Paper 2024/1453

Breaking and Repairing SQIsign2D-East

Wouter Castryck, KU Leuven
Mingjie Chen, KU Leuven
Riccardo Invernizzi, KU Leuven
Gioella Lorenzon, KU Leuven
Frederik Vercauteren, KU Leuven
Abstract

We present a key recovery attack on SQIsign2D-East that reduces its security level from $\lambda$ to $\lambda/2$. We exploit the fact that each signature leaks a Legendre symbol modulo the secret degree of the private key isogeny. About $\lambda/2$ signatures are enough for these Legendre symbols to fully determine the secret degree, which can then be recovered by exhaustive search over a set of size $O(2^{\lambda/2})$. Once the degree is known, the private key isogeny itself can be found, again by exhaustive search, in time $\tilde{O}(2^{\lambda/2})$. We also present a new version of the protocol which does not leak any such information about the private key and show that our modified protocol is more efficient than the original one. Finally, we give a security analysis as well as a new proof of security.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Isogeny-based cryptography, SQIsign2D-East, Legendre symbol, cryptanalysis
Contact author(s)
wouter castryck @ esat kuleuven be
mingjie chen @ esat kuleuven be
riccardo invernizzi @ esat kuleuven be
gioella lorenzon @ esat kuleuven be
frederik vercauteren @ esat kuleuven be
History
2024-09-18: approved
2024-09-17: received
Short URL
https://ia.cr/2024/1453
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1453,
      author = {Wouter Castryck and Mingjie Chen and Riccardo Invernizzi and Gioella Lorenzon and Frederik Vercauteren},
      title = {Breaking and Repairing {SQIsign2D}-East},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1453},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1453}
}