Abstract
SIDH and CSIDH are key exchange protocols based on isogenies and conjectured to be quantum-resistant. Since the protocols are similar to the classical Diffie–Hellman, they are vulnerable to the man-in-the-middle attack. A key exchange which is resistant to such an attack is called an authenticated key exchange (AKE), and many isogeny-based AKEs have been proposed. However, the parameter sizes of the existing schemes should be large since they all have relatively large security losses in security proofs. This is partially because the random self-reducibility of isogeny-based decisional problems has not been proved yet.
In this paper, we show that the computational problem and the gap problem of CSIDH are random self-reducible. A gap problem is a computational problem given access to the corresponding decision oracle. Moreover, we propose a CSIDH-based AKE with small security loss, following the construction of Cohn-Gordon et al. in CRYPTO 2019, as an application of the random self-reducibility of the gap problem of CSIDH. Our AKE is proved to be the fastest CSIDH-based AKE when we aim at the 110-bit security level.
Notes
1. Informally, a reduction is simple if the reduction runs the adversary only once.
2. As mentioned above, we assume that \(z = xy\) if and only if \(b = 1\) to avoid pathology.
3. Similarly, the proof of Cohn-Gordon et al. can be considered as an application of the random self-reducibility of the stDH problem.
4. In this case, the advantage of the adversary is zero.
References
Bernstein, D.J., De Feo, L., Leroux, A., Smith, B.: Faster computation of isogenies of large prime degree. Cryptology ePrint Archive, Report 2020/341 (2020). https://eprint.iacr.org/2020/341
Brendel, J., Fischlin, M., Günther, F., Janson, C., Stebila, D.: Towards post-quantum security for signal’s X3DH handshake. In: Selected Areas in Cryptography (SAC) (2020, to appear)
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
Castryck, W., Decru, T.: CSIDH on the surface. Cryptology ePrint Archive, Report 2019/1404 (2019). https://eprint.iacr.org/2019/1404
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
Castryck, W., Sotáková, J., Vercauteren, F.: Breaking the decisional Diffie-Hellman problem for class group actions using genus theory. Cryptology ePrint Archive, Report 2020/151 (2020). https://eprint.iacr.org/2020/151
Cohn-Gordon, K., Cremers, C., Gjøsteen, K., Jacobsen, H., Jager, T.: Highly efficient key exchange protocols with optimal tightness. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 767–797. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_25
Couveignes, J.-M.: Hard Homogeneous Spaces. Cryptology ePrint Archive, Report 2006/291 (2006). https://eprint.iacr.org/2006/291
de Kock, B., Gjøsteen, K., Veroni, M.: Practical isogeny-based key-exchange with optimal tightness. In: Selected Areas in Cryptography (SAC) 2020 (2020, to appear)
Dobson, S., Galbraith, S.D.: On the degree-insensitive SI-GDH problem and assumption. Cryptology ePrint Archive, Report 2019/929 (2019). https://eprint.iacr.org/2019/929
El Kaafarani, A., Katsumata, S., Pintore, F.: Lossy CSI-FiSh: efficient signature scheme with tight reduction to decisional CSIDH-512. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 157–186. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_6
Fujioka, A., Takashima, K., Terada, S., Yoneyama, K.: Supersingular isogeny Diffie-Hellman authenticated key exchange. In: ICISC 2018, pp. 177–195 (2018)
Fujioka, A., Takashima, K., Yoneyama, K.: One-round authenticated group key exchange from isogenies. In: Steinfeld, R., Yuen, T.H. (eds.) ProvSec 2019. LNCS, vol. 11821, pp. 330–338. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-31919-9_20
Galbraith, S.D.: Authenticated key exchange for SIDH. Cryptology ePrint Archive, Report 2018/266 (2018). https://eprint.iacr.org/2018/266
Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Inf. Process. 17(10), 265 (2018)
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1
Longa, P.: A Note on Post-Quantum Authenticated Key Exchange from Supersingular Isogenies. Cryptology ePrint Archive, Report 2018/267 (2018). https://eprint.iacr.org/2018/267
Neukirch, J.: Algebraic Number Theory, vol. 322. Springer, Heidelberg (2013)
Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
Xu, X., Xue, H., Wang, K., Au, M.H., Tian, S.: Strongly secure authenticated key exchange from supersingular isogenies. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 278–308. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_11
Appendices
A Authenticated Key Exchange
In this section, we give a detailed proof of Theorem 17.
