Title: Constructing broken SIDH parameters: a tale of De Feo, Jao, and Plut's serendipity.
|Affiliation:||University of Bristol|
|Zoom:||This event has been cancelled.|
This talk is motivated by analyzing the security of the cryptographic key exchange protocol SIDH (Supersingular Isogeny Diffie-Hellman), introduced by 2011 by De Feo, Jao, and Plut. We will first recall some mathematical background as well as the protocol itself. The 'keys' in this protocol are elliptic curves, which are typically described by equations in x and y of the form y^2 = x^3 + ax + b. Of importance in this talk will be 'endomorphisms' associated to elliptic curves: these are functions that map an elliptic curve to itself which also satisfy some nice properties. It was shown in 2016 by Galbraith, Petit, Shani, and Ti that certain endomorphisms can be used to break the SIDH protocol, if they can be found. However, finding such endomorphisms is a hard problem for the elliptic curves used in the SIDH protocol. In 2017 Petit gave (non-standard) parameters under which these endomorphisms can be computed. We will discuss this and show how to apply this idea to many new parameters; we hope that this work will lead to an understanding of all the parameters to which this attack can apply (almost certainly not the ones proposed by De Feo, Jao, and Plut). This is joint work with Peter Kutas, Lorenz Panny, Christophe Petit, and Kate Stange.