You are looking at a specific version 20200603:093518 of this paper.

Paper 2020/633

Weak instances of SIDH variants under improved torsion-point attacks

Péter Kutas and Chloe Martindale and Lorenz Panny and Christophe Petit and Katherine E. Stange

Abstract

SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of computing isogenies between supersingular elliptic curves. However, the exact hardness assumption SIDH relies on is not the pure isogeny problem; attackers are also provided with the action of the secret isogeny restricted to a subgroup of the curve. Petit [21] leverages this information to break variants of SIDH in polynomial time, thus demonstrating that exploiting torsion-point information can lead to an attack in some cases. The contribution of this paper is twofold: First, we revisit and improve the techniques of [21] to span a broader range of parameters. Second, we construct SIDH variants designed to be weak against the resulting attacks; this includes weak choices of starting curve under moderately imbalanced parameters as well as weak choices of base field under balanced parameters. We stress that our results do not reveal any weakness in the NIST submission SIKE [19]. However, they do get closer than previous attacks in several ways and may have an impact on the security of SIDH-based group key exchange [2] and certain instantiations of B-SIDH [7].

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
supersingular, isogeny, cryptanalysis, torsion, SIDH, SIKE
Contact author(s)
chloe martindale @ bristol ac uk
History
2021-07-14: last of 2 revisions
2020-06-03: received
Short URL
https://ia.cr/2020/633
License
Creative Commons Attribution
CC BY