Paper 2019/890

An Adaptive Attack on 2-SIDH

Samuel Dobson, Steven D. Galbraith, Jason LeGrow, Yan Bo Ti, and Lukas Zobernig


We present a polynomial-time adaptive attack on the 2-SIDH protocol. The 2-SIDH protocol is a special instance of the countermeasure proposed by Azarderakhsh, Jao and Leonardi to perform isogeny-based key exchange with static keys in the presence of an adaptive attack. This countermeasure has also been recently explicitly proposed by Kayacan. Our attack extends the adaptive attack by Galbraith, Petit, Shani and Ti (GPST) to recover a static secret key using malformed points. The extension of GPST is non-trivial and requires learning additional information. In particular, the attack needs to recover intermediate elliptic curves in the isogeny path, and points on them. We also discuss how to extend the attack to k-SIDH when k > 2 and explain that the attack complexity is exponential in k.

Note: Updated paper.

Available format(s)
Public-key cryptography
Publication info
cryptanalysissupersingular isogeny Diffie-Hellman
Contact author(s)
samuel dobson nz @ gmail com
s galbraith @ auckland ac nz
jlegrow @ waterloo ca
yanbo ti @ gmail com
lukas zobernig @ auckland ac nz
2020-09-05: last of 4 revisions
2019-08-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Samuel Dobson and Steven D.  Galbraith and Jason LeGrow and Yan Bo Ti and Lukas Zobernig},
      title = {An Adaptive Attack on 2-SIDH},
      howpublished = {Cryptology ePrint Archive, Paper 2019/890},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.