Paper 2024/345
An Efficient Adaptive Attack Against FESTA
Abstract
At EUROCRYPT'23, Castryck and Decru, Maino et al., and Robert presented efficient attacks against the supersingular isogeny Diffie-Hellman (SIDH) key exchange protocol. Drawing inspiration from these attacks, Andrea Basso, Luciano Maino, and Giacomo Pope introduced FESTA, an isogeny-based trapdoor function, together with a corresponding IND-CCA secure public key encryption (PKE) protocol at ASIACRYPT'23. FESTA incorporates either a diagonal or a circulant matrix into the secret key to mask torsion points. In this paper, we employ a side-channel attack to construct an auxiliary verification oracle. By querying this oracle, we propose an adaptive attack strategy that recovers the secret key in FESTA when the secret matrix is circulant. Compared with existing attacks, our strategy is more efficient and more formal. Building on these findings, we implement our attack algorithms to recover the circulant matrix in the secret key. Finally, we show that if the secret matrix is circulant, the adversary can recover FESTA's secret key with a polynomial number of queries to the decryption machine. Consequently, our paper shows that the FESTA PKE protocol with a secret circulant matrix does not achieve IND-CCA security.
Metadata
- Category: Attacks and cryptanalysis
- Publication info: Published elsewhere. Preprint
- Keywords: Isogeny-based cryptography, Cryptanalysis, FESTA, Adaptive attack, Side-channel attack
- Contact author(s): zgqsms @ pku edu cn
- History: 2024-02-27: received; 2024-02-27: approved
- Short URL: https://ia.cr/2024/345
- License: CC BY
BibTeX
@misc{cryptoeprint:2024/345,
  author = {Guoqing Zhou and Maozhi Xu},
  title = {An Efficient Adaptive Attack Against {FESTA}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/345},
  year = {2024},
  url = {https://eprint.iacr.org/2024/345}
}