M-SIDH and MD-SIDH: Countering SIDH Attacks by Masking Information

Abstract

The SIDH protocol is an isogeny-based key exchange protocol using supersingular isogenies, designed by Jao and De Feo in 2011. The protocol underlies the SIKE algorithm which advanced to the fourth round of NIST’s post-quantum standardization project in May 2022. The algorithm was considered very promising: indeed the most significant attacks against SIDH were meet-in-the-middle variants with exponential complexity, and torsion point attacks which only applied to unbalanced parameters (and in particular, not to SIKE).

This security picture dramatically changed in August 2022 with new attacks by Castryck-Decru, Maino-Martindale and Robert. Like prior attacks on unbalanced versions, these new attacks exploit torsion point information provided in the SIDH protocol. Crucially however, the new attacks embed the isogeny problem into a similar isogeny problem in a higher dimension to also affect the balanced parameters. As a result of these works, the SIKE algorithm is now fully broken both in theory and in practice.

Given the considerable interest attracted by SIKE and related protocols in recent years, it is natural to seek countermeasures to the new attacks. In this paper, we introduce two such countermeasures based on partially hiding the isogeny degrees and torsion point information in the SIDH protocol. We present a preliminary analysis of the resulting schemes including non-trivial generalizations of prior attacks. Based on this analysis we suggest parameters for our M-SIDH variant with public key sizes of 4434, 7037 and 9750 bytes respectively for NIST security levels 1, 3, 5.

Appendices

A On the claims of ePrint 2022/1667

The ePrint 2022/1667 vaguely claims attacks on M-SIDH. Reading through it, it clearly does not contain any attack against M-SIDH; it is easy to see that the “experimental evidence” provided there only applies to SIDH parameters and does not generalize to the parameters we recommend.

This ePrint paper runs the Castryck-Decru attack on Masked SIDH instantiated with SIDH primes, that is \(A = 2^a\) and \(B = 3^b\). Note that using SIDH primes in Masked SIDH is totally insecure at the first place. Nevertheless, when the \(2^a\) torsion points are masked, intuitively, one expects the Castryck-Decru attack to succeed \(50\%\) of the time. In fact, there are 4 roots of unity modulo \(2^a\), these are 1, \(-1\), \(2^{a-1} - 1\) and \(2^{a-1} + 1\). As precised earlier in Sect. 3.3, the attack succeeds when \(\beta = 1, -1\), hence one expects the Castryck-Decru attack to succeed when the masking scalar \( \beta \) is 1 or \(-1\), and fail when \( \beta \) is \(2^{a-1} - 1\) or \(2^{a-1} + 1\). The ePrint 2022/1667 ran the attack and noticed that the attack always succeeds, then claimed that this would be the case even when the correct parameters are used. We have already explained why we do not expect the attack to work on Masked degree instantiated with the correct parameters (see Sect. 3.3). Now, why does the Castryck-Decru attack works \(100\%\) of the time (instead of \(50\%\)) when instantiated with SIDH parameters? Well, it turns out it is because the Castryck-Decru attack does not fully use the torsion points provided in the public key, but scales them by a small power of 2 first. This is because the implementation of the attack needs \(a'\) and \(b'\) such that \(c = 2^{a'}-3^{b'}\) is smooth and its prime factors are congruent to 1 mod 4 (this is required for the attack to be efficient, see [7]). This implies that the order of the torsion points actually used in the attack divides \(2^{a-1}\). Therefore, the masking scalar \(\beta \) which lies in \(\{ 1, -1, 2^{a-1} - 1, 2^{a-1} + 1 \}\) becomes \(\beta \mod 2^{a-1} = 1, -1 \pmod {2^{a-1}}\). This justifies why the Castryck-Decru attack always succeeds when SIDH primes are used.

