Abstract
We present an efficient key recovery attack on the Supersingular Isogeny Diffie–Hellman protocol (SIDH). The attack is based on Kani’s “reducibility criterion” for isogenies from products of elliptic curves and strongly relies on the torsion point images that Alice and Bob exchange during the protocol. If we assume knowledge of the endomorphism ring of the starting curve then the classical running time is polynomial in the input size (heuristically), apart from the factorization of a small number of integers that only depend on the system parameters. The attack is particularly fast and easy to implement if one of the parties uses 2-isogenies and the starting curve comes equipped with a non-scalar endomorphism of very small degree; this is the case for SIKE, the instantiation of SIDH that recently advanced to the fourth round of NIST’s standardization effort for post-quantum cryptography. Our Magma implementation breaks SIKEp434, which aims at security level 1, in about ten minutes on a single core.
This work was supported in part by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement ISOCRYPT - No. 101020788) and by CyberSecurity Research Flanders with reference number VR20192203.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Azarderakhsh, R., Jao, D., Leonardi, C.: Post-quantum static-static key agreement using multiple protocol instances. In: Adams, C., Camenisch, J. (eds.) Selected Areas in Cryptography - SAC 2017, pp. 45–63. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_3
Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3–4), 235–265 (1997). https://doi.org/10.1006/jsco.1996.0125
Brock, B.: Superspecial curves of genera two and three. Ph.D. thesis, Princeton University (1994)
Bruin, N., Flynn, E.V., Testa, D.: Descent via \((3,3)\)-isogeny on Jacobians of genus 2 curves. Acta Arithmetica 165(3), 201–223 (2014). http://eudml.org/doc/279018
Canfield, E.R., Erdös, P., Pomerance, C.: On a problem of Oppenheim concerning “factorisatio numerorum.” J. Number Theory 17(1), 1–28 (1983). https://doi.org/10.1016/0022-314X(83)90002-1
Castryck, W., Decru, T.: Multiradical isogenies. In: Anni, S., Karemaker, V., Lorenzo García, E. (eds.) 18th International Conference Arithmetic, Geometry, Cryptography, and Coding Theory, Contemporary Mathematics, vol. 779, pp. 57–89. American Mathematical Society (2022). https://doi.org/10.1090/conm/779
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology - ASIACRYPT 2018, vol. 3, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
Cosset, R., Robert, D.: Computing \((\ell ,\ell )\)–isogenies in polynomial time on Jacobians of genus 2 curves. Math. Comput. 84(294), 1953–1975 (2015). https://www.ams.org/journals/mcom/2015-84-294/S0025-5718-2014-02899-8/
Costello, C.: B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion. In: Moriai, S., Wang, H. (eds.) Advances in Cryptology - ASIACRYPT 2020, vol. 2, pp. 440–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_15
Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Paper 2006/291 (2006). https://eprint.iacr.org/2006/291
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015
De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) Advances in Cryptology - ASIACRYPT 2020, vol. 1, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3
De Feo, L., et al.: Séta: supersingular encryption from torsion attacks. In: Tibouchi, M., Wang, H. (eds.) Advances in Cryptology - ASIACRYPT 2021, vol. 4, pp. 249–278. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_9
De Feo, L., et al.: (open project): Is SIKE broken yet? (2022). https://issikebrokenyet.github.io/
Djukanovic, M.: Split Jacobians and lower bounds on heights. Ph.D. thesis, Université de Bordeaux (2017)
Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: Reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) Advances in Cryptology - EUROCRYPT 2018, vol. 3, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11
Flynn, E.V., Ti, Y.B.: Genus two isogeny cryptography. In: Ding, J., Steinwandt, R. (eds.) Post-quantum Cryptography, pp. 286–306. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_16
Fouotsa, T.B., Moriya, T., Petit, C.: M-SIDH and MD-SIDH: countering SIDH attacks by masking information. Cryptology ePrint Archive, Paper 2023/013 (2023). https://eprint.iacr.org/2023/013
Fouotsa, T.B., Petit, C.: SHealS and HealS: isogeny-based PKEs from a key validation method for SIDH. In: Tibouchi, M., Wang, H. (eds.) Advances in Cryptology - ASIACRYPT 2021, vol. 4, pp. 279–307. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_10
Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) Advances in Cryptology - ASIACRYPT 2017, vol. 1, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_1
Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Inf. Process. 17(10), 1–22 (2018). https://doi.org/10.1007/s11128-018-2023-6
Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2(4), 837–850 (1989). https://doi.org/10.1090/S0894-0347-1989-1002631-0
Howe, E.W., Leprévost, F., Poonen, B.: Large torsion subgroups of split Jacobians of curves of genus two or three. Forum Math. 12(3), 315–364 (2000). https://doi.org/10.1515/form.2000.008
Jao, D., et al.: Supersingular Isogeny Key Encapsulation. https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.Y. (ed.) Post-Quantum Cryptography, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Kani, E.: The number of curves of genus two with elliptic differentials. J. für die reine und angewandte Mathematik 1997(485), 93–122 (1997). https://doi.org/10.1515/crll.1997.485.93
Kohel, D., Lauter, K., Petit, C., Tignol, J.P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014). https://doi.org/10.1112/S1461157014000151
Kuhn, R.M.: Curves of genus 2 with split Jacobian. Trans. Am. Math. Soc. 307(1), 41–49 (1988). https://doi.org/10.2307/2000749
Love, J., Boneh, D.: Supersingular curves with small non-integer endomorphisms. In: Algorithmic Number Theory Symposium (ANTS-XIV), MSP Open Book Series, vol. 4, pp. 7–22 (2020). https://doi.org/10.2140/obs.2020.4.7
Maino, L., Martindale, C.: An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive, Paper 2022/1026 (2022). https://eprint.iacr.org/2022/1026
Martindale, C., Panny, L.: How to not break SIDH. Cryptology ePrint Archive, Paper 2019/558 (2019). https://eprint.iacr.org/2019/558, Presented at CFAIL 2019, Columbia University
Microsoft: SIKE cryptographic challenge. https://www.microsoft.com/en-us/msrc/sike-cryptographic-challenge
National Institute of Standards and Technology (NIST): Post-quantum cryptography standardization process. https://csrc.nist.gov/projects/post-quantum-cryptography
Oudompheng, R.: A note on implementing direct isogeny determination in the Castryck–Decru attack. https://www.normalesup.org/~oudomphe/textes/202208-castryck-decru-shortcut.pdf
Oudompheng, R., Pope, G.: A note on reimplementing the Castryck–Decru attack and lessons learned for SageMath. Cryptology ePrint Archive, Paper 2022/1283 (2022). https://eprint.iacr.org/2022/1283
Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) Advances in Cryptology - ASIACRYPT 2017, vol. 2, pp. 330–353. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_12
de Quehen, V., et al.: Improved torsion-point attacks on SIDH variants. In: Malkin, T., Peikert, C. (eds.) Advances in Cryptology - CRYPTO 2021, vol. 3, pp. 432–470. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_15
Robert, D.: Breaking SIDH in polynomial time. Cryptology ePrint Archive, Paper 2022/1038 (2022). https://eprint.iacr.org/2022/1038
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Paper 2006/145 (2006). https://eprint.iacr.org/2006/145
SageMath: The Sage Mathematics Software System. https://www.sagemath.org
Shanks, D., Schmid, L.P.: Variations on a theorem of Landau. Part I. Math. Comput. 20(96), 551–569 (1966). https://doi.org/10.2307/2003544
Smith, B.: Explicit endomorphisms and correspondences. Ph.D. thesis, University of Sydney (2006)
Urbanik, D., Jao, D.: SoK: the problem landscape of SIDH. In: Emura, K., Seo, J.H., Watanabe, Y. (eds.) Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, APKC@AsiaCCS, Incheon, Republic of Korea, 4 June 2018, pp. 53–60. ACM (2018). https://doi.org/10.1145/3197507.3197516
Wesolowski, B.: The supersingular isogeny path and endomorphism ring problems are equivalent. In: 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 1100–1111 (2022). https://doi.org/10.1109/FOCS52979.2021.00109
Wesolowski, B.: Understanding and improving the Castryck–Decru attack on SIDH (2022). https://www.bweso.com/papers.php
Acknowledgements
We thank Craig Costello, Luca De Feo, Luciano Maino, Frederik Vercauteren, Benjamin Wesolowski, Yifan Zheng and the anonymous reviewers for helpful discussions, questions and suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Castryck, W., Decru, T. (2023). An Efficient Key Recovery Attack on SIDH. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14008. Springer, Cham. https://doi.org/10.1007/978-3-031-30589-4_15
Download citation
DOI: https://doi.org/10.1007/978-3-031-30589-4_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30588-7
Online ISBN: 978-3-031-30589-4
eBook Packages: Computer ScienceComputer Science (R0)