A subexponential-time, polynomial quantum space algorithm for inverting the CM group action

1.1 Related work

Recent work by Bonnetain and Schrottenloher [3] makes a detailed analysis of the security of CSIDH, by assessing the effectivenes of using lattice reduction algorithms, in particular BKZ [19], for the evaluation of the action of the class group. Their emphasis is on practical attacks rather than theoretical analysis.

Independent work of Biasse et al. [1] describes a quantum algorithm to evaluate the action, also requiring subexponential time and polynomial quantum space. Moreover, [1] presents a further time-space tradeoff to evaluate the action using only polynomial classical space. Compared to their work, our work provides a more self-contained description of the quantum processing steps.

3.1 Restriction to the cyclic case

We assume the class group cl(𝓞) is cyclic. In general, the class group is not always cyclic, but heuristically it is cyclic in the vast majority of cases (97% of the time per Cohen-Lenstra [8]), and this case is easier to analyze. We conjecture that standard techniques such as [7, Appendix A] could be used to extend to the non-cyclic case.

3.2 Expander graphs

It is known [12, Theorem 3.2] that isogeny graphs for (isomorphism classes of) elliptic curves with complex multiplication by some imaginary quadratic order 𝓞_Δ where the edges are all isogenies with prime degree less than some fixed bound (log∣ Δ∣)^B are in fact expander graphs. The following well-known result about expander graphs then tells us about the distribution of elliptic curves chosen from this set by taking short random walks.

3.3 A BKW-like algorithm

Let n=log⁡N. The following two lemmas describe the iterative part of the BKW algorithm. The idea of both algorithms is to take as input a collection of uniformly chosen positive integers bounded by N ≈ 2ⁿ², and reduce the number of non-zero coefficients of their expression in base 2ⁿ.

4.1 Quantumly Instantiating the Action of cl(𝓞) in Polynomial Space

Since [4, Alg. 2] for computing the action of cl(𝓞) on 𝓔ℓℓ_p(𝓞) is not amenable to being instantiated quantumly, we present a modified algorithm here. While [4, Alg. 2] succeeds with probability 1 but has variable time, our algorithm has (tunable) fixed time but succeeds with (tunable) probability less than 1.

To begin, we give an algorithm for computing E_B = 𝔩^±1∗ E_A for prime ℓ. We emphasize that this (classical) algorithm is designed with translation to a quantum algorithm—rather than efficiency—in mind.

Algorithm 1 succeeds if and only if there is i^* ∈ {1, 2, …, r} such that

For uniformly random x, these conditions hold with probability 12 and ℓ−1ℓ, respectively, since E(𝔽_p) ≅ Z/4Z⊕⨁k=1tZ/ℓkZ. Thus the total probability that Algorithm 1 succeeds is 1−(ℓ+12ℓ)r. Later we shall choose a value of k so that our final quantum algorithm succeeds with sufficient probability.

Next we build upon Algorithm 1 to construct an algorithm which computes E_B = 𝔩^±e ∗ E_A for e ∈ ℕ. It is easy to see that Algorithm 2 succeeds with probability (1−(ℓ+12ℓ)r)e.

Finally, Algorithm 3 computes l1±e1l2±e2⋯lt±et∗EA.

Then P[Algorithm 2 succeeds] = ∏k=1t1−ℓk+12ℓkrek≥(1−(34)r)∥e∥1. From here we briefly describe how to instantiate this quantumly. First we describe the quantum instantiation of Algorithm 1. For brevity of notation we consider an input ∣s〉∣E_A〉∣0〉 which is not in superposition, but of course the algorithm extends linearly to superpositions. Before the quantum part of the algorithm begins, we sample x₁, x₂, … x_r ← U(𝔽_p) classically and include them as part of the initial state. We will use them in the quantum instantiation of all three algorithms.

1. In the notation of Algorithm 1, write (Qi)i=1r to a new register to obtain

   sEAx1,x2,…,xrQ1,Q2,…,Qr0

2. In the notation of Algorithm 1, define w_i = 1 if (xi3+Axi2+xip)=(−1)s and Q_i ≠ ∞, and w_i = 0 otherwise. Write w₁, w₂, … w_r to a new register to obtain

   sEAx1,x2,…,xrQ1,Q2,…,Qrw1,w2,…,wr0.

   This can be done by writing the results of each of the Boolean functions x3+Ax2+xp=(−1)s and [Q_i ≠ ∞] to new registers, applying a Toffoli gate from these registers onto another new register, and then uncomputing the results of the two Boolean functions.

