# Improved Torsion-Point Attacks on SIDH Variants

@inproceedings{Quehen2021ImprovedTA, title={Improved Torsion-Point Attacks on SIDH Variants}, author={Victoria de Quehen and P{\'e}ter Kutas and Christopher Leonardi and Chloe Martindale and Lorenz Panny and Christophe Petit and Katherine E. Stange}, booktitle={CRYPTO}, year={2021} }

SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of finding isogenies between supersingular elliptic curves. However, SIDH and related cryptosystems also reveal additional information: the restriction of a secret isogeny to a subgroup of the curve (torsion point information). Petit [28] was the first to demonstrate that torsion point information could noticeably lower the difficulty of finding secret isogenies. In particular, Petit showed that "overstretched…

## 12 Citations

Torsion point attacks on “SIDH-like” cryptosystems

- Computer Science, Mathematics
- 2021

Existing cryptanalysis approaches that exploit the restriction of the secret isogeny to a torsion subgroup, often called “torsion point information”, are surveyed, their current impact on SIKE and related algorithms is summarized, and some research directions that might lead to further impact are suggested.

Cryptanalysis of an oblivious PRF from supersingular isogenies

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2021

The SIDH-based oblivious pseudorandom function from supersingular isogenies proposed at Asiacrypt’20 is cryptanalysed. It is argued that the OPRF protocol can easily be changed to include countermeasures, and a second subexponential attack is given that succeeds even in the presence of those countermeasures.

Towards Post-Quantum Updatable Public-Key Encryption via Supersingular Isogenies

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

This work formalizes two UPKE variants presented in the literature as Symmetric and Asymmetric Updatable Public-Key Encryption, and describes a SIDH-based Symmetric UPKE construction that can be instantiated using a parameter set in which the class group structure is fully known, ensuring efficient uniform sampling and canonical representation to prevent leakage of secret keys.

SÉTA: Supersingular Encryption from Torsion Attacks

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

SÉTA, a new family of public-key encryption schemes with post-quantum security based on isogenies of supersingular elliptic curves, is presented and makes use of generic transformations to obtain IND-CCA security in the quantum random oracle model, both for a PKE scheme and a KEM.

An Effective Lower Bound on the Number of Orientable Supersingular Elliptic Curves

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2022

A generic lower bound on the number of O-orientable supersingular curves over F_{p^2} is proved, which provides a complexity estimate for the brute-force attack against the new O-uber isogeny problem introduced by De Feo, Delpech de Saint Guilhem, Fouotsa, Kutas, Leroux, Petit, Silva and Wesolowski.

Failing to hash into supersingular isogeny graphs

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2022

A number of failed attempts to hash into supersingular isogeny graphs are documented in the hope that they may spur further research and shed light on the challenges and obstacles to this endeavour.

Faulty isogenies: a new kind of leakage

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2022

This work presents a projective invariant property characterizing affine Montgomery curves defined over prime fields, and forces a secret 3-isogeny chain to repeatedly pass through a curve defined over a prime field to exploit the new property.

Orientations and cycles in supersingular isogeny graphs

- Mathematics
- IACR Cryptol. ePrint Arch.
- 2022

The paper concerns several theoretical aspects of oriented supersingular ℓ-isogeny volcanoes and their relationship to closed walks in the supersingular ℓ-isogeny graph. Our main…

Orienteering with one endomorphism

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2022

Although the most general runtimes are subexponential, this paper demonstrates a class of (potentially large) endomorphisms, for any supersingular elliptic curve, for which the classical runtime is polynomial.

A New Adaptive Attack on SIDH

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2021

This paper generalizes the torsion point attacks by de Quehen et al., constitutes a new cryptanalytic tool for isogeny-based cryptography, and introduces a new adaptive attack vector on SIDH-type schemes.

## References

SHOWING 1-10 OF 43 REFERENCES

The Dark SIDH of Isogenies

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

This work shines some light on the possibility that the combination of two additional pieces of information given in practical SSDDH instances, the image of the torsion subgroup and the starting curve’s endomorphism ring, can lead to better attacks on cryptosystems relying on this assumption.

On the Security of Supersingular Isogeny Cryptosystems

- Computer Science, Mathematics
- ASIACRYPT
- 2016

This work gives a very powerful active attack on the supersingular isogeny encryption scheme, and shows that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve.

Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies

- Mathematics, Computer Science
- PQCrypto
- 2011

The main technical idea in this scheme is that the images of torsion bases under the isogeny are transmitted in order to allow the two parties to arrive at a common shared key despite the noncommutativity of the endomorphism ring.

On the Isogeny Problem with Torsion Point Information

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2021

A more general reduction algorithm that applies to all SIDH-type schemes is presented; it exploits the available torsion point images together with the KLPT algorithm to obtain a linear system of equations over a certain residue class ring.

SÉTA: Supersingular Encryption from Torsion Attacks

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

SÉTA, a new family of public-key encryption schemes with post-quantum security based on isogenies of supersingular elliptic curves, is presented and makes use of generic transformations to obtain IND-CCA security in the quantum random oracle model, both for a PKE scheme and a KEM.

Practical Supersingular Isogeny Group Key Agreement

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

We present the first quantum-resistant n-party key agreement scheme based on supersingular elliptic curve isogenies. We show that the scheme is secure against quantum adversaries, by providing a…

B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2019

This framework lifts the restrictions on the shapes of the underlying prime fields originally imposed by Jao and De Feo, and allows a range of new options for instantiating isogeny-based public key cryptography, including alternatives that exploit Mersenne and Montgomery-friendly primes.

Multi-party Key Exchange Protocols from Supersingular Isogenies

- Computer Science, Mathematics
- 2018 International Symposium on Information Theory and Its Applications (ISITA)
- 2018

An n-party 2-round key exchange protocol is proposed by combining SIDH with the idea of Burmester–Desmedt (BD) key exchange, which significantly reduces the number of rounds and is based on the SSDDH assumption.

Faster Algorithms for Isogeny Problems Using Torsion Point Images

- Computer Science, Mathematics
- ASIACRYPT
- 2017

There is a recent trend in cryptography to construct protocols based on the hardness of computing isogenies between supersingular elliptic curves. Two prominent examples are Jao-De Feo’s key exchange…

CSIDH: An Efficient Post-Quantum Commutative Group Action

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2018

The Diffie–Hellman scheme resulting from the group action allows for public-key validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST’s post-quantum security category I.