Abstract
We present a quantum algorithm which computes group action inverses of the complex multiplication group action on isogenous ordinary elliptic curves, using subexponential time, but only polynomial quantum space. One application of this algorithm is that it can be used to find the private key from the public key in the isogeny-based CRS and CSIDH cryptosystems. Prior claims by Childs, Jao, and Soukharev of such a polynomial quantum space algorithm for this problem are false; our algorithm (along with contemporaneous, independent work by Biasse, Iezzi, and Jacobson) is the first such result.
Highlights
In recent years, isogeny-based cryptosystems have emerged as a possible candidate for post-quantum cryptography
We present a quantum algorithm which computes group action inverses of the complex multiplication group action on isogenous ordinary elliptic curves, using subexponential time, but only polynomial quantum space
One application of this algorithm is that it can be used to find the private key from the public key in the isogeny-based CRS and CSIDH cryptosystems
Summary
Isogeny-based cryptosystems have emerged as a possible candidate for post-quantum cryptography. In terms of security analysis, CRS and CSIDH are completely different from the supersingular case, which was first proposed for use in cryptography by Charles, Goren, and Lauter [5]. Both CRS and CSIDH can be broken (in the sense of a total break — recovery of the private key from the public key) by solving the group action inverse problem [20] on the complex multiplication group action, where the group in question is cl(O). The CJS attack consists of two parts: a classical algorithm (subexponential in time and space) to evaluate the complex multiplication action, and a quantum algorithm by Kuperberg to solve the di-. Our results are based on a variant of BKW [2] instead of LLL, and constitute (along with [1]; see below) the first detailed description of how to evaluate the complex multiplication operator in quantum subexponential time using only polynomial quantum space.