Paper 2022/1667

Applying Castryck-Decru Attack on the Masked Torsion Point Images SIDH variant

Jesús-Javier Chi-Domínguez, Technology Innovation Institute

This paper illustrates that masking the torsion point images does not guarantee that the Castryck-Decru attack does not apply. Our experiments over SIDH primes hint that any square root concerning the Weil pairing on the masked public key helps to recover Bob's private key via the Castryck-Decru attack.

Note: We summarize below all changes (in chronological order) from the initial version to the most recent version: Changes according to Benjamin Wesolowski, Luca De Feo, and Peter Kutas for their discussion; Clarify that any of the four square roots works to recover the secret isogeny (for SIDH primes); Add a brief description of the Castryck-Decru attack; Extend discussion concerning the reduction to the square roots of the unity subgroup; Include additional code to test new observations over CSIDH-like primes (particular shape of the kernels); Fix a few margins and typos in the Appendices.

Category: Attacks and cryptanalysis
Keywords: Cryptanalysis, Castryck-Decru Attack, Isogeny-based cryptography, Masked-SIDH
Contact author(s): jesus dominguez @ tii ae
History: 2023-01-03: last of 4 revisions; 2022-11-30: received
License: Creative Commons Attribution


@misc{cryptoeprint:2022/1667,
      author = {Jesús-Javier Chi-Domínguez},
      title = {Applying Castryck-Decru Attack on the Masked Torsion Point Images SIDH variant},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1667},
      year = {2022},
      note = {\url{}},
      url = {}
}