@@ -209,7 +209,7 @@ \section*{Preface}
209209Many students have contributed by pointing out mistakes and helping
210210fixing them. %
211211We would like to thank, in particular, Simon Masson, Marcel Müller,
212- Martin Strand, Vadym Fedyukovych and Tomáš Novotny, Sina Schaeffler,
212+ Martin Strand, Vadym Fedyukovych, Tomáš Novotny, Sina Schaeffler,
213213Val\' erien Hatey, Mehdi Kermaoui, and apologize to all those students
214214whose name we've forgot.
215215
@@ -3023,18 +3023,21 @@ \section{Cryptographic group actions}
30233023hardness properties correspond to the following three problems.
30243024
30253025\begin {problem }[Group action inverse problem, Vectorization]
3026+ \label {prob:gaip }
30263027 Given two elliptic curves $ E,E'$
30273028 order $ \O $ $ \frak a⊂\O $
30283029 $ E'=\frak a · E$
30293030\end {problem }
30303031
30313032\begin {problem }[Parallelization, Group action CDH]
3033+ \label {prob:ga-cdh }
30323034 Let $ E,E'$ $ \O $ %
30333035 Let $ \frak a ∈ \Cl (\O )$ %
30343036 Given $ (E, \frak a·E, E')$ $ \frak a·E'$
30353037\end {problem }
30363038
30373039\begin {problem }[Group action DDH]
3040+ \label {prob:ga-ddh }
30383041 Let $ E,E'$ $ \O $ %
30393042 Let $ \frak a ∈ \Cl (\O )$ %
30403043 Given a tuple $ (E,\frak a·E,E',E'')$
@@ -3374,7 +3377,8 @@ \section{CSIDH and oriented supersingular curves}
33743377$ \End (E)$ $ \F _q$
33753378endomorphism of $ E$ %
33763379\footnote {There are, in fact, two possibilities for $ \End _{\F _p}(E)$
3377- namely $ ℤ[π]$ $ ℤ[(π+1 )/2 ]$ %
3380+ namely $ ℤ[π]$ $ ℤ[(π-1 )/2 ]$ $ π-1 $
3381+ on all of $ E[2 ]$ %
33783382Then, $ \Cl (ℤ[π])$ $ \F _q$
33793383supersingular curves, like in the CM case. %
33803384This fact was first observed in~\cite {Delfs2016 } and then leveraged
@@ -3410,86 +3414,127 @@ \section{CSIDH and oriented supersingular curves}
34103414 \label {fig:csidh }
34113415\end {figure }
34123416
3413- Supersingular curves over a prime field and the CSIDH group action are
3414- a special case of a more general setting called \emph {orientations of
3415- supersingular curves }. %
3416- Oriented curves are pairs $ (E, \O \hookrightarrow \End (E))$ $ E$
3417- is a supersingular curve and $ \O \hookrightarrow \End (E)$
3418- embedding of a quadratic imaginary order inside $ \End (E)$ %
3419- As Kohel and Coló showed~\cite {ColoKohel +2020 +414 +437 }, $ \Cl (\O )$
3420- on these curves like in the CM case, and this was leveraged
3417+ To encompass the ordinary and the supersingular case at once, we
3418+ introduce the terminology of orientations. %
3419+
3420+ \begin {definition }[Oriented curve]
3421+ \label {def:oriented-curve }
3422+ Let $ \O $ %
3423+ An \emph {$ \O $ $ E$
3424+ injection $ \O \hookrightarrow \End (E)$ %
3425+ If there is no other quadratic order $ \O ' ⊃ \O $
3426+ $ \O ' \hookrightarrow \End (E)$
3427+ \emph {primitive }.
3428+ \end {definition }
3429+
3430+ Theorems analogous to the \hyperref [th:compl-mul]{fundamental theorem
3431+ of complex multiplication} apply to oriented curves; in particular,
3432+ $ \Cl (\O )$ %
3433+ \footnote {The action is not always transitive: depending on the case,
3434+ there may be one or two orbits.} %
3435+ on primitively $ \O $
3436+ See~\cite {ColoKohel +2020 +414 +437 ,onuki2021 } for details.
3437+
3438+ Thus, CSIDH is an instance of a $ ℤ[π]$ %
3439+ Orientations induced by the Frobenius endomorphism are easy to work
3440+ with, because the action of Frobenius on $ E[ℓ_i]$
3441+ to compute. %
3442+ However, with some extra effort, it is possible to compute the class
3443+ group action on many other oriented supersingular isogeny classes:
3444+ This was first observed by Kohel and
3445+ Coló~\cite {ColoKohel +2020 +414 +437 }, and then leveraged
34213446in~\cite {PKC:DFKLMPW23 } to define an analogue of CSIDH, named SCALLOP,
3422- based on orientations by arbitrary orders.
3447+ based on orientations by suborders of large prime conductor inside a
3448+ maximal order of small discriminant.
