Cryptanalysis of an Oblivious PRF from Supersingular Isogenies

Basso, Andrea; Kutas, Péter; Merz, Simon-Philipp; Petit, Christophe; Sanso, Antonio

doi:10.1007/978-3-030-92062-3_6

Cited by 17 publications

(13 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These attacks require large torsion point information which is not normally available in an SIDH instance; the first step of the attack will collect this information through adaptive queries. One can also note that the shifted endomorphism attacks of Section 5 typically assume knowledge of the exact images of points through the secret isogeny, but [4] showed that knowing these images up to a common scalar multiple is enough.…”

Section: Another Adaptive Attackmentioning

confidence: 99%

“…This provides a polynomial-time method whenever B > pA. However, heuristics show that a solution should exist for a much wider variety of parameters for example when p ≈ AB and B > A 4 , but finding such a solution is still an important open problem. Why would an algorithm to compute these solutions be interesting?…”

Section: The Dual Isogeny and The Frobenius Attackmentioning

confidence: 99%

“…The condition for the existence of such a curve is B > A 2 , so in particular it is independent of p. The above polynomial time attack still requires unbalanced SIDH parameters, but non-polynomial time generalizations can be faster than meet-in-the-middle algorithms for balanced SIDH parameters [18]. An application of this idea can be found in [4] where they analyze the security of a recently proposed oblivious pseudorandom function [7]. They show that in order to avoid backdoor attacks (or failures of the security proof) it is advisable to use a trusted party to generate a random starting curve.…”

Section: Backdoor Attacksmentioning

confidence: 99%

See 2 more Smart Citations

Torsion point attacks on ‘SIDH‐like’ cryptosystems

Kutas

Petit

2022

IET Information Security

Self Cite

View full text Add to dashboard Cite

Isogeny-based cryptography is a promising approach for postquantum cryptography. The best-known protocol following that approach is the supersingular isogeny Diffie-Hellman protocol (SIDH); this protocol was turned into the CCA-secure key encapsulation mechanism SIKE, which was submitted to and remains in the third round of NIST's post-quantum standardization process as an "alternate" candidate. Isogeny-based cryptography generally relies on the conjectured hardness of computing an isogeny between two isogenous elliptic curves, and most cryptanalytic work referenced on SIKE's webpage exclusively focuses on that problem. Interestingly, the hardness of this problem is sufficient for neither SIDH nor SIKE. In particular, these protocols reveal additional information on the secret isogeny, in the form of images of specific torsion points through the isogeny. This paper surveys existing cryptanalysis approaches exploiting this often called "torsion point information", summarizes their current impact on SIKE and related algorithms, and suggests some research directions that might lead to further impact.

show abstract

Section: Another Adaptive Attackmentioning

confidence: 99%

Section: The Dual Isogeny and The Frobenius Attackmentioning

confidence: 99%

Section: Backdoor Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Torsion point attacks on ‘SIDH‐like’ cryptosystems

Kutas

Petit

2022

IET Information Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…Any three of the singular points in K sing already define a hyperplane H, and it turns out that this hyperplane must pass through exactly 6 of the nodes. These hyperplanes, known as the tropes of the Kummer, are classical objects of study; there are sixteen of them, and the incidence structure formed by the intersections of tropes and nodes is a (16,6)-configuration [33, §26].…”

Section: Constructing Curves On the Kummer Surfacementioning

confidence: 99%

“…Further, it would circumvent the trusted setup in an isogeny-based verifiable delay function [21], in delay encryption [12] and in an SIDH-based oblivious pseudorandom function [8]. For the latter, the necessity of the trusted setup was pointed out by [6].…”

Section: Introductionmentioning

confidence: 99%

Failing to hash into supersingular isogeny graphs

Booher¹,

Bowden²,

Doliskani³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves," that is, concrete supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. Or, even better, to produce a hash function to the vertices of the supersingular -isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hopes that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) root-finding for certain gcd's of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.

show abstract

Séta: Supersingular Encryption from Torsion Attacks

Feo

Guilhem

Fouotsa

et al. 2021

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We present Séta, 11 a new family of public-key encryption schemes with post-quantum security based on isogenies of supersingular elliptic curves. It is constructed from a new family of trapdoor one-way functions, where the inversion algorithm uses Petit's so called torsion attacks on SIDH to compute an isogeny between supersingular elliptic curves given an endomorphism of the starting curve and images of torsion points. We prove the OW-CPA security of Séta and present an IND-CCA variant using the post-quantum OAEP transformation. Several variants for key generation are explored together with their impact on the selection of parameters, such as the base prime of the scheme. We furthermore formalise an "uber" isogeny assumption framework which aims to generalize computational isogeny problems encountered in schemes including SIDH, CSDIH, OSIDH and ours. Finally, we carefully select parameters to achieve a balance between security and run-times and present experimental results from our implementation.

show abstract

Cryptanalysis of an Oblivious PRF from Supersingular Isogenies

Cited by 17 publications

References 25 publications

Torsion point attacks on ‘SIDH‐like’ cryptosystems

Torsion point attacks on ‘SIDH‐like’ cryptosystems

Failing to hash into supersingular isogeny graphs

Séta: Supersingular Encryption from Torsion Attacks

Contact Info

Product

Resources

About