A Direct Key Recovery Attack on SIDH

Maino, Luciano; Martindale, Chloe; Panny, Lorenz; Pope, Giacomo; Wesolowski, Benjamin

doi:10.1007/978-3-031-30589-4_16

Cited by 47 publications

(7 citation statements)

References 25 publications

(48 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that one loses precision every time one divides by , so that one's precision limits the number of steps one can take. A situation where one may be provided with such an endomorphism is the situation of the cryptographic SIDH problem (the subject of recent attacks [7,40]), where an unknown isogeny ϕ : E → E init to a starting curve gives rise to various endomorphisms ϕθϕ for θ ∈ End(E init ) whose action on certain torsion groups is known.…”

Section: Definition 46mentioning

confidence: 99%

“…In fact, it is known that the path-finding and endomorphism ring problems are equivalent [25,61]. These are the central problems in isogeny based cryptography, despite the recent complete break of SIDH/SIKE [7,40,45]. The hardness of these problems is in no way affected by the attack, and they form the basis of the CGL hash function [10] and CSIDH [8], among others.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Orienteering with One Endomorphism

et al. 2023

View full text Add to dashboard Cite

In supersingular isogeny-based cryptography, the path-finding problem reduces to the endomorphism ring problem. Can path-finding be reduced to knowing just one endomorphism? It is known that a small degree endomorphism enables polynomial-time path-finding and endomorphism ring computation (in: Love and Boneh, ANTS XIV-Proceedings of the Fourteenth Algorithmic Number Theory Symposium, volume 4 of Open Book Ser. Math. Sci. Publ., Berkeley, 2020). An endomorphism gives an explicit orientation of a supersingular elliptic curve. In this paper, we use the volcano structure of the oriented supersingular isogeny graph to take ascending/descending/horizontal steps on the graph and deduce path-finding algorithms to an initial curve. Each altitude of the volcano corresponds to a unique quadratic order, called the primitive order. We introduce a new hard problem of computing the primitive order given an arbitrary endomorphism on the curve, and we also provide a sub-exponential quantum algorithm for solving it. In concurrent work (in: Wesolowski, Advances in cryptology-EUROCRYPT 2022, volume 13277 of Lecture Notes in Computer Science. Springer, Cham, 2022), it was shown that the endomorphism ring problem in the presence of one endomorphism with known primitive order reduces to a vectorization problem, implying path-finding algorithms. Our path-finding algorithms are more general in the sense that we don’t assume the knowledge of the primitive order associated with the endomorphism.

show abstract

Section: Definition 46mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Orienteering with One Endomorphism

et al. 2023

View full text Add to dashboard Cite

show abstract

“…If the endomorphism ring of the curve E given as input is known, there exists a polynomial-time algorithm that allows one to compute ℓ-isogenies without using the arithmetic on extension fields [37]: an attacker could extend (ℓ, π k ± 1) to a fractional ideal I ± in the maximal order End(E 0 ). Then, computing an isogeny associated with I ± has complexity O(poly(log p + C)), where C is the bit-size of the representation of End(E 0 ) [36, Propositon 5].…”

Section: Curves With Unknown Endomorphism Ringmentioning

confidence: 99%

“…Kani's criterion determines whether isogenies originating from elliptic products have split codomain. In our case, this criterion is leveraged in a constructive manner, in contrast to previous attacks [14,37,43] against the Supersingular Isogeny Diffie-Hellman key exchange protocol (SIDH) [24] and its instantiation SIKE [2]. While there have been other attempts to build quantum-resistant VDFs [17,47], to the best of our knowledge, this is the first instance where a quantum-resistant VDF has been constructed without relying on SNARG.…”

Section: Introductionmentioning

confidence: 99%

Towards a Quantum-Resistant Weak Verifiable Delay Function

Decru,

Maino,

Sanso

2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

In this paper, we present a new quantum-resistant weak Verifiable Delay Function based on a purely algebraic construction. Its delay depends on computing a large-degree isogeny between elliptic curves, whereas its verification relies on the computation of isogenies between products of two elliptic curves. One of its major advantages is its expected fast verification time. However, it is important to note that the practical implementation of our theoretical framework poses significant challenges. We examine the strengths and weaknesses of our construction, analyze its security and provide a proof-of-concept implementation.

show abstract

“…In July 2022, Castryck and Decru [7] described devastating attacks on SIDH that recovered the secret key in SIDH and SIKE, instantiated with the NIST parameters, in a few hours. The attacks were also developed in a concurrent work by Maino and Martindale [26]. Various follow-up works by other authors quickly improved the practical runtime time to minutes and seconds, and clarified the asymptotic complexities.…”

Section: Introductionmentioning

confidence: 99%

M-SIDH and MD-SIDH: Countering SIDH Attacks by Masking Information

Fouotsa¹,

Moriya²,

Petit³

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The SIDH protocol is an isogeny-based key exchange protocol using supersingular isogenies, designed by Jao and De Feo in 2011. The protocol underlies the SIKE algorithm which advanced to the fourth round of NIST's post-quantum standardization project in May 2022. The algorithm was considered very promising: indeed the most significant attacks against SIDH were meet-in-the-middle variants with exponential complexity, and torsion point attacks which only applied to unbalanced parameters (and in particular, not to SIKE). This security picture dramatically changed in August 2022 with new attacks by Castryck-Decru, Maino-Martindale and Robert. Like prior attacks on unbalanced versions, these new attacks exploit torsion point information provided in the SIDH protocol. Crucially however, the new attacks embed the isogeny problem into a similar isogeny problem in a higher dimension to also affect the balanced parameters. As a result of these works, the SIKE algorithm is now fully broken both in theory and in practice. Given the considerable interest attracted by SIKE and related protocols in recent years, it is natural to seek countermeasures to the new attacks. In this paper, we introduce two such countermeasures based on partially hiding the isogeny degrees and torsion point information in the SIDH protocol. We present a preliminary analysis of the resulting schemes including non-trivial generalizations of prior attacks. Based on this analysis we suggest parameters for our M-SIDH variant with public key sizes of 4434, 7037 and 9750 bytes respectively for NIST security levels 1, 3, 5.

show abstract

A Direct Key Recovery Attack on SIDH

Cited by 47 publications

References 25 publications

Orienteering with One Endomorphism

Orienteering with One Endomorphism

Towards a Quantum-Resistant Weak Verifiable Delay Function

M-SIDH and MD-SIDH: Countering SIDH Attacks by Masking Information

Contact Info

Product

Resources

About