Low Memory Attacks on Small Key CSIDH

Abstract

Despite recent breakthrough results in attacking SIDH, the CSIDH protocol remains a secure post-quantum key exchange protocol with appealing properties. However, for obtaining efficient CSIDH instantiations one has to resort to small secret keys. In this work, we provide novel methods to analyze small key CSIDH, thereby introducing the representation method —that has been successfully applied for attacking small secret keys in code- and lattice-based schemes— also to the isogeny-based world.

We use the recently introduced Restricted Effective Group Actions (\(\textsf{REGA}\)) to illustrate the analogy between CSIDH and Diffie-Hellman key exchange. This framework allows us to introduce a \(\textsf{REGA}\text {-}\textsf{DLOG}\) problem as a level of abstraction to computing isogenies between elliptic curves, analogous to the classic discrete logarithm problem. This in turn allows us to study \(\textsf{REGA}\text {-}\textsf{DLOG}\) with ternary key spaces such as \(\{-1, 0, 1\}^n, \{0,1,2\}^n\) and \(\{-2,0,2\}^n\), which lead to especially efficient, recently proposed CSIDH instantiations. The best classic attack on these key spaces is a Meet-in-the-Middle algorithm that runs in time \(3^{0.5 n}\), using also \(3^{0.5 n}\) memory.

We first show that \(\textsf{REGA}\text {-}\textsf{DLOG}\) with ternary key spaces \(\{0,1,2\}^n\) or \(\{-2,0,2\}^n\) can be reduced to the ternary key space \(\{-1,0,1\}^n\).

We further provide a heuristic time-memory tradeoff for \(\textsf{REGA}\text {-}\textsf{DLOG}\) with keyspace \(\{-1,0,1\}^n\) based on Parallel Collision Search with memory requirement M that under standard heuristics runs in time \(3^{0.75 n}/M^{0.5}\) for all \(M \le 3^{n/2}\). We then use the representation technique to heuristically improve to \(3^{0.675n}/M^{0.5}\) for all \(M \le 3^{0.22 n}\), and further provide more efficient time-memory tradeoffs for all \(M \le 3^{n/2}\).

Although we focus in this work on \(\textsf{REGA}\text {-}\textsf{DLOG}\) with ternary key spaces for showing its efficacy in providing attractive time-memory tradeoffs, we also show how to use our framework to analyze larger key spaces \(\{-m, \ldots , m\}^n\) with \(m = 2,3\).

A The Case of Larger m

For larger choices of m we still assume that each coordinate is present \(\frac{n}{2m+1}\) times in the solution. For any constant m, this is the case for a polynomial fraction of all keys, and can be ensure with subexponential overhead similar to the procedure explained in Sect. 4.4. Further, we always use partial representations, i.e., the domains consist, similar to Sect. 4.2 and Sect. 4.3 of three parts of length \(\frac{(1-\delta )n}{2}, \frac{(1-\delta )n}{2}\) and \(\delta n\). Here we assume that each coordinate is present proportionally to the length of the segment, e.g., that the last segment contains each coordinate exactly \(\frac{\delta n}{2m +1}\) times, which again can be ensured at the cost of a polynomial overhead only.

As outlined in Sect. 4.5, for each choice of m we now specify the used function domains and derive the amount representations of the solution. Let us start with the case of \(m=2\).

The Case of \(m=2\). We are looking for a solution \(\textbf{v}\in \{-2,\ldots ,2\}\). For our first instantiation we use the same function definitions as in Sect. 4.3 given in Eqs. (8) and (9), where we choose a different \(\alpha \) and \(\beta \), specified later. Let us again specify the possible representations of each entry (similar to Eq. (10))

$$\begin{aligned} \begin{aligned} 0&:{} & {} \underbrace{0+0}_{z_0}, \quad{} & {} \underbrace{1-1}_{z_1},\quad{} & {} \underbrace{-1+1}_{z_1},\quad{} & {} \underbrace{2-2}_{z_2},\quad \quad \underbrace{-2+2}_{z_2},\\ 1&:{} & {} \underbrace{1+0}_{\frac{\delta n}{10}-o},\quad{} & {} \underbrace{0+1}_{\frac{\delta n}{10}-o},\quad{} & {} \underbrace{2-1}_{o},\quad{} & {} \underbrace{-1+2}_{o},\\ -1&:{} & {} \underbrace{-1+0}_{\frac{\delta n}{10}-o},\quad{} & {} \underbrace{0-1}_{\frac{\delta n}{10} -o},\quad{} & {} \underbrace{-2+1}_{o},\quad{} & {} \underbrace{1-2}_{o}.\\ 2&:{} & {} \underbrace{2+0}_{\frac{\delta n}{10}-\frac{t}{2}},\quad{} & {} \underbrace{0+2}_{\frac{\delta n}{10}-\frac{t}{2}},\quad{} & {} \underbrace{1+1}_{t}, \quad{} & {} \\ -2&:{} & {} \underbrace{-2+0}_{\frac{\delta n}{10}-\frac{t}{2}},\quad{} & {} \underbrace{0-2}_{\frac{\delta n}{10}-\frac{t}{2}},\quad{} & {} \underbrace{-1-1}_{t}. \quad{} & {} \end{aligned} \end{aligned}$$

