Paper 2018/537

Quantum Security Analysis of CSIDH

Xavier Bonnetain and André Schrottenloher

Abstract

CSIDH is a recent proposal for post-quantum non-interactive key-exchange, presented at ASIACRYPT 2018. Based on supersingular elliptic curve isogenies, it is similar in design to a previous scheme by Couveignes, Rostovtsev and Stolbunov, but aims at an improved balance between efficiency and security. In the proposal, the authors suggest concrete parameters in order to meet some desired levels of quantum security. These parameters are based on the hardness of recovering a hidden isogeny between two elliptic curves, using a quantum subexponential algorithm of Childs, Jao and Soukharev. This algorithm combines two building blocks: first, a quantum algorithm for recovering a hidden shift in a commutative group. Second, a computation in superposition of all isogenies originating from a given curve, which the algorithm calls as a black box. In this paper, we give a comprehensive security analysis of CSIDH. Our first step is to revisit three quantum algorithms for the abelian hidden shift problem from the perspective of non-asymptotic cost. There are many possible tradeoffs between the quantum and classical complexities of these algorithms and all of them should be taken into account by security levels. Second, we complete the non-asymptotic study of the black box in the hidden shift algorithm. This allows us to show that the parameters proposed by the authors of CSIDH do not meet their expected quantum security.

Note: Final version.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in EUROCRYPT 2020
Keywords
Post-quantum cryptographyisogeny-based cryptographyhidden shift problemlattices
Contact author(s)
xbonnetain @ uwaterloo ca
andre schrottenloher @ inria fr
History
2020-03-06: last of 9 revisions
2018-06-04: received
See all versions
Short URL
https://ia.cr/2018/537
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2018/537,
      author = {Xavier Bonnetain and André Schrottenloher},
      title = {Quantum Security Analysis of {CSIDH}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/537},
      year = {2018},
      url = {https://eprint.iacr.org/2018/537}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.