I'm Péter Kutas, and I'm going to talk about improved torsion-point attacks on SIDH variants, which is joint work with Victoria de Quehen, Chris Leonardi, Chloe Martindale, Lorenz Panny, Christophe Petit, and Katherine Stange. Isogeny-based cryptography is based on the hard problem of finding isogenies between supersingular elliptic curves. When the degree of the secret isogeny is of the form l^k, where l is some small prime number, this can be interpreted as a path-finding problem in the supersingular isogeny graph. The best known algorithms for finding an isogeny of a given degree are then just meet-in-the-middle algorithms, where you do random walks from both endpoints and hope for a collision. This gives you an algorithm which has time complexity roughly the square root of the degree, but requires a lot of memory, and the van Oorschot-Wiener algorithm gives a time-memory trade-off. Nevertheless, all known algorithms for this problem are exponential in the size of the input. However, most cryptosystems, most prominently SIDH, are based on relaxations of this problem. So a natural question occurs: can one exploit this extra information somehow to beat generic meet-in-the-middle algorithms?

First let me briefly recall supersingular isogeny Diffie-Hellman, otherwise known as SIDH. Let p be a prime number, let A and B be smooth coprime integers, and let E_0 be a supersingular elliptic curve over F_{p^2}. Then Alice picks a cyclic subgroup G_A and computes the corresponding isogeny from E_0 to E_A = E_0/G_A, and sends the codomain of her secret isogeny, E_A, to Bob. Bob also picks a cyclic subgroup G_B, computes the corresponding isogeny, and again sends the codomain of his secret isogeny to Alice. And then they want to compute the common shared secret, which is E_0/<G_A, G_B>.
But just knowing the codomain of the other party's secret isogeny is not enough to compute this shared secret, so both have to send over some extra information: namely Alice sends over φ_A(P_B) and φ_A(Q_B), where P_B and Q_B generate the B-torsion, and Bob sends over φ_B(P_A) and φ_B(Q_A), where P_A and Q_A generate the A-torsion. This motivates the following algorithmic problem, which we call the SSI-T problem. Let φ be a secret isogeny of known degree A between two supersingular curves E_0 and E_A, and suppose you also know φ(P_B) and φ(Q_B), where P_B and Q_B generate the B-torsion; the problem is to compute φ. So our goal is to give certain conditions on A, B and p, where p is the characteristic of the base field, under which we can solve this problem in polynomial time, or at least faster than generic algorithms. This is a relaxation of the well-known CSSI problem, which was introduced in the SIDH paper, where A and B are also required to be roughly the same size, and both have to be prime powers.

Some remarks: for this problem to truly make sense, you need the B-torsion to be efficiently representable, which you can do in many ways. You could choose B to be powersmooth, but most systems use special primes to make sure that the B-torsion is defined over a small extension field: in SIDH, A and B both divide p + 1, and in B-SIDH, which is a variant of SIDH, A and B are chosen to divide p^2 - 1. In both SIDH and B-SIDH, balanced parameters are used, meaning that A is roughly the same size as B, but that doesn't really provide any efficiency benefit; it just comes from the fact that you want the same security level for Alice and Bob. The first attack which exploits this extra information was by Petit at Asiacrypt 2017, and let me briefly recall what the attack does.
So the main idea is to find a special endomorphism θ of the starting curve E_0 and an integer d such that τ = φ θ φ̂ + d can be recovered from its restriction to E_A[B]. And why does this help us? Because then you can compute the intersection of the kernel of τ - d and the A-torsion of the target curve, which will essentially give you the dual of φ, modulo some technical details. Then the natural question is how do you find such a τ, so what restrictions do you impose on θ? You choose θ in a way that the degree of τ is B times e, where e is something small, because then you can recover the B part of τ just using the torsion-point images, and the e part can be recovered by some meet-in-the-middle algorithm. And then the next question is how do you find such a θ? In general, when you know nothing about the endomorphism ring of E_0, this is a hard problem, because for generic random curves you usually don't know any non-scalar endomorphisms. But in many applications, or actually most applications, a special starting curve is used, y^2 = x^3 + x, which has a very particular endomorphism ring, which is known and has a special structure. Namely, it contains i and j with the property that i^2 = -1, j^2 = -p (j is actually just the Frobenius), and ij = -ji. In this context, finding a suitable θ means we end up solving the following Diophantine equation: A^2 (p a^2 + p b^2 + c^2) + d^2 = B e. Here we are looking for small a, b, c and d, and we also have the extra condition that e should be small. So how do we solve such an equation? First, we solve it modulo A^2, which will give us d. Then we solve it modulo p, which will give us c. And then we hope that what we get is a sum of two squares. If not, then we iterate.
And this is a viable way of solving this equation whenever B is bigger than p^2 A^2. So our main result concerns improving these methods in various ways, and let me start with our first improvement. The first improvement is that it is actually enough for the degree of τ to be equal to B^2 e. And why is that? Because then τ can actually be decomposed as ψ_1 ∘ η ∘ ψ_2 composed with multiplication by m, where the degree of ψ_1 and ψ_2 is B/m, the degree of η is e, and m is actually either one or two. And we can get most of the information about τ just by looking at τ modulo B. So τ modulo B can be represented by a 2×2 matrix over Z/BZ, and the kernel of this matrix is the kernel of ψ_1; this was already used in the previous attack. But then the image of this matrix is actually the kernel of ψ_2, and m can also be recovered from this matrix representation. The only part which cannot be recovered is the η part, but again that part can be recovered by a generic meet-in-the-middle algorithm. An alternative way of thinking about this attack is just running Petit's attack twice, once with θ and then once with the dual of θ: essentially in the first attack you recover ψ_1 and in the second one you recover the dual of ψ_2. So another way of thinking about this attack is actually as a reduction between two problems, one being finding a suitable θ with a suitable degree, and the other one being the SSI-T problem. When the starting curve is y^2 = x^3 + x, we have a very similar Diophantine equation to the previous one, except now we have B^2 instead of B, and we can solve this whenever B is bigger than p A, with the exact same method as before. But solutions should exist for a much wider variety of parameters; we just weren't able to find them. We give heuristics on when this should be solvable, but solving them is left as an open problem.
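As an added worked example (my own code, not from the talk or the paper), here is the equation-solving procedure just described, run on constructed toy parameters for both the original degree-Be equation and the B^2 e variant of the first improvement. The function names are mine, and because the parameters are tiny the square roots modulo A^2 and modulo p are found by exhaustive search rather than by a proper modular square-root routine.

```python
from math import isqrt


def is_sum_of_two_squares(n):
    """Return (a, b) with a*a + b*b == n and a <= b, or None (brute force, toy sizes)."""
    for a in range(isqrt(n // 2) + 1):
        b = isqrt(n - a * a)
        if a * a + b * b == n:
            return a, b
    return None


def solve_torsion_equation(A, p, rhs_base, max_e=50):
    """Find small (a, b, c, d, e) with  A^2 (p a^2 + p b^2 + c^2) + d^2 == rhs_base * e.

    rhs_base = B   gives Petit's equation      (deg tau = B e),
    rhs_base = B^2 gives the first improvement (deg tau = B^2 e).
    Procedure from the talk: solve modulo A^2 (gives d), then modulo p (gives c),
    then hope the remainder is a sum of two squares; otherwise iterate.
    Toy sizes only: the modular square roots are found by exhaustive search.
    """
    A2 = A * A
    for e in range(1, max_e + 1):
        target = rhs_base * e
        for d in range(A2):                          # d^2 == rhs_base*e (mod A^2), d^2 < target
            if d * d >= target or (target - d * d) % A2:
                continue
            rem = (target - d * d) // A2             # must equal p a^2 + p b^2 + c^2
            for c in range(p):                       # c^2 == rem (mod p), c^2 <= rem
                if c * c > rem or (rem - c * c) % p:
                    continue
                ab = is_sum_of_two_squares((rem - c * c) // p)
                if ab is not None:
                    a, b = ab
                    assert A2 * (p * a * a + p * b * b + c * c) + d * d == target
                    return a, b, c, d, e
    return None                                      # no solution with e <= max_e


if __name__ == "__main__":
    # Constructed toy parameters: p = 7 (so y^2 = x^3 + x is supersingular), A = 2^2, B = 3^7.
    # B > p^2 A^2 = 784, the regime where the talk says Petit's method is viable.
    p, A, B = 7, 4, 3 ** 7
    print(solve_torsion_equation(A, p, B))         # (3, 7, 2, 1, 3): deg tau = 3 B
    # B^2 variant of the first improvement, viable when B > p A = 28.
    print(solve_torsion_equation(A, p, B * B))     # (33, 204, 0, 3, 1): deg tau = B^2
```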
The second improvement is that it is actually enough for the degree of τ to be B^2 p e, because you can run the same attack as before. When you are left with the η part, of course if η has small degree you can recover it by some meet-in-the-middle algorithm. But even if the two curves in that part of the attack are not close, if one of them is close to the other one's conjugate, you can still recover the isogeny by applying Frobenius and then applying the meet-in-the-middle algorithm. So this changes the equation from B^2 to B^2 p. And this again imposes a modulo p condition, so you need to choose c and d to be divisible by p. You make this choice, divide by p, and set c = 0. Then solving this equation is again very similar to before: solve modulo A^2 and then hope that what you get is a sum of two squares. The importance of this method is that it is much less reliant on p, because by setting c = 0 you only have one p in the equation, and this leads to a solution; so this method succeeds whenever B is bigger than √p · A^2, modulo some technical details, for which see the full version of the paper. So why is this important? Because you bring down the exponent of p from one to one half, while the exponent of A goes up from one to two. This is particularly important for SIDH-like parameter choices, where p is the biggest factor in the equation.

All these conditions were concerned with polynomial-time attacks, but you can also look at attacks which are exponential time but faster than generic path-finding algorithms. We have derived two types of methods for dealing with this situation. One is that you can of course increase the size of e, and then the cost of the attack is just the cost of finding a degree-e isogeny, because all the other parts of the attack are polynomial time.
The other one is that you can also guess part of the secret isogeny, which will reduce A, and then run the torsion-point attack. Of course the attack can fail if the first guess was wrong; if it fails then you choose a different guess, and guessing a degree-d isogeny will give you a factor d in complexity.

Now let me show two graphs which show the evolution of torsion-point attacks throughout the years. The first is the 2017 attack by Petit. In this graph you have two axes, an axis α and an axis β, where A is roughly p^α and B is roughly p^β. Now you want conditions on α and β for which you have improved attacks. In this graph the red line and the area above it symbolize polynomial-time attacks, and the orange line and above symbolizes better-than-generic attacks. As you can see, the original attack didn't affect any SIDH- or B-SIDH-like parameter choices: the dotted line connecting the two ones corresponds to SIDH-like parameter choices, and the dotted line connecting the two twos corresponds to B-SIDH-like parameter choices. Now with our work you can see we have a much larger portion of the parameter space covered. Again the red line and above is polynomial-time attacks, the orange line and above is better-than-generic attacks, and we have a new line here, the yellow line, which is better than the quantum attacks. As you can see, certain SIDH- and B-SIDH-like choices are now affected by our attacks. Let me give some highlights of this graph, which are the most important parameter choices for which we have certain attacks. The first is a polynomial-time key recovery when B is bigger than A^5 and p is roughly A·B, which is an SIDH-like parameter choice and was actually chosen in some designs, most importantly a group key exchange with six or more parties.
The second one is a polynomial-time key recovery when B is bigger than A^2 and p^2 is roughly A·B, which is a B-SIDH-like parameter choice; again not chosen in B-SIDH itself, because there the parameters are chosen to be balanced. And the third one is an improved quantum attack whenever B is bigger than A^2 and p is roughly A·B, which again is an SIDH-like parameter choice.

So far all these attacks were concerned with the special starting curve y^2 = x^3 + x. We can also ask whether you can specifically design starting curves for which you can solve SSI-T in polynomial time or faster than generic algorithms. The first result is that whenever B is bigger than A^2, the answer to this question is affirmative: you can actually construct certain backdoor curves for which you can solve SSI-T in polynomial time. What is to be noted here is that this condition is completely independent of p; it only depends on the balance between B and A. The main idea behind this attack is that instead of fixing the starting curve and then looking for some special endomorphism on it, you look for them together. You actually look for the endomorphism first, in quaternion form, and then you find a suitable supersingular curve which contains that endomorphism. How does this change the conditions on equation solving? You have the same equation as before, from the first improvement, and again d has to be an integer, but a, b and c do not have to be integers; it's enough for them to be rational. What is to be noted is that p a^2 + p b^2 + c^2 has to be an integer. The reason is that that quantity will be the norm of θ in quaternion terms, or in isogeny terms the degree of θ, and you will be looking for a θ which has trace zero. How do you solve this equation?
First, again you solve modulo A^2, which actually gives you the condition that B has to be bigger than A^2, because what you want afterwards is an equation whose right-hand side is positive: on the left-hand side you have p a^2 + p b^2 + c^2, which even if you choose rational a, b and c will always be a positive number. Once the right-hand side is positive, the only other condition for this to be solvable over the rationals is that it has to be a quadratic residue modulo p, which happens half the time; so if it's not, you choose a different value and iterate as before. Once you've solved this equation you have found θ in quaternion form, and what you do is find a maximal order containing that particular quaternion and then translate it to a supersingular elliptic curve. To understand the solution step for this problem: essentially any θ is good which has a particular minimal polynomial; in this context all θ are good for which θ^2 = -d, so essentially (A, B)-backdoor curves are curves whose endomorphism ring contains a copy of Z[√-d]. We show that the number of these maximal orders is actually exponential in log p, which gives an indication that it is probably hard to distinguish a random curve from a backdoor curve without any information about its endomorphism ring. Again, the condition that B has to be bigger than A^2 applies to polynomial-time attacks, so you can again look at special backdoor curves for which you don't have a polynomial-time attack but you do have an exponential-time attack which is still better than generic attacks, and the result there is that even for balanced parameters you can construct backdoor curves for which you can beat existing attacks. We also discuss other backdoor issues in the paper, such as backdoor parameters A and B and backdoor base field problems, which I won't be discussing in this talk.

To conclude, we have made significant improvements to previous attacks; most prominently we have an attack whenever B is bigger than A^5 and p is roughly A·B, which breaks a certain group key exchange with six or more parties. We introduced the concept of backdoor curves, which is an important concept for future designs and can actually also be used in a constructive fashion. Our methods can serve as a sort of benchmark for SIDH- and B-SIDH-like parameter choices for future cryptosystems. And finally, we advise against using starting curves coming from shady sources. Thank you.