A Direct Key Recovery Attack on SIDH

Luciano Maino, Chloe Martindale, Lorenz Panny, Giacomo Pope, Benjamin Wesolowski

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

31 Scopus citations

Abstract

We present an attack on SIDH utilising isogenies between polarized products of two supersingular elliptic curves. In the case of arbitrary starting curve, our attack (discovered independently from [8]) has subexponential complexity, thus significantly reducing the security of SIDH and SIKE. When the endomorphism ring of the starting curve is known, our attack (here derived from [8]) has polynomial-time complexity assuming the generalised Riemann hypothesis. Our attack applies to any isogeny-based cryptosystem that publishes the images of points under the secret isogeny, for example Séta [13] and B-SIDH [11]. It does not apply to CSIDH [9], CSI-FiSh [3], or SQISign [14].

Original language: English
Title of host publication: Advances in Cryptology – EUROCRYPT 2023 - 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
Editors: Carmit Hazay, Martijn Stam
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 448-471
Number of pages: 24
ISBN (Print): 9783031305887
State: Published - 2023
Externally published: Yes
Event: 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2023 - Lyon, France
Duration: 23 Apr 2023 to 27 Apr 2023

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 14008 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2023
Country/Territory: France
City: Lyon
Period: 23/04/23 to 27/04/23

Keywords

  • Cryptanalysis
  • Elliptic curve
  • Isogeny
  • SIDH
