International Association for Cryptologic Research

International Association
for Cryptologic Research


A Direct Key Recovery Attack on SIDH

Luciano Maino , University of Bristol
Chloe Martindale , University of Bristol
Lorenz Panny , Academia Sinica
Giacomo Pope , NCC Group, University of Bristol
Benjamin Wesolowski , Univ. Bordeaux and ENS de Lyon, CNRS, INRIA
Search ePrint
Search Google
Presentation: Slides
Conference: EUROCRYPT 2023
Award: Best Paper Honorable Mention
Abstract: We present an attack on SIDH utilising isogenies between polarized products of two supersingular elliptic curves. In the case of arbitrary starting curve, our attack (discovered independently from [8]) has subexponential complexity, thus significantly reducing the security of SIDH and SIKE. When the endomorphism ring of the starting curve is known, our attack (here derived from [8]) has polynomial-time complexity assuming the generalised Riemann hypothesis. Our attack applies to any isogeny-based cryptosystem that publishes the images of points under the secret isogeny, for example S├ęta [13] and B-SIDH [11]. It does not apply to CSIDH [9], CSI-FiSh [3], or SQISign [14].
  title={A Direct Key Recovery Attack on SIDH},
  author={Luciano Maino and Chloe Martindale and Lorenz Panny and Giacomo Pope and Benjamin Wesolowski},