MT-GAIP: Multi-Target Group Action Inverse Problem
- MT-GAIP is defined as the inversion problem of finding a hidden group relation among multiple supersingular elliptic curves, extending the classical GAIP framework.
- It underpins the security of isogeny-based schemes like CSI-SDVS by ensuring strong unforgeability, non-transferability, and privacy through group action inversion.
- MT-GAIP also inspires orbit recovery in signal processing, where invariant statistics from transformed copies enable robust multi-target detection.
The Multi-Target Group Action Inverse Problem (MT-GAIP) is a multi-instance inversion problem for a group action. In the isogeny-based cryptographic setting of CSIDH and CSI-FiSh, it asks for a hidden class-group relation connecting some pair among several supersingular elliptic curves, and it functions as the explicit privacy assumption behind the isogeny-based strong designated verifier signature scheme (Renan, 20 Jul 2025). In a broader orbit-recovery usage, the same viewpoint treats MT-GAIP as recovery of an orbit representative from invariant statistics of many transformed copies under a group action, such as translations and rotations in multi-target detection (Bendory et al., 2021, Beinhorn et al., 14 Sep 2025).
1. Formal definition in the class-group action setting
In the CSIDH/CSI-FiSh framework, the algebraic environment is an order in an imaginary quadratic field, its ideal class group , and the set of -isomorphism classes of supersingular elliptic curves satisfying
The class group acts on through
via , where the subgroup
0
defines an isogeny with kernel 1. This action is free and transitive, hence a principal homogeneous action (Renan, 20 Jul 2025).
In the CSIDH-friendly case described for 2, 3 is cyclic with generator 4. Writing 5, every class is 6 for some 7, and the shorthand
8
is adopted (Renan, 20 Jul 2025).
Against this background, the single-target Group Action Inverse Problem (GAIP) asks: given curves 9 and 0 with endomorphism ring 1, find an ideal 2 such that
3
MT-GAIP generalizes this to several targets. Given supersingular elliptic curves 4 over 5 with 6 for all 7, the problem is to find an ideal 8 such that
9
Equivalently, in the abstract notation 0 and 1, one is given multiple targets 2 and must recover a nontrivial relation between two of them under the action of 3 (Renan, 20 Jul 2025).
The 4 instantiation fixes a prime
5
with small distinct odd primes 6 and 7, and uses the base supersingular curve
8
Its class number satisfies 9. Concretely, each public curve has the form 0 for an unknown exponent 1, and an MT-GAIP solver must detect indices 2 and a class 3 such that
4
or equivalently 5 (Renan, 20 Jul 2025).
2. Relation to GAIP and hardness assumptions
Conceptually, GAIP is a single-pair inversion problem, while MT-GAIP is a multi-target or multi-instance variant in which the adversary may succeed on any one of many possible pairs. In the class-group notation above, GAIP fixes one pair 6 and asks for 7 with 8; MT-GAIP receives 9 and asks for indices 0 and 1 with 2 (Renan, 20 Jul 2025).
A central point in the CSIDH-based setting is that MT-GAIP is not presented as a fundamentally stronger assumption than GAIP. The cited SeaSign analysis is summarized by the statement that MT-GAIP is tightly reducible to GAIP when the structure of the class group is known, which is the case when 3 is known and cyclic. In that regime, solving MT-GAIP efficiently implies an efficient solution to GAIP, and conversely, up to tight reductions. The role of MT-GAIP is therefore not to postulate extra asymptotic hardness, but to capture the natural security condition that arises when many group-action instances are simultaneously present (Renan, 20 Jul 2025).
The scheme parameters are chosen so that 4, while the number of targets 5, or effectively the coordinate count 6, is polynomial in 7. Within this parameterization, the best known classical algorithms for GAIP and MT-GAIP have complexity 8, reflecting square-root behavior typical of hidden-shift or group-action inversion problems. The best known quantum algorithms are described through Kuperberg’s hidden shift algorithm, which yields subexponential complexity; the paper further notes that concrete security analyses for this setting study the impact of those attacks on CSIDH parameter choices (Renan, 20 Jul 2025).
This relation between GAIP and MT-GAIP is directly reflected in the protocol structure. In 9, the signer public key, verifier public key, and ephemeral or simulated curves all live in the same action space: 0
1
2
and, in simulation,
3
From an adversarial viewpoint, these form a pool of curves of the form 4 for many unknown exponents 5, and MT-GAIP abstracts the difficulty of discovering any nontrivial action relation among them (Renan, 20 Jul 2025).
