Quantum Cryptanalysis in the RAM Model: Claw-Finding Attacks on SIKE

Jaques, Samuel; Schanck, John M.

doi:10.1007/978-3-030-26948-7_2

Cited by 69 publications

(85 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The algorithm of [30] would yield an attack with time complexity the third root of the size of the graph we work over; this would imply a solution to Problem 1 or Problem 2 in timeÕ(p). However, Jaques and Schanck have shown that the data structures required by this algorithm adds significantly to its complexity, to the point where it does not in fact beat square-root algorithms (which have much lower quantum memory requirements) [31]; this suggests thatÕ(p 3/2 ) is (currently) the correct complexity estimate for our problems.…”

Section: Securitymentioning

confidence: 90%

Hash functions from superspecial genus-2 curves using Richelot isogenies

Castryck¹,

Decru²,

Smith

2020

Journal of Mathematical Cryptology

View full text Add to dashboard Cite

In 2018 Takashima proposed a version of Charles, Goren and Lauter’s hash function using Richelot isogenies, starting from a genus-2 curve that allows for all subsequent arithmetic to be performed over a quadratic finite field 𝔽p2. In 2019 Flynn and Ti pointed out that Takashima’s hash function is insecure due to the existence of small isogeny cycles. We revisit the construction and show that it can be repaired by imposing a simple restriction, which moreover clarifies the security analysis. The runtime of the resulting hash function is dominated by the extraction of 3 square roots for every block of 3 bits of the message, as compared to one square root per bit in the elliptic curve case; however in our setting the extractions can be parallelized and are done in a finite field whose bit size is reduced by a factor 3. Along the way we argue that the full supersingular isogeny graph is the wrong context in which to study higher-dimensional analogues of Charles, Goren and Lauter’s hash function, and advocate the use of the superspecial subgraph, which is the natural framework in which to view Takashima’s 𝔽p2-friendly starting curve.

show abstract

Section: Securitymentioning

confidence: 90%

Hash functions from superspecial genus-2 curves using Richelot isogenies

Castryck¹,

Decru²,

Smith

2020

Journal of Mathematical Cryptology

View full text Add to dashboard Cite

show abstract

“…The status report on the first round [9] noted that the basic security problem upon which SIKE is based is an area where further study would be useful. Towards the end of the first round, a series of papers [32,33] examined the relevant classical and black-box quantum attacks, resulting in confidence that existing parameter sets were providing more security than previously claimed. As a result, the SIKE team was able to lower the parameter sizes used in their second-round specification.…”

Section: Sikementioning

confidence: 99%

Status report on the second round of the NIST post-quantum cryptography standardization process

Moody¹,

Alagic²,

Apon³

et al. 2020

View full text Add to dashboard Cite

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.

show abstract

“…In the quantum paradigm, Tani's algorithm [37] would succeed in O(p g(g+1)/12 ), meaning we get the same asymptotic complexities for dimensions 2 and 3, and an asymptotic improvement for all g > 3. Moreover, Jaques and Schanck [28] suggest a significant gap between the asymptotic runtime of Tani's algorithm and its actual efficacy in any meaningful model of quantum computation. On the other hand, the bottleneck of the quantum attack forecasted above is a relatively straightforward invocation of Grover search, and the gap between its asymptotic and concrete complexities is likely to be much closer.…”

Section: Cryptographic Implicationsmentioning

confidence: 99%

The Supersingular Isogeny Problem in Genus 2 and Beyond

Costello

Smith

2020

Post-Quantum Cryptography

View full text Add to dashboard Cite

Let A/Fp and A ′ /Fp be superspecial principally polarized abelian varieties of dimension g > 1. For any prime ℓ = p, we give an algorithm that finds a path φ : A → A ′ in the (ℓ, . . . , ℓ)-isogeny graph in O(p g−1 ) group operations on a classical computer, and O( p g−1 ) calls to the Grover oracle on a quantum computer. The idea is to find paths from A and A ′ to nodes that correspond to products of lower dimensional abelian varieties, and to recurse down in dimension until an elliptic path-finding algorithm (such as Delfs-Galbraith) can be invoked to connect the paths in dimension g = 1. In the general case where A and A ′ are any two nodes in the graph, this algorithm presents an asymptotic improvement over all of the algorithms in the current literature. In the special case where A and A ′ are a known and relatively small number of steps away from each other (as is the case in higher dimensional analogues of SIDH), it gives an asymptotic improvement over the quantum claw finding algorithms and an asymptotic improvement over the classical van Oorschot-Wiener algorithm.

show abstract

Quantum Cryptanalysis in the RAM Model: Claw-Finding Attacks on SIKE

Cited by 69 publications

References 36 publications

Hash functions from superspecial genus-2 curves using Richelot isogenies

Hash functions from superspecial genus-2 curves using Richelot isogenies

Status report on the second round of the NIST post-quantum cryptography standardization process

The Supersingular Isogeny Problem in Genus 2 and Beyond

Contact Info

Product

Resources

About