Paper 2022/654

Torsion point attacks on ``SIDH-like'' cryptosystems

Péter Kutas, Eötvös Loránd University, University of Birmingham
Christophe Petit, University of Birmingham, Université Libre de Bruxelles
Abstract

Isogeny-based cryptography is a promising approach for post-quantum cryptography. The best-known protocol following that approach is the supersingular isogeny Diffie-Hellman protocol (SIDH); this protocol was turned into the CCA-secure key encapsulation mechanism SIKE, which was submitted to and remains in the third round of NIST's post-quantum standardization process as an ``alternate'' candidate. Isogeny-based cryptography generally relies on the conjectured hardness of computing an isogeny between two isogenous elliptic curves, and most cryptanalytic work referenced on SIKE's webpage exclusively focuses on that problem. Interestingly, the hardness of this problem is sufficient for neither SIDH nor SIKE. In particular, these protocols reveal additional information on the secret isogeny, in the form of images of specific torsion points through the isogeny. This paper surveys existing cryptanalysis approaches exploiting this often called ``torsion point information'', summarizes their current impact on SIKE and related algorithms, and suggests some research directions that might lead to further impact.
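
The sentence about "images of specific torsion points through the isogeny" is easiest to see in a running exchange. What follows is an added illustration written for this page, not code from the paper or from the SIKE submission: a toy SIDH instance over F_{p^2} with the constructed prime p = 2^4 * 3^3 - 1 = 431, short Weierstrass curves and Vélu's formulas (Washington, Theorem 12.16) in place of the Montgomery x-only arithmetic real implementations use. All names (`isogeny_chain`, `sidh_exchange`, `phiA_PB`, and so on) are this example's own. Each party publishes its codomain curve together with the images of the other party's torsion basis under its secret isogeny; those image points, not the curve alone, are what the abstract calls torsion point information, and they are exactly what lets the other side finish the key exchange.

```python
"""Toy SIDH over F_{p^2} (added illustration, not the paper's code: Weierstrass curves, Velu's
formulas per Washington Thm 12.16, toy p) showing the "torsion point information" a public key carries."""
import random

P = 431          # p = 2^4*3^3 - 1 = 3 mod 4, so F_{p^2} = F_p(i), i^2 = -1; #E0(F_{p^2}) = (p+1)^2
E2, E3 = 4, 3    # Alice walks 2^4-isogenies, Bob 3^3-isogenies (constructed toy parameters)
# F_{p^2} elements are pairs (a, b) meaning a + b*i
def fint(n): return (n % P, 0)
def fadd(x, y): return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)
def fsub(x, y): return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)
def fmul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % P, (x[0]*y[1] + x[1]*y[0]) % P)
def fdiv(x, y):  # 1/(a+bi) = (a-bi)/(a^2+b^2)
    n = pow(y[0]*y[0] + y[1]*y[1], P - 2, P); return fmul(x, (y[0]*n % P, -y[1]*n % P))
def fsqrt(a):
    """Square root in F_{p^2} for p = 3 mod 4, or None if a is not a square."""
    sp = lambda n: pow(n % P, (P + 1) // 4, P)   # sqrt in F_p, valid when n is a square there
    a0, a1 = a
    if a1 == 0: r = sp(a0); return (r, 0) if r*r % P == a0 else (0, sp(-a0))
    s, inv2 = sp(a0*a0 + a1*a1), (P + 1) // 2     # s^2 = norm(a) whenever a is a square
    for x0sq in ((a0 + s) * inv2 % P, (a0 - s) * inv2 % P):
        x0 = sp(x0sq)                             # solve x0^2 - x1^2 = a0, 2*x0*x1 = a1
        if x0 and x0*x0 % P == x0sq:
            r = (x0, a1 * pow(2*x0, P - 2, P) % P)
            if fmul(r, r) == a: return r
    return None
# Curves y^2 = x^3 + a*x + b are stored as (a, b); points are (x, y), None is O
def on_curve(E, Pt):
    return fmul(Pt[1], Pt[1]) == fadd(fmul(Pt[0], fmul(Pt[0], Pt[0])), fadd(fmul(E[0], Pt[0]), E[1]))
def add(E, Pt, Q):
    if Pt is None or Q is None: return Q if Pt is None else Pt
    if Pt[0] == Q[0]:
        if Pt[1] != Q[1] or Pt[1] == (0, 0): return None      # Q = -Pt
        lam = fdiv(fadd(fmul(fint(3), fmul(Pt[0], Pt[0])), E[0]), fmul(fint(2), Pt[1]))
    else:
        lam = fdiv(fsub(Q[1], Pt[1]), fsub(Q[0], Pt[0]))
    x3 = fsub(fsub(fmul(lam, lam), Pt[0]), Q[0])
    return (x3, fsub(fmul(lam, fsub(Pt[0], x3)), Pt[1]))
def mul(E, k, Pt):
    R = None
    while k:
        if k & 1: R = add(E, R, Pt)
        Pt, k = add(E, Pt, Pt), k >> 1
    return R
def j_inv(E):
    a3 = fmul(fint(4), fmul(E[0], fmul(E[0], E[0])))
    return fdiv(fmul(fint(1728), a3), fadd(a3, fmul(fint(27), fmul(E[1], E[1]))))
def has_order(E, Pt, ell, e):  # exact order ell^e?
    return mul(E, ell**e, Pt) is None and mul(E, ell**(e-1), Pt) is not None
def torsion_basis(E, ell, e):
    """Two generators of E[ell^e]; they are independent iff their ell-torsion parts are."""
    def point():
        while True:
            x = (random.randrange(P), random.randrange(P))
            y = fsqrt(fadd(fmul(x, fmul(x, x)), fadd(fmul(E[0], x), E[1])))
            R = None if y is None else mul(E, (P + 1) // ell**e, (x, y))  # cofactor -> E[ell^e]
            if R is not None and has_order(E, R, ell, e): return R
    Pt = point()
    while True:
        Q = point(); p1, q1 = mul(E, ell**(e-1), Pt), mul(E, ell**(e-1), Q)
        if all(mul(E, k, p1) != q1 for k in range(1, ell)): return Pt, Q
def velu(E, T, ell, points):
    """Degree-ell isogeny E -> E/<T>, T of prime order ell, and the images of `points` (none in <T>)."""
    (a, b), v, w, terms = E, (0, 0), (0, 0), []
    for Q in (mul(E, k, T) for k in range(1, ell // 2 + 1)):   # one of each +-Q pair
        gx, gy = fadd(fmul(fint(3), fmul(Q[0], Q[0])), a), fmul(fint(-2), Q[1])
        vq, uq = (gx if ell == 2 else fmul(fint(2), gx)), fmul(gy, gy)
        v, w = fadd(v, vq), fadd(w, fadd(uq, fmul(Q[0], vq)))
        terms.append((Q[0], vq, uq))
    E_new, images = (fsub(a, fmul(fint(5), v)), fsub(b, fmul(fint(7), w))), []
    for x, y in points:                # X = x + sum(vq/d + uq/d^2), Y = y * dX/dx, d = x - x_Q
        X, dX = x, fint(1)
        for xq, vq, uq in terms:
            d = fsub(x, xq); d2 = fmul(d, d)
            X = fadd(X, fadd(fdiv(vq, d), fdiv(uq, d2)))
            dX = fsub(dX, fadd(fdiv(vq, d2), fdiv(fmul(fint(2), uq), fmul(d2, d))))
        images.append((X, fmul(y, dX)))
    return E_new, images
def isogeny_chain(E, K, ell, e, points):
    """ell^e-isogeny with kernel <K> as e Velu steps; `points` are pushed through."""
    for i in reversed(range(e)):
        T = mul(E, ell**i, K)                                  # order-ell kernel of this step
        E, imgs = velu(E, T, ell, ([K] if i else []) + points)
        K, points = (imgs[0], imgs[1:]) if i else (None, imgs)
    return E, points
def sidh_exchange(seed=2022):
    random.seed(seed)
    E0 = (fint(1), fint(0))                                    # y^2 = x^3 + x, supersingular
    (PA, QA), (PB, QB) = torsion_basis(E0, 2, E2), torsion_basis(E0, 3, E3)
    skA, skB = random.randrange(2**E2), random.randrange(3**E3)
    # Alice publishes E_A = E0/<PA + [skA]QA> *and* phi_A(PB), phi_A(QB); Bob likewise.
    EA, (phiA_PB, phiA_QB) = isogeny_chain(E0, add(E0, PA, mul(E0, skA, QA)), 2, E2, [PB, QB])
    EB, (phiB_PA, phiB_QA) = isogeny_chain(E0, add(E0, PB, mul(E0, skB, QB)), 3, E3, [PA, QA])
    # Each side re-applies its own secret to the other side's published torsion images.
    EAB, _ = isogeny_chain(EB, add(EB, phiB_PA, mul(EB, skA, phiB_QA)), 2, E2, [])
    EBA, _ = isogeny_chain(EA, add(EA, phiA_PB, mul(EA, skB, phiA_QB)), 3, E3, [])
    return {"EA": EA, "phiA_PB": phiA_PB, "phiA_QB": phiA_QB, "EB": EB,
            "phiB_PA": phiB_PA, "phiB_QA": phiB_QA, "jA": j_inv(EAB), "jB": j_inv(EBA)}
```

`sidh_exchange()` returns both public keys and the two derived j-invariants, which agree on a correct run. The instance says nothing about hardness: with p = 431 each secret is a scalar below 16 or 27 and the whole walk can be brute-forced; the point is only what the exchanged messages contain. Note what a recipient can check on the published points without any secret: they lie on the published curve (`on_curve`) and have full order 3^3 (for Alice's key) or 2^4 (for Bob's) on it (`has_order`). Those are the same inputs a torsion point attack consumes, which is why the hardness of the plain isogeny problem alone does not settle the security of SIDH or SIKE.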

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. IET Information Security
Keywords
isogenies cryptanalysis post-quantum cryptography
Contact author(s)
p kutas @ bham ac uk
christophe f petit @ gmail com
History
2022-06-01: revised
2022-05-27: received
Short URL
https://ia.cr/2022/654
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/654,
      author = {Péter Kutas and Christophe Petit},
      title = {Torsion point attacks on ``{SIDH}-like'' cryptosystems},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/654},
      year = {2022},
      url = {https://eprint.iacr.org/2022/654}
}