3. Role in 6 security
The isogeny-based strong designated verifier signature scheme 7 is built from the CSIDH ideal class group action and CSI-FiSh-style signature techniques, and its security claims are Strong Unforgeability under Chosen-Message Attacks (SUF-CMA), Non-Transferability (NT), and Privacy of Signer’s Identity (PSI), all in the random oracle model (Renan, 20 Jul 2025).
For SUF-CMA, the proof is phrased in the Hard Homogeneous Space model. A successful forger enables the simulator to solve the parallelization problem 8 given 9. In the concrete protocol, a valid forgery 0 on a message 1 satisfies
2
and for the correct forgery one can derive
3
Hence
4
Recovering 5 from the public curves 6 and 7 is a nontrivial instance of parallelization or vectorization in the same group action. The proof is therefore framed in HHS language, but the underlying hardness is again the same class-group inversion phenomenon captured by GAIP-type assumptions (Renan, 20 Jul 2025).
NT is established differently. The real-signature and simulated-signature experiments are shown to be identically distributed. In the real case, the signer samples 8 uniformly in 9, sets 0, and hashes curve coefficients corresponding to 1. In the simulation, the verifier samples 2 uniformly in 3, sets 4, and hashes curves of the form 5. In both distributions, each 6 is uniform over 7, each curve input to the hash is uniformly distributed in 8, and the hash output is a random oracle value. NT therefore relies on distributional equivalence rather than directly invoking MT-GAIP (Renan, 20 Jul 2025).
PSI is the property for which MT-GAIP is invoked explicitly. The PSI game uses two signers with secrets 9 and 0, one verifier with secret 1, both signer key pairs, and the verifier public key. The adversary receives a challenge signature produced by one of the two signers and must identify which signer generated it. A natural distinguishing strategy would be to compute
2
for each candidate signer 3 and then, if the verifier secret were known, derive
4
and test whether the corresponding hash value matches the challenge. The obstacle is that the adversary does not know 5 (Renan, 20 Jul 2025).
Without 6, the adversary only sees many curves of the form
7
together with
8
To succeed, it would need to compute, for the correct signer index 9,
00
or equivalently recover
01
That task is precisely the recovery of a hidden action relation among multiple observed curves. The theorem is therefore stated as: if MT-GAIP is hard, then 02 satisfies PSI security (Renan, 20 Jul 2025).
4. Multi-target structure, compactness, and protocol design
The “multi-target” qualifier is technically motivated by the protocol architecture. 03 employs vectors of size 04 in keys and signatures: 05
06
and signatures contain 07, while the hash input depends on 08 curves 09. The adversary thus observes many simultaneously related curves of the form 10, and MT-GAIP is the natural abstraction for exploiting any relation among them (Renan, 20 Jul 2025).
The same abstraction extends to a multi-key, multi-signature environment. Public curves arise from multiple signers, multiple verifiers, and multiple transcripts, so the relevant attack surface is a large pool of group-action instances rather than a single isolated inversion problem. PSI, in particular, compares two candidate signers simultaneously and turns anonymity into a question of identifying which signer’s public curves are related to the verifier’s curves through hidden exponents. The use of MT-GAIP therefore reflects protocol semantics rather than merely proof convenience (Renan, 20 Jul 2025).
This architecture is also tied to the compactness claim of the scheme. The class-group action permits a scalar-like representation of secrets, with
11
and curves represented by a single Montgomery coefficient 12. Since 13 and 14, the sizes are linear in 15: 16
17
18
The paper contrasts this with the typical 19 size behavior of existing post-quantum SDVS constructions based on lattices, where dimensions scale with 20 (Renan, 20 Jul 2025).
The concrete parameter choice follows CSI-FiSh and CSI-SharK by taking 21 for 128-bit security, balancing soundness, key size, and computation; larger values such as 22 are noted as a way to reduce statistical soundness error at linear size cost. On this basis, 23 is described as having both keys and signatures of size 24, as among the most compact PQC-based SDVS schemes, and as the only post-quantum secure construction based on isogenies (Renan, 20 Jul 2025).
5. Complexity-theoretic status and related problem variants
A complementary line of work studies GAIP-type problems as computational problems for effective group actions. In that framework, a group action 25 is required to support polynomial-time membership, equality, sampling, group operations, inversion, and action evaluation, while 26 has efficient membership testing and unique representation. For regular actions, the map 27, 28, is a bijection, and GAIP is the total search problem: given 29, find 30 such that
31
The paper also defines the Multiple Group Action Inverse Problem (mGAIP), in which one receives polynomially many pairs
32
and must find a single 33 satisfying
34
as well as the Pseudorandom Group Action Inverse Problem (pGAIP) and the orbit-membership decision problem dGAIP for non-transitive actions (D'Alconzo, 2022).
