CONSTRUCTING PUBLIC-KEY CRYPTOGRAPHIC SCHEMES BASED ON CLASS GROUP ACTION ON A SET OF ISOGENOUS ELLIPTIC CURVES

We propose a public-key encryption scheme and key agreement protocols based on a group action on a set. We construct an implementation of these schemes for the action of the class group CL(O K ) of an imaginary quadratic field K on the set ELL p,n (O K ) of isomorphism classes of elliptic curves over F p with n points and the endomorphism ring O K . This introduces a novel way of using elliptic curves for constructing asymmetric cryptography.


Introduction
The two most practical mathematical problems constituting the basis for the security of modern asymmetric cryptographic schemes are integer factoring and computing discrete logarithms. The security of the former problem has decreased quickly as new factoring methods and computer technology are developed. The latter problem remains exponential-time for some groups, e.g. elliptic curves. However, Shor's algorithm can solve the factoring and discrete logarithm problems in polynomial time once sufficiently large quantum computer registers become available [38]. These facts create a need for the development of asymmetric schemes that are based on new hard computational problems.
A potential mathematical object for this purpose is a low degree isogeny graph of ordinary elliptic curves over a finite field. Vertices in this graph are elliptic curves and edges are morphisms between them. Popular applications of low degree isogenies include elliptic curve point counting, e.g. the Schoof-Elkies-Atkin (SEA) algorithm [37], reduction of the elliptic curve discrete logarithm problem (ECDLP) between different elliptic curves [19,27], computation of the endomorphism ring of an elliptic curve [28] and computation of modular polynomials [6,11]. Galbraith [18] and Galbraith, Hess and Smart [19] have proposed algorithms for constructing an isogeny between two given elliptic curves, i.e. searching for a route on an isogeny graph. Elliptic curve isogeny graphs have also been proposed for building cryptographic primitives. Rostovtsev et al. [33] have described an ordered digital signature scheme that implements the sequence number functionality for digitally signed documents using a small degree isogeny sequence. Teske [44] has constructed a key escrow system where a curve isogenous to the public curve is stored at a trusted authority and can be used to feasibly solve the ECDLP on the public curve, if needed. Charles, Goren and Lauter [12] have designed a hash function based on an isogeny graph of supersingular elliptic curves.
In this paper we use elliptic curve isogeny graphs for constructing new asymmetric cryptographic schemes. First we generalize some existing cryptographic schemes to the context of a group action on a set, and discuss their security. We then apply results of the complex multiplication theory to implement the proposed cryptographic schemes. Namely we use the action of the ideal class group CL(O K ) of an imaginary quadratic field K on the set ELL p,n (O K ) of isomorphism classes of elliptic curves over F p with n points and the endomorphism ring O K . The involved implementation-related solutions are then explained in more detail. We take advantage of available computational algorithms on elliptic curves and ideal class groups to implement the necessary operations. Finally we present our experimental results. Besides being interesting from the theoretical point of view, the proposed cryptographic schemes might also have an advantage against quantum computer attacks. However, this question requires further research, as we only point out the inapplicability of some currently known quantum algorithms.
This paper develops ideas of Rostovtsev and Stolbunov [34] which originally appeared in their draft article. Independently of this work, research on a similar topic has been reported by Couveignes [14].
2. Public-key cryptography based on group action
2.1. Notation. We start with the basic notation. Let G be a finite abelian group, and X a set. A (left) action of G on X is a map which satisfies the associativity property (gh) * x = g * (h * x) for all g, h ∈ G, x ∈ X, and the property e * x = x for the identity element e ∈ G and all x ∈ X. The orbit of a set element x ∈ X is the subset G * x = {g * x : g ∈ G}. The orbits of the elements of X are equivalence classes.
By a ← b we denote the assignment of the value b to a variable a. By a ←R G we mean that a is sampled from the uniform distribution on the set of elements of G. We write #S for the number of elements in S. By log n we denote the binary logarithm of n.
As a general rule, we assume that all algorithms take descriptions of G and X, and an element x ∈ X, as part of implied system parameters. By descriptions of G and X we mean the information needed, besides the input, to implement the operations involved in the algorithm, such as the random sampling from G, the action of G on X, the group operation etc. so A and B output the same session key k. The protocol KA1 provides secrecy of k from passive adversaries. The next two key agreement protocols make use of long-term public key pairs and thus require a one-time setup. Alice randomly chooses her secret key sk A ∈ G and then computes the corresponding public key pk A = sk A * x. Alice then provides her public key to Bob in an authentic manner. Bob does the same setup with his key pair sk B , pk B . The key agreement protocols KA2 and KA3 are shown in Fig. 2 and 3, respectively.
A and B output the same session key k in the protocol KA2 since
In the KA3 protocol, A and B output the same session key k since
Whereas the KA1 protocol does not provide authenticity, the protocols KA2 and KA3 are designed to provide mutual key authentication, i.e. Alice is assured that no party other than the one in possession of sk B may gain access to k, and vice versa. The protocols KA2 and KA3 are generalizations of the MTI/C1 and MTI/C0 protocols proposed by Matsumoto, Takashima and Imai [30, §12.6].
Figure 3. Key agreement protocol KA3.

2.3. Public-key encryption based on group action. We now generalize the ElGamal public-key encryption scheme to the context of group action. An approach proposed by Monico [31] requires the set X to be a group in order to mask a message m ∈ X. In contrast with this, we use a "hashed" version of the ElGamal encryption scheme, which eliminates these restrictions on X and m through the use of a hash function family H, which, however, introduces a need for a security assumption about H (see Theorem 2).
For a fixed message length w, the message space is the set of bit strings {0, 1} w , and thus we can write m ∈ {0, 1} w . We use a hash function family H = {H k : k ∈ K} indexed by a finite set K, such that each H k is a function The public-key encryption scheme PE = (K, E, D) is pictured in Fig. 4. The notation we use is: m is a message, sk ∈ G is a secret key, pk ∈ X × K is a public key and ct ∈ {0, 1} w × X is a ciphertext. We have that x, y, z, u ∈ X. The algorithm K also takes the description of K as part of the implied system parameters.
The encryption scheme PE is sound, that is to say, for all pairs (sk, pk) which can be output by K() and for all m ∈ {0, 1} w we have that D(sk, pk, E(pk, m)) = m. Indeed, we can write H k (a * r) = H k (sk * y) since a * r = a * (sk * x) = (a sk) * x = sk * (a * x) = sk * y.
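The KA1 protocol and the PE scheme above, as an added example that is not code from the paper: both are written against the abstract action (G, X, *) of Sect. 2.1 and run on a constructed toy instance, the classical exponentiation action that these schemes generalize (q = 1019, p = 2039, x = 4 are made-up parameters). The hash family H (keyed SHA-256 truncated to w bits), the XOR masking of m and the byte encoding of set elements are assumptions of this example, since the figures are not reproduced here.

```python
import hashlib
import secrets

# Constructed toy instance of the abstract action (G, X, *) of Sect. 2.1: G = (Z/q)^* under
# multiplication acts on X = <x>, the subgroup of order q in F_p^*, by a * y = y^a mod p.
# G acts freely on G * x = X \ {1}, like CL(O_K) on ELL_{p,n}; the DDHAP is then plain DDH.
Q_ORDER = 1019               # q, prime; #G = q - 1
P_MOD = 2 * Q_ORDER + 1      # p = 2039, a safe prime, so x = 4 (a square) has order q
X0 = 4                       # the fixed set element x of the system parameters


class ExpAction:
    """The operations the schemes of Sect. 2 need from the descriptions of G and X."""

    def __init__(self, q=Q_ORDER, p=P_MOD, x=X0):
        self.q, self.p, self.x, self.e = q, p, x, 1

    def sample(self):                    # a <-R G, uniform on {1, ..., q-1}
        return 1 + secrets.randbelow(self.q - 1)

    def act(self, g, y):                 # g * y
        return pow(y, g, self.p)

    def compose(self, g, h):             # gh, so that (gh) * y = g * (h * y)
        return g * h % self.q

    def encode(self, y):                 # bit string for y in X; the hash domain U
        return y.to_bytes(8, "big")


def action_axioms_hold(action, trials=20):
    """Checks (gh) * y = g * (h * y) and e * y = y on random g, h and y in G * x."""
    for _ in range(trials):
        g, h = action.sample(), action.sample()
        y = action.act(action.sample(), action.x)
        if action.act(action.compose(g, h), y) != action.act(g, action.act(h, y)):
            return False
        if action.act(action.e, y) != y:
            return False
    return True


# --- KA1: unauthenticated key agreement (the Diffie-Hellman analogue) ---------------
def ka1(action):
    """Runs both sides; returns (Alice's key, Bob's key, transcript seen by a passive adversary)."""
    a = action.sample()
    msg_a = action.act(a, action.x)      # Alice -> Bob: a * x
    b = action.sample()
    msg_b = action.act(b, action.x)      # Bob -> Alice: b * x
    k_alice = action.act(a, msg_b)       # a * (b * x) = (ab) * x
    k_bob = action.act(b, msg_a)         # b * (a * x) = (ba) * x
    return k_alice, k_bob, (msg_a, msg_b)   # a and b die with this frame, as Sect. 2.4 requires


# --- PE: hashed ElGamal over the action (Sect. 2.3) ---------------------------------
W_BYTES = 16                 # message length w = 128 bits


def hash_family(k, u_bytes):
    """H_k(u): an assumed instantiation of the family H (SHA-256 keyed with k, truncated
    to w bits); the paper only requires H to be entropy smoothing (Assumption 2)."""
    return hashlib.sha256(k + u_bytes).digest()[:W_BYTES]


def keygen(action):
    """K(): sk <-R G, pk = (sk * x, k) in X x K, with K = 16-byte hash keys (assumed)."""
    sk = action.sample()
    return sk, (action.act(sk, action.x), secrets.token_bytes(16))


def encrypt(action, pk, m):
    """E(pk, m) for a w-bit m: ct = (m xor H_k(a * y), a * x) with a fresh a <-R G."""
    y, k = pk
    a = action.sample()
    u = action.act(a, action.x)          # a * x, the X-component of the ciphertext
    z = action.act(a, y)                 # a * (sk * x)
    mask = hash_family(k, action.encode(z))
    return bytes(mi ^ ki for mi, ki in zip(m, mask)), u


def decrypt(action, sk, pk, ct):
    """D(sk, pk, ct): sk * u = sk * (a * x) = (sk a) * x = a * (sk * x), then unmask."""
    c, u = ct
    mask = hash_family(pk[1], action.encode(action.act(sk, u)))
    return bytes(ci ^ ki for ci, ki in zip(c, mask))


def pe_is_sound(m):
    """The soundness statement of Sect. 2.3: D(sk, pk, E(pk, m)) == m."""
    action = ExpAction()
    sk, pk = keygen(action)
    return decrypt(action, sk, pk, encrypt(action, pk, m)) == m
```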

2.4. Security of cryptographic schemes based on group action. In this section we provide reductionist security arguments for the KA1 protocol and the PE scheme, thus showing that breaching the security of these schemes is not easier than solving particular computational problems. A detailed discussion, together with proofs of Theorems 1 and 2, can be found in our earlier work [42].
For a finite abelian group G acting on a set X and a fixed element x ∈ X we define the following computational problems: Problem 1 (Group Action Inverse Problem (GAIP)). Given a randomly chosen element y ∈ G * x, find a group element g ∈ G such that g * x = y.
A problem similar to GAIP was defined for semigroups by Maze et al. [29] as the semigroup action problem. However we prefer the name GAIP as the problem asks to invert the function f (a) = a * x.
Problem 2 (Decisional Diffie-Hellman Group Action Problem (DDHAP)). Given a triple (y, z, u) ∈ X 3 sampled with probability 1/2 from one of the two following probability distributions:
• (a * x, b * x, (ab) * x), where a and b are randomly chosen from G,
• where a, b and c are randomly chosen from G,
decide which distribution the triple is sampled from.
Using a GAIP solver it is straightforward to construct a solver for the DDHAP, thus the DDHAP is not harder than the GAIP.
For a DDHAP distinguisher S, its probability of returning the correct solution will be denoted by Pr DDH S , which is a function of the security parameter s = log #(G * x). Since the distinguisher S can gain a success probability of 1/2 by returning a random solution, the advantage of S is defined to be We can now define the following assumption about the computational complexity of the DDHAP: Assumption 1 (DDHAP). For any polynomial-time DDHAP distinguisher S, the advantage Adv DDH S is a negligible function of s.
To model the security of the KA1 protocol we will use the notion of session-key (SK) security in the authenticated-links adversarial model (AM) proposed by Canetti and Krawczyk [9,10]. In outline, this security notion asserts that any polynomial-time adversary I that cannot change the information transmitted between parties does not learn anything about the value of the session key established between uncorrupted parties. This is formalized via the infeasibility for I to distinguish between the real value of the session key and an independent random value in a specially designed experiment. We refer to the papers of Canetti and Krawczyk for a formal definition of SK security in the AM. After a few implementation-specific modifications to the protocol KA1, namely introducing party identifiers and session identifiers and requiring that the variables a and b be erased before returning the output, the following theorem can be proved: Theorem 1. If the DDHAP assumption holds for the finite abelian group G acting on the set X, then the KA1 protocol is SK-secure in the AM.
The classical goal of encryption is to preserve the privacy of messages: an adversary should not be able to learn from a ciphertext information about its plaintext beyond the length of that plaintext. This idea is captured via the notion of semantic security of an encryption scheme, proposed by Goldwasser and Micali [21], which asserts that any polynomial-time adversary cannot effectively distinguish between the encryption of two messages of his choosing. We will use an equivalent notion, indistinguishability of encryptions in a chosen-plaintext attack (IND-CPA) [3]. The equivalence of these two security notions has been shown by Goldreich [20].
In our security argument we will also use the property of a hash function family H of being entropy smoothing (ES). The smooth entropy denotes the number of almost uniform random bits in a random variable [7,8]. An ES hash function family produces almost uniformly distributed outputs by making the output shorter than the input. This is formalized via the requirement that any polynomial-time adversary cannot effectively distinguish between the values (k, H k (u)) and (k, h), where k ∈ K, u ∈ U and h ∈ {0, 1} w are chosen at random, and U is the domain of the hash function. When applied to the PE scheme, U is the set of bit strings that represent the elements of G * x.
Assumption 2 (ES). The hash function family H is entropy smoothing.
Theorem 2. If the DDHAP assumption holds for the finite abelian group G acting on the set X, and the hash function family H is ES, then the public-key encryption scheme PE is secure in the sense of IND-CPA.
We have shown that the security of the encryption scheme PE and the protocol KA1 is based on the hardness of the DDHAP and the GAIP. The security of PE is also subject to the ES assumption about the hash function family used.

Isogenous elliptic curves over prime fields
We show that elliptic curves provide an option for implementing the cryptographic schemes presented in Sect. 2. The aim of this section is to define mathematical structures that will be used as a set X and a finite abelian group G acting on X.
An elliptic curve E over a field F , char(F ) ∉ {2, 3}, is an algebraic curve defined by an equation The set of rational points on E over F , together with the "point at infinity" O, is an additive group with the zero element O. The elliptic curve E over F is denoted E/F , and its group of rational points is denoted E(F ). For elliptic curves E 1 /F and E 2 /F , an isogeny between E 1 and E 2 is a morphism φ : The elliptic curves E 1 and E 2 are called isogenous if there is a nonconstant isogeny between them. Every isogeny E 1 → E 2 induces a homomorphism of the groups E 1 (F ) and E 2 (F ). For an elliptic curve E/F , the set of all isogenies E → E defined over F̄ is called the endomorphism ring of E and denoted End(E).
We review basic facts about elliptic curves over C to establish notation [40, Ch. II §1]. For a pair of complex numbers ω 1 , ω 2 ∈ C, such that ω 2 /ω 1 ∉ R, the additive group Λ = ω 1 Z + ω 2 Z is called a complex lattice. For a complex lattice Λ, the Weierstrass ℘-function gives rise to an elliptic curve and a group isomorphism C/Λ ≅ E Λ (C). For any nonzero α ∈ C the multiplication-by-α map induces the isomorphism E Λ (C) ≅ E αΛ (C), and for the endomorphism ring of E Λ we have End(E Λ ) ≅ {α ∈ C : αΛ ⊂ Λ}. When End(E Λ ) is larger than Z, E Λ is said to have complex multiplication, and End(E Λ ) is then isomorphic to an imaginary quadratic order.
Let O K be the ring of integers of an imaginary quadratic field K. By ELL(O K ) we denote the set of isomorphism classes of elliptic curves over C having the endomorphism ring O K : For convenience we will write E ∈ ELL(O K ) meaning that E belongs to the corre- There is a well-defined action of the ideal class group . Then Λ ⊂ b −1 Λ, and the homomorphism , and the degree of ψ equals the norm N K Q (b). We now reduce elliptic curves over C to the ones over a finite field [16, §14.C]. Let H be the Hilbert class field of K, and O H its ring of integers. Then the elliptic curves in ELL(O K ) are defined over H. Let p > 3 be a prime in Z which splits completely in H, and fix a prime P of H lying above p, so that O H /P ≅ F p . Finally, let E ∈ ELL(O K ) be an elliptic curve which has good reduction at P. Hence g 2 and g 3 of (1) can be written in the form α/β where α, β ∈ O H , β ∉ P, so that [g 2 ] and [g 3 ] can be defined in O H /P. The elliptic curve Ē : over the finite field O H /P is called the reduction of E modulo P. The reduction preserves the endomorphism ring, namely End F p (Ē) ≅ O K , and every elliptic curve over F p with the endomorphism ring O K arises in this way. For two elliptic curves E 1 , E 2 ∈ ELL(O K ) that have good reduction at P, the natural reduction map Hom(E 1 , E 2 ) → Hom(Ē 1 , Ē 2 ) is injective and preserves degrees [40, Proposition II.4.4].
Let now E 1 /F p be an ordinary elliptic curve such that End(E 1 ) ≅ O K for some imaginary quadratic field K. According to a theorem of Tate, We denote n = #E 1 (F p ) and restrict ourselves to the isogeny class of elliptic curves with n points. We define a set of isomorphism classes of elliptic curves with the endomorphism ring O K to be
[Figure residue: isogeny cycles (27 41 15)(19 24 12) and (27 19 41 24 15 12)]
In terms of horizontal and vertical isogenies introduced by Kohel [28] this set corresponds to the surface, i.e. the topmost level, of the isogeny graph.
The reduction modulo P maps ELL(O K ) to ELL p,n (O K ) and induces the action of CL(O K ) on ELL p,n (O K ). Since the reduction preserves isogeny degrees, for an . In order to shorten the notation, we will often write ELL p,n or even ELL instead of ELL p,n (O K ), and CL instead of CL(O K ), where we do not need to explicitly refer to O K , p and n.
Remarkably, the set ELL p,n is a principal homogeneous space over the group CL [45, Theorem 4.5]. In particular, CL acts freely and transitively on ELL p,n , i.e. for any x, y ∈ ELL p,n there exists precisely one g ∈ CL such that g * x = y. It follows that # CL = # ELL p,n .
For the sake of a small example, consider the elliptic curve E : y 2 = x 3 + x + 5 over the field F 47 . E has 42 points, the Frobenius discriminant ∆ π = −152 is fundamental and j E = 27. Figure  and has norm 7, isogenies of degree 7 form cycles (27 15 41) and (19 12 24).
Thus for an abelian group G and a set X defined by it is possible to implement the cryptographic schemes proposed in Sect. 2. The next three sections describe the implementation in greater detail.

Elements of ELL p,n and CL
We show how one can store elements of X and G when implementing the cryptographic schemes of Sect. 2 on a set of isomorphism classes of elliptic curves.  p,n by j-invariants. As j-invariants lie in F p they can be stored as non-negative integers less than p.
However, for the calculations described in Sect. 5 one will need an explicit equation of a curve E ∈ ELL p,n with a given j-invariant. Here we see two ways to implement this: either to transmit the explicit curve equation, or to transmit the j-invariants and compute the equations when needed. The former approach saves computational resources while the latter saves bandwidth. In the latter case, the elliptic curve equation can be obtained in the following way. At first one sets c = j/(j − 1728) and considers the curve E : y 2 = x 3 − 3cx + 2c. E is either the desired elliptic curve or a twist of it, i.e. #E(F p ) equals n or 2p + 2 − n, respectively. When these two numbers are relatively prime, #E can be tested by taking a random point on E and multiplying it by n. In the twisted case, one takes a quadratic non-residue v ∈ F * p and sets the desired curve to be E ′ :

4.2. Elements of CL. Elements of an ideal class group CL(O K ) are classes of fractional ideals modulo principal fractional ideals of the imaginary quadratic order O K . A traditional approach is to use reduced ideals or, equivalently, reduced binary quadratic forms, as representatives of the ideal classes. However for storing elements of CL we will use a different approach, which is more suitable in the context of the action on ELL p,n . We first recall an important result by Kohel [28]. For an ordinary elliptic curve E/F p with endomorphism ring O K of discriminant ∆, and a prime l, there are (∆/l) + 1 isogenies of degree l to curves with endomorphism ring isomorphic to O K . We immediately observe that inert primes, namely those satisfying (∆/l) = −1, do not appear as degrees of isogenies inside ELL p,n , and therefore will not be further considered. Ramified primes, that is when l | ∆, yield only one horizontal isogeny of degree l. Due to the existence of dual isogenies, isogenies of a ramified degree form loops of length 2. In other words, since lO K = l 2 , the ideal l has order 2 in CL. As compared to split primes, a ramified isogeny degree l does not introduce much diversity when moving on the isogeny graph, because the number of hops by l-isogenies has to be considered modulo 2. When l is split, there are two horizontal isogenies of degree l, and l-isogeny cycles can be much longer. For this reason it is beneficial to select an elliptic curve with an endomorphism ring where most of the small primes are split, when choosing the system parameters. Our further attention will be concentrated on split primes.
For a fixed positive integer l max let L be an indexed set Let also d = #L. Then for each i, 1 ≤ i ≤ d, we define a prime ideal l i of O K to be In practice for a majority of ideal class groups it suffices to take c 0 = 0.5. Moreover, it is believed that the average minimum value of l max needed to generate CL is O(log 1+ε |∆|) for any ε > 0 [2]. In our practical experiments we chose l max ≈ log |∆|. Note that when the structure of CL is pre-computed during the system parameters selection, the fact that the prime ideals l i of norms in L generate CL can be tested and nonconforming class groups can be discarded. Otherwise, when the structure of CL is not precomputed, the fact that any element of CL can be represented as a product in (4) depends on the GRH and the choice of l max .

4.3. Generating the system parameters. In order to choose the set ELL p,n one first picks a prime p of sufficient size (see Sect. 7.1). One then tries arbitrary elliptic curves over F p until an appropriate curve is found. For every curve E one computes #E(F p ) using the SEA algorithm. The trace t of the Frobenius endomorphism π : (x, y) → (x p , y p ) is then obtained as t = p + 1 − #E(F p ), and to test that E is ordinary one verifies that t ≠ 0. The Frobenius discriminant ∆ π is then obtained by the formula The discriminant ∆ of End(E) satisfies (6) ∆ = ∆ π /g 2 for some integer g. A straightforward way to ensure that End(E) is a maximal imaginary quadratic order is to check whether ∆ π is a fundamental discriminant. Besides, when the conductor of ∆ π is not divisible by a large prime, one may use an algorithm of Kohel [28] to move from E to a curve with the maximal endomorphism ring. In this case one should also check that l i ∤ g for all l i ∈ L, so that there are no l i -isogenies down. Once ∆ is known, one chooses l max (see Remark 1) and examines how many of the primes less than or equal to l max are split. The more small primes are split, the better the performance of the CL action will be. One can even do an "early abort" of the SEA algorithm when t is computed modulo small primes and too few of them satisfy ((t 2 − 4p)/l i ) = 1. When the curve is chosen, the structure of CL(O ∆ ) should be computed, as we discuss later in Sect. 6.
The obtained elliptic curve E ∈ ELL p,n is to be used as the set element x in the proposed cryptographic schemes.

Implementation of CL action on ELL p,n
We show how to implement the group action * used in the cryptographic schemes of Sect. 2. Let an elliptic curve E ∈ ELL p,n be defined by y 2 = x 3 + Ax + B, and an ideal class be given by a vector v ∈ Z d according to the notation of Sect. 4.2. Our aim is to compute φ( v) * E ∈ ELL p,n . From (4) we have that The associativity property of the group action implies that we can compute (7) by gradually acting by the factors [l i ] or [l i ] −1 in (7), depending on the sign of v i . We call the operation [l i ] * E = E 1 a hop; it corresponds to an isogeny E → E 1 of degree l i . The computation of (7) consists of Σ_{i=1}^{d} |v i | hops between elliptic curves. We further explain the implementation of a single hop.
Throughout this section we use a notation for the prime ideals l i defined by (3), in order to explicitly refer to b. Since To compute the elliptic curve E 1 = [(l, b, ·)] * E we apply ideas used in the SEA algorithm [15,37]. For the action [(l, b, ·)] * E = E 1 there exists a separable F p -isogeny ψ : E → E 1 of degree N K Q (l, b, ·) = l. The same holds for [(l, −b, ·)] * E = E 2 . The j-invariants of E 1 and E 2 are computed as roots of the equation where Φ l is the modular polynomial of level l. When l does not divide the conductor g of ∆ π , the equation (8) has exactly 2 roots. We should determine which root is the j-invariant of the curve E 1 . For that we take one of the roots and apply the algorithm of Elkies to compute the equation of an isogenous elliptic curve Ê whose j-invariant is that root, together with the polynomial ĥ(x) that vanishes on the kernel of the l-isogeny E → Ê. The kernel of an l-degree isogeny is a subgroup of the l-torsion group, and the Frobenius endomorphism π on the kernel points satisfies the characteristic equation (9) π 2 − tπ + p ≡ 0 (mod l).
For split l the equation (9) has two different roots π 1 , π 2 ∈ Z l called Frobenius eigenvalues. These are related to the ideals (l, b, ·) and (l, −b, ·) by the following formula: where t is the trace of the Frobenius endomorphism. Indeed, we have that b 2 ≡ ∆ (mod 4l), thus g 2 b 2 ≡ ∆ π (mod 4l) and (t + gb)/2 satisfies (9): The same holds for (t − gb)/2. The eigenvalue π 1 ≡ (t − gb)/2 (mod l) corresponds to the action of π on the kernel of the isogeny associated with (l, b, ·) and π 2 ≡ (t + gb)/2 (mod l) corresponds to the isogeny associated with (l, −b, ·). We then check that the eigenvalue π 1 satisfies the relation where [π 1 ](x, y) stands for the point multiplication by π 1 . If (10) holds, we set the resulting elliptic curve E 1 to beÊ. Otherwise E 1 is obtained from the second root of (8).
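The hop just described, worked on the small example of Sect. 3 (E : y 2 = x 3 + x + 5 over F 47 , n = 42, ∆ = −152), as an added example that is not the paper's code or data: it rebuilds ELL 47,42 from j-invariants by the construction of Sect. 4.1 and computes the l = 7 hop with Vélu's formulas on the F 47 -rational subgroup of order 7, i.e. the kernel on which the Frobenius eigenvalue of (9) is 1. This is a swapped-in method that avoids the modular polynomial Φ 7 and the test (10) and works here only because 7 divides n; brute-force point counting stands in for SEA. The walk recovers the 7-isogeny cycles (27 15 41) and (19 12 24).

```python
# Added example. Parameters are the paper's small example: y^2 = x^3 + x + 5 over F_47 has
# n = 42 points and Frobenius discriminant -152. Vélu's formulas on the rational 7-torsion
# replace the modular-polynomial route of Sect. 5 (a choice of this example, not the paper's).
P = 47          # the prime p
N = 42          # n = #E(F_p) for the isogeny class
L = 7           # isogeny degree l; 42 = 6 * 7, so every curve in the class has a rational 7-subgroup


def legendre(a):
    """Legendre symbol (a/P): 1 for a nonzero square, -1 for a non-square, 0 for a = 0."""
    a %= P
    if a == 0:
        return 0
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1


def inv(a):
    return pow(a % P, P - 2, P)


def j_invariant(a, b):
    """j(E) = 1728 * 4a^3 / (4a^3 + 27b^2) for E: y^2 = x^3 + ax + b."""
    num = 4 * a ** 3
    return 1728 * num * inv(num + 27 * b ** 2) % P


def point_count(a, b):
    """#E(F_P) by exhaustion, 1 (infinity) + sum over x of (1 + (f(x)/P)); SEA for real sizes."""
    return 1 + sum(1 + legendre(x ** 3 + a * x + b) for x in range(P))


def curve_from_j(j):
    """Sect. 4.1: c = j/(j - 1728), E: y^2 = x^3 - 3cx + 2c, twisted by a quadratic non-residue
    when E is the twist with 2p + 2 - n points. Returns (a, b) with n points, or None.
    j = 0 and j = 1728 are skipped by the caller: they have CM by -3 and -4, not by -152."""
    c = j * inv(j - 1728) % P
    a, b = -3 * c % P, 2 * c % P
    count = point_count(a, b)
    if count == N:
        return a, b
    if count == 2 * P + 2 - N:
        v = next(v for v in range(2, P) if legendre(v) == -1)
        return a * v * v % P, b * v ** 3 % P          # quadratic twist, same j-invariant
    return None


def ell_p_n():
    """j-invariants of all F_47-curves with 42 points, i.e. the set ELL_{47,42}(O_K)."""
    return sorted(j for j in range(P)
                  if j not in (0, 1728 % P) and curve_from_j(j) is not None)


def add(S, T, a):
    """Affine point addition on y^2 = x^3 + ax + b; None is the point at infinity."""
    if S is None:
        return T
    if T is None:
        return S
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 + a) * inv(2 * y1) if S == T else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, S, a):
    R = None
    while k:
        if k & 1:
            R = add(R, S, a)
        S, k = add(S, S, a), k >> 1
    return R


def rational_l_torsion_point(a, b):
    """A point of order L in E(F_P): multiply rational points by the cofactor n/L."""
    for x in range(P):
        f = (x ** 3 + a * x + b) % P
        if legendre(f) == 1:
            Q = mul(N // L, (x, pow(f, (P + 1) // 4, P)), a)   # square root works as P = 3 mod 4
            if Q is not None:
                return Q
    raise ValueError("no rational point of order L: curve is not in the isogeny class")


def hop(a, b):
    """[l] * E for l = 7 via Vélu's formulas with kernel F = the F_P-rational subgroup of
    order 7 (Frobenius eigenvalue 1 in (9)). Returns the codomain coefficients (a', b')."""
    Q = rational_l_torsion_point(a, b)
    v = w = 0
    for k in range(1, (L + 1) // 2):            # representatives Q, 2Q, 3Q of (F \ {O}) / ±1
        xq, yq = mul(k, Q, a)
        vq = 2 * (3 * xq * xq + a)               # v_Q = 2 g_Q^x, Q is not 2-torsion
        uq = 4 * yq * yq                         # u_Q = (g_Q^y)^2 with g_Q^y = -2 y_Q
        v += vq
        w += uq + xq * vq
    return (a - 5 * v) % P, (b - 7 * w) % P


def seven_isogeny_cycle(j):
    """Repeated l = 7 hops from the curve with j-invariant j until the walk returns to j."""
    a, b = curve_from_j(j)
    cycle = [j]
    for _ in range(10):                          # CL(O_K) has only 6 elements here
        a, b = hop(a, b)
        jj = j_invariant(a, b)
        if jj == j:
            return cycle
        cycle.append(jj)
    raise RuntimeError("walk did not close")
```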
The computational complexity of a single hop between l-isogenous elliptic curves is dominated by solving the equation (8). The degree of the polynomial f (x) = Φ l (x, j(E)) is l + 1. The roots are found by computing gcd(x p − x, f (x)). The left-to-right binary exponentiation x p (mod f (x)) takes log p polynomial squarings, and the multiplications by x come "for free". Each polynomial multiplication through the number-theoretic transform (NTT) requires O(l log l) field multiplications. Also the division with remainder of the 2l-degree product polynomial by f (x) can be implemented in O(l log l) multiplications in F p [5]. In practice, for l less than approximately 70 these operations are implemented faster with the "schoolbook" and related algorithms, but for the asymptotic analysis we use the O(l log l) estimate anyway. This results in a total of O(l log l log p) field multiplications needed to compute x p (mod f (x)). The GCD of l-degree polynomials is computed with O(l log 2 l) field multiplications [5], and since log l < log p, the resulting complexity of solving f (x) = 0 is O(l log l log p).
The second most demanding operation in an l-isogenous hop is the verification of (10). A substitution y p−1 = (x 3 + Ax + B) (p−1)/2 allows the exponentiation to be performed in the univariate polynomial ring F p [x]/h 1 (x). Since the degree of h 1 (x) is (l − 1)/2, the binary exponentiation requires O(l log l log p) field multiplications. When several consecutive hops are done along the same isogeny degree l, the verification of (10) is needed only on the first hop. This is because when moving along a cycle, at the second and the subsequent hops we know where we came from.
Thus the running time of one hop between l-isogenous elliptic curves is To estimate the average running time of the action (7), we use the following approximations: h ≈ 0.46(−∆) 1/2 for the class number # CL(O ∆ ) [13]; l max ≈ log|∆| for the biggest prime in L (see Remark 1); ∆ = cp, where c is a constant (this follows from (5), Hasse's bound |t| ≤ 2 √ p, (6) and the fact that the conductor g is chosen to be small during the system parameter generation); l i ≈ 2i ln 2i for the value of the i-th prime in L; and d ≈
Now, using the Lenstra-Lenstra-Lovász (LLL) lattice basis reduction algorithm, we compute a short basis of Λ and store it in a matrix B Λ of column vectors. All the steps described above are needed only once and therefore can be done during the parameter choice or the pre-computation phase. This allows rejecting elliptic curves that require l max larger than approximately log|∆| (see Remark 1) or yield long vectors in B Λ . Practical experiments for ⌈log p⌉ = 224 and l max ≈ log|∆| show that the coordinates of vectors in B Λ are generally less than 50.
In order to implement the random sampling from CL, we construct a vector u ∈ Z d by choosing the coordinates Now φ( u) is a random element of CL, as the uniform distributions on the cyclic subgroups [l i ] , i ∈ J, give the uniform distribution on CL. Some of the coordinates of u will be large. For instance, if the class group is generated by an ideal l i , then u i is a random number between 0 and # CL −1. The following optimisation steps are aimed at computing an equivalent vector v ≡ u (mod Λ) which is faster than u in terms of its action on ELL.
We first find a lattice vector b ∈ Λ close to u and set w = u − b. The vector b can be found by Babai rounding [1] where ⌊·⌋ is the coordinate-wise floor function, and u is a column vector, or by any other algorithm for the closest lattice vector problem.
To further optimize w, we will need a d-dimensional row vector t = (t 1 , . . . , t d ), where each coordinate t i is the average time used to compute the action [l i ] * E. The row vector t can be obtained experimentally during the parameter choice phase. Now for a column vector v ∈ Z d , the approximate time needed to compute the action where |·| is the coordinate-wise absolute value function. We thus need to solve the following (mixed) integer linear program (ILP): The problem (12) can be solved by various ILP algorithms, e.g. the branch and bound algorithm, the simplex algorithm or a primitive search. Note that we do not require finding the optimal solution, as that can take a long time. Even a quick run of an ILP algorithm significantly improves the value of the objective function in (12). Moreover, in some applications, for instance when v is the private key in the encryption scheme PE (Fig. 4), it is beneficial to spend more time on the optimization of v during the pre-computation phase.
The random sampling from CL proposed in this section requires the pre-computation of the ideal class group structure and therefore cannot be used with large class groups. However, the group size threshold keeps increasing due to the development of computational resources and algorithms. The current class group computation record reported by Biasse [4] employs a 366-bit discriminant. This is enough for achieving the 112-bit security level, as discussed later in Sect. 7.
6.2. Pseudo-random sampling from large CL. We show how to implement the sampling operation without prior knowledge of the class group structure.
An algorithm for random sampling proposed by Srinivasan [41] outputs an ideal of a large norm. To further factor this ideal over the smooth factor base (2), techniques from index calculus algorithms for imaginary quadratic fields could be used as it is done by Galbraith et al. [19]. However this approach would have exponential running time and still yield an ideal representation which is slow in terms of its action on ELL p,n , as compared to optimized representations discussed in Sect. 6.1.
We propose to use a non-uniform probability distribution S on the set of elements of CL instead of the uniform distribution R. Note that in order to complete the proofs of Theorems 1 and 2 we have to additionally assume that R and S are computationally indistinguishable. Several authors, including Galbraith [18], Jao et al. [27] and Teske [44], construct samplings from CL that employ ideals with small split norms, in order to emulate the random sampling from CL. Below we propose a candidate probability distribution S that is constructed to optimize the speed of the CL action on ELL. How plausible it is that S is computationally indistinguishable from R is a difficult question that requires further analysis.
The probability distribution S is constructed as follows. For a fixed l max we use the notations ∆, d, l i and φ from Sect. 4.2. Let also h ≈ 0.46(−∆) 1/2 be an approximation for the class number # CL(O ∆ ). We then choose a set V ⊂ Z d such that #V = ch for a small c > 1, and the random sampling from V is easy to implement. For instance, if V is the set of vectors inside a d-dimensional box defined by non-negative integers v̄ i , 1 ≤ i ≤ d, then the random sampling from V can be achieved through d random samplings of the coordinates. We define S to be the probability distribution on CL induced by the uniform probability distribution on V and the map (4).
To construct the box V we start with a d-cube. Since for smaller primes l i the action [l i ] * E can be computed faster, we stretch the box V along the faster dimensions and squeeze it along the slower ones, so that the average time used for the computation along the i-th axis is the same for all the dimensions 1 ≤ i ≤ d. The values v̄ i in (13) can be computed using the timing vector t (see Sect. 6.1). This approach has an advantage against timing side-channel attacks, as the running time of the group action is almost the same for different randomly chosen vectors from V .

Security of ELL-based cryptographic schemes
In this section we discuss the plausibility of the DDHAP and the ES assumptions with respect to the cryptographic schemes based on the CL action on ELL_{p,n}.

7.1. Plausibility of the CL-DDHAP assumption. The DDHAP formulated for the CL action on ELL_{p,n} (CL-DDHAP) has not been considered in the literature. To the best of our knowledge, the most efficient approach is to solve the corresponding CL group action inverse problem (CL-GAIP).
Let us estimate the computational complexity of the CL-GAIP. Galbraith et al. proposed an algorithm for constructing isogenies between elliptic curves [19]. Stages 2 and 3 of this algorithm in particular solve the CL-GAIP, that is, find an ideal that maps a given elliptic curve to another given curve in the set ELL_{p,n}(O_K). The algorithm is based on Pollard's rho method [32] and requires approximately (πh)^{1/2} hops between l_i-isogenous curves, l_i ∈ L, h = # CL. We have estimated the running time of one hop by (11), so the average running time of the algorithm . After using the approximations for h, d and l_i as in Sect. 5 this becomes

    O(p^{1/4} (log^2 p) log log p)    (14)

multiplications in F_p. We do not count the O(p^{1/4+ε}) complexity of finding a short smooth representation of the resulting ideal.
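The estimate (14) as an added worked example in Python (not from the paper): with log p read as the bit length of p and all constants dropped, it computes the attack cost in bits for a given log p, searches for the smallest log p that reaches a target security level, and compares the result with the ⌈log p⌉ column of Table 1, whose rows it reproduces to within one bit.

```python
import math

# Rows of Table 1: (security level in bits, ceil(log2 p) in bits).
TABLE_1 = [(75, 224), (80, 244), (96, 304), (112, 364), (128, 428)]

def attack_bits(log_p):
    """log2 of the CL-GAIP cost estimate (14), p^{1/4} (log^2 p) log log p,
    with log p taken as the bit length log2 p and constants dropped."""
    return log_p / 4 + 2 * math.log2(log_p) + math.log2(math.log2(log_p))

def smallest_log_p(level):
    """Smallest bit length of p for which the estimate (14) reaches `level`.
    attack_bits is increasing in log_p, so a linear scan suffices."""
    log_p = 8
    while attack_bits(log_p) < level:
        log_p += 1
    return log_p

def table_deviation():
    """(level, log p, attack_bits(log p) - level) for each row of Table 1;
    the deviation shows how closely the constant-free estimate matches."""
    return [(lvl, lp, attack_bits(lp) - lvl) for lvl, lp in TABLE_1]

if __name__ == "__main__":
    for lvl, lp, dev in table_deviation():
        print(f"level {lvl:3d}: log p = {lp}, estimate off by {dev:+.2f} bits,"
              f" smallest log p reaching {lvl} bits = {smallest_log_p(lvl)}")
```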
In order to choose appropriate system parameters we use the cryptographic security levels defined by the European Network of Excellence in Cryptology II (ECRYPT2) [47]. Computational complexities of 80, 96, 112 and 128 bits are assumed to be infeasible during the next 4, 10, 20 and 30 years, respectively. The size of p is chosen such that the number of bits in (14) equals the corresponding security level recommendation. The resulting values of log p are listed in Table 1.

7.2. Solving the CL-GAIP with a quantum computer. Quantum computers allow one to solve certain computational problems with significantly greater efficiency than classical computers. An intriguing question is whether the CL-GAIP can be efficiently solved on a quantum computer.
Since the problem involves the action of the ideal class group CL of an imaginary quadratic field, we first review current advances in computations in CL. In the classical case, sub-exponential algorithms have been proposed for computing the structure of CL and for solving the discrete logarithm problem (DLP) in a cyclic subgroup of CL (see, for example, Jacobson [25,26]). Note, however, that these results do not imply sub-exponential complexity for the CL-GAIP, which remains exponential-time (14).
In the quantum case, a polynomial-time algorithm for computing the structure of CL has been described by Hallgren [23]. The ability of a quantum computer to solve the hidden subgroup problem is employed for computing the lattice of relations between generators of CL. Schmidt [36] has carefully described an implementation of Shor's algorithm for solving the DLP in a cyclic subgroup of CL and estimated the necessary quantum register size.
These classical and quantum computation results for problems in the ideal class group do not apply to the CL-GAIP. Indeed, the CL-GAIP is defined for elements of the set ELL_{p,n} that the group CL acts on. One is given the j-invariants of two elliptic curves E_x, E_y ∈ ELL_{p,n}, and the problem is to find an ideal r such that E_y = r * E_x. In order to reduce the CL-GAIP to a similar problem over C and look at the relationship between the corresponding complex lattices, one has to lift these elliptic curves to C, namely to solve the following problem.

Problem 3 (Coherent Lifting Problem). For given ordinary elliptic curves E_x/F_p, E_y/F_p with End(E_x) ≅ End(E_y) ≅ O_K, find complex lattices Λ_x, Λ_y such that there is a prime P | p of the Hilbert class field H of K for which

One can solve the coherent lifting problem by constructing H through the computation of the class polynomial H_∆ = ∏_{i=1}^{h} (X − j(τ_i)), where the complex numbers τ_i are obtained from the reduced representatives of the elements of CL. One then finds a prime P of H and reduces the values j(τ_i) modulo P. Since the degree of H_∆ is h = # CL, this approach requires time and space exponential in log h. In fact, the best way to solve the coherent lifting problem seems to be to solve the CL-GAIP first.

Now we will try to apply Shor's DLP algorithm [38] directly to the elements of ELL_{p,n}. The original algorithm relies on the following idea. Let y = x^r in a finite cyclic group, so that the DLP asks to compute r knowing x and y. The function f(a, b) = x^a y^b has (r, −1) as a period, since f(a, b) = f(a + r, b − 1). When f(a, b) is implemented in quantum gates, one can efficiently find the period by means of the quantum Fourier transform, thus obtaining r. Quantum computers use reversible computation, and implementing a deterministic function reversibly on a quantum computer requires as much space as it does time.
So it is essential for implementing Shor's algorithm that the periodic function is computable in polynomial time. For solving the CL-GAIP we try to construct a function f̃(a, b), similar to f(a, b), that takes imaginary quadratic ideals a and b. Even though it is possible to compute a * E_x and b * E_y, we do not know of any polynomial-time composition operation on the two resulting elliptic curves that would be suitable for this purpose. We leave it as an open question to find a polynomial-time periodic function on ELL_{p,n} whose period depends on r, where E_y = r * E_x.
It has recently been proposed to use quantum computers for solving the hidden shift problem. The problem asks, for a given finite group G, a finite set X and maps f, g : G → X such that g(a) = f(a + r) for all a ∈ G and a fixed shift r ∈ G, to find r. When applied to the CL-GAIP, these functions can be defined as g(a) = a * E_y and f(a) = a * E_x. Then r is a (multiplicative) shift because f(ar) = ar * E_x = a * E_y = g(a). However, polynomial-time quantum algorithms for the hidden shift problem have been described only for some special types of functions, namely the Legendre symbol [17] and several classes of bent functions, a type of Boolean function [35].

7.3. Plausibility of the ES assumption. The ES assumption about a hash function family H = {H_k : k ∈ K} concerns the hash function's ability to extract entropy from a "partially random" source. In the ELL-based PE scheme the hash function H_k(u) is applied to the elliptic curve u represented by its j-invariant. Since there are log p bits in the representation of a j-invariant as an element of F_p, but only h ≈ p^{1/2} elliptic curve isomorphism classes exist in ELL_{p,n}, the entropy of the random variable u is approximately (1/2) log p bits. Thus, on input u, the hash function H_k should output an almost uniformly distributed string of (1/2) log p bits. A similar problem appears, for example, when the Diffie-Hellman key agreement protocol is implemented in, say, a 160-bit multiplicative subgroup of a 1024-bit finite field. The shared secret output by the key agreement protocol needs to be transformed into secret keying material. A function that implements this transformation is called a key derivation function. The National Institute of Standards and Technology (NIST) defines two approved key derivation functions [46]. The length of the output keying material in these functions is adjustable.
The NIST key derivation functions are based on hash algorithms approved by NIST, namely the SHA-1 function and the SHA-2 family of hash functions. The applicability for key derivation is also a requirement for the upcoming SHA-3 family of hash functions. These facts suggest that it is indeed possible to construct an ES hash function family suitable for the ELL-based PE scheme.

Table 1. Average running time of one CL action on ELL_{p,n}.

    Security (bits)   ⌈log p⌉ (bits)   Time (seconds)
          75               224               19
          80               244               21
          96               304               56
         112               364               90
         128               428              229

Numerical experiments
In this section we report on a trial implementation of the arithmetic used in the proposed cryptographic schemes.
We have implemented the CL group action on ELL_{p,n} using the computer algebra system PARI/GP 2. The largest discriminant for which we could compute the class group structure using LiDIA was 226 bits long. This took approximately 3 hours and the process occupied 3 gigabytes of memory. This size of discriminant corresponds to 75 bits of security and we have included it in our results. The class group structure was employed in the random sampling as described in Sect. 6.1. In the top row of Table 1, Time is the average time used for one random sampling of v, followed by an optimization of v that lasts about 2 seconds and then the action φ(v) * E. Longer optimization runs generally yield better group action times, which is relevant when the optimized vector can be precomputed off-line. Table 1 shows the average time for one CL action on ELL_{p,n}. For security levels 80-128, the Time column is the average time for a sampling of v from V, as described in Sect. 6.2, followed by the action φ(v) * E.
The system parameters which were used for time measurements in Table 1 are listed in Appendix A.
We stress that the provided time estimates are valid for one class group action. For the PE scheme, an encryption requires two group actions that can be computed in parallel. Since modern processors often have several processing cores, the "wall clock" encryption time can be treated as one group action time. The decryption in the PE scheme takes one group action. In the three proposed KA protocols each party has to perform two consecutive group actions. However, the first action can be precomputed before the protocol starts.
Timings in Table 1 were obtained on an Ubuntu Linux 9.04 system with an Intel Core i7 920 processor clocked at 3.6 GHz. The implementation is single-threaded, so only one of the four processor cores was used at a time. Note that whereas PARI, NTL and GMP are libraries oriented towards fast computation, a customized implementation of the arithmetic may result in better speeds. For instance, the reduction modulo p can be implemented faster for p = 2^n ± a with small a, as compared to the generic long division algorithm used in GMP. Also, the polynomial multiplication and division operations can be efficiently parallelized [5].

Concluding remarks
Let us compare the proposed cryptographic schemes with the ones based on the ECDLP, namely the elliptic curve Diffie-Hellman key agreement scheme, the elliptic curve digital signature algorithm and others. For an elliptic curve over a field F_q, the ECDLP is usually considered in a cyclic subgroup of order approximately q. For the CL-GAIP, the cardinality of the set ELL_{p,n} is the class number h, and the elliptic curves are defined over F_p, where p ≈ h^2. We shall consider the ECDLP and the CL-GAIP of similar sizes q and h, respectively. First of all, we note that the system parameters for an ECDLP-based cryptographic scheme can be generated in time polynomial in log q, whereas a CL-GAIP-based cryptographic scheme requires time sub-exponential in log h for computing the class group structure. The second aspect is the cryptosystem running time. The average running time of one scalar multiplication on an elliptic curve is 10 log q [24], or O(log q) multiplications in F_q. For the CL action on ELL, the average running time is O(log^{3.7} h) multiplications in F_p, which is much slower than for the ECDLP-based schemes. The third aspect we consider is the computational complexity of the problems. The ECDLP complexity for a cryptographically strong elliptic curve is widely believed to be O(q^{1/2} log q) field operations. The computational complexity of the CL-GAIP is O(h^{1/2} (log^2 h) log log h) multiplications in F_p, i.e. the CL-GAIP has higher complexity than the ECDLP.
It is not yet clear whether the CL-GAIP can be efficiently solved on a quantum computer. Arguments against the applicability of some currently known quantum algorithms have been provided in Sect. 7.2. In case a quantum attack is discovered later, the proposed cryptographic schemes would seemingly become of theoretical interest only.
The encryption scheme and the key agreement protocols proposed in this paper use random sampling from the ideal class group CL. Since the implementation of the CL action on ELL_{p,n} employs short smooth ideal representations, efficient random sampling is only possible for class groups with known structure. This provides security levels of up to 112 bits, as of the 2009 class group computation records. Higher security levels are only achievable with a pseudo-random sampling, which has to offer good randomness characteristics. It should also be noted that when the class group structure is not pre-computed, the fact that all elements of CL can be represented and used in the cryptographic scheme depends on the GRH.

of work on this topic. Very useful comments were also received from the Advances in Mathematics of Communications journal's anonymous reviewers. The author is grateful to Dr. Steven Galbraith for his feedback on this paper and for suggesting the coherent lifting problem.