Skip to main content

Breaking the Decisional Diffie-Hellman Problem for Class Group Actions Using Genus Theory

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12171)

Abstract

In this paper, we use genus theory to analyze the hardness of the decisional Diffie–Hellman problem (DDH) for ideal class groups of imaginary quadratic orders, acting on sets of elliptic curves through isogenies; such actions are used in the Couveignes–Rostovtsev–Stolbunov protocol and in CSIDH. Concretely, genus theory equips every imaginary quadratic order \(\mathcal {O}\) with a set of assigned characters \(\chi : {\text {cl}}(\mathcal {O}) \rightarrow \{ \pm 1\}\), and for each such character and every secret ideal class \([\mathfrak {a}]\) connecting two public elliptic curves E and \(E' = [\mathfrak {a}] \star E\), we show how to compute \(\chi ([\mathfrak {a}])\) given only E and \(E'\), i.e. without knowledge of \([\mathfrak {a}]\). In practice, this breaks DDH as soon as the class number is even, which is true for a density 1 subset of all imaginary quadratic orders. For instance, our attack works very efficiently for all supersingular elliptic curves over \(\mathbb {F}_p\) with \(p \equiv 1 \bmod 4\). Our method relies on computing Tate pairings and walking down isogeny volcanoes.

Keywords

  • Decisional Diffie-Hellman
  • Isogeny-based cryptography
  • Class group action
  • CSIDH

This work was supported in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019, and by CyberSecurity Research Flanders with reference number VR20192203. JS was supported by the Dutch Research Council (NWO) through Gravitation-grant Quantum Software Consortium - 024.003.037. Date of this document: 13th July 2020.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-56880-1_4
  • Chapter length: 29 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   99.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-56880-1
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   129.99
Price excludes VAT (USA)
Fig. 1.

Notes

  1. 1.

    In the context of this paper, it is worth highlighting the work of Ionica and Joux  [20] on this topic, who use the Tate pairing as an auxiliary tool for travelling through the volcano.

References

  1. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9

    CrossRef  Google Scholar 

  2. Blake, I.F., Seroussi, G., Smart, N.P. (eds.): Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, vol. 317. Cambridge University Press, Cambridge (2005)

    MATH  Google Scholar 

  3. Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS-III, 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054851. https://crypto.stanford.edu/~dabo/pubs/papers/DDH.pdf

  4. Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_7

    CrossRef  Google Scholar 

  5. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: the user language. J. Symbolic Comput. 24(3–4), 235–265 (1997). Computational algebra and number theory (London, 1993)

    MathSciNet  CrossRef  Google Scholar 

  6. Bosma, W., Stevenhagen, P.: On the computation of quadratic 2-class groups. J. de Théorie des Nombres de Bordeaux 8(2), 283–313 (1996)

    MathSciNet  CrossRef  Google Scholar 

  7. Castryck, W., Decru, T.: CSIDH on the surface. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 111–129. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_7. https://ia.cr/2019/1404

    CrossRef  Google Scholar 

  8. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15. https://ia.cr/2018/383

    CrossRef  Google Scholar 

  9. Colò, L., Kohel, D.: Orienting supersingular isogeny graphs (2019). http://nutmic2019.imj-prg.fr/confpapers/OrientIsogGraph.pdf

  10. Couveignes, J.-M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive 2006/291 (1997). https://ia.cr/2006/291

  11. Cox, D.A.: Primes of the Form \(x^2 + ny^2\): Fermat, Class Field Theory, and Complex Multiplication. Pure and Applied Mathematics, 2nd edn. Wiley, Hoboken (2013)

    CrossRef  Google Scholar 

  12. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717. https://ia.cr/1998/006

    CrossRef  Google Scholar 

  13. ECRYPT - CSA. Algorithms, key size and protocols report (2018). https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf

  14. De Feo, L., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 365–394. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_14. https://ia.cr/2018/485

