2020
DOI: 10.1007/978-3-030-45724-2_17
|View full text |Cite
|
Sign up to set email alerts
|

Quantum Security Analysis of CSIDH

Abstract: CSIDH is a recent proposal for post-quantum non-interactive key-exchange, based on supersingular elliptic curve isogenies. It is similar in design to a previous scheme by Couveignes, Rostovtsev and Stolbunov, but aims at an improved balance between efficiency and security. In the proposal, the authors suggest concrete parameters in order to meet some desired levels of quantum security. These parameters are based on the hardness of recovering a hidden isogeny between two elliptic curves, using a quantum subexpo… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

0
40
0

Year Published

2020
2020
2021
2021

Publication Types

Select...
6
1

Relationship

0
7

Authors

Journals

citations
Cited by 70 publications
(40 citation statements)
references
References 32 publications
0
40
0
Order By: Relevance
“…Let F q be a finite field of characteristic p. In the following we assume p ≥ 3 and therefore an elliptic curve E over F q can be defined by its short Weierstrass form 3 . The set of points on an elliptic curve is an abelian group under the "chord and tangent rule" with O E being the identity element.…”
Section: Mathematical Background On Isogeniesmentioning
confidence: 99%
See 2 more Smart Citations
“…Let F q be a finite field of characteristic p. In the following we assume p ≥ 3 and therefore an elliptic curve E over F q can be defined by its short Weierstrass form 3 . The set of points on an elliptic curve is an abelian group under the "chord and tangent rule" with O E being the identity element.…”
Section: Mathematical Background On Isogeniesmentioning
confidence: 99%
“…There have been multiple proposals to attack concrete parameter suggestions for CSIDH with quantum algorithms. Peikert [25] uses Kuperberg's collimation sieve algorithm to solve the hidden shift instance with quantum accessible classical memory and subexponential quantum time, a strategy independently also explored by Bonnetain-Schrottenloher [3].…”
Section: Hard Homogeneous Spaces and Csidhmentioning
confidence: 99%
See 1 more Smart Citation
“…While it is clear that the approach taken by CSI-FiSh to build a full-fledged cryptographic group action greatly extends the capabilities of isogeny-based cryptography, recent results [Pei20,BS20] showed quantum attacks against CSIDH for certain choices of parameters. Unfortunately, computing the group structure of a significantly larger class group seems out of reach today, owing to the subexponential complexity of the classical algorithms available.…”
Section: Cryptographic Group Actions and Isogeniesmentioning
confidence: 99%
“…In this case, we must choose the prime having those factors. The advantage of this method is that we can expect that CSIDH protocols to have a certain level of the resistance for subexponential quantum attack [2,17,18] by expanding the size of the base field.…”
Section: Collisions For Csidh-based Algorithmsmentioning
confidence: 99%