SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of finding isogenies between supersingular elliptic curves. However, SIDH and related cryptosystems also reveal additional information: the restriction of a secret isogeny to a subgroup of the curve (torsion point information). Petit (2017) was the first to demonstrate that torsion point information could noticeably lower the difficulty of finding secret isogenies. In particular, Petit showed that "overstretched" parameterizations of SIDH could be broken in polynomial time. However, this did not impact the security of any cryptosystems proposed in the literature. The contribution of this paper is twofold: First, we strengthen the techniques of Petit by exploiting additional information coming from a dual and a Frobenius isogeny. This extends the impact of torsion point attacks considerably. In particular, our techniques yield a classical attack that completely breaks the n-party group key exchange of Azarderakhsh et al. for 6 parties or more, and a quantum attack for 3 parties or more that improves on the best known asymptotic complexity. We also provide a Magma implementation of our attack for 6 parties. We give the full range of parameters for which our attacks apply. Second, we construct SIDH variants designed to be weak against our attacks; this includes backdoor choices of starting curve, as well as backdoor choices of base-field prime. We stress that our results do not degrade the security of, or reveal any weakness in, the NIST submission SIKE.