On the Security of OSIDH

Part of the Lecture Notes in Computer Science book series (LNSC, volume 13177)

Abstract

The Oriented Supersingular Isogeny Diffie–Hellman (OSIDH) is a post-quantum key exchange scheme recently introduced by Colò and Kohel. It is based on the group action of the ideal class group of a quadratic imaginary order on a subset of supersingular elliptic curves, and in this sense it can be viewed as a generalization of the popular isogeny-based key exchange CSIDH. From an algorithmic standpoint, however, OSIDH is quite different from CSIDH. In a sense, OSIDH uses class groups which are more structured than in CSIDH, creating a potential weakness that was already recognized by Colò and Kohel. To circumvent the weakness, they proposed an ingenious way to realize a key exchange by exchanging partial information on how the class group acts in the neighborhood of the public curves, and conjectured that this additional information would not impact security.

In this work we revisit the security of OSIDH by presenting a new attack, building upon previous work of Onuki. Our attack has exponential complexity, but, unlike Onuki’s attack, it breaks Colò and Kohel’s parameters in practice. We also discuss countermeasures to our attack, and analyze their impact on OSIDH, both from an efficiency and a functionality point of view.

Keywords

  • Post-quantum cryptography
  • Isogenies
  • Cryptographic group actions

Notes

  1. The “Commutative Supersingular Diffie–Hellman”, pronounced sea-side.

  2. CSIDH-512 was originally claimed to match the NIST-1 security level. Recent works have questioned the quantum security of CSIDH [8, 33], but to this day CSIDH-512’s classical security claim still holds unchanged.

  3. See https://github.com/Pierrick-Dartois/OSIDH.

  4. See https://math.mit.edu/~drew/ClassicalModPolys.html.

References

  1. Aggarwal, D., Mukhopadhyay, P.: Improved algorithms for the shortest vector problem and the closest vector problem in the infinity norm (2018)

  2. Alamati, N., De Feo, L., Montgomery, H., Patranabis, S.: Cryptographic group actions and applications. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 411–439. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_14

  3. Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem (shortened version). In: STACS (1985)

  4. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, January 2016. https://doi.org/10.1137/1.9781611974331.ch2

  5. Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_16

  6. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9

  7. Boneh, D., Kogan, D., Woo, K.: Oblivious pseudorandom functions from isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 520–550. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_18

  8. Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 493–522. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_17

  9. Brassard, G., Yung, M.: One-way group actions. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 94–107. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_7

  10. Bröker, R., Lauter, K., Sutherland, A.V.: Modular polynomials via isogeny volcanoes. Math. Comput. 81(278), 1201–1231 (2011)

  11. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  12. Chavez-Saab, J., Chi-Dominguez, J.J., Jaques, S., Rodriguez-Henriquez, F.: The SQALE of CSIDH: square-root Vélu quantum-resistant isogeny action with low exponents. Cryptology ePrint Archive, Report 2020/1520 (2020). https://eprint.iacr.org/2020/1520

  13. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1993). https://doi.org/10.1007/978-3-662-02945-9

  14. Colò, L., Kohel, D.: Orienting supersingular isogeny graphs. J. Math. Cryptol. 14(1), 414–437 (2020). https://doi.org/10.1515/jmc-2019-0034

  15. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). https://eprint.iacr.org/2006/291

  16. Cox, D.A.: Primes of the form \(x^2+ny^2\). Wiley (2013)

  17. Dartois, P., De Feo, L.: On the security of OSIDH. Cryptology ePrint Archive, Report 2021/1681 (2021). https://ia.cr/2021/1681

  18. De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26

  19. De Feo, L., Meyer, M.: Threshold schemes from isogeny assumptions. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 187–212. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_7

  20. de Saint Guilhem, C.D., Orsini, E., Petit, C., Smart, N.P.: Semi-commutative masking: a framework for isogeny-based protocols, with an application to fully secure two-round isogeny-based OT. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 235–258. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65411-5_12

  21. Ducas, L., Laarhoven, T., van Woerden, W.P.J.: The randomized slicer for CVPP: sharper, faster, smaller, batchier. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 3–36. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_1

  22. Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11

  23. Espitau, T., Kirchner, P.: The nearest-colattice algorithm: Time-approximation tradeoff for approx-CVP. Open Book Ser. 4, 251–266 (2020). https://doi.org/10.2140/obs.2020.4.251

  24. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_3

  25. Galbraith, S.D., Stolbunov, A.: Improved algorithm for the isogeny problem for ordinary elliptic curves. Appl. Algebra Eng. Commun. Comput. 24(2), 107–131 (2013). https://doi.org/10.1007/s00200-013-0185-0

  26. Jaques, S., Schrottenloher, A.: Low-gate quantum golden collision finding. Cryptology ePrint Archive, Report 2020/424 (2020). https://eprint.iacr.org/2020/424

  27. Kohel, D.: Endomorphism rings of elliptic curves over finite fields (1996). http://iml.univ-mrs.fr/~kohel/pub/thesis.pdf

  28. Kohel, D.R., Lauter, K., Petit, C., Tignol, J.P.: On the quaternion-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014)

  29. Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)

  30. Lai, Y.F., Galbraith, S.D., de Saint Guilhem, C.: Compact, efficient and UC-secure isogeny-based oblivious transfer. Cryptology ePrint Archive, Report 2020/1012 (2020). https://eprint.iacr.org/2020/1012

  31. Milne, J.S.: Complex multiplication (2020). https://www.jmilne.org/math/CourseNotes/cm.html

  32. Onuki, H.: On oriented supersingular elliptic curves (2020). https://arxiv.org/abs/2002.09894

  33. Peikert, C.: He gives C-sieves on the CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 463–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_16

  34. Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_12

  35. Pohlig, S.E., Hellman, M.E.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inf. Theor. IT 24(1), 106–110 (1978)

  36. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006). https://eprint.iacr.org/2006/145

  37. Schnorr, C.P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)

  38. Silverman, J.H.: Advanced Topics in The Arithmetic of Elliptic Curves. Springer, New York (1994). https://doi.org/10.1007/978-1-4612-0851-8

  39. Silverman, J.H.: Integral points on elliptic curves. In: The Arithmetic of Elliptic Curves. GTM, vol. 106, pp. 269–307. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6_9

  40. Sutherland, A.V.: Structure computation and discrete logarithms in finite abelian \(p\)-groups. Math. Comput. 80(273), 477–500 (2010)

  41. The FPLLL development team: FPyLLL, a Python wrapper for the fplll lattice reduction library, Version: 0.5.6 (2021). https://github.com/fplll/fpylll

  42. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.2) (2021). https://www.sagemath.org

  43. Vélu, J.: Isogénies entre courbes elliptiques. Comptes-rendus de l’Académie des Sciences 273, 238–241 (1971). https://gallica.bnf.fr

  44. Waterhouse, W.C.: Abelian varieties over finite fields. Annales scientifiques de l’École Normale Supérieure 2(4), 521–560 (1969). http://eudml.org/doc/81852

  45. Wesolowski, B.: The supersingular isogeny path and endomorphism ring problems are equivalent. Cryptology ePrint Archive, Report 2021/919 (2021). https://ia.cr/2021/919

  46. Aono, Y., Espitau, T., Nguyen, P.Q.: Random lattices: theory and practice. https://espitau.github.io/bin/random_lattice.pdf

Author information

Correspondence to Pierrick Dartois.

Appendices

A Time Complexity of the Chain Attack of Sect. 3.3

We refer to Sect. 3.3 for the notations. As explained in Sect. 3.3, the dominant step in the attack is to find a close vector to \(\mathbf {e}_{i+1}\) in \(L_{i+1}\) and compute the action of \([\mathfrak {a}_i\cdot \mathfrak {b}_i]\) on \(E_{i+1}\). This operation has to be repeated at most \(\simeq \ell \) times for all \(i\in \llbracket 0~;~n-1\rrbracket \), so at most \(n\ell \) times.

If we find \(\mathbf {c}\in L_{i+1}\) close to \(\mathbf {e}_{i+1}\) and set \(\mathbf {e}'_{i+1}:=\mathbf {e}_{i+1}-\mathbf {c}\), so that \([\mathfrak {a}_i\cdot \mathfrak {b}_i]=\prod _{j=1}^t[\mathfrak {q}_j]^{e'_{i+1,j}}\) in \(\text {Cl}(\mathcal {O}_{i+1})\), then the time complexity of the operation \([\mathfrak {a}_i\cdot \mathfrak {b}_i]\cdot E_{i+1}\) is

$$\begin{aligned} \varTheta \left( (i+1)\sum _{j=1}^tP(q_j,n)|e'_{i+1,j}|\right) , \end{aligned}$$

where P is a polynomial. Hence, the complexity is \(\varTheta (\Vert \mathbf {e}'_{i+1}\Vert _1)\) up to a polynomial factor (in n, t and the \(q_j\)). Since \(\Vert \mathbf {e}'_{i+1}\Vert _2\le \Vert \mathbf {e}'_{i+1}\Vert _1\le \sqrt{t}\Vert \mathbf {e}'_{i+1}\Vert _2\), the complexity becomes \(\varTheta (\Vert \mathbf {e}'_{i+1}\Vert _2)\) up to a polynomial factor.

Theorem 3

[23, Theorem 3.3]. Let \(\varLambda \subseteq \mathbb {Z}^d\) be a lattice of rank d, \(B:=(\mathbf {b}_1,\ldots , \mathbf {b}_d)\), a basis of \(\varLambda \), a target \(\mathbf {x}\in \mathbb {R}^d\) and \(k\in \mathbb {N}^*\) such that \(d>2k\). Under some heuristic assumptions, there exists an algorithm finding \(\mathbf {c}\in \varLambda \) such that

$$\begin{aligned} \Vert \mathbf {x}-\mathbf {c}\Vert _2=\varTheta \left( GH(k)^{\frac{d}{2k}}\text {Covol}(\varLambda )^{\frac{1}{d}}\right) , \end{aligned}$$

where GH is the Gaussian heuristic function: \(GH(k):=\varGamma (k/2+1)^{1/k}/\sqrt{\pi }\). This algorithm runs in time

$$\begin{aligned} (T_{CVP}(k)+T_{SVP}(k))P\left( k,d,\log \Vert \mathbf {x}\Vert _2,\log \max _{1\le i\le d}\Vert \mathbf {b}_i\Vert _2\right) , \end{aligned}$$

where \(T_{CVP}(k)\) and \(T_{SVP}(k)\) are the time complexities of oracles for CVP and SVP in dimension k for the norm \(\ell _2\) respectively and P is a polynomial.

The best known algorithms for CVP and SVP are due to [21] and [4] respectively. They run in time \(T_{CVP}(k)=2^{c_1 k+o(k)}\) and \(T_{SVP}(k)=\left( \frac{3}{2}\right) ^{k/2+o(k)}=2^{c_2 k+o(k)}\) respectively, with \(c_1\approx 0.264\) and \(c_2\approx 0.292\). The time complexity of the attack is then

$$\begin{aligned} T:=2^{c_2k+o(k)}+\frac{1}{\sqrt{\pi }^{\frac{1}{k}}}\varGamma \left( \frac{k}{2}+1\right) ^{\frac{t}{2k^2}}\ell ^{\frac{n}{t}} \end{aligned}$$

up to polynomial factors, where we used the fact that \(\text {Covol}(L_n)=\#\text {Cl}(\mathcal {O}_{n})\simeq \ell ^n\) and neglected \(T_{CVP}(k)\) compared to \(T_{SVP}(k)\). Using the Stirling equivalent \(\varGamma (k/2+1)\sim \sqrt{\pi k}(k/2e)^{k/2}\) as \(k\rightarrow +\infty \) and setting \(k:=\lfloor \kappa \sqrt{t\log _2(t)}\rfloor \), with \(\kappa :=1/\sqrt{8c_2}\) in order to optimize the complexity, we get

$$\begin{aligned} T=2^{(\sqrt{c_2/8}+o(1))\sqrt{t\log _2(t)}}=\exp ((c+o(1))\sqrt{t\log (t)}), \end{aligned}$$

with \(c:=\sqrt{c_2/8\log (2)}\simeq 0.229\), assuming that \(\ell \) and n are constant and \(t\rightarrow ~+\infty \).
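As an added worked step, not part of the original appendix, the choice \(\kappa := 1/\sqrt{8c_2}\) can be checked by balancing the two exponents of T in base 2; the constant factor \(1/\sqrt{\pi }^{1/k}\) and the factor \(\ell ^{n/t}\) contribute \(O(1/k)\) and \(O(1/t)\) to the exponent and are absorbed in the \(o(1)\), since \(\ell \) and n are constant:

$$\begin{aligned} \log _2\left( \varGamma \left( \tfrac{k}{2}+1\right) ^{\frac{t}{2k^2}}\right) &= \frac{t}{2k^2}\left( \frac{k}{2}\log _2\frac{k}{2e}+\frac{1}{2}\log _2(\pi k)\right) = \frac{t\log _2 k}{4k}(1+o(1)),\\ \log _2 k &= \frac{1}{2}\log _2 t+\log _2\kappa +\frac{1}{2}\log _2\log _2 t = \frac{1}{2}\log _2 t\,(1+o(1)) \quad \text {for } k=\lfloor \kappa \sqrt{t\log _2(t)}\rfloor ,\\ \log _2\left( \varGamma \left( \tfrac{k}{2}+1\right) ^{\frac{t}{2k^2}}\right) &= \frac{t\log _2 t}{8\kappa \sqrt{t\log _2 t}}(1+o(1)) = \frac{1}{8\kappa }\sqrt{t\log _2(t)}\,(1+o(1)),\\ \log _2\left( 2^{c_2 k+o(k)}\right) &= c_2\kappa \sqrt{t\log _2(t)}\,(1+o(1)). \end{aligned}$$

The first exponent \(c_2\kappa \) increases with \(\kappa \) while the second, \(1/(8\kappa )\), decreases, so the larger of the two is minimised when they coincide, \(c_2\kappa =1/(8\kappa )\), i.e. \(\kappa ^2=1/(8c_2)\). At this value both exponents equal \(c_2\kappa =\sqrt{c_2/8}\), which recovers \(T=2^{(\sqrt{c_2/8}+o(1))\sqrt{t\log _2(t)}}\).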

B Complexity Analysis of Onuki’s Attack Presented in Sect. 4.1

We use the notations of Sect. 4.1 explaining Onuki’s attack, which consists of computing a K-oriented endomorphism \(\iota '_n(\beta )\in \text {End}(F_n)\) for \(\beta \in \mathcal {O}_n\setminus \mathcal {O}_{n+1}\). We look for \(\beta \) such that \(\beta \mathcal {O}_n=I\cdot J\), with a big factor \(I:=\prod _{j=1}^t(\mathfrak {q}_j\cap \mathcal {O}_n)^{e_j}\), where \(e_1,\cdots ,e_t\in \llbracket -r~;~r\rrbracket \), and a small factor J. Then \(\iota '_n(\beta )\) will be computed as the composite of the isogeny associated to I and the isogeny associated to J. The first one is easy to compute with the knowledge of the action of powers of \(\mathfrak {q}_j\) on \(F_n\). The second one can be computed by a meet-in-the-middle strategy in \(\varOmega (\sqrt{N(J)})\) operations (as explained in Sect. 4.3).

We proceed as follows to select a suitable \(\beta \). Let \(\theta \) be a generator of \(\mathcal {O}_K\), so that \(\ell ^n\theta \) generates \(\mathcal {O}_n\). We sample \(\beta :=a+b\ell ^n\theta \) with a and b sampled uniformly at random in \(\llbracket -m~;~m\rrbracket \) and \(\llbracket -m~;~m\rrbracket \setminus \ell \mathbb {Z}\) respectively, for m big enough. We stop the sampling when \(N(\beta )\) has a big enough divisor \(Q:=\prod _{j=1}^t q_j^{e'_j}\) with \(e'_1, \cdots , e'_t\in \llbracket 0~;~r\rrbracket \), say \(Q\ge x\), where the threshold x is to be chosen. We make the heuristic assumption that \(N(\beta )\) has the same arithmetic properties as a uniform variable in \(\llbracket N_{min}~;~N_{max}\rrbracket \). Under this assumption, we have the following result:

Lemma 6

The average time complexity of Onuki’s attack [32, §6.3] is:

$$\begin{aligned} C(x)\ge \frac{x}{(r+1)^t}+\frac{\kappa \sqrt{N_{max}}}{\sqrt{x}(r+1)^t}, \end{aligned}$$

where \(\kappa :=\frac{1}{2\sqrt{q_1}}\left( 1-\frac{1}{q_1}\right) \) and x is the threshold for the value of the norm of the ideal \(J=\prod _{j=1}^t\mathfrak {q}_j^{e_j}\) dividing \(\beta \). The optimal value for the threshold is \(x_m:=(\kappa /2)^{2/3}N_{max}^{1/2}(r+1)^{t/3}\) and the optimal average time complexity is:

$$\begin{aligned} C(x_m)=\varOmega \left( \frac{\sqrt{N_{max}}}{(r+1)^{\frac{t}{3}}}\right) =\varOmega \left( \frac{\ell ^{\frac{2n}{3}}}{(r+1)^{\frac{t}{3}}}\right) , \end{aligned}$$

since \(N_{max}\ge N_{min}\ge \ell ^{2n}\).

Proof

Under the heuristic assumption we made, we can assume that \(N:=N(\beta )\) is a uniform random variable in the range \(\llbracket N_{min}~;~N_{max}\rrbracket \). We define the random variable:

$$\begin{aligned} Q:=Q(N)=\prod _{j=1}^t q_j^{\min (r,v_{q_j}(N))}. \end{aligned}$$

The cost of the exhaustive search for a suitable \(\beta \) is then:

$$\begin{aligned} C_1(x)=\frac{1}{\mathbb {P}(Q(N)\ge x)}=\frac{N_{max}-N_{min}}{\#S(x)}, \end{aligned}$$

with:

$$\begin{aligned}S(x)&:=\left\{ y\in \llbracket N_{min}~;~N_{max}\rrbracket \Bigg | \ \prod _{j=1}^t q_j^{\min (r,v_{q_j}(y))}\ge x\right\} \\&=\bigcup _{\begin{array}{c} (e_1, \cdots , e_t)\in \llbracket 0~;~r\rrbracket ^t\\ x\le \prod _{j=1}^t q_j^{e_j}\le N_{max} \end{array}}\left\{ k\prod _{j=1}^t q_j^{e_j}\Bigg | \ k\in \llbracket \left\lceil \frac{N_{min}}{\prod _{j=1}^t q_j^{e_j}}\right\rceil ~;~\left\lfloor \frac{N_{max}}{\prod _{j=1}^t q_j^{e_j}}\right\rfloor \rrbracket \right\} \end{aligned}$$

so that:

$$\begin{aligned} \#S(x)&\le \sum _{\begin{array}{c} (e_1, \cdots , e_t)\in \llbracket 0~;~r\rrbracket ^t \\ x\le \prod _{j=1}^t q_j^{e_j}\le N_{max} \end{array}}\left( \left\lfloor \frac{N_{max}}{\prod _{j=1}^t q_j^{e_j}}\right\rfloor -\left\lceil \frac{N_{min}}{\prod _{j=1}^t q_j^{e_j}}\right\rceil \right) \nonumber \\&\le \sum _{\begin{array}{c} (e_1, \cdots , e_t)\in \llbracket 0~;~r\rrbracket ^t\\ x\le \prod _{j=1}^t q_j^{e_j}\le N_{max} \end{array}}\frac{N_{max}-N_{min}}{\prod _{j=1}^t q_j^{e_j}}\nonumber \\&\le \frac{N_{max}-N_{min}}{x}\#\left\{ (e_1, \cdots , e_t)\in \llbracket 0~;~r\rrbracket ^t \Bigg | x\le \prod _{j=1}^t q_j^{e_j}\le N_{max}\right\} \nonumber \\&\le (N_{max}-N_{min})\frac{(r+1)^t}{x}. \end{aligned}$$
(1)

It follows that the search for \(\beta \) costs:

$$\begin{aligned} C_1(x)\ge \frac{x}{(r+1)^t}. \end{aligned}$$
(2)

The average cost of the meet-in-the-middle procedure to find the isogeny associated to J is:

$$\begin{aligned} C_2(x)\ge \mathbb {E}\left[ \sqrt{\frac{N}{Q(N)}}\mid Q(N)\ge x\right] \ge \sqrt{A}\mathbb {P}(N\ge A Q(N)|Q(N)\ge x), \end{aligned}$$

where we used Markov’s inequality with \(A>0\) to be chosen. Hence:

$$\begin{aligned} C_2(x)\ge \sqrt{A}\frac{\mathbb {P}(\{N\ge A Q(N)\}\cap \{Q(N)\ge x\})}{\mathbb {P}(Q(N)\ge x)}=\frac{\sqrt{A}\#T(A)}{\#S(x)} ,\end{aligned}$$
(3)

with:

$$\begin{aligned} T(A):=&\Bigg \{k\prod _{j=1}^tq_j^{e_j}\Bigg | \ N_{max}\ge \prod _{j=1}^tq_j^{e_j}\ge x \\&\text{ and } \quad k\in \llbracket \max \left( \lceil A\rceil ,\left\lceil \frac{N_{min}}{\prod _{j=1}^t q_j^{e_j}}\right\rceil \right) ~;~\left\lfloor \frac{N_{max}}{\prod _{j=1}^t q_j^{e_j}}\right\rfloor \rrbracket \Bigg \}. \end{aligned}$$

We take \(A:=N_{max}/(q_1 x)\), so that for all \(e_1, \cdots ,e_t\in \llbracket 0~;~r\rrbracket \) such that \(N_{max}\ge \prod _{j=1}^tq_j^{e_j}\ge x\), we have:

$$\begin{aligned} \frac{N_{min}}{\prod _{j=1}^tq_j^{e_j}}\le \frac{N_{min}}{x}<\frac{N_{max}}{q_1x}=A, \end{aligned}$$

since \(N_{max}/N_{min}\simeq m^2\gg q_1\). Without loss of generality, we can assume that x is a product of the \(q_j\). Hence:

$$\begin{aligned} \#T(A)\ge \left\lfloor \frac{N_{max}}{x}\right\rfloor -A\ge \frac{N_{max}}{x}-\frac{N_{max}}{q_1x}-1=\frac{N_{max}}{2x}\left( 1-\frac{1}{q_1}\right) , \end{aligned}$$

under the fair assumption that \(x\le N_{max}/2(1-1/q_1)\). This inequality combined with Eq. (1) and Eq. (3) leads to:

$$\begin{aligned} C_2(x)&\ge \frac{(N_{max})^{\frac{3}{2}}(1-1/q_1)}{2\sqrt{q_1 x}(r+1)^t(N_{max}-N_{min})}\ge \frac{\sqrt{N_{max}}}{2\sqrt{q_1 x}(r+1)^t}\left( 1-\frac{1}{q_1}\right) .\end{aligned}$$
(4)

Combining Eq. (2) and Eq. (4), we find that Onuki’s attack has average complexity:

$$\begin{aligned} C(x)\ge C_1(x)+C_2(x)\ge \frac{x}{(r+1)^t}+\frac{\kappa \sqrt{N_{max}}}{\sqrt{x}(r+1)^t}, \end{aligned}$$

with \(\kappa :=\frac{1}{2\sqrt{q_1}}\left( 1-\frac{1}{q_1}\right) \). The optimal value for x is obtained by differentiating the function defined over \(\mathbb {R}_+^*\):

$$\begin{aligned} x\longmapsto \frac{x}{(r+1)^t}+\frac{\kappa \sqrt{N_{max}}}{\sqrt{x}(r+1)^t}. \end{aligned}$$

Copyright information

© 2022 International Association for Cryptologic Research

Cite this paper

Dartois, P., De Feo, L. (2022). On the Security of OSIDH. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds) Public-Key Cryptography – PKC 2022. Lecture Notes in Computer Science, vol 13177. Springer, Cham. https://doi.org/10.1007/978-3-030-97121-2_3

  • DOI: https://doi.org/10.1007/978-3-030-97121-2_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-97120-5

  • Online ISBN: 978-3-030-97121-2