Cryptology ePrint Archive: Report 2018/537

Quantum Security Analysis of CSIDH

Xavier Bonnetain and André Schrottenloher

Abstract: CSIDH is a recent proposal for post-quantum non-interactive key-exchange, presented at ASIACRYPT 2018. Based on supersingular elliptic curve isogenies, it is similar in design to a previous scheme by Couveignes, Rostovtsev and Stolbunov, but aims at an improved balance between efficiency and security. In the proposal, the authors suggest concrete parameters in order to meet some desired levels of quantum security. These parameters are based on the hardness of recovering a hidden isogeny between two elliptic curves, using a quantum subexponential algorithm of Childs, Jao and Soukharev. This algorithm combines two building blocks: first, a quantum algorithm for recovering a hidden shift in a commutative group. Second, a computation in superposition of all isogenies originating from a given curve, which the algorithm calls as a black box.

In this paper, we give a comprehensive security analysis of CSIDH. Our first step is to revisit three quantum algorithms for the abelian hidden shift problem from the perspective of non-asymptotic cost. There are many possible tradeoffs between the quantum and classical complexities of these algorithms and all of them should be taken into account by security levels. Second, we complete the non-asymptotic study of the black box in the hidden shift algorithm.

This allows us to show that the parameters proposed by the authors of CSIDH do not meet their expected quantum security.

Category / Keywords: public-key cryptography / Post-quantum cryptography, isogeny-based cryptography, hidden shift problem, lattices

Original Publication (with major differences): IACR-EUROCRYPT-2020

Date: received 31 May 2018, last revised 5 Mar 2020

Contact author: xbonnetain at uwaterloo ca, andre schrottenloher at inria fr

Available format(s): PDF | BibTeX Citation

Note: Final version.

Version: 20200306:034407 (All versions of this report)

Short URL: ia.cr/2018/537


[ Cryptology ePrint archive ]