New cryptanalysis of M-SIDH isogeny cryptography
ellipticnews | The Elliptic Curve Cryptography blog
by ellipticnews
7M ago
This post is about the paper A polynomial time attack on instances of M-SIDH and FESTA by Wouter Castryck and Frederik Vercauteren. As we all know, SIDH was broken in 2022 by using knowledge of exact images of torsion points under a secret isogeny. (For more details, see previous blog post, and another, and Quanta article.) Precisely, in SIDH the secret isogeny has known degree , and one is given where are a basis for . Here The key technique is a result from Kani, which involves isogenies of Abelian varieties of dimension more than one. In response, several papers proposed ways to fix it ..read more
SIAM Conference on Applied Algebraic Geometry (AG23)
9M ago
The SIAM conference on Applied Algebraic Geometry took place in Eindhoven last week. The “mini symposia” included: Applications of Algebraic Geometry to Post-Quantum Cryptology; Elliptic Curves and Pairings in Cryptography; Applications of Isogenies in Cryptography. Despite having promised myself to attend talks outside of my domain, I ended up attending all the talks in the “Applications of Algebraic Geometry to Post-Quantum Cryptology” mini-symposium. The first day was mostly about multi-variate crypto. Bo-Yin Yang gave two talks about the recent history of attacks on multivariate schemes, an ..read more
Some comments on the CSIDH group action
1y ago
Lorenz Panny recently wrote a detailed and interesting blog post with the title CSI‑FiSh really isn’t polynomial‑time. The purpose of this post is to give some more context and discussion, and mention some recent papers. CSIDH is an isogeny-based primitive. It is not affected by the attacks on SIDH, so is currently believed to be secure. It is an implementation of a cryptographic group action. For a prime , the group is the ideal class group of the quadratic field , and the group acts on the set of supersingular elliptic curves with -invariant in the finite field . By the way, I have recentl ..read more
EdDSA standardized
1y ago
A new version of the NIST Federal Information Processing Standard (FIPS) for Digital Signatures has been published. Also see here. This version includes EdDSA. There are (at least) two notable features of EdDSA. First, it is more closely related to Schnorr signatures than ECDSA. This means it avoids (in my opinion) many of the clunky aspects of ECDSA and allows a much more elegant security analysis. Second, it uses curves in Edwards form. Specifically, the document Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters states “this Recommendation includes t ..read more
Attacks on SIDH/SIKE
1y ago
You may feel like you are having trouble keeping up with the news on SIDH/SIKE. So am I! I hope this blog post doesn’t instantly become obsolete due to new advances. To recall, there are now three preprints giving attacks on SIDH: An efficient key recovery attack on SIDH (preliminary version) by Wouter Castryck and Thomas Decru. Posted July 30. An attack on SIDH with arbitrary starting curve by Luciano Maino and Chloe Martindale. Posted August 8. Breaking SIDH in polynomial time by Damien Robert. Posted August 10. The first two are parallel independent works that apply a theorem due to Kani ..read more
Eurocrypt 2021 – Zagreb, Zoom and Zulip
2y ago
Eurocrypt 2021 was held as a hybrid conference, with some participants in-person in Zagreb and some online. I was one of the ones joining the conference by Zoom and Zulip. As always in this blog I focus on talks and news most relevant for elliptic curve fans. For each accepted paper there was a short (20-30 minutes) video available in advance of the conference on the conference website, and also a short live Q&A session that is immortalised on the IACR youtube channel. There were two invited talks: Craig Gentry’s talk “A Decade (or So) of Fully Homomorphic Encryption” (FHE) gave an overvie ..read more
Report by Luca de Feo on the 3rd PQC Standardization Conference
3y ago
The 3rd PQC Standardization Conference, organized by NIST, took place online from June 7 to 9, featuring a mix of live talks, pre-recorded talks, and panels. The oral exchanges were complemented by a text-based forum, provided by an app well known for its lack of end-to-end encryption, where some topics were eventually debated at length. Slides for the talks will be available in a few days, and video recordings in a few weeks. In the meantime, I will give a personal account of the conference based exclusively on my recollections. I took no notes, and I was often preparing or eating dinner at t ..read more
Some recent papers in isogeny crypto
3y ago
There have been quite a few papers on isogeny crypto posted in the last few months. Here is a brief summary of some of them. Improved torsion point attacks on SIDH variants by Victoria de Quehen, Péter Kutas, Chris Leonardi, Chloe Martindale, Lorenz Panny, Christophe Petit and Katherine E. Stange. This is a greatly revised and expanded version of an earlier paper by a subset of the authors. I am writing about the March 2021 version. The paper builds on an idea of Petit (published at ASIACRYPT 2017) to exploit the fact that SIDH gives the image of torsion points. To be precise, suppose is an ..read more
SQISign
3y ago
This post is about SQISign, an exciting post-quantum signature scheme based on isogenies. The blog post is intended for people who understand SIDH well, but are not experts at quaternions and Eichler orders. I do not claim to explain (or understand) all the details. I am mainly trying to give an overview of what are the main technical achievements of the SQISign authors. First some background. Previously there were three isogeny-based signature schemes. A scheme based on SIDH was given by Yoo, Azarderakhsh, Jalali, Jao and Soukharev. The basic idea is simple: Given a public key the prover wan ..read more
Review of ECC 2020
3y ago
One of the reasons I started this blog was to share information with people who were unable to attend conferences. So I’ve tried to maintain a tradition of conference reviews. I’ll continue, even though online conferences are more inclusive and there is no excuse not to attend. ECC 2020 took place online last week. Recordings of the 4 panel discussions are available on youtube here. There were technical problems with the first panel (the “Pacific rim” group), but the audio is ok and the quality gets better after the first few minutes. The discussion in the first panel covered various attacks o ..read more