### On the decisional Diffie-Hellman problem for class group actions on oriented elliptic curves

##### Abstract

We show how the Weil pairing can be used to evaluate the assigned characters of an imaginary quadratic order $\mathcal{O}$ in an unknown ideal class $[\mathfrak{a}] \in \mathrm{Cl}(\mathcal{O})$ that connects two given $\mathcal{O}$-oriented elliptic curves $(E, \iota)$ and $(E', \iota') = [\mathfrak{a}](E, \iota)$. When specialized to ordinary elliptic curves over finite fields, our method is conceptually simpler and often faster than a recent approach due to Castryck, Sot\'akov\'a and Vercauteren, who rely on the Tate pairing instead. The main implication of our work is that it breaks the decisional Diffie–Hellman problem for practically all oriented elliptic curves that are acted upon by an even-order class group. It can also be used to better handle the worst cases in Wesolowski's recent reduction from the vectorization problem for oriented elliptic curves to the endomorphism ring problem, leading to a method that always works in sub-exponential time.

Available format(s)
Category
Public-key cryptography
Publication info
Published elsewhere. ANTS XV -- Research in Number Theory
Keywords
decisional Diffie-Hellman isogeny-based cryptography oriented elliptic curves class group action Weil pairing
Contact author(s)
wouter castryck @ esat kuleuven be
houben mr @ gmail com
frederik vercauteren @ esat kuleuven be
benjamin wesolowski @ math u-bordeaux fr
History
2022-10-01: last of 2 revisions
See all versions
Short URL
https://ia.cr/2022/345

CC BY

BibTeX

@misc{cryptoeprint:2022/345,
author = {Wouter Castryck and Marc Houben and Frederik Vercauteren and Benjamin Wesolowski},
title = {On the decisional Diffie-Hellman problem for class group actions on oriented elliptic curves},
howpublished = {Cryptology ePrint Archive, Paper 2022/345},
year = {2022},
note = {\url{https://eprint.iacr.org/2022/345}},
url = {https://eprint.iacr.org/2022/345}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.