[Resource Topic] 2022/1464: Parallel Isogeny Path Finding with Limited Memory

Resource Attacks and cryptanalysis
#1

Welcome to the resource topic for 2022/1464

Title:
Parallel Isogeny Path Finding with Limited Memory

Authors: Emanuele Bellini, Jorge Chavez-Saab, Jesús-Javier Chi-Domínguez, Andre Esser, Sorina Ionica, Luis Rivera-Zamarripa, Francisco Rodríguez-Henríquez, Monika Trimoska, Floyd Zweydinger

Abstract:

The security guarantees of most isogeny-based protocols rely on the computational hardness of finding an isogeny between two supersingular isogenous curves defined over a prime field \mathbb{F}_q with q a power of a large prime p. In most scenarios, the isogeny is known to be of degree \ell^e for some small prime \ell. We call this problem the Supersingular Fixed-Degree Isogeny Path (SIPFD) problem.
It is believed that the most general version of SIPFD is not solvable faster than in exponential time by classical as well as quantum attackers.

In a classical setting, a meet-in-the-middle algorithm is the fastest known strategy for solving the SIPFD. However, due to its stringent memory requirements, it quickly becomes infeasible for moderately large SIPFD instances. In a practical setting, one has therefore to resort to time-memory trade-offs to instantiate attacks on the SIPFD. This is particularly true for GPU platforms, which are inherently more memory-constrained than CPU architectures. In such a setting, a van Oorschot-Wiener-based collision finding algorithm offers a better asymptotic scaling. Finding the best algorithmic choice for solving instances under a fixed prime size, memory budget and computational platform remains so far an open problem.

To answer this question, we present a precise estimation of the costs of both strategies considering most recent algorithmic improvements. As a second main contribution, we substantiate our estimations via optimized software implementations of both algorithms. In this context, we provide the first optimized GPU implementation of the van Oorschot-Wiener approach for solving the SIPFD. Based on practical measurements we extrapolate the running times for solving different-sized instances. Finally, we give estimates of the costs of computing a
degree-2^{88} isogeny using our CUDA software library running on an NVIDIA A100 GPU server.

ePrint: https://eprint.iacr.org/2022/1464

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .