Abstract
Despite recent breakthrough results in attacking SIDH, the CSIDH protocol remains a secure post-quantum key exchange protocol with appealing properties. However, for obtaining efficient CSIDH instantiations one has to resort to small secret keys. In this work, we provide novel methods to analyze small key CSIDH, thereby introducing the representation method —that has been successfully applied for attacking small secret keys in code- and lattice-based schemes— also to the isogeny-based world.
We use the recently introduced Restricted Effective Group Actions (\(\textsf{REGA}\)) to illustrate the analogy between CSIDH and Diffie-Hellman key exchange. This framework allows us to introduce a \(\textsf{REGA}\text {-}\textsf{DLOG}\) problem as a level of abstraction to computing isogenies between elliptic curves, analogous to the classic discrete logarithm problem. This in turn allows us to study \(\textsf{REGA}\text {-}\textsf{DLOG}\) with ternary key spaces such as \(\{-1, 0, 1\}^n, \{0,1,2\}^n\) and \(\{-2,0,2\}^n\), which lead to especially efficient, recently proposed CSIDH instantiations. The best classic attack on these key spaces is a Meet-in-the-Middle algorithm that runs in time \(3^{0.5 n}\), using also \(3^{0.5 n}\) memory.
We first show that \(\textsf{REGA}\text {-}\textsf{DLOG}\) with ternary key spaces \(\{0,1,2\}^n\) or \(\{-2,0,2\}^n\) can be reduced to the ternary key space \(\{-1,0,1\}^n\).
We further provide a heuristic time-memory tradeoff for \(\textsf{REGA}\text {-}\textsf{DLOG}\) with keyspace \(\{-1,0,1\}^n\) based on Parallel Collision Search with memory requirement M that under standard heuristics runs in time \(3^{0.75 n}/M^{0.5}\) for all \(M \le 3^{n/2}\). We then use the representation technique to heuristically improve to \(3^{0.675n}/M^{0.5}\) for all \(M \le 3^{0.22 n}\), and further provide more efficient time-memory tradeoffs for all \(M \le 3^{n/2}\).
Although we focus in this work on \(\textsf{REGA}\text {-}\textsf{DLOG}\) with ternary key spaces for showing its efficacy in providing attractive time-memory tradeoffs, we also show how to use our framework to analyze larger key spaces \(\{-m, \ldots , m\}^n\) with \(m = 2,3\).
Notes
- 1. More precisely, it relies on slightly modified versions of the problems, where the adversary additionally knows that there exists a solution with \(g \in \mathcal {H}\subset \mathcal {G}\).
- 2. Note that we later use \(\mathcal {O}\) also in the context of standard Landau notation for complexity statements; however, its meaning will be clear from the context.
Acknowledgements
Sabrina Kunzweiler and Alexander May were funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972.
A The Case of Larger m
For larger choices of m we still assume that each coordinate is present \(\frac{n}{2m+1}\) times in the solution. For any constant m, this is the case for a polynomial fraction of all keys, and it can be ensured with subexponential overhead, similar to the procedure explained in Sect. 4.4. Further, we always use partial representations, i.e., the domains consist, similar to Sect. 4.2 and Sect. 4.3, of three parts of length \(\frac{(1-\delta )n}{2}, \frac{(1-\delta )n}{2}\) and \(\delta n\). Here we assume that each coordinate is present proportionally to the length of the segment, e.g., that the last segment contains each coordinate exactly \(\frac{\delta n}{2m +1}\) times, which again can be ensured at the cost of only a polynomial overhead.
As outlined in Sect. 4.5, for each choice of m we now specify the function domains used and derive the number of representations of the solution. Let us start with the case of \(m=2\).
The Case of \(m=2\). We are looking for a solution \(\textbf{v}\in \{-2,\ldots ,2\}^n\). For our first instantiation we use the same function definitions as in Sect. 4.3 given in Eqs. (8) and (9), where we choose a different \(\alpha \) and \(\beta \), specified later. Let us again specify the possible representations of each entry (similar to Eq. (10))
Recall that we have representations only on the last segment of length \(\delta n\). As we expect any coordinate to be present \(\delta n / 5\) times, we need that the numbers below the representations in every row sum to \(\delta n/5\). Therefore we have
Further by counting the respective number of \(\pm 1\) and \(\pm 2\) entries in those representations we obtain
while the number of representations is given as
The values of \(z_1,z_2,o,t\) and \(\delta \) are subject to numerical optimization.
Increased Representations for \(m=2\). In the following we represent \(\textbf{v}\) on its last \(\delta n\) coordinates via the sum of two vectors \(\textbf{x}_0, \textbf{x}_1 \in \{-3,\ldots ,3\}^{\delta n}\). Similar to including \(-2\) and 2 entries in the case of \(m=1\) (Sect. 4.3), this leads to an increased number of representations and in turn a runtime improvement.
First we naturally extend the definition \(\mathcal {T}^{n}(\alpha ,\beta )\) from Eq. (7) to \(\mathcal {T}^{n}(\alpha ,\beta ,\gamma )\), where in the latter case included vectors contain exactly \(\gamma n\) entries equal to \(\pm 3\) each. Then we let the new function domains be defined as
Accordingly we let their common image space be \(S=\mathcal {T}^{\frac{(1-\delta )n}{2}}(1/3)\times \mathcal {T}^{\delta n}(\alpha ,\beta ,\gamma )\).
Now we obtain additional representations of any 0, \(\pm 1\) and \(\pm 2\) entry. Let us again specify all representations and how often they appear in the addition.
Analogously to before we have
Further by counting we obtain
while the number of representations increases to
The values of \(z_1,z_2,z_3,o,t,d_1,d_2\) and \(\delta \) are subject to numerical optimization.
Finally let us consider the case of \(m=3\).
The Case of \(m=3\). We now have a solution \(\textbf{v}\in \{-3,\dots ,3\}^n\). We represent this solution by using the same function domains as specified in Eq. (11), with an adapted choice of \(\alpha ,\beta \) and \(\gamma \).
The possible representations therefore stay as specified in Eq. (12), replacing \(\frac{\gamma n}{10}\) by \(\frac{\gamma n}{14}\). Since every row now has to add up to \(\frac{\gamma n}{7}\), we obtain
We now get additional representations for the \(\pm 3\) entries in \(\textbf{v}\):
This leads to the adapted choices of
Finally, the number of representations is given as
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Chi-Domínguez, JJ., Esser, A., Kunzweiler, S., May, A. (2023). Low Memory Attacks on Small Key CSIDH. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_11
DOI: https://doi.org/10.1007/978-3-031-33491-7_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33490-0
Online ISBN: 978-3-031-33491-7