    CrossRef  Google Scholar 

  15. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \({\mathbb{F}}_p\). Des. Codes Crypt. 78(2), 425–440 (2016). https://arxiv.org/abs/1310.7789

    MathSciNet  CrossRef  Google Scholar 

  16. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

    MathSciNet  CrossRef  Google Scholar 

  17. Fouquet, M., Morain, F.: Isogeny volcanoes and the SEA algorithm. In: Fieker, C., Kohel, D.R. (eds.) ANTS-V, 2002. LNCS, vol. 2369, pp. 276–291. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45455-1_23

    CrossRef  Google Scholar 

  18. El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_2

    CrossRef  Google Scholar 

  19. Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2, 837–850 (1989)

    MathSciNet  CrossRef  Google Scholar 

  20. Ionica, S., Joux, A.: Pairing the volcano. Math. Comput. 82(281), 581–603 (2013). https://arxiv.org/abs/1110.3602

    MathSciNet  CrossRef  Google Scholar 

  21. Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. Ph.D thesis (1996)

    Google Scholar 

  22. Miret, J., Moreno, R., Sadornil, D., Tena-Ayuso, J., Valls, M.: An algorithm to compute volcanoes of 2-isogenies of elliptic curves over finite fields. Appl. Math. Comput. 176(2), 739–750 (2006)

    MathSciNet  MATH  Google Scholar 

  23. Miret, J., Sadornil, D., Tena-Ayuso, J., Tomàs, R., Valls, M.: Volcanoes of \(\ell \)-isogenies of elliptic curves over finite fields: the case \(\ell =3\). Publ. Mat. 51, 165–180 (2007)

    MathSciNet  CrossRef  Google Scholar 

  24. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: FOCS, pp. 458–467. IEEE Computer Society (1997)

    Google Scholar 

  25. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31. https://ia.cr/2007/348

    CrossRef  Google Scholar 

  26. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006:145 (2006)

    Google Scholar 

  27. Schoof, R.: Nonsingular plane cubic curves over finite fields. J. Combin. Theory Ser. A 46(2), 183–211 (1987)

    MathSciNet  CrossRef  Google Scholar 

  28. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). https://arxiv.org/abs/quant-ph/9508027

    MathSciNet  CrossRef  Google Scholar 

  29. Stolbunov, A.: Cryptographic schemes based on isogenies. Ph.D thesis (2012)

    Google Scholar 

  30. Sutherland, A.V.: Isogeny volcanoes. In: ANTS-X. Open Book Series, vol. 1, pp. 507–530. MSP (2013). https://arxiv.org/abs/1208.5370

  31. Tate, J.: Endomorphisms of abelian varieties over finite fields. Invent. Math. 2(2), 134–144 (1966). https://doi.org/10.1007/BF01404549

    MathSciNet  CrossRef  MATH  Google Scholar 

  32. Tenenbaum, G.: Introduction to Analytic and Probabilistic Number Theory. Graduate Studies in Mathematics, vol. 163, 3rd edn. American Mathematical Society, Providence (2015). Translated from the 2008 French edition by Patrick D. F. Ion

    CrossRef  Google Scholar 

  33. Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971)

    MATH  Google Scholar 

  34. Waterhouse, W.C.: Abelian varieties over finite fields. Ann. Sci. École Norm. Sup. 2, 521–560 (1969)

    MathSciNet  CrossRef  Google Scholar 

Download references

Acknowledgements

The authors would like to thank Alex Bartel, Steven Galbraith and the anonymous referees for useful feedback on an earlier version of the paper.

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Wouter Castryck or Frederik Vercauteren .

Editor information

Editors and Affiliations

Appendices

A Not Walking to the Floor

As explained in Sect. 3, our approach to computing \(\chi (E, E')\) is to take an arbitrary walk to the floor of the respective m-isogeny volcanoes of E and \(E'\). In fact, one can stop walking down as soon as one reaches a level where the \(m^\infty \)-torsion is sufficiently unbalanced. We illustrate this by means of the following modification of Theorem 8 (for \(n=1\)), which is likely to admit further generalizations.