Recall, that we have only representations on the last segment of length \(\delta n\). As we expect any coordinate to be present \(\delta n / 5\) times, we need that the numbers below the representations in every row sum to \(\delta n/5\). Therefore we have

$$ z_0+2z_1+2z_2 = \delta n/5 \quad \Leftrightarrow \quad z_0 = \delta n/5-2z_1-2z_2. $$

Further by counting the respective number of \(\pm 1\) and \(\pm 2\) entries in those representations we obtain

$$ \alpha = \frac{1}{10} +\frac{z_1+t}{\delta }\quad \text {and}\quad \beta = \frac{1}{10} +\frac{z_2-t/2+o}{\delta }, $$

while the number of representations is given as

$$ R=\left( {\begin{array}{c}\frac{\delta n}{5}\\ z_0,z_1,z_1,z_2,z_2\end{array}}\right) \left( {\begin{array}{c}\frac{\delta n}{5}\\ \frac{\delta n}{10}-o,\frac{\delta n}{10}-o,o,o\end{array}}\right) ^2\left( {\begin{array}{c}\frac{\delta n}{5}\\ \frac{\delta n}{10}-\frac{t}{2},\frac{\delta n}{10}-\frac{t}{2},t\end{array}}\right) ^2. $$

The values of \(z_1,z_2,o,t\) and \(\delta \) are subject to numerical optimization.

Increased Representations for \(m=2\). In the following we represent \(\textbf{v}\) on its last \(\delta n\) coordinates via the sum of two vectors \(\textbf{x}_0, \textbf{x}_1 \in \{-3,\ldots ,3\}^{\delta n}\). Similar to including \(-2\) and 2 entries in the case of \(m=1\) (Sect. 4.3), this leads to an increased amount of representations and in turn a runtime improvement.

First we naturally extend the definition \(\mathcal {T}^{n}(\alpha ,\beta )\) from Eq. (7) to \(\mathcal {T}^{n}(\alpha ,\beta ,\gamma )\), where in the latter case included vectors contain exactly \(\gamma n\) entries equal to \(\pm 3\) each. Then we let the new function domains be defined as

$$\begin{aligned} \begin{aligned} S_0:= & {} \mathcal {T}^{\frac{(1-\delta )n}{2}}(1/3)\times & {} 0^{\frac{(1-\delta ) n}{2}}&\times \mathcal {T}^{\delta n}(\alpha ,\beta ,\gamma )\quad \text {and}\\ S_1:= & {} 0^{\frac{(1-\delta ) n}{2}}\times & {} \mathcal {T}^{\frac{(1-\delta )n}{2}}(1/3)&\times \mathcal {T}^{\delta n}(\alpha ,\beta ,\gamma ), \end{aligned} \end{aligned}$$

(11)

Accordingly we let their common image space be \(S=\mathcal {T}^{\frac{(1-\delta )n}{2}}(1/3)\times \mathcal {T}^{\delta n}(\alpha ,\beta ,\gamma )\).

Now we obtain additional representations of any 0, \(\pm 1\) and \(\pm 2\) entry. Let us again specify all representations and how often they appear in the addition.

$$\begin{aligned} \begin{aligned} 0&:{} & {} \underbrace{0+0}_{z_0},{} & {} \quad \underbrace{1-1}_{z_1},{} & {} \underbrace{-1+1}_{z_1},{} & {} \quad \underbrace{2-2}_{z_2},{} & {} \underbrace{-2+2}_{z_2},{} & {} \quad \underbrace{-3+3}_{z_3},{} & {} \underbrace{-3+3}_{z_3},\\ 1&:{} & {} \underbrace{1+0,}_{\frac{\delta n}{10}-o-d_1}{} & {} \quad \underbrace{0+1,}_{\frac{\delta n}{10}-o-d_1}{} & {} \underbrace{2-1}_{o},{} & {} \quad \underbrace{-1+2}_{o},{} & {} \underbrace{3-2}_{d_1},{} & {} \quad \underbrace{-2+3}_{d_1},\\ -1&:{} & {} \underbrace{-1+0,}_{\frac{\delta n}{10}-o-d_1}{} & {} \quad \underbrace{0-1,}_{\frac{\delta n}{10} -o-d_1}{} & {} \underbrace{-2+1}_{o},{} & {} \quad \underbrace{1-2}_{o},{} & {} \underbrace{-3+2}_{d_1},{} & {} \quad \underbrace{2-3}_{d_1},\\ 2&:{} & {} \underbrace{2+0}_{\frac{\delta n}{10}-\frac{t}{2}-d_2},{} & {} \quad \underbrace{0+2}_{\frac{\delta n}{10}-\frac{t}{2}-d_2},{} & {} \underbrace{1+1}_{t},{} & {} \quad \underbrace{3-1}_{d_2},{} & {} \underbrace{-1+3}_{d_2},\\ -2&:{} & {} \underbrace{-2+0}_{\frac{\delta n}{10}-\frac{t}{2}-d_2},{} & {} \quad \underbrace{0-2}_{\frac{\delta n}{10}-\frac{t}{2}-d_2},{} & {} \underbrace{-1-1}_{t}{} & {} \quad \underbrace{-3+1}_{d_2},{} & {} \underbrace{1-3}_{d_2}. \end{aligned} \end{aligned}$$

