
An Efficient Key Recovery Attack on SIDH

  • Conference paper
Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)

Abstract

We present an efficient key recovery attack on the Supersingular Isogeny Diffie–Hellman protocol (SIDH). The attack is based on Kani’s “reducibility criterion” for isogenies from products of elliptic curves and strongly relies on the torsion point images that Alice and Bob exchange during the protocol. If we assume knowledge of the endomorphism ring of the starting curve then the classical running time is polynomial in the input size (heuristically), apart from the factorization of a small number of integers that only depend on the system parameters. The attack is particularly fast and easy to implement if one of the parties uses 2-isogenies and the starting curve comes equipped with a non-scalar endomorphism of very small degree; this is the case for SIKE, the instantiation of SIDH that recently advanced to the fourth round of NIST’s standardization effort for post-quantum cryptography. Our Magma implementation breaks SIKEp434, which aims at security level 1, in about ten minutes on a single core.

This work was supported in part by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement ISOCRYPT - No. 101020788) and by CyberSecurity Research Flanders with reference number VR20192203.


Notes

  1.

    Right before posting our paper online, we learned that the authors of [30] had started pursuing related ideas.

  2.

    Séta is now fully broken in view of Robert’s work [38].

References

  1. Azarderakhsh, R., Jao, D., Leonardi, C.: Post-quantum static-static key agreement using multiple protocol instances. In: Adams, C., Camenisch, J. (eds.) Selected Areas in Cryptography - SAC 2017, pp. 45–63. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_3

  2. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3–4), 235–265 (1997). https://doi.org/10.1006/jsco.1996.0125

  3. Brock, B.: Superspecial curves of genera two and three. Ph.D. thesis, Princeton University (1994)

  4. Bruin, N., Flynn, E.V., Testa, D.: Descent via \((3,3)\)-isogeny on Jacobians of genus 2 curves. Acta Arithmetica 165(3), 201–223 (2014). http://eudml.org/doc/279018

  5. Canfield, E.R., Erdös, P., Pomerance, C.: On a problem of Oppenheim concerning “factorisatio numerorum.” J. Number Theory 17(1), 1–28 (1983). https://doi.org/10.1016/0022-314X(83)90002-1

  6. Castryck, W., Decru, T.: Multiradical isogenies. In: Anni, S., Karemaker, V., Lorenzo García, E. (eds.) 18th International Conference Arithmetic, Geometry, Cryptography, and Coding Theory, Contemporary Mathematics, vol. 779, pp. 57–89. American Mathematical Society (2022). https://doi.org/10.1090/conm/779

  7. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology - ASIACRYPT 2018, vol. 3, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  8. Cosset, R., Robert, D.: Computing \((\ell ,\ell )\)–isogenies in polynomial time on Jacobians of genus 2 curves. Math. Comput. 84(294), 1953–1975 (2015). https://www.ams.org/journals/mcom/2015-84-294/S0025-5718-2014-02899-8/

  9. Costello, C.: B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion. In: Moriai, S., Wang, H. (eds.) Advances in Cryptology - ASIACRYPT 2020, vol. 2, pp. 440–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_15

  10. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Paper 2006/291 (2006). https://eprint.iacr.org/2006/291

  11. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015

  12. De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) Advances in Cryptology - ASIACRYPT 2020, vol. 1, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3

  13. De Feo, L., et al.: Séta: supersingular encryption from torsion attacks. In: Tibouchi, M., Wang, H. (eds.) Advances in Cryptology - ASIACRYPT 2021, vol. 4, pp. 249–278. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_9

  14. De Feo, L., et al.: (open project): Is SIKE broken yet? (2022). https://issikebrokenyet.github.io/

  15. Djukanovic, M.: Split Jacobians and lower bounds on heights. Ph.D. thesis, Université de Bordeaux (2017)

  16. Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: Reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) Advances in Cryptology - EUROCRYPT 2018, vol. 3, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11

  17. Flynn, E.V., Ti, Y.B.: Genus two isogeny cryptography. In: Ding, J., Steinwandt, R. (eds.) Post-quantum Cryptography, pp. 286–306. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_16

  18. Fouotsa, T.B., Moriya, T., Petit, C.: M-SIDH and MD-SIDH: countering SIDH attacks by masking information. Cryptology ePrint Archive, Paper 2023/013 (2023). https://eprint.iacr.org/2023/013

  19. Fouotsa, T.B., Petit, C.: SHealS and HealS: isogeny-based PKEs from a key validation method for SIDH. In: Tibouchi, M., Wang, H. (eds.) Advances in Cryptology - ASIACRYPT 2021, vol. 4, pp. 279–307. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_10

  20. Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) Advances in Cryptology - ASIACRYPT 2017, vol. 1, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_1

