Security Analysis of Group Action Inverse Problem with Auxiliary Inputs with Application to CSIDH Parameters


Abstract

In this paper, we consider the security of a problem called Group Action Inverse Problem with Auxiliary Inputs (GAIPwAI). The Group Action Inverse Problem (GAIP) plays an important role in the security of several isogeny-based cryptosystems, such as CSIDH, SeaSign and CSI-FiSh. Briefly speaking, given two isogenous supersingular curves $E$ and $E'$ over $\mathbb{F}_p$, where $E'$ is defined by an ideal $a$ in the $\mathbb{F}_p$-endomorphism ring of $E$ and denoted by $E' = [a] * E$, GAIP requires finding $a \subset \mathrm{End}_{\mathbb{F}_p}(E)$. The best known classical algorithm is based on the baby-step-giant-step method and runs in time $O(p^{1/4})$. In this paper, we show that if $E$ and $E'$ are given together with $[a^d] * E$ for a positive divisor $d$ of the order of the class group of $\mathbb{Z}[\sqrt{-p}]$, then $a$ can be computed in time $O\big((p^{1/2}/d)^{1/2} + d^{1/2}\big)$. In particular, when $d \approx p^{1/4}$, it can be solved in time $O(p^{1/8})$, which is significantly less than $O(p^{1/4})$. Applying the idea to CSIDH-512 parameters, we show that, if an additional isogenous curve $[a^d] * E$ is given, the security level of this cryptosystem reduces to 68-bit security instead of the 128-bit security originally believed.
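As an added worked derivation (not part of the original abstract), the stated complexities can be traced back to the size of the class group. Write $N = \#\mathrm{Cl}(\mathbb{Z}[\sqrt{-p}])$ and use the heuristic $N \approx p^{1/2}$ that the abstract's $O(p^{1/4})$ baby-step-giant-step bound already assumes:

$$
\text{BSGS over all } N \text{ ideal classes: } \quad O(N^{1/2}) = O(p^{1/4}).
$$

$$
\text{With the auxiliary input } [a^d] * E,\ d \mid N: \quad O\!\left((N/d)^{1/2} + d^{1/2}\right) = O\!\left((p^{1/2}/d)^{1/2} + d^{1/2}\right).
$$

The two terms balance when $(N/d)^{1/2} = d^{1/2}$, i.e. $d = N^{1/2} \approx p^{1/4}$, which gives

$$
O\!\left((p^{1/2}/p^{1/4})^{1/2} + (p^{1/4})^{1/2}\right) = O\!\left(2\,p^{1/8}\right) = O(p^{1/8}),
$$

so the exponent of the classical attack cost is halved relative to plain GAIP whenever a divisor $d$ of this size exists and $[a^d] * E$ is available.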

APA

Kim, T. (2020). Security Analysis of Group Action Inverse Problem with Auxiliary Inputs with Application to CSIDH Parameters. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11975 LNCS, pp. 165–174). Springer. https://doi.org/10.1007/978-3-030-40921-0_10
