SIDH Proof of Knowledge

We demonstrate that the soundness proof for the De Feo, Jao and Plût identification scheme (the basis for SIDH signatures) relies on an invalid assumption, and we give a counterexample to that assumption, showing that the proof of soundness is invalid. Because this proof was repeated in a number of works by various authors, several results in the literature are affected. Since being able to prove knowledge of an SIDH key (for example, to prevent adaptive attacks) is important, soundness is a vital property. We propose a modified identification scheme that fixes the issue with the De Feo, Jao and Plût scheme, and provide a proof of security for the new scheme. We also prove that a further modification allows the torsion points in the public key to be verified as well. The result is a secure proof of knowledge for SIDH keys and a secure SIDH-based signature scheme. In particular, these schemes provide a non-interactive way of verifying that SIDH public keys are well formed, as protection against adaptive attacks, that is more efficient than generic NIZKs.