34233449
34243450
34253451\section {Security and quantum computers }
34263452
34273453We now do a quick review of the security of protocols based on complex
34283454multiplication. %
3429- The cornerstone of isogeny based cryptography is the isogeny path
3430- problem: given isogenous curves $ E$ $ E'$
3431- degree between them. %
3432- CM based protocols are no exception: find an isogeny walk between $ E$
3433- and $ E'$ %
3434- Naturally, the first parameter to look at is the size of the isogeny
3435- class of $ E,E'$
3436- force. %
3437-
3438- For simplicity we assume that $ E$ $ E'$
3439- by a maximal order. %
3440- Indeed, if this is not the case, we may use the theory of isogeny
3441- volcanoes to find ascending paths from $ E$ $ E'$
3442- $ \hat {E},\hat {E}'$ %
3443- \footnote {Ascending an $ \ell $
3444- as $ \ell $ %
3445- However SCALLOP~\cite {PKC:DFKLMPW23 } uses supersingular curves
3446- oriented by a non-maximal quadratic order of large prime conductor,
3447- a case where it is not currently known how to efficiently walk to
3448- the maximal order.} %
3449- Then, we are left with the problem of finding a horizontal isogeny
3450- between $ \hat {E}$ $ \hat {E'}$ %
3451- Since the horizontal isogeny class of $ \O _K$
3452- horizontal isogeny classes of curves with complex multiplication by
3453- some $ \O ⊂\O _K$
3454- Galbraith, Hess and
3455- Smart~\cite {EC:GalHesSma02 ,galbraith +stolbunov11 }.%
3456-
3457- \begin {problem }[Horizontal isogeny path problem]
3455+ The cornerstone of isogeny based cryptography is the \emph {isogeny
3456+ path problem }: given isogenous curves $ E$ $ E'$
3457+ them in \emph {some } isogeny graph. %
3458+ CM-based protocols are no exception: find an isogeny walk between $ E$
3459+ and $ E'$ \hyperref [prob:gaip]{group action
3460+ inverse problem} is solved. %
3461+ We restate this problem using our newly introduced terminology; for
3462+ simplicity, we restrict to primitive orientations.
3463+
3464+ \begin {problem }[Oriented isogeny path problem]
34583465 \label {prob:hiwp }
3459- Let $ \F _q$ $ \O _K$
3460- of a quadratic imaginary field $ K=ℚ(\sqrt {-D})$ %
3461- Given two elliptic curves $ E,E'$ $ \F _q$
3462- multiplication by $ \O _K$ $ E→E'$
3466+ \footnote {This problem is almost identical to the \emph {effective
3467+ $ \O $ } problem of~\cite {EC:Wesolowski22 }.} %
3468+ Let $ \F _q$ $ \O $
3469+ order $ \O ⊂ K$ %
3470+ Given two isogenous primitively $ \O $ $ E,E'$
3471+ defined over $ \F _q$ $ E→E'$
34633472\end {problem }
34643473
3465- The size of the horizontal isogeny class is $ h(\O _K)$
3466- the class number formula that this is in $ O(\sqrt {Δ_K}\log Δ_K)$
3467- for the typical isogeny class\footnote {Including the isogeny class of
3468- trace zero supersingular curves used in CSIDH.}, $ Δ_K=O(q)$ %
3474+ Naturally, the first parameter to look at is the size of the
3475+ $ \O $
3476+ brute force. %
34693477The best generic attack against the \nameref {prob:hiwp } is a
34703478Pollard-rho style algorithm, performing random walks from $ E$ $ E'$
34713479until a collision is found~\cite {GHS }. %
3472- Its average complexity is $ O(\sqrt {h(\O _K)})$ $ O(q^{1/4})$
3473- typical isogeny class. %
3474- This justifies choosing a prime $ q$ $ 4 n$
3475- of $ 2 ^n$
3476- does~\cite {AC:CLMPR18 }.
3477-
3478- However, we must also ensure that the key space covers the whole
3479- $ \Ell _q(\O _K)$ %
3480- This means that isogeny walks, as in Eq.~\eqref {eq:iso-walk }, must be
3481- sampled from a relatively large subset $ S⊂\Cl (\O _K)$
3482- $ \# S\gg \log q$ %
3483- For efficiency reasons, practical instantiations take $ S$
3484- enough: $ \# S\sim (\log q)/2 $ %
3485- \footnote {Additional constraints in CSIDH force $ \# S$
3486- $ (\log q)/(\loglog q)$ %
3487- however it will not go unnoticed that this choice is insufficient to
3488- apply Theorem~\ref {th:ord-exp }. %
3489- We may as well live with it, changing our security assumptions to take
3490- into account the biased distributions given by random walks in graphs
3491- that are not provably expander families, but behave in practice as
3492- such. %
3480+ Its average complexity is $ O(\sqrt {h(\O )})$
3481+ class number of $ \O $ %
3482+
3483+ When $ \O $ $ K$
3484+ formula that $ h(\O )$ $ O(\sqrt {Δ_K}\log Δ_K)$ %
3485+ If we take an elliptic curve over $ \F _q$
3486+ overwhelming probability it will be ordinary and $ Δ_K=O(q)$ %
3487+ \footnote {The discriminant of Frobenius can be computed in polynomial
3488+ time using Schoof's algorithm (see
3489+ Appendix~\ref {sec:appl-point-count }), then factoring it gives
3490+ $ Δ_K$ %
3491+ Thus it is generally feasible to find by trial-and-error ordinary
3492+ curves with an adequately large $ Δ_K$ %
3493+ Similarly, in the case of Frobenius-oriented supersingular curves
3494+ (i.e., CSIDH and variants) $ Δ_K = -4 q$ $ Δ_K = -q$ %
3495+ Either way, the generic attack runs in $ O(q^{1/4})$
3496+ justifies choosing a prime $ q$ $ 4 n$
3497+ $ 2 ^n$ \cite {10.1007 /978 -3 -030 -03332 -3_14 ,AC:CLMPR18 }.