The attack clearly does not succeed when the torsion point images having order \(2^{a'}\) are masked with a scalar which is neither 1 nor \(-1\) modulo \(2^{a'}\). This can be verified using the sage implementation of the attack provided in [30]. One goes to the line where the torsion point images of order \(2^{a'}\) are computed (for example, in line 57 of the file \(castryck\_decru\_shortcut.sage\) in https://github.com/jack4818/Castryck-Decru-SageMath), and replaces the torsion points \(2^{alp}*P_B \) and \(2^{alp}*Q_B\) by \((2^{a_i-1}-1)*2^{alp}*P_B\) and \( (2^{a_i-1}-1)*2^{alp}*Q_B\) respectively.

Note. The non-applicability of the attacks claimed in the ePrint 2022/1667 to M-SIDH was also pointed out on Twitter by Luca De Feo, Steven Galbraith, Péter Kutas, Benjamin Wesolowski and other isogenists, and we thank them for that.

B Using B-SIDH primes in M-SIDH

B-SIDH is one variant of SIDH proposed by Costello [12]. The main characteristic of B-SIDH is the use of quadratic twists. This allows us to use the torsion points in \(E[p-1]\) and \(E[p+1]\) without extending the base field, while in the original SIDH, points which we can use must be in \(E[p+1]\). Thus, the size of the prime for B-SIDH is at most half that for SIDH.

If we can adapt this technique to our scheme, then the size of the prime may be at most halved. Since the MD-SIDH primes are larger than twice the M-SIDH primes, we only consider the case of M-SIDH.

In the setting of SIDH, the size of A needs to be large enough for its security; however, in the setting of M-SIDH, the number of primes dividing A needs to large enough. Therefore, the restriction of smoothness is harder in M-SIDH than in SIDH.

To use the B-SIDH method for M-SIDH, we need to find a prime p satisfying the following property:

$$\begin{aligned} p+1&= \ell _1 \cdots \ell _t \cdot f, \\ p-1&=q_1 \cdots q_t \cdot f', \end{aligned}$$

where \(t\ge 2\lambda \), and \(\ell _1,\ldots ,\ell _t\) and \(q_1,\ldots ,q_t\) are distinct primes, respectively.

The basic approach to find the B-SIDH prime is to construct an integer m such that both m and \(m+1\) are smooth. If \(2m+1\) is prime, we set \(p=2m+1\). In [12] and [13], some methods to find such m’s are proposed. The current most useful method is the method proposed in [13]. The main idea of this method is to use already known solutions of the Prouhet-Tarry-Escott (PTE) problem, which provide pairs of integer coefficient polynomials \(a(x)=(x-a_1)\cdots (x-a_s)\) and \(b(x)=(x-b_1)\cdots (x-b_s)\) whose difference is a constant value c. If we find an integer \(\ell \) such that all \(\ell -a_i\)’s and \(\ell -b_i\)’s are smooth, and \(a(\ell )/c\) and \(b(\ell )/c\) are integers, then \(b(\ell )/c\) can be taken as m.

The main issue with this approach is that such \(\ell \)’s have a very small probability to exist. For a polynomial \(a\in \mathbb {Z}[x]\), define

$$ \varPsi _a(N,M)=\# \{1\le m\le N \mid a(m)\text { is }M\text {-smooth}\}. $$

Then, heuristically it holds that \(\varPsi _a(N,N^{1/u})/N\sim \rho (d_1u)\cdots \rho (d_ku)\) as \(N\rightarrow \infty \), where \(d_1,\ldots ,d_k\) are degrees of distinct irreducible factors of a, and \(\rho \) is the Dickman–de Bruijn function.

Since \(t\ge 2\lambda \), both m and \(m+1\) are divided by at least \(2\lambda \) distinct primes. Then, we heuristically assume that the target value m is \(m^{1/\lambda }\)-smooth. Since \(\ell \approx m^{1/s}\), the probability of target \(\ell \)’s is

$$ \frac{\varPsi _a(m^{1/s},m^{1/\lambda })}{m^{1/s}}\sim \rho (\lambda /s)^s. $$

Note that s is less than or equal to 12 for an already known solution of the PTE problem. With \(\lambda =128\), we have \(\rho (\lambda /s)^s<2^{-463}\); with \(\lambda =192\), we have \(\rho (\lambda /s)^s<2^{-835}\); and with \(\lambda =256\), we have \(\rho (\lambda /s)^s<2^{-1246}\).