Welcome to the resource topic for 2024/1180
Title: Fast computation of 2-isogenies in dimension 4 and cryptographic applications
Authors: Pierrick Dartois
Abstract: Dimension 4 isogenies were first introduced in cryptography for the cryptanalysis of Supersingular Isogeny Diffie-Hellman (SIDH) and have been used constructively in several schemes, including SQIsignHD, a derivative of the SQIsign isogeny-based signature scheme. Unlike in dimensions 2 and 3, we can no longer rely on the Jacobian model and its derivatives to compute isogenies. In dimension 4 (and higher), we can only use theta-models. Previous works by Romain Cosset, David Lubicz and Damien Robert have focused on the computation of $\ell$-isogenies in theta-models of level $n$ coprime to $\ell$ (which requires using $n^g$ coordinates in dimension $g$). For cryptographic applications, we need to compute chains of 2-isogenies, which requires using $\geq 3^g$ coordinates in dimension $g$ with state-of-the-art algorithms.
In this paper, we present algorithms to compute chains of 2-isogenies between abelian varieties of dimension $g\geq 1$ with theta-coordinates of level $n=2$, generalizing a previous work by Pierrick Dartois, Luciano Maino, Giacomo Pope and Damien Robert in dimension $g=2$. We propose an implementation of these algorithms in dimension $g=4$ to compute endomorphisms of elliptic curve products derived from Kani’s lemma with applications to SQIsignHD and SIDH cryptanalysis. We are now able to run a complete key recovery attack on SIDH when the endomorphism ring of the starting curve is unknown within a few seconds on a laptop for all NIST SIKE parameters.
ePrint: https://eprint.iacr.org/2024/1180
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics.