 # On the supersingular GPST attack

We explain why the first Galbraith-Petit-Shani-Ti attack on the Supersingular Isogeny Diffie-Hellman and the Supersingular Isogeny Key Encapsulation fails in some cases.

## Authors

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1. Introduction

In 2011, De Feo and Jao [DFJ11] introduced Supersingular Isogeny Diffie-Hellman (SIDH), a post-quantum key exchange protocol that mimics the Diffie-Hellman protocol in the settings of isogenies between supersingular curves. In 2014, Jao, De Feo and Plût [DFJP14] built upon SIDH to obtain a key encapsulation scheme called Supersingular Isogeny Key Encapsulation (SIKE).

We recently carried out a study of one of the most relevant attacks against SIDH and SIKE, namely the first attack presented in [GPST16]. We call it the Galbraith-Petit-Shani-Ti attack, or GPST. It is an active attack where the attacker impersonates one of the two parties and can recover the static key of the other party in about as many interactions as the number of bits of the key. We will show in Section 2 that the attack may fail in some precise circumstances.

### Preliminaries

For an elliptic curve defined over a field , we denote the base point of the elliptic curve by and the modular invariant of by . The invariant is an element of that characterizes the -isomorphism class of . For rational over , we denote by the subgroup of generated by .

The parameters of the SIDH protocol, in the form and notation of [GPST16], are the following:

• A prime , where are natural numbers, is small and .

• A supersingular elliptic curve defined over .

• Points which form a basis of and points which form a basis of .

We refer the reader to the original paper [GPST16] for the presentation of the attack. We introduce here the two assumptions that are required for the GPST attack to take place:

1. Alice uses a static key . The values are elements of , not both divisible by 2.

2. The attacker has access to an oracle such that, if denote supersingular elliptic curves defined over and denote any two points on ,

 (1) O(E,R,S,E′)={true,if j(E/⟨[a1]R+[a2]S⟩)=j(E′),false,otherwise.

Such an oracle can be realized in practice by having a mechanism in place that ensures the two parties obtain the same shared key.

The attacker does not need any additional information, which makes the GPST attack one of the most powerful attacks known in the literature.

## 2. Attacking the attack

Alice’s static key is always equivalent (i.e. it leads to the same key exchange) to a key of the form or , where is again an element of [GPST16, Lemma 2.1]. Without loss of generality, we may assume we are in the former case.

Each iteration of the GPST attack relies on the following implication, used in the paragraph First step of the attack of [GPST16]:

 (2) (j(E/⟨T1⟩)=j(E/⟨T2⟩))⇒(⟨T1⟩=⟨T2⟩)

to recover a single bit of the key. In particular, the oracle query (1) is used to recover whether is equal to , where are points on an elliptic curve computed by the attacker. The points and are chosen such that implies the -th bit of the key is a zero-bit. Thus, if the oracle returns true, then , otherwise .

However, implication (2) is not correct, because there exist pairs of elliptic curves with multiple isogenies between them. Thus, if and are distinct cyclic isogenies between and and and are their respective kernels, we have that is isomorphic to because they are both isomorphic to , but and may not be equal and need not even be isomorphic. Over , a classical example can be found in [Sil94, page 110], namely the pair , where is the curve defined over with , which is given by the affine Weierstrass equation . This curve admits a rational -isogeny to itself (hence cyclic, and given explicitly in loc. cit.), and one computes , hence and are in fact -isomorphic, but clearly .

Over a finite field of characteristic , if one starts with a supersingular elliptic curve , then for any prime , for any positive integer and for any cyclic subgroup of order , the elliptic curve will also be supersingular, because there are still no points of order on . As there are only finitely many supersingular curves over (see for instance [Sil86, Theorem 4.1, pages 148-149]), there exist pairs of cyclic groups where and are not isomorphic and such that is isomorphic to . This argument is used to compute the endomorphism ring of supersingular elliptic curves in [Sil86, page 146] (see also [Hus04, page 267]).

Let us give now a detailed example where the Galbraith-Petit-Shani-Ti attack fails to recover the private key of a SIDH key exchange.

###### Example 1.

Let be a prime and be the finite field , considered as , where satisfies the quadratic equation . Let be the supersingular elliptic curve with affine Weierstrass model over . Consider the points

 PA=(834β+726,642β+130),QA=(583β+276,180β+854), PB=(254β+697,516β+268),QB=(753β+317,234β+532).

The points form a basis of , and form a basis of . Let Alice’s key be of the form , with (written in base ten). The value can also be expressed in bits as (written in base two). From now on, by a slight abuse of notation we refer to as the key.

Let us now carry on the Galbraith-Petit-Shani-Ti attack. Assume the randomly generated values are (for simplicity, we assume and stay constant across iterations, but we only need in the second round for the attack to fail). Let be the isogeny with kernel . Then has affine Weierstrass model . Let us begin the attack and let be the isogeny with kernel . Thus has affine Weierstrass model . Furthermore, we have

 R=ϕB(PA)=(151β+257,594β+2), S=ϕB(QA)=(98β+386,286β+58).

Note that since the degree of is coprime with the order of and , the points and have also order .

The first iteration of the attack starts by computing

 θ0=√(1+24)−1 (mod 25)=7, R′0=[θ0]R=(527β+129,700β+163), S′0=[θ0][1+24]S=(164β+377,566β+641).

It then proceeds by querying the oracle with . The curve has -invariant . The curve also has -invariant , thus the oracle response is true and the first (rightmost) bit of the key is a zero-bit. Hence the attack correctly obtains the first bit of the key.

For the second round, the attacker computes

 θ1=√(1+23)−1 (mod 25)=5, R′1=[θ1]R=(97β+261,795β+545), S′1=[θ1][1+23]S=(718β+214,450β+844),

and queries the oracle on . As before, the curves and both have -invariant , thus the oracle responds true. Hence this time the attacker incorrectly deduces the second bit (reading from right to left) of the key to be zero.

Brute-forcing the remaining bits does not yield any solution, since there is no key ending with two zero-bits (00) such that is isomorphic to .

The previous example establishes that there exist cases where the attack fails. The following are sufficient conditions (when considered together) for the attack to fail at the -th iteration of the attack, for (the attack brute-forces the last three bits of the key and thus cannot fail after ):

1. [(i)]

2. There exist two distinct isogenies and between and .

3. One has and , where and are generators of the kernel of and , respectively.

4. The -th key bit is .

Determining whether condition 1 is satisfied is computationally hard since it is generally hard to compute isogenies between two given curves. Moreover, the points and are dependent on the key and thus unknown to the attacker. Hence, while the attacker influences the points and by choosing , they cannot know whether his choice of would cause the attack to fail.

Condition 2 ensures that the attack is taking place in the case where the points and give rise to the isogenies considered in the first condition. Given the points , we have

 {P1=R+[α]S,P2=R′i+[α]S′i=[θi]R+[θi][α+αi2n−i−1]S,

thus (because of condition 3). If a exists such that the previous equation is satisfied, then suitable points and also exist.

Condition 3 is necessary because the attack fails by incorrectly deducing a zero-bit instead of a one-bit.

These conditions appear to be quite rare. If it could be shown that the number of cases where the attack fails is polylogarithmic in the security parameter, the attacker could simply retry the attack with different choices of until it succeeds. The attack would still be efficient.

Let us add a remark. Each iteration of the attack depends on the previous one since the modified value of iteration relies on , whose last bit is obtained in the th iteration. To see how the error propagates, assume the attack fails at iteration . Thus , the th bit of the key, is a one-bit but the attacker deduces it to be a zero-bit. It follows that = for the attacker since prepending zero-bits does not affect the value of . The attacker then computes the points

 R′i=[θ]R−[θ][2n−i−1Ki−1]S,S′i=[θ][1+2n−i−1]S

and queries the oracle on .

Thus, omitting since it does not affect the subgroup, we have

 ⟨R′i+[α]S′i⟩ = ⟨R+[−2n−i−1Ki−1+α(1+2n−i−1)]S⟩ = ⟨R+[α]S+[−2n−i−1Ki−1+2n−i−1(Ki−1+2i−1+2iαi+2i+1α′)]S⟩ = ⟨R+[α]S+[2n−2+2n−1αi]S⟩ ≠ ⟨R+[α]S⟩,

To see why the the inequality in the last line holds, consider that if the two cyclic subgroups are the same, their generators must be multiples of each other. Assume then . The linear independence of and implies that , which means . Thus, the equality on implies that , which is impossible because and . This means that the oracle will return false (unless the two subgroups, and , give rise again to two isogenies with isomorphic codomain).