3. Set aside a new 0-initialized register to contain c. For i = 1, 2, …, r apply Vélu’s formulas [21] conditioned on w_i = 1 and c = 0, and increment c conditioned on w_i = 1. Essentially, we look down the list of points until we find x_i^* which is “appropriate” (has w_i = 1) and, when we find the first appropriate point, we set a flag which indicates that we have computed 𝔩∗ E_A, and so we should not compute more. The resultant state is

   sEAx1,x2,…,xrQ1,Q2,…,Qrw1,w2,…,wrc^l∗EA0.

   where ĉ counts the number of w_i which are equal to 1.

4. Uncompute ĉ by subtracting 1 from it conditioned on w_i = 1, for i = r, r − 1, …, 1. Then uncompute (Qi)i=1r and (wi)i=1r by reversing the circuit of step (ii). Rearranging the registers, the final state is ∣s〉∣E_A〉∣𝔩∗ E_A〉∣x₁, x₂, …, x_r〉∣0〉, as required.

For fixed ℓ, call the algorithm above Qℓ(1). We shall use it is a subroutine in the quantum instantiation of Algorithm 2. For input ∣s〉∣e〉∣E_A〉∣x₁, x₂, …, x_r〉∣0〉:

1. Conditioned on register 2 being positive, apply Qℓ(1) to registers 1, 3, and 4 targetting a new register. Then decrement register 2, yielding

   se−1EAx1,x2,…,xrl(−1)s∗EA0

2. Swap registers 2 and 5, and conditioned on register 2 being positive, apply Qℓ(1) again to registers 1, 2, 3, and 4 targetting a new register. Decrement register 2 to obtain

   se−2|l∗(−1)sEA〉x1,x2,…,xrEA|l(−1)s2∗EA〉0.

3. Given a state ∣s〉∣e − z〉∣𝔩^{(−1)s(z−1)}∗ E_A〉∣x₁, x₂, …, x_r〉∣E_A〉∣𝔩^{(−1)sz∗ E_A}〉∣0〉 swap registers 3 and 6, and apply the Pauli X to register 1. This yields ∣1 − s〉∣e − z〉∣𝔩^(−1)sz〉∗ E_A∣x₁, x₂, …, x_r〉∣E_A〉∣𝔩^{(−1)s(z−1)}∗ E_A〉∣0〉. Apply Qℓ(1) to registers 1, 2, 3, and 4 targetting register 6 conditioned on register 2 being positive. Notice that the output of Qℓ(1) in this case is 𝔩^{(−1)s(z−1)} ∗ E_A since we are applying 𝔩^−(−1)s in this case. This effectively erases the contents of register 6. We can then apply Pauli X to register 1 again, and, conditioned on register 2 being positive, we apply Qℓ(1) and decrement register 2 to obtain ∣s〉∣e − (z + 1)〉∣𝔩^{(−1)sz∗ E_A}〉∣x₁, x₂, …, x_r〉∣E_A〉∣𝔩^(−1)s(z+1)〉∗ E_A∣0〉

4. Repeat step (iii) L − 2 times, where L ≥ e. The result is

   se−L|l(−1)s(e−1)∗EA〉x1,x2,…,xrEA|l(−1)se∗EA〉0

   Copy register 6 onto a new register to obtain

   se−L|l(−1)s(e−1)∗EA〉x1,x2,…,xrEA|l(−1)se∗EA〉|l(−1)se∗EA〉0.

   From here, we can simply reverse the iterations of step (iii) and steps (ii) and (i), erasing the anciliary registers. Rearranging registers yields

   seEA|l(−1)se∗EA〉x1,x2,…,xr0, as required.

For fixed 𝔩, call this algorithm Qℓ(L) To evaluate l1(−1)s1e1l2(−1)s2e2⋯lt(−1)stet∗EA, it suffices to apply each Qℓi(Li) in turn to the appropriate registers of

where L_i ≥ e_i. It is easy to see that this computes the correct value.

4.2 Constructing the States

In this subsection we show how to use the algorithms previously described to construct the states required to apply Kuperberg’s algorithm.

Given curves E = E_A : y² = x³ + Ax² + x and E′ = E_B : y² = x³ + Bx² + x where E_B = 𝔞∗ E_A, and 𝔞 = g^a, Kuperberg’s algorithm uses states of the form ψk:=120+exp2πiakN1 for k sampled uniformly at random from {0, 1, …, N − 1}.

