The problem of computing an isogeny between two given supersingular elliptic curves over a finite field holds significant importance in cryptography. In particular, isogeny-based cryptography, which is a promising candidate for post-quantum cryptography, relies on the hardness of this problem. When constructing cryptosystems, it is often necessary to assume the hardness of a variant of the problem with additional information. One such problem is the supersingular isogeny with torsion (SSI-T) problem, where the degree of a secret isogeny and the image of a torsion subgroup under the isogeny are provided. SIDHSIDH is a key-exchange protocol founded on the hardness of the SSI-T problem. SIKE, a key encapsulation mechanism, is based on SIDH and was a round-4 candidate in the NIST post-quantum cryptography standardization process. However, in 2022, Castryck and Decru introduced a polynomial-time attack on the SSI-T problem in SIKE, thereby compromising the security of SIDH and SIKE. Subsequently, various works have emerged, which include extensions of this attack, countermeasures against this attack, and new cryptosystems using this attack. These efforts have explored different variants of the SSI-T problem. This paper provides a survey of the attacks on the SSI-T problem and its variants.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A Survey of Attacks on Supersingular Isogeny with Torsion Problem and Its Variants

  • Hiroshi Onuki

摘要

The problem of computing an isogeny between two given supersingular elliptic curves over a finite field holds significant importance in cryptography. In particular, isogeny-based cryptography, which is a promising candidate for post-quantum cryptography, relies on the hardness of this problem. When constructing cryptosystems, it is often necessary to assume the hardness of a variant of the problem with additional information. One such problem is the supersingular isogeny with torsion (SSI-T) problem, where the degree of a secret isogeny and the image of a torsion subgroup under the isogeny are provided. SIDHSIDH is a key-exchange protocol founded on the hardness of the SSI-T problem. SIKE, a key encapsulation mechanism, is based on SIDH and was a round-4 candidate in the NIST post-quantum cryptography standardization process. However, in 2022, Castryck and Decru introduced a polynomial-time attack on the SSI-T problem in SIKE, thereby compromising the security of SIDH and SIKE. Subsequently, various works have emerged, which include extensions of this attack, countermeasures against this attack, and new cryptosystems using this attack. These efforts have explored different variants of the SSI-T problem. This paper provides a survey of the attacks on the SSI-T problem and its variants.