A.1 CCGJJ Security Model
First, we introduce the security model, which we call the CCGJJ model in this paper. This model was introduced in [7]. The most important difference between the CCGJJ model and the CK model [3] is that the adversary cannot reveal an oracle’s internal state, including its ephemeral secret key. In both models, we define a game between a challenger and an adversary, and if the advantage of every efficient adversary is negligible, the protocol is regarded as secure.
Execution Environment. Here, we describe the mathematical model of the execution environment. We assume that there exist \(\mu \) users and that each user \(i\in \{1,\cdots ,\mu \}\) has a long-term public key \(pk_i\) and a long-term secret key \(sk_i\). We assume that each user i executes the protocol at most l times, and each execution is regarded as an oracle. User i’s s-th oracle is denoted as \(\pi _i^s\). \(\pi _i^s\) uses not only the user’s static key but also its own ephemeral key in the execution. Note that a static key belongs to the user, so two oracles of the same user use the same static key, whereas their ephemeral keys differ with high probability. Each invocation of the protocol is called a session, and the shared secret is called a session key.
Each oracle \(\pi _i^s\) has an intended peer, denoted as \(\mathrm{Pid}_i^s\). Also, the session key of \(\pi _i^s\) is denoted as \(k_i^s\), where \(k_i^s = \emptyset \) if \(\pi _i^s\) has not computed the session key yet. The oracles send messages to each other, and \(\mathrm{sent}_i^s / \mathrm{recv}_i^s\) are the messages sent/received by \(\pi _i^s\). Moreover, each oracle \(\pi _i^s\) has a role, \(\mathrm{role}_i^s \in \{\emptyset ,\mathrm{init},\mathrm{resp}\}\). Here, the role of an oracle is either an initiator (denoted as \(\mathrm{init}\)) or a responder (denoted as \(\mathrm{resp}\)). An initiator is an oracle which sends a message first, and the responder oracle follows. In Fig. 2, Alice’s oracle is the initiator and Bob’s is the responder. Note that the responder oracle computes its session key first in the session, and the initiator follows.
To describe partnering between oracles, we define two notions:
Definition 18
(Origin oracle). \(\pi _j^t\) is an origin oracle of \(\pi _i^s\) if both oracles have completed their execution and the messages sent by \(\pi _j^t\) are equal to the messages received by \(\pi _i^s\), i.e., \(\mathrm{sent}_j^t = \mathrm{recv}_i^s\).
Definition 19
(Partner oracles). \(\pi _i^s\) and \(\pi _j^t\) are called partners if (1) \(\pi _j^t\) is an origin oracle of \(\pi _i^s\) and vice versa, (2) both oracles believe the other as an intended peer, i.e., \(\mathrm{Pid}_i^s = j\) and \(\mathrm{Pid}_j^t = i\), and (3) their roles are distinct, i.e., \(\mathrm{role}_i^s \ne \mathrm{role}_j^t\).
Attacker’s Model. Since each execution is regarded as an oracle, what the attacker can do is described as queries. In the CCGJJ model, the attacker can issue four queries: Send, RevLTK, RegisterLTK, and RevSessKey.
Send represents the ability of the adversary to control the network, i.e., a Send query allows the adversary to send an arbitrary message to an arbitrary oracle, or even to start an oracle. RevLTK and RevSessKey stand for Reveal Long-Term Key and Reveal Session Key: the adversary can reveal an arbitrary oracle’s long-term key or session key. A user whose long-term key is revealed with this query is said to be corrupted. RegisterLTK allows the adversary to add a new user; every oracle of a user added by this query is corrupted by definition.
Moreover, the adversary can issue a special query, \(\mathsf{Test}\).
Definition 20
(Test query). Assume \(b\in \{0,1\}\) is determined beforehand. If an adversary queries a Test query to \(\pi _i^s\), \(\pi _i^s\) returns \(k_b\), where \(k_0\) is a random key and \(k_1\) is its session key. This query is denoted as \(\mathsf{Test}(i,s)\).
Here, we note that all oracles use the same bit b. Now, we define a state of an oracle, fresh.
Definition 21
(Freshness). We say \(\pi _i^s\) is fresh if the following conditions hold: (1) \(\mathsf{RevSessKey}(i,s)\) has not been queried, (2) when \(\pi _j^t\) is the partner oracle of \(\pi _i^s\), neither \(\mathsf{Test}(j,t)\) nor \(\mathsf{RevSessKey}(j,t)\) has been issued, and (3) \(\mathrm{Pid}_i^s\) was not corrupted when \(\pi _i^s\) completed its execution if \(\pi _i^s\) has an origin oracle, and was not corrupted at all otherwise.
The session key of a fresh oracle is not revealed by queries (it is fresh in this sense). So, if all tested oracles are fresh and the adversary can guess b correctly, we can conclude that the adversary breaks the AKE’s security. The following definition of the AKE security game describes this formally. We say that an AKE is secure if every efficient adversary has negligible advantage.
Definition 22
(AKE security game). Let \(\mathcal {C}\) be a challenger and \(\mathcal {A}\) be an adversary. The security game proceeds as follows:
1. \(\mathcal {C}\) chooses \(\mu \) static keys \((sk_i,pk_i)\ (i=1,2,\cdots ,\mu )\) and \(b\in \{0,1\}\) uniformly at random, and initializes all oracles.
2. \(\mathcal {C}\) runs \(\mathcal {A}\) with inputs \(pk_1,\cdots ,pk_{\mu }\). The model allows \(\mathcal {A}\) to mount attacks on oracles as queries to an oracle, including Test queries. Here, \(\mathcal {A}\) must keep tested oracles fresh. Otherwise, the game aborts and \(b'\) is set to be a random bit (see footnote 4).
3. \(\mathcal {A}\) outputs \(b'\), a guess of b.
The advantage of an adversary is
where \(\lambda \) denotes a security parameter.
A.2 Detailed Security Proof of \(\mathrm{\Pi _{CSIDH}}\ \)
In this subsection, we give a proof of Theorem 17. First, we classify the oracles into five types in the same way as [7].
- Type I: Initiator oracles whose response message is sent by a responder which has the same ctxt and whose intended peer is honest, i.e., not corrupted when the message is received.
- Type II: Other initiators whose intended peer is honest until the initiator completes the execution.
- Type III: Responder oracles whose initial message is sent by an initiator which has the same ctxt up to the responder message and whose intended peer is honest when the message is received.
- Type IV: Other responders whose intended peer is honest until the responder completes the execution.
- Type V: Oracles that are not Type I, II, III, or IV. In other words, oracles whose intended peer is corrupted.
Note that Type I, II, III, and IV oracles are fresh, whereas Type V oracles are not. So we only have to consider the first four types of oracles in the security proof, because we do not need to care about the case where non-fresh oracles are tested.
Again, the security theorem is as follows:
Theorem 17
Let \(\mathcal {A}\) be an adversary against Protocol \(\mathrm{\Pi _{CSIDH}}\ \)in CCGJJ model under the random oracle model and assume we use \([-m,m]^n\) as a secret key space of CSIDH for positive integers m, n. Then, there are adversaries \(\mathcal {B}_1,\mathcal {B}_2,\mathcal {B}_3\) against the CSI-stDH problem such that
where \(\mu \) and l are the number of users and the maximum number of sessions per user, respectively. Moreover, the adversaries \(\mathcal {B}_1,\mathcal {B}_2,\mathcal {B}_3\) all run in essentially the same time as \(\mathcal {A}\) and make essentially the same number of queries to the hash oracle H.