  21. Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Inf. Process. 17(10), 1–22 (2018). https://doi.org/10.1007/s11128-018-2023-6

  22. Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2(4), 837–850 (1989). https://doi.org/10.1090/S0894-0347-1989-1002631-0

  23. Howe, E.W., Leprévost, F., Poonen, B.: Large torsion subgroups of split Jacobians of curves of genus two or three. Forum Math. 12(3), 315–364 (2000). https://doi.org/10.1515/form.2000.008

  24. Jao, D., et al.: Supersingular Isogeny Key Encapsulation. https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions

  25. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.Y. (ed.) Post-Quantum Cryptography, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  26. Kani, E.: The number of curves of genus two with elliptic differentials. J. für die reine und angewandte Mathematik 1997(485), 93–122 (1997). https://doi.org/10.1515/crll.1997.485.93

  27. Kohel, D., Lauter, K., Petit, C., Tignol, J.P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014). https://doi.org/10.1112/S1461157014000151

  28. Kuhn, R.M.: Curves of genus 2 with split Jacobian. Trans. Am. Math. Soc. 307(1), 41–49 (1988). https://doi.org/10.2307/2000749

  29. Love, J., Boneh, D.: Supersingular curves with small non-integer endomorphisms. In: Algorithmic Number Theory Symposium (ANTS-XIV), MSP Open Book Series, vol. 4, pp. 7–22 (2020). https://doi.org/10.2140/obs.2020.4.7

  30. Maino, L., Martindale, C.: An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive, Paper 2022/1026 (2022). https://eprint.iacr.org/2022/1026

  31. Martindale, C., Panny, L.: How to not break SIDH. Cryptology ePrint Archive, Paper 2019/558 (2019). https://eprint.iacr.org/2019/558, Presented at CFAIL 2019, Columbia University

  32. Microsoft: SIKE cryptographic challenge. https://www.microsoft.com/en-us/msrc/sike-cryptographic-challenge

  33. National Institute of Standards and Technology (NIST): Post-quantum cryptography standardization process. https://csrc.nist.gov/projects/post-quantum-cryptography

  34. Oudompheng, R.: A note on implementing direct isogeny determination in the Castryck–Decru attack. https://www.normalesup.org/~oudomphe/textes/202208-castryck-decru-shortcut.pdf

  35. Oudompheng, R., Pope, G.: A note on reimplementing the Castryck–Decru attack and lessons learned for SageMath. Cryptology ePrint Archive, Paper 2022/1283 (2022). https://eprint.iacr.org/2022/1283

  36. Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) Advances in Cryptology - ASIACRYPT 2017, vol. 2, pp. 330–353. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_12

  37. de Quehen, V., et al.: Improved torsion-point attacks on SIDH variants. In: Malkin, T., Peikert, C. (eds.) Advances in Cryptology - CRYPTO 2021, vol. 3, pp. 432–470. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_15

  38. Robert, D.: Breaking SIDH in polynomial time. Cryptology ePrint Archive, Paper 2022/1038 (2022). https://eprint.iacr.org/2022/1038

  39. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Paper 2006/145 (2006). https://eprint.iacr.org/2006/145

  40. SageMath: The Sage Mathematics Software System. https://www.sagemath.org

  41. Shanks, D., Schmid, L.P.: Variations on a theorem of Landau. Part I. Math. Comput. 20(96), 551–569 (1966). https://doi.org/10.2307/2003544

  42. Smith, B.: Explicit endomorphisms and correspondences. Ph.D. thesis, University of Sydney (2006)

  43. Urbanik, D., Jao, D.: SoK: the problem landscape of SIDH. In: Emura, K., Seo, J.H., Watanabe, Y. (eds.) Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, APKC@AsiaCCS, Incheon, Republic of Korea, 4 June 2018, pp. 53–60. ACM (2018). https://doi.org/10.1145/3197507.3197516

  44. Wesolowski, B.: The supersingular isogeny path and endomorphism ring problems are equivalent. In: 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 1100–1111 (2022). https://doi.org/10.1109/FOCS52979.2021.00109

  45. Wesolowski, B.: Understanding and improving the Castryck–Decru attack on SIDH (2022). https://www.bweso.com/papers.php

Acknowledgements

We thank Craig Costello, Luca De Feo, Luciano Maino, Frederik Vercauteren, Benjamin Wesolowski, Yifan Zheng and the anonymous reviewers for helpful discussions, questions and suggestions.

Author information

Corresponding author: Wouter Castryck.


Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Castryck, W., Decru, T. (2023). An Efficient Key Recovery Attack on SIDH. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14008. Springer, Cham. https://doi.org/10.1007/978-3-031-30589-4_15

  • DOI: https://doi.org/10.1007/978-3-031-30589-4_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30588-7

  • Online ISBN: 978-3-031-30589-4

  • eBook Packages: Computer Science (R0)