International Association for Cryptologic Research

CryptoDB

M-SIDH and MD-SIDH: countering SIDH attacks by masking information

Authors:
Tako Boris Fouotsa, EPFL
Tomoki Moriya, Tokyo University
Christophe Petit, Université libre de Bruxelles and University of Birmingham
Download:
DOI: 10.1007/978-3-031-30589-4_10 (login may be required)
Presentation: Slides
Conference: EUROCRYPT 2023
Abstract: The SIDH protocol is an isogeny-based key exchange protocol using supersingular isogenies, designed by Jao and De Feo in 2011. The protocol underlies the SIKE algorithm which advanced to the fourth round of NIST's post-quantum standardization project in May 2022. The algorithm was considered very promising: indeed the most significant attacks against SIDH were meet-in-the-middle variants with exponential complexity, and torsion point attacks which only applied to unbalanced parameters (and in particular, not to SIKE). This security picture dramatically changed in August 2022 with new attacks by Castryck-Decru, Maino-Martindale and Robert. Like prior attacks on unbalanced versions, these new attacks exploit torsion point information provided in the SIDH protocol. Crucially however, the new attacks embed the isogeny problem into a similar isogeny problem in higher dimension to also affect the balanced parameters. As a result of these works, the SIKE algorithm is now fully broken both in theory and in practice. Given the considerable interest attracted by SIKE and related protocols in recent years, it is natural to seek countermeasures to the new attacks. In this paper, we introduce two such countermeasures based on partially hiding the isogeny degrees and torsion point information in the SIDH protocol. We present a preliminary analysis of the resulting schemes including non-trivial generalizations of prior attacks. Based on this analysis we suggest parameters for our M-SIDH variant with public key sizes of 4434, 7037 and 9750 bytes respectively for $\lambda=128$, 192 and 256 bits of security.
BibTeX
@inproceedings{eurocrypt-2023-32956,
  title={M-SIDH and MD-SIDH: countering SIDH attacks by masking information},
  publisher={Springer-Verlag},
  doi={10.1007/978-3-031-30589-4_10},
  author={Tako Boris Fouotsa and Tomoki Moriya and Christophe Petit},
  year=2023
}