Paper 2024/1796

Isogeny interpolation and the computation of isogenies from higher dimensional representations

David Jao, University of Waterloo
Jeanne Laflamme, University of Waterloo
Abstract

The Supersingular Isogeny Diffie-Hellman (SIDH) scheme is a public key cryptosystem that was submitted to the National Institute of Standards and Technology's competition for the standardization of post-quantum cryptography protocols. The private key in SIDH consists of an isogeny whose degree is a prime power. In July 2022, Castryck and Decru discovered an attack that completely breaks the scheme by recovering Bob's secret key, using isogenies between higher dimensional abelian varieties to interpolate and reconstruct the isogenies comprising the SIDH private key. The original attack applies in theory to any prime power degree, but the implementation accompanying the original attack required one of the SIDH keys involved in a key exchange to have degree equal to a power of $2$. An implementation of the power of $3$ case was published subsequently by Decru and Kunzweiler. However, despite the passage of several years, nobody has published any implementations for prime powers other than $2$ or $3$, and for good reason --- the necessary higher dimensional isogeny computations rapidly become more complicated as the base prime increases. In this paper, we provide for the first time a fully general isogeny interpolation implementation that works for any choice of base prime, and provide timing benchmarks for various combinations of SIDH base prime pairs. We remark that the technique of isogeny interpolation now has constructive applications as well as destructive applications, and that our methods may open the door to increased flexibility in constructing isogeny-based digital signatures and cryptosystems.

Note: We are aware that other posted preprints, such as ePrint:2024/1519 and arXiv:2409.14819, also provide implementations of (N,N)-isogenies for N > 3. At the time our article was submitted for publication, these preprints were not yet posted, leading us to believe that our implementation was the first. We have chosen to leave our abstract text as-is, along with this clarifying note.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. Indocrypt 2024
Keywords
isogeny interpolation, isogeny evaluation, abelian varieties
Contact author(s)
djao @ uwaterloo ca
jmlaflam @ uwaterloo ca
History
2024-11-04: approved
2024-11-03: received
Short URL
https://ia.cr/2024/1796
License
Creative Commons Attribution-ShareAlike
CC BY-SA

BibTeX

@misc{cryptoeprint:2024/1796,
      author = {David Jao and Jeanne Laflamme},
      title = {Isogeny interpolation and the computation of isogenies from higher dimensional representations},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1796},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1796}
}