-
Hidden Stabilizers, the Isogeny To Endomorphism Ring Problem and the Cryptanalysis of pSIDH
Authors:
Mingjie Chen,
Muhammad Imran,
Gábor Ivanyos,
Péter Kutas,
Antonin Leroux,
Christophe Petit
Abstract:
The Isogeny to Endomorphism Ring Problem (IsERP) asks to compute the endomorphism ring of the codomain of an isogeny between supersingular curves in characteristic $p$ given only a representation for this isogeny, i.e. some data and an algorithm to evaluate this isogeny on any torsion point. This problem plays a central role in isogeny-based cryptography; it underlies the security of the pSIDH protocol (ASIACRYPT 2022) and it is at the heart of the recent attacks that broke the SIDH key exchange. Prior to this work, no efficient algorithm was known to solve IsERP for a generic isogeny degree, the hardest case seemingly being when the degree is prime.
In this paper, we introduce a new quantum polynomial-time algorithm to solve IsERP for isogenies whose degrees are odd and have $O(\log\log p)$ many prime factors. As main technical tools, our algorithm uses a quantum algorithm for computing hidden Borel subgroups, a group action on supersingular isogenies from EUROCRYPT 2021, various algorithms for the Deuring correspondence and a new algorithm to lift arbitrary quaternion order elements modulo an odd integer $N$ with $O(\log\log p)$ many prime factors to powersmooth elements.
As a main consequence for cryptography, we obtain a quantum polynomial-time key recovery attack on pSIDH. The technical tools we use may also be of independent interest.
Submitted 31 May, 2023;
originally announced May 2023.
-
Failing to hash into supersingular isogeny graphs
Authors:
Jeremy Booher,
Ross Bowden,
Javad Doliskani,
Tako Boris Fouotsa,
Steven D. Galbraith,
Sabrina Kunzweiler,
Simon-Philipp Merz,
Christophe Petit,
Benjamin Smith,
Katherine E. Stange,
Yan Bo Ti,
Christelle Vincent,
José Felipe Voloch,
Charlotte Weitkämper,
Lukas Zobernig
Abstract:
An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves", that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcds of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.
Submitted 8 May, 2024; v1 submitted 29 April, 2022;
originally announced May 2022.
-
Stronger bounds on the cost of computing Groebner bases for HFE systems
Authors:
Elisa Gorla,
Daniela Mueller,
Christophe Petit
Abstract:
We give upper bounds for the solving degree and the last fall degree of the polynomial system associated to the HFE (Hidden Field Equations) cryptosystem. Our bounds improve the known bounds for this type of system. We also present new results on the connection between the solving degree and the last fall degree and prove that, in some cases, the solving degree is independent of coordinate changes.
Submitted 2 November, 2020;
originally announced November 2020.
-
On the role of solute drag in reconciling laboratory and natural constraints on olivine grain growth kinetics
Authors:
Jean Furstoss,
Carole Petit,
Andrea Tommasi,
Clément Ganino,
Daniel Pino Muñoz,
Marc Bernacki
Abstract:
We investigate the effect of solute drag on grain growth (GG) kinetics in olivine-rich rocks through full field and mean field modelling. Considering a drag force exerted by impurities on grain boundary migration allows reconciling laboratory and natural constraints on olivine GG kinetics. Solute drag is implemented in a full field level-set framework and in a mean field model, which explicitly accounts for a grain size distribution. After calibration of the mean field model on full field results, both models are able both to reproduce laboratory GG kinetics and to predict grain sizes consistent with observations in peridotite xenoliths from different geological contexts.
Submitted 9 July, 2020;
originally announced July 2020.
-
Improved torsion point attacks on SIDH variants
Authors:
Victoria de Quehen,
Péter Kutas,
Chris Leonardi,
Chloe Martindale,
Lorenz Panny,
Christophe Petit,
Katherine E. Stange
Abstract:
SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of finding isogenies between supersingular elliptic curves. However, SIDH and related cryptosystems also reveal additional information: the restriction of a secret isogeny to a subgroup of the curve (torsion point information). Petit (2017) was the first to demonstrate that torsion point information could noticeably lower the difficulty of finding secret isogenies. In particular, Petit showed that "overstretched" parameterizations of SIDH could be broken in polynomial time. However, this did not impact the security of any cryptosystems proposed in the literature. The contribution of this paper is twofold: First, we strengthen the techniques of Petit by exploiting additional information coming from a dual and a Frobenius isogeny. This extends the impact of torsion point attacks considerably. In particular, our techniques yield a classical attack that completely breaks the n-party group key exchange of Azarderakhsh et al. for 6 parties or more, and a quantum attack for 3 parties or more that improves on the best known asymptotic complexity. We also provide a Magma implementation of our attack for 6 parties. We give the full range of parameters for which our attacks apply. Second, we construct SIDH variants designed to be weak against our attacks; this includes backdoor choices of starting curve, as well as backdoor choices of base-field prime. We stress that our results do not degrade the security of, or reveal any weakness in, the NIST submission SIKE.
Submitted 20 October, 2021; v1 submitted 29 May, 2020;
originally announced May 2020.
-
New results on quasi-subfield polynomials
Authors:
M. Euler,
C. Petit
Abstract:
Quasi-subfield polynomials were introduced by Huang et al. together with a new algorithm to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) over finite fields of small characteristic. In this paper we provide both new quasi-subfield polynomial families and a new theorem limiting their existence. Our results do not allow us to derive any speedup for the new ECDLP algorithm compared to previous approaches.
Submitted 25 June, 2021; v1 submitted 25 September, 2019;
originally announced September 2019.