Cryptology ePrint Archive: Report 2020/151

Breaking the decisional Diffie-Hellman problem for class group actions using genus theory

Wouter Castryck and Jana Sotáková and Frederik Vercauteren

Abstract: In this paper, we use genus theory to analyze the hardness of the decisional Diffie--Hellman problem (DDH) for ideal class groups of imaginary quadratic orders, acting on sets of elliptic curves through isogenies; such actions are used in the Couveignes--Rostovtsev--Stolbunov protocol and in CSIDH. Concretely, genus theory equips every imaginary quadratic order $\mathcal{O}$ with a set of assigned characters $\chi : \mathop{cl}(\mathcal{O}) \to \{ \pm 1\}$, and for each such character and every secret ideal class $[\mathfrak{a}]$ connecting two public elliptic curves $E$ and $E' = [\mathfrak{a}] \star E$, we show how to compute $\chi([\mathfrak{a}])$ given only $E$ and $E'$, i.e., without knowledge of $[\mathfrak{a}]$. In practice, this breaks DDH as soon as the class number is even, which is true for a density $1$ subset of all imaginary quadratic orders. For instance, our attack works very efficiently for all supersingular elliptic curves over $\mathbb{F}_p$ with $p \equiv 1 \bmod 4$. Our method relies on computing Tate pairings and walking down isogeny volcanoes.

Category / Keywords: public-key cryptography / Decisional Diffie-Hellman, isogeny-based cryptography, class group action, CSIDH

Original Publication (in the same form): IACR-CRYPTO-2020

Date: received 11 Feb 2020, last revised 30 Jul 2020

Contact author: frederik vercauteren at gmail com,wouter castryck@gmail com

Available format(s): PDF | BibTeX Citation

Version: 20200730:141520 (All versions of this report)

Short URL: ia.cr/2020/151


[ Cryptology ePrint archive ]