Abstract
The SIDH key exchange is the main building block of SIKE, the only isogeny based scheme involved in the NIST standardization process. In 2016, Galbraith et al. presented an adaptive attack on SIDH. In this attack, a malicious party manipulates the torsion points in his public key in order to recover an honest party’s static secret key, when having access to a key exchange oracle. In 2017, Petit designed a passive attack (which was improved by de Quehen et al. in 2020) that exploits the torsion point information available in SIDH public key to recover the secret isogeny when the endomorphism ring of the starting curve is known.
In this paper, firstly, we generalize the torsion point attacks by de Quehen et al. Secondly, we introduce a new adaptive attack vector on SIDH-type schemes. Our attack uses the access to a key exchange oracle to recover the action of the secret isogeny on larger subgroups. This leads to an unbalanced SIDH instance for which the secret isogeny can be recovered in polynomial time using the generalized torsion point attacks. Our attack is different from the GPST adaptive attack and constitutes a new cryptanalytic tool for isogeny based cryptography. This result proves that the torsion point attacks are relevant to SIDH (Disclaimer: this result is applicable to SIDH-type schemes only, not to SIKE.) parameters in an adaptive attack setting. We suggest attack parameters for some SIDH primes and discuss some countermeasures.
In this paper, firstly, we generalize the torsion point attacks by de Quehen et al. Secondly, we introduce a new adaptive attack vector on SIDH-type schemes. Our attack uses the access to a key exchange oracle to recover the action of the secret isogeny on larger subgroups. This leads to an unbalanced SIDH instance for which the secret isogeny can be recovered in polynomial time using the generalized torsion point attacks. Our attack is different from the GPST adaptive attack and constitutes a new cryptanalytic tool for isogeny based cryptography. This result proves that the torsion point attacks are relevant to SIDH (Disclaimer: this result is applicable to SIDH-type schemes only, not to SIKE.) parameters in an adaptive attack setting. We suggest attack parameters for some SIDH primes and discuss some countermeasures.
Original language | English |
---|---|
Title of host publication | Topics in Cryptology – CT-RSA 2022 |
Subtitle of host publication | Cryptographers’ Track at the RSA Conference 2022, Virtual Event, March 1–2, 2022, Proceedings |
Editors | Steven D. Galbraith |
Publisher | Springer |
Pages | 322-344 |
Number of pages | 23 |
Edition | 1 |
ISBN (Electronic) | 9783030953126 |
ISBN (Print) | 9783030953119 |
DOIs | |
Publication status | Published - 1 Jan 2022 |
Event | Cryptographers’ Track RSA Conference - Virtual Duration: 7 Feb 2022 → 10 Feb 2022 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
Volume | 13161 |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | Cryptographers’ Track RSA Conference |
---|---|
Abbreviated title | CT-RSA |
Period | 7/02/22 → 10/02/22 |
Keywords
- Adaptive attacks
- Cryptanalysis
- Post-quantum cryptography
- SIDH