A New Adaptive Attack on SIDH
Tako Boris Fouotsa, Akshay Kumar Rathore +1 more
pp. 322-344
TLDR
In this paper, the torsion point attacks were generalized and a new adaptive attack vector on SIDH-type schemes was introduced, in which access to a key exchange oracle is used to recover the action of the secret isogeny on larger subgroups.

Abstract:
The SIDH key exchange is the main building block of SIKE, the only isogeny based scheme involved in the NIST standardization process. In 2016, Galbraith et al. presented an adaptive attack on SIDH. In this attack, a malicious party manipulates the torsion points in his public key in order to recover an honest party's static secret key, when having access to a key exchange oracle. In 2017, Petit designed a passive attack (which was improved by de Quehen et al. in 2020) that exploits the torsion point information available in an SIDH public key to recover the secret isogeny when the endomorphism ring of the starting curve is known. In this paper, firstly, we generalize the torsion point attacks by de Quehen et al. Secondly, we introduce a new adaptive attack vector on SIDH-type schemes. Our attack uses the access to a key exchange oracle to recover the action of the secret isogeny on larger subgroups. This leads to an unbalanced SIDH instance for which the secret isogeny can be recovered in polynomial time using the generalized torsion point attacks. Our attack is different from the GPST adaptive attack and constitutes a new cryptanalytic tool for isogeny based cryptography. This result proves that the torsion point attacks are relevant to SIDH (Disclaimer: this result is applicable to SIDH-type schemes only, not to SIKE.) parameters in an adaptive attack setting. We suggest attack parameters for some SIDH primes and discuss some countermeasures.
Citations
Book Chapter, DOI
M-SIDH and MD-SIDH: countering SIDH attacks by masking information
Journal Article, DOI
SIDH Proof of Knowledge
TL;DR: In this article, the authors show that the soundness proof for the De Feo-Jao-Plût identification scheme (the basis for supersingular isogeny Diffie-Hellman (SIDH) signatures) contains an invalid assumption, and provide a counterexample for this assumption, thus showing the proof of soundness is invalid.
Journal Article, DOI
Proving knowledge of isogenies - A survey
Journal Article, DOI
A New Isogeny Representation and Applications to Cryptography
TL;DR: In this paper, the suborder representation is proposed to evaluate isogenies and verify membership to the language of isogenous supersingular curves (the set of triples with a cyclic isogeny of degree D between $E_1$ and $E_2$).
Book Chapter, DOI
Key-Recovery by Side-Channel Information on the Matrix-Vector Product in Code-Based Cryptosystems
TL;DR: In this article, a chosen-ciphertext attack on the first step of Niederreiter decryption was presented by solving the matrix-vector product problem with side-channel information.