A trade-off between classical and quantum circuit size for an attack against CSIDH

IF 0.5 Q4 COMPUTER SCIENCE, THEORY & METHODS

Journal of Mathematical Cryptology Pub Date : 2020-11-17 DOI:10.1515/JMC-2020-0070

Jean-François Biasse, X. Bonnetain, Benjamin Pring, A. Schrottenloher, William Youmans

{"title":"A trade-off between classical and quantum circuit size for an attack against CSIDH","authors":"Jean-François Biasse, X. Bonnetain, Benjamin Pring, A. Schrottenloher, William Youmans","doi":"10.1515/JMC-2020-0070","DOIUrl":null,"url":null,"abstract":"Abstract We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order 𝒪). Let Δ = Disc(𝒪) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2, our algorithm requires: A classical circuit of size 2O˜log(|Δ|)1−α. $2^{\\tilde{O}\\left(\\log(|\\Delta|)^{1-\\alpha}\\right)}.$ A quantum circuit of size 2O˜log(|Δ|)α. $2^{\\tilde{O}\\left(\\log(|\\Delta|)^{\\alpha}\\right)}.$ Polynomial classical and quantum memory. Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2O˜log(|Δ|)1/2 $2^{\\tilde{O}\\left(\\log(|\\Delta|)^{1/2}\\right)}$ at the cost of increasing the classical circuit-size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.","PeriodicalId":43866,"journal":{"name":"Journal of Mathematical Cryptology","volume":"15 1","pages":"4 - 17"},"PeriodicalIF":0.5000,"publicationDate":"2020-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1515/JMC-2020-0070","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Mathematical Cryptology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1515/JMC-2020-0070","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 8

Abstract

Abstract We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order 𝒪). Let Δ = Disc(𝒪) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2, our algorithm requires: A classical circuit of size 2O˜log(|Δ|)1−α. $2^{\tilde{O}\left(\log(|\Delta|)^{1-\alpha}\right)}.$ A quantum circuit of size 2O˜log(|Δ|)α. $2^{\tilde{O}\left(\log(|\Delta|)^{\alpha}\right)}.$ Polynomial classical and quantum memory. Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2O˜log(|Δ|)1/2 $2^{\tilde{O}\left(\log(|\Delta|)^{1/2}\right)}$ at the cost of increasing the classical circuit-size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.

查看原文本刊更多论文

针对CSIDH攻击的经典电路和量子电路尺寸之间的权衡

摘要提出了一种启发式算法来解决CSIDH密码系统(以及其他基于同胚密码系统的密码系统)的底层难题，这些密码系统使用具有自同构环的椭圆曲线与虚二次阶态同构)。设Δ =磁盘(变量)(在CSIDH中，对于安全参数p， Δ =−4p)。设0 < α < 1/2，我们的算法需要:一个大小为2O ～ log(|Δ|)1−α的经典电路。$2^{\tilde{O}\left(\log(|\Delta|)^{1-\alpha}\right)}.$尺寸为2O ～ log(|Δ|)α的量子电路。$2^{\tilde{O}\left(\log(|\Delta|)^{\alpha}\right)}.$多项式经典和量子存储器。从本质上讲，我们建议以增加所需的经典电路尺寸为代价，将量子电路的尺寸减小到最先进的复杂性2O ～ log(|Δ|)1/2 $2^{\tilde{O}\left(\log(|\Delta|)^{1/2}\right)}$以下。所要求的经典电路仍然是次指数的，这是对这些问题的经典最先进的指数解的一个超多项式改进。我们的方法需要多项式存储器，包括经典和量子存储器。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