Improved Torsion-Point Attacks on SIDH Variants

@inproceedings{Quehen2021ImprovedTA,
  title={Improved Torsion-Point Attacks on SIDH Variants},
  author={Victoria de Quehen and P{\'e}ter Kutas and Christopher Leonardi and Chloe Martindale and Lorenz Panny and Christophe Petit and Katherine E. Stange},
  booktitle={CRYPTO},
  year={2021}
}
SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of finding isogenies between supersingular elliptic curves. However, SIDH and related cryptosystems also reveal additional information: the restriction of a secret isogeny to a subgroup of the curve (torsion point information). Petit [28] was the first to demonstrate that torsion point information could noticeably lower the difficulty of finding secret isogenies. In particular, Petit showed that "overstretched… 
Torsion point attacks on “SIDH-like” cryptosystems
TLDR
Existing cryptanalysis approaches exploiting the isogeny, often called “torsion point information”, are surveyed, their current impact on SIKE and related algorithms is summarized, and some research directions that might lead to further impact are suggested.
Cryptanalysis of an oblivious PRF from supersingular isogenies
TLDR
The SIDH-based oblivious pseudorandom function from supersingular isogenies proposed at Asiacrypt’20 is cryptanalysed, it is argued that it is easy to change the OPRF protocol to include some countermeasures, and a second subexponential attack that succeeds in the presence of said countermeasures is presented.
Towards Post-Quantum Updatable Public-Key Encryption via Supersingular Isogenies
TLDR
This work formalizes two UPKE variants presented in the literature as Symmetric and Asymmetric Updatable Public-Key Encryption, and describes a SIDH-based Symmetric UPKE construction that can be instantiated using a parameter set in which the class group structure is fully known to ensure efficient uniform sampling and canonical representation to prevent leakage of secret keys.
SÉTA: Supersingular Encryption from Torsion Attacks
TLDR
SÉTA, a new family of public-key encryption schemes with post-quantum security based on isogenies of supersingular elliptic curves, is presented and makes use of generic transformations to obtain IND-CCA security in the quantum random oracle model, both for a PKE scheme and a KEM.
An Effective Lower Bound on the Number of Orientable Supersingular Elliptic Curves
  • Antonin Leroux
  • Mathematics, Computer Science
    IACR Cryptol. ePrint Arch.
  • 2022
TLDR
A generic lower bound on the number of O-orientable supersingular curves over F_{p^2} is proved and provides a complexity estimate for the brute-force attack against the new O-uber isogeny problem introduced by De Feo, Delpech de Saint Guilhem, Fouotsa, Kutas, Leroux, Petit, Silva and Wesolowski.
Failing to hash into supersingular isogeny graphs
TLDR
A number of failed attempts to solve the supersingular isogeny-based cryptography problem are documented in the hopes that they may spur further research, and shed light on the challenges and obstacles to this endeavour.
Faulty isogenies: a new kind of leakage
TLDR
This work presents a projective invariant property characterizing affine Montgomery curves defined over prime fields, and forces a secret 3-isogeny chain to repeatedly pass through a curve defined over a prime field to exploit the new property.
Orientations and cycles in supersingular isogeny graphs
The paper concerns several theoretical aspects of oriented supersingular ℓ-isogeny volcanoes and their relationship to closed walks in the supersingular ℓ-isogeny graph. Our main
Orienteering with one endomorphism
TLDR
Although the most general runtimes are subexponential, this paper demonstrates a class of (potentially large) endomorphisms, for any supersingular elliptic curve, for which the classical runtime is polynomial.
A New Adaptive Attack on SIDH
TLDR
This paper generalizes the torsion point attacks by de Quehen et al. and constitutes a new cryptanalytic tool for isogeny-based cryptography, and introduces a new adaptive attack vector on SIDH-type schemes.

References

The Dark SIDH of Isogenies
TLDR
This work shines some light on the possibility that the combination of two additional pieces of information given in practical SSDDH instances — the image of the torsion subgroup, and the starting curve’s endomorphism ring — can lead to better attacks on cryptosystems relying on this assumption.
On the Security of Supersingular Isogeny Cryptosystems
TLDR
This work gives a very powerful active attack on the supersingular isogeny encryption scheme, and shows that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve.
Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies
TLDR
The main technical idea in this scheme is that the images of torsion bases under the isogeny are transmitted in order to allow the two parties to arrive at a common shared key despite the noncommutativity of the endomorphism ring.
On the Isogeny Problem with Torsion Point Information
TLDR
A more general reduction algorithm that generalises to all SIDH-type schemes and is shown to exploit available torsion point images together with the KLPT algorithm to obtain a linear system of equations over a certain residue class ring.
SÉTA: Supersingular Encryption from Torsion Attacks
TLDR
SÉTA, a new family of public-key encryption schemes with post-quantum security based on isogenies of supersingular elliptic curves, is presented and makes use of generic transformations to obtain IND-CCA security in the quantum random oracle model, both for a PKE scheme and a KEM.
Practical Supersingular Isogeny Group Key Agreement
We present the first quantum-resistant n-party key agreement scheme based on supersingular elliptic curve isogenies. We show that the scheme is secure against quantum adversaries, by providing a
B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion
  • Craig Costello
  • Mathematics, Computer Science
    IACR Cryptol. ePrint Arch.
  • 2019
TLDR
This framework lifts the restrictions on the shapes of the underlying prime fields originally imposed by Jao and De Feo, and allows a range of new options for instantiating isogeny-based public key cryptography, including alternatives that exploit Mersenne and Montgomery-friendly primes.
Multi-party Key Exchange Protocols from Supersingular Isogenies
TLDR
An n-party 2-round key exchange protocol is proposed by combining SIDH with the idea of Burmester–Desmedt (BD) key exchange, which significantly reduces the number of rounds and is based on the SSDDH assumption.
Faster Algorithms for Isogeny Problems Using Torsion Point Images
  • C. Petit
  • Computer Science, Mathematics
    ASIACRYPT
  • 2017
There is a recent trend in cryptography to construct protocols based on the hardness of computing isogenies between supersingular elliptic curves. Two prominent examples are Jao-De Feo’s key exchange
CSIDH: An Efficient Post-Quantum Commutative Group Action
TLDR
The Diffie–Hellman scheme resulting from the group action allows for public-key validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST’s post-quantum security category I.