Jean-François Biasse, X. Bonnetain, Benjamin Pring, A. Schrottenloher, William Youmans
{"title":"针对CSIDH攻击的经典电路和量子电路尺寸之间的权衡","authors":"Jean-François Biasse, X. Bonnetain, Benjamin Pring, A. Schrottenloher, William Youmans","doi":"10.1515/JMC-2020-0070","DOIUrl":null,"url":null,"abstract":"Abstract We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order 𝒪). Let Δ = Disc(𝒪) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2, our algorithm requires: A classical circuit of size 2O˜log(|Δ|)1−α. $2^{\\tilde{O}\\left(\\log(|\\Delta|)^{1-\\alpha}\\right)}.$ A quantum circuit of size 2O˜log(|Δ|)α. $2^{\\tilde{O}\\left(\\log(|\\Delta|)^{\\alpha}\\right)}.$ Polynomial classical and quantum memory. Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2O˜log(|Δ|)1/2 $2^{\\tilde{O}\\left(\\log(|\\Delta|)^{1/2}\\right)}$ at the cost of increasing the classical circuit-size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.","PeriodicalId":43866,"journal":{"name":"Journal of Mathematical Cryptology","volume":null,"pages":null},"PeriodicalIF":0.5000,"publicationDate":"2020-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1515/JMC-2020-0070","citationCount":"8","resultStr":"{\"title\":\"A trade-off between classical and quantum circuit size for an attack against CSIDH\",\"authors\":\"Jean-François Biasse, X. Bonnetain, Benjamin Pring, A. Schrottenloher, William Youmans\",\"doi\":\"10.1515/JMC-2020-0070\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Abstract We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order 𝒪). Let Δ = Disc(𝒪) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2, our algorithm requires: A classical circuit of size 2O˜log(|Δ|)1−α. $2^{\\\\tilde{O}\\\\left(\\\\log(|\\\\Delta|)^{1-\\\\alpha}\\\\right)}.$ A quantum circuit of size 2O˜log(|Δ|)α. $2^{\\\\tilde{O}\\\\left(\\\\log(|\\\\Delta|)^{\\\\alpha}\\\\right)}.$ Polynomial classical and quantum memory. Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2O˜log(|Δ|)1/2 $2^{\\\\tilde{O}\\\\left(\\\\log(|\\\\Delta|)^{1/2}\\\\right)}$ at the cost of increasing the classical circuit-size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.\",\"PeriodicalId\":43866,\"journal\":{\"name\":\"Journal of Mathematical Cryptology\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.5000,\"publicationDate\":\"2020-11-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://sci-hub-pdf.com/10.1515/JMC-2020-0070\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Mathematical Cryptology\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1515/JMC-2020-0070\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q4\",\"JCRName\":\"COMPUTER SCIENCE, THEORY & METHODS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Mathematical Cryptology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1515/JMC-2020-0070","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}
A trade-off between classical and quantum circuit size for an attack against CSIDH
Abstract We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order 𝒪). Let Δ = Disc(𝒪) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2, our algorithm requires: A classical circuit of size 2O˜log(|Δ|)1−α. $2^{\tilde{O}\left(\log(|\Delta|)^{1-\alpha}\right)}.$ A quantum circuit of size 2O˜log(|Δ|)α. $2^{\tilde{O}\left(\log(|\Delta|)^{\alpha}\right)}.$ Polynomial classical and quantum memory. Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2O˜log(|Δ|)1/2 $2^{\tilde{O}\left(\log(|\Delta|)^{1/2}\right)}$ at the cost of increasing the classical circuit-size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.