Paper 2023/507

Low Memory Attacks on Small Key CSIDH

Abstract

Despite recent breakthrough results in attacking SIDH, the CSIDH protocol remains a secure post-quantum key exchange protocol with appealing properties. However, for obtaining efficient CSIDH instantiations one has to resort to small secret keys. In this work, we provide novel methods to analyze small key CSIDH, thereby introducing the representation method ---that has been successfully applied for attacking small secret keys in code- and lattice-based schemes--- also to the isogeny-based world. We use the recently introduced Restricted Effective Group Actions ($$) to illustrate the analogy between CSIDH and Diffie-Hellman key exchange. This framework allows us to introduce a $$ problem as a level of abstraction to computing isogenies between elliptic curves, analogous to the classic discrete logarithm problem. This in turn allows us to study $$ with ternary key spaces such as $$ and $$, which lead to especially efficient, recently proposed CSIDH instantiations. The best classic attack on these key spaces is a Meet-in-the-Middle algorithm that runs in time $$, using also $$ memory. We first show that $$ with ternary key spaces $$ or $$ can be reduced to the ternary key space $$. We further provide a heuristic time-memory tradeoff for $$ with keyspace $$ based on Parallel Collision Search with memory requirement $$ that under standard heuristics runs in time $$ for all $$. We then use the representation technique to heuristically improve to $$ for all $$, and further provide more efficient time-memory tradeoffs for all $$. Although we focus in this work on $$ with ternary key spaces for showing its efficacy in providing attractive time-memory tradeoffs, we also show how to use our framework to analyze larger key spaces $$ with $$.