In this Appendix, we give a proof of this theorem.
Proof
We prove this theorem by changing the game little by little; this is the “game-hopping” technique. Let \(S_j\ (j=0,1,\cdots ,5)\) be the event that the adversary wins in Game j.
Game 0. Game 0 is the original security game.
Game 1. In Game 1, we abort if two initiators or two responders have the same ctxt. Since the size of our key space is \((2m+1)^n\), we have
Game 2. In Game 2, the oracles change the way they choose their session keys. Intuitively, they choose their session key uniformly at random instead of using the hash function.
For example, let \(\pi _j^t\) be a Type IV oracle with \(sk_j = [\mathfrak {b}]\) and \(pk_j = \mathfrak {B}\). Also, let \(\pi _j^t\)’s ephemeral secret key and ephemeral public key be \([\mathfrak {s}]\) and \(\mathfrak {S}\). Moreover, for \(i = \mathrm{Pid}_j^t\), let i’s long-term public key and ephemeral public key be \(\mathfrak {A}\) and \(\mathfrak {R}\), respectively.
Then, \(\pi _j^t\) has to query
to the hash oracle in Game 1. If x has not been queried to or “registered” at the random oracle, then \(\pi _j^t\) takes its session key k uniformly at random and “registers” (x, k). If \((x,k')\) is registered at the random oracle, then \(\pi _j^t\) sets its session key to \(k'\). At the beginning of the game, no queries are registered.
Other types of oracles choose their session keys in similar ways, so we omit the description. For further details, see [7].
The random oracle model ensures that no difference is observable by \(\mathcal {A}\), so we have
Game 3. In this game, Type IV oracles choose their session keys uniformly at random and do not modify the hash oracle unless their intended peer is corrupted.
Let \(\pi _j^t\) be a Type IV responder, and use the same notation as in Game 2. Then, \(\pi _j^t\) must have queried
in Game 2. If no query of the form (4) happens before user i is corrupted, Game 2 and Game 3 are identical. So, defining the event \(F_i\) as the event that such a query is made, we have
In order to simplify our proof, we define the event \(G_i\) as the event that queries of the form
are made before user i is corrupted. The symbol \(\star \) denotes an arbitrary element. Since \(\Pr [F_i] \le \Pr [G_i]\) holds, we have
We can bound the right-hand side by the advantage of a CSI-stDH adversary.
CSI-stDH Adversary \(\mathcal {B}_1\). The reduction \(\mathcal {B}_1\) is an algorithm whose input is a pair of elliptic curves \((E_1,E_2)=([\mathfrak {x}]E,[\mathfrak {y}]E)\in \mathcal {E}ll(\mathcal {O})^2\), and whose output is an elliptic curve \(E_3\). The advantage of \(\mathcal {B}_1\) is \(\Pr [E_3=[\mathfrak {xy}]E]\).
When \(\mathcal {B}_1\) is given a tuple \((E_1,E_2)\in \mathcal {E}ll(\mathcal {O})^2\), it chooses a user i uniformly at random and sets its static public key to \(E_1\). Then, for every Type IV responder, \(\mathcal {B}_1\) sets its ephemeral public key to \([\mathfrak {\rho }]E_2\), where each \([\mathfrak {\rho }]\in \mathcal {C}l(\mathcal {O})\) is sampled in the same way as in key generation. Here, \([\mathfrak {\rho }]\) is chosen independently for every Type IV responder.
Suppose that \(G_i\) happens in Game 2. Then, a query of the form (5) is made to the random oracle before user i is corrupted. The simulator can detect this query by querying . If the answer is true, \(\mathcal {B}_1\) outputs \([\rho ]^{-1}\mathfrak {W}\), which means that whenever \(G_i\) happens, the simulator answers the CSI-stDH problem correctly. So we have
From (6) and (7), it is obvious that
We note here that other hash queries in which the identity i is included can be detected using oracle.
For Games 4 and 5, the proof is similar to [7], so we only give an intuitive proof.
Game 4. In Game 4, all Type III responders choose their session key at random and do not modify the hash oracle.
Assume that the adversary \(\mathcal {B}_2\) is given a CSI-stDH instance \((E_1,E_2)\). Then, for all Type I or II oracles, \(\mathcal {B}_2\) generates random elements \([\rho _1]\in \mathcal {C}l(\mathcal {O})\) independently and sets their ephemeral public keys to \([\rho _1]E_1\). Similarly, Type III oracles have ephemeral public keys \([\rho _2]E_2\). If the adversary against Game 3 does not make any hash query corresponding to Type III oracles, Game 4 is identical to Game 3, whereas if such a query is made, \(\mathcal {B}_2\) can solve the strong CSIDH problem. Here, we have
Game 5. In Game 5, all Type II initiator oracles choose their session key at random and do not modify the hash oracle unless their intended peer is corrupted. The proof is identical to that of Game 3, so we have
for an adversary \(\mathcal {B}_3\) against strong CSIDH problem.
Since all honest oracles choose their session keys uniformly at random in Game 5, the advantage of an arbitrary adversary against Game 5 is strictly 0. Then, we have
Combining (2), (3), (8), (9), (10), and (11), we have
This completes the proof. \(\square \)
B CSIDH
In this section, we introduce the detailed protocol of CSIDH.
B.1 CSIDH as an Instantiation of HHS
In CSIDH, an HHS is realized with the ideal class group of an imaginary quadratic field and supersingular elliptic curves. In this subsection, we see how the ideal class group \(\mathcal {C}\ell (\mathcal {O})\) of an order \(\mathcal {O}\) acts on \(\mathcal {E}\ell \ell _p (\mathcal {O})\), the set of \(\mathbb {F}_p\)-isomorphism classes of supersingular elliptic curves whose \(\mathbb {F}_p\)-endomorphism ring is isomorphic to \(\mathcal {O}\).
Ideal Class Group. Let K be an imaginary quadratic field and \(\mathcal {O}\subset K\) be an order, a subring which is a free \(\mathbb {Z}\)-module of rank 2. Then, a fractional ideal of \(\mathcal {O}\) is an \(\mathcal {O}\)-submodule of K which can be written in the form of \(\alpha \mathfrak {a}\), where \(\alpha \in K^{\times }\) and \(\mathfrak {a}\) is an ideal of \(\mathcal {O}\). Note that a multiplication of fractional ideals is induced by the multiplication of ideals naturally. We say a fractional ideal \(\mathfrak {a}\) is invertible when there exists a fractional ideal \(\mathfrak {b}\) such that \(\mathfrak {ab}=\mathcal {O}\).
The set of all invertible fractional ideals \(I(\mathcal {O})\) forms an abelian group under the above multiplication, and the set of all principal ideals \(P(\mathcal {O})\) is a normal subgroup of \(I(\mathcal {O})\). So we can define a quotient group \(\mathcal {C}l(\mathcal {O}) = I(\mathcal {O})/P(\mathcal {O})\), which is called the ideal class group of \(\mathcal {O}\). We denote the class containing \(\mathfrak {a}\in I(\mathcal {O})\) by \([\mathfrak {a}]\). For more details, see [20].
The Action on Supersingular Elliptic Curves. For an order \(\mathcal {O}\) in an imaginary quadratic field K, we define \(\mathcal {E}\ell \ell _p (\mathcal {O})\) as a set of isomorphism classes of elliptic curves E over \(\mathbb {F}_p\) such that \(\mathrm{End}_{\mathbb {F}_p}(E)\simeq \mathcal {O}\). Here, \(\mathrm{End}_{\mathbb {F}_p}(E)\) is the ring of \(\mathbb {F}_p\)-endomorphisms of E.
Now, we define a group action of \(\mathcal {C}l(\mathcal {O})\) on \(\mathcal {E}\ell \ell _p (\mathcal {O})\). Fix \([\mathfrak {a}]\in \mathcal {C}l(\mathcal {O})\) and \(E\in \mathcal {E}\ell \ell _p (\mathcal {O})\); then there uniquely exist a nonnegative integer r and \([\mathfrak {a}_s]\in \mathcal {C}l(\mathcal {O})\) such that \([\mathfrak {a}] = [(\pi \mathcal {O})]^r [\mathfrak {a}_s]\) and \(\mathfrak {a}_s \not \subseteq \pi \mathcal {O}\), where \(\pi \) denotes the Frobenius map. For such \([\mathfrak {a}_s]\), we take an isogeny \(\psi \) from E with \(\ker \psi = \bigcap _{\alpha \in \mathfrak {a}_s} \ker \alpha \). Then, for \([\mathfrak {a}]\), we take the isogeny \(\pi ^r\psi \), whose codomain is denoted as \([\mathfrak {a}]E\). We can easily show that this correspondence satisfies the conditions of a group action. A Hard Homogeneous Space can be constructed from this action.
B.2 Detailed Description of CSIDH
Let \(\ell _1\dots \ell _n\) be small distinct odd primes such that \(p=4\ell _1\cdots \ell _n-1\) is a prime for some n. We can efficiently compute the class group action of \(\mathfrak {l}_i = (\ell _i, \pi -1)\) and \(\mathfrak {l}_i^{-1} = (\ell _i, \pi +1)\), since we only have to find an \(\ell _i\)-torsion point.
Moreover, it is heuristically assumed that the map which sends \((e_1,\dots ,e_n) \in [-m,m]^n\) to \(\mathfrak {l}_1^{e_1}\mathfrak {l}_2^{e_2}\cdots \mathfrak {l}_n^{e_n} \in \mathcal {C}\ell (\mathbb {Z}[\sqrt{-p}])\) is almost bijective when m satisfies \((2m+1)^n \ge \#\mathcal {C}l(\mathbb {Z}[\sqrt{-p}])\). So we can choose \(e_1,\dots , e_n\) instead of \([\mathfrak {a}]\), and its action can be computed efficiently. In this case, the size of the key space is approximately \((2m+1)^n\).
Here, we describe how the protocol proceeds between Alice and Bob. Fix \(E_0\in \mathcal {E}ll_p(\mathbb {Z}[\sqrt{-p}])\) as a public parameter. First, Alice chooses \(e_i\in [-m,m]\) for \(i=1,2,\dots ,n\) uniformly at random, and computes \(E_A = [\mathfrak {a}]E_0\), where \([\mathfrak {a}] = [\mathfrak {l}_1^{e_1}\mathfrak {l}_2^{e_2}\cdots \mathfrak {l}_n^{e_n}]\). Then, Alice sends \(E_A\) to Bob. Bob also computes \(E_B = [\mathfrak {b}]E_0\), and sends it to Alice. Finally, Alice computes \([\mathfrak {a}]E_B\), and Bob computes \([\mathfrak {b}]E_A\). The shared secret is \(\mathcal {M}([\mathfrak {a}]E_B) = \mathcal {M}([\mathfrak {b}]E_A)\), where \(\mathcal {M}\) denotes the Montgomery coefficient.
C Random Self-reducibility of the CSI-stDH Problem
In this section, we prove the random self-reducibility of the CSI-stDH problem. Here, we use another definition of the random self-reducibility. First, we define the CSI-stMDH problem, the multi-instance version of the CSI-stDH problem.
