The last talk of the session is "Faster algorithms for isogeny problems using torsion point images" by Christophe Petit. Of course, Christophe Petit. Thank you. Thank you to the organizers, and thank you to Craig for introducing a lot of stuff that I won't have to go through in detail. So I think all of you are well aware of this, right? The day quantum computers are built, we need something that is not based on discrete logarithms and factoring, and one of the directions currently being pursued is isogeny-based cryptography. So the protocols include a hash function, the key exchange protocol SIDH, and SIDH signatures, as you saw yesterday. And one of the selling points of this area is that classical and quantum algorithms still require exponential time. So in this talk I want to talk about the challenges. In this paper we present new techniques for problems that are close to supersingular isogeny problems. I'll make more precise what I mean by "close to" and let you judge whether this is close enough to present some threats in the near future. All right, so that's the plan of my talk. I first want to recap a little bit the SIDH protocol, and then I'll go to the core of this paper. All right, so isogeny problems, in case you weren't listening: they're about computing some maps, or isogenies, between curves, or some variants of this problem, as we'll see. So the kind of pure problem would be: you're given two curves, you have to compute an isogeny between them. There are several variants, several other problems that are equivalent to this one. For example, computing the endomorphism ring of a random curve. An endomorphism is just an isogeny from a curve to itself, and this set has a ring structure. So computing this ring, for whatever that means, is equivalent to computing an isogeny between two curves. Breaking the hash function by Charles, Goren and Lauter is also equivalent to that.
And as you saw yesterday, breaking our signature scheme with Steven and Javier is also equivalent to that. However, breaking SIDH is not equivalent to those problems, as far as I know, unless of course they're all easy and polynomial-time. Okay, so here's SIDH. You choose a prime p. The formulation here is actually more general than what you saw in the previous talk. You choose two integers, N_A and N_B, and I only require that those are coprime to each other. Alice picks a cyclic subgroup G_A in the N_A torsion. This defines an isogeny, in the sense that the kernel of the isogeny is this cyclic subgroup. You take the curve E_0 modulo G_A, so that's E_A = E_0/G_A, if you like, in correct notation. And then she sends E_A to Bob, or the j-invariant of E_A. Bob proceeds similarly. So they exchange E_A and E_B, and then, similarly to Diffie-Hellman, you'd like Alice to do some additional computation here, and Bob to do some additional computation here, so that they agree on some common shared key, which will be, I mean, it's natural to expect this to be E_0 modulo the group generated by G_A and G_B. Right? So the shared key is this curve here. You can also rewrite this as E_B modulo phi_B(G_A), or E_A modulo phi_A(G_B). The issue here is that, well, G_A is known to Alice, but it's not known to Bob. And phi_B is known to Bob, but not to Alice. So we have a problem here. And that was the core idea in Jao and De Feo: how to actually compute this, right? To achieve that, they use a clever trick. This group G_A, if you choose a basis for the N_A torsion, can be defined by two integers alpha_A and beta_A modulo N_A, at least one of them coprime to N_A. So you get G_A generated by this point here. And then in the protocol, in addition to revealing the curve, Bob will also reveal the images of P_A and Q_A through his isogeny phi_B. And now when Alice has to compute phi_B(G_A), what she just has to do is compute the point alpha_A phi_B(P_A) + beta_A phi_B(Q_A).
Because an isogeny is a group homomorphism, this will give a generator for the image of G_A. So that was the clever idea in Jao and De Feo, if you recall. To make this a little bit more efficient, they actually choose a restricted set of parameters. As you saw in the last talk, they choose 2 to some exponent for N_A and 3 to some exponent for N_B, where both of them are roughly equal to the square root of p, to balance the security. And so p will be something like this, so that those points here, the N_A torsion and the N_B torsion, are actually defined very easily. It's not strictly necessary, so you can relax this; you pay a huge factor in efficiency in practice, but it would still work. So here's the protocol again. The black information here is what's public, the blue information is what's known to Alice, and the red information is known to Bob. So that's the shared key. As you see, in addition to E_A and E_B, you actually get those extra points here. Okay? So SIDH doesn't rely on this pure problem. It relies on some very special problems, for a few different reasons. First of all, we choose a very special prime, a Mersenne-like prime, right? You want N_A to be equal to 2 to the e_A, and N_B to be 3 to the e_B, so you get p of a special form here. That's one reason. Second reason: well, there are roughly p/12 supersingular j-invariants, but because N_A is roughly the square root of p, there are only roughly square root of p choices for E_A. So E_A is not randomly distributed. Okay? And thirdly, and most importantly for this talk, you do get this extra information. So you not only give them E_A and the degree of the isogeny, but you're also giving essentially the image of the whole N_B torsion, right? You give them phi_A(P_B) and phi_A(Q_B), but from there you can compute the image of any point in there.
So it was well understood that point two here will improve the kind of meet-in-the-middle attack where you start from two curves and perform some kind of tree-based attack. But points one and three are essentially open. So in this paper, what we do is we kind of relax point one, and this allows us to exploit point three. And I want to stress that relaxing point one actually makes sense also if you want to deal with this issue. So there are good reasons for doing that, apart from just making my technique work. All right. Okay, so let's go to the attacks now. Remember, our motivation is an attack on Jao-De Feo, so I'll change N_A and N_B to N_1 and N_2, just because you can swap them; it doesn't change my discussion. So the goal here is: given an isogeny of given degree N_1 between E_0 and E_1, where you're given those two curves and the degree, compute the isogeny, given also the action of phi on the N_2 torsion. Okay. Well, how useful is this additional information? Well, if the GCD of N_1 and N_2 is not one, then you can use this information trivially to recover part of the kernel of the isogeny. So you're essentially recovering part of phi_1. Okay. But of course, in the parameters, they're chosen coprime to prevent that. So that's one trivial case. Another observation is, well, there have been some papers, including one at this conference last year with Steven and students, where we replaced these two points that are supposed to be given by the protocol by other, wisely chosen points, so that eventually we grab a little bit of information, and we repeat and repeat, so we actually get the whole private key. But this is kind of cheating, in a sense. I mean, it's an active attack, so we're not following the protocol. So in this talk, what I want to show is some techniques that will allow us to deal with the passive setting.
So assuming Alice and Bob follow the protocol, and Eve is only eavesdropping, what can she do to actually break those problems? As a warm-up, I don't want to be targeting exactly an isogeny problem, but I'll come to it later. I want to target a slightly easier problem, which is essentially the same problem but for endomorphisms. So let p be a prime, let E be a supersingular curve defined over F_{p^2}. Let phi be a non-scalar endomorphism of E with smooth degree N_1. Let N_2 be another smooth integer, such that it's coprime to N_1. And let P and Q be a basis of E[N_2]. The only difference with the SIDH setting is that there's only one curve, and phi is an endomorphism instead of being an isogeny between two curves. So my attack assumes that we know a subring of this endomorphism ring. I know it because it's easy to compute, or because for some reason it's given. A simple example where you may know such a subring is the scalar multiplications. For any curve, you know that the scalar multiplications are endomorphisms, so this assumption is not very strong. It's not an assumption but a fact in this case. So the problem I want to target here is: given a curve E, given P, Q, and the images of P and Q through this endomorphism, and the degree of phi, compute phi. So suppose we ignore this additional information; what's the best attack? The best attack is this tree-based approach that I've already talked about. You start from E and you build two trees of isogenies, each of them of size roughly the square root of N_1. And if you do that, well, there will be a collision in the middle. So the cost of this strategy is roughly the square root of N_1. The attack technique I will show you now will actually provide a square-root speedup on this. So the cost will be N_1 to the power 1/4. Okay.
So here's a sketch of the algorithm in the case where the subring of endomorphisms that I know is just the scalar multiplications, so there's no restriction here. We know phi on the N_2 torsion. This allows us to deduce the action of its dual on the N_2 torsion as well, just because N_2 is coprime to N_1. Now if you have the action of phi and the action of its dual on the N_2 torsion, you can just compute phi plus phi-hat, and that gives you the trace: the trace of phi, actually modulo N_2. But you can also bound the trace by 2 times the square root of the degree. So assuming that N_2 is bigger than 2 times the square root of N_1, which is the case, by the way, in all the parameters chosen, then you actually get the trace of phi not only modulo N_2, but over the integers. So the core trick in this attack is to consider this endomorphism psi. The endomorphism ring is a ring, so you can compose additively and multiplicatively. So you have phi; if phi is an endomorphism, then a phi + b is also an endomorphism for any integers a and b. So you can evaluate psi on the N_2 torsion. You don't know psi, because you don't know phi at this point, but since you know phi on the N_2 torsion, you can also evaluate psi on the N_2 torsion. So the attack will try to find a and b such that the degree of psi, which will be equal to this formula (you can ignore this for a moment), such that the degree of psi will be equal to this product N_2 times N_1', where N_2 is given in the problem, and N_1' we want to be as small as possible and as smooth as possible. All right? So in this formula here, just notice that the degree of phi is known, it's given in the problem, and the trace of phi we've just computed. So this is essentially a quadratic form in a and b, and we have to solve it. Then the endomorphism psi, because it's of degree N_2 N_1', I can write as the composition of isogenies of degree respectively N_1' and N_2.
And then, because I can evaluate psi on the N_2 torsion, I can actually recover the part of the kernel of psi that corresponds to N_2. So this gives me the kernel of psi_{N_2}, and then from this I can use Vélu's formulas to deduce psi_{N_2}. So at this point I've got E, I've got an isogeny psi_{N_2}, and I'm looking for another isogeny psi_{N_1'} that will go back to E. Well, for this isogeny of degree N_1', I can just use the meet-in-the-middle strategy, and the cost of this meet-in-the-middle strategy is essentially the square root of N_1'. So if we manage to make this efficient enough, and if N_1' is the square root of N_1, then we get the square-root speedup that I promised. So, sorry, I forgot this last step. Once you have found psi_{N_1'}, you have this component and this component, you get psi, and if you want to recover phi, you just compute (psi - b) divided by a, and you're done. So that's the sketch of the algorithm. I just want to say a few words about how to actually find a and b here, such that this quadratic form here is equal to N_2, which is given, times N_1', which we want as small as possible. Okay, so here's this quadratic form again. And, well, I mean that this could be, more or less, a two-dimensional lattice. So the solutions to degree of psi equal to zero modulo N_2 will form a two-dimensional lattice. And then we're looking for some element in this lattice such that the norm here is as small as possible. So you just use lattice basis reduction in dimension two. It just works, very efficiently. And then once you have computed a reduced basis, we search for a rather short vector such that N_1', in addition to being short, is also smooth enough. Okay, so I don't have the time here to give you the complete analysis in the paper, but it shows that we can expect N_1' to be as small as the square root of N_1, as promised.
And this shows that by using this extra information that is revealed, we actually get a square-root speedup over ignoring it entirely. There are some parameter restrictions, which are on this slide. All right, so this is just solving a problem that you might not be so interested in. So now let's go to the real thing. We now have a prime p. We've got N_1 and N_2, two integers, coprime. E_0 is a curve defined over F_{p^2}, and now we have an isogeny from E_0 to E_1, and we're given the degree. I take some extra assumption. I assume that I know R_0 and R_1, subrings of both the endomorphism rings of E_0 and E_1. And I actually have to take an extra assumption here: I assume that R_0 contains a little more than the scalar multiplications. So assuming that it contains the scalar multiplications is no restriction at all, because this I know, but this poses some condition on E_0. We'll see that, in fact, in the implementations that condition is always fulfilled. The problem we want to solve here is: we're given p, all those parameters N_1, N_2, those two curves, R_0, R_1, and the image of phi_1 on the whole N_2 torsion, and we want to compute this isogeny. The best previous algorithm, again: you have those two curves, and you kind of build two trees from the two curves until you get a collision. So again, the cost of the best algorithm, if you ignore this additional information, will be something like the square root of N_1. Okay, here's the general idea of our attack. Our attack will actually reduce to the previous case. Remember, I assumed that I knew some part of the endomorphism ring of E_0, not just the scalar multiplications. So let theta be a non-scalar endomorphism of E_0. Then I can consider an endomorphism of E_1 defined by the composition of the dual of phi_1, theta and phi_1. That's an endomorphism of E_1.
And observe that because you're given the action of phi_1 on the N_2 torsion, you can deduce the action of the dual of phi_1, and you know theta, so you can actually evaluate phi on the whole N_2 torsion. So we have the setting of the previous case. We now have an endomorphism of E_1, and we can apply the techniques that I just showed in the previous case. This gives us essentially phi. So at this point, we want to deduce phi_1 from phi, right? There's a little bit of work to be done, but it's not too complicated. You compute the intersection of the kernel of phi with the N_1 torsion on E_1, and then the kernel of the dual of phi_1 is a cyclic subgroup that's contained in this one. So if this guy is a cyclic subgroup, you're done. In general, you don't expect it to be a cyclic subgroup, but you expect that there are not too many possible options, so you can just do some search to actually recover the real one. So once you have found this, you actually deduce phi_1-hat, and you're done. Right? Now, impact on the key agreement protocol. I guess that's what you all care about. Well, first of all, this assumption that I made: remember, I need to assume that R_0 contains a little more than the scalar multiplications. Well, observe that in the SIDH implementations I'm aware of, and actually in the submission, they're using j = 1728. That's a very special curve for which you not only know a small subring, you actually know the whole endomorphism ring of E_0. And not only do you know the whole endomorphism ring, but it's also very special: it contains very small elements, in particular a degree-one non-scalar element. So both aspects, the fact that we know it entirely and the fact that there are small elements in there, are useful to make our attacks more efficient. We don't actually break SIDH parameters; I'll come to that. But we do obtain heuristic polynomial-time attacks to recover the whole key, assuming the parameters are stretched. Okay?
So, if j is as they use in their implementation, then I actually need N_1 to be p squared and N_2 to be at least N_1 to the 4. In that case, actually, the additional information provided by the action of the isogeny on this N_2 torsion is sufficient to recover the isogeny in polynomial time. And there's another attack in the paper where I relax this assumption, but I take even more overstretched parameters. And again, I get some polynomial-time attack there. So in the SIDH parameters proposed so far, typically they would choose N_1 and N_2 roughly equal to the square root of p. So I don't find a way to apply my techniques in this setting. But, of course, maybe next year, there are more clever people here than I am, so maybe next year there will be somebody presenting some extension of this. All right, so to conclude, isogeny problems used in SIDH are special in many senses. It was already known that the small degree could accelerate the attacks, but there are other properties that haven't been exploited so far. One of them is the use of, I mean, the fact that you're actually revealing this kind of information. So what we're doing here in this paper is we show that revealing this extra information is not innocent, potentially; at least there are some isogeny problems that are very close to the ones appearing in those protocols, for which it actually leads to polynomial-time key recovery. So in my opinion, isogeny-based cryptography is very, very appealing. But, of course, it's still a very recent area, and I hope the submission can encourage more classical and actually quantum cryptanalysis on these problems. You have one more. I'm not too familiar with this. Can you explain the trick precisely? Okay. Not at all. Thanks to the speaker again.
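The following Python toy model is an added worked example and is not part of the talk or of the paper's code. It isolates the core trick described above for the warm-up endomorphism problem: recover tr(phi) from phi's action on E[N2] via the dual (phi + phi-hat = [tr phi]), lift it with the bound |tr phi| <= 2 sqrt(deg phi), and then find integers a, b with deg(a phi + b) = N2 * N1' for a small, smooth N1' by Lagrange-Gauss reduction of a two-dimensional lattice. Everything is constructed: E[N2] is modelled as (Z/N2)^2, so phi is represented only by the matrix M of its action on a basis (P, Q), which is exactly what an eavesdropper gets from phi(P), phi(Q); the values N1 = 2^12, N2 = 5^4, the trace 30 and the matrix M are assumptions chosen for the demo. The quadratic roots modulo N2 are found by brute force (the real attack would use the smooth factorisation of N2), and the later Vélu and meet-in-the-middle steps are not modelled.

```python
"""Added toy model of the trace-and-lattice step of the torsion-point attack.

Constructed example: E[N2] is modelled as (Z/N2)^2 with basis (P, Q), and the
secret endomorphism phi is represented only by the 2x2 matrix M of its action
on that basis, i.e. by phi(P) and phi(Q). No curve arithmetic is performed.
"""
from math import gcd

N1 = 2**12   # deg(phi), given in the problem (assumed toy value)
N2 = 5**4    # phi is revealed on E[N2]; N2 > 4*sqrt(N1) so the trace lifts uniquely

# Constructed action of phi on E[N2] in the basis (P, Q): columns are phi(P), phi(Q).
# Chosen so that trace(M) = 30 and det(M) = N1 mod N2, as for a genuine
# endomorphism of degree N1 (characteristic polynomial x^2 - tr*x + deg).
M = ((7, 11), (40, 23))


def adjugate(A, mod):
    """Matrix of phi_hat on E[N2]: M * adj(M) = det(M) * I = [N1] = [deg phi]."""
    (a, b), (c, d) = A
    return ((d % mod, -b % mod), (-c % mod, a % mod))


def recover_trace(A, n1, n2):
    """phi + phi_hat = [tr phi], so M + adj(M) is tr(phi) * I mod N2.
    The bound |tr phi| <= 2*sqrt(deg phi) lifts it to the integers."""
    adj = adjugate(A, n2)
    S = [[(A[i][j] + adj[i][j]) % n2 for j in range(2)] for i in range(2)]
    if S[0][1] or S[1][0] or S[0][0] != S[1][1]:
        raise ValueError("input matrix is not the action of an endomorphism")
    t = S[0][0] if S[0][0] <= n2 // 2 else S[0][0] - n2   # centred representative
    if t * t > 4 * n1:
        raise ValueError("lifted trace violates |tr| <= 2 sqrt(deg)")
    return t


def deg_form(a, b, n1, t):
    """deg(a*phi + b) = a^2 deg(phi) + a*b*tr(phi) + b^2 (positive definite)."""
    return n1 * a * a + t * a * b + b * b


def two_bilinear(u, v, n1, t):
    """2*B(u, v) for the bilinear form B polarising deg_form (kept integral)."""
    return 2 * n1 * u[0] * v[0] + t * (u[0] * v[1] + u[1] * v[0]) + 2 * u[1] * v[1]


def gauss_reduce(v1, v2, n1, t):
    """Lagrange-Gauss reduction of the rank-2 lattice spanned by v1, v2 with
    respect to the degree form; returns a basis whose first vector is shortest."""
    while True:
        if deg_form(*v2, n1, t) < deg_form(*v1, n1, t):
            v1, v2 = v2, v1
        q1 = deg_form(*v1, n1, t)
        mu = (two_bilinear(v1, v2, n1, t) + q1) // (2 * q1)   # round(B(v1,v2)/B(v1,v1))
        if mu == 0:
            return v1, v2
        v2 = (v2[0] - mu * v1[0], v2[1] - mu * v1[1])


def roots_mod(n1, t, n2):
    """lam with lam^2 + t*lam + n1 = 0 mod n2; setting b = lam*a then forces
    deg(a*phi + b) = 0 mod n2. Brute force is fine at toy sizes."""
    return [lam for lam in range(n2) if (lam * lam + t * lam + n1) % n2 == 0]


def is_smooth(n, bound):
    """True if n > 0 and every prime factor of n is at most `bound`."""
    if n <= 0:
        return False
    for p in range(2, bound + 1):
        while n % p == 0:
            n //= p
    return n == 1


def find_smooth_psi(A, n1, n2, smooth_bound=30, radius=12):
    """Recover tr(phi) from its N2-torsion action, then search the lattice
    {(a, b): deg(a*phi + b) = 0 mod N2} for a short vector whose cofactor
    N1' = deg(psi)/N2 is smooth. Returns (trace, (a, b, N1')) or (trace, None)."""
    t = recover_trace(A, n1, n2)
    best = None
    for lam in roots_mod(n1, t, n2):
        v1, v2 = gauss_reduce((1, lam), (0, n2), n1, t)   # basis of {b = lam*a mod n2}
        for c1 in range(-radius, radius + 1):
            for c2 in range(-radius, radius + 1):
                a = c1 * v1[0] + c2 * v2[0]
                b = c1 * v1[1] + c2 * v2[1]
                if (a, b) == (0, 0) or gcd(a, b) != 1:   # skip 0 and non-primitive psi
                    continue
                n1_prime = deg_form(a, b, n1, t) // n2     # exact for a lattice vector
                if is_smooth(n1_prime, smooth_bound) and (best is None or n1_prime < best[2]):
                    best = (a, b, n1_prime)
    return t, best


def psi_on_torsion(a, b, A, n2):
    """Action of psi = a*phi + b on E[N2], computable from M alone. Its determinant
    is deg(psi) mod N2, which vanishes for a lattice vector: that nontrivial
    kernel on E[N2] is what the Velu step of the attack would isolate."""
    return tuple(tuple((a * A[i][j] + (b if i == j else 0)) % n2 for j in range(2))
                 for i in range(2))


def det_mod(A, n2):
    return (A[0][0] * A[1][1] - A[0][1] * A[1][0]) % n2


if __name__ == "__main__":
    trace, hit = find_smooth_psi(M, N1, N2)
    a, b, n1p = hit
    print(f"tr(phi) = {trace}; psi = {a}*phi + {b} has degree {N2} * {n1p}"
          f" (sqrt(N1) = {N1 ** 0.5:.0f})")
```

The lattice {(a, b) : b = lam * a mod N2} has covolume N2, so its shortest vector has degree roughly N2 * sqrt(N1), which is why N1' comes out near sqrt(N1) and the remaining meet-in-the-middle search costs about N1^(1/4) instead of N1^(1/2).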