On the security of supersingular isogeny cryptosystems

Steven Galbraith
The University of Auckland

Wed, 02/11/2016 - 2:00pm
RC-4082, The Red Centre, UNSW


In 2011, Jao and de Feo introduced a key exchange protocol based on isogenies of supersingular elliptic curves. Similar problems had been used previously in a hash function construction by Charles, Goren and Lauter. The talk will survey these systems and the mathematical ideas behind them.

I will then present a very powerful active attack on the supersingular isogeny encryption scheme, based on similar principles to the well-known "small subgroup attack" on DLP protocols. The attack is not prevented by any of the currently proposed "validation protocols", but it can be avoided by using a relatively expensive countermeasure proposed by Kirkwood et al. I will briefly survey some other recent results. This is all joint work with Christophe Petit, Barak Shani and Yan Bo Ti.