feo and Galbraith introduced a compact isogeny-based signature named SeaSign [12]. Despite its inefficient signature generation and verification, SeaSign provides signatures of a remarkably small size (less than 1 kilobyte at the 128-bit security level).
Very recently, a new record class group computation has allowed Beullens, Kleinjung and Vercauteren [6] to improve SeaSign and obtain the first practical isogeny-based signature scheme, named CSI-FiSh. Their computation has shed light on the structure of the ideal class group determined by a specific set of CSIDH parameters, named CSIDH-512 [8]. This granted proper uniform sampling from the ideal class group and a canonical representation of its elements, which made it possible to avoid the costly remedy adopted by SeaSign, namely a redundant representation of class group elements combined with rejection sampling. The result is practical efficiency in both signature generation and verification while maintaining the short signature size offered by SeaSign. However, one important remark is that, since CSI-FiSh is specific to the special parameter set CSIDH-512, it can offer at most the security level provided by a hard problem defined over the CSIDH-512 parameters. Specifically, CSI-FiSh relies on the GAIP problem, which is believed to have 128 bits of classical and (at most) 64 bits of quantum security over the CSIDH-512 parameters [8, 34].
Tight Security. Fiat-Shamir (FS) signatures [1, 18] admit an intuitive and simple construction in the ROM; however, they are notorious for having a very loose reduction. Since a loose reduction forces a stronger hardness assumption, and consequently a less efficient scheme, several works have focused on tightening the reduction loss, e.g., [3, 19, 22, 26, 32, 33, 37].
To give a more precise perception of the security loss, assume we had an FS signature that is secure based on the hardness of a particular hard problem \(\Pi \). Then, the security proof of FS signatures in the classical ROM dictates that the reduction algorithm can break the underlying problem \(\Pi \) with advantage \(Q^{-1} \cdot \epsilon ^2\), where Q is the number of hash evaluations an adversary can perform and \(\epsilon \) is the advantage of an adversary breaking the security of the FS signature. Therefore, if we want to instantiate the FS signature with provably secure parameters, we must assume the hardness of the problem \(\Pi \) for a security level that is much higher than expected. For instance, if we aim for 128 bits of security for the FS signature (i.e., \(\epsilon = 2^{-128}\)), then assuming a modest \(Q \approx 2^{40}\), we require at least 296 bits of security for the hard problem \(\Pi \), since \(Q^{-1} \cdot \epsilon ^2 = 2^{-40} \cdot 2^{-256} = 2^{-296}\). Since a hard problem with a higher level of security requires larger parameters, this leads to inefficient schemes.
This undesirable loss in security and efficiency is common to all standard FS signatures and CSI-FiSh is no exception. However, one large difference between CSI-FiSh and other FS signatures is that CSI-FiSh relies on a hard problem defined for a specific security level—the GAIP problem over the CSIDH-512 parameters. For the time being, no other parameter sets are known to provide the nice algebraic structure required for CSI-FiSh. This is in sharp contrast with FS signatures based on other hardness assumptions, since most hardness assumptions can "absorb" the reduction loss by setting the parameters larger. Since GAIP over the CSIDH-512 parameters only offers 128 bits of classical security, we cannot argue any notion of provable security for CSI-FiSh if we aim for 128 bits of security. Concretely, if we plug in \(Q \approx 2^{40}\) as above, we can only provably argue 44 bits of security for CSI-FiSh (from \(Q^{-1} \cdot \epsilon ^2 = 2^{-128}\) we get \(\epsilon = 2^{-44}\)). Moreover, if we aim for quantum security, the situation is worse since the reduction algorithm can break the underlying problem \(\Pi \) with only advantage \(Q^{-6} \cdot \epsilon ^{3}\) [16, 30]. We note that the currently available resources would probably allow other record computations for bigger parameters for which GAIP is believed to have a much higher security level; however, the benefit of having a higher security level would likely be outweighed by the significant slowdown in efficiency.
In practice, this inconvenient reduction loss in FS signatures is usually overlooked or simply ignored, and the parameters are set assuming that the best attack against the FS signature is (roughly) finding a collision in the hash function. In [6], the parameters for CSI-FiSh are set under this simplified assumption as well. Considering this undesirable gap between practice and theory, a natural question which arises is:
Can we design an isogeny-based signature scheme as efficient as CSI-FiSh with provably secure parameters?
1.2 Our Contribution
In this work, we provide a partial answer to the above problem and propose a new signature scheme, Lossy CSI-FiSh, with the following features:

It is tightly secure under a natural hardness assumption over the CSIDH-512 parameters, that is, the decisional CSIDH (D-CSIDH) assumption. We note D-CSIDH is not a new assumption introduced in this paper, as it was originally defined by Stolbunov in his PhD thesis [39, Problem 2.2] and implicitly underlies the security of the key exchange protocol CSIDH [8] (Footnote 1).

It is almost as efficient as CSI-FiSh. Compared to CSI-FiSh, the signature size is the same, the public key is only twice as large, and the runtime of signature generation and verification is estimated to be (at most) twice as slow. For instance, aiming for small signature size, our scheme is expected to take around 800 ms to sign/verify while producing signatures of size \(\approx 280\) bytes. This is still 150 times faster and around 3 times smaller than an optimized version of SeaSign for the same parameter set.

It is secure both in the classical and quantum ROM (QROM). In particular, we do not require a separate construction using the Unruh transform [40] to achieve security in the QROM.
We obtain our results by following the line of work that constructs lossy identification protocols to obtain tightly secure FS signatures [2, 26, 27, 41]. A lossy identification protocol comes with an additional lossy statement generator that produces lossy statements which are computationally indistinguishable from honestly generated statements for the hard relation \(\mathcal {R}\) induced by some hardness assumption. Moreover, relative to the lossy statements, the protocol admits statistical soundness. That is, not even a computationally unbounded adversary can successfully impersonate a prover. Using the result of Kiltz, Lyubashevsky, and Schaffner [27] (see Theorem 2.1), a lossy identification protocol directly yields an FS signature with a tight reduction in the classical and quantum ROM.
The idea of using a lossy identification protocol to achieve tight security for isogeny-based FS signatures was also considered by De Feo and Galbraith for SeaSign [12, Section 8]. In particular, they proposed to take a very large ideal class group (determined by a big prime p) and then only a small subset as the space of possible private keys (which results in valid public keys being chosen from a set of roughly the same cardinality). The signature generation and verification processes are not altered from the standard SeaSign scheme. The result is that the lossy variant inherits the inefficiency of the main scheme, with the increase of the prime p further aggravating the issue. It is evident that the above approach does not extend to the current version of CSI-FiSh, which requires the specific CSIDH-512 parameter set.
The lossy identification protocol proposed in this work, which arises from the observation that the D-CSIDH relation over the CSIDH-512 parameters naturally admits a lossy mode, is much simpler and smoothly leads to a practical signature scheme. Our identification protocol enjoys the same optimizations used in [12] and [6]. Using D-CSIDH instead of GAIP as the underlying assumption, we encounter an obstacle that stems from the fact that D-CSIDH does not provide natural random self-reducibility properties. However, we discuss that this issue does not have a large impact on the concrete choice of parameters.
Related Works. There are only a handful of efficient signature schemes that are tightly and provably secure in the (Q)ROM that we are aware of. The lattice-based Gentry-Peikert-Vaikuntanathan (GPV) signature [23] and its much-optimized successor FALCON [20] have tight security in the (Q)ROM. One notable feature is that the construction natively supports tight security in both the classical and quantum ROM without incurring any overhead. Dilithium [17], which is a lattice-based FS-type signature, also has tight security in the (Q)ROM [27]. To achieve tight security, they must modify the public key of their non-tightly secure scheme to obtain a lossy mode. Unfortunately, when using a lattice-based hard problem (that is, the learning with errors problem), this comes at the cost of making the public key at least 5 times larger and the signature at least 2 times larger, e.g., the public key and signature sizes grow from (1472, 2701) bytes up to (7712, 5690) bytes. As mentioned above, SeaSign [12] goes through a lossy argument as well. It requires a non-standard variant of the GAIP problem, which makes it difficult to assess the increase in signature and public key sizes. We would like to highlight that, although we go through the same paradigm of lossy arguments, Lossy CSI-FiSh is based on a standard assumption and does not incur a large blow-up in size: the public key is only 2 times larger and the signature size remains the same compared to the non-tight variant CSI-FiSh. Finally, the hash-based signature SPHINCS\(^+\) [4] also enjoys tight security in the (Q)ROM under several heuristic assumptions on the underlying cryptographic hash function.
Roadmap. The rest of the paper is organized as follows. In Sect. 2 we give a brief preliminary on identification protocols and class group actions. In Sects. 3 and 4 we introduce the new lossy identification protocol and we adapt it using the optimizations proposed in [6, 12] to enlarge the challenge space. In Sect. 5 we describe the signature scheme obtained through the Fiat-Shamir transform, and we compare it to CSI-FiSh in terms of bandwidth and computational complexity. In Sect. 6 we report concluding remarks.
2 Preliminaries
2.1 Identification Protocols
Given two sets X and Y, a subset \(\mathcal {R}\subset X \times Y\) is a polynomially computable binary relation on \(X \times Y\) if, given \((\mathsf {X}, \mathsf {W}) \in X \times Y\), we can check \((\mathsf {X}, \mathsf {W}) \in \mathcal {R}\) in time \(\mathsf {poly}(|\mathsf {X}|)\). The language \(\mathcal {L}_\mathcal {R}\) corresponding to \(\mathcal {R}\) is the set \(\{\mathsf {X}\in X \mid \exists \mathsf {W}\in Y : (\mathsf {X}, \mathsf {W}) \in \mathcal {R}\}\), where we call \(\mathsf {W}\) a witness for the statement \(\mathsf {X}\in \mathcal {L}_\mathcal {R}\).
An identification protocol \(\mathsf {ID}\) for a relation \(\mathcal {R}\) is a three-move interactive protocol between a prover and a verifier. Informally, a prover holding a statement-witness pair \((\mathsf {X}, \mathsf {W}) \in \mathcal {R}\) can prove to the verifier that they indeed possess a valid witness \(\mathsf {W}\) without revealing any more than the mere fact that they know \(\mathsf {W}\).
Definition 2.1
(Identification Protocol). An identification protocol \(\mathsf {ID}\) for a relation \(\mathcal {R}\) consists of four PPT algorithms \((\mathsf {IGen}, \mathsf{P}= (\mathsf{P}_1, \mathsf{P}_2), \mathsf{V})\), where \(\mathsf{V}\) is deterministic and we assume \(\mathsf{P}_1\) and \(\mathsf{P}_2\) share states. Let \(\mathsf{ComSet}\), \(\mathsf{ChSet}\), and \(\mathsf{ResSet}\) be the commitment space, challenge space, and response space, respectively. Then, an identification protocol is defined in the following way.

The key generation algorithm \(\mathsf {IGen}\) takes the security parameter \(1^\lambda \) as input, and outputs a statementwitness pair \((\mathsf {X}, \mathsf {W}) \in \mathcal {R}\).

The prover, on input \((\mathsf {X}, \mathsf {W})\), first executes \(\mathsf {com}\leftarrow \mathsf{P}_1( \mathsf {X}, \mathsf {W})\), and then sends the commitment \(\mathsf {com}\) to the verifier.

The verifier chooses a random challenge \(\mathsf {ch}\leftarrow \mathsf{ChSet}\) and sends \(\mathsf {ch}\) to the prover.

The prover, given \(\mathsf {ch}\), runs \(\mathsf {resp}\leftarrow \mathsf{P}_2( \mathsf {X}, \mathsf {W}, \mathsf {com}, \mathsf {ch})\) and returns a response \(\mathsf {resp}\) to the verifier. Finally, the verifier runs \(\mathsf{V}(\mathsf {X}, \mathsf {com}, \mathsf {ch}, \mathsf {resp})\) and outputs 1 if they accept, 0 otherwise.
The protocol transcript \((\mathsf {com}, \mathsf {ch}, \mathsf {resp}) \in \mathsf{ComSet}\times \mathsf{ChSet}\times \mathsf{ResSet}\) is said to be valid in case \(\mathsf{V}(\mathsf {X}, \mathsf {com}, \mathsf {ch}, \mathsf {resp})\) outputs 1.
We require the following properties from an identification protocol \(\mathsf {ID}\). Some of them may seem nonstandard, however, they are all necessary to argue security of the FiatShamir transform in the (quantum) random oracle model. We note that some of the properties are simplified and stronger than those in [27], e.g. we ignore negligible correctness errors. This is done without loss of generality, since our proposed identification protocol satisfies all the stronger properties.
Correctness. The following holds for all \((\mathsf {X}, \mathsf {W}) \in \mathcal {R}\):
(Perfect) Honest-Verifier Zero-Knowledge (HVZK). There exists a PPT simulator algorithm \(\mathsf {Sim}\) that takes as inputs a statement \(\mathsf {X}\in \mathcal {L}_\mathcal {R}\) and a challenge \(\mathsf {ch}\in \mathsf{ChSet}\), and outputs a commitment \(\mathsf {com}\) and a response \(\mathsf {resp}\) such that \((\mathsf {com}, \mathsf {ch}, \mathsf {resp})\) is a valid transcript for \(\mathsf {X}\). Moreover, the output distribution of \(\mathsf {Sim}\) on input \((\mathsf {X}, \mathsf {ch})\) is equal to the distribution of the outputs generated via an honest execution conditioned on the verifier using \(\mathsf {ch}\) as the challenge. We note that one can consider relaxed variants of HVZK where the distributions are only required to be computationally indistinguishable.
Min-Entropy. The identification protocol \(\mathsf {ID}\) has \(\alpha \) bits of min-entropy if
(Optional) Perfect Unique Response. With overwhelming probability over the random choice of \((\mathsf {X}, \mathsf {W}) \leftarrow \mathsf {IGen}(1^\lambda )\), for any \(\mathsf {com}\in \mathsf{ComSet}\) and \(\mathsf {ch}\in \mathsf{ChSet}\), there exists a unique response \(\mathsf {resp}\in \mathsf{ResSet}\) that leads to a valid transcript \((\mathsf {com}, \mathsf {ch}, \mathsf {resp})\). This property is required when aiming for strong unforgeability (i.e., \(\mathsf {su\text {-}cma}\)) of the FS signature scheme. As we will see, our identification protocol supports this property by default.
(Optional) Commitment Recoverability. With overwhelming probability over the random choice of \((\mathsf {X}, \mathsf {W}) \leftarrow \mathsf {IGen}(1^\lambda )\), for any \(\mathsf {ch}\in \mathsf{ChSet}\) and \(\mathsf {resp}\in \mathsf{ResSet}\), there exists a unique commitment \(\mathsf {com}\in \mathsf{ComSet}\) that makes \((\mathsf {com}, \mathsf {ch}, \mathsf {resp})\) a valid transcript. Such a commitment can be publicly computed by means of an algorithm taking \((\mathsf {X}, \mathsf {ch},\mathsf {resp})\) as input. This property is unnecessary from a security standpoint and only allows for shorter signatures, since the commitments can be omitted from the signature and recomputed by the verifier. Again, our identification protocol supports this property by default.
To achieve a tight security proof for Fiat-Shamir signatures (formally defined later), we further require the identification protocol to satisfy the notion of lossiness defined below.
Definition 2.2
(Lossy Identification Protocol). An identification protocol \(\mathsf {ID}\) is called lossy, and denoted by \(\mathsf {ID}_{\mathsf {ls}}\), if it admits an extra PPT algorithm \(\mathsf{LossyIGen}\), named the lossy key generation algorithm, that on input \(1^\lambda \) outputs \(\mathsf {X}_{\mathsf {ls}} \in X \setminus \mathcal {L}_\mathcal {R}\).
We require a lossy identification protocol \(\mathsf {ID}_{\mathsf {ls}}\) to satisfy the following two properties.
Indistinguishability of Lossy Statements. We ask that a statement generated with the lossy key generation algorithm is indistinguishable from a statement generated by the real key generation algorithm. Let us define the following advantage for an adversary \(\mathcal {A}\):
We say the lossy identification protocol satisfies indistinguishability of lossy statements if for any PPT (or quantum PT) adversary we have \(\mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {A}}(\lambda ) = \mathsf {negl}(\lambda )\).
Statistical Lossy Soundness. The definition of statistical lossy soundness relies on the following game, named lossy impersonation game, played by an adversary \(\mathcal {A}\) and a challenger.

Setup: The challenger runs \( \mathsf {X}_{\mathsf {ls}} \leftarrow \mathsf{LossyIGen}(1^\lambda )\) and provides the adversary \(\mathcal {A}\) the lossy statement \(\mathsf {X}_{\mathsf {ls}}\).

Commitment and challenge selection: On input \(\mathsf {X}_{\mathsf {ls}}\) the adversary \(\mathcal {A}\) selects a commitment \(\mathsf {com}\in \mathsf{ComSet}\) and sends it to the challenger. The challenger responds by returning a random challenge \(\mathsf {ch}\in \mathsf{ChSet}\).

Output: \(\mathcal {A}\) outputs a response \(\mathsf {resp}\in \mathsf{ResSet}\). The adversary \(\mathcal {A}\) wins the game if \((\mathsf {com},\mathsf {ch},\mathsf {resp})\) is a valid transcript for \(\mathsf {X}_{\mathsf {ls}}\).
We say \(\mathsf {ID}_{\mathsf {ls}}\) is \(\epsilon _{\mathsf {ls}}\)-lossy sound if for any unbounded (possibly quantum) adversary \(\mathcal {A}\) the winning probability in the above game is less than \(\epsilon _{\mathsf {ls}}\).
2.2 Digital Signature Schemes
Here we introduce the definition of standard signature schemes.
Definition 2.3
A signature scheme \(\Pi _\mathsf{S}\) consists of three PPT algorithms
\((\mathsf {S}.\mathsf {KeyGen}, \mathsf {S}.\mathsf {Sign}, \mathsf {S}.\mathsf {Vrfy})\) such that:

\(\mathsf {S}.\mathsf {KeyGen}(1^\lambda ) \rightarrow (\mathsf {vk}, \mathsf {sk})\): On input a security parameter \(1^\lambda \), the key generation algorithm outputs a pair of verification and signing keys \((\mathsf {vk},\mathsf {sk})\);

\(\mathsf {S}.\mathsf {Sign}(\mathsf {sk},\mathsf {M}) \rightarrow \sigma \): On input a signing key \(\mathsf {sk}\) and a message \(\mathsf {M}\), the signing algorithm outputs a signature \(\sigma \);

\(\mathsf {S}.\mathsf {Vrfy}(\mathsf {vk},\mathsf {M},\sigma ) \rightarrow 1/0\): On input a verification key \(\mathsf {vk}\), a message \(\mathsf {M}\) and a signature \(\sigma \), the verification algorithm outputs 1 (accept) or 0 (reject).
We require a signature scheme \(\Pi _\mathsf{S}\) to satisfy the following two properties.
Correctness. For every security parameter \(1^\lambda \), with \(\lambda \in \mathbb {N}\), and every message \(\mathsf {M}\) the following holds:
Unforgeability. We define strong unforgeability under chosen message attack (\(\mathsf {su\text {-}cma}\)) by the following game played by an adversary \(\mathcal {A}\) and a challenger.

Setup: The challenger runs \( (\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {S}.\mathsf {KeyGen}(1^\lambda )\) and provides the adversary \(\mathcal {A}\) the verification key \(\mathsf {vk}\). It also prepares an empty set \(\mathcal {S}= \emptyset \).

Signing Queries: The adversary \(\mathcal {A}\) may adaptively submit messages \(\mathsf {M}\) to the challenger. The challenger responds by returning \(\sigma \leftarrow \mathsf {S}.\mathsf {Sign}(\mathsf {sk}, \mathsf {M})\) to \(\mathcal {A}\). It then updates the set \(\mathcal {S}\leftarrow \mathcal {S}\cup \{ (\mathsf {M}, \sigma ) \}\).

Output: Finally, \(\mathcal {A}\) outputs a forgery \((\mathsf {M}^*, \sigma ^*)\). We say the adversary \(\mathcal {A}\) wins if \((\mathsf {M}^*, \sigma ^*) \not \in \mathcal {S}\) and \(\mathsf {S}.\mathsf {Vrfy}( \mathsf {vk}, \mathsf {M}^*, \sigma ^* ) = 1\).
We define the advantage of \(\mathcal {A}\) as the probability it wins the above game, that is, \(\mathsf {Adv}^{\mathsf {su\text {-}cma}}_{\mathcal {A}}(1^\lambda ) :=\Pr [ \mathcal {A}\; \text {wins} ]\).
Definition 2.4
(\(\mathsf {su\text {-}cma}\) Security). We say a signature scheme \(\Pi _\mathsf{S}\) is \(\mathsf {su\text {-}cma}\) secure if for all PPT adversaries \(\mathcal {A}\), we have \(\mathsf {Adv}^{\mathsf {su\text {-}cma}}_{\mathcal {A}}(\lambda ) = \mathsf {negl}(\lambda )\).
2.3 Pseudorandom Functions
Consider a mapping \(\mathsf {PRF}: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {Y}\), where \(\mathcal K\) is a key space. We say \(\mathsf {PRF}\) is a pseudorandom function if for all PPT (or quantum) adversaries, their advantage defined below is negligible:
where \(\mathsf {RF}: \mathcal {X} \rightarrow \mathcal {Y} \) is a perfect random function. In practice, any standard hash function (e.g., SHA3) is believed to be a (quantumly) secure \(\mathsf {PRF}\).
2.4 Fiat-Shamir Transformation
The original Fiat-Shamir transformation [1, 18] turns a (not necessarily lossy) identification protocol \(\mathsf {ID}\) into a digital signature scheme by means of a cryptographic hash function \(\mathsf {H}: \{0,1\}^* \rightarrow \mathsf{ChSet}\) modeled as a classical random oracle (RO). For each parallel execution of \(\mathsf {ID}\), the challenge is obtained as \(\mathsf {H}(\mathsf {com},\mathsf {M})\), where \(\mathsf {M}\) is the message to sign. Then the resulting digital signature \(\sigma \) is a t-tuple composed of t commitments and the corresponding responses, where t is set in such a way that \(\mathsf{ChSet}^t\) is exponentially large. Recently, the Fiat-Shamir transformation has been extended to the quantum random oracle model (QROM) as well [16, 27, 30].
In this work, we will be interested in Fiat-Shamir transformations for a specific type of identification protocol (namely, lossy identification protocols) which admits tight security proofs. For a general identification protocol, it is well known that the Fiat-Shamir signature incurs a prohibitively large reduction loss: the advantage of breaking the underlying hard problem degrades as \(O(Q^{-1} \cdot \epsilon ^2)\) in the classical ROM and as \(O(Q^{-6} \cdot \epsilon ^3)\) in the quantum ROM, where Q is the number of random oracle queries made by the adversary and \(\epsilon \) is the advantage against the Fiat-Shamir signature scheme.
The following result is taken from the recent work of Kiltz, Lyubashevsky, and Schaffner [27].
Theorem 2.1
Assume the identification protocol \(\mathsf {ID}\) is lossy, perfect HVZK, has \(\alpha \) bits of min-entropy, has perfect unique response, and is \(\epsilon _{\mathsf {ls}}\)-lossy sound. The Fiat-Shamir transformation provides a signature scheme such that, for any quantum adversary \(\mathcal {A}\) against \(\mathsf {su\text {-}cma}\) security that issues at most \(Q_H\) queries to the quantum random oracle, there exist quantum adversaries \(\mathcal {B}\) and \(\mathcal {D}\) such that
and \(\mathsf {Time}(\mathcal {B}) = \mathsf {Time}(\mathcal {D}) = \mathsf {Time}(\mathcal {A}) + Q_H \approx \mathsf {Time}(\mathcal {A})\).
In the classical setting, the only difference is that the bound depends linearly on \(Q_H\) instead of quadratically.
The above theorem is obtained by derandomizing the Fiat-Shamir signature with a pseudorandom function \(\mathsf {PRF}\) and plugging it into Theorem 3.1 of [27]. We note that some simplification of Theorem 3.1 of [27] is made since our proposed lossy identification protocol achieves perfect HVZK and perfect unique response.
2.5 Class Group Actions and Hardness Assumption
The action of ideal class groups on elliptic curves was first proposed for cryptographic purposes by Couveignes [9], and by Rostovtsev and Stolbunov [35, 38]. Their approach was then revised by De Feo, Kieffer and Smith [14], who were unable to turn it into a practical scheme despite the introduction of remarkable mathematically-driven speedups. The efficiency issues were overcome by Castryck et al. [8], who introduced the CSIDH key-exchange protocol by restricting to supersingular elliptic curves. In the following, we give a brief background on ideal class groups and their action on supersingular curves. For a more detailed overview we suggest consulting [8] and Cox's book [10].
Let \(\mathbb {F}_p\) denote a prime field, with p an odd prime. Given two elliptic curves \(E, E'\) defined over \(\mathbb {F}_p\), an isogeny \(\varphi : E \rightarrow E'\) is a non-constant morphism mapping \(0_E\) to \(0_{E'}\). Hence each coordinate of \(\varphi (x,y)\) can be expressed as a fraction of two polynomials belonging to \(\overline{\mathbb {F}}_p[x,y]\). If their coefficients are contained in \(\mathbb {F}_p\), then we say that \(\varphi \) is defined over \(\mathbb {F}_{p}\). A separable isogeny (i.e., one inducing a separable extension of function fields) having \(\{0_E\}\) as kernel is an isomorphism; an isogeny having the same domain and range is an endomorphism.
The set of all endomorphisms of an elliptic curve E, together with the zero map, forms a ring under pointwise addition and composition. Such a ring is called the endomorphism ring of E and it is denoted by \(\mathrm {End}(E)\). If \(\mathrm {End}(E)\) is commutative, the curve is said to be ordinary, otherwise it is said to be supersingular. The restriction \(\mathrm {End}_p(E)\) to the endomorphisms defined over \(\mathbb {F}_p\) constitutes a subring, which is isomorphic to an order in the imaginary quadratic field \(\mathbb {K}=\mathbb {Q}(\sqrt{-p})\). An order is a subring of \(\mathbb {K}\) which is also a finitely-generated \(\mathbb {Z}\)-module containing a basis of \(\mathbb {K}\) as a \(\mathbb {Q}\)-vector space. The set \(\mathbb {Z}[\sqrt{-p}]=\{m+n\sqrt{-p} \mid m,n \in \mathbb {Z}\}\) satisfies the above three conditions and we will denote it by \(\mathcal {O}\). We then consider the set \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\) containing all supersingular curves E defined over \(\mathbb {F}_p\), modulo isomorphisms defined over \(\mathbb {F}_p\), such that there exists an isomorphism between \(\mathcal {O}\) and \(\mathrm {End}_p(E)\) mapping \(\sqrt{-p} \in \mathcal {O}\) to the Frobenius endomorphism \(\pi : (x,y) \mapsto (x^p,y^p)\). As shown in [8], each isomorphism class in \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\) can be uniquely represented by a single element of \(\mathbb {F}_p\) if \(p \ge 5\) is a prime such that \(p \equiv 3 \pmod 8\).
A fractional ideal \(\mathfrak {a}\) of \(\mathcal {O}\) is a finitely generated \(\mathcal {O}\)submodule of \(\mathbb {K}\). When \(\mathfrak {a}\) is contained in \(\mathcal {O}\), it is said to be integral; when \(\mathfrak {a}=\alpha \mathcal {O}\) for some \(\alpha \in \mathbb {K}\), it is said to be principal; when there exists another fractional ideal \(\mathfrak {b}\) such that \(\mathfrak {a}\mathfrak {b}=\mathcal {O}\), it is called invertible. The invertible fractional ideals of \(\mathcal {O}\) form an abelian group. Its quotient by the subgroup composed by principal fractional ideals is a finite group called ideal class group of \(\mathcal {O}\), usually denoted by \(\mathcal {C\ell (O)}\). Its cardinality is the class number of \(\mathcal {O}\).
The ideal class group \(\mathcal {C\ell (O)}\) acts freely and transitively on the set \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\) via the group action \(\star \):
For simplicity, we will use representatives instead of equivalence classes to denote elements of \(\mathcal {C\ell (O)}\) and \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\). When p is of the form \(4\ell _1\ell _2 \cdots \ell _s - 1\), with \(\ell _1,\dots ,\ell _s\) small distinct odd primes, a special integral ideal \(\mathfrak {I}_{\ell _i} \subset \mathcal {O}\) corresponds to each prime \(\ell _i\). These ideals allow an easy computation of the group action. In particular, the action of \(\mathfrak {I}_{\ell _i}\) on a curve \(E \in \mathcal {E\ell \ell }_p(\mathcal {O},\pi )\) is determined by an isogeny having as kernel the unique rational \(\ell _i\)-torsion subgroup of E.
The general variant of the CSIDH key-exchange scheme relies on the heuristic that the classes of the ideals \(\mathfrak {I}_{\ell _1}, \dots , \mathfrak {I}_{\ell _s}\), together with their inverses, generate the entire ideal class group \(\mathcal {C\ell (O)}\). In [8], Castryck et al. propose different parameter sets for CSIDH, each of them supposedly achieving a specific quantum security level. For the smallest parameter set (Footnote 2), named CSIDH-512 since \(p \simeq 2^{512}\), the structure of \(\mathcal {C\ell (O)}\) has recently been computed by Beullens et al. [6]. They showed that \(\mathcal {C\ell (O)}\) is a cyclic group of odd order N, where \(N \simeq 2^{257.1}\), and that \(\mathcal {C\ell (O)}=\langle \mathfrak {I}_3 \rangle \). As a consequence, this group admits a canonical representation (as \(\mathbb {Z}_N\)) and efficient uniform sampling of its elements. For simplicity, in the following we will denote the generator \(\mathfrak {I}_3\) by \(\mathfrak {g}\).
Hardness Assumption. The group action inverse problem (GAIP) is the hardness assumption originally introduced in [8], which underlies the security of both SeaSign [12] and CSI-FiSh [6]. Although we will not directly use GAIP in our construction, we state it as a reference point for comparison with the assumption we use.
Definition 2.5
(Group Action Inverse Problem (GAIP)). Given two supersingular elliptic curves, \(E, E_1 \in \mathcal {E\ell \ell }_p(\mathcal {O},\pi )\), find an element \(\mathfrak {a} \in \mathcal {C\ell (O)}\) such that \(\mathfrak {a} \star E=E_1\).
3 Base Lossy Identification Protocol from CSIDH-512
The CSIFiSh signature is obtained by applying the Fiat-Shamir transformation to an identification protocol originally sketched by Couveignes [9] and Stolbunov [39]. In this section, we introduce our base lossy identification protocol for any set of CSIDH parameters for which the ideal class group \(\mathcal {C\ell (O)}\) is cyclic, with a known order N and generator \(\mathfrak {g}\). We further discuss the corresponding hardness assumption on which its security relies. Such a scheme considers an exponent \(a \in \mathbb {Z}_N\), the private key, and two pairs of curves, where the second pair, the public key, is determined by the action of \(\mathfrak {g}^a\) on the first pair. For the concrete instantiation in Sect. 5, we use the CSIDH-512 parameters.
3.1 Hardness Assumption: Decisional CSIDH
We construct a lossy identification protocol based on the decisional CSIDH (DCSIDH) problem, originally defined by Stolbunov in his PhD thesis [39, Problem 2.2].
Definition 3.1
(Decisional CSIDH Problem). Given the set \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\) and the ideal class group \(\mathcal {C\ell (O)}\), the decisional CSIDH (DCSIDH) problem asks to distinguish between the following two distributions:

\((E, H, \mathfrak {a} \star E, \mathfrak {a} \star H)\), where the supersingular elliptic curves E and H are sampled uniformly from \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\), while \(\mathfrak {a}\) is sampled uniformly from \(\mathcal {C\ell (O)}\);

\((E, H, E', H')\) where \(E, H, E', H'\) are supersingular elliptic curves sampled uniformly from \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\).
We denote by \(\mathsf {Adv}^\mathsf{D\text {-}CSIDH}_{\mathcal {A}}(\lambda )\) the advantage of an adversary \(\mathcal {A}\) distinguishing the two distributions. We say that the DCSIDH assumption holds if for every PPT (or possibly quantum) adversary \(\mathcal {A}\), \(\mathsf {Adv}^\mathsf{D\text {-}CSIDH}_{\mathcal {A}}(\lambda )\) is negligible.
The DCSIDH assumption forms the foundation of the security of the key exchange protocol proposed by [8], called CSIDH. However, to be completely accurate, the security of CSIDH is not always equivalent to the DCSIDH problem we defined above. The reason for this is that when the structure of the ideal class group is not known, we cannot properly sample a uniform ideal from \(\mathcal {C\ell (O)}\) (and hence a uniform elliptic curve from the set \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\)). Namely, in that case, a party will sample an ideal that is heuristically shown to be close to uniformly random over \(\mathcal {C\ell (O)}\). Then, to show security of CSIDH, we must assume the hardness of DCSIDH for that particular heuristically uniform distribution. Notably, we do not get a reduction from the above DCSIDH assumption defined for truly uniform samples over \(\mathcal {C\ell (O)}\). Hence, for the DCSIDH assumption to be useful both in a theoretical and practical sense, it is desirable to have an efficient uniform sampler from the ideal class group \(\mathcal {C\ell (O)}\). In this case, the security of CSIDH will indeed be equivalent to the DCSIDH assumption.
As for the definition of DCSIDH, we would like to simply keep it agnostic to the existence of an efficient sampler from the ideal class group \(\mathcal {C\ell (O)}\). However, throughout the paper, we will always consider a cyclic class group \(\mathcal {C\ell (O)}\) with known order and generator (i.e., the one derived from the CSIDH-512 parameters) so as to be able to efficiently sample uniformly over \(\mathcal {C\ell (O)}\).
3.2 Construction of Base Lossy Identification Protocol
The base lossy identification protocol we are going to describe requires \(\mathcal {C\ell (O)}\) to be efficiently sampleable. As anticipated, we will restrict to the case where \(\mathcal {C\ell (O)}\) is cyclic, with a known order N and generator \(\mathfrak {g}\). This reduces sampling from \(\mathcal {C\ell (O)}\) to uniformly sampling from \(\mathbb {Z}_N\), and considering the corresponding power of \(\mathfrak {g}\).
Let the set X be composed of pairs \(((E_1^{(0)},E_2^{(0)}),(E_1^{(1)},E_2^{(1)}))\), where \(E_1^{(0)}\), \(E_2^{(0)}\), \(E_1^{(1)}\), \(E_2^{(1)}\) belong to \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\). By Y we denote the set of witnesses \(\{a \in \mathbb {Z}_N \}\), with N being the cardinality of \(\mathcal {C\ell (O)}\). We consider the following binary relation \(\mathcal {R}\) on \(X \times Y\):
We note that the language \(\mathcal {L}_\mathcal {R}\) is strictly contained in X, i.e. X contains lossy statements. On the other hand, each statement in X is a valid instance of the DCSIDH problem.
The lossy identification protocol \(\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}\) deduced from relation \(\mathcal {R}\) consists of a challenge set \(\mathsf{ChSet}=\{0,1\}\) and five algorithms \((\mathsf {IGen}, \mathsf{LossyIGen}, \mathsf {P}_1,\mathsf {P}_2, \mathsf {V})\), detailed in the following. We note that \(E_0 \in \mathcal {E\ell \ell }_p(\mathcal {O},\pi )\) is the base curve, specified by the system parameters, and defined by the equation \(y^2=x^3+x\) over \(\mathbb {F}_p\).

Algorithm \(\mathsf {IGen}\) uniformly samples \(a,b,c \in \mathbb {Z}_N\) and outputs a statement-witness pair \((\mathsf {X},\mathsf {W}) \in \mathcal {R}\), where \(\mathsf {X}=((E_1^{(0)}=\mathfrak {g}^{b} \star E_0, E_2^{(0)}=\mathfrak {g}^{c} \star E_0),(E_1^{(1)}=\mathfrak {g}^{a} \star E_1^{(0)}, E_2^{(1)}=\mathfrak {g}^{a}\star E_2^{(0)}))\), and \(\mathsf {W}=a\).

Algorithm \(\mathsf{LossyIGen}\) uniformly samples \(a,a',b,c \in \mathbb {Z}_N\) and outputs a lossy statement \(\mathsf {X}_{\mathsf {ls}}=((E_1^{(0)}=\mathfrak {g}^b \star E_0, E_2^{(0)}=\mathfrak {g}^c \star E_0),(E_1^{(1)}=\mathfrak {g}^{a} \star E_1^{(0)}, E_2^{(1)}=\mathfrak {g}^{a'} \star E_2^{(0)}))\).

On input \((\mathsf {X},\mathsf {W})\), \(\mathsf {P}_1\) generates a random integer \(r \in \mathbb {Z}_N\) and returns the commitment \(\mathsf {com}=(F_1=\mathfrak {g}^r \star E_1^{(0)},F_2=\mathfrak {g}^r \star E_2^{(0)})\).

On input \((\mathsf {X},\mathsf {W},\mathsf {com},\mathsf {ch})\), where \(\mathsf {ch}\in \mathsf{ChSet}\), \(\mathsf {P}_2\) outputs the response \(\mathsf {resp}\) which is r if \(\mathsf {ch}=0\), \(r-a\) if \(\mathsf {ch}=1\).

On input \((\mathsf {X},\mathsf {com},\mathsf {ch},\mathsf {resp})\), the verification algorithm \(\mathsf {V}\) checks that
$$\begin{aligned} {\left\{ \begin{array}{ll} (\mathfrak {g}^\mathsf {resp}\star E_1^{(0)}=F_1,\mathfrak {g}^\mathsf {resp}\star E_2^{(0)}=F_2) &{} \text{ if } \mathsf {ch}=0\\ (\mathfrak {g}^{\mathsf {resp}} \star E_1^{(1)}=F_1,\mathfrak {g}^{\mathsf {resp}} \star E_2^{(1)}=F_2) &{} \text{ if } \mathsf {ch}=1\\ \end{array}\right. } \end{aligned}$$(2)
The interaction between a prover and a verifier within the identification protocol is summarised in Fig. 1.
3.3 Security of Base Lossy Identification Protocol \(\mathsf {ID}^\mathsf{Base}_{\mathsf {ls}}\)
We show that the proposed lossy identification protocol \(\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}\) satisfies all the desired properties presented in Sect. 2.1. Properties for standard identification protocols (namely, correctness, perfect unique response, and commitment revocability) are straightforward to prove, with the last two verified by noticing that the group action \(\star \) is transitive and free. Moreover, for the Honest-Verifier Zero-Knowledge property, consider a simulator \(\mathsf {Sim}\) defined as follows:

\(\mathsf {Sim}( \mathsf {X}, \mathsf {ch})\): on input a statement \(\mathsf {X}= ((E_1^{(0)},E_2^{(0)}),\) \((E_1^{(1)},E_2^{(1)})) \in \mathcal {L}_\mathcal {R}\) and a challenge bit \(\mathsf {ch}\in \{ 0,1 \} \), the simulator samples a random \(u \in \mathbb {Z}_N\) and outputs either of the following tuples, depending on whether \(\mathsf {ch}= 0\) or \(\mathsf {ch}=1\):
$$ \big ( (\mathfrak {g}^u \star E_1^{(0)}, \mathfrak {g}^u \star E_2^{(0)}), \mathsf {ch}= 0,u \big ), \quad \big ( (\mathfrak {g}^{u} \star E_1^{(1)}, \mathfrak {g}^{u} \star E_2^{(1)}), \mathsf {ch}= 1,u \big ). $$
It can be checked that the transcripts output by the simulator \(\mathsf {Sim}\) are indistinguishable from honest transcripts, since both have uniformly distributed values as responses. Finally, by construction, we have \(\log N\) bits of min-entropy.
The remaining issue is showing that \(\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}\) satisfies the lossy properties (see Definition 2.2). Specifically, it has indistinguishability of lossy statements and statistical lossy soundness.
Lemma 3.1
Our lossy identification protocol \(\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}\) satisfies indistinguishability of lossy statements assuming the hardness of the DCSIDH problem. Specifically, an adversary \(\mathcal {A}\) with advantage \(\mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {A}}(\lambda )\) can be turned into an adversary \(\mathcal {B}\) against the DCSIDH problem with advantage \(\mathsf {Adv}^\mathsf{D\text {-}CSIDH}_\mathcal {B}(\lambda ) = \mathsf {Adv}^\mathsf{lossy}_\mathcal {A}(\lambda )\) and the same running time.
Proof
The statement is an immediate consequence of the DCSIDH problem. In particular, the distribution induced by \(\mathsf {IGen}\) corresponds to valid DCSIDH instances and that of \(\mathsf{LossyIGen}\) corresponds to random DCSIDH instances.
Lemma 3.2
Our lossy identification protocol \(\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}\) satisfies statistical \(\epsilon _\mathsf {ls}\)-lossy soundness for \(\epsilon _\mathsf {ls}= 1/2 + 1/2N\), where \(N = \left| \mathcal {C\ell (O)} \right| \).
Proof
First of all, a simple calculation shows that the set of valid statements \(\mathcal {L}_\mathcal {R}\) has size \(N^3\). Therefore, since \(\mathsf{LossyIGen}\) outputs a uniformly random image in the set X, which has size \(N^4\), we have \(\Pr [ \mathsf {X}_\mathsf {ls}\leftarrow \mathsf{LossyIGen}(1^\lambda ): \mathsf {X}_\mathsf {ls}\in \mathcal {L}_\mathcal {R}] = 1/N\). Furthermore, for an adversary \(\mathcal {A}\) against the lossy impersonation game, the following holds:
We show that for any statement \(\mathsf {X}_\mathsf {ls}\not \in \mathcal {L}_\mathcal {R}\) and commitment \(\mathsf {com}\in \mathsf{ComSet}\), there exists at most one challenge \(\mathsf {ch}\in \mathsf{ChSet}\) that admits a valid response \(\mathsf {resp}\in \mathsf{ResSet}\). Since this implies \(\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\not \in \mathcal {L}_\mathcal {R}] \le 1/ |\mathsf{ChSet}| = 1/2\), we obtain \((1/2 + 1/2N)\)-lossy soundness as desired.
Given a statement \(\mathsf {X}_\mathsf {ls}=((E_1^{(0)},E_2^{(0)}),(E_1^{(1)},E_2^{(1)})) \not \in \mathcal {L}_\mathcal {R}\), let us assume there exist two valid transcripts for \(\mathsf {X}_\mathsf {ls}\). Namely, consider \((\mathsf {com},\mathsf {ch},\mathsf {resp})\) and \((\mathsf {com},\mathsf {ch}',\mathsf {resp}')\), with \(\mathsf {ch}\ne \mathsf {ch}'\) and \(\mathsf {com}= (F_1, F_2)\). Then, it is possible to extract a witness \(\mathsf {W}\) such that \((\mathsf {X}_\mathsf {ls},\mathsf {W}) \in \mathcal {R}\). Indeed, assuming \(\mathsf {ch}=0\), the responses \(\mathsf {resp}, \mathsf {resp}'\) must satisfy
Therefore, \(\mathsf {resp} - \mathsf {resp}'\) is the desired witness, that is, \( E_1^{(1)} = \mathfrak {g}^{\mathsf {resp} - \mathsf {resp}'}\star E_1^{(0)}\) and \( E_2^{(1)} = \mathfrak {g}^{\mathsf {resp} - \mathsf {resp}'}\star E_2^{(0)}\). However, this is a contradiction to \(\mathsf {X}_\mathsf {ls}\not \in \mathcal {L}_\mathcal {R}\). Therefore, there can exist at most one challenge that possesses a valid response. This concludes the proof.
3.4 Lossy Soundness Amplification of \(\mathsf {ID}^\mathsf{Base}_\mathsf {ls}\)
As typically done, we use standard parallel repetition of the base lossy identification protocol \(\mathsf {ID}^\mathsf{base}_\mathsf {ls}\) to make the lossy soundness \(\epsilon _\mathsf {ls}\) negligibly small, as required when setting the concrete parameters for the resulting FS signature according to Theorem 2.1. Specifically, on input \((\mathsf {X}, \mathsf {W})\), the prover runs t parallel executions of the protocol with the verifier, where the verifier uses independent challenges in each execution.
We make this standard procedure explicit since, unlike sigma-protocols with 2-special soundness, lossy soundness is not closed under parallel repetition. That is, even if we run t parallel instances of our base protocol \(\mathsf {ID}^\mathsf{base}_\mathsf {ls}\), this will not result in a protocol with \((\epsilon _\mathsf {ls})^t\)-lossy soundness. Namely, we have the following result.
Lemma 3.3
Consider running t parallel rounds of the base lossy identification protocol \(\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}\) (with the same statement-witness pair). Then it satisfies statistical \(\epsilon _\mathsf {ls}\)-lossy soundness for \(\epsilon _\mathsf {ls}= 1/2^t \cdot (1-1/N) + 1/N\), where \(N = \left| \mathcal {C\ell (O)} \right| \). In particular, we have \(\epsilon _\mathsf {ls}\le 1/2^t + 1/N\).
Proof
The proof is straightforward. In case \(\mathsf {X}_\mathsf {ls}\notin \mathcal {L}_\mathcal {R}\), we can argue that the adversary has at most \(1/2^t\) probability of winning the lossy impersonation game. Recalling that \(\mathsf {X}_\mathsf {ls}\in \mathcal {L}_\mathcal {R}\) happens with probability 1/N over the random choice of \(\mathsf{LossyIGen}\), we can upper bound the advantage of \(\mathcal {A}\) by \(\epsilon _\mathsf {ls}= 1/2^t \cdot (1 - 1/N) + 1/N\). This concludes the proof.
All other properties are closed under parallel repetition and inherited directly from \(\mathsf {ID}^\mathsf{base}_\mathsf {ls}\).
4 Optimized Lossy Identification Protocol from CSIDH-512
We show several methods to optimize our base lossy identification protocol, following closely the work of [6, 12]. We first prepare a slight variant of the DCSIDH assumption, which will form the basis of our optimized schemes.
4.1 Hardness Assumption: Fixed-Curve Multi-decisional CSIDH
We consider a slight variant of DCSIDH, where we are given many DCSIDH tuples, with the first two elliptic curves of each tuple being fixed. Formally, we consider the following problem, which is equivalent to DCSIDH when \(S=1\).
Definition 4.1
(Fixed-Curve Multi-decisional CSIDH Problem). Let S be a positive integer. Given the ideal class group \(\mathcal {C\ell (O)}\) and the set \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\), the fixed-curve multi-decisional CSIDH (FCMDCSIDH) problem with parameter S asks to distinguish between the following two distributions^{Footnote 3}:

\((E, H, ( \mathfrak {a}_i\,\star \,E, \mathfrak {a}_i\,\star \,H )_{i \in [S]}\)), where the supersingular elliptic curves E and H are sampled uniformly from \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\), and \(\mathfrak {a}_i\) for \(i \in [S]\) are sampled uniformly from \(\mathcal {C\ell (O)}\);

\((E, H, ( E'_i, H'_i )_{i \in [S]})\) where \(E, H, E'_i, H'_i\) for \(i\in [S]\) are supersingular elliptic curves sampled uniformly from \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\).
We denote by \(\mathsf {Adv}^\mathsf{FCMD\text {-}CSIDH}_{\mathcal {A}, S}(\lambda )\) the advantage of an adversary \(\mathcal {A}\) distinguishing the two distributions. We say that the FCMDCSIDH assumption with parameter S holds if for any PPT (or possibly quantum) adversary \(\mathcal {A}\), \(\mathsf {Adv}^\mathsf{FCMD\text {-}CSIDH}_{\mathcal {A}, S}(\lambda )\) is negligible.
A tight reduction from the (one-instance) decisional CSIDH problem to the fixed-curve multi-decisional CSIDH problem with parameter S would have been desirable; however, this seems to be highly challenging (as long as we view the group action \(\star \) as a black box). This is in sharp contrast with the classical decisional DH problem, which admits a nice random self-reducibility property. The main reason why DCSIDH does not possess this property seems to stem from the fact that the group action only allows one to add a known constant to the exponent of \(\mathfrak {g}\) when considering a curve \(\mathfrak {g}^a \star E\). In other words, we do not have an analogue of the mapping \(g^a \mapsto (g^a)^r\) exploited in the classical DH setting.
Therefore, we only have a trivial non-tight reduction from the DCSIDH problem to the FCMDCSIDH problem with parameter S. This is formally stated in the following lemma.
Lemma 4.1
(DCSIDH to FCMDCSIDH). Let S be a positive integer. Let \(\mathcal {C\ell (O)}\) be the ideal class group of an order \(\mathcal {O}\) in \(\mathbb {Q}(\sqrt{-p})\), with p a prime, and \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\) be the corresponding set of supersingular elliptic curves. Then, for any adversary \(\mathcal {A}\) for the FCMDCSIDH problem with parameter S, there exists an adversary \(\mathcal {B}\) for the DCSIDH problem such that
and \(\mathsf {Time}(\mathcal {B}) \approx \mathsf {Time}(\mathcal {A})\).
Proof
The proof is elementary. We consider \(S + 1\) hybrid games where, in the j-th game^{Footnote 4}, an adversary is given \((E, H, ( E'_i, H'_i )_{i \in [S]})\), where \(( E'_i, H'_i )_{i \in [ j ]}\) is random over \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )^2\) and \(( E'_i, H'_i )_{i \in [S] \backslash [ j ]}\) is of the form \((\mathfrak {a_i}\,\star \,E, \mathfrak {a_i}\,\star \,H)\) for a random \(\mathfrak {a_i} \in \mathcal {C\ell (O)}\). We then simply show that each game is indistinguishable using the DCSIDH problem to conclude the proof. However, one thing we remark is that in order for the DCSIDH adversary \(\mathcal {B}\) to simulate the view to the FCMDCSIDH adversary \(\mathcal {A}\), \(\mathcal {B}\) must be able to sample uniformly from \(\mathcal {C\ell (O)}\). This justifies once more our restriction to cyclic ideal class groups \(\mathcal {C\ell (O)}\) having known order and generator.
We leave it as an interesting open problem to achieve a tight reduction. We believe a technique which allows such a reduction will most likely have applications elsewhere.
Impact on Signature Scheme (and Identification Protocol). Although this loose reduction is not desirable, fortunately, the integer S will not have a tremendous impact on the concrete choice of parameters for our signature scheme (and identification protocol). This is because S is only a parameter chosen at the setup of the scheme, which is in particular independent of the adversary. This should be compared to standard non-tight Fiat-Shamir signatures, which incur a reduction loss of \(Q^{-1} \cdot \epsilon ^2\) in the classical ROM and \(Q^{-6}\cdot \epsilon ^3\) in the quantum ROM, where Q is an adversary-dependent parameter denoting the number of RO queries. In particular, in the original paper of CSIFiSh [6], S is a constant set between 1 and \(2^{18}-1\). Depending on the value of S, we have a trade-off between the runtimes of several algorithms and the size of public keys and signatures. We refer to Sect. 5 for more details.
4.2 Enlarging Challenge Space of Base Lossy Identification Protocol
We show a variant of our base lossy identification protocol which is obtained by adapting the idea from [6, 12] to enlarge the challenge space. In particular, we will use the FCMDCSIDH problem with parameter S instead of the DCSIDH problem to define the language used in the identification protocol. Formally, the set of (possibly non-valid) statements is:
while the set of witnesses is \(Y=\{(a_1,\dots ,a_{S}) \mid a_1,\dots ,a_{S} \in \mathbb {Z}_N \}.\) We then consider the following binary relation on \(X \times Y\):
The lossy identification protocol with enlarged challenge space \(\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}\) deduced from the above relation \(\mathcal {R}\) is a simple adaptation of the base scheme \(\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}\). We provide the details below for completeness, where the challenge space is enlarged to \(\mathsf{ChSet}= \{ 0, 1, \cdots , S \}\). Note that S is a parameter chosen by the scheme. Our base scheme is obtained by setting \(S = 1\).

Algorithm \(\mathsf {IGen}\) uniformly samples \(( a_i )_{i \in [S]},b,c \in \mathbb {Z}_N\) and outputs a statement-witness pair \((\mathsf {X},\mathsf {W}) \in \mathcal {R}\), where
$$ \mathsf {X}=\Big ( (E_1^{(0)}=\mathfrak {g}^{b}\,\star \,E_0, E_2^{(0)}=\mathfrak {g}^{c}\,\star \,E_0), \big ( E_1^{(i)}=\mathfrak {g}^{a_i}\,\star \,E_1^{(0)}, E_2^{(i)}=\mathfrak {g}^{a_i}\,\star \,E_2^{(0)} \big )_{i\in [S]} \Big ), $$and \(\mathsf {W}=(a_i)_{i \in [S]}\).

Algorithm \(\mathsf{LossyIGen}\) uniformly samples \(( a_i, a'_i )_{i \in [S]}, b, c \in \mathbb {Z}_N\) and outputs a lossy statement
$$ \mathsf {X}=\Big ( (E_1^{(0)}=\mathfrak {g}^{b}\,\star \,E_0, E_2^{(0)}=\mathfrak {g}^{c}\,\star \,E_0), \big ( E_1^{(i)}=\mathfrak {g}^{a_i}\,\star \,E_1^{(0)}, E_2^{(i)}=\mathfrak {g}^{a'_i}\,\star \,E_2^{(0)} \big )_{i\in [S]} \Big ), $$ 
On input \((\mathsf {X},\mathsf {W})\), \(\mathsf {P}_1\) generates a random integer \(r \in \mathbb {Z}_N\) and returns the commitment \(\mathsf {com}=(F_1=\mathfrak {g}^r\,\star \,E_1^{(0)},F_2=\mathfrak {g}^r\,\star \,E_2^{(0)})\).

On input \((\mathsf {X},\mathsf {W},\mathsf {com},\mathsf {ch})\), where \(\mathsf {ch}\in \mathsf{ChSet}\), \(\mathsf {P}_2\) outputs the response \(\mathsf {resp}\) which is r if \(\mathsf {ch}=0\), \(r-a_{\mathsf {ch}}\) if \(\mathsf {ch}> 0\).

On input \((\mathsf {X},\mathsf {com},\mathsf {ch},\mathsf {resp})\), the verification algorithm \(\mathsf {V}\) checks that
$$\begin{aligned} \mathfrak {g}^{\mathsf {resp}}\,\star \,E_1^{(\mathsf {ch})}=F_1, \quad \mathfrak {g}^{\mathsf {resp}} \star E_2^{(\mathsf {ch})}=F_2 \end{aligned}$$
Security of Lossy Identification Protocol \(\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}\). The proposed lossy identification protocol \(\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}\) inherits most of the desired standard properties presented in Sect. 2.1 from the base lossy identification protocol \(\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}\). Namely, correctness, min-entropy, perfect unique response, and commitment revocability trivially follow from those of \(\mathsf {ID}^\mathsf{base}_{\mathsf {ls}}\). Moreover, the Honest-Verifier Zero-Knowledge property holds similarly as well. Simply consider a simulator \(\mathsf {Sim}\) which, on input \(\mathsf {X}\in \mathcal {L}_\mathcal {R}\) and \(\mathsf {ch}\in \{ 0, 1, \cdots , S \}\), outputs \(((\mathfrak {g}^u\,\star \,E_1^{(\mathsf {ch})}, \mathfrak {g}^u\,\star \,E_2^{(\mathsf {ch})}), \mathsf {ch}, u)\), where u is randomly sampled from \(\mathbb {Z}_N\).
We next show that \(\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}\) satisfies the lossy properties (see Definition 2.2). Specifically, it has indistinguishability of lossy statements and statistical lossy soundness.
Lemma 4.2
Our lossy identification protocol \(\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}\) satisfies indistinguishability of lossy statements assuming the hardness of the FCMDCSIDH problem with parameter S. Specifically, an adversary \(\mathcal {A}\) with advantage \(\mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {A}}(\lambda )\) can be turned into an adversary \(\mathcal {B}\) against the FCMDCSIDH problem with advantage \(\mathsf {Adv}^\mathsf{FCMD\text {-}CSIDH}_{\mathcal {B}, S}(\lambda ) = \mathsf {Adv}^{\mathsf {lossy}}_{\mathcal {A}}(\lambda )\) and the same running time.
Proof
The proof is analogous to that of Lemma 3.1.
Lemma 4.3
The lossy identification protocol \(\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}\) satisfies statistical \(\epsilon _\mathsf {ls}\)-lossy soundness for \(\epsilon _\mathsf {ls}=(1/(S+1))\prod _{i=1}^{S}((N-i)/N)+ (1 - \prod _{i=1}^{S}((N-i)/N))\), where \(N = \left| \mathcal {C\ell (O)} \right| \).
Proof
The general strategy is similar to that used for proving Lemma 3.3. We partition the set X in such a way that in one of the subsets the adversary \(\mathcal {A}\) has exactly \(1/(S + 1)\) probability of winning the lossy impersonation game. We then argue that \(\mathsf{LossyIGen}\) outputs a statement belonging to this subset with overwhelming probability. However, unlike the proof in Lemma 3.3, we will not be able to simply use \(X \backslash \mathcal {L}_\mathcal {R}\) as such a subset. This is because a computationally unbounded adversary may be able, for some of the instances in \(X \backslash \mathcal {L}_\mathcal {R}\), to forge a response for any \(\mathsf {ch}\in \mathsf{ChSet}\).
Recall the set X we consider is of the following form:
where \((E_1^{(0)}, E_2^{(0)})\) are arbitrary elements in \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\), and \(a_i, a_i'\) are arbitrary elements in \(\mathbb {Z}_N\). We define the set \(X_\mathsf{BAD}\) as the subset of X which satisfies the following conditions for all distinct \(i,j \in [S]\):
Below, we first compute \( |X_\mathsf{BAD}| \) and then show that \(\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}]\) is at most \(1/(S + 1)\).
First, fix arbitrary \((E_1^{(0)}, E_2^{(0)})\). Then, let us consider fixing arbitrary \((a_1, a_1') \in (\mathbb {Z}_N)^2\), conditioned on conditions (4). Then, there exist at most \(N(N-1)\) choices of such pairs. Let us further consider fixing arbitrary \((a_2, a_2') \in (\mathbb {Z}_N)^2\), conditioned on conditions (4). Then, since we have to also satisfy \(a_2 - a_1 \ne a_2' - a_1'\), there exist at most \(N(N-2)\) choices of such pairs. Continuing this procedure, each pair \((a_i, a_i') \in (\mathbb {Z}_N)^2\), with \(i \in [S]\), admits exactly \(N(N-i)\) choices. Therefore, we have \(|X_\mathsf{BAD}| = N^{2+S}(N - 1) \cdots (N-S)\) and \(\Pr [\mathsf {X}_\mathsf {ls}\leftarrow \mathsf{LossyIGen}: \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}]\) equal to \((N-1)\cdots (N-S)/N^S\).
Let us now compute \(\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}]\). Assume there exist two valid transcripts for \(\mathsf {X}_{\mathsf {ls}}\). Namely, consider \((\mathsf {com},\mathsf {ch},\mathsf {resp})\) and \((\mathsf {com},\mathsf {ch}',\mathsf {resp}')\), with \(\mathsf {ch}\ne \mathsf {ch}'\) and \(\mathsf {com}= (F_1, F_2)\). Then, we have
Therefore, we can deduce
However, this clearly contradicts conditions (4). Therefore, there can exist at most one challenge that admits a valid response in case \(\mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}\). In particular, this proves \(\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}] \le 1/(S+1)\).
Combining everything together, we conclude.
4.3 (Almost) Doubling Challenge Space of Lossy Identification Scheme \(\mathsf {ID}^\mathsf{EnCh}_{\mathsf {ls}}\)
Following the work of [6] and their exploitation of quadratic twists, we show a simple method to almost double the challenge space of the previous scheme \(\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}\). The new scheme \(\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}\) (with a doubly-enlarged challenge set) has statement-witness pairs almost identical to those of \(\mathsf {ID}^\mathsf{enCh}_\mathsf {ls}\). The statement remains the same, while the witness contains two extra coordinates, namely \(b,c \in \mathbb {Z}_N\) such that \(\mathfrak {g}^b\,\star \,E_0=E_1^{(0)}\), \(\mathfrak {g}^c\,\star \,E_0=E_2^{(0)}\). The algorithm \(\mathsf {IGen}\) is adjusted according to this modification, while the lossy key generation algorithm \(\mathsf{LossyIGen}\) and the prover’s first move \(\mathsf {P}_1\) are defined exactly the same.
The challenge set \(\mathsf{ChSet}\) now admits also negative values, in particular it is the set \(\{0,\pm 1, \dots , \pm S\}\). The third move \(\mathsf {P}_2\) and the verification algorithm \(\mathsf {V}\) are hence converted to deal with these new challenge values:

On input \((\mathsf {X},\mathsf {W},\mathsf {com},\mathsf {ch})\), where \(\mathsf {ch}\in \mathsf{ChSet}\), \(\mathsf {P}_2\) outputs the response \(\mathsf {resp}\) which is r if \(\mathsf {ch}=0\), \(r-a_{\mathsf {ch}}\) if \(\mathsf {ch}> 0\) and \(r+b+c+a_{\mathsf {ch}}\) if \(\mathsf {ch}< 0\).

On input \((\mathsf {X},\mathsf {com},\mathsf {ch},\mathsf {resp})\), the verification algorithm \(\mathsf {V}\) checks that \(\mathfrak {g}^{\mathsf {resp}}\,\star \,E_1^{(\mathsf {ch})}=F_1\), \(\mathfrak {g}^{\mathsf {resp}}\,\star \,E_2^{(\mathsf {ch})}=F_2\) if \(\mathsf {ch}\ge 0\), and
$$\begin{aligned} \mathfrak {g}^{\mathsf {resp}}\,\star \,E_1^{(\mathsf {ch}),\mathsf {tw}}=F_2, \quad \mathfrak {g}^{\mathsf {resp}}\,\star \,E_2^{(\mathsf {ch}),\mathsf {tw}}=F_1 \end{aligned}$$if \(\mathsf {ch}< 0\).
We note that the symbols \(E_1^{(\mathsf {ch}),\mathsf {tw}}\), \(E_2^{(\mathsf {ch}),\mathsf {tw}}\) denote the quadratic twists of the curves \(E_1^{(\mathsf {ch})}\) and \(E_2^{(\mathsf {ch})}\), respectively. In particular \(E_1^{(\mathsf {ch}),\mathsf {tw}}=\mathfrak {g}^{-a_{\mathsf {ch}}-b}\,\star \,E_0\), and \(E_2^{(\mathsf {ch}),\mathsf {tw}}=\mathfrak {g}^{-a_{\mathsf {ch}}-c}\,\star \,E_0\).
Remark 4.1
We exploit the quadratic twist in a slightly different way compared to [6]. This has the effect of allowing us to base security on the FCMDCSIDH assumption rather than the more restricted FCMDCSIDH assumption where \(E_1^{(0)}\) is fixed to be the special elliptic curve \(E_0\). The variant proposed in [6, Section 2.5] in order to extend the challenge set to negative values relies on the fact that the public key and the commitment are computed starting from the specific elliptic curve \(E_0\). Consequently, the security of their derived sigma protocol requires the GAIP problem to be hard for this specific \(E_0\) as the base point. This is in contrast to all other schemes provided in [6] which only need the standard GAIP problem.
Security of Lossy Identification Scheme \(\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}\). The proposed lossy identification protocol \(\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}\) inherits all the standard properties of a lossy identification protocol (see Definition 2.1) from the previous scheme \(\mathsf {ID}^\mathsf{enCh}_{\mathsf {ls}}\). Moreover, since the statement output by \(\mathsf {IGen}\) and \(\mathsf{LossyIGen}\) is identical to \(\mathsf {ID}^\mathsf{enCh}_\mathsf {ls}\), the protocol \(\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}\) satisfies indistinguishability of lossy statements assuming the hardness of the FCMDCSIDH problem.
Finally, the statistical lossy soundness is addressed in the following lemma. As can be seen, the shape of \(\epsilon _\mathsf {ls}\) remains unchanged with respect to Lemma 4.3.
Lemma 4.4
Our lossy identification protocol \(\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}\) satisfies statistical \(\epsilon _\mathsf {ls}\)-lossy soundness for \(\epsilon _\mathsf {ls}=(1/(2S+1)) \cdot \prod _{i=1}^{S}((N-i)/N)+(1 - \prod _{i=1}^{S}((N-i)/N))\), where \(N = \left| \mathcal {C\ell (O)} \right| \).
Proof
The proof is almost identical to that of Lemma 4.3. We consider exactly the same partition \(X_\mathsf{BAD}\), \(X \backslash X_\mathsf{BAD}\) for the set of statements X which was introduced in Lemma 4.3. The only difference is that three extra cases arise from the extension of the challenge space when computing \(\Pr [\mathcal {A}\text { wins} \mid \mathsf {X}_\mathsf {ls}\in X_\mathsf{BAD}] \). Namely, consider \((\mathsf {com},\mathsf {ch},\mathsf {resp})\) and \((\mathsf {com},\mathsf {ch}',\mathsf {resp}')\), with \(\mathsf {ch}\ne \mathsf {ch}'\) and \(\mathsf {com}= (F_1, F_2)\), as valid transcripts for \(\mathsf {X}_\mathsf {ls}\). If \(\mathsf {ch}\) and \(\mathsf {ch}'\) are both negative, we have that \(\mathsf {resp} - \mathsf {resp}'\) satisfies
i.e. \(a_{\mathsf {ch}}a_{\mathsf {ch}'}=a'_{\mathsf {ch}}a'_{\mathsf {ch}'}\). When \(\mathsf {ch}> 0\) and \(\mathsf {ch}' <0 \), for the value \(\mathsf {resp} \mathsf {resp}'\) it holds
which implies the analogous relation \(a_{\mathsf {ch}}a_{\mathsf {ch}'}=a'_{\mathsf {ch}}a'_{\mathsf {ch}'}\). The last case to be taken into account has \(\mathsf {ch}=0\) and \(\mathsf {ch}' <0\), for which we deduce
and then the relation \(a_{\mathsf {ch}'}=a'_{\mathsf {ch}'}\).
Therefore, combining this with conditions (4) in Lemma 4.3, we conclude that in case \(X_\mathsf {ls}\in X_\mathsf{BAD}\), there can exist at most one \(\mathsf {ch}\in \{0,\pm 1, \dots , \pm S\}\) which leads to a valid response \(\mathsf {resp}\). This concludes the proof.
4.4 Lossy Soundness Amplification of \(\mathsf {ID}^\mathsf{denCh}_\mathsf {ls}\)
For completeness, we provide the following lemma.
Lemma 4.5
Consider running t parallel rounds of the lossy identification protocol \(\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}\) (with the same statement-witness pair). Then it satisfies statistical \(\epsilon _\mathsf {ls}\)-lossy soundness for \(\epsilon _\mathsf {ls}=\frac{1}{(2S+1)^t} \cdot \prod _{i=1}^{S}\frac{N-i}{N}+\left(1 - \prod _{i=1}^{S}\frac{N-i}{N}\right)\), where \(N = \left| \mathcal {C}\ell (\mathcal {O}) \right|\).
Proof
The proof is analogous to Lemma 3.3.
5 Lossy CSI-FiSh: Tightly Secure Signature from CSIDH-512
5.1 Construction of Lossy CSI-FiSh
We depict our Lossy CSI-FiSh signature scheme, whose security is based on the FCMDCSIDH assumption with parameter S, in Algorithms 1 to 3. It is obtained by applying the Fiat-Shamir transformation to the (soundness-amplified) lossy identification protocol \(\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}\) introduced in Sect. 4.3. We note that we use a (quantumly secure) \(\mathsf {PRF}\) to derandomize the signature generation, to comply with the hypothesis of Theorem 2.1. In practice, one can simply use any standard hash function (e.g., SHA3).^{Footnote 5} Moreover, we use the extra property of commitment recoverability (see Definition 2.1) of our lossy identification protocol \(\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}\) and let the verifier recover \(\mathsf {com}\) from \(\mathsf {resp}\) and \(\mathsf {ch}\). This allows us to send t hash values rather than 2t elliptic curves over \( \mathcal {E\ell \ell }_p(\mathcal {O},\pi )\), and greatly reduces the signature size.
The values S and t are parameters of the signature scheme and can be chosen by the user, allowing for different trade-offs between security, efficiency and signature size. Roughly, the only condition which S and t must satisfy is \(t \cdot \log _2 S \approx \lambda \) in the classical setting, where \(\lambda \) is the desired security level. In the quantum setting, we require \(t \cdot \log _2 S \approx \lambda + \log _2 Q_H\), where \(Q_H\) is the number of hash evaluations an adversary can make. For fixed S and t, the resulting signature size is \(t \cdot (\lceil \log _2 N \rceil + \lceil \log _2 S \rceil )\) bits. A selection of candidate parameters is provided in Sect. 5.2.
The following theorem asserts the tight security of Lossy CSI-FiSh based on the FCMDCSIDH assumption. Observe that the computational advantages appear with constant factor one. Moreover, viewing S as a constant parameter, Lossy CSI-FiSh admits tight security based on the DCSIDH assumption as well.
Theorem 5.1
Let Lossy CSI-FiSh be the signature scheme depicted in Algorithms 1, 2, and 3. Then, for any quantum adversary \(\mathcal {A}\) against the \(\mathsf {su\text {-}cma}\) security of Lossy CSI-FiSh that issues at most \(Q_H\) queries to the quantum random oracle, there exists a quantum adversary \(\mathcal {B}\) against the FCMDCSIDH problem with parameter S and a quantum adversary \(\mathcal {D}\) against the \(\mathsf {PRF}\) such that
and \(\mathsf {Time}(\mathcal {B}) = \mathsf {Time}(\mathcal {D}) = \mathsf {Time}(\mathcal {A}) + Q_H \approx \mathsf {Time}(\mathcal {A})\). Moreover, we can replace \(\mathcal {B}\) by a quantum adversary \(\mathcal {B}'\) against the DCSIDH problem such that
and \(\mathsf {Time}(\mathcal {B}) \approx \mathsf {Time}(\mathcal {B}')\).
In the classical setting, the only difference is that the above bound depends linearly on \(Q_H\) instead of quadratically. That is, we can replace \(8 (Q_H + 1)^2\) with \(Q_H + 1\).^{Footnote 6}
Proof
The theorem is a consequence of Theorem 2.1, Lemmas 4.1 and 4.5, along with the additional security claims made in Sect. 4. Note that the lossy identification protocol \(\mathsf {ID}^\mathsf{denCh}_{\mathsf {ls}}\) has N bits of min-entropy, where N is the cardinality of \(\mathcal {C}\ell (\mathcal {O})\).
Remark 5.1
(Shorter Secret Key). Since the secret key \(\mathsf {sk}\) is composed of random values, we can use standard tricks to derive them from the \(\mathsf {PRF}\) key. In particular, we only require one \(\mathsf {PRF}\) key, e.g., a 16-byte seed for SHA3, as the secret key. This modification has (almost) no effect on the overall concrete security. For readability, in Algorithm 1 we do not make the use of the \(\mathsf {PRF}\) explicit when sampling uniformly in \(\mathbb {Z}_N\).
5.2 Instantiations and Comparison to CSI-FiSh
In this section, we specialise Lossy CSI-FiSh to the CSIDH-512 parameters, and we consider several possible values for t and S in both the classical and the quantum setting. For each choice of (S, t), Theorem 5.1 dictates how many bits of classical/quantum security the scheme guarantees. Clearly, different choices for (S, t) lead to different bandwidth and computational efficiency.
Here, \(\gamma \)-bit security for a cryptographic scheme is defined as the non-existence of an adversary that breaks the scheme with a success ratio larger than \(2^{-\gamma }\), where the success ratio is the quotient of the adversary’s success probability and its running time [3]. In light of Theorem 5.1, the number of bits of security guaranteed by the signature scheme Lossy CSI-FiSh is upper bounded by the security of the FCMDCSIDH problem. In line with [8], in the following we assume that the best method to solve the DCSIDH problem (and hence FCMDCSIDH) is to solve one of the corresponding GAIP instances.
Aligning with [6], we consider a hash function that is a factor \(2^u\) slower than a standard hash function (such as SHA3) and vary u to obtain trade-offs between security and efficiency. Moreover, for ease of comparison, we consider the same values of S and u that are used in [6]. Below, we first discuss the public key and signature sizes of Lossy CSI-FiSh, in both the classical and the quantum setting. We then discuss the efficiency of our scheme with respect to the running times of signature generation and verification. The runtime analysis is the same for the classical and the quantum setting.
Classical Setting. The best known classical algorithm for the GAIP problem applies the meet-in-the-middle strategy, and hence has time complexity \(O(\sqrt{N})\), where N is the cardinality of \(\mathcal {C}\ell (\mathcal {O})\). The class group computation executed in [6] has shown that \(N \simeq 2^{257.1}\) for the CSIDH-512 parameters. This means that the DCSIDH problem guarantees at most 128 bits of classical security and hence, in turn, the FCMDCSIDH problem guarantees at most 128 bits when \(S=1\), and at most \(128/\log _2{S}\) bits when \(S > 1\) (see Lemma 4.1).
By Theorem 5.1, for all classical adversaries running in time at most \(2^{128}\) and making at most \(Q_H = 2^{128}\) random-oracle queries, it holds that:
where we ignore the min-entropy term since it gives no significant contribution, being smaller than \(2^{-256}\). Furthermore, \(1-\prod _{i \in [S]} (N-i)/N\) is less than \(2^{-242}\) even for the largest value of S considered in the following, i.e. \(2^{15}-1\). Hence, the last term can be safely approximated as \(2^{-u}\cdot (2S+1)^{-t}\). Now, since each of the values of S is of the form \(2^w-1\), we deduce that \(2^{-u}\cdot (2S+1)^{-t}\) must be bounded by \(2^{-129}\) to reach \(128+w\) bits of security. For a fixed value of u, the smallest value of t for which the above inequality is satisfied is uniquely defined.
In Table 1 we report, for each choice of S and u: the minimum value of t for which we obtain the maximal security guaranteed by Lossy CSI-FiSh, the number of bits of that security level, and the signature and public key sizes for Lossy CSI-FiSh and CSI-FiSh. The column “bits of security” is omitted for CSI-FiSh as it does not provide provable concrete security. We highlight that for a fixed triple (S, t, u), the signatures produced with our scheme Lossy CSI-FiSh have exactly the same size as those produced with CSI-FiSh. Finally, we note that the values for CSI-FiSh reported in Table 1 differ slightly from those of [6, Table 3], where some approximations were made (e.g., \(2S-1\) was approximated by 2S), while our parameters are chosen without any approximation.
The difference in public key size between Lossy CSI-FiSh and CSI-FiSh has two causes:
(i) in Lossy CSI-FiSh the starting curves \(E_1^{(0)}, E_2^{(0)}\) are computed by each user and are part of the public key, while in CSI-FiSh the starting curve \(E_0\) is part of the public parameters of the scheme;
(ii) for each coordinate \(a_i\) of the private key, with \(i \in [S]\), Algorithm 1 computes two curves that become part of the public key, while in CSI-FiSh only \(\mathfrak {g}^{a_i}\,\star \,E_0\) is appended to the public key.
Recalling that each curve in \(\mathcal {E\ell \ell }_p(\mathcal {O},\pi )\) can be uniquely represented by an element of \(\mathbb {F}_p\), with \(p \simeq 2^{512}\), for a given S the size of a CSI-FiSh public key is \(S \cdot 512\) bits while a public key produced with Lossy CSI-FiSh has length \((S+2) \cdot 512\) bits, the extra term being more noticeable for small values of S.
Quantum Setting. The best known quantum algorithm for the GAIP problem is Kuperberg’s algorithm for the hidden shift problem [28, 29], which has subexponential complexity. The concrete security estimates, however, are still an active area of research [5, 7, 34]. In the following we consider 56 bits of quantum security as a conservative choice, and 64 bits as a more optimistic choice, for the DCSIDH problem. Consequently, we consider quantum adversaries running in time at most \(2^{56}\) in the conservative variant, and \(2^{64}\) in the optimistic one. Analogously, we upper bound the number of possible queries \(Q_H\) by \(2^{56}\) in the former case, and by \(2^{64}\) in the latter. In both cases, the upper bound on the security of Lossy CSI-FiSh depends quadratically on \(Q_H\).
Considering the optimistic variant, the following inequality holds due to Theorem 5.1:
where the approximation is justified by the same argument as in the classical setting. We require \(2^{67-u} \cdot (2S+1)^{-t}\) to be bounded by \(2^{-65}\) in order to reach \(64+w\) bits of quantum security, with \(S=2^w-1\). Analogously, in the conservative variant, we require \(2^{59-u}\cdot (2S+1)^{-t}\) to be bounded by \(2^{-57}\) in order to reach \(56+w\) bits of quantum security, with \(S=2^w-1\).
In Table 2 we distinguish the conservative and optimistic variants, reporting the values of t for each choice of S and u, the security levels guaranteed in the two cases, and the signature and public key sizes. We note that the size of the public key only depends on S, hence it is the same as in the classical setting (see Table 1).
Estimated Performance. The costs of key generation, signing and verifying are dominated by the class group actions executed in each algorithm. For fixed S and t, the number of actions for each of them is as follows:
(i) key generation (Algorithm 1) requires \(2S+2\) actions, of which S are also computed by the key generation algorithm of CSI-FiSh;
(ii) both signing (Algorithm 2) and verifying (Algorithm 3) need 2t actions, exactly twice as many as required by the corresponding algorithms of CSI-FiSh.
As can be seen, key generation would be slightly slower than twice the key generation of CSI-FiSh, while signature generation and verification would take twice as long as in CSI-FiSh. To provide a concrete benchmark, we estimate the running times using the two triples \((2^{15}-1,7,16)\) and \((2^3-1,28,16)\), reporting the values of S, t and u for two instances from [6, Table 3]. These two parameter settings are chosen in order to achieve a small signature size and a small sum of signature and public key size, respectively. For the first (resp. second) triple, CSI-FiSh takes the following: 28 min (resp. 400 ms) for key generation, 395 ms (resp. 1.48 s) for signature generation, and 393 ms (resp. 1.48 s) for signature verification^{Footnote 7}. Therefore, we estimate that Lossy CSI-FiSh will take, for the respective triples, \(\sim 56\) min (resp. \({\sim }920\) ms) for key generation, and \({\sim }800\) ms (resp. 3 s) for signature generation and verification. For estimating the runtime of key generation, we simply scaled the runtime of CSI-FiSh by a factor \((2 S + 2) \cdot S^{-1}\).
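The selection rules of this section (the classical and quantum success-ratio bounds that fix the minimal t for a given (S, u), the signature and public key size formulas, the group-action counts and the key-generation scaling) can be checked with a short script. The following is an added example, not code from the paper or from any CSI-FiSh implementation: the function and variable names are our own, the constants \(\lceil \log_2 N \rceil = 258\) and the 512-bit curve encoding are taken from the text, the bounds are evaluated with exact integers rather than by approximating 2S+1 by a power of two, and the "claimed bits" value simply restates the \(128+w\), \(64+w\) and \(56+w\) levels the text associates with \(S = 2^w-1\).

```python
"""Parameter-selection helper for Lossy CSI-FiSh over the CSIDH-512 class group.

Added example; not code from the paper or from any CSI-FiSh implementation.
It encodes the selection rules stated in Sect. 5.2.  Names are our own.
"""
import math

# From the text: N ~ 2^257.1 (class group computation of [6]), so ceil(log2 N) = 258;
# each curve is encoded as one F_p element with p ~ 2^512.
LOG2_N_CEIL = 258
CURVE_BITS = 512

# Success-ratio bounds of Sect. 5.2, each rewritten as (2S+1)^t * 2^u >= 2^target:
#   classical:            2^-u     * (2S+1)^-t <= 2^-129  -> target 129
#   quantum-optimistic:   2^(67-u) * (2S+1)^-t <= 2^-65   -> target 65 + 67
#   quantum-conservative: 2^(59-u) * (2S+1)^-t <= 2^-57   -> target 57 + 59
TARGET_EXPONENT = {
    "classical": 129,
    "quantum-optimistic": 65 + 67,
    "quantum-conservative": 57 + 59,
}
BASE_BITS = {"classical": 128, "quantum-optimistic": 64, "quantum-conservative": 56}


def min_rounds(S: int, u: int, setting: str = "classical") -> int:
    """Smallest t >= 1 satisfying the bound for `setting`, with exact integers."""
    threshold = 2 ** TARGET_EXPONENT[setting]
    base = 2 * S + 1
    t = 1
    while base ** t * 2 ** u < threshold:
        t += 1
    return t


def claimed_security_bits(S: int, setting: str = "classical") -> int:
    """Level the text attributes to the minimal t: 128+w, 64+w or 56+w bits for S = 2^w - 1."""
    if (S & (S + 1)) != 0:
        raise ValueError("S must be of the form 2^w - 1")
    w = (S + 1).bit_length() - 1
    return BASE_BITS[setting] + w


def signature_bytes(S: int, t: int) -> int:
    """t * (ceil(log2 N) + ceil(log2 S)) bits, rounded up to bytes.
    Identical for Lossy CSI-FiSh and CSI-FiSh at the same (S, t)."""
    bits = t * (LOG2_N_CEIL + math.ceil(math.log2(S)))
    return -(-bits // 8)


def public_key_bytes(S: int) -> dict:
    """(S+2) curves for Lossy CSI-FiSh versus S curves for CSI-FiSh."""
    return {"lossy": (S + 2) * CURVE_BITS // 8, "csi_fish": S * CURVE_BITS // 8}


def group_actions(S: int, t: int) -> dict:
    """Class-group actions per algorithm: keygen 2S+2 vs S, sign/verify 2t vs t."""
    return {"lossy": {"keygen": 2 * S + 2, "sign": 2 * t, "verify": 2 * t},
            "csi_fish": {"keygen": S, "sign": t, "verify": t}}


def estimate_keygen(S: int, csi_fish_keygen_time: float) -> float:
    """Scale a measured CSI-FiSh key-generation time by (2S+2)/S, as in the text."""
    return csi_fish_keygen_time * (2 * S + 2) / S


def parameter_row(S: int, u: int, setting: str = "classical") -> dict:
    """One row of a Table 1 / Table 2 style parameter table."""
    t = min_rounds(S, u, setting)
    return {"S": S, "u": u, "t": t,
            "bits": claimed_security_bits(S, setting),
            "sig_bytes": signature_bytes(S, t),
            "pk_bytes": public_key_bytes(S)}


if __name__ == "__main__":
    for setting in TARGET_EXPONENT:
        for S in (2 ** 3 - 1, 2 ** 15 - 1):   # the two S values benchmarked in Sect. 5.2
            print(setting, parameter_row(S, 16, setting))
    # Key-generation estimates from the CSI-FiSh timings quoted in the text (28 min, 400 ms)
    print("keygen S=2^15-1: %.1f min" % estimate_keygen(2 ** 15 - 1, 28.0))
    print("keygen S=2^3-1: %.0f ms" % estimate_keygen(2 ** 3 - 1, 400.0))
```

Note that for \(S = 2^{15}-1\) the base \(2S+1 = 65535\) is not a power of two, so the exact computation can differ by one round from a table built with the \(2S+1 \approx 2^{16}\) shortcut; the text's remark that CSI-FiSh's own table used such approximations is exactly why the script avoids them.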
Finally, we point out one potential optimization for lowering the computation time required by the signing and verifying algorithms of Lossy CSI-FiSh. We recall that, in order to efficiently compute the action of \(\mathfrak {g}^a\) on a given curve, with \(a \in \mathbb {Z}_N\), it is necessary to find an equivalent representation of \(\mathfrak {g}^a\) as a product of small powers of the special ideals \(\mathfrak {I}_{\ell _i}\) (see Sect. 2.5). In [6], an algorithm solving an approximate Closest Vector Problem (CVP) was proposed for this task. Therefore, the computation of a class group action consists of two steps: finding the equivalent representation and computing the isogenies corresponding to the ideals’ powers. Here, we observe that in Lossy CSI-FiSh most of the group actions are pairwise coupled, i.e. they use the same exponent. As a result, the signing and verifying algorithms do not need to execute the finding-equivalent-representation step for each of the class group actions. This may therefore lead to more efficient algorithms, depending on the exact runtime of finding the equivalent representation. We leave it as future work to implement and verify the validity of this observation.
6 Conclusions and Open Problems
In this work, we construct a new signature scheme based on the CSIDH-512 parameters, called Lossy CSI-FiSh. It is provably secure and tightly reduces to the DCSIDH (or FCMDCSIDH) assumption. Lossy CSI-FiSh inherits most of the efficiency of CSI-FiSh and shows that a slight modification to CSI-FiSh allows the concrete parameters to be set in a provably secure manner at minimal cost. In particular, the signature size is as small as that of CSI-FiSh while signature generation and verification are around a factor of two slower. We hope that further research will improve the efficiency. Optimisations may be specialized to our scheme (for example, halving the number of approximate CVP problems to be solved in key generation) or, more generally, be designed for CSI-FiSh; indeed, the latter would likely have an impact on our scheme as well.
One of the biggest open problems is to devise a (lossy or non-lossy) identification protocol that allows the challenge set to be \(\mathbb {Z}_N\) rather than the small set \(\{ -S, \dots , S \}\), as also mentioned in [6]. This would allow for an analogue of the highly efficient Schnorr signature [36] based on the discrete logarithm problem. Another challenging yet interesting open problem is to show any type of random self-reducibility property for the DCSIDH problem. We believe such a technique would lend itself to other tightly-secure primitives (e.g., tightly-secure key exchange protocols) and perhaps shed light on Cramer-Shoup-like techniques [11] in the isogeny setting.
Notes
1.
2. The parameter set having the smallest value for the prime p.
3. With [S] we denote the set \(\{1,\dots ,S\}\).
4. j varies from 0 to S, and with [0] we denote the set \(\{0\}\).
5. We note that assuming that a standard cryptographic hash function acts as a \(\mathsf {PRF}\) does not add to our set of assumptions, since we are already working in the ROM.
6.
7. Their benchmarking experiments were performed on a Dell OptiPlex 3050 machine with an Intel Core i5-7500T CPU @ 2.70 GHz.
References
Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
Abdalla, M., Fouque, P.-A., Lyubashevsky, V., Tibouchi, M.: Tightly-secure signatures from lossy identification schemes. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 572–590. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_34
Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34
Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS+ signature framework. In: ACM CCS, pp. 17–43 (2019). Submission to the NIST PQC project
Bernstein, D.J., Lange, T., Martindale, C., Panny, L.: Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 409–441. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_15
Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9
Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogeny-based schemes. Cryptology ePrint Archive, Report 2018/537 (2018)
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
Couveignes, J.-M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006)
Cox, D.A.: Primes of the form \(x^2+ny^2\) (2011)
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
De Feo, L., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 365–394. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_14
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13
Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR TCHES 1, 238–268 (2018)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Fleischhacker, N., Jager, T., Schröder, D.: On tight security proofs for Schnorr signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 512–531. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_27
Fouque, P.-A., et al.: Falcon: Fast-Fourier lattice-based compact signatures over NTRU
Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_1
Garg, S., Bhaskar, R., Lokam, S.V.: Improved bounds on security reductions for discrete log based signatures. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 93–107. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_6
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: 40th ACM STOC, pp. 197–206 (2008)
Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: ACM CCS, pp. 155–164 (2003)
Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18
Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: TQC, vol. 22, pp. 20–34 (2013)
Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)
Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12
Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
Micali, S., Reyzin, L.: Improving the exact security of digital signature schemes. J. Cryptol. 15(1), 1–18 (2002). https://doi.org/10.1007/s00145-001-0005-8
Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_1
Peikert, C.: He gives C-sieves on the CSIDH. Cryptology ePrint Archive, Report 2019/725 (2019)
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006)
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Seurin, Y.: On the exact security of Schnorr-type signatures in the random oracle model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 554–571. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_33
Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)
Stolbunov, A.: Cryptographic schemes based on isogenies (2012)
Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A post-quantum digital signature scheme based on supersingular isogenies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 163–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_9
Zhandry, M.: How to construct quantum random functions. In: 53rd FOCS, pp. 679–687 (2012)
Acknowledgement
The second author was supported by JST CREST Grant Number JPMJCR19F6.
Copyright information
© 2020 International Association for Cryptologic Research
Cite this paper
El Kaafarani, A., Katsumata, S., Pintore, F. (2020). Lossy CSI-FiSh: Efficient Signature Scheme with Tight Reduction to Decisional CSIDH-512. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds) Public-Key Cryptography – PKC 2020. Lecture Notes in Computer Science, vol 12111. Springer, Cham. https://doi.org/10.1007/978-3-030-45388-6_6
DOI: https://doi.org/10.1007/978-3-030-45388-6_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45387-9
Online ISBN: 978-3-030-45388-6