Improved Torsion-Point Attacks on SIDH Variants

SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of finding isogenies between supersingular elliptic curves. However, and related cryptosystems also reveal additional information: restriction secret isogeny to subgroup curve (torsion-point information). Petit [31] was first demonstrate that torsion-point information could noticeably lower isogenies. In particular, showed “overstretched” parameterizations be broken in polynomial time. this did not impact security any proposed literature. The contribution paper twofold: First, we strengthen techniques by exploiting coming from dual Frobenius isogeny. This extends attacks considerably. our yield classical attack completely breaks n-party group [2], introduced as GSIDH [17], for 6 parties or more, quantum 3 more improves best known asymptotic complexity. We provide Magma implementation parties. give full range parameters which apply. Second, construct variants designed weak against attacks; includes backdoor choices starting curve, well base-field prime. stress results do degrade of, weakness in, NIST submission SIKE [20].