Paper 2021/1023

SIDH Proof of Knowledge

Luca De Feo, IBM Research Europe
Samuel Dobson, University of Auckland
Steven D. Galbraith, University of Auckland
Lukas Zobernig, University of Auckland
Abstract

We show that the soundness proof for the De Feo-Jao-Plut identification scheme (the basis for supersingular isogeny Diffie--Hellman (SIDH) signatures) contains an invalid assumption, and we provide a counterexample for this assumption---thus showing the proof of soundness is invalid. As this proof was repeated in a number of works by various authors, multiple pieces of literature are affected by this result. Due to the importance of being able to prove knowledge of an SIDH key (for example, to prevent adaptive attacks), soundness is a vital property. Surprisingly, the problem of proving knowledge of a specific isogeny turns out to be considerably more difficult than was perhaps anticipated. The main results of this paper are a sigma protocol to prove knowledge of a walk of specified length in a supersingular isogeny graph, and a second one to additionally prove that the isogeny maps some torsion points to some other torsion points (as seen in SIDH public keys). Our scheme also avoids the SIDH identification scheme soundness issue raised by Ghantous, Pintore and Veroni. In particular, our protocol provides a non-interactive way of verifying correctness of SIDH public keys, and related statements, as protection against adaptive attacks. Post-scriptum: Some months after this work was completed and made public, the SIDH assumption was broken in a series of papers by several authors. Hence, in the standard SIDH setting, some of the statements studied here now have trivial polynomial time non-interactive proofs. Nevertheless our first sigma protocol is unaffected by the attacks, and our second protocol may still be useful in present and future variants of SIDH that escape the attacks.

Note: This update corrects a mistake in the published version. See Section 1.3 for a summary of changes to the paper.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2022
Keywords
Post-quantum cryptographyDiffie-Hellman key exchangesupersingular elliptic curvesisogeniesSIDHproof of knowledgepublic key verification
Contact author(s)
asiacrypt22 @ defeo lu
samuel dobson nz @ gmail com
s galbraith @ auckland ac nz
lukas zobernig @ gmail com
History
2023-05-11: last of 7 revisions
2021-08-06: received
See all versions
Short URL
https://ia.cr/2021/1023
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2021/1023,
      author = {Luca De Feo and Samuel Dobson and Steven D.  Galbraith and Lukas Zobernig},
      title = {SIDH Proof of Knowledge},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1023},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/1023}},
      url = {https://eprint.iacr.org/2021/1023}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.