International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Improved torsion-point attacks on SIDH variants

Authors:
Victoria de Quehen , ISARA Corporation, Waterloo
Peter Kutas , University of Birmingham
Chris Leonardi , ISARA Corporation, Waterloo
Chloe Martindale , University of Bristol
Lorenz Panny , Academia Sinica
Christophe Petit , Universite libre de Bruxelles and University of Birmingham
Katherine E. Stange , University of Colorado Boulder
Download:
DOI: 10.1007/978-3-030-84252-9_15 (login may be required)
Search ePrint
Search Google
Presentation: Slides
Conference: CRYPTO 2021
Abstract: SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of finding isogenies between supersingular elliptic curves. However, SIDH and related cryptosystems also reveal additional information: the restriction of a secret isogeny to a subgroup of the curve (torsion-point information). Petit [31] was the first to demonstrate that torsion-point information could noticeably lower the difficulty of finding secret isogenies. In particular, Petit showed that "overstretched'' parameterizations of SIDH could be broken in polynomial time. However, this did not impact the security of any cryptosystems proposed in the literature. The contribution of this paper is twofold: First, we strengthen the techniques of [31] by exploiting additional information coming from a dual and a Frobenius isogeny. This extends the impact of torsion-point attacks considerably. In particular, our techniques yield a classical attack that completely breaks the $n$-party group key exchange of [2], first introduced as GSIDH in [17], for 6 parties or more, and a quantum attack for 3 parties or more that improves on the best known asymptotic complexity. We also provide a Magma implementation of our attack for 6 parties. We give the full range of parameters for which our attacks apply. Second, we construct SIDH variants designed to be weak against our attacks; this includes backdoor choices of starting curve, as well as backdoor choices of base-field prime. We stress that our results do not degrade the security of, or reveal any weakness in, the NIST submission SIKE [20].
Video from CRYPTO 2021
BibTeX
@inproceedings{crypto-2021-31218,
  title={Improved torsion-point attacks on SIDH variants},
  publisher={Springer-Verlag},
  doi={10.1007/978-3-030-84252-9_15},
  author={Victoria de Quehen and Peter Kutas and Chris Leonardi and Chloe Martindale and Lorenz Panny and Christophe Petit and Katherine E. Stange},
  year=2021
}