1 Introduction

The recent advancements in quantum computing  [Aar13, AAB+19] represent one of the most worrisome developments for cryptographers. Practical (and scalable) quantum computers pose a threat to the security of most commonly used cryptosystems today  [Gro96, Sho97]. In response to this threat, there has been a surge of interest in developing post-quantum replacements for existing cryptography standards. Notably, NIST has started a competition to determine new standards for post-quantum cryptosystems  [CJL+16].

Many of the candidate constructions for post-quantum cryptography are based on lattice assumptions  [Reg05, LPR10], including the key exchange and signature candidates in the NIST competition  [AASA+19]. The lack of diversity in post-quantum cryptosystems could be a potential problem in the future: what if a big advance in lattice cryptanalysis necessitates impractically large parameters for lattice-based cryptosystems, or, in the worst case, a quantum attack invalidates all of lattice-based cryptography? While there are some candidate non-lattice-based constructions, some of which are quite efficient  [ELPS18, MBD+18], the landscape of post-quantum cryptography would change dramatically if lattice-based systems were rendered inefficient by advances in lattice cryptanalysis.

1.1 Isogeny-Based Cryptography

A promising non-lattice-based candidate for post-quantum secure cryptosystems is isogeny-based cryptography. The study of isogeny-based cryptography was initiated by Couveignes  [Cou06] in 1997, but began in earnest in the late 2000s with several new ideas around collision-resistant hashing  [CLG09], key exchange  [RS06, Sto10], signatures  [Sto09], and key escrow  [Tes06]. Isogeny-based cryptography became much more popular after the introduction of the SIDH key exchange scheme  [JD11, DJP14], the first practical post-quantum scheme based on isogenies, and a precursor to the NIST competition candidate SIKE  [AKC+17].

One of the most recent additions to the isogeny portfolio is CSIDH  [CLM+18], an efficient variant of the original key-exchange proposal of Couveignes, Rostovtsev, and Stolbunov. CSIDH spurred a fair amount of new research in isogeny-based schemes, notably signatures  [DG19, BKV19], and will be a key focus of this work. Indeed, among all isogeny-based assumptions, CSIDH, its predecessors, and its derivatives are the only ones that can be interpreted in the framework of group actions.

Known Primitives from Isogeny-Based Assumptions. There exist many primitives from isogeny-based assumptions, which can be broadly categorized into those obtained from an isogeny-based group action, and those which are not related to a group action.

Known constructions from isogeny-based group actions include public-key encryption and non-interactive key exchange (both static and ephemeral) [CLM+18], (efficient) interactive zero-knowledge protocols and signatures [DG19, BKV19], multi-round UC-secure oblivious transfer against passive corruptions [dOPS18], and threshold signatures [DM20].

Known constructions not related to group actions include primitives such as public-key encryption [JD11, AKC+17], ephemeral key exchange  [JD11], (efficient) interactive zero-knowledge protocols and signatures  [DJP14, YAJ+17, GPS17], collision-resistant hash functions  [CLG09], multi-round UC-secure oblivious transfer against passive corruptions  [BOB18, dOPS18, Vit19], and verifiable delay functions  [DMPS19].

1.2 Cryptographic Group Actions

In order to simplify the presentation and understanding of certain isogeny-based constructions, some prior works have chosen to use group actions as an abstraction for them, including even the first presentations  [Cou06].

Informally, a group action is a mapping of the form \(\star : G \times X \rightarrow X\), where G is a group and X is a set, such that for any \(g_{1}, g_{2} \in G\) and any \(x \in X\), we have

$$ g_{1} \star \left( g_{2} \star x \right) = \left( g_{1} g_{2} \right) \star x. $$

From a cryptographic point of view, we can endow group actions with various hardness properties. For instance, a one-way group action  [BY91] is endowed with the following property: given randomly chosen set elements \(x_{1}, x_{2} \in X\), it is hard to find a group element \(g \in G\) such that \(g \star x_{1} = x_{2}\) (assuming such a g exists). Similarly, one could define a weak pseudorandom group action with the following property: given a randomly chosen secret group element \(g \in G\), an adversary that sees many tuples of the form \(\left( x_{i}, g \star x_{i} \right) \) cannot distinguish them from tuples of the form \(\left( x_{i}, u_{i} \right) \), where each \(x_{i}\) and \(u_{i}\) is sampled uniformly from X. We refer to group actions endowed with such hardness properties as cryptographic group actions.

As an example, we note that a simple cryptographic group action is implied by the DDH assumption. If we set \(X = \mathbb {H}\) (where \(\mathbb {H}\) is some group of prime order p) and \(G=\mathbb {Z}_{p}^*\), then the mapping \(\star :\mathbb {Z}_{p}^* \times \mathbb {H} \rightarrow \mathbb {H}\) given by \(z\star h = h^{z}\) is a weak pseudorandom group action assuming that the DDH assumption holds over \(\mathbb {H}\). We note that here the “set” \(\mathbb {H}\) is actually structured. However, there exist candidate quantum-resistant cryptographic group actions where the set may not be a group.

Cryptographic group actions have received substantially less attention compared to traditional group-theoretic assumptions. Nonetheless, there have been a small number of works studying various candidate cryptographic group actions  [GS10, JQSY19] and their hardness properties  [BY91, GPSV18]. In terms of public-key primitives, these works have demonstrated that cryptographic group actions endowed with some hardness properties imply PKE and noninteractive key exchange (NIKE).

However, this leaves open a number of questions about the cryptographic utility of group actions. For instance, what are the capabilities of cryptographic group actions in terms of constructing public-key primitives richer than PKE and NIKE? Can we hope to construct from group actions (endowed with hardness properties such as weak pseudorandomness) all (or most) of the primitives that we can achieve from, say, the DDH assumption  [Bon98]? Or are cryptographic group actions barely more powerful than NIKE?

In terms of cryptographic capabilities, group-theoretic assumptions have been studied extensively over the past couple of decades. At present, we have a reasonably comprehensive understanding of what is (and is not) constructible from the most commonly encountered group-theoretic assumptions such as DLOG, CDH, and DDH (barring a few breakthrough results using novel non-black-box techniques, e.g.,  [DG17]). The cryptographic capabilities of these assumptions have also been explained from the point of view of their underlying algebraic structure  [AMPR19]. On the other hand, our understanding of the cryptographic capabilities of group actions is still somewhat limited.

So, in our opinion, an important question is the following: what primitives can we build from cryptographic group actions? We believe that it is important to understand the cryptographic capabilities of group actions given that they capture the algebraic structure underlying some candidate post-quantum cryptographic assumptions, namely isogeny-based cryptography amenable to group actions.

1.3 Cryptographic Group Actions and Isogenies

In a nutshell, an isogeny is a morphism of elliptic curves, i.e., a map from a curve to another curve that preserves the group structure. The central objects of study in isogeny-based cryptography are isogeny graphs, i.e., graphs whose vertices represent elliptic curves, and whose edges represent isogenies between them. There is a large variety of isogeny graphs, depending on which kinds of curves and isogenies are chosen. One such choice would be complex multiplication graphs, which arise from so-called horizontal isogenies of complex multiplication elliptic curves; indeed, these graphs are isomorphic to Cayley graphs of quadratic imaginary class groups, and thus present a natural group action.

One of the key objects associated with an elliptic curve is its endomorphism ring. In the cases that interest us here, this ring is known to be isomorphic to an imaginary quadratic order \(\mathcal {O}\), i.e., a 2-dimensional \(\mathbb {Z}\)-lattice and a subring of an imaginary quadratic number field \(\mathbb {Q}(\sqrt{D})\). An elliptic curve with endomorphism ring isomorphic to a given \(\mathcal {O}\) is said to have complex multiplication (CM) by \(\mathcal {O}\).

The celebrated theory of complex multiplication establishes a correspondence between the ideal classes of \(\mathcal {O}\) and the isogenies between elliptic curves with CM by \(\mathcal {O}\). More precisely, it defines a regular abelian group action

$$ \text {Cl} \left( \mathcal {O} \right) \times \mathcal {E}_{k} \left( \mathcal {O} \right) \rightarrow \mathcal {E}_{k} \left( \mathcal {O} \right) $$

of the class group \(\text {Cl} \left( \mathcal {O} \right) \) on the set \(\mathcal {E}_{k} \left( \mathcal {O} \right) \) of elliptic curves, defined over a field k, with CM by \(\mathcal {O}\). Moreover, each element of \(\text {Cl} \left( \mathcal {O} \right) \) corresponds to a unique class of isogenies, which can be leveraged to evaluate the group action. We refer the reader to  [De 17, Sut19] for more details.

Unfortunately, the correspondence between isogenies and the CM group action becomes less than ideal when we start contemplating algorithmic properties. Indeed, a natural requirement for a cryptographic group action is that given any group element \(g\in G\) and a set element \(x\in X\), computing \(g\star x\) can be done efficiently. However this does not hold for the CM group action, which can be evaluated efficiently only for a small subset of group elements.

The usual workaround adopted in isogeny-based cryptography is to represent elements of \(\text {Cl} \left( \mathcal {O} \right) \) as \(\mathbb {Z}\)-linear combinations of a fixed set of “low norm” generators \(\mathfrak {g}_i\) for which evaluating the group action is efficient, i.e., as \(\mathfrak {a} = \prod _{i=1}^\ell \mathfrak {g}_i^{a_i}\). Then, evaluating the action is efficient as long as the exponents \(a_i\) are polynomial in the security parameter.

This trick is not devoid of consequences: group elements do not have a unique representation, sampling uniformly in the group may not be possible in general, and even testing equality becomes tricky. We will capture the limitations of this framework in our definition of a Restricted Effective Group Action (REGA).

To illustrate the severe limitations of an REGA, we refer to SeaSign  [DG19], which is the Fiat-Shamir transform of an interactive authentication protocol based on CSIDH. To prove the knowledge of a secret \(s\in G\) s.t. \(y=s\star x\), the basic idea is to first commit to \(r\star x\) for some random r, and then reveal \(s^{-b}r\) depending on a bit b sent by the challenger. While it is straightforward to prove that this protocol is zero-knowledge when the elements of G have unique representation and are sampled uniformly, the proof breaks down for CSIDH. To fix this issue, SeaSign uses a rejection sampling technique  [Lyu09], which considerably increases parameters and signing/verification time.

An alternative fix is to compute the group structure of \(\text {Cl} \left( \mathcal {O} \right) \), in the form of a relation lattice of the low norm generators. This restores the ability to represent uniquely and to sample uniformly the elements of the group. This is the approach taken by the isogeny-based signature CSI-FiSh  [BKV19], which precomputes the group structure of CSIDH-512.
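The representation issue discussed in this section and the rejection-sampling fix can be made concrete on a toy instance. The following Python is an added example, not SeaSign's or CSI-FiSh's code: it builds a restricted effective group action in the sense of Section 2.2 out of the DDH-style action \(z \star x = x^{z} \bmod P\) of Section 1.2 (toy parameters P = 23, p = 11, generator set (2, 3) of \(\mathbb {Z}_{11}^*\), all assumptions chosen for illustration), in which the action can only be evaluated one generator step at a time, and runs a SeaSign-style identification round on top of it. The bounds follow the shape of SeaSign's rejection step (ephemeral exponents in \([-(\delta +1)B, (\delta +1)B]^n\), responses accepted only inside \([-\delta B, \delta B]^n\)); the toy values B = 1 and \(\delta = 2\) are assumptions, and the group is far too small to be secure:

```python
# Added example: a toy REGA over the DDH-style action x -> x^z mod P, and a
# SeaSign-style identification round with rejection sampling on top of it.
# All parameters below are constructed for illustration only.
import secrets
from itertools import product

P, p = 23, 11                 # H = quadratic residues mod P has prime order p
gens = (2, 3)                 # "low norm" generators g_1, g_2 of G = Z_p^* (2 alone generates)
n = len(gens)
x0 = 4                        # origin: an element of H other than 1
B, DELTA = 1, 2               # secret-key bound and rejection-sampling slack (toy values)


def step(i: int, x: int, inverse: bool = False) -> int:
    """The only action evaluations a REGA offers: g_i * x and g_i^{-1} * x."""
    z = gens[i] if not inverse else pow(gens[i], -1, p)
    return pow(x, z, P)


def rega_act(a, x: int) -> int:
    """Evaluate (prod_i g_i^{a_i}) * x by generator steps only: cost is sum(|a_i|)."""
    for i, ai in enumerate(a):
        for _ in range(abs(ai)):
            x = step(i, x, inverse=ai < 0)
    return x


def find_collision(box: int):
    """Two distinct exponent vectors in [-box, box]^n with the same action on x0:
    representations are not unique, so comparing vectors does not test equality."""
    seen = {}
    for a in product(range(-box, box + 1), repeat=n):
        y = rega_act(a, x0)
        if y in seen and seen[y] != a:
            return seen[y], a
        seen.setdefault(y, a)
    return None


def keygen():
    e = [secrets.randbelow(2 * B + 1) - B for _ in range(n)]        # e in [-B, B]^n
    return e, rega_act(e, x0)                                       # (sk, pk = e * x0)


def commit():
    bound = (DELTA + 1) * B
    f = [secrets.randbelow(2 * bound + 1) - bound for _ in range(n)]
    return f, rega_act(f, x0)                                       # (r, r * x0)


def respond(e, f, b: int):
    """z = f - b*e, or None (reject) if a coordinate leaves [-DELTA*B, DELTA*B]."""
    z = [fi - b * ei for fi, ei in zip(f, e)]
    return None if any(abs(zi) > DELTA * B for zi in z) else z


def verify(y: int, commitment: int, b: int, z) -> bool:
    """Check z * x0 == commitment (b = 0) or z * y == commitment (b = 1)."""
    if z is None or any(abs(zi) > DELTA * B for zi in z):
        return False
    return rega_act(z, y if b == 1 else x0) == commitment


def run_round(e, y: int, b: int) -> bool:
    """One honest round; the prover restarts on rejection, as SeaSign does."""
    while True:
        f, com = commit()
        z = respond(e, f, b)
        if z is not None:
            return verify(y, com, b, z)


def accepted_response_distribution(e, b: int) -> dict:
    """Exact distribution of accepted z, by enumerating every f.  Each z in
    [-DELTA*B, DELTA*B]^n arises from exactly one f whatever e is, so an
    accepted transcript carries no information about the secret."""
    bound = (DELTA + 1) * B
    counts = {}
    for f in product(range(-bound, bound + 1), repeat=n):
        z = respond(e, list(f), b)
        if z is not None:
            counts[tuple(z)] = counts.get(tuple(z), 0) + 1
    return counts


def response_support_without_rejection(e, b: int) -> set:
    """Without rejection, the set of reachable z = f - b*e shifts with e (leakage)."""
    bound = (DELTA + 1) * B
    return {tuple(fi - b * ei for fi, ei in zip(f, e))
            for f in product(range(-bound, bound + 1), repeat=n)}


if __name__ == "__main__":
    e, y = keygen()
    print("collision:", find_collision(2))
    print("rounds ok:", all(run_round(e, y, b) for b in (0, 1, 1, 0)))
    print("accepted responses independent of e:",
          accepted_response_distribution([1, -1], 1)
          == accepted_response_distribution([-1, 0], 1))
```

Two things can be read off the toy: `find_collision` exhibits distinct exponent vectors with the same action (the non-unique representation), and `accepted_response_distribution` shows that after rejection every response in the box arises from exactly one ephemeral vector regardless of the secret, which is exactly what the zero-knowledge simulator needs; `response_support_without_rejection` shows the dependence on the secret that rejection removes, at the price of restarts.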

While it is clear that the approach taken by CSI-FiSh to build a full-fledged cryptographic group action greatly extends the capabilities of isogeny-based cryptography, recent results  [Pei20, BS20] showed quantum attacks against CSIDH for certain choices of parameters. Unfortunately, computing the group structure of a significantly larger class group seems out of reach today, owing to the subexponential complexity of the classical algorithms available. This limitation will go away once quantum computers become powerful enough to apply Shor’s algorithms to this group order computation, but until then we believe that REGAs can be a fundamental tool to construct post-quantum cryptographic protocols based on isogenies.

Bilinear maps gained popularity in cryptography partly because works such as  [BF01, GPS08] presented them in a generic, easy-to-use manner that abstracted out the mathematical details underlying the Weil or Tate pairings. Similarly, an easy-to-use abstraction for isogeny-based assumptions might make them more accessible to cryptographers.

1.4 Our Contributions

We improve the state of the art of cryptographic group actions and isogeny-based cryptography in three main ways:

  • We formally define many notions of cryptographic group actions endowed with natural hardness properties such as one-wayness, weak unpredictability, and weak pseudorandomness. We then show how certain isogeny-based assumptions can be modeled using our definitions.

  • We show several applications of cryptographic group actions (based on our definitions above) which were not previously known from isogeny-based assumptions. These include smooth projective hashing, dual-mode PKE, two-message statistically sender-private OT, and Naor-Reingold style PRFs.

  • We introduce a new assumption over cryptographic group actions called linear hidden shift (LHS) assumption. We then present some discussions on the security of the LHS assumption and we show that it implies symmetric KDM-secure encryption, which in conjunction with PKE implies many powerful primitives that were not previously known from isogeny-based assumptions.

In addition, we also show that a homomorphic primitive with certain properties implies a cryptographic group action. We expand on our contributions in more detail below.

Effective Group Action. We begin by introducing some new definitions for group actions endowed with hardness properties. Our first new definition is that of an effective group action (EGA). This models the standard notion of cryptographic group actions. Section 2 presents the formal definitions for effective group actions and the associated axioms of mathematical structure. While our definitions bear some resemblance to existing works, they are more amenable to cryptographic constructions in the post-quantum setting. Much of the early work on cryptographic group actions  [BY91, Cou06] either predates the major advances in quantum cryptanalysis like Shor’s algorithm  [Sho97] or did not focus on post-quantum applications.

Suppose we consider a set X and a group G, with an associated group action \(\star :G\times X\rightarrow X\). We informally define the following cryptographic effective group actions endowed with natural hardness properties:

  • One-way EGA: given a pair of set elements \(\left( x, g\star x \right) \) where \(x \leftarrow X\) and \(g \leftarrow G\) are sampled uniformly at random, there is no PPT adversary that can recover g.

  • Weak Unpredictable EGA: given polynomially many tuples of the form \(\left( x_{i}, g \star x_{i} \right) \) where \(g\leftarrow G\) and each \(x_{i}\leftarrow X\) are sampled uniformly at random, there is no PPT adversary that can compute \(g \star x^*\) for a given challenge \(x^* \leftarrow X\).

  • Weak Pseudorandom EGA: there is no PPT adversary that can distinguish tuples of the form \(\left( x_{i}, g \star x_{i} \right) \) from \(\left( x_{i}, u_{i} \right) \) where \(g\leftarrow G\) and each \(x_{i},u_{i}\leftarrow X\) are sampled uniformly at random.

We also note that CSI-FiSh  [BKV19] can be modeled as an effective group action defined above (plausibly as a weak pseudorandom effective group action).

Restricted Effective Group Action. Our definition of EGA does not capture isogeny-based assumptions such as CSIDH  [CLM+18], where we cannot compute the group action operation \(\star \) efficiently for all \(g \in G\).

To address this, we introduce the notion of a restricted effective group action (REGA). The basic idea is the following: in an REGA, as we mentioned before, it is not possible to efficiently compute the group action \(\star \) for all group elements \(g \in G\): instead, the group action is efficiently computable for some small subset of G. Note that we can still “simulate” the effect of a general group action by computing the group action on a sequence of different elements from this subset. While restricted EGAs are considerably less efficient than EGAs with respect to certain applications, they present an easy-to-use abstraction for CSIDH and related assumptions. This makes REGAs useful for building cryptographic protocols from such assumptions. We note that REGAs can be endowed with the same hardness properties as EGAs (such as one-wayness, weak unpredictability, and weak pseudorandomness).

New Constructions. One of the main contributions of our paper is new constructions from our definition of (R)EGA, which can then be concretely instantiated from isogeny-based assumptions. We refer to Fig. 1 for an overview of our results. Specifically, we show the following constructions from any weak pseudorandom (R)EGA:

  • Universal and smooth projective hashing, proposed by Cramer and Shoup  [CS02], is a useful primitive with many applications, including CCA-secure PKE in the standard model  [CS02], password authenticated key-exchange (PAKE)  [GL03], privacy-preserving protocols  [BPV12], and many others. We show how to construct a universal and smooth projective hash from any weak pseudorandom (R)EGA. To our knowledge, this is the first smooth projective hash function from isogeny-based assumptions. In particular, this also implies the first standard-model CCA-secure encryption scheme from isogenies. Previously known CCA-secure encryption schemes from group action based on isogenies  [CLM+18] required random oracles.

  • Dual-mode PKE, which was introduced in  [PVW08], has numerous applications such as UC-secure round-optimal OT protocols in the common reference string model against actively corrupt receivers and senders. Such OT protocols are in turn sufficient to construct UC-secure round-optimal multi-party computation (MPC) protocols for general functionalities  [GS18] in the same security model. In this work, we show how to build a dual-mode PKE from any weak pseudorandom (R)EGA. In particular, this implies the first round-optimal OT and MPC protocols from isogeny-based assumptions. Previously known constructions of OT from isogenies  [BOB18, dOPS18, Vit19] were neither round optimal nor UC secure against active corruptions.

  • We next show how to build two-message statistically sender-private OT (SSP-OT)  [NP01] in the plain model from any weak pseudorandom (R)EGA. For this result, we rely on our construction of smooth projective hashing and techniques from  [HK12]. This primitive has many cryptographic applications such as non-malleable commitments  [KS17], two-round witness indistinguishable proofs with private-coin verifier  [JKKR17, BGI+17, KKS18], and three-message statistical receiver-private OT in the plain model  [GJJM20]. To our knowledge, these primitives were not previously known from isogeny-based assumptions.

  • We construct Naor-Reingold style PRFs from any weak pseudorandom (R)EGA. Our construction, when based on EGA (and not REGA), results in a PRF that requires a single group action operation. Our construction in the case of REGA requires a linear number of group action operations. This essentially follows from the efficiency restrictions inherent to our definitions of REGA.

Fig. 1. Overview of our results and implications

Linear Hidden Shift Assumption. We introduce a new assumption over cryptographic group actions that we call the Linear Hidden Shift (LHS) assumption and we provide some discussions on its security. We describe the assumption informally below.

For a vector of group elements \(\mathbf {g}\in G^{n}\) and a binary vector \(\mathbf {s}\in \{0,1\}^{n}\), let \(\langle \mathbf {g}, \mathbf {s}\rangle \) denote the subset product \(\prod _{i=1}^{n} g^{s_i}_i\). Informally, the LHS assumption states that for any m that is polynomial in the security parameter, the following holds:

$$\begin{aligned} \{(x_i, \mathbf {g}_i, (\langle \mathbf {g}_i, \mathbf {s}\rangle ) \star x_i)\}_{i \in [m]} \quad {\mathop {\approx }\limits ^{c}}\quad \{(x_i, \mathbf {g}_i, u_i)\}_{i \in [m]}, \end{aligned}$$

where \(\mathbf {g}_i \leftarrow G^n\), \(\mathbf {s}\leftarrow \{0,1\}^n\), \(x_i \leftarrow X\) and \(u_i \leftarrow X\) (all sampled independently).

The LHS assumption is sufficient to realize symmetric KDM-CPA secure encryption, and enables us to realize many cryptographic applications such as trapdoor functions and designated-verifier NIZK, which were previously not known from isogeny-based assumptions. We believe that the LHS assumption is of independent interest and may have other cryptographic applications.

We present some discussions on the security of the LHS assumption. In particular, we first show a search-to-decision reduction: namely, that the decision variant of the LHS assumption mentioned above is equivalent to its search variant, which states that no PPT adversary can recover the binary vector \(\mathbf {s}\). Next, we show that in certain settings an additive variant of the LHS assumption is equivalent to weak pseudorandomness of the EGA when \(G = \mathbb {Z}_N^*\) and the vectors \(\mathbf {g}_i\) are sampled from a structured distribution. Based on this evidence, it appears likely that the LHS assumption holds with respect to some of the known isogeny-based group actions.

KHwPRF and Cryptographic Group Actions. A key-homomorphic weak PRF (KHwPRF)  [NPR99, BLMR13] is a generic primitive with algebraic structure and is known to imply many cryptosystems that we know how to build from the DDH assumption  [AMPR19, AMP19]. We show that any KHwPRF with a cyclic output group implies a weak unpredictable group action.

On EGA and Homomorphic Primitives. Recent works  [AMPR19, AMP19] have shown that generic primitives (such as weak PRFs) endowed with group homomorphisms imply a large class of cryptographic applications. A natural question to ask is whether such homomorphic primitives can be built in a generic manner from EGA/REGA? This does not seem likely in light of the fact that the authors of  [AMP19] ruled out the existence of a few post-quantum secure primitives with “exact” homomorphisms over abelian groups.

This observation seems to have implications for the class of primitives that one can hope to build from EGA/REGA. One such primitive is the collision-resistant hash function (CRHF). In particular, the main techniques we currently know of for constructing CRHFs from generic assumptions either rely on group homomorphisms  [IKO05] or on one-way functions with certain properties  [HL18]. This makes it difficult to realize CRHFs from EGA/REGA by leveraging known techniques. Note that this does not apply to known constructions of CRHFs from non-group-action based isogeny assumptions (such as  [CLG09]), which are not covered by our framework.

1.5 Notation

For any positive integer n, we use [n] to denote the set \(\{1, \ldots , n\}\). We use \(\lambda \) for the security parameter. For a finite set S, we use \(s \leftarrow S\) to sample uniformly from the set S. For a probability distribution \(\mathcal {D}\) on a finite set S, we use \(s \leftarrow \mathcal {D}\) to sample from \(\mathcal {D}\). We use the notations \({\mathop {\approx }\limits ^{s}}\) and \({\mathop {\approx }\limits ^{c}}\) to denote statistical and computational indistinguishability, respectively. Finally, for random variables X and Y, \(H_{\infty }(X|Y)\) denotes the min-entropy of X conditioned on Y.

1.6 Paper Outline

The rest of the paper is organized as follows. Section 2 introduces our group action-based framework and the definitions of EGA and REGA. Section 3 describes our construction of smooth projective hashing from weak pseudorandom EGA/REGA. Section 4 introduces the LHS assumption, presents some discussion on its security and shows how to construct symmetric KDM-secure encryption from it. Due to space constraints, the remaining material is presented in the full version of the paper.

2 Cryptographic Group Actions

In this section we present our definitions of cryptographic group actions. As we mentioned before, we use the definitions of Brassard and Yung  [BY91] and Couveignes  [Cou06] as starting points and aim to provide solid, modern definitions that allow for easy use of isogenies in cryptographic protocols. We begin by recalling the definition of a group action.

Definition 1

\(\mathrm{{(Group\,\,Action)}}\) A group G is said to act on a set X if there is a map \(\star : G \times X \rightarrow X\) that satisfies the following two properties:

  1. Identity: If e is the identity element of G, then for any \(x\in X\), we have \(e \star x = x\).

  2. Compatibility: For any \(g,h\in G\) and any \(x\in X\), we have \((g h) \star x=g \star (h \star x)\).

We may use the abbreviated notation \((G,X, \star )\) to denote a group action.

Remark 1

If \((G, X, \star )\) is a group action, for any \(g\in G\) the map \(\pi _g:x\mapsto g \star x\) defines a permutation of X.

Properties of Group Actions. We consider group actions that satisfy one or more of the following properties:

  1. Transitive: A group action \((G, X, \star )\) is said to be transitive if for every \(x_1,x_2\in X\), there exists a group element \(g\in G\) such that \(x_2 = g \star x_1\). For such a transitive group action, the set X is called a homogeneous space for G.

  2. Faithful: A group action \((G, X, \star )\) is said to be faithful if for each group element \(g\in G\), either g is the identity element or there exists a set element \(x\in X\) such that \(x\ne g \star x\).

  3. Free: A group action \((G,X, \star )\) is said to be free if for each group element \(g\in G\), g is the identity element if and only if there exists some set element \(x\in X\) such that \(x = g \star x\).

  4. Regular: A group action \((G, X, \star )\) is said to be regular if it is both free and transitive. For such a regular group action, the set X is called a principal homogeneous space for the group G, or a G-torsor.

Remark 2

Typically group action-based cryptography has focused on regular actions. If a group action is regular, then for any \(x\in X\), the map \(f_x:g\mapsto g \star x\) defines a bijection between G and X; in particular, if G (or X) is finite, then we must have \({|}{G}{|}= {|}{X}{|}\).
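As an added illustration (not from the paper), the DDH-style action of Section 1.2 with toy parameters, together with brute-force checks of Definition 1 and of the transitive, faithful, free and regular properties above. The parameters P = 23 and p = 11 are assumptions chosen for the example: the quadratic residues modulo P form a subgroup \(\mathbb {H}\) of prime order p, and \(G = \mathbb {Z}_{p}^*\) acts by \(z \star h = h^{z} \bmod P\). Since the identity of \(\mathbb {H}\) is fixed by every z, the checks act on \(\mathbb {H}\) minus its identity, where the action is regular:

```python
# Added example: the DDH-style group action z * h = h^z mod P on a toy
# prime-order subgroup, with exhaustive checks of the group-action axioms
# (Definition 1) and of the properties transitive/faithful/free/regular.
# P = 23 and p = 11 are constructed toy parameters (P = 2p + 1).
from itertools import product

P = 23          # toy modulus
p = 11          # prime order of the subgroup H of quadratic residues mod P

# G = Z_p^* (exponents, composed multiplicatively); X = H \ {1}.
G = list(range(1, p))
X = sorted({pow(a, 2, P) for a in range(1, P)} - {1})


def act(z: int, h: int) -> int:
    """The group action z * h = h^z mod P."""
    return pow(h, z, P)


def gmul(z1: int, z2: int) -> int:
    """Group operation in G = Z_p^*."""
    return (z1 * z2) % p


def is_group_action() -> bool:
    """Definition 1: identity and compatibility, checked exhaustively."""
    identity_ok = all(act(1, x) == x for x in X)
    compat_ok = all(act(g, act(h, x)) == act(gmul(g, h), x)
                    for g, h, x in product(G, G, X))
    return identity_ok and compat_ok


def is_transitive() -> bool:
    return all(any(act(g, x1) == x2 for g in G) for x1, x2 in product(X, X))


def is_faithful() -> bool:
    return all(g == 1 or any(act(g, x) != x for x in X) for g in G)


def is_free() -> bool:
    # g fixes some x  <=>  g is the identity
    return all((g == 1) == any(act(g, x) == x for x in X) for g in G)


def is_regular() -> bool:
    return is_free() and is_transitive()


def orbit_bijection_holds() -> bool:
    """Remark 2: for a regular action, f_x : g -> g * x is a bijection, so |G| = |X|."""
    return (all(len({act(g, x) for g in G}) == len(G) for x in X)
            and len(G) == len(X))


if __name__ == "__main__":
    print("group action:", is_group_action())
    print("transitive:", is_transitive(), "faithful:", is_faithful(),
          "free:", is_free(), "regular:", is_regular())
    print("|G| =", len(G), "|X| =", len(X), "bijection:", orbit_bijection_holds())
```

The same checks fail if the identity element is left in X (it is fixed by every z, so the action is no longer free); that is the reason the example removes it.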

2.1 Effective Group Actions

We define an effective group action (EGA) as follows.

Definition 2

\(\mathrm{{(Effective\,\,Group\,\,Action)}}\) A group action \((G,X,\star )\) is effective if the following properties are satisfied:

  1. The group G is finite and there exist efficient (PPT) algorithms for:

    (a) Membership testing, i.e., to decide if a given bit string represents a valid group element in G.

    (b) Equality testing, i.e., to decide if two bit strings represent the same group element in G.

    (c) Sampling, i.e., to sample an element g from a distribution \(\mathcal {D}_G\) on G. In this paper, we consider distributions that are statistically close to uniform.

    (d) Operation, i.e., to compute gh for any \(g,h\in G\).

    (e) Inversion, i.e., to compute \(g^{-1}\) for any \(g\in G\).

  2. The set X is finite and there exist efficient algorithms for:

    (a) Membership testing, i.e., to decide if a bit string represents a valid set element.

    (b) Unique representation, i.e., given any arbitrary set element \(x\in X\), compute a string \(\hat{x}\) that canonically represents x.

  3. There exists a distinguished element \(x_0\in X\), called the origin, such that its bit-string representation is known.

  4. There exists an efficient algorithm that given (some bit-string representations of) any \(g\in G\) and any \(x\in X\), outputs \(g \star x\).

Computational Assumptions. We define certain computational assumptions pertaining to group actions.

Definition 3

\(\mathrm{{(One}\text {-}\mathrm {Way\,\,Group\,\,Action)}}\) A group action \((G,X, \star )\) is said to be one-way if the family of efficiently computable functions \(\{f_x:G\rightarrow X\}_{x\in X}\) is one-way, where \(f_x:g\mapsto g\star x\).

Definition 4

\(\mathrm{{(Weak\,\,Unpredictable\,\,Group\,\,Action)}}\) A group action \((G,X, \star )\) is said to be weakly unpredictable if the family of (efficiently computable) permutations \(\{\pi _g: X \rightarrow X\}_{g\in G}\) is weakly unpredictable, where \(\pi _g: x\mapsto g\star x\).

Definition 5

\(\mathrm{{(Weak\,\,Pseudorandom\,\,Group\,\,Action)}}\) A group action \((G,X,\star )\) is said to be weakly pseudorandom if the family of (efficiently computable) permutations \(\{\pi _g: X \rightarrow X\}_{g\in G}\) is weakly pseudorandom, where \(\pi _g: x\mapsto g\star x\).

In the full version of the paper, we provide a more formal treatment by describing notions of one-wayness, weak unpredictability, and weak pseudorandomness that are additionally parameterized by distributions over the group G and the set X. One may view the aforementioned definitions as special cases, where both the distributions are assumed to be uniform (or statistically close to uniform).

In what follows, we will focus on group actions where G is abelian and the action is regular. We will characterize them by the computational assumption and their effectivity properties, and we assume that they are abelian and regular unless stated otherwise. Therefore, an OW-EGA/wU-EGA/wPR-EGA will be a one-way/weak unpredictable/weak pseudorandom abelian regular effective group action. Note that Couveignes used the terminology Hard Homogeneous Space for wU-EGA, and Very Hard Homogeneous Space for wPR-EGA  [Cou06]; subsequent literature on isogeny-based cryptography has mostly followed his conventions  [DKS18, CLM+18].

Generic Attacks. All known generic attacks against cryptographic group actions are attacks against the one-wayness. Given a pair \((x,g\star x)\), Stolbunov  [Sto12] called the problem of finding g the Group Action Inverse Problem (GAIP). The best known classical algorithm for GAIP is a meet-in-the-middle graph walk technique dating back to Pohl  [Poh69], with a low-memory variant by Galbraith, Hess and Smart  [GHS02], both running in time \(O(\sqrt{{|}{G}{|}})\).

Childs, Jao, and Soukharev  [CJS14] pointed out that GAIP can be formulated as a hidden shift problem, and thus it can be solved by Kuperberg’s quantum algorithm and its variants  [Kup05, Reg04, Kup13], provided a quantum oracle to evaluate the group action. All these algorithms have subexponential complexity between \(\exp (\sqrt{\log N})\) and \(L_{N}(1/2)\).

In the context of isogenies, there is a sizable literature on both classical and quantum attacks  [Gal99, GS13, BIJ18, BS20, Pei20]. Little is known in terms of non-generic attacks: a recent result gives an attack against pseudorandomness which applies to some isogeny-based group actions, but not to CSIDH and related constructions  [CSV20].
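The meet-in-the-middle attack on GAIP, as an added example that is not part of the paper, on the DDH-style action \(z \star x = x^{z} \bmod P\) of Section 1.2: since \(G = \mathbb {Z}_{p}^*\) is cyclic with a generator \(\gamma \), writing the unknown g as \(\gamma ^{k}\) turns the search into a baby-step/giant-step walk of about \(2\sqrt{|G|}\) action evaluations. The toy parameters are assumptions: P = 2039 = 2p + 1 with p = 1019, so the quadratic residues modulo P form a subgroup of prime order p. The low-memory variant of [GHS02] is not implemented here:

```python
# Added example: baby-step/giant-step solution of the Group Action Inverse
# Problem for z * x = x^z mod P, with G = Z_p^* cyclic of order p - 1.
# Toy parameters (constructed): P = 2039, p = 1019, P = 2p + 1.
import math
import secrets

P, p = 2039, 1019


def act(z: int, x: int) -> int:
    """The group action z * x = x^z mod P; x lies in the order-p subgroup H."""
    return pow(x, z, P)


def prime_factors(m: int) -> set:
    """Trial-division factoring, adequate for the toy group order."""
    fs, q = set(), 2
    while q * q <= m:
        while m % q == 0:
            fs.add(q)
            m //= q
        q += 1
    if m > 1:
        fs.add(m)
    return fs


def generator_of_exponent_group() -> int:
    """Smallest generator gamma of the cyclic group G = Z_p^*."""
    order = p - 1
    for cand in range(2, p):
        if all(pow(cand, order // q, p) != 1 for q in prime_factors(order)):
            return cand
    raise ValueError("no generator found")


def gaip_bsgs(x: int, y: int) -> int:
    """Given (x, y = g * x), recover g with about 2*sqrt(|G|) action evaluations.
    Baby steps tabulate x^(gamma^j); giant steps walk y^(gamma^(-i*m))."""
    gamma = generator_of_exponent_group()
    order = p - 1
    m = math.isqrt(order) + 1
    baby = {}
    t = x
    for j in range(m):
        baby.setdefault(t, j)          # t = x^(gamma^j)
        t = act(gamma, t)
    gamma_minus_m = pow(pow(gamma, m, p), -1, p)
    t = y                              # t = y^(gamma^(-i*m)) = x^(gamma^(k - i*m))
    for i in range(m):
        if t in baby:
            k = i * m + baby[t]
            g = pow(gamma, k, p)
            assert act(g, x) == y
            return g
        t = act(gamma_minus_m, t)
    raise ValueError("y is not in the orbit of x")


def random_instance():
    """A constructed GAIP challenge: returns (x, g, y = g * x) with x in H, x != 1."""
    x = 1
    while x == 1:
        x = pow(secrets.randbelow(P - 1) + 1, 2, P)
    g = secrets.randbelow(p - 1) + 1
    return x, g, act(g, x)


if __name__ == "__main__":
    x, g, y = random_instance()
    print("recovered g:", gaip_bsgs(x, y), "expected:", g)
```

The table has \(m \approx \sqrt{|G|}\) entries, so memory, not time, becomes the bottleneck at real sizes; this is what the random-walk variant of [GHS02] removes, at the same \(O(\sqrt{|G|})\) time.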

Alternative Axioms. In some circumstances, it is useful to strengthen or weaken the definition of EGA by slightly modifying the set of axioms. Here we list the most important variants.

  • Uncertified EGA: Brassard and Yung  [BY91] consider group actions without the Set Membership Testing axiom. They call certified those group actions that have Set Membership Testing, and uncertified those that do not. It is easy to construct examples of uncertified actions, see, e.g.,  [BY91, §6.2]. Here, unless otherwise stated, all actions will be certified.

  • Hashable OW-EGA: In an OW-EGA, one can efficiently sample from X as follows: first sample \(g\leftarrow \mathcal {D}_G\) using the Group Sampling axiom, then output \(g\star x_0\). However, in some applications it is useful to sample from X in a way that does not automatically reveal the group action inverse. In a Hashable OW-EGA, the existence of the origin \(x_0\) is replaced with a Hashing to the Set axiom, stating that there exists an efficient sampler \({H}:[N]\rightarrow X\) (where the integer N depends on the security parameter) such that for any adversary \(\mathcal {A}\)

    $$\begin{aligned} \Pr [\mathcal {A}(i,j)\star {H}(i) = {H}(j)] \le {{\,\mathrm{negl}\,}}(\lambda ), \end{aligned}$$

    for \(i,j\leftarrow [N]\).

2.2 Restricted Effective Group Actions

An EGA is a useful abstraction, but sometimes it is too powerful in comparison to what is achievable in practice. A Restricted Effective Group Action (REGA) is a weakening of EGA, where we can only evaluate the action of a generating set of small cardinality.

Definition 6

\(\mathrm{{(Restricted\,\,Effective\,\,Group\,\,Action)}}\) Let \((G,X,\star )\) be a group action and let \(\mathbf {g}=(g_1,\ldots ,g_n)\) be a (not necessarily minimal) generating set for G. The action is said to be \(\mathbf {g}\)-restricted effective if the following properties are satisfied:

  • G is finite and \(n = {{\,\mathrm{poly}\,}}(\log ({|}{G}{|}))\).

  • The set X is finite and there exist efficient algorithms for:

    1. Membership testing, i.e., to decide if a bit string represents a valid set element.

    2. Unique representation, i.e., to compute a string \(\hat{x}\) that canonically represents any given set element \(x\in X\).

  • There exists a distinguished element \(x_0\in X\), called the origin, such that its bit-string representation is known.

  • There exists an efficient algorithm that given any \(i\in [n]\) and any bit string representation of \(x\in X\), outputs \(g_i\star x\) and \(g_i^{-1}\star x\).

Although a REGA is limited to evaluations of the form \(g_i\star x\), this is actually enough to evaluate the action of many, and potentially all, elements of G without even needing axioms on the effectivity of G.

A word on \((g_1,\dots ,g_n)\) is a finite sequence \(\sigma \in \{g_1,\dots ,g_n,g_1^{-1},\dots ,g_n^{-1}\}^* \), to which we canonically associate an element of G by

$$\begin{aligned} \sigma = \sigma _1\sigma _2\cdots \sigma _\ell \mapsto \prod _{i=1}^\ell \sigma _i. \end{aligned}$$

By hypothesis, any element of G can be represented by a word on \(\mathbf {g}\); however, this representation need not be unique, nor does equality of words need to be efficiently testable. From the definition of a \(\mathbf {g}\)-REGA, it is clear that the action on \(x\in X\) of any word of polynomial length on \(\mathbf {g}\) can be computed in polynomial time.

When G is abelian, words on \(\mathbf {g}\) can be rewritten as vectors in \(\mathbb {Z}^n\), canonically mapped to G by

$$\begin{aligned} (a_1,\dots ,a_n)\mapsto \prod _{i=1}^n g_i^{a_i}. \end{aligned}$$

It follows from the axioms of REGA that the action of a vector \(\mathbf {a}\in \mathbb {Z}^n\) can be efficiently evaluated on any \(x\in X\) as long as \(\Vert \mathbf {a}\Vert \) is polynomial in \(\log ({|}{G}{|})\), where \(\Vert \cdot \Vert \) is any \(L^p\)-norm.

Protocols built on REGA will need to sample elements from G that are statistically close to uniform and for which the group action is efficiently computable. Prior works suggest sampling from a distribution \(\mathcal {D}_G\) on the words on \(\mathbf {g}\) in the non-abelian case, or from a distribution on vectors in \(\mathbb {Z}^n\) in the abelian case. Classic choices in the latter case are balls of fixed radius in \(L^\infty \)-norm  [CLM+18], in \(L^1\)-norm  [NOTT20], in weighted infinity norms  [Sto12, MR18], or discrete Gaussian distributions  [DG19]. The latter is plausibly sufficient for applications that require group elements to be sampled from distributions statistically close to uniform  [DG19].

2.3 Known-Order Effective Group Action

As a strengthening of EGA, we may assume that the group structure of G is known. By “known order” we mean that a minimal list of generators \(\mathbf {g}=(g_1,\ldots ,g_{n})\) together with their orders \((m_1, \ldots , m_n)\) is known, which in turn is equivalent to a decomposition

$$\begin{aligned} G \simeq \mathbb {Z}_{m_1} \oplus \cdots \oplus \mathbb {Z}_{m_n}. \end{aligned}$$

An important special case is when G is cyclic, i.e., \(G = \langle g\rangle \simeq \mathbb {Z}/m\mathbb {Z}\).

Denoting by \(\mathcal {L}\) the lattice \(m_1\mathbb {Z}\oplus \cdots \oplus m_n\mathbb {Z}\), the map \(\phi : \mathbb {Z}^n/\mathcal {L} \rightarrow G\) defined as

$$\begin{aligned} (a_1,\dots ,a_{n})\mapsto \prod _{i=1}^n g_i^{a_i} \end{aligned}$$

is an effective isomorphism, its inverse being a generalized discrete logarithm. If \((G,X,\star )\) is an EGA, then it is easy to verify that \((\mathbb {Z}^n/\mathcal {L},X,\star )\) is an EGA through \(\phi \). We may thus use \(\mathbb {Z}^n/\mathcal {L}\) as the standard representation for G.

Definition 7

\(\mathrm{{(Known}\text {-}\mathrm {order\,\,Effective\,\,Group\,\,Action)}}\) A known-order effective group action (KEGA) is an EGA \((\mathbb {Z}^n/\mathcal {L},X,\star )\) where the lattice \(\mathcal {L}\) is given by the tuple \((m_1, \ldots , m_n)\).

It may look like we “lose some cryptography” when we replace the group G by its isomorphic image \(\mathbb {Z}^n/\mathcal {L}\). However, we stress that the main purpose of cryptography based on group actions is to design protocols that do not rely on discrete log assumptions. Thus, as soon as the group structure of G is known, KEGA is a more appropriate tool to design protocols, owing to its simplicity. For examples of protocols that require the KEGA setting, see  [DM20].

Furthermore, KEGA and abelian EGA are quantumly equivalent. Indeed, given any abelian group G, Shor’s algorithm and its generalization  [Sho97, CM01] precisely compute an isomorphism \(G\simeq \mathbb {Z}_{m_1} \oplus \cdots \oplus \mathbb {Z}_{m_n}\) (along with a minimal set of generators) in quantum polynomial time.

Remark 3

A REGA of known order is not automatically a KEGA; indeed, the list of generators \(\mathbf {g}\) of a REGA need not be minimal. As an extreme example, consider the case where \(G=\langle g_1\rangle \) is cyclic, and \(\mathbf {g}= (g_1,\dots ,g_n)\). Any element of G can be uniquely represented as an integer in \(\mathbb {Z}_{m_1}\); however, this representation does not lead to an efficiently computable group action. What is needed is an efficient algorithm to convert between the “minimal” representation \(G\simeq \mathbb {Z}^n/\mathcal {L}\) and products of small powers of \((g_1,\dots ,g_n)\). In some instances, this conversion is possible via lattice reduction techniques  [BKV19].

3 Hash Proof System

In this section, we demonstrate how to construct universal and smooth projective hashing schemes (also known as hash proof systems or projective hash functions) from any weak pseudorandom effective group action. We begin by recalling the definition of a universal projective hashing scheme as in  [CS02].

Definition 8

\(\mathrm{{(Universal\,\,Projective\,\,Hashing)}}\) Let \(\mathrm {\Lambda }:{K}\times \mathrm {\Sigma }\rightarrow \mathrm {\Gamma }\) be an efficiently computable function, and let \(L\subset \mathrm {\Sigma }\). In addition, let \(\alpha :{K}\rightarrow {P}\) be a “projection” function. We say that the tuple \(\mathrm {\Pi } = \left( \mathrm {\Lambda },{K},{P},\mathrm {\Sigma },\mathrm {\Gamma },{L}\right) \) is a universal projective hash function if the following properties hold:

  • Samplability: There exist efficient algorithms to sample uniformly from \(\mathrm {\Sigma }\) and from K. In addition, there exists an efficient algorithm to sample uniformly from L along with a witness w that proves membership in L.

  • Subset Membership Problem: If \(\sigma _0\leftarrow {L}\) and \(\sigma _1\leftarrow \mathrm {\Sigma }\) then \(\sigma _0 {\mathop {\approx }\limits ^{c}}\sigma _1\).

  • Projective Evaluation: There exists an efficient algorithm \(\mathsf {ProjEval} \) such that for any \({\mathsf {hk}} \in K\) and any \(\sigma \in L\) with membership witness w, we have

    $$\begin{aligned} \mathsf {ProjEval} (\alpha ({\mathsf {hk}}),w) = \mathrm {\Lambda }\left( {\mathsf {hk}},\sigma \right) . \end{aligned}$$
  • Universality: \(\mathrm {\Pi }\) is said to be \(\varepsilon \)-universal if for any \(\sigma \in \mathrm {\Sigma }\setminus {L}\), if \({\textsf {hk}}\leftarrow K\) it holds that

    $$\begin{aligned} H_{\infty }\big ( \mathrm {\Lambda }\left( {\mathsf {hk}},\sigma \right) \big | (\alpha ({\mathsf {hk}}),\sigma )\big ) \ge \log (\varepsilon ^{-1}). \end{aligned}$$

\(\mathbf{Universality }_2\) and Smoothness. We also recall two stronger notions of security for projective hash proof systems, namely \(\text {universality}_2\) and smoothness, as described in  [CS02].

  • \(\text {Universality}_2\): A hash proof system \(\mathrm {\Pi } = \left( \mathrm {\Lambda },{K},{P},\mathrm {\Sigma },\mathrm {\Gamma },{L}\right) \) is said to be \(\varepsilon \)-\(\text {universal}_2\) if for any \(\sigma ,\sigma ^*\in \mathrm {\Sigma }\) such that \(\sigma \in \mathrm {\Sigma }\setminus {(L \cup \{\sigma ^*\})}\), if \({\textsf {hk}}\leftarrow K\) it holds that

    $$\begin{aligned} H_{\infty }\big ( \mathrm {\Lambda }\left( {\textsf {hk}},\sigma \right) \big | (\alpha ({\textsf {hk}}), \sigma ,\sigma ^*, \mathrm {\Lambda }\left( {\textsf {hk}},\sigma ^*\right) )\big ) \ge \log (\varepsilon ^{-1}). \end{aligned}$$
  • Smoothness: A hash proof system \(\mathrm {\Pi } = \left( \mathrm {\Lambda },{K},{P},\mathrm {\Sigma },\mathrm {\Gamma },{L}\right) \) is said to be smooth if for any \(\sigma \in \mathrm {\Sigma }\setminus {L}\), if \({\textsf {hk}}\leftarrow K\) and \(\gamma \leftarrow \mathrm {\Gamma }\) it holds that

    $$ \big (\alpha ({\textsf {hk}}),\sigma ,\mathrm {\Lambda }\left( {\textsf {hk}},\sigma \right) \big ) \approx _s \big (\alpha ({\textsf {hk}}),\sigma ,\gamma \big ). $$

We now show how to construct a universal hash proof system from any weak pseudorandom EGA.

Construction. Let \((G,X,\star )\) be a weak pseudorandom EGA and let \(\ell = \omega (\log \lambda )\) be an integer. Additionally, let \(\bar{x}_0\leftarrow X\) and \(\bar{x}_1\leftarrow X\) be publicly available set elements. We define the input space \(\mathrm {\Sigma }\) as

$$\begin{aligned} \mathrm {\Sigma } = \Big \{(x_0,x_1)\in X^2:\exists (g_0,g_1)\in G^2 \text { s.t. } x_0 = g_0 \star \bar{x}_0,\; x_1 = g_1 \star \bar{x}_1\Big \}. \end{aligned}$$

By the regularity of the group action, this is equivalent to defining \(\mathrm {\Sigma } = X^2\). We also define the subset \({L}\subset \mathrm {\Sigma }\) as

$$\begin{aligned} {L} = \Big \{(x_0,x_1)\in X^2:\exists g\in G \text { s.t. } x_0 = g \star \bar{x}_0,\; x_1 = g \star \bar{x}_1\Big \}, \end{aligned}$$

where the group element g is the witness for membership in L. In addition, we let \(\mathrm {\Gamma } = X^{\ell }\) and , and we define the hash function \(\mathrm {\Lambda }:{K}\times \mathrm {\Sigma }\rightarrow \mathrm {\Gamma }\) to be

$$\begin{aligned} \mathrm {\Lambda }\big ((\mathbf {h}, \mathbf {b}) ,(x_0,x_1)\big ) = (h_1 \star x_{b_1},\ldots ,h_{\ell } \star x_{b_{\ell }}), \end{aligned}$$

where \(\mathbf {h}= (h_1, \ldots , h_{\ell })\) and \(\mathbf {b}= (b_1, \ldots , b_{\ell })\). We set the projection space to be \({P} = X^{\ell }\), and we define the projection function \(\alpha :{K}\rightarrow {P}\) as

$$\begin{aligned} \alpha (\mathbf {h},\mathbf {b}) = (h_1 \star \bar{x}_{b_1},\ldots ,h_{\ell } \star \bar{x}_{b_{\ell }}). \end{aligned}$$

Subset Membership Problem. We state and prove the following lemma.

Lemma 1

If \((G, X,\star )\) is a weak pseudorandom EGA, we have \(\sigma _0 {\mathop {\approx }\limits ^{c}}\sigma _1\) where \(\sigma _0 \leftarrow L\) and \(\sigma _1 \leftarrow \mathrm {\Sigma }\).

Proof

By the weak pseudorandomness of the group action we have

$$\begin{aligned} (\bar{x}_0, \bar{x}_1, g \star \bar{x}_0, g \star \bar{x}_1) {\mathop {\approx }\limits ^{c}}(\bar{x}_0, \bar{x}_1, {x}_0, {x}_1), \end{aligned}$$

where \(g \leftarrow G\) and \(\bar{x}_1, x_0, x_1\) are all sampled uniformly and independently from X. It is easy to see that the “left” tuple corresponds to a uniformly sampled member \(\sigma _0 \in L\) and the “right” tuple corresponds to a uniformly sampled element \(\sigma _1 \in \mathrm {\Sigma }\) (because the action is regular), as required.

Projective Evaluation. We define \(\mathsf {ProjEval}:X^{\ell } \times G \rightarrow X^{\ell }\) as

$$\begin{aligned} \mathsf {ProjEval} \big (\mathbf {y}, g\big ) = (g \star y_1,\ldots ,g \star y_{\ell }), \end{aligned}$$

where \(\mathbf {y}= (y_1, \ldots , y_{\ell })\) and g is the witness. Let \((x_0,x_1) = (g \star \bar{x}_0, g \star \bar{x}_1)\) be a member of L with witness g, and let \(\mathbf {y}= \alpha (\mathbf {h},\mathbf {b})\) for some hash key \((\mathbf {h}, \mathbf {b}) \in K\). The algorithm \(\mathsf {ProjEval} \) satisfies the projective evaluation property by observing that

$$\begin{aligned} \mathsf {ProjEval} \big (\alpha (\mathbf {h},\mathbf {b}) , g\big ) &= (g \star y_1,\ldots ,g \star y_{\ell })\\ &= (g \star (h_1 \star \bar{x}_{b_1}),\ldots ,g \star (h_{\ell } \star \bar{x}_{b_{\ell }}))\\ &= (h_1 \star (g \star \bar{x}_{b_1}),\ldots ,h_{\ell } \star (g \star \bar{x}_{b_{\ell }}))\\ &= (h_1 \star {x}_{b_1},\ldots ,h_{\ell } \star {x}_{b_{\ell }})\\ &= \mathrm {\Lambda }\big ((\mathbf {h}, \mathbf {b}) ,(x_0,x_1)\big ). \end{aligned}$$

Universality. We now establish the universality property (as defined in  [CS02]) via the following lemma.

Lemma 2

If \((G,X,\star )\) is a weak pseudorandom EGA, then the projective hash function is \(2^{-\ell }\)-universal.

Proof

Let \((x_0, x_1) \in \mathrm {\Sigma } \setminus L\) be an arbitrary non-member, and let \((\mathbf {h}, \mathbf {b}) \leftarrow K\) be a randomly chosen hash key. We need to show that

$$\begin{aligned} H_{\infty }\big (\mathrm {\Lambda }((\mathbf {h}, \mathbf {b}), (x_0, x_1)) \big |\big (\bar{x}_0, \bar{x}_1, x_0,x_1, \alpha (\mathbf {h}, \mathbf {b})\big ) \big ) = \ell . \end{aligned}$$

First, observe that there exist \(g_0 \ne g_1\) such that \((x_0, x_1) = (g_0 \star \bar{x}_0, g_1 \star \bar{x}_1)\) because \((x_0, x_1) \notin L\). In addition, let \(\mathbf {y}= \alpha (\mathbf {h}, \mathbf {b})\), i.e., for each \(i \in [\ell ]\) we have \(y_i = h_i \star \bar{x}_{b_i}\). By the regularity of the group action, for each \(i\in [\ell ]\) there exist \(d_{i,0} \in G\) and \(d_{i,1} \in G\) such that

$$\begin{aligned} d_{i,0} \star \bar{x}_0 = d_{i,1} \star \bar{x}_1 = y_i. \end{aligned}$$

In other words, given the tuple \((\bar{x}_0, \bar{x}_1, x_0, x_1, y_i)\), the bit \(b_i\) in the hash-key component \((h_i,b_i)\) has full entropy. On the other hand, we have

$$\begin{aligned} h_i \star x_{b_i} = h_i \star (g_{b_i} \star \bar{x}_{b_i}) = g_{b_i} \star (h_i \star \bar{x}_{b_i}) = g_{b_i} \star y_i. \end{aligned}$$

Since \(g_0\ne g_1\), it follows that given the tuple \((\bar{x}_0, \bar{x}_1, x_0,x_1, y_i)\), the set element \(h_i \star x_{b_i} = g_{b_i} \star y_i\) has one bit of entropy (even in the view of a computationally unbounded adversary). By extending the same argument, we get

$$\begin{aligned} H_{\infty }\big ( \{h_i \star x_{b_i}\}_{i \in [\ell ]} \big | \big (\bar{x}_0, \bar{x}_1, x_0,x_1, \{y_i\}_{i \in [\ell ]}\big ) \big ) = \ell , \end{aligned}$$

as desired. This completes the proof of Lemma 2.
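The construction above, its projective-evaluation identity, and the counting argument behind Lemma 2 can be checked concretely on a toy action. The following is an added example, not code from the paper: it assumes the translation action of \(G=\mathbb{Z}_P\) on \(X=\mathbb{Z}_P\) (abelian and regular, but of no cryptographic value), with the names `hash_Lambda`, `alpha`, `proj_eval` standing for \(\mathrm{\Lambda}\), \(\alpha\), \(\mathsf{ProjEval}\), and it enumerates every hash key to measure the guessing probability of the hash value given the projection.

```python
"""Toy universal projective hash from a regular abelian group action (added example).

Assumption: G = X = Z_P with g * x = (g + x) mod P.  Set elements are ints,
a hash key is (h, b) with h in G^ell and b in {0,1}^ell, exactly as in the paper.
"""
from collections import Counter, defaultdict
from itertools import product
import secrets

P = 7                      # toy group order; small so that keys can be enumerated
rng = secrets.randbelow


def act(g, x):
    """The toy action g * x."""
    return (g + x) % P


def sample_member(xbar):
    """Sample (x0, x1) in L together with its witness g (Samplability axiom)."""
    g = rng(P)
    return (act(g, xbar[0]), act(g, xbar[1])), g


def sample_key(ell):
    """Uniform hash key (h, b) in G^ell x {0,1}^ell."""
    return tuple(rng(P) for _ in range(ell)), tuple(rng(2) for _ in range(ell))


def hash_Lambda(hk, sigma):
    """Lambda((h, b), (x0, x1)) = (h_1 * x_{b_1}, ..., h_ell * x_{b_ell})."""
    h, b = hk
    return tuple(act(h_i, sigma[b_i]) for h_i, b_i in zip(h, b))


def alpha(hk, xbar):
    """Projection alpha(h, b) = (h_1 * xbar_{b_1}, ..., h_ell * xbar_{b_ell})."""
    h, b = hk
    return tuple(act(h_i, xbar[b_i]) for h_i, b_i in zip(h, b))


def proj_eval(y, g):
    """ProjEval(y, g) = (g * y_1, ..., g * y_ell), using only the witness g."""
    return tuple(act(g, y_i) for y_i in y)


def is_member(sigma, xbar):
    """Membership in L: the unique g with g * xbar0 = x0 must also map xbar1 to x1.
    Solving for g is toy-specific (it is the GAIP, hard for a real action)."""
    g = (sigma[0] - xbar[0]) % P
    return act(g, xbar[1]) == sigma[1]


def projective_property_holds(xbar, ell=3):
    """One random check of ProjEval(alpha(hk), g) == Lambda(hk, sigma) for sigma in L."""
    sigma, g = sample_member(xbar)
    hk = sample_key(ell)
    return proj_eval(alpha(hk, xbar), g) == hash_Lambda(hk, sigma)


def max_guess_prob(sigma, xbar, ell):
    """Worst case over projections y of max_gamma Pr[Lambda(hk, sigma) = gamma | alpha(hk) = y],
    i.e. 2^{-H_inf}.  Lemma 2 predicts 2^{-ell} for a non-member and 1 for a member."""
    by_proj = defaultdict(Counter)
    for h in product(range(P), repeat=ell):
        for b in product(range(2), repeat=ell):
            hk = (h, b)
            by_proj[alpha(hk, xbar)][hash_Lambda(hk, sigma)] += 1
    worst = 0.0
    for cnt in by_proj.values():
        worst = max(worst, max(cnt.values()) / sum(cnt.values()))
    return worst
```

For the public pair \((\bar{x}_0,\bar{x}_1)=(1,4)\), the non-member \((3,5)\) (shifts \(g_0=2\ne g_1=1\)) gives guessing probability \(2^{-\ell}\), while the member \((3,6)\) gives 1, matching the proof.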

The aforementioned lemmas yield the following theorem.

Theorem 1

There exists a construction of a \(2^{-\ell }\)-universal projective hash function for any \(\ell > 0\) from any weak pseudorandom EGA.

Remark 4

Our construction and proof work in essentially the same way from a restricted EGA provided that we can sample group elements from a distribution that is statistically close to uniform over the group G while retaining the ability to efficiently compute the action. We note that this is plausibly the case with respect to the instantiation of restricted EGA from CSIDH and other similar isogeny-based assumptions (see  [DG19] for more details).

Remark 5

In the aforementioned description of the HPS scheme, the hardness of the language membership problem crucially relies on the fact that the group element h such that \(\bar{x}_1=h\star \bar{x}_0\) is computationally hidden from the adversary. Note that most applications of HPS typically assume a trusted setup. For applications that necessarily require an untrusted setup, our proposed HPS can still be used, albeit from a hashable EGA.

\(\mathbf{Universal }_2\) and Smooth Projective Hashing. Based on known reductions from Section 2.1 of  [CS02], Theorem 1 implies the following corollary.

Corollary 1

Let \((G,X,\star )\) be any weak pseudorandom EGA. Assuming the existence of an injective function for some \(m = \omega (\log \lambda )\) and the existence of a pairwise independent hash function for some \(\ell = \omega (\log \lambda )\), there exists a \(2^{-\ell }\)-\({\textit{universal}}_2\) projective hash function and a smooth projective hash function, respectively.

Further Applications. \(\text {Universal}_{2}\) and smooth projective hashing imply CCA-secure PKE  [CS02]. Smooth projective hashing additionally implies password authenticated key-exchange  [GL03], privacy-preserving protocols  [BPV12], and many other cryptographic primitives. Hence, our construction allows all of these primitives to be constructed from any weak pseudorandom (R)EGA.

4 Linear Hidden Shift (LHS) Assumption

In this section we introduce a hardness assumption called the Linear Hidden Shift (LHS) problem and describe its cryptographic applications.

Notation. Unless stated otherwise, we use \(+\) to denote the group operation, and we assume that e denotes the identity element of the group. For a binary vector and a group element \(h \in G\), we use \(h \cdot \mathbf {s}\) to denote a vector of group elements whose ith component is \(s_i \cdot h\). For a vector of group elements \(\mathbf {g}\in G^{n}\) and a binary vector , we use \(\langle \mathbf {g}, \mathbf {s}\rangle \) to denote \(s_1 \cdot g_1 + \cdots + s_n \cdot g_n\) where \(+\) denotes the group operation (we remark that although the notation resembles an inner product, we do not necessarily have an inner product space).

Given a group action \(\star : G \times X \rightarrow X\), the action naturally extends to the direct product group \(G^n\) for any positive integer n. So if \(\mathbf {g}\in G^n\) and \(\mathbf {x}\in X^n\) are two vectors of group elements and set elements respectively, we use \(\mathbf {g}\star \mathbf {x}\) to denote the vector of set elements whose ith component is \(g_i \star x_i\).

Below, we formally state the search and decision versions of the assumption. Later, we show a simple search to decision reduction for the LHS assumption.

Definition 9

\(\mathrm{{(Search\,\,Linear\,\,Hidden\,\,Shift)}}\) Let \(\star : G \times X \rightarrow X\) be a regular group action, and let \(n = {{\,\mathrm{poly}\,}}(\lambda )\) be a parameter. We say that the (search) LHS problem is hard over \((G, X, \star )\) if for any \(m = {{\,\mathrm{poly}\,}}(\lambda )\) and for any PPT attacker \(\mathcal {A}\), we have

$$\begin{aligned} \Pr \Big [\mathcal {A}\Big (\big \{(x_i, \mathbf {g}_i, (\langle \mathbf {g}_i, \mathbf {s}\rangle ) \star x_i)\big \}_{i \in [m]}\Big ) \text { outputs } \mathbf {s}\Big ] \le {{\,\mathrm{negl}\,}}(\lambda ), \end{aligned}$$

where \(\mathbf {g}_i \leftarrow G^n\), \(\mathbf {s}\leftarrow \{0,1\}^n\), \(x_i \leftarrow X\) (all sampled independently), and the probability is taken over all random coins in the experiment.

Definition 10

\(\mathrm{{(Decision\,\,Linear\,\,Hidden\,\,Shift)}}\) Let \(\star : G \times X \rightarrow X\) be a group action, and let \(n = {{\,\mathrm{poly}\,}}(\lambda )\) be a parameter. We say that the LHS assumption holds over \((G, X, \star )\) if for any \(m = {{\,\mathrm{poly}\,}}(\lambda )\) we have

$$\begin{aligned} \{(x_i, \mathbf {g}_i, (\langle \mathbf {g}_i, \mathbf {s}\rangle ) \star x_i)\}_{i \in [m]} \quad {\mathop {\approx }\limits ^{c}}\quad \{(x_i, \mathbf {g}_i, u_i)\}_{i \in [m]}, \end{aligned}$$

where \(\mathbf {g}_i \leftarrow G^n\), \(\mathbf {s}\leftarrow \{0,1\}^n\), \(x_i \leftarrow X\) and \(u_i \leftarrow X\) (all sampled independently).

We naturally extend the notation \(\langle \mathbf {g}, \mathbf {s}\rangle \) to matrices, i.e., for a matrix \(\mathbf {M}\in G^{n \times \ell }\) and a binary vector , we use \(\mathbf {s}^t \mathbf {M}\) to denote a vector whose ith component is \(\langle \mathbf {m}_i, \mathbf {s}\rangle \) where \(\mathbf {m}_i\) is the ith column of \(\mathbf {M}\).

Search to Decision Reduction. Using the notation described above, the search LHS problem can be stated as the problem of recovering \(\mathbf {s}\) given a tuple of the form \((\mathbf {x}, \mathbf {M}, \mathbf {M}\mathbf {s}\star \mathbf {x})\) where \(\mathbf {x}\leftarrow X^n\) and \(\mathbf {M}\leftarrow G^{m \times n}\). Similarly, the decision LHS problem states that

$$\begin{aligned} (\mathbf {x}, \mathbf {M}, \mathbf {M}\mathbf {s}\star \mathbf {x}) \quad {\mathop {\approx }\limits ^{c}}\quad (\mathbf {x}, \mathbf {M}, \mathbf {u}), \end{aligned}$$

where \(\mathbf {u}\leftarrow X^n\) and \(m \gg n\). Now we show a simple search to decision reduction for the LHS problem, which is similar to the reductions in  [IN96, MM11] for (generalized) knapsack functions.

Lemma 3

\(\mathrm{{(Search\,\,to\,\,Decision)}}\) Let \(\mathcal {A}\) be a distinguisher that distinguishes between LHS samples of the form \((\mathbf {x}, \mathbf {M}, \mathbf {M}\mathbf {s}\star \mathbf {x})\) and an all-random tuple with probability \(1 - {{\,\mathrm{negl}\,}}(\lambda )\). Then there exists a PPT attacker \(\mathcal {A}'\) that recovers \(\mathbf {s}\) from an instance of the search LHS problem with probability \(1 - {{\,\mathrm{negl}\,}}(\lambda )\).

Proof

Given an instance of the search problem \((\mathbf {x}, \mathbf {M}, \mathbf {y})\) where \(\mathbf {y}= \mathbf {M}\mathbf {s}\star \mathbf {x}\) for some (unknown) vector \(\mathbf {s}\), the attacker \(\mathcal {A}'\) does the following for each \(i \in [n]\): it samples a column vector \(\mathbf {r}\leftarrow G^m\), and lets \(\mathbf {R}_i\) be the matrix whose ith column is \(\mathbf {r}\) while all other columns are identical to the corresponding columns of \(\mathbf {M}\) (so \(\mathbf {R}_i\) and \(\mathbf {M}\) differ only in the ith column). \(\mathcal {A}'\) runs \(\mathcal {A}\) on the tuple \((\mathbf {x}, \mathbf {R}_i, \mathbf {y})\). If \(\mathcal {A}\) outputs “LHS samples,” \(\mathcal {A}'\) sets \(s_i = 0\). Otherwise, \(\mathcal {A}'\) sets \(s_i = 1\).

Observe that if \(s_i = 0\), then \((\mathbf {x}, \mathbf {R}_i, \mathbf {y})\) is distributed as LHS samples because \(\mathbf {R}_i\mathbf {s}= \mathbf {M}\mathbf {s}\). On the other hand, if \(s_i = 1\) then \((\mathbf {x}, \mathbf {R}_i, \mathbf {y})\) is a random tuple because the action is regular and hence the distribution of \(\mathbf {R}_i\mathbf {s}\star \mathbf {x}\) is uniform and independent of \(\mathbf {y}\).

Remark 6

We note that the reduction above also works if the group action is restricted (where we can only evaluate the action of a set of small cardinality), provided that it is possible to sample a group element from a distribution that is statistically close to uniform.

4.1 Symmetric KDM-CPA Security from LHS

We describe a symmetric encryption scheme that satisfies KDM-CPA security (for projection functions) based on the LHS assumption. Our construction follows the blueprint of  [BHHO08]. Let \(\star : G \times X \rightarrow X\) be a group action such that LHS holds. We assume that all parties have access to a public fixed non-identity group element \(h \in G\). Our construction of a symmetric-key bit-encryption scheme \(\mathrm {\Pi } = (\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec})\) is as follows:

  • \(\mathsf {Gen} (1^{\lambda })\): To generate a secret key, sample a binary vector \(\mathbf {s}\leftarrow \{0,1\}^n\).

  • \(\mathsf {Enc} (\mathbf {s}, b \in \{0, 1\})\): Sample \(\mathbf {g}\leftarrow G^n\), \(x \leftarrow X\), and output

    $$\begin{aligned} {\textsf {ct}}= \big (x, \mathbf {g}, (b\cdot h + \langle \mathbf {g}, \mathbf {s}\rangle ) \star x \big ). \end{aligned}$$
  • \(\mathsf {Dec} (\mathbf {s}, {\textsf {ct}}= (x, \mathbf {g}, y) )\): Output 0 if \(y = \langle \mathbf {g}, \mathbf {s}\rangle \star x\), otherwise output 1.
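A toy instantiation of the LHS samples, of the bit-encryption scheme just defined, and of the column-rerandomisation reduction of Lemma 3, as an added example that is not the paper's code. It assumes the translation action of \(G=\mathbb{Z}_P\) on \(X=\mathbb{Z}_P\) with constructed constants `P`, `N`, `M_ROWS`, `H`; the "distinguisher" simply brute-forces \(\mathbf{s}\), which is affordable only because this toy action is easy, so the code illustrates the structure of the reduction and the scheme, not their hardness.

```python
"""Toy LHS samples, KDM-CPA bit encryption, and the Lemma 3 reduction (added example).

Assumption: G = X = Z_P, g * x = (g + x) mod P, so <g, s> is a subset sum mod P.
"""
from itertools import product
import secrets

P = 101          # toy group order (constructed)
N = 6            # secret length n (constructed)
M_ROWS = 12      # number of samples m >> n (constructed)
H = 1            # public fixed non-identity group element h (constructed)
rng = secrets.SystemRandom()


def act(g, x):
    """The toy action g * x."""
    return (g + x) % P


def inner(g_vec, s):
    """<g, s> = s_1 g_1 + ... + s_n g_n, the group operation being addition mod P."""
    return sum(gi for gi, si in zip(g_vec, s) if si) % P


def gen(n=N):
    """Gen: a uniform binary secret s in {0,1}^n."""
    return tuple(rng.randrange(2) for _ in range(n))


def lhs_instance(s, m=M_ROWS):
    """m LHS samples written as (x, M, M s * x) with x in X^m and M in G^{m x n}."""
    xs = tuple(rng.randrange(P) for _ in range(m))
    mat = tuple(tuple(rng.randrange(P) for _ in range(len(s))) for _ in range(m))
    ys = tuple(act(inner(row, s), x) for row, x in zip(mat, xs))
    return xs, mat, ys


def enc(s, bit):
    """Enc(s, b) = (x, g, (b.h + <g, s>) * x)."""
    g = tuple(rng.randrange(P) for _ in range(len(s)))
    x = rng.randrange(P)
    return (x, g, act((bit * H + inner(g, s)) % P, x))


def dec(s, ct):
    """Dec: 0 iff y equals <g, s> * x.  Correct because h is not the identity."""
    x, g, y = ct
    return 0 if y == act(inner(g, s), x) else 1


def looks_like_lhs(xs, mat, ys):
    """Stand-in for the distinguisher A of Lemma 3: does ANY s' satisfy M s' * x = y?
    Brute force over 2^n candidates; feasible only for this easy toy action."""
    n = len(mat[0])
    for cand in product((0, 1), repeat=n):
        if all(act(inner(row, cand), x) == y for row, x, y in zip(mat, xs, ys)):
            return True
    return False


def search_from_decision(xs, mat, ys, distinguisher=looks_like_lhs):
    """Attacker A' of Lemma 3: replace column i of M by a fresh random column r and
    ask the distinguisher.  If s_i = 0 the tuple is still an LHS instance for the
    same s; if s_i = 1 the column r enters the subset sum and y no longer matches."""
    m, n = len(mat), len(mat[0])
    recovered = []
    for i in range(n):
        r = [rng.randrange(P) for _ in range(m)]
        mat_i = tuple(tuple(r[k] if j == i else row[j] for j in range(n))
                      for k, row in enumerate(mat))
        recovered.append(0 if distinguisher(xs, mat_i, ys) else 1)
    return tuple(recovered)
```

With \(m=12\) rows over \(\mathbb{Z}_{101}\), a rerandomised column makes a spurious match of some \(\mathbf{s}'\) vanishingly unlikely, so the recovered vector equals the sampled secret.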

Lemma 4

The scheme \(\mathrm {\Pi }\) above is CPA secure.

Proof

We sketch a simple proof. Notice that a tuple of \(m = {{\,\mathrm{poly}\,}}(\lambda )\) ciphertexts encrypting m (arbitrary) bits \(\{b_i\}_{i \in [m]}\) in the scheme above has the form \(\{x_i, \mathbf {g}_i, (b_i \cdot h) \star y_i\}_{i \in [m]}\) where \(\{x_i, \mathbf {g}_i, y_i\}_{i \in [m]}\) are LHS samples. Therefore, by the LHS assumption we have

$$\begin{aligned} \{x_i, \mathbf {g}_i, (b_i \cdot h) \star y_i\}_{i \in [m]} \quad {\mathop {\approx }\limits ^{c}}\quad \{x_i, \mathbf {g}_i, (b_i \cdot h) \star u_i\}_{i \in [m]} , \end{aligned}$$

where each \(u_i\) is a random set element. It follows that encryptions of \(\{b_i\}_{i \in [m]}\) are indistinguishable from a (truly) random tuple, as required.

Lemma 5

The scheme \(\mathrm {\Pi }\) is KDM secure with respect to projection functions.

Proof

Observe that encryptions of all bits of the secret key have the form \((\mathbf {x}, \mathbf {M}, (\mathbf {M}\mathbf {s}+ h\cdot \mathbf {s}) \star \mathbf {x})\), where \(\mathbf {x}\leftarrow X^n\), \(\mathbf {M}\leftarrow G^{n \times n}\) and the action is applied componentwise. By a simple rearrangement we have

$$\begin{aligned} \big (\mathbf {x}, \mathbf {M}, (\mathbf {M}\mathbf {s}+ h\cdot \mathbf {s}) \star \mathbf {x}\big ) = \big (\mathbf {x}, \mathbf {M}, (\mathbf {M}+ h\cdot \mathbf {I})\mathbf {s}\star \mathbf {x}\big ). \end{aligned}$$

Similarly, it is straightforward to see that encryptions of \(\{1 - s_i\}_{i \in [n]}\) have the form

$$\begin{aligned} (\mathbf {x}', {\mathbf {M}'}, (\mathbf {M}'\mathbf {s}+ h\cdot (\mathbf {1} - \mathbf {s})) \star \mathbf {x}' ), \end{aligned}$$

where \(\mathbf {1}\) is the all-one vector. By a simple rearrangement we have

$$\begin{aligned} \big (\mathbf {x}', \mathbf {M}', (\mathbf {M}'\mathbf {s}+ h\cdot (\mathbf {1} - \mathbf {s})) \star \mathbf {x}'\big ) = \big (\mathbf {x}', \mathbf {M}', [(\mathbf {M}' - h\cdot \mathbf {I})\mathbf {s}+ h\cdot \mathbf {1}] \star \mathbf {x}'\big ). \end{aligned}$$

Clearly, if \(\mathbf {M}\) (resp., \(\mathbf {M}'\)) is a uniform matrix, then \(\mathbf {M}_1 := \mathbf {M}+ h\cdot \mathbf {I}\) (resp., \(\mathbf {M}_2 := \mathbf {M}' - h \cdot \mathbf {I}\)) is also a uniform matrix. Given 2n samples of LHS challenges of the form \(\{(\mathbf {x}_j, \mathbf {M}_j, \mathbf {y}_j)\}_{j \in [2]}\) where either \(\{\mathbf {y}_j = \mathbf {M}_j\mathbf {s}\, \star \, \mathbf {x}_j\}_{j \in [2]}\) or \(\{\mathbf {y}_j\}_{j \in [2]}\) are truly random vectors of set elements, the reduction simulates encryptions of projection functions of the secret key by computing \((\mathbf {x}_1, \mathbf {M}_1 - h\cdot \mathbf {I}, \mathbf {y}_1)\) and \((\mathbf {x}_2, \mathbf {M}_2 + h\cdot \mathbf {I}, (h\cdot \mathbf {1}) \star \mathbf {y}_2)\). By the LHS assumption it follows that

$$\begin{aligned} \big (\mathbf {x}, \mathbf {M}, (\mathbf {M}+ h\cdot \mathbf {I})\mathbf {s}\star \mathbf {x}\big ) {\mathop {\approx }\limits ^{c}}(\mathbf {x}, \mathbf {M}, \mathbf {u}), \end{aligned}$$
$$\begin{aligned} (\mathbf {x}', {\mathbf {M}'}, (\mathbf {M}'\mathbf {s}+ h\cdot (\mathbf {1} - \mathbf {s})) \star \mathbf {x}') {\mathop {\approx }\limits ^{c}}(\mathbf {x}', \mathbf {M}', \mathbf {u}'), \end{aligned}$$

where \(\mathbf {u}\leftarrow X^n\) and \(\mathbf {u}' \leftarrow X^n\) are uniform vectors of set elements. Therefore, encryptions of all projection functions of the secret key are indistinguishable from tuples of truly random elements. On the other hand, by Lemma 4 we know that encryptions of zero are indistinguishable from truly random tuples. It follows that

$$\begin{aligned} \big ( \{\mathsf {Enc} (\mathbf {s}, s_i) \}_{i \in [n]}, \{\mathsf {Enc} (\mathbf {s}, 1 - s_i) \}_{i \in [n]}\big ) \quad {\mathop {\approx }\limits ^{c}}\quad \{ \mathsf {Enc} (\mathbf {s}, 0)\}_{i \in [2n]}, \end{aligned}$$

as required. Indistinguishability of multiple encryptions of a projection function of the secret key from random tuples follows from a standard hybrid argument, and the proof is complete.

Instantiation from Restricted EGA. Notice that the reduction above does not work in the case of a restricted EGA because the relation lattice (i.e., the group structure) is not known. However, it is possible to show that an alternative version of the scheme described above is KDM-CPA secure in the case of a restricted EGA (for which the LHS assumption holds). Therefore, it is possible to realize symmetric KDM-CPA encryption from a restricted EGA provided that we can sample group elements from a distribution over the group G that is statistically close to uniform while retaining the ability to compute the action efficiently. Note that this is plausibly true for the restricted EGAs implied by CSIDH and other similar isogeny-based assumptions  [DG19].

  • \(\mathsf {Gen} (1^{\lambda })\): To generate a secret key, sample a binary vector \(\mathbf {s}\leftarrow \{0,1\}^n\).

  • \(\mathsf {Enc} (\mathbf {s}, b \in \{0, 1\})\): Sample \(\mathbf {g}\leftarrow G^n\), \(x \leftarrow X\), and \(u \leftarrow X\). If \(b = 0\), output the ciphertext \({\textsf {ct}}= (x, \mathbf {g}, \langle \mathbf {g}, \mathbf {s}\rangle \star x)\). Otherwise, output \({\textsf {ct}}= (x, \mathbf {g}, u)\).

  • \(\mathsf {Dec} (\mathbf {s}, {\textsf {ct}}= (x, \mathbf {g}, y) )\): Output 0 if \(y = \langle \mathbf {g}, \mathbf {s}\rangle \star x\), otherwise output 1.

Lemma 6

If \((G, X, \star )\) is a restricted EGA that satisfies the LHS assumption, the construction above is KDM-CPA secure.

Proof

Observe that an encryption of 0 corresponds to an LHS sample while an encryption of 1 corresponds to a random tuple, so it is easy to see that the construction above is CPA secure based on the LHS assumption. The argument for KDM security is quite similar to the search to decision reduction for the LHS assumption (Lemma 3), and hence we omit the details.

Implications. Using the general amplification of  [App14], one can transform a symmetric-key KDM-secure scheme (with respect to projection functions) into a symmetric-key KDM-secure scheme with respect to circuits of a priori bounded size. Therefore, one can construct a symmetric-key KDM-secure scheme (with respect to bounded circuits) based on the LHS assumption. In a recent work, Lombardi et al.  [LQR+19] showed a construction of reusable designated-verifier NIZK (DV-NIZK) arguments for NP assuming any PKE and a symmetric-key KDM-secure scheme. Hence, any PKE along with the LHS assumption implies reusable DV-NIZK arguments for NP.

In the same vein, Kitagawa and Matsuda  [KM19] showed a construction of KDM-CCA PKE assuming PKE, DV-NIZK, and symmetric-key KDM security with respect to projection functions. Therefore, any PKE along with the LHS assumption implies KDM-CCA PKE.

Furthermore, Kitagawa et al.  [KMT19] showed a construction of a trapdoor function (with adaptive one-wayness) from a randomness-recovering symmetric-key KDM-secure scheme and a PKE scheme with pseudorandom ciphertexts. By plugging in their result, we obtain trapdoor functions with adaptive one-wayness based on the LHS assumption and any wPR-(R)EGA.

Remark 7

We note that although our definition of the LHS assumption uses a fresh \(x_i\) per sample, almost all of the results in this section would still be valid if we used a fixed (but randomly chosen) \(x \in X\) across all LHS samples.

4.2 On the Security of LHS Assumption

In what follows we provide some insights on the security of the LHS assumption. We consider an additive variant of the LHS assumption, which we call LHS(+), where \(G = \mathbb {Z}_N^*\) and the product term \(\mathbf {M}\mathbf {s}\) is computed by a subset sum over the columns of \(\mathbf {M}\). We show that in this setting the LHS assumption is equivalent to weak pseudorandomness for (effective) group actions provided that \(\mathbf {M}\) is a structured matrix. We then describe an attack that breaks the search/decision LHS assumption in certain settings, and explain how such attacks can be avoided.

LHS(+) Assumption. Let \((G, X, \star )\) be an EGA such that \(G = \mathbb {Z}_N^*\) and \(\varphi (N)/N \ge 1 - {{\,\mathrm{negl}\,}}(\lambda )\). Consider the following additive variant of the LHS assumption

$$\begin{aligned} (\mathbf {x}, \mathbf {M}, \mathbf {M}\mathbf {s}\star \mathbf {x}) {\mathop {\approx }\limits ^{c}}(\mathbf {x}, \mathbf {M}, \mathbf {u}), \end{aligned}$$

where \(\mathbf {M}\mathbf {s}\) is computed over \((\mathbb {Z}_N, +)\), i.e., as a subset sum over the columns of \(\mathbf {M}\) modulo N. We show that if \(\mathbf {M}\) is a structured “rank” 1 matrix (instead of a uniformly chosen matrix), the additive LHS assumption is equivalent to the weak pseudorandomness of \((G, X, \star )\).

Let \(\overline{\mathbf {M}} = \mathbf {a}\otimes \mathbf {b}\) where \(\mathbf {a}\leftarrow \mathbb {Z}_N^m\) and \(\mathbf {b}\leftarrow \mathbb {Z}_N^n\) are two randomly chosen vectors of group elements and \(\otimes \) denotes the “tensor product” with respect to \(\mathbb {Z}_N^*\). To put it differently, the \(ij^{\text {th}}\) entry of \(\overline{\mathbf {M}}\) is equal to \(a_i \cdot b_j\) where \(\cdot \) denotes multiplication modulo N. First, observe that \(\overline{\mathbf {M}}\mathbf {s}= \mathbf {a}\otimes b^*\) where \(b^* = \mathbf {b}^t\mathbf {s}\). In addition, if n is an integer such that \(n > \log (N) + \omega (\log (\lambda ))\), then by the leftover hash lemma \(b^*\) is distributed uniformly and independently of the other values. Furthermore, given any \(\mathbf {M}\) with the aforementioned structure, one can compute two vectors \(\mathbf {a}\) and \(\mathbf {b}\) such that \(\mathbf {M}= \mathbf {a}\otimes \mathbf {b}\). Consider the rows of the LHS(+) assumption, which have the following form:

For each \(i \in [m]\), compute \(y_i = a_i \star x_i\). So, given an instance of the LHS(+) problem one can compute the following:

$$\begin{aligned} (y_1, b^* \star y_1), (y_2, b^* \star y_2), \ldots ,(y_m, b^* \star y_m). \end{aligned}$$

Therefore, the LHS(+) assumption is equivalent to weak pseudorandomness for EGAs in the aforementioned setting (the proof of the other direction is similar).
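The row computation behind the reduction above, written out with the paper's symbols (an added derivation, not part of the original): for each \(i \in [m]\),

$$\begin{aligned} (\overline{\mathbf {M}}\mathbf {s})_i = \sum _{j=1}^{n} (a_i \cdot b_j)\, s_j = a_i \cdot \Big ( \sum _{j=1}^{n} b_j s_j \Big ) = a_i \cdot b^* \pmod N, \end{aligned}$$

so the \(i^{\text {th}}\) row of the LHS(+) instance reads \((x_i, a_i \cdot \mathbf {b}, (a_i \cdot b^*) \star x_i)\), and compatibility of the action of \(G = \mathbb {Z}_N^*\) gives

$$\begin{aligned} (a_i \cdot b^*) \star x_i = b^* \star (a_i \star x_i) = b^* \star y_i. \end{aligned}$$

Each row therefore yields a pair \((y_i, b^* \star y_i)\) with the same secret \(b^*\), which is exactly a weak pseudorandomness sample; in the random case the third component is a uniform \(u_i\) in both views. The step \(a_i \star x_i\) requires \(a_i \in \mathbb {Z}_N^*\), which the condition \(\varphi (N)/N \ge 1 - \mathrm{negl}(\lambda )\) guarantees for all \(i \in [m]\) except with negligible probability.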

Attacks on LHS. To analyze the quantum security of the LHS assumption, it is reasonable to assume that discrete logarithms are easy in the group G. Then, the LHS problem becomes essentially a linear-algebra problem. For example, if G is cyclic of order q, we can rewrite all elements of G as their discrete log to a fixed basis, the subset product \(\langle \mathbf {g}, \mathbf {s}\rangle \) becomes the standard inner product over \((\mathbb {Z}_q)^n\), and LHS becomes similar to LWE [Reg05], with the main difference that the algebraic structure is hidden by the group action, rather than by noise.

It is then evident that both decision and search LHS can be solved by breaking the one-wayness of the group action, recovering a list of tuples \((\mathbf {a}_i, \langle \mathbf {a}_i, \mathbf {s}\rangle )\), and then using linear algebra over \(\mathbb {Z}_q\). The same blueprint also applies to non-cyclic groups. To the best of our knowledge, this is the most efficient generic attack on the LHS assumption.
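The blueprint of the two preceding paragraphs run on the same toy cyclic action as above, where \(Q\) is small enough that discrete logarithms, and hence the one-wayness of the action, fall to brute force (an added example, not code from the paper; \(P, Q, H, N\) are constructed values). The point for a designer is the one the text makes: once the action is not one-way, LHS is plain linear algebra over \(\mathbb{Z}_Q\) with no noise to hide \(\mathbf{s}\).

```python
import random

# Same toy EGA as the one constructed above (not from the paper): G = Z_Q acts
# on X = <H> inside Z_P^* by g * x = H^g * x mod P. Q is so small that the
# discrete logarithm, i.e. the one-wayness of the action, falls to brute force.
P, Q, H = 1019, 509, 4
N = 8                    # dimension n of the secret

def act(g: int, x: int) -> int:
    return pow(H, g % Q, P) * x % P

def dlog(y: int, x: int) -> int:
    """Break one-wayness of the toy action: the g in Z_Q with y = g * x."""
    return next(g for g in range(Q) if act(g, x) == y)

def lhs_samples(s: list, m: int, rng: random.Random) -> list:
    """m LHS samples (x_i, g_i, <g_i, s> * x_i); <g_i, s> is an inner product mod Q."""
    out = []
    for _ in range(m):
        g = [rng.randrange(Q) for _ in range(N)]
        x = pow(H, rng.randrange(Q), P)
        out.append((x, g, act(sum(gi for gi, si in zip(g, s) if si), x)))
    return out

def solve_mod_q(rows: list, rhs: list) -> list:
    """Gauss-Jordan elimination over Z_Q for rows * s = rhs (m >= n, full column rank)."""
    A = [r[:] + [b] for r, b in zip(rows, rhs)]
    n = len(rows[0])
    for col in range(n):
        piv = next(i for i in range(col, len(A)) if A[i][col] % Q)
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, Q)           # Q is prime, so every nonzero pivot inverts
        A[col] = [v * inv % Q for v in A[col]]
        for i in range(len(A)):
            if i != col and A[i][col]:
                A[i] = [(vi - A[i][col] * vc) % Q for vi, vc in zip(A[i], A[col])]
    return [A[i][n] for i in range(n)]

def recover_secret(samples: list) -> list:
    """The generic attack: read <g_i, s> off each sample via dlog, then solve over Z_Q."""
    rows = [g for _, g, _ in samples]
    rhs = [dlog(y, x) for x, _, y in samples]
    return solve_mod_q(rows, rhs)

rng = random.Random(11)
secret = [rng.randrange(2) for _ in range(N)]
assert recover_secret(lhs_samples(secret, N + 2, rng)) == secret
```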

However, some instantiations may offer easier paths to attack LHS: isogenies are an interesting example. The recent work of Castryck, Sotáková and Vercauteren  [CSV20] shows that some instantiations of group actions from isogenies are not pseudorandom EGAs. While it is not evident how breaking pseudorandomness could help solve LHS, their technique is actually more powerful. Indeed, it provides an efficient algorithm to compute some quadratic characters of the group G, directly on its isomorphic representation on X. More precisely, for a fixed quadratic character \(\chi \) of the class group \(\text {Cl} \left( \mathcal {O} \right) \), on input a pair \((x,y)\in X^2\) such that \(y=g\star x\), their algorithm outputs \(\chi (g)=\pm 1\).

We can use this algorithm to solve LHS as follows. Define \(f = (1 - \chi )/2\). For any tuple \((x_i, \mathbf {g}_i = (g_i^{(1)}, \ldots , g_i^{(n)}), \langle \mathbf {g}_i, \mathbf {s}\rangle \star x_i)\) we compute the following

$$\big (f(g_i^{(1)}), \dots , f(g_i^{(n)}), f(\langle \mathbf {g}_i, \mathbf {s}\rangle )\big ).$$

After we collect enough tuples, we obtain a linear system over \(\mathbb {Z}_2\), which we solve to recover \(\mathbf {s}\). This is analogous to the attack on the discrete logarithm equivalent of LHS using Legendre symbols, and applies to any other group action where the group G has low-order characters which can be “read” on X.

Castryck et al.’s attack does not apply against CSIDH, because the class group associated to it has no quadratic characters. Even for instantiations where class groups do have quadratic characters, e.g., isogeny schemes based on ordinary elliptic curves, it is easy to block the attack by restricting G to the subgroup of squares inside \(\text {Cl} \left( \mathcal {O} \right) \).