Paper 2016/859

On the Security of Supersingular Isogeny Cryptosystems

Steven D. Galbraith, Christophe Petit, Barak Shani, and Yan Bo Ti

Abstract

We study cryptosystems based on supersingular isogenies. This is an active area of research in post-quantum cryptography. Our first contribution is to give a very powerful active attack on the supersingular isogeny encryption scheme. This attack can only be prevented by using a (relatively expensive) countermeasure. Our second contribution is to show that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve. This result gives significant insight into the difficulty of the isogeny problem that underlies the security of these schemes. Our third contribution is to give a reduction that uses partial knowledge of shared keys to determine an entire shared key. This can be used to retrieve the secret key, given information leaked from a side-channel attack on the key exchange protocol. A corollary of this work is the first bit security result for the supersingular isogeny key exchange: Computing any component of the $j$-invariant is as hard as computing the whole $j$-invariant. Our paper therefore provides an improved understanding of the security of these cryptosystems. We stress that our work does not imply that these systems are insecure, or that they should not be used. However, it highlights that implementations of these schemes will need to take account of the risks associated with various active and side-channel attacks. This is the full version of the paper: Steven D. Galbraith, Christophe Petit, Barak Shani and Yan Bo Ti, On the Security of Supersingular Isogeny Cryptosystems, in J. H. Cheon and T. Takagi (eds.), Proceedings of ASIACRYPT 2016, Part I, Springer Lecture Notes in Computer Science 10031 (2016) 63--91.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2016
DOI
10.1007/978-3-662-53887-6_3
Keywords
Isogeniessupersingular elliptic curves.
Contact author(s)
s galbraith @ auckland ac nz
History
2017-01-31: last of 4 revisions
2016-09-08: received
See all versions
Short URL
https://ia.cr/2016/859
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/859,
      author = {Steven D.  Galbraith and Christophe Petit and Barak Shani and Yan Bo Ti},
      title = {On the Security of Supersingular Isogeny Cryptosystems},
      howpublished = {Cryptology ePrint Archive, Paper 2016/859},
      year = {2016},
      doi = {10.1007/978-3-662-53887-6_3},
      note = {\url{https://eprint.iacr.org/2016/859}},
      url = {https://eprint.iacr.org/2016/859}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.