15 research outputs found

    On Adaptive Attacks against Jao-Urbanik’s Isogeny-Based Protocol

    The k-SIDH protocol is a static-static isogeny-based key agreement protocol. At Mathcrypt 2018, Jao and Urbanik introduced a variant of this protocol which uses non-scalar automorphisms of special elliptic curves to improve its efficiency. In this paper, we provide a new adaptive attack on Jao-Urbanik's protocol. The attack is a non-trivial adaptation of Galbraith-Petit-Shani-Ti's attack on SIDH (Asiacrypt 2016) and its extension to k-SIDH by Dobson-Galbraith-LeGrow-Ti-Zobernig (IACR eprint 2019). Our attack provides a speedup compared to a naïve application of Dobson et al.'s attack to Jao-Urbanik's scheme, exploiting its inherent structure. Estimating the security of k-SIDH and Jao-Urbanik's variant with respect to these attacks, k-SIDH provides better efficiency.
    12th International Conference on the Theory and Application of Cryptographic Techniques in Africa, AFRICACRYPT 2020; Cairo; Egypt; 20 July 2020 through 22 July 2020
    ISBN: 978-303051937-7
    Volume Editors: Nitaj A., Youssef A.
    Publisher: Springe

    Improved algorithms for finding fixed-degree isogenies between supersingular elliptic curves

    Finding isogenies between supersingular elliptic curves is a natural algorithmic problem which is known to be equivalent to computing the curves' endomorphism rings. When the isogeny is additionally required to have a specific degree $d$, the problem appears to be somewhat different in nature, yet it is also considered a hard problem in isogeny-based cryptography. Let $E_1, E_2$ be supersingular elliptic curves over $\mathbb{F}_{p^2}$. We present improved classical and quantum algorithms that compute an isogeny of degree $d$ between $E_1$ and $E_2$ if it exists. Let the sought-after degree be $d = p^{1/2+\epsilon}$ for some $\epsilon > 0$. Our essentially memory-free algorithms have better time complexity than meet-in-the-middle algorithms, which require exponential memory storage, in the range $1/2 \leq \epsilon \leq 3/4$ on a classical computer and quantum improvements in the range $0 < \epsilon < 5/2$.

    Failing to hash into supersingular isogeny graphs

    An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves," that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcd's of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.
    Comment: 33 pages, 7 figure

    Cryptanalysis of Isogeny-based Protocols in Genus 1 and 2

    Isogeny-based cryptography is one of the contenders for providing cryptosystems based on mathematical problems which are assumed to be hard for both classical and quantum computers. The most general of these isogeny-related problems, the pure isogeny problem, is the task of finding an isogeny between any two given supersingular elliptic curves. Many variants of this problem exist, not all of which are actually hard both classically and quantumly. Some variants use special primes, require the found isogeny to be of a certain degree, provide additional torsion point information, use specific elliptic curves instead of arbitrary ones, or translate the problem to a higher-dimensional setting using genus-2 curves. This thesis focuses on the cryptanalysis of encryption schemes using variants of the pure isogeny problem for their underlying hardness assumption. We provide several attacks on the Supersingular Isogeny Diffie–Hellman (SIDH) protocol and some variants thereof. Note that these results predate the recent remarkable full break of the SIDH protocol by Castryck and Decru, as well as others. We first introduce a general attack framework using a malleability oracle to reduce inverting a one-way function with specific characteristics to quantumly solving a hidden shift problem. This framework can be instantiated to provide a quantum subexponential attack on SIDH with overstretched parameters by defining a group acting on subsets of the SIDH keyspace. Furthermore, we present adaptive attacks on two variants of the SIDH protocol which recover static secret keys by repeatedly sending malformed public information. The first protocol produces related key exchange instances by making use of non-trivial automorphisms existing on special elliptic curves. The second protocol is a variant using Jacobians of hyperelliptic genus-2 curves as well as elliptic curve products and isogenies between them.
    We conclude this thesis with the presentation of several new algorithms for computing isogenies between arbitrary supersingular elliptic curves of prescribed degree which, in most cases, require knowledge of the endomorphism rings. Making use of speedups obtained from quantum search and factoring algorithms, these methods result in an acceleration of the computation of certain isogenies.

    The Norm of Inclusion between Affirmation and Transformation

    Hackbarth A. Die Norm der Inklusion zwischen Affirmation und Transformation. In: Fritzsche B, Köpfer A, Wagner-Willi M, et al., eds. Inklusionsforschung zwischen Normativität und Empirie – Abgrenzungen und Brückenschläge. Schriftenreihe der AG Inklusionsforschung der Deutschen Gesellschaft für Erziehungswissenschaft (DGfE) . Opladen: Verlag Barbara Budrich; 2021: 122-136

    Failing to hash into supersingular isogeny graphs

    An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves," that is, concrete supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. Or, even better, to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hopes that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcd's of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.