On the Security of Supersingular Isogeny Cryptosystems

  • Steven D. Galbraith
  • Christophe Petit
  • Barak Shani
  • Yan Bo Ti
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10031)


We study cryptosystems based on supersingular isogenies. This is an active area of research in post-quantum cryptography. Our first contribution is to give a very powerful active attack on the supersingular isogeny encryption scheme. This attack can only be prevented by using a (relatively expensive) countermeasure. Our second contribution is to show that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve. This result gives significant insight into the difficulty of the isogeny problem that underlies the security of these schemes. Our third contribution is to give a reduction that uses partial knowledge of shared keys to determine an entire shared key. This can be used to retrieve the secret key, given information leaked from a side-channel attack on the key exchange protocol. A corollary of this work is the first bit security result for the supersingular isogeny key exchange: Computing any component of the j-invariant is as hard as computing the whole j-invariant.

Our paper therefore provides an improved understanding of the security of these cryptosystems. We stress that our work does not imply that these systems are insecure, or that they should not be used. However, it highlights that implementations of these schemes will need to take account of the risks associated with various active and side-channel attacks.


Keywords: Isogenies; Supersingular elliptic curves



We thank the anonymous reviewers for their comments. We would like to thank Roger Heath-Brown for his help with the calculation in Appendix A. The idea to study bit security of the isogeny scheme, which led to our third result, was suggested to us by Katsuyuki Takashima. We thank David Jao for comments on the Kirkwood et al. validation. The second author is supported by a GCHQ grant on post-quantum cryptography.

References

  1. Aranha, D.F., Fouque, P.-A., Gérard, B., Kammerer, J.-G., Tibouchi, M., Zapalowicz, J.-C.: GLV/GLS decomposition, power analysis, and attacks on ECDSA signatures with single-bit nonce bias. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 262–281. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8_14
  2. Biasse, J.-F., Jao, D., Sankar, A.: A quantum algorithm for computing isogenies between supersingular elliptic curves. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 428–442. Springer, Heidelberg (2014). doi:10.1007/978-3-319-13039-2_25
  3. Blake, I.F., Seroussi, G., Smart, N.P.: Elliptic Curves in Cryptography. Cambridge University Press, Cambridge (1999)
  4. Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography. Cambridge University Press, Cambridge (2005)
  5. Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_11
  6. Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009)
  7. Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)
  8. Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Crypt. 36(1), 33–43 (2005)
  9. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53018-4_21
  10. Cox, D.A.: Primes of the Form \(x^2 + n y^2\). John Wiley & Sons Inc, New York (1989)
  11. Cox, D.A., Little, J., O'Shea, D.: Ideals, Varieties, and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Algebra. Undergraduate Texts in Mathematics, 3rd edn. Springer, Secaucus (2007)
  12. Deuring, M.: Die Typen der Multiplikatorenringe elliptischer Funktionenkörper. Abh. Math. Sem. Hansischen Univ. 14, 197–272 (1941)
  13. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
  14. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_34
  15. Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999)
  16. Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23(3), 283–290 (2001)
  17. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25405-5_2
  18. Jao, D., Soukharev, V.: Isogeny-based quantum-resistant undeniable signatures. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 160–179. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11659-4_10
  19. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006). doi:10.1007/11935230_18
  20. Kirkwood, D., Lackey, B.C., McVey, J., Motley, M., Solinas, J.A., Tuller, D.: Failure is not an option: standardization issues for post-quantum key agreement. In: Workshop on Cybersecurity in a Post-Quantum World (2015)
  21. Kohel, D.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California, Berkeley (1996)
  22. Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell\)-isogeny path problem. LMS J. Comput. Math. 17(Special issue A), 418–432 (2014)
  23. Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997). doi:10.1007/BFb0052240
  24. De Mulder, E., Hutter, M., Marson, M.E., Pearson, P.: Using Bleichenbacher's solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version. J. Crypt. Eng. 4(1), 33–45 (2014)
  25. Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the digital signature algorithm with partially known nonces. J. Crypt. 15(3), 151–176 (2002)
  26. Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Crypt. 30(2), 201–217 (2003)
  27. Nguyen, P.Q., Stehlé, D.: Low-dimensional lattice basis reduction revisited. In: Buell, D. (ed.) ANTS 2004. LNCS, vol. 3076, pp. 338–357. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24847-7_26
  28. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11659-4_12
  29. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006)
  30. Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106, 2nd edn. Springer, New York (2009)
  31. Tate, J.: Endomorphisms of abelian varieties over finite fields. Invent. Math. 2(2), 134–144 (1966)
  32. Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A 273, 238–241 (1971)
  33. Vignéras, M.-F.: Arithmétique des Algèbres de Quaternions. Lecture Notes in Mathematics, vol. 800. Springer, New York (1980)
  34. Xi, S., Tian, H., Wang, Y.: Toward quantum-resistant strong designated verifier signature from isogenies. Int. J. Grid Util. Comput. 5(2), 292–296 (2012)

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Steven D. Galbraith (1)
  • Christophe Petit (2)
  • Barak Shani (1)
  • Yan Bo Ti (1)

  1. Mathematics Department, University of Auckland, Auckland, New Zealand
  2. Mathematical Institute, Oxford University, Oxford, UK