Abstract
The SIDH protocol is an isogeny-based key exchange protocol using supersingular isogenies, designed by Jao and De Feo in 2011. The protocol underlies the SIKE algorithm which advanced to the fourth round of NIST’s post-quantum standardization project in May 2022. The algorithm was considered very promising: indeed the most significant attacks against SIDH were meet-in-the-middle variants with exponential complexity, and torsion point attacks which only applied to unbalanced parameters (and in particular, not to SIKE).
This security picture dramatically changed in August 2022 with new attacks by Castryck-Decru, Maino-Martindale and Robert. Like prior attacks on unbalanced versions, these new attacks exploit torsion point information provided in the SIDH protocol. Crucially however, the new attacks embed the isogeny problem into a similar isogeny problem in a higher dimension to also affect the balanced parameters. As a result of these works, the SIKE algorithm is now fully broken both in theory and in practice.
Given the considerable interest attracted by SIKE and related protocols in recent years, it is natural to seek countermeasures to the new attacks. In this paper, we introduce two such countermeasures based on partially hiding the isogeny degrees and torsion point information in the SIDH protocol. We present a preliminary analysis of the resulting schemes including non-trivial generalizations of prior attacks. Based on this analysis we suggest parameters for our M-SIDH variant with public key sizes of 4434, 7037 and 9750 bytes respectively for NIST security levels 1, 3, 5.
Notes
- 1.
- 2. Torsion point information was previously used in active attacks against SIDH [20] and prompted the inclusion of a CCA transform (a variant of the Fujisaki-Okamoto transform) within SIKE.
- 3.
- 4. Note that we use the same notation \(t = t(\lambda )\) for M-SIDH and MD-SIDH. It will always be clear from the context whether we are referring to M-SIDH or MD-SIDH.
- 5. The integers \(\alpha \) (for Alice) and \(\beta \) (for Bob) can be deleted immediately after key generation.
- 6. The case where \(\ell _i = 2\) in general does not fit our definition of \(\chi \), since there are more than two square roots of 1 modulo \(2^r\) for \(r>2\). Nevertheless, if the power of 2 dividing A or B is at least 4, then the security of the scheme is not affected.
References
[1] Basso, A., et al.: Supersingular curves you can trust. Cryptology ePrint Archive, Report 2022/1469 (2022). https://eprint.iacr.org/2022/1469
[2] Basso, A., Kutas, P., Merz, S.-P., Petit, C., Sanso, A.: Cryptanalysis of an oblivious PRF from supersingular isogenies. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 160–184. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_6
[3] Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9
[4] Booher, J., et al.: Failing to hash into supersingular isogeny graphs. Cryptology ePrint Archive, Report 2022/518 (2022). https://eprint.iacr.org/2022/518
[5] Bottinelli, P., de Quehen, V., Leonardi, C., Mosunov, A., Pawlega, F., Sheth, M.: The dark SIDH of isogenies. Cryptology ePrint Archive, Report 2019/1333 (2019). https://eprint.iacr.org/2019/1333
[6] Bröker, R.: Constructing supersingular elliptic curves. J. Comb. Numb. Theory 1(3), 269–273 (2009)
[7] Castryck, W., Decru, T.: An efficient key recovery attack on SIDH (preliminary version). Cryptology ePrint Archive, Report 2022/975 (2022). https://eprint.iacr.org/2022/975
[8] Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
[9] Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2007). https://doi.org/10.1007/s00145-007-9002-x
[10] Colò, L., Kohel, D.: Orienting supersingular isogeny graphs. Cryptology ePrint Archive, Report 2020/985 (2020). https://eprint.iacr.org/2020/985
[11] Cooper, C.: On the rank of random matrices. Rand. Struct. Algor. 16(2), 209–232 (2000). https://doi.org/10.1002/(SICI)1098-2418(200003)16:2<209::AID-RSA6>3.0.CO;2-1
[12] Costello, C.: B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 440–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_15
[13] Costello, C., Meyer, M., Naehrig, M.: Sieving for twin smooth integers with solutions to the Prouhet-Tarry-Escott problem. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 272–301. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_10
[14] Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). https://eprint.iacr.org/2006/291
[15] De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26
[16] De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015
[17] De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3
[18] Fouotsa, T.B.: SIDH with masked torsion point images. Cryptology ePrint Archive, Report 2022/1054 (2022). https://eprint.iacr.org/2022/1054
[19] Fouotsa, T.B., Petit, C.: A new adaptive attack on SIDH. In: Galbraith, S.D. (ed.) CT-RSA 2022. LNCS, vol. 13161, pp. 322–344. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-95312-6_14
[20] Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3
[21] Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. J. Cryptol. 33(1), 130–175 (2019). https://doi.org/10.1007/s00145-019-09316-0
[22] Grover, L.K.: A fast quantum mechanical algorithm for database search. In: 28th Annual ACM Symposium on Theory of Computing, pp. 212–219. ACM Press, Philadelphia (1996). https://doi.org/10.1145/237814.237866
[23] Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions
[24] Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
[25] Kovalenko, I., Levitskaya, A., Savchuk, M.: Selected Problems in Probabilistic Combinatorics. Naukova Dumka, Kiev (1986)
[26] Maino, L., Martindale, C.: An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive, Report 2022/1026 (2022). https://eprint.iacr.org/2022/1026
[27] Moriya, T.: Masked-degree SIDH. Cryptology ePrint Archive, Report 2022/1019 (2022). https://eprint.iacr.org/2022/1019
[28] Mula, M., Murru, N., Pintore, F.: Random sampling of supersingular elliptic curves. Cryptology ePrint Archive, Report 2022/528 (2022). https://eprint.iacr.org/2022/528
[29] National Institute of Standards and Technology: Post-quantum cryptography standardization (2016). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization
[30] Oudompheng, R., Pope, G.: A note on reimplementing the Castryck-Decru attack and lessons learned for SageMath. Cryptology ePrint Archive, Report 2022/1283 (2022). https://eprint.iacr.org/2022/1283
[31] Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_12
[32] de Quehen, V., et al.: Improved torsion-point attacks on SIDH variants. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 432–470. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_15
[33] Robert, D.: Breaking SIDH in polynomial time. Cryptology ePrint Archive, Report 2022/1038 (2022). https://eprint.iacr.org/2022/1038
[34] Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006). https://eprint.iacr.org/2006/145
[35] Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE Computer Society Press, Santa Fe (1994). https://doi.org/10.1109/SFCS.1994.365700
[36] van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999). https://doi.org/10.1007/PL00003816
Acknowledgements
We thank Castryck and Onuki for their valuable feedback on a preliminary version of the results in this paper, as well as the participants at ANTS 2022 who also gave us feedback. The first author thanks Andrea Basso and Luca De Feo for several discussions regarding this work. We thank the anonymous reviewers for their valuable feedback. This research was in part conducted under a contract of “Research and development on new generation cryptography for secure wireless communication services” among “Research and Development for Expansion of Radio Wave Resources (JPJ000254)”, which was supported by the Ministry of Internal Affairs and Communications, Japan. Christophe Petit’s work is in part supported by an EPSRC fellowship grant (EP/V011324/1).
Appendices
A On the claims of ePrint 2022/1667
ePrint 2022/1667 vaguely claims attacks on M-SIDH. Reading through it, it clearly does not contain any attack against M-SIDH; it is easy to see that the “experimental evidence” provided there only applies to SIDH parameters and does not generalize to the parameters we recommend.
That ePrint paper runs the Castryck-Decru attack on Masked SIDH instantiated with SIDH primes, that is \(A = 2^a\) and \(B = 3^b\). Note that using SIDH primes in Masked SIDH is totally insecure in the first place. Nevertheless, when the \(2^a\)-torsion points are masked, one intuitively expects the Castryck-Decru attack to succeed \(50\%\) of the time. Indeed, there are 4 square roots of 1 modulo \(2^a\), namely 1, \(-1\), \(2^{a-1} - 1\) and \(2^{a-1} + 1\). As explained earlier in Sect. 3.3, the attack succeeds when \(\beta = \pm 1\); hence one expects the Castryck-Decru attack to succeed when the masking scalar \(\beta \) is 1 or \(-1\), and to fail when \(\beta \) is \(2^{a-1} - 1\) or \(2^{a-1} + 1\). ePrint 2022/1667 ran the attack, noticed that it always succeeds, and then claimed that this would also be the case when the correct parameters are used. We have already explained why we do not expect the attack to work on Masked SIDH instantiated with the correct parameters (see Sect. 3.3). Now, why does the Castryck-Decru attack work \(100\%\) of the time (instead of \(50\%\)) when instantiated with SIDH parameters? It turns out that this is because the Castryck-Decru attack does not use the torsion points provided in the public key at their full order, but first scales them by a small power of 2. The reason is that the implementation of the attack needs \(a'\) and \(b'\) such that \(c = 2^{a'}-3^{b'}\) is smooth and its prime factors are congruent to 1 mod 4 (this is required for the attack to be efficient, see [7]). This implies that the order of the torsion points actually used in the attack divides \(2^{a-1}\). Therefore the masking scalar \(\beta \), which lies in \(\{ 1, -1, 2^{a-1} - 1, 2^{a-1} + 1 \}\), reduces to \(\beta \equiv \pm 1 \pmod {2^{a-1}}\). This explains why the Castryck-Decru attack always succeeds when SIDH primes are used.
The attack clearly does not succeed when the torsion point images of order \(2^{a'}\) are masked with a scalar which is neither 1 nor \(-1\) modulo \(2^{a'}\). This can be verified using the Sage implementation of the attack provided in [30]: go to the line where the torsion point images of order \(2^{a'}\) are computed (for example, line 57 of the file castryck_decru_shortcut.sage in https://github.com/jack4818/Castryck-Decru-SageMath), and replace the torsion points \(2^{alp}*P_B \) and \(2^{alp}*Q_B\) by \((2^{a_i-1}-1)*2^{alp}*P_B\) and \( (2^{a_i-1}-1)*2^{alp}*Q_B\) respectively.
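To make the counting argument above concrete, the following Python is an added illustration (not code from the paper, nor from the attack implementation in [30]): it enumerates the square roots of 1 modulo \(2^a\), models the success condition of Sect. 3.3 as a predicate (the attack succeeds exactly when \(\beta \equiv \pm 1\) modulo the order of the torsion points it actually uses), and compares the success rate with full-order points against points first scaled by 2.

```python
# Added illustration (not the paper's code): the four square roots of 1 modulo
# 2^a are the possible masking scalars for 2^a-torsion; scaling the masked
# points by 2 (order 2^(a-1)) makes every one of them look like +-1.

def square_roots_of_one(modulus):
    """All x in [0, modulus) with x^2 = 1 (mod modulus), by brute force."""
    return sorted(x for x in range(modulus) if (x * x) % modulus == 1)

def masks_mod_power_of_two(a):
    """Masking scalars beta for 2^a-torsion, i.e. the square roots of 1 mod 2^a.

    For a >= 3 these are 1, -1, 2^(a-1)-1 and 2^(a-1)+1: more than two, which is
    why note 6 says the ell_i = 2 case does not fit the definition of chi."""
    return square_roots_of_one(2 ** a)

def attack_recovers(beta, order):
    """Model of the statement in Sect. 3.3 / Appendix A, not the attack itself:
    the Castryck-Decru attack succeeds exactly when the mask is +-1 modulo the
    order of the torsion points it actually uses."""
    return beta % order in (1, order - 1)

def success_rates(a):
    """Fraction of masks recovered when the attack uses points of full order
    2^a, versus points first scaled by 2 (order 2^(a-1)), as the
    implementation of [7] does because of its choice of a' and b'."""
    masks = masks_mod_power_of_two(a)
    full = sum(attack_recovers(b, 2 ** a) for b in masks) / len(masks)
    scaled = sum(attack_recovers(b, 2 ** (a - 1)) for b in masks) / len(masks)
    return full, scaled

if __name__ == "__main__":
    a = 10
    print("masks mod 2^%d:" % a, masks_mod_power_of_two(a))       # [1, 511, 513, 1023]
    print("success rate (full order, scaled by 2):", success_rates(a))  # (0.5, 1.0)
```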
Note. The non-applicability of the attacks claimed in the ePrint 2022/1667 to M-SIDH was also pointed out on Twitter by Luca De Feo, Steven Galbraith, Péter Kutas, Benjamin Wesolowski and other isogenists, and we thank them for that.
B Using B-SIDH primes in M-SIDH
B-SIDH is a variant of SIDH proposed by Costello [12]. The main characteristic of B-SIDH is the use of quadratic twists. This allows us to use the torsion points in \(E[p-1]\) and \(E[p+1]\) without extending the base field, while in the original SIDH the points we can use must lie in \(E[p+1]\). Thus, the size of the prime for B-SIDH is at most half that for SIDH.
If we can adapt this technique to our scheme, then the size of the prime may be at most halved. Since the MD-SIDH primes are larger than twice the M-SIDH primes, we only consider the case of M-SIDH.
In the setting of SIDH, the size of A needs to be large enough for its security; however, in the setting of M-SIDH, the number of primes dividing A needs to be large enough. Therefore, the smoothness restriction is harder to satisfy in M-SIDH than in SIDH.
To use the B-SIDH method for M-SIDH, we need to find a prime p satisfying the following property:
where \(t\ge 2\lambda \), and \(\ell _1,\ldots ,\ell _t\) and \(q_1,\ldots ,q_t\) are distinct primes, respectively.
The basic approach to finding a B-SIDH prime is to construct an integer m such that both m and \(m+1\) are smooth. If \(2m+1\) is prime, we set \(p=2m+1\). In [12] and [13], some methods to find such m’s are proposed. The currently most useful method is the one proposed in [13]. The main idea of this method is to use already known solutions of the Prouhet-Tarry-Escott (PTE) problem, which provide pairs of integer-coefficient polynomials \(a(x)=(x-a_1)\cdots (x-a_s)\) and \(b(x)=(x-b_1)\cdots (x-b_s)\) whose difference is a constant c. If we find an integer \(\ell \) such that all \(\ell -a_i\)’s and \(\ell -b_i\)’s are smooth, and \(a(\ell )/c\) and \(b(\ell )/c\) are integers, then \(b(\ell )/c\) can be taken as m.
The main issue with this approach is that such \(\ell \)’s have a very small probability to exist. For a polynomial \(a\in \mathbb {Z}[x]\), define
Then, heuristically it holds that \(\varPsi _a(N,N^{1/u})/N\sim \rho (d_1u)\cdots \rho (d_ku)\) as \(N\rightarrow \infty \), where \(d_1,\ldots ,d_k\) are degrees of distinct irreducible factors of a, and \(\rho \) is the Dickman–de Bruijn function.
Since \(t\ge 2\lambda \), both m and \(m+1\) are divisible by at least \(2\lambda \) distinct primes. Then, we heuristically assume that the target value m is \(m^{1/\lambda }\)-smooth. Since \(\ell \approx m^{1/s}\), the probability of target \(\ell \)’s is
Note that s is at most 12 for the known solutions of the PTE problem. With \(\lambda =128\), we have \(\rho (\lambda /s)^s<2^{-463}\); with \(\lambda =192\), we have \(\rho (\lambda /s)^s<2^{-835}\); and with \(\lambda =256\), we have \(\rho (\lambda /s)^s<2^{-1246}\).
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Fouotsa, T.B., Moriya, T., Petit, C. (2023). M-SIDH and MD-SIDH: Countering SIDH Attacks by Masking Information. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14008. Springer, Cham. https://doi.org/10.1007/978-3-031-30589-4_10
DOI: https://doi.org/10.1007/978-3-031-30589-4_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30588-7
Online ISBN: 978-3-031-30589-4