SpringerLink
Log in

Improved Torsion-Point Attacks on SIDH Variants

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2021 (CRYPTO 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12827))

Included in the following conference series:

Abstract

SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of finding isogenies between supersingular elliptic curves. However, SIDH and related cryptosystems also reveal additional information: the restriction of a secret isogeny to a subgroup of the curve (torsion-point information). Petit [31] was the first to demonstrate that torsion-point information could noticeably lower the difficulty of finding secret isogenies. In particular, Petit showed that “overstretched” parameterizations of SIDH could be broken in polynomial time. However, this did not impact the security of any cryptosystems proposed in the literature. The contribution of this paper is twofold: First, we strengthen the techniques of [31] by exploiting additional information coming from a dual and a Frobenius isogeny. This extends the impact of torsion-point attacks considerably. In particular, our techniques yield a classical attack that completely breaks the n-party group key exchange of [2], first introduced as GSIDH in [17], for 6 parties or more, and a quantum attack for 3 parties or more that improves on the best known asymptotic complexity. We also provide a Magma implementation of our attack for 6 parties. We give the full range of parameters for which our attacks apply. Second, we construct SIDH variants designed to be weak against our attacks; this includes backdoor choices of starting curve, as well as backdoor choices of base-field prime. We stress that our results do not degrade the security of, or reveal any weakness in, the NIST submission SIKE [20].

Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. Lorenz Panny was a PhD student at Technische Universiteit Eindhoven while this research was conducted. Péter Kutas and Christophe Petit’s work was supported by EPSRC grant EP/S01361X/1. Katherine E. Stange was supported by NSF-CAREER CNS-1652238. This work was supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 643161 (ECRYPT-NET) and in part by NWO project 651.002.004 (CHIST-ERA USEIT). Date of this document: 2021-06-25. ©IACR 2021. This article is the final version submitted by the author(s) to the IACR and to Springer-Verlag on June 25, 2021. The version published by Springer-Verlag is available at <DOI>.”.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
EUR 29.95
Price includes VAT (Germany)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
EUR 96.29
Price includes VAT (Germany)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
EUR 128.39
Price includes VAT (Germany)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free ship** worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    See Sect. 2.2 for how the objects discussed are represented computationally.

  2. 2.

    These constraints do not necessarily uniquely determine \(\varphi \), but any efficiently computable isogeny from \(E_0\) to E is usually enough to recover the SIDH secret [18, 37]. Moreover, \(\varphi \) is unique whenever \(B^2>4A\) [28, § 4].

  3. 3.

    Note that the naïve meet-in-the-middle approach has prohibitively large memory requirements. Collision finding à la van Oorschot–Wiener thus performs better in practice, although its time complexity is worse in theory [1].

  4. 4.

    [17] also proposes a different group key agreement, SIBD, to which our attack does not apply.

  5. 5.

    Each occurrence of \({\text {polylog}}(p)\) is shorthand for a concrete, fixed polynomial in \(\log p\). (The notation is not meant to imply that all instances of \({\text {polylog}}(p)\) be the same).

  6. 6.

    See also [7] for a different reduction to SLE\(_{B^2}\), cf. Subsect. 1.2.

  7. 7.

    Note that the newest version of SIKE [20] changed the starting curve to a 2-isogenous neighbour of \(j=1728\), but this does not affect the asymptotic complexity of any attack.

  8. 8.

    More generally, these attacks apply for any “special” starting curve in the sense of [26].

  9. 9.

    In the proof, it suffices to take \(p^k > A\) for any k.

  10. 10.

    https://simond.users.lmno.cnrs.fr/.

  11. 11.

    In [10] the theorem was referred to as a classical result, considered to be folklore.

  12. 12.

    Some choices of A and B result in \(D \equiv 2 \pmod 4\) which is an obstruction to this method.

  13. 13.

    We resist the temptation of referring to such instantiations as “door” instead of “backdoor”.

  14. 14.

    For the reader who is wondering exactly how to apply Grover’s algorithm in this context: Let \(\langle P_A, Q_A \rangle = E_0[A^{\gamma }].\) The input for Grover’s algorithm here is an integer \(n < A^{\gamma }\) and all of the input of Algorithm 5. Attempt Steps 2 and 3 for \(\varphi _g\) such that \(\ker (\varphi _g) = \langle P_A + nQ_A\rangle \); the output will be success or failure. Every subroutine of Steps 2 and 3 can be broken down into basic elliptic curve arithmetic for which there are known quantum algorithms of similar complexity to their classical counterparts.

  15. 15.

    The way Theorem 5 is presented differs from Theorem 37 here; this is merely a change in notation.

References

  1. Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J.-J., Menezes, A., Rodríguez-Henríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. In: Cid, C., Jacobson Jr, M. (eds.) SAC 2018. LNCS, vol. 11349, pp. 322–343. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_15

  2. Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: Practical supersingular isogeny group key agreement. IACR Cryptology ePrint Archive 2019/330 (2019)

    Google Scholar 

  3. Batut, C., Belabas, K., Bernardi, D., Cohen, H., Olivier, M.: User’s Guide to PARI-GP. Université de Bordeaux I. https://pari.math.u-bordeaux.fr/

  4. Biasse, J.-F., Jao, D., Sankar, A.: A quantum algorithm for computing isogenies between supersingular elliptic curves. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 428–442. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_25

    Chapter  Google Scholar 

  5. Boneh, D., Kogan, D., Woo, K.: Oblivious pseudorandom functions from isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 520–550. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_18

    Chapter  Google Scholar 

  6. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: the user language. J. Symbolic Comput. 24(3–4), 235–265 (1997). https://magma.maths.usyd.edu.au/

  7. Bottinelli, P., de Quehen, V., Leonardi, C., Mosunov, A., Pawlega, F., Sheth, M.: The dark SIDH of isogenies. IACR Cryptology ePrint Archive 2019/1333 (2019)

    Google Scholar 

  8. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

    Chapter  Google Scholar 

  9. Castryck, W., Panny, L., Vercauteren, F.: Rational isogenies from irrational endomorphisms. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 523–548. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_18

    Chapter  Google Scholar 

  10. Colò, L., David, K.: Orienting supersingular isogeny graphs. J. Math. Cryptology 14(1), 414–437 (2020)

    Article  MathSciNet  Google Scholar 

  11. Costello, C.: B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 440–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_15

    Chapter  Google Scholar 

  12. Cremona, J., David, R.: Efficient solution of rational conics. Math. Comput. 72(243), 1417–1441 (2003)

    Article  MathSciNet  Google Scholar 

  13. de Quehen, V., et al.: Improved torsion-point attacks on SIDH variants. Full version of this article. IACR Cryptology ePrint Archive 2020/633 (2021). https://ia.cr/2020/633

  14. Delpech de Saint Guilhem, C., Kutas, P., Petit, C., Silva, J.: SÉTA: supersingular encryption from torsion attacks. IACR Cryptology ePrint Archive 2019/1291 (2019)

    Google Scholar 

  15. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Crypt. 78(2), 425–440 (2016)

    Article  Google Scholar 

  16. Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11

    Chapter  Google Scholar 

  17. Furukawa, S., Kunihiro, N., Takashima, K.: Multi-party key exchange protocols from supersingular isogenies. In: ISITA, pp. 208–212. IEEE (2018)

    Google Scholar 

  18. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3

    Chapter  Google Scholar 

  19. Ivanyos, G., Rónyai, L.: Finding maximal orders in semisimple algebras over \(\mathbb{Q}\). Comput. Complex. 3(3), 245–261 (1993)

    Article  MathSciNet  Google Scholar 

  20. Jao, D., et al.: Supersingular isogeny key encapsulation. Updated version of [21] for round 3 of [29] (2020)

    Google Scholar 

  21. Jao, D., et al.: Supersingular isogeny key encapsulation. Submission to [29] (2017). https://sike.org

  22. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

    Chapter  MATH  Google Scholar 

  23. Jaques, S., Schanck, J.M.: Quantum cryptanalysis in the RAM model: claw-finding attacks on SIKE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 32–61. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_2

    Chapter  MATH  Google Scholar 

  24. Jaques, S., Schrottenloher, A.: Low-gate quantum golden collision finding. In: SAC 2020. Springer (2020)

    Google Scholar 

  25. Kaneko, M.: Supersingular \(j\)-invariants as singular moduli mod \(p\). Osaka J. Math. 26(4), 849–855 (1989)

    MathSciNet  MATH  Google Scholar 

  26. Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17A, 418–432 (2014)

