Paper 2022/975

An efficient key recovery attack on SIDH

Wouter Castryck, KU Leuven
Thomas Decru, KU Leuven

We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH). The attack is based on Kani's "reducibility criterion" for isogenies from products of elliptic curves and strongly relies on the torsion point images that Alice and Bob exchange during the protocol. If we assume knowledge of the endomorphism ring of the starting curve then the classical running time is polynomial in the input size (heuristically), apart from the factorization of a small number of integers that only depend on the system parameters. The attack is particularly fast and easy to implement if one of the parties uses 2-isogenies and the starting curve comes equipped with a non-scalar endomorphism of very small degree; this is the case for SIKE, the instantiation of SIDH that recently advanced to the fourth round of NIST's standardization effort for post-quantum cryptography. Our Magma implementation breaks SIKEp434, which aims at security level 1, in about ten minutes on a single core.

Note: Fixed a typo in Section 5.2.

Available format(s)
Public-key cryptography
Publication info
Published by the IACR in EUROCRYPT 2023
SIDHisogeny-based cryptographypost-quantum cryptography
Contact author(s)
wouter castryck @ esat kuleuven be
thomas decru @ esat kuleuven be
2023-05-15: last of 4 revisions
2022-07-30: received
See all versions
Short URL
Creative Commons Attribution


      author = {Wouter Castryck and Thomas Decru},
      title = {An efficient key recovery attack on {SIDH}},
      howpublished = {Cryptology ePrint Archive, Paper 2022/975},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.