Here is a discussion thread for the fifth session of The Isogeny Club, where Tako Boris Fouotsa presents his talk titled: Torsion point images in SIDH - from savior to killer
Abstract:
The first isogeny-based key exchange is the CRS (Couveignes-Rostovtsev-Stolbunov) scheme, which uses ordinary isogenies. The CRS scheme is relatively slow and is subject to a sub-exponential quantum attack. This motivated Jao and De Feo to suggest SIDH, which uses supersingular isogenies that, as opposed to ordinary isogenies, do not commute. To solve this commutativity issue, Jao and De Feo publish images of torsion points through the secret isogeny. SIDH was then faster and was not vulnerable to sub-exponential quantum attacks.
Today, the picture has changed considerably. The torsion point images have been used to design both adaptive and passive attacks on SIDH. Recently, we reached the “point de non retour”: they were used to design a polynomial classical attack on SIDH.
In this talk, we will tell the story of the torsion point images in SIDH. We will go through their role in the design of SIDH, and in the design of both adaptive and passive attacks on SIDH.
Video:
A link will appear here when the recording is available.