Daniel J. Bernstein, "Quantum attacks against isogenies". Slides dated 10 July 2019: cr.yp.to/talks/2019.07.10/slides-djb-20190710-qisog-4x3.pdf

TRANSCRIPT
Slide 1: Quantum attacks against isogenies
Daniel J. Bernstein

1994 Shor discrete-log algorithm: Input prime p; g ∈ F_p^*; h ∈ g^Z. Define φ : Z × Z → F_p^* by φ(a, b) = g^a h^b. Fast function.

If h = g^s and g has order N then Ker φ = Z(N, 0) + Z(s, −1).

Shor computes φ on quantum superposition of many (a, b); deduces Ker φ; deduces s in Z/N.
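A classical toy run of the kernel-lattice structure that slide 1 describes (added example, not from the slides): the quantum step that samples Ker φ is replaced by brute force over (Z/N)², and the prime, generator and exponent are constructed values, so this only runs for tiny p.

```python
# Added example (not from the slides): a classical toy of the structure
# behind Shor's discrete-log algorithm (slide 1). The quantum step, which
# samples Ker(phi) from a superposition of (a, b), is replaced here by brute
# force over (Z/N)^2, so this only runs for tiny primes; the point is to see
# that Ker(phi) really is the lattice Z(N,0) + Z(s,-1) and that s falls out
# of any kernel vector. p, g and s below are constructed toy values.
from math import gcd

def order(g, p):
    """Multiplicative order N of g in F_p^* (p prime), by repeated multiplication."""
    n, x = 1, g % p
    while x != 1:
        x, n = x * g % p, n + 1
    return n

def phi(a, b, g, h, p):
    """phi(a, b) = g^a h^b in F_p^*: the slide's 'fast function'."""
    return pow(g, a, p) * pow(h, b, p) % p

def kernel(g, h, p):
    """(N, Ker phi) with the kernel reduced modulo N in both coordinates.
    Classical stand-in for what Shor's quantum sampling reveals."""
    N = order(g, p)
    ker = {(a, b) for a in range(N) for b in range(N) if phi(a, b, g, h, p) == 1}
    return N, ker

def lattice_mod_N(N, s):
    """Z(N,0) + Z(s,-1) reduced modulo N: (N,0) vanishes, leaving t*(s,-1)."""
    return {(t * s % N, -t % N) for t in range(N)}

def shift_from_kernel(N, ker):
    """g^a h^b = 1 with h = g^s means a + s*b = 0 (mod N); any kernel vector
    whose b is invertible mod N therefore gives s = -a * b^{-1} (mod N)."""
    for a, b in ker:
        if gcd(b, N) == 1:
            return -a * pow(b, -1, N) % N
    raise ValueError("no kernel vector with b invertible mod N")

def shor_dlog_toy(p, g, s):
    """Set h = g^s, recover Ker(phi) by brute force, check it is the slide's
    lattice, and recover s mod N from it."""
    h = pow(g, s, p)
    N, ker = kernel(g, h, p)
    assert ker == lattice_mod_N(N, s % N)
    return shift_from_kernel(N, ker)
```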
Slide 2

Shor also generalizes from F_p^* to other finite groups with fast computations, e.g. F_q^* for prime power q; E(F_q) for elliptic curve E/F_q.

1995 Boneh–Lipton: Find "hidden" lattice L ⊆ Z^n, given fast function φ : Z^n → X that induces Z^n/L ↪ X.

Non-commutative generalizations: e.g. find hidden subgroup H ⊆ S_n, given fast function φ : S_n → X that induces S_n/H ↪ X? Some progress, some obstacles.
Slide 3: The hidden-shift problem

Given N ∈ Z, N > 0; f_0 : Z/N ↪ X; f_1 : Z/N ↪ X; f_1(a) = f_0(a + s) for all a ∈ Z/N. Goal: Find s ∈ Z/N.

Dihedral group D_N = Z/N × Z/2: (a, b)(c, d) = (a + (−1)^b c, b + d).

Define φ : D_N → X by φ(a, i) = f_i(a). Then φ hides subgroup {(0, 0), (s, 1)} of D_N. These are the only "Shor-hard" hidden subgroups of D_N.
Slide 4

1998 Ettinger–Høyer: Solve hidden-shift problem using O(log N) quantum φ evaluations, huge φ-independent computation.

(1999–2004 Ettinger–Høyer–Knill: Similarly few evaluations for hidden subgroups of any group.)

2003 Kuperberg: Solve hidden-shift problem using more quantum φ evaluations, less φ-independent computation.

2004 Regev, 2011 Kuperberg: More tradeoffs, better tradeoffs.
Slide 5: Attacking isogenies

CRS/CSIDH: Class group G acts freely and transitively on a set X of curves over F_p. Usually G ≅ Z/N with N ≈ p^{1/2}.

Compute N by Shor's algorithm. Find ideal I with G = [I]^Z.

Given E_0, E_1 ∈ X: define f_0 : Z/N ↪ X by a ↦ [I]^a E_0; f_1 : Z/N ↪ X by a ↦ [I]^a E_1.

E_1 = [I]^s E_0 for some s ∈ Z/N. f_1(a) = f_0(a + s) for all a ∈ Z/N. Find the hidden shift s in f_0, f_1.
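A classical toy model of the reduction on slides 3 and 5 (added example, not from the slides): the class-group action is replaced by a constructed cyclic rotation of N labelled "curves", which is free and transitive like the real action but involves no isogenies, and the function names (act, make_f, hides, hidden_shift, hidden_reflection) are mine. It checks that f_1 is a shift of f_0 and that φ on D_N hides exactly one reflection subgroup.

```python
# Added example (not from the slides): a classical toy model of the
# reduction on slides 3 and 5, CRS/CSIDH key recovery -> hidden shift ->
# hidden subgroup of the dihedral group D_N.
# Constructed stand-in for the class-group action: G = Z/N acts on a set
# X of N "curve" labels by cyclic rotation, so [I]^a E_k = E_{k+a}. This is
# free and transitive, which is all the reduction uses; no isogenies are
# computed. The shift s is recovered by exhaustive search, which is only
# feasible because N is tiny; the slides' point is that Kuperberg-type
# quantum algorithms find s for cryptographic N.

N = 12                                   # constructed toy group order
X = [f"E{k}" for k in range(N)]          # constructed curve labels

def act(a, E):
    """[I]^a E for the toy action: rotate the label index by a."""
    return X[(int(E[1:]) + a) % N]

def make_f(E):
    """f : Z/N -> X, a |-> [I]^a E (the f0 and f1 of slide 5)."""
    return lambda a: act(a % N, E)

def dihedral_mul(x, y):
    """(a,b)(c,d) = (a + (-1)^b c, b + d) in D_N = Z/N x Z/2 (slide 3)."""
    (a, b), (c, d) = x, y
    return ((a + (c if b == 0 else -c)) % N, (b + d) % 2)

def dihedral_phi(f0, f1):
    """phi : D_N -> X, phi(a, i) = f_i(a)."""
    return lambda g: (f0 if g[1] == 0 else f1)(g[0])

def hides(phi, H):
    """True iff phi(g) = phi(g') exactly when gH = g'H: phi is constant on
    each left coset of H and takes distinct values on distinct cosets."""
    D = [(a, b) for a in range(N) for b in range(2)]
    if any(phi(dihedral_mul(g, h)) != phi(g) for g in D for h in H):
        return False
    cosets = {frozenset(dihedral_mul(g, h) for h in H) for g in D}
    return len({phi(min(c)) for c in cosets}) == len(cosets)

def hidden_shift(E0, E1):
    """Find s with E1 = [I]^s E0, i.e. f1(a) = f0(a + s) for all a.
    Exhaustive search over Z/N: fine for a toy, hopeless for real N."""
    f0, f1 = make_f(E0), make_f(E1)
    for s in range(N):
        if all(f1(a) == f0(a + s) for a in range(N)):
            return s
    raise ValueError("E1 not in the orbit of E0 (action not transitive)")

def hidden_reflection(E0, E1):
    """Find the t for which phi hides {(0,0), (t,1)} (slide 3's subgroup).
    With the multiplication rule above and left cosets this is t = -s mod N,
    i.e. the slide's (s,1) up to the sign convention of the shift."""
    phi = dihedral_phi(make_f(E0), make_f(E1))
    found = [t for t in range(N) if hides(phi, [(0, 0), (t, 1)])]
    assert len(found) == 1                # exactly one such subgroup fits
    return found[0]

if __name__ == "__main__":
    print("shift s =", hidden_shift("E3", "E7"),
          "; hidden reflection t =", hidden_reflection("E3", "E7"))
```

With the slide's multiplication rule and left cosets the reflection found is (−s, 1); the slide's (s, 1) corresponds to writing the shift the other way round, f_0(a) = f_1(a + s).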
6
How many steps in an action?
Steps for CRS/CSIDH users:
fast algorithms for actions of
small [P1]; [P2]; [P3]; : : : ; [Pd ].
e.g., d = 74 for CSIDH-512.
[P1]5[P2]4[P3]1: 10 steps.
[P1]7038304916: 7038304916 steps.
![Page 35: Daniel J. Bernstein F Quantum attacks Shor also ...cr.yp.to/talks/2019.07.10/slides-djb-20190710-qisog-4x3.pdf · 1 Quantum attacks against isogenies Daniel J. Bernstein 1994 Shor](https://reader033.vdocument.in/reader033/viewer/2022060506/5f1f3aedda3d0a13d63ac2e1/html5/thumbnails/35.jpg)
5
Attacking isogenies
CRS/CSIDH: Class group G
acts freely and transitively
on a set X of curves over Fp.
Usually G ∼= Z=N with N ≈ p1=2.
Compute N by Shor’s algorithm.
Find ideal I with G = [I]Z.
Given E0; E1 ∈ X: define
f0 : Z=N ,→ X by a 7→ [I]aE0;
f1 : Z=N ,→ X by a 7→ [I]aE1.
E1 = [I]sE0 for some s ∈ Z=N.
f1(a) = f0(a + s) for all a ∈ Z=N.
Find the hidden shift s in f0; f1.
6
How many steps in an action?
Steps for CRS/CSIDH users:
fast algorithms for actions of
small [P1]; [P2]; [P3]; : : : ; [Pd ].
e.g., d = 74 for CSIDH-512.
[P1]5[P2]4[P3]1: 10 steps.
[P1]7038304916: 7038304916 steps.
[P1]a for huge a ∈ Z=N: Hmmm.
![Page 36: Daniel J. Bernstein F Quantum attacks Shor also ...cr.yp.to/talks/2019.07.10/slides-djb-20190710-qisog-4x3.pdf · 1 Quantum attacks against isogenies Daniel J. Bernstein 1994 Shor](https://reader033.vdocument.in/reader033/viewer/2022060506/5f1f3aedda3d0a13d63ac2e1/html5/thumbnails/36.jpg)
5
Attacking isogenies
CRS/CSIDH: Class group G
acts freely and transitively
on a set X of curves over Fp.
Usually G ∼= Z=N with N ≈ p1=2.
Compute N by Shor’s algorithm.
Find ideal I with G = [I]Z.
Given E0; E1 ∈ X: define
f0 : Z=N ,→ X by a 7→ [I]aE0;
f1 : Z=N ,→ X by a 7→ [I]aE1.
E1 = [I]sE0 for some s ∈ Z=N.
f1(a) = f0(a + s) for all a ∈ Z=N.
Find the hidden shift s in f0; f1.
6
How many steps in an action?
Steps for CRS/CSIDH users:
fast algorithms for actions of
small [P1]; [P2]; [P3]; : : : ; [Pd ].
e.g., d = 74 for CSIDH-512.
[P1]5[P2]4[P3]1: 10 steps.
[P1]7038304916: 7038304916 steps.
[P1]a for huge a ∈ Z=N: Hmmm.
Approach 1: Compute lattice L =
Ker(a1; : : : ; ad 7→ [P1]a1 · · · [Pd ]ad ).
![Page 37: Daniel J. Bernstein F Quantum attacks Shor also ...cr.yp.to/talks/2019.07.10/slides-djb-20190710-qisog-4x3.pdf · 1 Quantum attacks against isogenies Daniel J. Bernstein 1994 Shor](https://reader033.vdocument.in/reader033/viewer/2022060506/5f1f3aedda3d0a13d63ac2e1/html5/thumbnails/37.jpg)
5
Attacking isogenies
CRS/CSIDH: Class group G
acts freely and transitively
on a set X of curves over Fp.
Usually G ∼= Z=N with N ≈ p1=2.
Compute N by Shor’s algorithm.
Find ideal I with G = [I]Z.
Given E0; E1 ∈ X: define
f0 : Z=N ,→ X by a 7→ [I]aE0;
f1 : Z=N ,→ X by a 7→ [I]aE1.
E1 = [I]sE0 for some s ∈ Z=N.
f1(a) = f0(a + s) for all a ∈ Z=N.
Find the hidden shift s in f0; f1.
6
How many steps in an action?
Steps for CRS/CSIDH users:
fast algorithms for actions of
small [P1]; [P2]; [P3]; : : : ; [Pd ].
e.g., d = 74 for CSIDH-512.
[P1]5[P2]4[P3]1: 10 steps.
[P1]7038304916: 7038304916 steps.
[P1]a for huge a ∈ Z=N: Hmmm.
Approach 1: Compute lattice L =
Ker(a1; : : : ; ad 7→ [P1]a1 · · · [Pd ]ad ).
Given a ∈ Zd , find close v ∈ L:
distance exp((logN)1=2+o(1))
using time exp((logN)1=2+o(1)).
![Page 38: Daniel J. Bernstein F Quantum attacks Shor also ...cr.yp.to/talks/2019.07.10/slides-djb-20190710-qisog-4x3.pdf · 1 Quantum attacks against isogenies Daniel J. Bernstein 1994 Shor](https://reader033.vdocument.in/reader033/viewer/2022060506/5f1f3aedda3d0a13d63ac2e1/html5/thumbnails/38.jpg)
5
Attacking isogenies
CRS/CSIDH: Class group G
acts freely and transitively
on a set X of curves over Fp.
Usually G ∼= Z=N with N ≈ p1=2.
Compute N by Shor’s algorithm.
Find ideal I with G = [I]Z.
Given E0; E1 ∈ X: define
f0 : Z=N ,→ X by a 7→ [I]aE0;
f1 : Z=N ,→ X by a 7→ [I]aE1.
E1 = [I]sE0 for some s ∈ Z=N.
f1(a) = f0(a + s) for all a ∈ Z=N.
Find the hidden shift s in f0; f1.
6
How many steps in an action?
Steps for CRS/CSIDH users:
fast algorithms for actions of
small [P1]; [P2]; [P3]; : : : ; [Pd ].
e.g., d = 74 for CSIDH-512.
[P1]5[P2]4[P3]1: 10 steps.
[P1]7038304916: 7038304916 steps.
[P1]a for huge a ∈ Z=N: Hmmm.
Approach 1: Compute lattice L =
Ker(a1; : : : ; ad 7→ [P1]a1 · · · [Pd ]ad ).
Given a ∈ Zd , find close v ∈ L:
distance exp((logN)1=2+o(1))
using time exp((logN)1=2+o(1)).
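Approach 1 on a toy instance (an added example, not code from the slides or from the CJS or BLMP software): with G ≅ Z/N and the images e_i of the [P_i] in Z/N assumed already known (that is what Shor's algorithm delivers), the relation lattice L has an explicit basis; LLL-reduce it, then use Babai's nearest-plane step to replace the huge single-exponent representation of [I]^a by a short exponent vector for the same group element. The modulus N = 1000003, d = 6 and the values e_i are constructed for the example; a real attack on CSIDH-512 has N ≈ 2^256, d = 74 and needs far stronger lattice reduction than textbook LLL.

```python
from fractions import Fraction

N = 1_000_003                                          # toy class number (CSIDH-512: N ~ 2^256)
E = [1, 7_213, 52_891, 318_007, 640_111, 908_927]      # constructed: [P_i] = [I]^E[i], i.e. the
D = len(E)                                             # images of the d = 6 small ideals in Z/N


def steps(v):
    """Cost model from the slide: [P1]^v1 ... [Pd]^vd costs sum |v_i| steps."""
    return sum(abs(x) for x in v)


def exponent_of(v, e=E, n=N):
    """Image of [P1]^v1 ... [Pd]^vd in Z/N = G."""
    return sum(x * y for x, y in zip(v, e)) % n


def relation_lattice(e, n):
    """Row basis of L = Ker(a |-> [P1]^a1 ... [Pd]^ad) = {v : sum v_i e_i = 0 mod n}.
    Rows: (n, 0, ..., 0) and (-e_i/e_1 mod n, 0, ..., 1, ..., 0); needs gcd(e_1, n) = 1."""
    inv = pow(e[0], -1, n)
    basis = [[n] + [0] * (len(e) - 1)]
    for i in range(1, len(e)):
        row = [(-e[i] * inv) % n] + [0] * (len(e) - 1)
        row[i] = 1
        basis.append(row)
    return basis


def dot(u, v):
    return sum(Fraction(x) * y for x, y in zip(u, v))


def gram_schmidt(b):
    bstar, mu = [], [[Fraction(0)] * len(b) for _ in b]
    for i, row in enumerate(b):
        v = [Fraction(x) for x in row]
        for j in range(i):
            mu[i][j] = dot(row, bstar[j]) / dot(bstar[j], bstar[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(b, delta=Fraction(3, 4)):
    """Textbook LLL in exact rational arithmetic; it recomputes Gram-Schmidt after
    every change, which is fine for d = 6 (a real attack uses BKZ / CVP solvers)."""
    b = [list(r) for r in b]
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < len(b):
        for j in range(k - 1, -1, -1):                  # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lhs = dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:                                  # Lovasz condition holds
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def babai_reduce(b, t):
    """Nearest-plane step: return t - (lattice point close to t), a short vector in t + L."""
    bstar, _ = gram_schmidt(b)
    v = [Fraction(x) for x in t]
    for j in range(len(b) - 1, -1, -1):
        c = round(dot(v, bstar[j]) / dot(bstar[j], bstar[j]))
        v = [x - c * y for x, y in zip(v, b[j])]
    return [int(x) for x in v]


def short_representation(a, e=E, n=N):
    """Approach 1: start from [I]^a = [P1]^(a/e_1) (one huge exponent), then subtract
    a close lattice vector to get the same group element with few steps."""
    naive = [(a * pow(e[0], -1, n)) % n] + [0] * (len(e) - 1)
    return naive, babai_reduce(lll(relation_lattice(e, n)), naive)


if __name__ == "__main__":
    naive, short = short_representation(7038304916 % N)   # the slide's huge exponent, mod N
    print("naive:", naive, "->", steps(naive), "steps")
    print("short:", short, "->", steps(short), "steps")
    assert exponent_of(short) == exponent_of(naive)
```

The distance bound on the slide is the quality of the "close v ∈ L" step: a reduced vector with entries around N^{1/d} (here about 10) turns an action costing hundreds of thousands of steps into one costing a few dozen, and the attacker pays for the lattice reduction once per group, not once per evaluation.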
7
Approach 2: Increase d up to
exp((log N)^{1/2+o(1)}). Search
randomly for small relations.
2010 Childs–Jao–Soukharev:
A. Time exp((log N)^{1/2+o(1)}) to
compute G action by Approach 2.
B. Unfixably flawed argument that
Approach 2 beats Approach 1.
C. Apply Kuperberg (or Regev):
Time exp((log N)^{1/2+o(1)})
to find g ∈ G with gE0 = E1.
D. Proof assuming only GRH,
using provable-factoring ideas.
8
Approach 3 (mentioned in 2018
Bernstein–Lange–Martindale–
Panny): Uniform (a1, ..., ad)
in {−c, ..., c}^d. Choose c
somewhat larger than users do.
Not much slowdown in action.
Surely g = [P1]^a1 ··· [Pd]^ad is
nearly uniformly distributed in G.
Can quickly compute gEb
and image of g in Z/N.
Need more analysis of impact of
these redundant representations
upon Kuperberg's algorithm.
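Approach 3 checked exactly on a toy instance (an added example, not code from the slides or from BLMP): for uniform exponent vectors in {−c, ..., c}^d the expected number of steps is d·c(c+1)/(2c+1), and the exact distribution of the image Σ a_i e_i of g in Z/N can be computed by convolving one coordinate at a time, so "nearly uniformly distributed" becomes a measured statistical distance. The modulus N = 10007, d = 6 and the values e_i (images of the [P_i] in Z/N, assumed known from Shor's algorithm) are constructed for the example; the redundancy count (2c+1)^d / N is the quantity the last lines of the slide flag for further analysis.

```python
from fractions import Fraction

N = 10_007                                  # toy class number; CSIDH-512 has N ~ 2^256, d = 74
E = [1, 2_731, 4_177, 6_089, 7_561, 9_433]  # constructed images of [P1], ..., [P6] in Z/N
D = len(E)


def expected_steps(c, d=D):
    """Exact E[sum |a_i|] for uniform a in {-c, ..., c}^d: d * c(c+1)/(2c+1), about d*c/2."""
    return Fraction(d * c * (c + 1), 2 * c + 1)


def image_distribution(c, e=E, n=N):
    """Exact distribution on Z/N of the image sum a_i e_i of g = [P1]^a1 ... [Pd]^ad
    for uniform (a_1, ..., a_d) in {-c, ..., c}^d, one coordinate convolved at a time."""
    dist = [0.0] * n
    dist[0] = 1.0
    w = 1.0 / (2 * c + 1)
    for ei in e:
        nxt = [0.0] * n
        for x, p in enumerate(dist):
            if p:
                for a in range(-c, c + 1):
                    nxt[(x + a * ei) % n] += p * w
        dist = nxt
    return dist


def distance_from_uniform(dist):
    """Statistical (total variation) distance between dist and the uniform distribution on Z/N."""
    n = len(dist)
    return 0.5 * sum(abs(p - 1.0 / n) for p in dist)


def representations_per_element(c, d=D, n=N):
    """Average number of exponent vectors in {-c, ..., c}^d mapping to one g in G:
    the redundancy whose effect on Kuperberg's algorithm the slide leaves open."""
    return Fraction((2 * c + 1) ** d, n)


def compare(c_user, c_attacker):
    """Cost, uniformity and redundancy for the users' box size versus the attacker's larger one."""
    out = {}
    for c in (c_user, c_attacker):
        out[c] = (expected_steps(c),
                  distance_from_uniform(image_distribution(c)),
                  representations_per_element(c))
    return out


if __name__ == "__main__":
    for c, (cost, dist, reps) in compare(2, 10).items():
        print(f"c={c:2d}: ~{float(cost):.1f} steps per action, "
              f"distance from uniform {dist:.4f}, ~{float(reps):.1f} representations per g")
```

Raising c from the users' value multiplies the step count by roughly the same factor (linear in c) while the distance to uniform collapses once (2c+1)^d is well above N, which is the "not much slowdown" trade the slide describes. On CSIDH-512 the convolution is not an option (N ≈ 2^256); the point of the toy is only that the two claims are checkable quantities, not slogans.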
9
How fast are the steps?
e.g. CSIDH-512, user distribution
on G, error rate <2^{−32} (is this
adequate?), nonlinear bit ops:
≈2^51 by 2018 Jao–LeGrow–
Leonardi–Ruiz-Lopez.
Many optimizations, detailed
analysis: 765325228976 ≈ 0.7 · 2^40
by 2018 BLMP Algorithm 8.1.
quantum.isogenies.org:
full software and 56-page paper;
variations in 512, distrib, 2^{−32}.
Next big challenge: AT analysis.
10
How many actions + other costs?
2011 Kuperberg estimates “time”
exp((0:98 : : : + o(1))(log2 N)1=2);
compares to 2003 Kuperberg:
exp((1:23 : : : + o(1))(log2 N)1=2).
![Page 60: Daniel J. Bernstein F Quantum attacks Shor also ...cr.yp.to/talks/2019.07.10/slides-djb-20190710-qisog-4x3.pdf · 1 Quantum attacks against isogenies Daniel J. Bernstein 1994 Shor](https://reader033.vdocument.in/reader033/viewer/2022060506/5f1f3aedda3d0a13d63ac2e1/html5/thumbnails/60.jpg)
8
Approach 3 (mentioned in 2018
Bernstein–Lange–Martindale–
Panny): Uniform (a1; : : : ; ad )
in {−c; : : : ; c}d . Choose c
somewhat larger than users do.
Not much slowdown in action.
Surely g = [P1]a1 · · · [Pd ]ad is
nearly uniformly distributed in G.
Can quickly compute gEb
and image of g in Z=N.
Need more analysis of impact of
these redundant representations
upon Kuperberg’s algorithm.
9
How fast are the steps?
e.g. CSIDH-512, user distribution
on G, error rate <2−32 (is this
adequate?), nonlinear bit ops:
≈251 by 2018 Jao–LeGrow–
Leonardi–Ruiz-Lopez.
Many optimizations, detailed
analysis: 765325228976 ≈ 0:7 ·240
by 2018 BLMP Algorithm 8.1.
quantum.isogenies.org:
full software and 56-page paper;
variations in 512, distrib, 2−32.
Next big challenge: AT analysis.
10
How many actions + other costs?
2011 Kuperberg estimates “time”
exp((0:98 : : : + o(1))(log2 N)1=2);
compares to 2003 Kuperberg:
exp((1:23 : : : + o(1))(log2 N)1=2).
![Page 61: Daniel J. Bernstein F Quantum attacks Shor also ...cr.yp.to/talks/2019.07.10/slides-djb-20190710-qisog-4x3.pdf · 1 Quantum attacks against isogenies Daniel J. Bernstein 1994 Shor](https://reader033.vdocument.in/reader033/viewer/2022060506/5f1f3aedda3d0a13d63ac2e1/html5/thumbnails/61.jpg)
8
Approach 3 (mentioned in 2018
Bernstein–Lange–Martindale–
Panny): Uniform (a1; : : : ; ad )
in {−c; : : : ; c}d . Choose c
somewhat larger than users do.
Not much slowdown in action.
Surely g = [P1]a1 · · · [Pd ]ad is
nearly uniformly distributed in G.
Can quickly compute gEb
and image of g in Z=N.
Need more analysis of impact of
these redundant representations
upon Kuperberg’s algorithm.
Open: Do better than 1/2? Do better than 0.98…?
Exact number of actions? Some work on analysis+optimization: 2003 Kuperberg; 2011 Kuperberg; 2018 Bonnetain–Naya-Plasencia; 2018 Bonnetain–Schrottenloher; 2019 Kuperberg; 2019 Peikert; 2019 Bonnetain–Schrottenloher.