### How Not to Create an Isogeny-Based PAKE

Reza Azarderakhsh, David Jao, Brian Koziel, Jason T. LeGrow, Vladimir Soukharev, and Oleg Taraskin

##### Abstract

Isogeny-based key establishment protocols are believed to be resistant to quantum cryptanalysis. Two such protocols---supersingular isogeny Diffie-Hellman (SIDH) and commutative supersingular isogeny Diffie-Hellman (CSIDH)---are of particular interest because of their extremely small public key sizes compared with other post-quantum candidates. Although SIDH and CSIDH allow us to achieve key establishment against passive adversaries and authenticated key establishment (using generic constructions), there has been little progress in the creation of provably-secure isogeny-based password-authenticated key establishment protocols (PAKEs). This is in stark contrast with the classical setting, where the Diffie-Hellman protocol can be tweaked in a number of straightforward ways to construct PAKEs, such as EKE, SPEKE, PAK (and variants), J-PAKE, and Dragonfly. Although SIDH and CSIDH superficially resemble Diffie-Hellman, it is often difficult or impossible to translate'' these Diffie-Hellman-based protocols to the SIDH or CSIDH setting; worse still, even when the construction can be translated,'' the resultant protocol may be insecure, even if the Diffie-Hellman based protocol is secure. In particular, a recent paper of Terada and Yoneyama and ProvSec 2019 purports to instantiate encrypted key exchange (EKE) over SIDH and CSIDH; however, there is a subtle problem which leads to an offline dictionary attack on the protocol, rendering it insecure. In this work we present man-in-the-middle and offline dictionary attacks on isogeny-based PAKEs from the literature, and explain why other classical constructions do not translate'' securely to the isogeny-based setting.

Available format(s)
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
Contact author(s)
razarderakhsh @ fau edu
djao @ math uwaterloo ca
bkoziel2017 @ fau edu
tog postquant @ gmail com
jason legrow @ uwaterloo ca
History
Short URL
https://ia.cr/2020/361

CC BY

BibTeX

@misc{cryptoeprint:2020/361,
author = {Reza Azarderakhsh and David Jao and Brian Koziel and Jason T.  LeGrow and Vladimir Soukharev and Oleg Taraskin},
title = {How Not to Create an Isogeny-Based PAKE},
howpublished = {Cryptology ePrint Archive, Paper 2020/361},
year = {2020},
note = {\url{https://eprint.iacr.org/2020/361}},
url = {https://eprint.iacr.org/2020/361}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.