CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations

In this paper we report on a new record class group computation of an imaginary quadratic field having a 154-digit discriminant, surpassing the previous record of 130 digits. This class group is central to the CSIDH-512 isogeny-based cryptosystem, and knowing the class group structure and relation lattice implies efficient uniform sampling and a canonical representation of its elements. Both operations were impossible before and allow us to instantiate an isogeny-based signature scheme first sketched by Stolbunov. We further optimize the scheme using multiple public keys and Merkle trees, following an idea by De Feo and Galbraith. We also show that including quadratic twists allows the public key size to be cut in half for free. Optimizing for signature size, our implementation takes 390 ms to sign/verify and produces signatures of 263 bytes, at the expense of a large public key. This is 300 times faster and over 3 times smaller than an optimized version of SeaSign for the same parameter set. Optimizing for public key and signature size combined results in a total size of 1468 bytes, which is smaller than any other post-quantum signature scheme at the 128-bit security level.
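The following is an added structural model (not the paper's implementation) of the Stolbunov-style Fiat-Shamir signature with S public keys and the quadratic-twist trick, showing why a known group order N matters: responses are exponents reduced mod N, so a uniform commitment exponent hides the secret without rejection sampling. The group action, N, S and T are constructed toy stand-ins (the real action is on supersingular curves and N has 154 digits); the Merkle-tree public-key compression is omitted.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration; CSIDH-512's N has 154 digits).
N = 1_000_003   # known class group order: exponents mod N are canonical
S = 3           # number of public keys; with twists the challenge set is [-S, S]
T = 8           # number of Fiat-Shamir rounds
E0 = 0          # base element of the set being acted on

def act(a, E):
    """Placeholder group action of Z_N on Z_N, standing in for [g^a] * E."""
    return (a + E) % N

def twist(E):
    """Quadratic twist: if E = [g^a] E0 then twist(E) = [g^-a] E0, at no key cost."""
    return (-E) % N

def keygen():
    sk = [secrets.randbelow(N) for _ in range(S)]  # uniform sampling requires knowing N
    pk = [act(a, E0) for a in sk]
    return sk, pk

def challenge_set(pk, commitments, msg):
    """Hash public key, commitments and message to T challenges in [-S, S]."""
    h = hashlib.shake_256()
    for x in pk + commitments:
        h.update(x.to_bytes(8, "big"))
    h.update(msg)
    d = h.digest(2 * T)
    return [int.from_bytes(d[2*j:2*j+2], "big") % (2*S + 1) - S for j in range(T)]

def pk_for_challenge(pk, c):
    """Challenge 0 selects E0, c > 0 selects pk[c], c < 0 selects the twist of pk[-c]."""
    if c == 0:
        return E0
    return pk[c - 1] if c > 0 else twist(pk[-c - 1])

def sign(sk, pk, msg):
    b = [secrets.randbelow(N) for _ in range(T)]        # uniform commitment exponents
    commitments = [act(bj, E0) for bj in b]
    chal = challenge_set(pk, commitments, msg)
    resp = []
    for bj, c in zip(b, chal):
        a_c = 0 if c == 0 else (sk[c - 1] if c > 0 else -sk[-c - 1])  # twist => -a
        resp.append((bj - a_c) % N)                      # uniform mod N, hides a_c
    return chal, resp

def verify(pk, msg, sig):
    chal, resp = sig
    commitments = [act(r, pk_for_challenge(pk, c)) for c, r in zip(chal, resp)]
    return chal == challenge_set(pk, commitments, msg)
```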