    Article  MathSciNet  Google Scholar 

  27. Love, J., Boneh, D.: Supersingular curves with small non-integer endomorphisms. In: Galbraith, S. (ed.) ANTS XIV: Proceedings of the Fourteenth Algorithmic Number Theory Symposium (2020)

    Google Scholar 

  28. Martindale, C., Panny, L.: How to not break SIDH. In: CFAIL 2019 (2019)

    Google Scholar 

  29. National Institute of Standards and Technology: Post-quantum cryptography standardization, December 2016. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization

  30. Onuki, H.: On oriented supersingular elliptic curves. Finite Fields Appl. 69, 101777 (2021)

    Article  MathSciNet  Google Scholar 

  31. Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_12

    Chapter  Google Scholar 

  32. Petit, C., Lauter, K.E.: Hard and easy problems for supersingular isogeny graphs. IACR Cryptology ePrint Archive 2017/962 (2017)

    Google Scholar 

  33. Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over \(\rm GF(p)\) and its cryptographic significance (corresp.). IEEE Trans. Inf. Theory 24(1), 106–110 (1978)

    Google Scholar 

  34. Sahu, R.A., Gini, A., Pal, A.: Supersingular isogeny-based designated verifier blind signature. IACR Cryptology ePrint Archive 2019/1498 (2019)

    Google Scholar 

  35. Siegel, C.L.: Über die Classenzahl quadratischer Zahlkörper. Acta Arithmetica, pp. 83–86 (1935)

    Google Scholar 

  36. Simon, D.: Quadratic equations in dimensions 4, 5 and more. Preprint (2005). https://simond.users.lmno.cnrs.fr/maths/Dim4.pdf

  37. Tako, B.F., Kutas, P., Merz, S.-P.: On the isogeny problem with torsion point information. IACR Cryptology ePrint Archive 2021/153

    Google Scholar 

  38. Tani, S.: An improved claw finding algorithm using quantum walk. In: Kučera, L., Kučera, A. (eds.) MFCS 2007. LNCS, vol. 4708, pp. 536–547. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74456-6_48

    Chapter  Google Scholar 

  39. Voight, J.: Identifying the matrix ring: algorithms for quaternion algebras and quadratic forms. In: Alladi, K., Bhargava, M., Savitt, D., Tiep, P. (eds.) Quadratic and Higher Degree Forms, pp. 255–298. Springer, New York (2013). https://doi.org/10.1007/978-1-4614-7488-3_10

Download references

Acknowledgements

Thanks to Daniel J. Bernstein for his insight into estimating sizes of solutions to Eq. 3, to John Voight for answering a question of ours concerning Subsect. 5.2, and to Boris Fouotsa for identifying errors in Proposition 34 and its proof. We would also like to thank Filip Pawlega and the anonymous reviewers for their careful reading and helpful feedback.

Author information

Authors and Affiliations

  1. ISARA Corporation, Waterloo, Canada

    Victoria de Quehen & Chris Leonardi

  2. School of Computer Science, University of Birmingham, Birmingham, UK

    Péter Kutas & Christophe Petit

  3. Department of Computer Science, University of Bristol, Bristol, UK

    Chloe Martindale

  4. Institute of Information Science, Academia Sinica, Taipei, Taiwan

    Lorenz Panny

  5. Laboratoire d’Informatique, Université Libre de Bruxelles, Brussels, Belgium

    Christophe Petit

  6. Department of Mathematics, University of Colorado Boulder, Boulder, CO, USA

    Katherine E. Stange

Authors
  1. Victoria de Quehen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Péter Kutas
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Chris Leonardi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Chloe Martindale
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Lorenz Panny
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Christophe Petit
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Katherine E. Stange
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Columbia University, New York City, NY, USA

    Tal Malkin

  2. University of Michigan, Ann Arbor, MI, USA

    Chris Peikert

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

de Quehen, V. et al. (2021). Improved Torsion-Point Attacks on SIDH Variants. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12827. Springer, Cham. https://doi.org/10.1007/978-3-030-84252-9_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-84252-9_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84251-2

  • Online ISBN: 978-3-030-84252-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation