Hello everyone, my name is Pierrick Dartois, I'm a student of Luca De Feo, and today I will present our work on the security of OSIDH, financed by IBM Research. OSIDH is an isogeny-based protocol introduced by Leonardo Colò and David Kohel in 2019 to generalize CSIDH, but unlike CSIDH, OSIDH is more structured, and we exploited its structure to provide an attack improving an idea by Onuki. OSIDH uses a lot of mathematics due to Colò and Kohel that I will need to introduce first. Like CSIDH, OSIDH is based on a cryptographic group action, so I will explain what that is. Then we will see how this cryptographic group action is built in OSIDH, in order to explain how the protocol works. Finally, I will present our attack and possible countermeasures.

Let's introduce cryptographic group actions. The original idea was introduced by Brassard and Yung in 1991, and was used by Kohel in his paper constructing the first isogeny-based cryptosystem. Unsurprisingly, to have a cryptographic group action, we need a group and a space to act upon. The group has to be abelian, and the action needs to be transitive, meaning that we have a single orbit in this space: all space elements can be reached from any element of the space with the group action. It also needs to be faithful: only the trivial element acts trivially. The group action needs to be easy to compute for cryptographic needs. And finally, it needs to be one-way to ensure cryptographic security: if we know x and y in the space related by a secret group element g, then g is hard to find. We can do a lot of cryptography with cryptographic group actions, including one of the simplest primitives, key exchange. Actually, OSIDH is a Diffie-Hellman key exchange. To set up such a key exchange with a cryptographic group action, we fix a public space element x0. Alice and Bob separately choose secret group elements g and h.
They will act separately on x0 with their secrets and exchange the computed data g·x0 and h·x0. Then Alice and Bob will be able to recover the shared secret key gh·x0 by acting with their secret on the data they receive from one another. They find the same secret key because the group is abelian, and the protocol is secure because the group action is one-way.

Now let's see how the group action works. First, we need a group. That will be the ideal class group of an order in an imaginary quadratic field, so I will briefly recall what it is. An imaginary quadratic field is a field extension of degree 2 over Q that is not real. An order is a subring and a full-rank lattice in this field. If we fix an order O, we can look at O-ideals, which are simply lattices stable under multiplication by O. There is a commutative multiplication law on ideals with the order as neutral element. The set of invertible ideals for this law forms a group, and we have a subgroup formed by principal ideals, which are basically ideals generated by a scalar. The quotient of those groups is the ideal class group. It is finite, so it is suitable for cryptography.

Now that we have a group, what will be the space of the action? The space will be a set of elliptic curves, and the group action will use a correspondence between group elements, meaning ideal classes, and isogenies between those elliptic curves. So I will briefly recall those notions. Of course you know elliptic curves over finite fields. They are simply given by this polynomial equation in the plane and the point at infinity. Elliptic curves have a group structure given by the addition law described in the figure displayed here. This is why elliptic curves are used in discrete-logarithm-based cryptography. But here we do post-quantum cryptography, so we use isogenies, which are morphisms between elliptic curves, that is, morphisms between algebraic varieties given by rational functions, and also group homomorphisms.
I give here two simple examples: the multiplication map, which is an endomorphism, meaning an isogeny from an elliptic curve to itself, and over finite fields, the Frobenius, given by exponentiation by the characteristic. Endomorphisms are a special class of isogenies mapping an elliptic curve to itself, and for a given elliptic curve they form a ring. Over a finite field, this ring is either an order in an imaginary quadratic field, this is the ordinary case, or a maximal order in a quaternion algebra, this is the supersingular case. If you are not familiar with quaternions, you just have to keep in mind that those are non-commutative four-dimensional extensions of Q. Orders have the same definition that we introduced before, and maximal orders are simply maximal for inclusion. In isogeny-based cryptography, we often use supersingular elliptic curves for security and efficiency reasons.

Having recalled those basics, we can get to OSIDH. If we have a supersingular elliptic curve and an imaginary quadratic field K, we define a K-orientation as an embedding of K in the quaternion algebra made of linear combinations of endomorphisms with rational coefficients. If O is an order of K, we have a primitive O-orientation if O is the maximal order of K mapping into the endomorphism ring; put in other words, it maps onto the intersection of the image of K with the endomorphism ring. Actually, the space of the OSIDH group action by the ideal class group of an order O will be the space of O-oriented supersingular elliptic curves. Now, as promised, I explain how isogenies appear in this group action. If we have two K-oriented elliptic curves E and F, a K-oriented isogeny between those curves is simply an isogeny respecting the orientation, meaning following the formula displayed here. The degree appearing in this formula is roughly the cardinality of the kernel. We say that the isogeny is ascending if the order orienting E is smaller than the order orienting F,
that it is horizontal if both orders are equal, and that it is descending if the order orienting E is bigger than the order orienting F. We are not always in one of those cases, except when the isogeny has prime degree. Now we fix an imaginary quadratic field K and a prime ℓ, and we look at the graph whose vertices are K-oriented elliptic curves and whose edges are isogenies of degree ℓ. The graph is very interesting because every connected component has a volcano structure. In this connected component, for instance, we have the crater of the volcano, which is oriented by the maximal order of the field. At the crater, we have one horizontal isogeny and one descending isogeny. Otherwise, we always have one ascending isogeny and ℓ descending isogenies at each vertex, and the orientation by the order of index ℓ in the order above. Hence, the index is given by the degree when we descend the graph.

For the OSIDH group action, every level of the graph can be a potential space. But as we go down, we see that the size of the level grows exponentially, so we need to choose a level deep enough to make sure that the cryptosystem is secure. Once we have chosen a level and the corresponding order O, the ideal class group of O acts on this level as follows. To every O-ideal we associate a horizontal isogeny and take the codomain as the result of the action of this ideal on the domain. This correspondence indeed defines a group action because principal ideals correspond to endomorphisms, so that ideals in the same class act the same way; this is why we have an action of the ideal class group. And finally, multiplication of ideals corresponds to isogeny composition, and that is the reason why we indeed have the group action property. As Kohel and Onuki proved, this action is furthermore transitive and faithful. But is this action easy to compute and one-way, as required to have a cryptographic group action? To make OSIDH practical, we need to use the isogeny graphs that we just introduced.
Suppose that we use level n as the group action space, down here. Computing the group action directly in this space is almost impossible. Instead, if we want to compute the action of an ideal q, say, on E_n in this space, we represent E_n as a descending isogeny chain starting from the crater and going down to E_n, and we compute the action level by level, going down the chain, which is practical with modular equations. The result is a descending isogeny chain again, and its ending element is the action of q on E_n. For efficiency reasons, Colò and Kohel use this technique only with a bunch of prime ideals generating the ideal class group. Then they can compute the group action by a product of this bunch of ideals. This is called a restricted cryptographic group action. The situation is the same in CSIDH: we have a restricted cryptographic group action by an ideal class group, except that the level used in CSIDH in the isogeny graphs is way closer to the crater. Only the first level is used. In OSIDH, we have to go much deeper. This is what makes OSIDH much more vulnerable to security attacks than CSIDH.

Now, at last, we have what we need to introduce the protocol. Once we know the OSIDH framework, there is a naive Diffie-Hellman key exchange coming to mind. First, we fix a public descending ℓ-isogeny chain. We let Alice and Bob choose their secret ideals as products of generators q_j with exponents within a range r, and we let them act on the public chain with their secret ideals. They exchange the resulting chains of the computation and finally act on the exchanged chains with their respective secret ideals to find a shared secret chain H. Unfortunately, this is not secure. Colò and Kohel already knew it. Why? Because of the graph structure. Let's say that we want to recover Alice's secret ideal class. We know both chains E and F. It is easy to recover the secret ideal class relating them recursively.
First, finding the ideal class at level zero is trivial. And if we know the ideal class at level i, we have only ℓ possibilities for the ideal class at level i+1, because of this equation. So we simply have to test them all until we map E_{i+1} to F_{i+1}.

So how can we make OSIDH secure? First, remember that the chains that reveal all this information are not essential to the protocol; they are just computational tools. But Alice and Bob cannot just remove this information when they exchange data. The trick introduced by Colò and Kohel is to provide horizontal instead of vertical information. Alice and Bob perform the same protocol, but simply send to each other the action of the q_j in the neighborhood of the ending element they found, and not the whole chain. Nonetheless, is this sufficient to make OSIDH secure? The answer is no. Actually, the additional horizontal chains can be used to recover the descending chain kept secret in the key exchange, and as explained, this makes OSIDH vulnerable to key recovery. An idea introduced by Onuki is to leverage those chains to find a cycle in the isogeny graph or, put in other words, an endomorphism. To do that, we have to find a principal ideal that is easily expressed as a product of the q_j with short exponents, and then compute the action by such an ideal. As we saw when we introduced the group action, a principal ideal corresponds to an endomorphism or, put in other words, a cycle in the orbit of the ideal class group. Then, once we have such an endomorphism, we can actually recover the ascending isogeny relating levels n and n-1 in the chain. Technically, we compute the endomorphism we found on the ℓ-torsion to recover the kernel of the ascending isogeny, and once we have the kernel, we have the isogeny. So the attack works as follows. First, we leverage the horizontal chains to find a cycle. Then, we recover F_{n-1} with this cycle. This way, we can push the horizontal chains to level n-1.
This is an easy computation. And we find a cycle again. This is how we recover the whole chain, making OSIDH vulnerable again to the attack presented earlier. The difficult step in our attack is to find a principal ideal of the right form to be able to compute a cycle easily. Onuki struggled with this problem and did not provide a practical way to do it. Our main contribution is a solution to this problem. We noticed that all we have to do is to find a short enough vector in the relation lattice of the ideal class group, because such a vector will define a principal ideal, and if the exponents are short enough, we will be able to perform the group action. This way is actually more efficient than Onuki's, and breaks Colò and Kohel's parameters. The complex step in our approach is to find a short vector in the relation lattice. This is exponential but still practical with Colò and Kohel's parameters using BKZ. All the other steps are polynomial, mainly group actions, including the discrete logarithm computations needed to compute the relation lattice, because the ideal class group is smooth. But in practice, those polynomial operations are very slow compared to the lattice reduction, because group actions are very slow to compute. This is why there is no known implementation of OSIDH to this day. Nevertheless, we implemented the protocol and the attack with toy parameters. With those parameters, we found that the attack runs in a reasonable time compared to the protocol execution. As we explained, the bottom line is: if we make the protocol practical, then the attack becomes practical as well, because the bottleneck is not the exponential lattice reduction but the polynomial-time operations.

Can the attack be countered? Yes, because our lattice reduction relies on a strong hypothesis to work: we need to make sure that there are short enough vectors in the relation lattice to be able to compute a cycle.
Heuristically, the first minimum of this lattice for the infinity norm is given by the displayed formula. So under the reasonable assumption that the key space tightly covers the ideal class group, which is common with a restricted cryptographic group action, we get that the first minimum is short enough, because we have this formula. The question is: do we have efficient enough lattice reduction algorithms to find short vectors? This leads to our first countermeasure: make it hard to find short vectors by increasing the dimension of the lattice. The drawback is that it makes the protocol excessively costly and actually pointless, because it now relies on the lattice-based security assumption that SVP is hard. But why should we use a very inefficient key exchange relying on SVP if there are much more efficient lattice-based alternatives with the same or better security level? The second countermeasure increases the size of the ideal class group to make sure that there are no short enough vectors in the relation lattice, because this bound is no longer satisfied. However, it makes OSIDH no longer a cryptographic group action, impeding other cryptographic constructions beyond key exchange that could be very interesting. So to conclude, our attack severely undermines the relevance of OSIDH.
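As an added toy illustration (not code from the talk, nor from Colò and Kohel's OSIDH or the Dartois and De Feo attack), the ideal class group is replaced by the cyclic group Z/N, so that the discrete logarithms of the generators q_j are trivial; this makes the relation lattice and the pigeonhole argument behind the "key space covers the group implies short relations" hypothesis concrete. N, the generator residues and the exponent bound r are constructed values.

```python
from itertools import product

# Toy model: the class group is Z/N written additively, and generator q_j is
# the residue gens[j] (its discrete logarithm w.r.t. the generator 1 of Z/N).
# An exponent vector e corresponds to the "ideal" prod q_j^{e_j}, i.e. to
# sum e_j * gens[j] mod N; e is a relation (a principal ideal) iff that is 0.

def relation_lattice_basis(gens, N):
    """Basis of the relation lattice {e in Z^n : sum e_j*gens[j] = 0 mod N}.
    Requires gens[0] invertible mod N (assumption of this toy model)."""
    n = len(gens)
    inv0 = pow(gens[0], -1, N)
    basis = [[N] + [0] * (n - 1)]                 # N*e_1 is always a relation
    for j in range(1, n):
        row = [0] * n
        row[0] = (-gens[j] * inv0) % N            # e_j - (q_j / q_1) * e_1
        row[j] = 1
        basis.append(row)
    return basis

def is_relation(vec, gens, N):
    """True iff the exponent vector represents a principal ideal (trivial class)."""
    return sum(e * g for e, g in zip(vec, gens)) % N == 0

def short_relations_guaranteed(n, N, r):
    """Pigeonhole: (r+1)^n exponent vectors in [0,r]^n but only N classes, so
    if (r+1)^n > N some two collide and their difference is a nonzero relation
    of infinity norm at most r. This is the heuristic the attack relies on."""
    return (r + 1) ** n > N

def short_relation(gens, N, r):
    """Find a nonzero relation with exponents in [-r, r] by a collision search
    over the box [0, r]^n (exponential in n, fine for toy sizes). Returns None
    if no collision occurs in the box."""
    seen = {}
    for e in product(range(r + 1), repeat=len(gens)):
        x = sum(ei * g for ei, g in zip(e, gens)) % N
        if x in seen:
            return tuple(a - b for a, b in zip(e, seen[x]))
        seen[x] = e
    return None

if __name__ == "__main__":
    GENS, N, R = [2, 7, 13, 45], 101, 3           # constructed toy parameters
    print("basis:", relation_lattice_basis(GENS, N))
    print("guaranteed:", short_relations_guaranteed(len(GENS), N, R))
    print("short relation:", short_relation(GENS, N, R))
```

The second countermeasure from the talk corresponds, in this model, to increasing N until (r+1)^n is far below N, at which point the collision search returns nothing.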