Abstract
In this paper, we consider the security of a problem we call the Group Action Inverse Problem with Auxiliary Inputs (GAIPwAI). The underlying Group Action Inverse Problem (GAIP) determines the security of several isogeny-based cryptosystems, such as CSIDH, SeaSign and CSI-FiSh.
Briefly, given two isogenous supersingular curves E and \(E'\) over \(\mathbb F_p\), where \(E' = [\mathfrak a]*E\) is the image of E under the action of an ideal \(\mathfrak a \subset {\text {End}}_{\mathbb F_p}(E)\) of the \(\mathbb F_p\)-rational endomorphism ring of E, GAIP asks for \(\mathfrak a\). The best known classical algorithm is a baby-step giant-step search over the class group, whose order is roughly \(p^{1/2}\), and therefore runs in time \(O(p^{1/4})\).
We show that if E and \(E'\) are given together with the additional curve \([\mathfrak a^d]*E\) for a positive divisor d of the order of the class group of \({\mathbb Z}[\sqrt{-p}]\), then \(\mathfrak a\) can be computed in time \(O\big ( ( p^{1/2} /d)^{1/2} + d^{1/2} \big )\). In particular, for \(d \approx p^{1/4}\) the problem is solved in time \(O( p^{1/8} )\), significantly less than \(O( p^{1/4} )\).
Applying this to the CSIDH-512 parameters, we show that if an additional isogenous curve \([\mathfrak a^d] * E\) is available, the security level against this classical attack drops to 68 bits instead of the 128 bits originally believed.
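The two-stage search behind the \(O\big ( ( p^{1/2} /d)^{1/2} + d^{1/2} \big )\) bound can be run end to end on a toy stand-in for the isogeny action. The example below is added here and is not code from the paper or from any CSIDH implementation. It assumes, as CSI-FiSh established for CSIDH-512, that the class group is cyclic of order N with a known generator g, so an ideal class is identified with an exponent x mod N; the set of curves is replaced by a cyclic subgroup of \(\mathbb F_q^*\) and the action \([g^x]*E\) by multiplication with \(\gamma^x\) (a free and transitive action, hence a hard homogeneous space whenever the discrete logarithm in \(\langle\gamma\rangle\) is hard). The prime q = 2013265921, the toy order N = 2^20 and the divisor d = 2^10 are choices of this example. The attack only ever calls the action oracle, so the structure carries over unchanged to the isogeny setting; what changes is the cost of one action evaluation.

```python
"""
Toy model of the Group Action Inverse Problem with Auxiliary Inputs.

Class group: cyclic of order N, generated by g; the ideal class g^x is
identified with x mod N.  "Curves": elements of GF(Q)^*, on which [g^x]
acts as E -> E * GAMMA^x.  Everything below touches the action only through
Action.act(), mirroring an attacker who can evaluate the CSIDH group action.
"""
from math import isqrt

Q = 2013265921   # 15 * 2^27 + 1, prime; toy modulus chosen for this example
N = 1 << 20      # toy class-group order (CSIDH-512 has N ~ 2^256)
D = 1 << 10      # auxiliary exponent: a divisor of N with D ~ sqrt(N)


def _element_of_order(n: int) -> int:
    """Return an element of GF(Q)^* of exact order n; n must be a power of two dividing Q-1."""
    assert (Q - 1) % n == 0 and n & (n - 1) == 0
    for c in range(2, Q):
        gamma = pow(c, (Q - 1) // n, Q)      # order divides n
        if pow(gamma, n // 2, Q) != 1:        # and is not a proper divisor, so equals n
            return gamma
    raise ValueError("no element of that order")


GAMMA = _element_of_order(N)


class Action:
    """Group-action oracle [g^x] * E that counts its evaluations (the attack's cost unit)."""

    def __init__(self) -> None:
        self.calls = 0

    def act(self, x: int, E: int) -> int:
        self.calls += 1
        return E * pow(GAMMA, x % N, Q) % Q


def bsgs(oracle: Action, base: int, target: int, step: int, order: int) -> int:
    """Find y in [0, order) with [g^(y*step)] * base == target.

    g^step is assumed to generate a subgroup of the given order, so the search
    costs at most 2*(isqrt(order)+1) action evaluations.
    """
    m = isqrt(order) + 1
    baby = {}
    cur = base
    for j in range(m):                        # baby steps: [g^(j*step)] * base
        baby.setdefault(cur, j)
        cur = oracle.act(step, cur)
    cur = target
    for i in range(m):                        # giant steps: [g^(-i*m*step)] * target
        if cur in baby:
            return (i * m + baby[cur]) % order
        cur = oracle.act(-m * step, cur)
    raise ValueError("target is not in the orbit of base under g^step")


def solve_gaip(oracle: Action, E: int, E1: int) -> int:
    """Plain GAIP: recover x from E and E1 = [g^x] * E by BSGS over the whole group, O(sqrt(N))."""
    return bsgs(oracle, E, E1, 1, N)


def solve_gaip_with_aux(oracle: Action, E: int, E1: int, Ed: int, d: int) -> int:
    """GAIPwAI: recover x from E, E1 = [g^x] * E and Ed = [g^(d*x)] * E with d | N,
    using O(sqrt(N/d) + sqrt(d)) action evaluations."""
    assert N % d == 0
    n1 = N // d
    # Stage 1: h = g^d has order N/d and Ed = [h^x] * E, so BSGS in <h> gives x mod N/d.
    x0 = bsgs(oracle, E, Ed, d, n1)
    # Stage 2: write x = x0 + (N/d) * x1 with 0 <= x1 < d.  Peeling off x0 leaves
    # [(g^(N/d))^x1] * E, and g^(N/d) has order d, so a BSGS of size sqrt(d) finds x1.
    E1_shifted = oracle.act(-x0, E1)
    x1 = bsgs(oracle, E, E1_shifted, n1, d)
    return (x0 + n1 * x1) % N


def demo(secret_x: int = 123457, E: int = 7):
    """Run both attacks on the same instance; return (x_plain, x_aux, plain_calls, aux_calls)."""
    setup = Action()                           # the victim's computations are not charged to the attacker
    E1 = setup.act(secret_x, E)                # public key [a] * E
    Ed = setup.act(D * secret_x, E)            # auxiliary input [a^d] * E
    plain, aux = Action(), Action()
    x_plain = solve_gaip(plain, E, E1)
    x_aux = solve_gaip_with_aux(aux, E, E1, Ed, D)
    return x_plain, x_aux, plain.calls, aux.calls


if __name__ == "__main__":
    xp, xa, cp, ca = demo()
    print(f"plain BSGS:      x = {xp}, {cp} action evaluations")
    print(f"with [a^d]*E:    x = {xa}, {ca} action evaluations")
```

With N = 2^20 and d = 2^10 the plain search spends on the order of 2^10 action evaluations while the two-stage search spends on the order of 2^5 + 2^5. Scaling the same count to N ≈ 2^256 and d ≈ 2^128 gives roughly 2^64 evaluations in place of 2^128, which is the asymptotic behind the abstract's numbers; the 68-bit figure in the paper accounts for costs that this toy ignores.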
References
Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_4
Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26
Buchmann, J.A., Düllmann, S.: On the computation of discrete logarithms in class groups. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 134–139. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_9
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_1
Cheon, J.H.: Discrete logarithm problems with auxiliary inputs. J. Cryptol. 23(3), 457–476 (2010)
Cheon, J.H., Kim, T.: A new approach to the discrete logarithm problem with auxiliary inputs. LMS J. Comput. Math. 19(1), 115 (2016)
Cheon, J.H., Kim, T., Song, Y.S.: A group action on \({\mathbb{Z}}_p^{\times }\) and the generalized DLP with auxiliary inputs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 121–135. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_6
Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. CoRR, abs/1012.4019 (2010)
Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptol. ePrint Arch. 2006, 291 (2006)
De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26
Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012)
Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2(4), 837–850 (1989)
Kim, M., Cheon, J.H., Lee, I.: Analysis on a generalized algorithm for the strong discrete logarithm problem with auxiliary inputs. Math. Comput. 83(288), 1993–2004 (2014)
Kim, T.: Extended tower number field sieve: a new complexity for medium prime case. IACR Cryptol. ePrint Arch. 2015, 1027 (2015)
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptol. ePrint Arch. 2006, 145 (2006)
Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris 273, 238–241 (1971)
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Kim, T. (2020). Security Analysis of Group Action Inverse Problem with Auxiliary Inputs with Application to CSIDH Parameters. In: Seo, J. (eds) Information Security and Cryptology – ICISC 2019. ICISC 2019. Lecture Notes in Computer Science(), vol 11975. Springer, Cham. https://doi.org/10.1007/978-3-030-40921-0_10
DOI: https://doi.org/10.1007/978-3-030-40921-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-40920-3
Online ISBN: 978-3-030-40921-0
eBook Packages: Computer Science (R0)