Quantum Cost Models for Cryptanalysis of Isogenies
Date
2019-05-01
Authors
Jaques, Samuel
Advisor
Menezes, Alfred
Mosca, Michele
Publisher
University of Waterloo
Abstract
Isogeny-based cryptography uses keys large enough to resist a far-future attack from
Tani’s algorithm, a quantum random walk on Johnson graphs. The key size is based on an
analysis in the query model. Queries do not reflect the full cost of an algorithm, and this
thesis considers other cost models. These models fit in a memory peripheral framework,
which focuses on the classical control costs of a quantum computer. Rather than queries,
we use the costs of individual gates, error correction, and latency. Primarily, these costs
make quantum memory access expensive and thus Tani’s memory-intensive algorithm is
no longer the best attack against isogeny-based cryptography. A classical algorithm due to
van Oorschot and Wiener can be faster and cheaper, depending on the model used and the
availability of time and hardware. This means that isogeny-based cryptography is more
secure than previously thought.
Keywords
quantum computation, cryptanalysis, isogenies