The subsequent iterations further propagate the error and the oracle will respond false to every further query (unless, again, the isogenies with different kernels have the same codomain, which is believed to be a rare occurrence). Thus, if the attack fails at the th iteration, all the following key bits are deduced to be a one-bit. This allows the attacker to approximately identify the part of the key that has been correctly deduced and target, with a different choice of , only the remaining part.

## 3. Sage Implementation

In this section, we report the source code of a SAGE [S09] implementation that shows the attack failing in the case detailed in Example 1.

def oracle(E, R, S, Ep):
EAp = E.isogeny(R + alpha*S).codomain()
return EAp.j_invariant() == Ep.j_invariant()

## Performs the GPST attack, assuming that Alice’s key
## is of the form (1, alpha).
def attack(n, m, E0, PA, QA, PB, QB, EA, phiAPB, phiAQB):
K = 0

for i in range(n - 3):
alpha = 0

b1 = 1
b2 = 6

KB = b1*PB + b2*QB
phiB = E0.isogeny(KB)
EB = phiB.codomain()

R = phiB(PA)
S = phiB(QA)
EAB = EA.isogeny(b1*phiAPB + b2*phiAQB).codomain()

FF = IntegerModRing(2^n)
theta = Integer(FF((1 + 2^(n - i - 1))^-1).sqrt())
Rprime = theta * (R - (2^(n - i - 1) * K) * S)
Sprime = theta * (1 + 2^(n - i - 1)) * S

response = oracle(EB, Rprime, Sprime, EAB)

if response == False:
alpha = 1

K += alpha*2^i

found = False

## Bruteforcing the rest of the key
for i in range(2):
for j in range(2):
for k in range(2):
key = K
key += i*2^(n-3) + j*2^(n-2) + k*2^(n-1)

EAprime = E0.isogeny(PA + key*QA).codomain()

if EAprime.j_invariant() == EA.j_invariant():
solution = (1, key % 2^n)
found = True
break

if found:
return solution
else:

## Setup
lA = 2
lB = 3
eA = 5
eB = 3
f = 1

p = lA^eA*lB^eB*f - 1 #p in Primes() returns True
F.<x> = GF(p^2)

# E0: y^2 = x^3 + (531\beta + 538)x + 720\beta + 375
# E0 is supersingular, as shown by E0.is_supersingular()
E0 = EllipticCurve(F, [531*x + 538, 720*x + 375])

PA = E0(834*x + 726, 642*x + 130)
QA = E0(583*x + 276, 180*x + 854) #PA and QA form a basis of E0[2^5]
PB = E0(254*x + 697, 516*x + 268)
QB = E0(753*x + 317, 234*x + 532) #PB and QB form a basis of E0[3^3]

mA = 1
nA = alpha = 10

KA = mA*PA + nA*QA

phiA = E0.isogeny(KA)
EA = phiA.codomain()

phiAPB = phiA(PB)
phiAQB = phiA(QB)

alphaprime = attack(eA, eB, E0, PA, QA, PB, QB, EA, phiAPB, phiAQB)
print("The key is: %s" % str(alphaprime))


## References

• [DFJ11] Jao, D. and De Feo, L., Towards Quantum-resistant Cryptosystems from Supersingular Elliptic Curve Isogenies. Proceedings of the 4th International Conference on Post-Quantum Cryptography PQCrypto’11, Berlin, Heidelberg, Springer-Verlag (2011), 19–34.
• [DFJP14] De Feo, L., Jao, D., and Plût, J., Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies. J. Math. Cryptol. 8.3 (2014), 209–247.
• [GPST16] Galbraith, S., Petit, C., Shani, B., and Ti, Y.B., On the Security of Supersingular Isogeny Cryptosystems

. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

10031 (2016), 63–91.
• [Hus04] Husemöller, D., Elliptic curves. Second edition. GTM 111 (2004).
• [S09] Stein, W. A. et al., Sage Mathematics Software (Version 7.5.1), The Sage Development Team, (2017), http://www.sagemath.org.
• [Sil86] Silverman, J., The Arithmetic of Elliptic Curves. Second edition. GTM 106 (1986).
• [Sil94] Silverman, J., Advanced topics in the arithmetic of elliptic curves. GTM 151 (1994).