For regular effective actions, GAIP, mGAIP, and pGAIP are shown to be nonadaptively 35-random self-reducible. This yields a worst-case/average-case equivalence: solving a noticeable fraction of random instances suffices, via self-reduction, to solve arbitrary instances with high probability. The same work concludes that if GAIP, mGAIP, or pGAIP were NP-hard, then the Polynomial Hierarchy would collapse at the third level. For dGAIP, an interactive proof places the problem in 36, and since dGAIP is also in 37, it lies in 38; if dGAIP were NP-complete, then the Polynomial Hierarchy would collapse to the second level (D'Alconzo, 2022).
These results position GAIP-type assumptions as structurally similar to Graph Isomorphism and other NP-intermediate candidates rather than as NP-complete problems. Indeed, dGAIP subsumes orbit problems such as Graph Isomorphism, permutation code equivalence, deck checking, and Boolean isomorphism under suitable group actions (D'Alconzo, 2022).
That paper does not formally define the cryptographic MT-GAIP of the CSIDH literature. Instead, it introduces mGAIP, where many pairs share one hidden group element, and then describes a more general multi-target GAIP with independent secrets as a natural extension. The stated guidance is that the same random self-reduction ideas operate componentwise and that decision analogues would likely inherit similar 39 or 40 upper bounds. This suggests that multi-target GAIP variants should be viewed as parallel or multi-instance extensions of GAIP rather than as qualitatively different complexity classes (D'Alconzo, 2022).
6. Broader orbit-recovery interpretations in signal processing and inverse problems
Outside isogeny-based cryptography, group-action inversion appears in multi-target detection and related orbit-recovery models. In the two-dimensional detection model with rotations, the measurement is
41
where 42 is a single underlying target, 43 is its discretized rotation, 44 are i.i.d. uniform on 45, translations satisfy a separation condition, and the noise is i.i.d. Gaussian. This can be written as a group-action model with
46
acting by 47. In that paper’s terminology, “multi-target” means many occurrences of one target in the measurement rather than multiple distinct templates (Bendory et al., 2021).
The principal methodological move is to avoid estimating the individual group elements and instead estimate group-invariant statistics. The invariant features are rotationally and translationally averaged first-, second-, and third-order autocorrelations. In one dimension, the third-order invariant
48
determines 49 up to circular shift when the discrete Fourier coefficients are all nonzero. The empirical third-order autocorrelation of the measurement,
50
has expectation proportional to 51 up to explicit noise-bias terms, and its variance decays like
52
Thus, for fixed noise variance, density, and support size, the target is consistently estimable as the measurement size grows, without recovering the shifts or rotations of individual copies (Bendory et al., 2021).
In two dimensions, the analogous invariant is the discrete rotationally averaged third-order autocorrelation
53
and the reconstruction algorithm expands the target in a steerable Dirichlet eigenbasis
54
expresses the Fourier transform of 55 as a rotation-averaged bispectrum, and minimizes a nonconvex least-squares objective by BFGS. The 2D theory is not accompanied by a full identifiability theorem analogous to the 1D theorem, but noise-free and noisy experiments show accurate recovery from the invariant statistics (Bendory et al., 2021).
A subsequent moment-based line of work casts multi-target detection explicitly as recovery from low-order moments, again in a translation group-action model
56
or, in super-resolution form,
57
The order-58 autocorrelations 59 are homogeneous polynomials of degree 60 in the pixels of 61, and the inverse problem is formulated through the moment equations
62
The corresponding loss
63
defines a polynomial inverse problem whose conditioning deteriorates in high noise and in super-resolution settings (Beinhorn et al., 14 Sep 2025).
That work regularizes the invariant-matching problem with a score-based diffusion prior. The optimization target is
64
where the prior gradient is approximated by a score network 65. The proposed accelerated gradient scheme combines the moment gradient with an adaptively scaled score term. Empirically, the paper reports two main findings: diffusion priors substantially improve recovery from third-order moments, and they make the super-resolution multi-target detection problem feasible, while the underlying identifiability basis remains the earlier result that autocorrelations up to third order uniquely determine a generic two-dimensional target in the well-separated model (Beinhorn et al., 14 Sep 2025).
Taken together, these signal-processing papers suggest a broader use of the MT-GAIP viewpoint: a group action generates many transformed copies of an unknown object, low-order invariants are estimated directly from aggregate noisy data, and inversion proceeds by recovering the orbit representative rather than the individual nuisance transformations. In cryptography, MT-GAIP names a precise class-group inversion problem; in orbit recovery, it serves as a natural conceptual template for invariant-based reconstruction under group actions (Bendory et al., 2021, Beinhorn et al., 14 Sep 2025).