Using the method described in Section 3 we can construct a table {(2j,v(j))∈N×Zt}j=1n with ∥v^(j)∥_∞ = 2^O(n) and [g2j]=[l1v1(j)l2v2(j)⋯ltvt(j)] for 1 ≤ j ≤ N. From this table, we construct the following quantum circuit, which converts from “cyclic notation” g^m to “prime decomposition notation” l1v1l2v2⋯ltvt:

where m = m_n ⋯ m₁m₀ is the bit decomposition of m, and v(m) satisfies [gm]=[l1v1(m)l2v2(m)⋯ltvt(m)]. This circuit can be implemented in polynomial space using standard techniques. Using this circuit and the one from Section 4.1, we can give a complete algorithm for constructing the states ∣ψ_k〉.

1. Construct the state Ψ0=(2N)−12∑m=0N−1m00+m10.

2. Apply C to the first and third registers above to obtain

   Ψ1=(2N)−12∑m=0N−1m0v(m)0+m1v(m)0.

3. Apply the gate ∣0, y〉 ↦ ∣0, y ⊕ E_B〉, ∣1, y〉 ↦ ∣1, y ⊕ E_A〉 to the second and fourth registers above to obtain

   Ψ2=(2N)−12∑m=0N−1m0v(m)EB0+m1v(m)EA0.

4. Apply the class group action gate to registers three, four, and five. If it is successful for each m, the resultant state is

   Ψ3=(2N)−12∑m=0N−1m0v(m)EB|l1v1(m)l2v2(m)⋯ltvt(m)∗EB〉0+m1v(m)EAl1v1(m)l2v2(m)⋯ltvt(m)∗EA〉0.

5. Measure the fifth register. This gives a curve E_C, and the state will collapse to

   Ψ4=2−12m0v(m)EB0+m+a1v(m+a)EA0,

   and a satisfies g^a∗ E_A = E_B.

6. Apply C again to uncompute the v-values, and discard the (now empty) third register to obtain ∣Ψ₅〉 = 2−12 (∣m〉∣0〉∣E_B〉∣0〉 + ∣m + a〉∣1〉∣E_A〉∣0〉) for unknown random m.

7. Apply the Quantum Fourier Transform over ℤ/Nℤ to the first register to obtain

   Ψ6=(2N)−12∑k=0N−1ωmkk0EB0+ω(m+a)kk1EA0,

   where ω=exp2πiN.

8. Measure the first register to get a uniformly random k and the state

   Ψ7=2−12ωmk0EB0+ωak1EA0.

9. Uncompute E_A and E_B using the gate from part (iii), and discard auxiliary qubits to yield

   2−12ωmk0+ωak1∝ψk,

   as required.

4.3 Using the States to Find the Hidden Shift

Now that we have a method to obtain states of the form ∣ψ_k〉 for uniformly random k, we can apply Regev’s sieve [16]^[1] to extract the states ∣ψ₁〉, ∣ψ₂〉, …, ∣ψ_2^m−1〉 where m = ⌈log₂N⌉. Unlike Kuperberg’s original algorithm [13], Regev’s sieve requires only polynomial quantum storage.

From here we proceed using [13, Remark 5.2]; we note that ⨂k=0m−1|ψ2k〉=2−m2∑y=02m−1ωayy and F_N ∣a〉 = N−12∑y=0N−1ωayy where F_N is the quantum Fourier transform. Since these states have inner product 2kN=Ω(1) and this inner product is preserved by the inverse Fourier transform, it follows that measuring FN†⨂j=0k−1ψ2j in the computational basis will yield a with probability ω(1).

4.4 Time and Space Analysis

We briefly explain the time and space analysis of the algorithms. The classical portions of the algorithm are:

1. Generating a subexponential number m of samples ∑i=1ta_ie_i = k, for small random e_i and known a_i = log_g 𝔩_i.

2. Using a BKW-like algorithm to find an expression ∑j=1ms_jk_j = 2^ℓ, with s_j subexponential and k_j from the given samples above. Its time and space complexity is O(23⌈log⁡N⌉)

As for the quantum portion, we have:

1. For a given ℓ, algorithm 1 runs in time O(rℓ log p) and uses quantum space O(r log p) = O(log^2.5N log p).

2. For Algorithm 2, we repeat Algorithm 12O(log⁡N) times. So this algorithm runs in time

   O(rℓmaxlog⁡p)2O(log⁡N)=2O(log⁡N)

   (for r, ℓ_max, log p = 2o(log⁡N)) and space O(log^2.5N log p).

3. For Algorithm 3, apply Algorithm 2t times. This requires time 2O(log⁡N)(for t=2o(log⁡N)) and space O(log^2.5N log p).

4. Each sample in Regev’s algorithm [16] invokes Algorithm 3 once, and so all our calls to Algorithm 3 take total time 2O(log⁡Nloglog⁡N). The space complexity is O(log3⁡Nlog⁡ploglog⁡N).