CryptoDB
A Direct Key Recovery Attack on SIDH
Authors: | Luciano Maino, Chloe Martindale, Lorenz Panny, Giacomo Pope, Benjamin Wesolowski |
---|---|
Presentation: | Slides |
Conference: | EUROCRYPT 2023 |
Award: | Best Paper Honorable Mention |
Abstract: | We present an attack on SIDH utilising isogenies between polarized products of two supersingular elliptic curves. In the case of arbitrary starting curve, our attack (discovered independently from [8]) has subexponential complexity, thus significantly reducing the security of SIDH and SIKE. When the endomorphism ring of the starting curve is known, our attack (here derived from [8]) has polynomial-time complexity assuming the generalised Riemann hypothesis. Our attack applies to any isogeny-based cryptosystem that publishes the images of points under the secret isogeny, for example Séta [13] and B-SIDH [11]. It does not apply to CSIDH [9], CSI-FiSh [3], or SQISign [14]. |
BibTeX
@inproceedings{eurocrypt-2023-33024,
  title={A Direct Key Recovery Attack on SIDH},
  publisher={Springer-Verlag},
  author={Luciano Maino and Chloe Martindale and Lorenz Panny and Giacomo Pope and Benjamin Wesolowski},
  year=2023
}