
    Fault attack on Supersingular Isogeny Cryptosystems

    We present the first fault attack on cryptosystems based on supersingular isogenies. During the computation of the auxiliary points, the attack aims to change the base point to a random point on the curve via a fault injection. We will show that this would reveal the secret isogeny with one successful perturbation with high probability. We will exhibit the attack by placing it against signature schemes and key-exchange protocols with validations in place. Our paper therefore demonstrates the need to incorporate checks in implementations of the cryptosystem.

    Genus Two Isogeny Cryptography

    We study (ℓ,ℓ)-isogeny graphs of principally polarised supersingular abelian surfaces (PPSSAS). The (ℓ,ℓ)-isogeny graph has cycles of small length that can be used to break the collision resistance assumption of the genus two isogeny hash function suggested by Takashima. Algorithms for computing (2,2)-isogenies on the level of Jacobians and (3,3)-isogenies on the level of Kummers are used to develop a genus two version of the supersingular isogeny Diffie-Hellman protocol of Jao and de Feo. The genus two isogeny Diffie-Hellman protocol achieves the same level of security as SIDH but uses a prime with a third of the bit length.

    Generalising Fault Attacks to Genus Two Isogeny Cryptosystems

    In this paper, we generalise the SIDH fault attack and the SIDH loop-abort fault attacks on supersingular isogeny cryptosystems (genus-1) to genus-2. Genus-2 isogeny-based cryptosystems are generalisations of their genus-1 counterparts; as such, attacks on the latter are believed to generalise to the former. The point perturbation attack on supersingular elliptic curve isogeny cryptography has been shown to be practical. We show in this paper that this fault attack continues to be practical in genus-2, albeit with a few additional traces required. We also show that the loop-abort attack carries over to the genus-2 setting seamlessly. This article is a minor revision of the version accepted to the workshop Fault Diagnosis and Tolerance in Cryptography 2022 (FDTC 2022).

    Supersingular Non-Superspecial Abelian Surfaces in Cryptography

    We consider the use of supersingular abelian surfaces in cryptography. Several generalisations of well-known cryptographic schemes and constructions based on supersingular elliptic curves to the 2-dimensional setting of superspecial abelian surfaces have been proposed. The computational assumptions in the superspecial 2-dimensional case can be reduced to the corresponding 1-dimensional problems via a product decomposition by observing that every superspecial abelian surface is non-simple and separably isogenous to a product of supersingular elliptic curves. Instead, we propose to use supersingular non-superspecial isogeny graphs where such a product decomposition does not have a computable description via separable isogenies. We study the advantages and investigate security concerns of the move to supersingular non-superspecial abelian surfaces.

    On the Isogeny Problem with Torsion Point Information

    It has recently been rigorously proven (and was previously known under certain heuristics) that the general supersingular isogeny problem reduces to the supersingular endomorphism ring computation problem. However, in order to attack SIDH-type schemes, one requires a particular isogeny which is usually not returned by the general reduction. At Asiacrypt 2016, Galbraith, Petit, Shani and Ti presented a polynomial-time reduction of the problem of finding the secret isogeny in SIDH to the problem of computing the endomorphism ring of a supersingular elliptic curve. Their method exploits the fact that secret isogenies in SIDH are of degree approximately p^{1/2}. The method does not extend to other SIDH-type schemes, where secret isogenies of larger degree are used and this condition is not fulfilled. We present a more general reduction algorithm that generalises to all SIDH-type schemes. The main idea of our algorithm is to exploit available torsion point images together with the KLPT algorithm to obtain a linear system of equations over a certain residue class ring. We show that this system will have a unique solution that can be lifted to the integers if some mild conditions on the parameters are satisfied. This lift then yields the secret isogeny. One consequence of this work is that the choice of the prime p in B-SIDH is tight. Finally, we show that our reduction still applies for SIDH variations deploying recently proposed countermeasures against a series of classical polynomial time attacks against SIDH.

    An Adaptive Attack on 2-SIDH

    We present a polynomial-time adaptive attack on the 2-SIDH protocol. The 2-SIDH protocol is a special instance of the countermeasure proposed by Azarderakhsh, Jao and Leonardi to perform isogeny-based key exchange with static keys in the presence of an adaptive attack. This countermeasure has also been recently explicitly proposed by Kayacan. Our attack extends the adaptive attack by Galbraith, Petit, Shani and Ti (GPST) to recover a static secret key using malformed points. The extension of GPST is non-trivial and requires learning additional information. In particular, the attack needs to recover intermediate elliptic curves in the isogeny path, and points on them. We also discuss how to extend the attack to k-SIDH when k > 2 and explain that the attack complexity is exponential in k.

    Characterization of a New Cyclohexylamine Oxidase From Acinetobacter sp. YT-02

    Cyclohexylamine (CHAM) is widely used in various industries, but it is harmful to human beings and the environment. Acinetobacter sp. YT-02 can degrade CHAM via cyclohexanone as an intermediate. In this study, the cyclohexylamine oxidase (CHAO) gene from Acinetobacter sp. YT-02 was cloned. Amino acid sequence alignment indicated that the cyclohexylamine oxidase (CHAOYT–02) was 48% identical to its homolog from Brevibacterium oxydans IH-35A (CHAOIH–35). The enzyme was expressed in Escherichia coli BL21 (DE3), and purified to apparent homogeneity by Ni-affinity chromatography. The purified enzyme was proposed to be a dimer of molecular mass of approximately 91 kDa. The enzyme exhibited its maximum activity at 50°C and at pH 7.0. The enzyme was thermolabile, as demonstrated by the loss of a substantial percentage of its maximal activity after 30 min incubation at 50°C. The metal ions Mg2+, Co2+, and K+ had some inhibitory effect on the enzyme activity. The kinetic parameters Km and Vmax were 0.25 ± 0.02 mM and 4.3 ± 0.083 μM min−1, respectively. The biochemical properties, substrate specificities, and three-dimensional structures of CHAOYT–02 and CHAOIH–35 were compared. Our results are helpful to elucidate the mechanism of microbial degradation of CHAM in the strain YT-02. In addition, CHAOYT–02, as a potential biocatalyst, is promising in controlling CHAM pollution and deracemization of chiral amines.

    Failing to hash into supersingular isogeny graphs

    An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves", that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular ℓ-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcds of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks. Comment: 33 pages, 7 figure

    Search for Quasi-Periodical Oscillations in Precursors of Short and Long Gamma Ray Bursts

    The precursors of short and long Gamma Ray Bursts (SGRBs and LGRBs) can serve as probes of their progenitors, as well as shedding light on the physical processes of mergers or core-collapse supernovae. Some models predict the possible existence of Quasi-Periodic Oscillations (QPO) in the precursors of SGRBs. Although many previous studies have performed QPO searches in the main emission of SGRBs and LGRBs, there has so far been no systematic QPO search in their precursors. In this work, we perform a detailed QPO search in the precursors of SGRBs and LGRBs detected by Fermi/GBM from 2008 to 2019 using the power density spectrum (PDS) in the frequency domain and Gaussian processes (GP) in the time domain. We do not find any convincing QPO signal with significance above 3σ, possibly due to the low fluxes of precursors. Finally, the PDS continuum properties of both the precursors and main emissions are also studied for the first time, and no significant difference is found in the distributions of the PDS slope for precursors and main emissions in both SGRBs and LGRBs. Comment: submitte