A New Adaptive Attack on SIDH

Fouotsa, Tako Boris; Petit, Christophe

doi:10.1007/978-3-030-95312-6_14

Cited by 12 publications

(10 citation statements)

References 33 publications

(46 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…are small, and decodes the error-correcting code to recover M. SIKE (Supersingular Isogeny Key Encapsulation) is a key encapsulation mechanism based on the hard problem of pseudo-random walks in supersingular isogeny graphs. SIKE is a relatively new problem in the cryptographic arena and currently undergoing several attacks like its instantiation SIDH (Supersingular Isogeny Diffie-Hellman key exchange protocol) [8,13,20,34,35]. These are key recovery attacks, reduces of the level security, side-channel attacks, and fault injection.…”

Section: Nist Pqc Standardization and Resultsmentioning

confidence: 99%

Key-Recovery by Side-Channel Information on the Matrix-Vector Product in Code-Based Cryptosystems

Seck

Cayrel

Diop³

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

show abstract

Section: Nist Pqc Standardization and Resultsmentioning

confidence: 99%

Key-Recovery by Side-Channel Information on the Matrix-Vector Product in Code-Based Cryptosystems

Seck

Cayrel

Diop³

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…He also crushed the hope for secure higher-dimensional variants of SIDH. Fouotsa, Moriya and Petit have proposed an interesting (yet impractical) variant of SIDH that aims at thwarting the current attacks [18].…”

Section: Follow-up Workmentioning

confidence: 99%

An Efficient Key Recovery Attack on SIDH

Castryck

Decru

2023

Lecture Notes in Computer Science

129

View full text Add to dashboard Cite

We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH). The attack is based on Kani's "reducibility criterion" for isogenies from products of elliptic curves and strongly relies on the torsion point images that Alice and Bob exchange during the protocol. If we assume knowledge of the endomorphism ring of the starting curve then the classical running time is polynomial in the input size (heuristically), apart from the factorization of a small number of integers that only depend on the system parameters. The attack is particularly fast and easy to implement if one of the parties uses 2-isogenies and the starting curve comes equipped with a non-scalar endomorphism of very small degree; this is the case for SIKE, the instantiation of SIDH that recently advanced to the fourth round of NIST's standardization effort for post-quantum cryptography. Our Magma implementation breaks SIKEp434, which aims at security level 1, in about ten minutes on a single core.

show abstract

“…Another adaptive attack against SIDH (different in nature from the GPST attack) is given in Ref. [23]. The attack works in two steps.…”

Section: Another Adaptive Attackmentioning

confidence: 99%

“…One can also note that the shifted endomorphism attacks of Section 5 typically assume knowledge of the exact images of points through the secret isogeny, but Ref. [24] showed that knowing these images up to a common scalar multiple is enough.…”

Section: Active Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Torsion point attacks on ‘SIDH‐like’ cryptosystems

Kutas

Petit

2022

IET Information Security

View full text Add to dashboard Cite

Isogeny-based cryptography is a promising approach for postquantum cryptography. The best-known protocol following that approach is the supersingular isogeny Diffie-Hellman protocol (SIDH); this protocol was turned into the CCA-secure key encapsulation mechanism SIKE, which was submitted to and remains in the third round of NIST's post-quantum standardization process as an "alternate" candidate. Isogeny-based cryptography generally relies on the conjectured hardness of computing an isogeny between two isogenous elliptic curves, and most cryptanalytic work referenced on SIKE's webpage exclusively focuses on that problem. Interestingly, the hardness of this problem is sufficient for neither SIDH nor SIKE. In particular, these protocols reveal additional information on the secret isogeny, in the form of images of specific torsion points through the isogeny. This paper surveys existing cryptanalysis approaches exploiting this often called "torsion point information", summarizes their current impact on SIKE and related algorithms, and suggests some research directions that might lead to further impact.

show abstract

A New Adaptive Attack on SIDH

Cited by 12 publications

References 33 publications

Key-Recovery by Side-Channel Information on the Matrix-Vector Product in Code-Based Cryptosystems

Key-Recovery by Side-Channel Information on the Matrix-Vector Product in Code-Based Cryptosystems

An Efficient Key Recovery Attack on SIDH

Torsion point attacks on ‘SIDH‐like’ cryptosystems

Contact Info

Product

Resources

About