Cryptology ePrint Archive: Report 2021/706

Cryptanalysis of an oblivious PRF from supersingular isogenies

Andrea Basso and Péter Kutas and Simon-Philipp Merz and Christophe Petit and Antonio Sanso

Abstract: We cryptanalyse the SIDH-based oblivious pseudorandom function from supersingular isogenies proposed at Asiacrypt'20 by Boneh, Kogan and Woo. To this end, we give an attack on an assumption, the auxiliary one-more assumption, that was introduced by Boneh et al. and we show that this leads to an attack on the oblivious PRF itself. The attack breaks the pseudorandomness as it allows adversaries to evaluate the OPRF without further interactions with the server after some initial OPRF evaluations and some offline computations. More specifically, we first propose a polynomial-time attack. Then, we argue it is easy to change the OPRF protocol to include some countermeasures, and present a second subexponential attack that succeeds in the presence of said countermeasures. Both attacks break the security parameters suggested by Boneh et al. Furthermore, we provide a proof of concept implementation as well as some timings of our attack. Finally, we examine the generation of one of the OPRF parameters and argue that a trusted third party is needed to guarantee provable security.

Category / Keywords: cryptographic protocols / isogeny, isogenies, sidh, oprf, cryptanalysis

Original Publication (in the same form): IACR-ASIACRYPT-2021

Date: received 27 May 2021, last revised 11 Dec 2021

Contact author: a basso at cs bham ac uk, kutasp at gmail com, simon-philipp merz 2018 at live rhul ac uk, christophe f petit at gmail com, antonio sanso at gmail com

Available format(s): PDF | BibTeX Citation

Note: Add results of our proof-of-concept implementation of the attack for the 67 bits instance

Version: 20211211:114928 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]