Theorem 12

Let \(E / \mathbb {F}_q\) be an ordinary elliptic curve and let m be a prime divisor of \(q-1\). Assume that E is not located on the crater of its m-volcano and that

$$\begin{aligned} E(\mathbb {F}_q)[m^\infty ] \cong \frac{\mathbb {Z}}{(m^r)} \times \frac{\mathbb {Z}}{(m^s)} \end{aligned}$$

for some \(r > s + 1\). Let \(P \in E(\mathbb {F}_q)[m] \setminus \{ \mathbf {0}\}\) be such that there exists a point \(Q \in E(\mathbb {F}_q)\) for which \(m^{r-1}Q = P\). Then the reduced Tate pairing

$$\begin{aligned} T_m(P, \cdot ) : E(\mathbb {F}_q) / mE(\mathbb {F}_q) \rightarrow \mu _m : X \mapsto T_m(P,X) \end{aligned}$$
(7)

is trivial if and only if X belongs to \(E[m^s] \bmod mE(\mathbb {F}_q)\). In particular, \(T_m(P,Q)\) is a primitive m-th root of unity which, for a fixed P, does not depend on the choice of Q.

Proof

The assumption \(m \mid (q-1)\) implies that \(\mu _m \subset \mathbb {F}_q\). As explained in [2, IX.7.1], the kernel of \(T_m(P, \cdot )\) is a codimension 1 subspace of \(E(\mathbb {F}_q) / mE(\mathbb {F}_q)\), when viewed as a vector space over \(\mathbb {F}_m\). Therefore it suffices to prove that \(T_m(P, \cdot )\) is trivial on \(E[m^s] \bmod mE(\mathbb {F}_q)\), because the latter space indeed has codimension 1. More precisely, it has dimension 0 if \(s = 0\) and dimension 1 if \(s \ge 1\).

Now, since we are not on the crater, we know from Theorem 7 that there exists an elliptic curve \(E' / \mathbb {F}_q\) and an \(\mathbb {F}_q\)-rational m-isogeny \(\varphi : E' \rightarrow E\) such that \(E'(\mathbb {F}_q)[m^\infty ] \cong \mathbb {Z}/(m^{r-1}) \times \mathbb {Z}/(m^{s+1})\). We note:

  • \(E[m^s] \subset \varphi (E'[m^{s+1}]) \subset \varphi (E'(\mathbb {F}_q))\), hence each \(X \in E[m^s]\) can be written as \(\varphi (X')\) for some \(X' \in E'(\mathbb {F}_q)\).

  • The kernel of the dual isogeny \(\hat{\varphi } : E \rightarrow E'\) equals \(\langle P \rangle \), as otherwise \(E'\) would admit \(\mathbb {F}_q\)-rational \(m^r\)-torsion. Therefore P is the image of a point \(P' \in E'[m] \subset E'(\mathbb {F}_q)\).

We conclude that

$$\begin{aligned} T_m(P,X) = T_m(\varphi (P'), \varphi (X')) = T_m(P',X')^{\deg (\varphi )} = T_m(P',X')^m = 1, \end{aligned}$$

as wanted.    \(\square \)

B Magma Code

figure a
figure b
figure c
figure d
figure e
figure f
figure g
figure h

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Castryck, W., Sotáková, J., Vercauteren, F. (2020). Breaking the Decisional Diffie-Hellman Problem for Class Group Actions Using Genus Theory. In: Micciancio, D., Ristenpart, T. (eds) Advances in Cryptology – CRYPTO 2020. CRYPTO 2020. Lecture Notes in Computer Science(), vol 12171. Springer, Cham. https://doi.org/10.1007/978-3-030-56880-1_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-56880-1_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-56879-5

  • Online ISBN: 978-3-030-56880-1

  • eBook Packages: Computer ScienceComputer Science (R0)