A Note on the Security of CSIDH

Biasse, Jean‐François; Iezzi, Annamaria; Jacobson, Michael J.

doi:10.1007/978-3-030-05378-9_9

Cited by 19 publications

(31 citation statements)

References 29 publications

(54 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Biasse, Iezzi, and Jacobson [4] work out some more details of the attack ideas mentioned above for Regev's algorithm. They focus on the class-groupcomputation part of the oracle and they work out how to represent random elements of the class group as a product of small prime ideals.…”

Section: Quantum Securitymentioning

confidence: 99%

CSIDH: An Efficient Post-Quantum Commutative Group Action

Castryck

Lange

Martindale

et al. 2018

Lecture Notes in Computer Science

322

342

View full text Add to dashboard Cite

We propose an efficient commutative group action suitable for non-interactive key exchange in a post-quantum setting. Our construction follows the layout of the Couveignes-Rostovtsev-Stolbunov cryptosystem, but we apply it to supersingular elliptic curves defined over a large prime field Fp, rather than to ordinary elliptic curves. The Diffie-Hellman scheme resulting from the group action allows for publickey validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST's post-quantum security category I.

show abstract

Section: Quantum Securitymentioning

confidence: 99%

CSIDH: An Efficient Post-Quantum Commutative Group Action

Castryck

Lange

Martindale

et al. 2018

Lecture Notes in Computer Science

322

342

View full text Add to dashboard Cite

show abstract

“…Under the original parameter choices and security analysis in [5], CSIDH-based NIKE is both faster and more compact than SIDH-based NIKE for a given security level, even with our improvements. However, subsequent analyses [3,4] indicate that CSIDH may not be as secure as originally estimated. Hence, we believe our improvements are still worth proposing, since they could lead to further improvements which might make SIDH competitive in this setting.…”

Section: Related Workmentioning

confidence: 99%

“…Under a naive estimate, typically three of the shared secrets will be wrong, and the number of possible wrong answers for each shared secret is ℓ(ℓ + 1). The attacker then has to search through a space of Ω((ℓ(ℓ + 1)) 3 ) possibilities. If Alice has α public keys, the cost is therefore Ω((ℓ(ℓ + 1)) 3α…”

Section: Using Multiple Secrets In Key Exchangementioning

confidence: 99%

New Techniques for SIDH-based NIKE

Urbanik

Jao

2020

Journal of Mathematical Cryptology

View full text Add to dashboard Cite

AbstractWe consider the problem of producing an efficient, practical, quantum-resistant non-interactive key exchange (NIKE) protocol based on Supersingular Isogeny Diffie-Hellman (SIDH). An attack of Galbraith, Petit, Shani and Ti rules out the use of naïve forms of the SIDH construction for this application, as they showed that an adversary can recover private key information when supplying an honest party with malformed public keys. Subsequently, Azarderakhsh, Jao and Leonardi presented a method for overcoming this attack using multiple instances of the SIDH protocol, but which increases the costs associated with performing a key exchange by factors of up to several thousand at typical security levels. In this paper, we present two new techniques to reduce the cost of SIDH-based NIKE, with various possible tradeoffs between key size and computational cost.

show abstract

“…If the trapdoor is kept secret, one obtains a signature/identification protocol based on walks in isogeny graphs; if the trapdoor is made public, one obtains a VDF. 7 We will present our instantiations in Section 5.…”

Section: A New Vdf Construction Frameworkmentioning

confidence: 99%

“…The best known classical attacks, both for the F p and the F p 2 case, are in the square root of the graph size (respectively, O( 4 √ p) and O( √ p)). But key recovery is hard even for quantum computers: the best attack for the F p case is Kuperberg's algorithm for the Hidden Shift Problem [49,63,50,18,13,7,39,5], which finds φ in exp( log(p)) quantum operations; whereas in the F p 2 case quantum computers give a square-root speedup via Grover's algorithm at best [8]. Hence, both identification protocols have a security property similar to the quantum annoyance defined in Defintion 2: any forgery requires running a new instance of Shor's algorithm, while key recovery is infeasible on quantum computers.…”

Section: Attacksmentioning

confidence: 99%