ISH: Isogeny-based Secret Handshakes with friendly communication costs

Abstract

Secret handshake schemes allow members from the same organization to authenticate each other anonymously. After its proposal, various schemes have been introduced to achieve advanced privacy protection. Regrettably, all the schemes based on number theoretic assumptions are insecure under quantum computers, and the known post-quantum designs are impractical because of the overhead cost ($>$ 10 MB). To fill the gap, we present the first isogeny-based secret handshake scheme (i.e., $\mathrm{ISH}$) with a friendly communication cost (67 KB). In particular, we apply the CSI-FiSh signature scheme to generate group keys and credentials. For each zero-knowledge transcript in the credential, we generate a signature for handshake via the Fiat–Shamir paradigm, while it fails anonymous authentication. To fix the issue, we modify the Fiat–Shamir-type signature by embedding the CSIDH ephemeral private key into the challenge space. After verifying the modified signatures, two users recover the right ephemeral private key if they are in the same group, then they can negotiate a session key and authenticate each other. Our scheme is proved secure under the Group Action Inverse Problems (GAIP) in the random oracle model, and deniability, as an attractive property, also holds for $\mathrm{ISH}$, enabling user’s ability to deny their interactions in the finished handshakes. Via choosing appropriate parameters, the communication cost surpasses all the existing post-quantum secret handshakes.