Abstract
It follows from a result by Friedl, Ivanyos, Magniez, Santha and Sen from 2014 that, for any fixed integer \(m > 0\) (thought of as being small), there exists a quantum algorithm for solving the hidden shift problem in an arbitrary finite abelian group \((G, +)\) with time complexity
As discussed in the current paper, this can be viewed as a modest statement of Pohlig–Hellman type for hard homogeneous spaces. Our main contribution is a somewhat simpler algorithm achieving the same runtime for \(m = 2^tp\), with t any non-negative integer and p any prime number, where additionally the memory requirements are mostly in terms of quantum random access classical memory; indeed, the amount of qubits that need to be stored is \(\mathrm {poly}( \log |G|)\). Our central tool is an extension of Peikert’s adaptation of Kuperberg’s collimation sieve to arbitrary finite abelian groups. This allows for a reduction, in said time, to the hidden shift problem in the quotient \(G/2^tpG\), which can then be tackled in polynomial time, by combining methods by Friedl et al. for p-torsion groups and by Bonnetain and Naya-Plasencia for \(2^t\)-torsion groups.
Notes
1. Note that a support set \(A_\varPsi \) is not intrinsic to its phase vector \(\varPsi \): in principle, it could be any set in \(\mathcal {A}\) containing all the \(\chi _j\) occurring in \(\varPsi \). It could therefore be useful to shrink this set after a collimation step, making it as small as possible.
2. Remark that, in practice, we can be more lax and allow for incomplete phase vectors, choosing f so that for each \(i=1,\ldots ,\ell \) and \(\chi \in A\) there is at most one \(j\in \{0,\ldots ,L-1\}\) such that \(\chi _j=\chi \). Then some \(\chi \in A\) could be missing in the resulting state, but this is tolerable to some extent. For simplicity, we stick to the complete case.
3. Note that \(A \cong B^\vee \) because each \(\chi \in A\) is of the form \(\chi '\circ q\) for some \(\chi ' \in B^\vee \).
4. Unless \(k_1 \mid a_1\cdots a_r\), in which case we always get the first superposition.
References
Berger, T.P., Francq, J., Minier, M., Thomas, G.: Extended generalized Feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput. IEEE Trans. Comput. 65(7), 2074–2089 (2016)
Bonnetain, X., Naya-Plasencia, M.: Hidden shift quantum cryptanalysis and implications. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part I. LNCS, vol. 11272, pp. 560–592. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_19
Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 493–522. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_17
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
Castryck, W., Sotáková, J., Vercauteren, F.: Breaking the decisional Diffie-Hellman problem for class group actions using genus theory. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 92–120. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_4
Csáji, G.: A new quantum algorithm for the hidden shift problem in \(\mathbb{Z}_{2^t}^n\), preprint available at https://arxiv.org/abs/2102.04171 (2021)
Chávez-Saab, J., Chi-Domínguez, J.-J., Jaques, S., Rodríguez-Henríquez, F.: The SQALE of CSIDH: Square-root Vélu quantum-resistant isogeny action with low exponents, preprint available at https://eprint.iacr.org/2020/1520 (2020)
Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)
Cohen, H., Lenstra, H.W.: Heuristics on class groups of number fields. In: Jager, H. (ed.) Number Theory Noordwijkerhout 1983. LNM, vol. 1068, pp. 33–62. Springer, Heidelberg (1984). https://doi.org/10.1007/BFb0099440
Couveignes, J.-M.: Hard homogeneous spaces (unpublished). https://eprint.iacr.org/2006/291
Gerth, F., III.: The \(4\)-class ranks of quadratic fields. Invent. Math. 77, 489–515 (1984)
van Dam, W., Hallgren, S., Ip, L.: Quantum algorithms for some hidden shift problems. SIAM J. Comput. 36(3), 763–778 (2006)
Friedl, K., Ivanyos, G., Magniez, F., Santha, M., Sen, P.: Hidden translation and translating coset in quantum computing. SIAM J. Comput. 43(1), 1–24 (2014)
Galbraith, S.D., Panny, L., Smith, B., Vercauteren, F.: Quantum equivalence of the DLP and CDHP for group actions. Math. Cryptol. 1(1), 40–44 (2021)
Kuperberg, G.: A subexponential time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)
Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Proceedings of TQC 2013, Leibniz International Proceedings in Informatics, vol. 22, pp. 20–34 (2013)
Maurer, U.M., Wolf, S.: The Diffie-Hellman protocol. Des. Codes Crypt. 19, 147–171 (2000)
Panny, L.: Cryptography on isogeny graphs. Ph.D. thesis, TU Eindhoven (2021)
Peikert, C.: He gives C-sieves on the CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 463–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_16
Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over \(\mathit{GF}(p)\) and its cryptographic significance. IEEE Trans. Inf. Theory 24(1), 106–110 (1978)
Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space (unpublished). https://arxiv.org/abs/quant-ph/0406151
Regev, O.: Quantum computation and lattice problems. SIAM J. Comput. 33(3), 738–760 (2004)
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies (unpublished). https://eprint.iacr.org/2006/145.pdf
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997). A preliminary version appeared in Proc. of the 35th Annual Symposium on Foundations of Computer Science, pp. 116–123 (1994)
Smith, B.: Pre- and post-quantum Diffie–Hellman from groups, actions, and isogenies. In: Budaghyan, L., Rodríguez-Henríquez, F. (eds.) WAIFI 2018. LNCS, vol. 11321, pp. 3–40. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05153-2_1
Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)
Acknowledgments
This work was supported by the Research Council KU Leuven grant C14/18/067, by CyberSecurity Research Flanders with reference number VR20192203, and by the Research Foundation Flanders (FWO) through the WOG Coding Theory and Cryptography. We thank the anonymous referees and shepherd for pointing us to a number of missing references, and for various other suggestions for improvement.
A Expected Quality of a Collimation Step
Proposition A.1
When \(\varPsi _1\) and \(\varPsi _2\) are given, we have
regardless of how \(A_{\varPsi _1}+A_{\varPsi _2}\) is subdivided, with equality holding as long as every set \(A_i\) in the subdivision contains at least one character \(\chi _{j_1}\chi _{j_2}\) occurring in \(\varPsi _1\otimes \varPsi _2\). Using this, the expected value of the logarithm of the density can be bounded as \(\mathbb {E}\log \delta (\varPsi _3)\ge \log (L_1L_2 / |A_{\varPsi _1}+A_{\varPsi _2}|)\). If Q is the quality of the collimation step, then the expected value of the logarithm is bounded as
Proof
We have
Note that if \(\mathbb {P}(A_{\varPsi _3}=A_i)=0\) then we simply omit that term from the sum. In this case we only have an upper bound on the expected value of one over the density, rather than an equality. This proves the first statement.
To obtain the second statement we use the result from probability theory that
for any random variable X that only assumes positive values. This follows from Jensen’s inequality and the fact that \(-\log x\) is a convex function on \(\mathbb {R}_{>0}\). This can be rewritten as \(\mathbb {E}\log X\ge -\log \mathbb {E} \, X^{-1}\). The second statement follows from this result by applying it to \(X=\delta (\varPsi _3)\). The third statement follows from the second and the definition of the quality Q. \(\square \)
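The Jensen step of the proof, carried through with the paper's symbols as an added worked derivation (not part of the original appendix); the form of the first statement as an upper bound on \(\mathbb {E}\,\delta (\varPsi _3)^{-1}\) is inferred from the surrounding text rather than copied from it.

Jensen's inequality for the convex function \(\varphi (y)=-\log y\) on \(\mathbb {R}_{>0}\) and a positive random variable Y reads
\[
\mathbb {E}\,\varphi (Y)\ \ge\ \varphi (\mathbb {E}\,Y).
\]
Applying it to \(Y=X^{-1}\) gives
\[
\mathbb {E}\bigl[-\log X^{-1}\bigr]\ \ge\ -\log \mathbb {E}\,X^{-1}
\quad\Longleftrightarrow\quad
\mathbb {E}\log X\ \ge\ -\log \mathbb {E}\,X^{-1},
\]
since \(-\log X^{-1}=\log X\). Now take \(X=\delta (\varPsi _3)\) and use the first statement in the (inferred) form \(\mathbb {E}\,\delta (\varPsi _3)^{-1}\le |A_{\varPsi _1}+A_{\varPsi _2}|/(L_1L_2)\); because \(-\log\) is decreasing, this yields
\[
\mathbb {E}\log \delta (\varPsi _3)\ \ge\ -\log \mathbb {E}\,\delta (\varPsi _3)^{-1}\ \ge\ -\log \frac{|A_{\varPsi _1}+A_{\varPsi _2}|}{L_1L_2}\ =\ \log \frac{L_1L_2}{|A_{\varPsi _1}+A_{\varPsi _2}|},
\]
which is the second statement; when the first statement holds only as an upper bound (some \(A_i\) receive zero probability), the chain above still holds since only the inequality direction is used.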
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Castryck, W., Dooms, A., Emerencia, C., Lemmens, A. (2021). A Fusion Algorithm for Solving the Hidden Shift Problem in Finite Abelian Groups. In: Cheon, J.H., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2021. Lecture Notes in Computer Science(), vol 12841. Springer, Cham. https://doi.org/10.1007/978-3-030-81293-5_8
DOI: https://doi.org/10.1007/978-3-030-81293-5_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81292-8
Online ISBN: 978-3-030-81293-5