Welcome to this Eurocrypt 2021 presentation on one-way functions and malleability oracles, which is a talk about hidden shift attacks on isogeny-based protocols. This was joint work together with Péter Kutas, Christophe Petit and Charlotte Weitkämper. In our work, we show that for overstretched and unbalanced parameters, a quantum sub-exponential attack on SIDH exists. I'll get back to what this means in a couple of minutes. The attack uses a reduction to an injective abelian hidden shift problem. For CSIDH and isogeny-based protocols based on ordinary curves, it is known how to solve the underlying problems in quantum sub-exponential time via such a reduction, by the results of Childs, Jao and Soukharev. Yet a commonly widespread belief was that the algorithm of Childs, Jao and Soukharev does not apply to SIDH. The argument was that the algorithm relies crucially on an abelian group action and therefore no variant of it would apply in the SIDH setting. Our work shows that for specific parameter choices, this widespread belief is false. However, let me add a disclaimer right here. The attack does not apply to balanced SIDH parameters as they were originally suggested by Jao and De Feo, nor does it apply to SIKE, which is the isogeny-based submission to the NIST standardization process. Instead, the value of the paper consists in showing that a completely different attack vector exists for inadequate parameter choices. Let's start with a quick recap of what isogenies are. Let E0 and E1 be elliptic curves defined over a field K. In cryptography, we are usually interested in those curves being defined over a finite field. An isogeny is a non-constant rational map between two curves that fixes the identity or, equivalently, is also a group homomorphism. Recall that elliptic curves have a group structure on them, so this in particular implies that the kernel of an isogeny is a subgroup of E0. However, the other direction is also true. Every finite subgroup of E0 defines an isogeny.
Indeed, we have a one-to-one correspondence between finite subgroups of E0 and separable isogenies, which is the kind of isogeny I will be mostly talking about in the following. For these isogenies, the degree of the isogeny, which is the degree of the map when written as a rational map, equals the cardinality of the kernel. The kernel of an isogeny determines the image curve up to isomorphism, which is why it makes sense to write the image curve as the quotient of the starting curve by the kernel, up to isomorphism, and elliptic curves that are isomorphic share the same j-invariant, which is an invariant that can be efficiently computed. Since for every isogeny there exists a dual isogeny in the opposite direction of the same degree, this gives rise to an undirected ℓ-isogeny graph, where the vertices are j-invariants of elliptic curves and two vertices have an edge between them if and only if there exists an isogeny of degree ℓ between those curves. Isogeny-based cryptography is one of the candidates for post-quantum cryptography. The core problem of the area is to find large-degree isogenies between supersingular elliptic curves. If you consider the previously mentioned isogeny graph, this can be interpreted as a pathfinding problem, where you're given two vertices in the graph and you have to find a path connecting them. Most isogeny-based cryptosystems, most famously SIDH, are based on variants of this problem or slight variations of this problem, in the sense that some additional information is provided that might or might not help to solve the pathfinding problem. One advantage of isogeny-based cryptography, besides being based on really beautiful maths, is that the key sizes are much smaller compared to cryptosystems of other post-quantum candidates. The most prominent key exchange in isogeny-based cryptography is the Supersingular Isogeny Diffie-Hellman scheme, which was introduced by Jao and De Feo in 2011.
It proceeds as follows. Let N1 and N2 be smooth coprime integers, usually they are chosen to be a power of 2 and a power of 3 respectively, and let p be a prime of the form N1 times N2 minus 1. Furthermore, you fix a curve E0 defined over F_{p^2}, and two bases of E0, namely of the N1- and the N2-torsion. Alice then picks an order-N1 subgroup of E0 as her secret isogeny by choosing its generator, and similarly Bob chooses an order-N2 subgroup of E0. Both compute the isogeny corresponding to their secret subgroup and send each other the curve they arrive at, say EA and EB. Further, Alice sends the image of the N2-torsion basis to Bob, and Bob sends the image of the N1-torsion basis to Alice. Using this torsion point information, both Alice and Bob can translate their secret isogeny onto the curve EB and EA respectively, which after one more isogeny computation allows them both to compute the curve EAB up to isomorphism. Essentially, this works because we're quotienting out two subgroups that only trivially intersect, and the order in which we do this does not matter. Since both Alice and Bob arrive at an isomorphic curve, the j-invariant is used as a shared secret. It is easy to see that recovering the isogeny, say phi_A, would allow one to attack the key exchange. Given E0 and EA, this would be an instance of the pure isogeny problem. However, we are also given additional torsion point information. In our work, we were looking at whether this additional torsion point information makes it possible to reduce the problem of pathfinding, or equivalently of recovering an isogeny in this diagram, to an instance of the abelian hidden shift problem. The hidden shift problem is the following. F0 and F1 are functions from the same group G to some set X, such that there exists some group element S in G with F0 evaluated at any group element equal to F1 evaluated at that same group element times S, in multiplicative notation at least.
The problem is to find the shift S given oracle access to both functions F0 and F1. If G is abelian and F0 and F1 are injective, this can be solved in quantum sub-exponential time with respect to the size of the group G using a quantum computer. This is a result due to Kuperberg. Let's look at how something like this might look, roughly, for SIDH. From now on, let's assume we want to recover the secret isogeny of Alice, which is of degree N1, say a power of 2. Then the 2-isogeny graph starting at E0 looks like this. While we don't know Alice's secret isogeny, we do know its degree. So we do not know the path, but we know that EA lies at a certain distance from E0. Assume we have a group action that acts transitively on the possible kernel subgroups defining paths to curves at distance N1 from E0, that is, all the curves on the outer circle here. And let's assume that it's efficiently computable given a curve and the torsion point information that one has in SIDH. Then if you take any other path of correct length from the starting curve to a curve, say EA', then by transitivity of the group action there exists one element in the acting group that maps EA' to EA. The idea behind our paper is that this element is a shift and can be recovered using a hidden shift algorithm if some further conditions are satisfied. Knowing this shift, we can apply it to the kernel of the isogeny from E0 to EA', which we know because we picked it. And this will give us the kernel of the isogeny from E0 to EA, so the secret of Alice. Let's make this idea more general and consider what we actually need to compute a pre-image of an injective one-way function via a reduction to the injective abelian hidden shift problem. Let f from some domain I to a codomain O be an injective one-way function and let G be a group acting on the domain.
We call a malleability oracle for G at an image point of f, say f(i), an oracle that provides f(g * i) for any element g in the acting group G. Or put differently, the malleability oracle evaluates the function that, on an input g of the group, evaluates f(g * i). In some sense, this is a group action oracle, but it might be possible that more generally there are schemes where one could define a malleability oracle as some knowledge relating certain inputs and outputs. Now, the idea behind finding a pre-image of f(i) via a reduction to the hidden shift computation is fairly straightforward if we make a couple more assumptions on the acting group G. Let the group G act transitively on the domain I of the injective one-way function and assume we have a malleability oracle for G at f(i), where i is the pre-image we want to compute. Then if we pick any j in that domain, we know by transitivity that there exists an element sigma such that i equals sigma * j. Define two functions f0 and f1 that map the group elements of G to the outputs of the one-way function evaluated at that group element times j and at that group element times i respectively. f(g * j) can be evaluated using the knowledge of j and the knowledge of how to evaluate the one-way function in the easy direction. And f(g * i) can be computed using the malleability oracle. These two functions are hidden shifts of one another, and using a hidden shift algorithm this shift can be computed in quantum sub-exponential time, at least if we further assume that f is injective and G is a finitely generated abelian group acting freely on the domain I. This is to ensure that the solution is unique and that it can be computed with a sub-exponential quantum algorithm. Having computed sigma, the shift between both functions, we can then compute i simply by computing the action of sigma on j. Let's get back to SIDH.
For a fixed starting curve in SIDH, this is typically the curve with j-invariant 1728 or one of its close neighbours, and let N1 and N2 be the security parameters of Alice and Bob as before. Then the one-way function underlying Alice's secret isogeny is the map sending order-N1 subgroups of E0 to a curve at distance N1 from E0 together with the image of the basis of the N2-torsion. Note that this function can be efficiently evaluated using Vélu's formulas, but computing pre-images is the hard problem underlying SIDH. In our work, we show that we can give a malleability oracle for this one-way function under certain conditions. More precisely, let G be a multiplicative subgroup of the endomorphism ring of E0 modulo N1, where each equivalence class contains an endomorphism of degree coprime to the degree of Alice's secret isogeny phi. Then a malleability oracle for this group G at EA, which is the starting curve E0 divided out by Alice's secret K, should provide the curve E0 divided out by theta(K), where theta is the endomorphism. By the coprimality of the degrees of theta and phi, we have the following commutative diagram, and you can see that E0 divided out by theta of the kernel of phi is isomorphic to EA divided out by phi of the kernel of theta. Since we do not know the kernel of phi, we cannot compute the action of theta on it. However, the idea in our paper is to lift the endomorphism theta to an endomorphism theta' that has the same action on the domain I of our one-way function, but is of degree N2 or dividing N2. For such a theta', for which we know the kernel and for which we know that its kernel lies in the N2-torsion of E0, we can then evaluate phi on the kernel of theta'. This is because the torsion information in SIDH on the N2-torsion points allows computing the images of all points of order N2. In particular, if the kernel of theta' is in the N2-torsion, we can evaluate phi on it.
But then, given EA and phi of the kernel of theta', we can evaluate the bottom right corner of the commutative diagram, which is the same as evaluating the malleability oracle. Apart from this malleability oracle for SIDH, to use the general reduction to the hidden shift problem outlined earlier, there are some more tasks that had to be solved. First, we had to partition the domain of the one-way function, so the kernel subgroups that Alice could potentially pick, into large partitions such that the SIDH one-way function is injective on each of those partitions. We did this by explicitly writing down three partitions. For each partition, we then find an abelian subgroup of the endomorphism ring containing endomorphisms of degree coprime to N1 that acts freely and transitively on that partition. And finally, we give an algorithm to lift elements from these acting groups to endomorphisms of norm N2. This is in order for us to have a malleability oracle as described on the previous slide. While we give such solutions for the first two tasks in general, the lifting algorithm we provide works only if we allow SIDH parameters where N2, so Bob's security parameter, is larger than p and significantly larger than N1. This is what we call overstretched and unbalanced. More precisely, we choose the group acting on Alice's secret key space such that each element can be represented as an endomorphism of the form Frobenius endomorphism times ι, where ι is the non-trivial automorphism of E0. The task therefore reduces to lifting endomorphisms of this form to norm N2. We solve this by solving a norm equation similar to the one at the core of the KLPT algorithm, where KLPT stands for Kohel, Lauter, Petit and Tignol. Unfortunately, this algorithm works only for N2 greater than p times N1 to the fourth and, under some heuristics, also for N2 greater than p times N1 cubed.
However, the way we solve the lifting, we would not expect solutions if N2 is less than or equal to p times N1 squared. This is also the reason why the attack does not, in its current form, apply to balanced SIDH parameters or SIKE. With some more formal background, let's take one more look at the 2-isogeny graph containing Alice's blue secret path. In our paper, we put the end nodes of the different paths into three different partitions. On each partition, we have an abelian, free and transitive group action of endomorphisms modulo N1. Now, by picking any path that lies in the same partition as Alice's secret, we get to the curve EA', which can be mapped by the group action to EA. This follows by transitivity, and basically, by having three partitions, there are three choices for such a j. We define two functions: one that sends elements of the acting group to the curve you get when applying the group action to the isogeny leading to EA', the other one when applying the group action to the isogeny leading to EA. The first function we can evaluate because we know the pink path and we can just compute the endomorphism on its kernel. This gives us another isogeny of the same length that we can then just evaluate. The second function, the one that computes the group action on EA, we can evaluate using the malleability oracle. Essentially, given an endomorphism of E0, we find another endomorphism of E0 that has the same action on the N1-torsion, but is of degree N2. We use the torsion point information provided by Alice on EA and compute the curve at distance N1 from E0 that one would get when applying this endomorphism to the kernel of the secret, essentially. Both of the functions we define are injective, they are shifts of one another, and the acting group is abelian.
Using a hidden shift algorithm like Kuperberg's, we then find the shift corresponding to the red arrow in the picture, and this allows us to compute the kernel of the secret blue isogeny from the known pink isogeny. Let me summarize the key contributions of the paper. It provides a new attack vector on SIDH-like protocols via a reduction to the abelian hidden shift problem, but the attack only works for unbalanced and overstretched SIDH parameters. Yet the results show that despite SIDH's non-commutative nature, there is an abelian group action on its key space that can be used for this kind of attack. As opposed to previous hand-wavy arguments why such an attack should not exist, we give some bounds for when we expect the attack to actually work. We describe which algebraic properties are necessary for the attack in general terms, and this captures some previous attacks such as the one of Childs, Jao and Soukharev, and we hope that the general framework might be of interest for future cryptanalysis in other areas. The isogeny-based submission to NIST, SIKE, and balanced SIDH parameters are not threatened by this attack. Indeed, parameters for which this new attack applies were already known to be insecure by the results of de Quehen and others that were published this year at Crypto. If you have any questions, please ask in the Eurocrypt Q&A or send us an email. Thanks!
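The generic reduction the speaker describes (pick a known j, define f0 and f1 through the easy direction and the malleability oracle, recover the shift, act on j) is easier to follow on a toy instance. The following Python is an added illustration and is not code from the talk, the paper or its authors. It stands in a much simpler setting than SIDH: the injective one-way function is f(x) = g^x mod p on the domain Z/(p-1), the acting group is (Z/(p-1), +) acting by a * x = x + a (free, transitive and abelian), and the malleability oracle at f(i) answers f(a * i) = f(i)·g^a without ever seeing i. The quantum hidden-shift solver (Kuperberg) is replaced by a classical brute-force search, so only the structure of the reduction is shown, not its sub-exponential cost. The prime 1019 and the generator 2 are constructed toy parameters.

```python
"""Toy 'malleability oracle -> hidden shift -> pre-image' reduction (illustration only)."""

import secrets

# Constructed toy parameters: 1019 is prime, 1019 = 3 (mod 8) and (1019-1)/2 = 509
# is prime, so 2 generates (Z/1019)^* and f below is injective on Z/ORDER.
P = 1019
GEN = 2
ORDER = P - 1  # size of the domain I = Z/ORDER and of the acting group G


def f(x: int) -> int:
    """Easy direction of the one-way function: modular exponentiation."""
    return pow(GEN, x % ORDER, P)


def act(a: int, x: int) -> int:
    """Action of G = (Z/ORDER, +) on the domain: a * x = x + a (free and transitive)."""
    return (x + a) % ORDER


class MalleabilityOracle:
    """Holds only the image f(i), never i, and answers f(a * i) for any a in G.

    This plays the role of the SIDH malleability oracle in the talk: the secret
    pre-image is never touched, but its image can be moved by the group action.
    """

    def __init__(self, image: int) -> None:
        self._image = image

    def query(self, a: int) -> int:
        # f(a * i) = g^(i + a) = f(i) * g^a, computable from f(i) alone
        return (self._image * pow(GEN, a % ORDER, P)) % P


def solve_hidden_shift(f0, f1, order: int) -> int:
    """Return sigma such that f1(a) == f0(a + sigma) for every a in G.

    Brute force over the whole group, standing in for a quantum hidden-shift
    algorithm. Since f0 is injective, one matching evaluation already pins
    down sigma; a second point is compared only as a sanity check.
    """
    t0, t1 = f1(0), f1(1)
    for s in range(order):
        if f0(s) == t0 and f0(s + 1) == t1:
            return s
    raise ValueError("f0 and f1 are not shifts of one another")


def recover_preimage(oracle: MalleabilityOracle, order: int = ORDER) -> int:
    """The reduction from the talk: pick a known j, build f0/f1, solve the shift, act on j."""
    j = secrets.randbelow(order)  # any domain element we know (the 'pink path')

    def f0(a: int) -> int:
        return f(act(a, j))  # easy direction on a known input

    def f1(a: int) -> int:
        return oracle.query(a)  # only reachable through the malleability oracle

    sigma = solve_hidden_shift(f0, f1, order)  # i = sigma * j
    return act(sigma, j)


if __name__ == "__main__":
    secret = secrets.randbelow(ORDER)
    oracle = MalleabilityOracle(f(secret))  # the attacker is given f(secret) only
    assert recover_preimage(oracle) == secret
    print("recovered pre-image:", secret)
```

The three assumptions the speaker lists are visible in the code: injectivity of f makes the shift unique (the brute-force loop returns the first and only match), transitivity guarantees that some sigma maps the chosen j to i, and the oracle is the only place where f is evaluated at an input that depends on the secret. In the SIDH instance, f maps an order-N1 subgroup to a curve plus torsion images, the acting group is a subgroup of End(E0)/N1, and the oracle is built from the lifted endomorphism theta' as described in the talk; the toy swaps all three for modular exponentiation.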