3498+
3499+ The generic attack is relevant when the distributions of $ E$ $ E'$
3500+ are independent, e.g.\ when at least one of the two is uniformly
3501+ distributed in the class. %
3502+ However if the key space of a key exchange scheme is not large enough,
3503+ it may be more efficient to perform a brute force search on it. %
3504+ Ideally, we would construct CM graphs with a sufficiently large subset
3505+ of edges $ S⊂\Cl (\O _K)$
3506+ Theorem~\ref {th:ord-exp } applies, thus ensuring that public keys are
3507+ uniformly distributed. %
3508+ However this is seldom efficient, and practical schemes take instead a
3509+ key space just large enough that a search for the secret key is at
3510+ least as expensive as the generic algorithm. %
3511+
3512+ \begin {remark }
3513+ When the orientation is not principal, the first step consists in
3514+ reducing to the principal case using the theory of isogeny
3515+ volcanoes, as first outlined by Galbraith, Hess and
3516+ Smart~\cite {EC:GalHesSma02 ,galbraith +stolbunov11 }.
3517+
3518+ Let $ E$ $ \O $ $ \O _K ⊃ \O $ %
3519+ For each prime $ ℓ$ $ [\O _K:\O ]$
3520+ the level of $ E$ $ ℓ$
3521+ curve on the crater. %
3522+ Repeating for each prime, we obtain an $ \O _K$
3523+ curve $ \hat {E}$ $ E→\hat {E}$ %
3524+ Doing the same for the second curve $ E'$
3525+ $ \O _K$ $ \hat {E}$ $ \hat {E}'$
3526+
3527+ However, these steps are only doable for `` small'' $ ℓ$
3528+ $ ℓ∈\polylog (q)$ %
3529+ In most practical cases, the conductor $ [\O _K:\O ]$
3530+ a handful of small primes and the reduction applies. %
3531+ One notable exception are the public keys used in
3532+ SCALLOP~\cite {PKC:DFKLMPW23 }, which are all principally oriented by
3533+ the same order $ \O $ $ f = [\O _K:\O ]$ %
3534+ In this case, it can be shown that evaluating the ascending
3535+ $ f$
3536+ \end {remark }
3537+
34933538
34943539\paragraph {Quantum security. }
34953540The discussion on security would not be complete without surveying
@@ -3542,10 +3587,11 @@ \section{Security and quantum computers}
35423587As first noted in~\cite {childs2014constructing } and then improved
35433588in~\cite {BIJ18 ,Jao -etal -kuperberg -2018 ,EC:BonSch20 ,EC:Peikert20 },
35443589Kuperberg's algorithm can be used to solve the \nameref {prob:hiwp } as
3545- follows: let $ E,E'$
3546- $ \O _K$ $ f_0 ,f_1 :\Cl (\O _K)\to\Ell _q(\O _K)$
3547- $ f_0 (\a )=\a ·E$ $ f_1 (\a )=\a ·E'$
3548- horizontal isogeny between $ E$ $ E'$ %
3590+ follows: let $ E,E'$
3591+ class $ \mathcal {C}$
3592+ $ f_0 ,f_1 :\Cl (\O )\to\mathcal {C}$ $ f_0 (\a )=\a ·E$ $ f_1 (\a )=\a ·E'$
3593+ then the hidden shift corresponds to the class of a horizontal isogeny
3594+ between $ E$ $ E'$ %
35493595
35503596Kuperberg's algorithm is a game changer for protocols based on complex
35513597multiplication: indeed, to ensure $ 2 ^n$
@@ -4312,7 +4358,7 @@ \section{The effective Deuring correspondence}
43124358\end {proof }
43134359
43144360Even though $ ϕ:E_0 →E$
4315- compute . %
4361+ find . %
43164362We will come back to the problem of computing isogenies of
43174363supersingular curves and its relationship to computing their
43184364endomorphsim rings in Section~\ref {sec:security }.
0 commit comments