[Resource Topic] 2022/975: An efficient key recovery attack on SIDH (preliminary version)

Welcome to the resource topic for 2022/975

An efficient key recovery attack on SIDH (preliminary version)

Authors: Wouter Castryck, Thomas Decru


We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a “glue-and-split” theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently ran by NIST, in about one hour on a single core. This is a preliminary version of a longer article in preparation.

ePrint: https://eprint.iacr.org/2022/975

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .


There is a SageMath implementation of this attack: GitHub - jack4818/Castryck-Decru-SageMath: A SageMath implementation of the Castryck-Decru Key Recovery attack on SIDH


Here is a blog post by Steven Galbraith on this particular attack: Breaking supersingular isogeny Diffie-Hellman (SIDH) | ellipticnews


Slides from Thomas Décru’s talk on the attack at the isogeny club.


Talk by Thomas Décru at the isogeny days in Leuven