Paper 2023/640
A Direct Key Recovery Attack on SIDH
Abstract
We present an attack on SIDH utilising isogenies between polarized products of two supersingular elliptic curves. In the case of arbitrary starting curve, our attack (discovered independently from [CD22]) has subexponential complexity, thus significantly reducing the security of SIDH and SIKE. When the endomorphism ring of the starting curve is known, our attack (here derived from [CD22]) has polynomial-time complexity assuming the generalised Riemann hypothesis. Our attack applies to any isogeny-based cryptosystem that publishes the images of points under the secret isogeny, for example SÉTA and B-SIDH. It does not apply to CSIDH, CSI-FiSh, or SQISign.
Metadata
- Available format(s)
-
PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Published by the IACR in EUROCRYPT 2023
- DOI
- 10.1007/978-3-031-30589-4_16
- Keywords
- SIDHElliptic CurveIsogenyCryptanalysis
- Contact author(s)
-
luciano maino @ bristol ac uk
chloe martindale @ bristol ac uk
lorenz @ yx7 cc
giacomo pope @ nccgroup com
benjamin wesolowski @ math u-bordeaux fr - History
- 2023-05-08: approved
- 2023-05-05: received
- See all versions
- Short URL
- https://ia.cr/2023/640
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/640,
author = {Luciano Maino and Chloe Martindale and Lorenz Panny and Giacomo Pope and Benjamin Wesolowski},
title = {A Direct Key Recovery Attack on {SIDH}},
howpublished = {Cryptology {ePrint} Archive, Paper 2023/640},
year = {2023},
doi = {10.1007/978-3-031-30589-4_16},
url = {https://eprint.iacr.org/2023/640}
}
