Paper 2020/151

Breaking the decisional Diffie-Hellman problem for class group actions using genus theory -- extended version

Abstract

In this paper, we use genus theory to analyze the hardness of the decisional Diffie-Hellman problem for ideal class groups of imaginary quadratic orders acting on sets of elliptic curves through isogenies (DDH-CGA). Such actions are used in the Couveignes-Rostovtsev-Stolbunov protocol and in CSIDH. Concretely, genus theory equips every imaginary quadratic order $$ with a set of assigned characters $$, and for each such character and every secret ideal class $$ connecting two public elliptic curves $$ and $$, we show how to compute $$ given only $$ and $$, i.e. without knowledge of $$. In practice, this breaks DDH-CGA as soon as the class number is even, which is true for a density $$ subset of all imaginary quadratic orders. For instance, our attack works very efficiently for all supersingular elliptic curves over $$ with $$. Our method relies on computing Tate pairings and walking down isogeny volcanoes. We also show that these ideas carry over, at least partly, to abelian varieties of arbitrary dimension. This is an extended version of the paper that was presented at Crypto 2020.