Cryptology ePrint Archive: Report 2019/1209

On collisions related to an ideal class of order 3 in CSIDH

Hiroshi Onuki and Tsuyoshi Takagi

Abstract: CSIDH is an isogeny-based key exchange, which is a candidate for post-quantum cryptography. It uses the action of an ideal class group on Fp-isomorphic classes of supersingular elliptic curves. In CSIDH, the ideal classes are represented by vectors with integer coefficients. The number of ideal classes represented by these vectors determines the security level of CSIDH. Therefore, it is important to investigate the correspondence between the vectors and the ideal classes. Heuristics show that integer vectors in a certain range represent “almost” uniformly all of the ideal classes. However, the precise correspondence between the integer vectors and the ideal classes is still unclear. In this paper, we investigate the correspondence between the ideal classes and the integer vectors and show that the vector (1, ..., 1) corresponds to an ideal class of order 3. Consequently, the integer vectors in CSIDH have collisions related to this ideal class. Here, we use the word “collision” in the sense of distinct vectors belonging to the same ideal class, i.e., distinct secret keys that correspond to the same public key in CSIDH. We further propose a new ideal representation in CSIDH that does not include these collisions and give formulae for efficiently computing the action of the new representation.

Category / Keywords: public-key cryptography / CSIDH, post-quantum cryptography, isogeny-based cryptography, ideal class groups, supersingular elliptic curve isogenies

Date: received 15 Oct 2019, last revised 15 Oct 2019

Contact author: onuki at mist i u-tokyo ac jp


Note: This paper will appear at Computer Security Symposium 2019 (CSS2019). https://www.iwsec.org/css/2019/english/

Theorem 3 in this paper is essentially the same as Lemma 8 in ePrint Archive: Report 2019/1202.

Version: 20191016:121142

Short URL: ia.cr/2019/1209

