6 research outputs found

    The Dark SIDH of Isogenies

    Many isogeny-based cryptosystems are believed to rely on the hardness of the Supersingular Decision Diffie-Hellman (SSDDH) problem. However, most cryptanalytic efforts have treated the hardness of this problem as being equivalent to the more generic supersingular ℓ^e-isogeny problem, an established hard problem in number theory. In this work, we shine some light on the possibility that the combination of two additional pieces of information given in practical SSDDH instances (the image of the torsion subgroup and the starting curve's endomorphism ring) can lead to better attacks on cryptosystems relying on this assumption. We show that SIKE/SIDH are secure against our techniques. However, in certain settings, e.g., multi-party protocols, our results may suggest a larger gap between the security of these cryptosystems and the ℓ^e-isogeny problem. Our analysis relies on the ability to find many endomorphisms on the base curve that have special properties. To the best of our knowledge, this class of endomorphisms has never been studied in the literature. We informally discuss the parameter sets where these endomorphisms should exist. We also present an algorithm which may provide information about additional torsion points under the party's private isogeny, which is of independent interest. Finally, we present a minor variation of the SIKE protocol that avoids exposing a known endomorphism ring.

    Jacobi forms

    Along with explaining the Saito-Kurokawa lift, Eichler and Zagier's book gives the main structural theorems for Jacobi forms on the full modular group. Since then much work has been published generalizing these results to different types of Jacobi forms, but very little work has been done generalizing the theory to Jacobi forms for congruence subgroups. A large part of this thesis is aimed at generalizing the work of Eichler and Zagier's book to Jacobi forms for congruence subgroups. In particular, we describe the structure of the Jacobi-Eisenstein space of the congruence subgroup Γ(N). We also find a bound on the number of Fourier coefficients needed to determine a Jacobi form for a congruence subgroup. The latter part of this work covers the theory of theta series and the corresponding theory of Jacobi theta series. The motivating problem for this thesis is to find a basis for the space of Jacobi forms for congruence subgroups.

    Non-Cohen–Macaulay Projective Monomial Curves with Positive h


    Improved Torsion-Point Attacks on SIDH Variants

    SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of finding isogenies between supersingular elliptic curves. However, SIDH and related cryptosystems also reveal additional information: the restriction of a secret isogeny to a subgroup of the curve (torsion-point information). Petit [31] was the first to demonstrate that torsion-point information could noticeably lower the difficulty of finding secret isogenies. In particular, Petit showed that "overstretched" parameterizations of SIDH could be broken in polynomial time. However, this did not impact the security of any cryptosystems proposed in the literature. The contribution of this paper is twofold. First, we strengthen the techniques of [31] by exploiting additional information coming from a dual and a Frobenius isogeny. This extends the impact of torsion-point attacks considerably. In particular, our techniques yield a classical attack that completely breaks the n-party group key exchange of [2], first introduced as GSIDH in [17], for 6 parties or more, and a quantum attack for 3 parties or more that improves on the best known asymptotic complexity. We also provide a Magma implementation of our attack for 6 parties. We give the full range of parameters for which our attacks apply. Second, we construct SIDH variants designed to be weak against our attacks; this includes backdoor choices of starting curve, as well as backdoor choices of base-field prime. We stress that our results do not degrade the security of, or reveal any weakness in, the NIST submission SIKE [20].
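    Both abstracts above turn on the same protocol detail: besides her curve E_A, an SIDH party publishes the images of the other party's torsion basis under her secret isogeny. The toy exchange below, written for this page and not taken from either paper, makes that concrete with x-only Montgomery arithmetic over the teaching-sized prime p = 2^4·3^3 − 1 = 431 and the starting curve y^2 = x^3 + 6x^2 + x. Alice's public key is (A_A, x(φ_A(P_B)), x(φ_A(Q_B)), x(φ_A(Q_B − P_B))); the last three x-coordinates are exactly the "torsion-point information" the attacks exploit. The 2- and 3-isogeny formulas are the standard affine Montgomery-form ones (as in De Feo, Jao and Plût); the parameter sizes, seed, basis-selection rule and helper names are this example's own choices and would never be used in a real deployment.

```python
"""Toy SIDH over p = 2^4 * 3^3 - 1 (added illustration, not code from the papers above)."""
import random

p = 2**4 * 3**3 - 1          # 431; p = 3 mod 4, so F_{p^2} = F_p(i) with i^2 = -1
EA, EB = 4, 3                # Alice walks 2^4-isogenies, Bob walks 3^3-isogenies


class Fp2:
    """a + b*i in F_{p^2}; minimal, unoptimised, constant-time is not a goal here."""
    __slots__ = ("a", "b")

    def __init__(self, a, b=0):
        self.a, self.b = a % p, b % p

    @staticmethod
    def _c(v):
        return v if isinstance(v, Fp2) else Fp2(v)

    def __add__(s, o): o = Fp2._c(o); return Fp2(s.a + o.a, s.b + o.b)
    def __sub__(s, o): o = Fp2._c(o); return Fp2(s.a - o.a, s.b - o.b)
    def __mul__(s, o):
        o = Fp2._c(o)
        return Fp2(s.a * o.a - s.b * o.b, s.a * o.b + s.b * o.a)
    __radd__, __rmul__ = __add__, __mul__
    def __rsub__(s, o): return Fp2._c(o) - s
    def __neg__(s): return Fp2(-s.a, -s.b)
    def inv(s):                      # (a - b i) / (a^2 + b^2), s must be nonzero
        n = pow(s.a * s.a + s.b * s.b, p - 2, p)
        return Fp2(s.a * n, -s.b * n)
    def __truediv__(s, o): return s * Fp2._c(o).inv()
    def __rtruediv__(s, o): return Fp2._c(o) * s.inv()
    def __eq__(s, o): o = Fp2._c(o); return s.a == o.a and s.b == o.b
    def __hash__(s): return hash((s.a, s.b))
    def __repr__(s): return f"({s.a} + {s.b}i)"


# ---- x-only arithmetic on E_A: y^2 = x^3 + A x^2 + x --------------------------------
def xdbl(x, A):
    """x([2]P); P must not be O or a 2-torsion point."""
    t = x * x - 1
    return t * t / (4 * x * (x * x + A * x + 1))

def xadd(xp, xq, xpq):
    """x(P+Q) from x(P), x(Q), x(P-Q) (Montgomery's differential addition)."""
    t, d = xp * xq - 1, xp - xq
    return t * t / (d * d * xpq)

def xtpl(x, A):
    """x([3]P) = x(P + [2]P), with difference x(P - [2]P) = x(-P) = x."""
    return xadd(x, xdbl(x, A), x)

def ladder3pt(m, xp, xq, xqp, A):
    """x(P + [m]Q) from x(P), x(Q), x(Q-P): the three-point ladder used by SIKE, affine form."""
    r0, r1, r2 = xq, xp, xqp          # invariant: r0 = [2^i]Q, r1 = P + [m mod 2^i]Q, r2 = r0 - r1
    n = m.bit_length()
    for i in range(n):
        if (m >> i) & 1:
            r1 = xadd(r0, r1, r2)
        else:
            r2 = xadd(r0, r2, r1)
        if i < n - 1:                 # the last doubling is unused and would hit O for 2-power Q
            r0 = xdbl(r0, A)
    return r1

def iso2(A, x2):
    """2-isogeny with kernel (x2, 0), x2 != 0: codomain coefficient and x-map."""
    return 2 * (1 - 2 * x2 * x2), (lambda x: x * (x * x2 - 1) / (x - x2))

def iso3(A, x3):
    """3-isogeny with kernel generated by a point of order 3 with x-coordinate x3."""
    A3 = (A * x3 - 6 * x3 * x3 + 6) * x3
    return A3, (lambda x: x * (x * x3 - 1) * (x * x3 - 1) / ((x - x3) * (x - x3)))

def isogeny_chain(A, xR, ell, e, push):
    """E_A / <R> with R of order ell^e, as e steps of ell-isogenies; also pushes the x-coords in `push`."""
    push = list(push)
    for i in range(e):
        xT = xR
        for _ in range(e - 1 - i):         # T = [ell^(e-1-i)] R has order ell
            xT = xdbl(xT, A) if ell == 2 else xtpl(xT, A)
        A, phi = (iso2 if ell == 2 else iso3)(A, xT)
        push = [phi(x) for x in push]
        if i < e - 1:
            xR = phi(xR)                   # R generates the final kernel, so it is not pushed then
    return A, push

def j_inv(A):
    t = A * A - 3
    return 256 * t * t * t / (A * A - 4)


# ---- full affine arithmetic, used only to build torsion bases ------------------------
def aff_add(Pt, Qt, A):
    if Pt is None: return Qt
    if Qt is None: return Pt
    x1, y1 = Pt; x2, y2 = Qt
    if x1 == x2:
        if y1 + y2 == 0: return None
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) / (2 * y1)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - A - x1 - x2
    return x3, lam * (x1 - x3) - y1

def aff_mul(k, Pt, A):
    R = None
    for bit in bin(k)[2:]:
        R = aff_add(R, R, A)
        if bit == "1": R = aff_add(R, Pt, A)
    return R

SQRT = {}                                # y*y -> y; y and -y share a square, so half the b's suffice
for _a in range(p):
    for _b in range((p + 1) // 2):
        _y = Fp2(_a, _b)
        SQRT.setdefault(_y * _y, _y)

def torsion_basis(A, ell, e, cofactor, rng):
    """P, Q of order ell^e generating E_A[ell^e].  For ell = 2 we insist [2^(e-1)]Q = (0,0)
    so that no kernel point along P + [k]Q is ever (0,0), which iso2 cannot handle."""
    pts = []
    while len(pts) < 2:
        x = Fp2(rng.randrange(p), rng.randrange(p))
        rhs = x * x * x + A * x * x + x
        if rhs not in SQRT: continue
        S = aff_mul(cofactor, (x, SQRT[rhs]), A)
        T = aff_mul(ell ** (e - 1), S, A)        # order-ell multiple
        if T is None: continue                   # order too small
        if ell == 2:
            if (T[0] == 0) != (len(pts) == 1): continue
        elif pts and T[0] == aff_mul(ell ** (e - 1), pts[0], A)[0]:
            continue                             # [9]Q on the same line as [9]P: dependent
        pts.append(S)
    return pts


def sidh_exchange(sk_a, sk_b, seed=1):
    """Returns (j_Alice, j_Bob, j(E_A), j(E_B)); the first two must agree."""
    rng = random.Random(seed)
    A0 = Fp2(6)
    PA, QA = torsion_basis(A0, 2, EA, 3 ** EB, rng)
    PB, QB = torsion_basis(A0, 3, EB, 2 ** EA, rng)
    def xs(Pp, Qq):                              # public x(P), x(Q), x(Q - P)
        return Pp[0], Qq[0], aff_add(Qq, (Pp[0], -Pp[1]), A0)[0]
    xPA, xQA, xQPA = xs(PA, QA)
    xPB, xQB, xQPB = xs(PB, QB)
    # Alice: E_A = E0/<PA + [sk_a]QA>, plus the torsion-point information phi_A(Bob's basis)
    A_A, (xPB_, xQB_, xQPB_) = isogeny_chain(A0, ladder3pt(sk_a, xPA, xQA, xQPA, A0), 2, EA, [xPB, xQB, xQPB])
    # Bob: E_B = E0/<PB + [sk_b]QB>, plus phi_B(Alice's basis)
    A_B, (xPA_, xQA_, xQPA_) = isogeny_chain(A0, ladder3pt(sk_b, xPB, xQB, xQPB, A0), 3, EB, [xPA, xQA, xQPA])
    # shared secret: quotient the other side's curve by the image of your own kernel
    A_BA, _ = isogeny_chain(A_B, ladder3pt(sk_a, xPA_, xQA_, xQPA_, A_B), 2, EA, [])
    A_AB, _ = isogeny_chain(A_A, ladder3pt(sk_b, xPB_, xQB_, xQPB_, A_A), 3, EB, [])
    return j_inv(A_BA), j_inv(A_AB), j_inv(A_A), j_inv(A_B)

def shared_secrets_agree(sk_a, sk_b):
    ja, jb, _, _ = sidh_exchange(sk_a, sk_b)
    return ja == jb

if __name__ == "__main__":
    print("j(E0) =", j_inv(Fp2(6)), "  shared j:", sidh_exchange(7, 19)[:2])
```

    Run as written it prints the j-invariant of the starting curve and the two (equal) shared j-invariants. The point to take from it is in `sidh_exchange`: every value Bob needs to finish the protocol, and every value an attacker sees, is the codomain coefficient plus the three pushed x-coordinates, which is precisely the extra information beyond the bare ℓ^e-isogeny problem that both papers study.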