(12)

Analogously to before we have

$$ z_0+2z_1+2z_2+2z_3 = \delta n/5 \quad \Leftrightarrow \quad z_0 = \delta n/5-2z_1-2z_2-2z_3. $$

Further by counting we obtain

$$\begin{aligned} \begin{aligned} \alpha&= \frac{1}{10} +\frac{z_1+t-d_1+d_2}{\delta },\quad \beta = \frac{1}{10} +\frac{z_2-t/2+o-d_2+d_1}{\delta } \quad \text {and}\quad \\ \gamma&= \frac{z_3+d_1+d_2}{\gamma } \end{aligned} \end{aligned}$$

while the number of representations increases to

$$\begin{aligned} \begin{aligned} R=&\left( {\begin{array}{c}\frac{\delta n}{5}\\ z_0,z_1,z_1,z_2,z_2,z_3,z_3\end{array}}\right) \left( {\begin{array}{c}\frac{\delta n}{5}\\ \frac{\delta n}{10}-o-d_1,\frac{\delta n}{10}-o-d_1,o,o,d_1,d_1\end{array}}\right) ^2\\&\cdot \left( {\begin{array}{c}\frac{\delta n}{5}\\ \frac{\delta n}{10}-\frac{t}{2}-d_2,\frac{\delta n}{10}-\frac{t}{2}-d_2,t,d_2,d_2\end{array}}\right) ^2. \end{aligned} \end{aligned}$$

The values of \(z_1,z_2,z_3,o,t,d_1,d_2\) and \(\delta \) are subject to numerical optimization.

Finally let us consider the case of \(m=3\).

The Case of \(m=3\). We now have a solution \(\textbf{v}\in \{-3,\dots ,3\}\). We represent this solution by using the same function domains as specified in Eq. (11), with an adapted choice of \(\alpha ,\beta \) and \(\gamma \).

The possible representations stay therefore as specified in Eq. (12), by replacing \(\frac{\gamma n}{10}\) by \(\frac{\gamma n}{14}\). Since every row has now to add up to \(\frac{\gamma n}{7}\) we obtain

$$ z_0+2z_1+2z_2+2z_3 = \delta n/7 \quad \Leftrightarrow \quad z_0 = \delta n/7-2z_1-2z_2-2z_3. $$

We now get additionally representations for the \(\pm 3\) entries in \(\textbf{v}\):

$$\begin{aligned} \begin{aligned} 3&:{} & {} \underbrace{3+0}_{\frac{\delta n}{14}-d_3},{} & {} \quad \underbrace{0+3}_{\frac{\delta n}{14}-d_3},{} & {} \underbrace{2+1}_{d_3},{} & {} \quad \underbrace{1+2}_{d_3},\\ -3&:{} & {} \underbrace{-3+0}_{\frac{\delta n}{14}-d_3},{} & {} \quad \underbrace{0-3}_{\frac{\delta n}{14}-d_3},{} & {} \underbrace{-2-1}_{d_3}{} & {} \quad \underbrace{-1-2}_{d_3}. \end{aligned} \end{aligned}$$

This leads to the adapted choices of

$$\begin{aligned} \begin{aligned} \alpha&= \frac{1}{14} +\frac{z_1+t-d_1+d_2}{\delta },\quad \beta = \frac{1}{14} +\frac{z_2-t/2+o-d_2+d_1}{\delta } \quad \text {and}\quad \\ \gamma&= \frac{1}{14} + \frac{z_3+d_1+d_2-d_3}{\gamma }. \end{aligned} \end{aligned}$$

Eventually the amount of representations is given as

$$\begin{aligned} \begin{aligned} R=&\left( {\begin{array}{c}\frac{\delta n}{7}\\ z_0,z_1,z_1,z_2,z_2,z_3,z_3\end{array}}\right) \left( {\begin{array}{c}\frac{\delta n}{7}\\ \frac{\delta n}{14}-o-d_1,\frac{\delta n}{14}-o-d_1,o,o,d_1,d_1\end{array}}\right) ^2\\&\cdot \left( {\begin{array}{c}\frac{\delta n}{7}\\ \frac{\delta n}{14}-\frac{t}{2}-d_2,\frac{\delta n}{14}-\frac{t}{2}-d_2,t,d_2,d_2\end{array}}\right) ^2 \left( {\begin{array}{c}\frac{\delta n}{7}\\ \frac{\delta n}{14}-d_3,\frac{\delta n}{14}-d_3,d3,d3\end{array}}\right) ^2. \end{aligned} \end{aligned}$$