Paper 2022/1026

An attack on SIDH with arbitrary starting curve

Luciano Maino, University of Bristol
Chloe Martindale, University of Bristol
Abstract

We present an attack on SIDH which does not require any endomorphism information on the starting curve. Our attack has subexponential complexity, thus significantly reducing the security of SIDH and SIKE; our analysis and preliminary implementation suggest that our algorithm will be feasible for the Microsoft challenge parameters $p = 2^{110}3^{67}-1$ on a regular computer. Our attack applies to any isogeny-based cryptosystem that publishes the images of points under the secret isogeny, for example Seta and B-SIDH. It does not apply to CSIDH, CSI-FiSh, or SQISign.

Note: An implementation will soon be made available.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
SIDH SIKE Elliptic product Supersingular Elliptic Curve Torsion Attack
Contact author(s)
luciano maino @ bristol ac uk
chloe martindale @ bristol ac uk
History
2022-08-25: revised
2022-08-08: received
Short URL
https://ia.cr/2022/1026
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1026,
      author = {Luciano Maino and Chloe Martindale},
      title = {An attack on SIDH with arbitrary starting curve},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1026},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1026}},
      url = {https://eprint.iacr.org/2022/1026}
}