针对CSIDH攻击的经典电路和量子电路尺寸之间的权衡

IF 0.5 Q4 COMPUTER SCIENCE, THEORY & METHODS

Journal of Mathematical Cryptology Pub Date : 2020-11-17 DOI:10.1515/JMC-2020-0070

Jean-François Biasse, X. Bonnetain, Benjamin Pring, A. Schrottenloher, William Youmans

{"title":"针对CSIDH攻击的经典电路和量子电路尺寸之间的权衡","authors":"Jean-François Biasse, X. Bonnetain, Benjamin Pring, A. Schrottenloher, William Youmans","doi":"10.1515/JMC-2020-0070","DOIUrl":null,"url":null,"abstract":"Abstract We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order 𝒪). Let Δ = Disc(𝒪) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2, our algorithm requires: A classical circuit of size 2O˜log(|Δ|)1−α. $2^{\\tilde{O}\\left(\\log(|\\Delta|)^{1-\\alpha}\\right)}.$ A quantum circuit of size 2O˜log(|Δ|)α. $2^{\\tilde{O}\\left(\\log(|\\Delta|)^{\\alpha}\\right)}.$ Polynomial classical and quantum memory. Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2O˜log(|Δ|)1/2 $2^{\\tilde{O}\\left(\\log(|\\Delta|)^{1/2}\\right)}$ at the cost of increasing the classical circuit-size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.","PeriodicalId":43866,"journal":{"name":"Journal of Mathematical Cryptology","volume":null,"pages":null},"PeriodicalIF":0.5000,"publicationDate":"2020-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1515/JMC-2020-0070","citationCount":"8","resultStr":"{\"title\":\"A trade-off between classical and quantum circuit size for an attack against CSIDH\",\"authors\":\"Jean-François Biasse, X. Bonnetain, Benjamin Pring, A. Schrottenloher, William Youmans\",\"doi\":\"10.1515/JMC-2020-0070\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Abstract We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order 𝒪). Let Δ = Disc(𝒪) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2, our algorithm requires: A classical circuit of size 2O˜log(|Δ|)1−α. $2^{\\\\tilde{O}\\\\left(\\\\log(|\\\\Delta|)^{1-\\\\alpha}\\\\right)}.$ A quantum circuit of size 2O˜log(|Δ|)α. $2^{\\\\tilde{O}\\\\left(\\\\log(|\\\\Delta|)^{\\\\alpha}\\\\right)}.$ Polynomial classical and quantum memory. Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2O˜log(|Δ|)1/2 $2^{\\\\tilde{O}\\\\left(\\\\log(|\\\\Delta|)^{1/2}\\\\right)}$ at the cost of increasing the classical circuit-size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.\",\"PeriodicalId\":43866,\"journal\":{\"name\":\"Journal of Mathematical Cryptology\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.5000,\"publicationDate\":\"2020-11-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://sci-hub-pdf.com/10.1515/JMC-2020-0070\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Mathematical Cryptology\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1515/JMC-2020-0070\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q4\",\"JCRName\":\"COMPUTER SCIENCE, THEORY & METHODS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Mathematical Cryptology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1515/JMC-2020-0070","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 8

摘要

摘要提出了一种启发式算法来解决CSIDH密码系统(以及其他基于同胚密码系统的密码系统)的底层难题，这些密码系统使用具有自同构环的椭圆曲线与虚二次阶态同构)。设Δ =磁盘(变量)(在CSIDH中，对于安全参数p， Δ =−4p)。设0 < α < 1/2，我们的算法需要:一个大小为2O ～ log(|Δ|)1−α的经典电路。$2^{\tilde{O}\left(\log(|\Delta|)^{1-\alpha}\right)}.$尺寸为2O ～ log(|Δ|)α的量子电路。$2^{\tilde{O}\left(\log(|\Delta|)^{\alpha}\right)}.$多项式经典和量子存储器。从本质上讲，我们建议以增加所需的经典电路尺寸为代价，将量子电路的尺寸减小到最先进的复杂性2O ～ log(|Δ|)1/2 $2^{\tilde{O}\left(\log(|\Delta|)^{1/2}\right)}$以下。所要求的经典电路仍然是次指数的，这是对这些问题的经典最先进的指数解的一个超多项式改进。我们的方法需要多项式存储器，包括经典和量子存储器。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

A trade-off between classical and quantum circuit size for an attack against CSIDH

Abstract We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order 𝒪). Let Δ = Disc(𝒪) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2, our algorithm requires: A classical circuit of size 2O˜log(|Δ|)1−α. $2^{\tilde{O}\left(\log(|\Delta|)^{1-\alpha}\right)}.$ A quantum circuit of size 2O˜log(|Δ|)α. $2^{\tilde{O}\left(\log(|\Delta|)^{\alpha}\right)}.$ Polynomial classical and quantum memory. Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2O˜log(|Δ|)1/2 $2^{\tilde{O}\left(\log(|\Delta|)^{1/2}\right)}$ at the cost of increasing the classical circuit-size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Mathematical Cryptology COMPUTER SCIENCE, THEORY & METHODS-

CiteScore

2.70

自引率

8.30%

发文量

审稿时长

100 weeks