Problem 18
(Commutative Supersingular Isogeny strong Multi Diffie–Hellman (CSI-stMDH) Problem). Assume that a large prime p satisfying \(p\equiv 3\mod 4\) and an elliptic curve \(E \in \mathcal {E}ll_p(\mathcal {O})\) for \(\mathcal {O}=\mathbb {Z}[\sqrt{-p}]\) are given. Then, given \((\mathfrak {X} = [\mathfrak {x}] E; (\mathfrak {Y}_i = [\mathfrak {y}_i] E)_{i \in [S]})\), the CSI-stMDH problem with parameter S is to compute \([\mathfrak {x} \mathfrak {y}_j] E\) for an index j chosen by the solver. Here, the solver is given access to the decision oracle CSI-stDH\(_{\mathfrak {x}}(\cdot , \cdot )\).
For an adversary \(\mathcal {A}\) whose output is \(E'\), the advantage of \(\mathcal {A}\) is defined as .
In this subsection, we say that the CSI-stDH problem is random self-reducible if we can reduce the CSI-stDH problem to the CSI-stMDH problem tightly. The only difference from Definition 3 is that we fix the first curve \(\mathfrak {X}\). Though we can prove the random self-reducibility of the CSI-stDH problem in a similar way following Definition 3, we use this definition here so that the analogy with the security proof of \(\mathrm{\Pi _{CSIDH}}\) is easy to see. Actually, \(\mathfrak {X}\) corresponds to user i’s long-term public key in the security proof in Sect. A, and the \(\mathfrak {Y}_i\) correspond to the ephemeral public keys of the oracles whose intended peer is i.
Here, our goal is to prove the random self-reducibility of the CSI-stDH problem, i.e., the existence of a tight reduction from the CSI-stDH problem to the CSI-stMDH problem:
Corollary 19
(Random Self-Reducibility of the CSI-stDH Problem). For an arbitrary adversary \(\mathcal {A}\) against the CSI-stMDH problem with parameter S, there is an adversary \(\mathcal {B}\) against the CSI-stDH problem such that
hold.
Proof
For an instance \((\mathfrak {X}, \mathfrak {Y}) = ([\mathfrak {x}]E, [\mathfrak {y}]E)\) of the CSI-stDH problem, \(\mathcal {B}\) generates random ideal classes \([\eta _i] \in C\ell (\mathcal {O})\) for \(i \in [S]\). Then, \(\mathcal {B}\) generates a CSI-stMDH instance \((\mathfrak {X}; ([\eta _i] \mathfrak {Y})_{i\in [S]})\) and inputs it to \(\mathcal {A}\). If \(\mathcal {A}\) outputs \(\mathfrak {Z}_j\) for \(j \in [S]\), \(\mathcal {B}\) outputs \([\eta _j]^{-1} \mathfrak {Z}_j\). For each decision query made by \(\mathcal {A}\), \(\mathcal {B}\) forwards it to its own oracle. Here, if \(\mathcal {A}\) succeeds, \(\mathcal {B}\) answers the CSI-stDH problem correctly, which completes the proof. \(\square \)
Remark 20
If we use Definition 3 for the definition of the random self-reducibility, we also rerandomize the first curve \(\mathfrak {X}\) as \(\mathfrak {X}_i = [\xi _i] \mathfrak {X}\) for randomly chosen \([\xi _i] \in \mathcal {C}\ell (\mathcal {O})\). Here, to prove the random self-reducibility, we must answer the decision queries for every i. However, since
we have , thus we can simulate the oracles perfectly.
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Kawashima, T., Takashima, K., Aikawa, Y., Takagi, T. (2021). An Efficient Authenticated Key Exchange from Random Self-reducibility on CSIDH. In: Hong, D. (eds) Information Security and Cryptology – ICISC 2020. ICISC 2020. Lecture Notes in Computer Science(), vol 12593. Springer, Cham. https://doi.org/10.1007/978-3-030-68890-5_4
DOI: https://doi.org/10.1007/978-3-030-68890-5_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-68889-9
Online ISBN: 978-3-030-68890-5