Abstract
We present an attack on SIDH utilising isogenies between polarized products of two supersingular elliptic curves. In the case of an arbitrary starting curve, our attack (discovered independently from [8]) has subexponential complexity, thus significantly reducing the security of SIDH and SIKE. When the endomorphism ring of the starting curve is known, our attack (here derived from [8]) has polynomial-time complexity assuming the generalised Riemann hypothesis. Our attack applies to any isogeny-based cryptosystem that publishes the images of points under the secret isogeny, for example Séta [13] and B-SIDH [11]. It does not apply to CSIDH [9], CSI-FiSh [3], or SQISign [14].
Original language | English |
---|---|
Title of host publication | Advances in Cryptology – EUROCRYPT 2023 - 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings |
Subtitle of host publication | Advances in Cryptology |
Editors | Carmit Hazay, Martijn Stam |
Publisher | Springer, Cham |
Pages | 448-471 |
Number of pages | 24 |
ISBN (Electronic) | 9783031305894 |
ISBN (Print) | 9783031305887 |
Publication status | Published - 16 Apr 2023 |
Event | Eurocrypt 2023, Lyon, France. Duration: 23 Apr 2023 → 27 Apr 2023. https://eurocrypt.iacr.org/2023/ |
Publication series
Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 14008 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | Eurocrypt 2023 |
---|---|
Country/Territory | France |
City | Lyon |
Period | 23/04/23 → 27/04/23 |
Bibliographical note
Publisher Copyright: © 2023, International Association for Cryptologic Research.