An Exposure Model for Supersingular Isogeny Diffie-Hellman Key Exchange

摘要

In this work, we present an exposure model for the isogeny computation in the quantum-resistant supersingular isogeny Diffie-Hellman (SIDH) key exchange protocol. Notably, we propose this exposure model to characterize the severity of new attacks that force an SIDH user to divulge certain intermediate values. In our model, we show how an attacker can break SIDH by discovering an intermediate kernel point and its corresponding curve. To strengthen an SIDH-user against the exposure of intermediate values, we propose a random curve isomorphism that is performed just before the large-degree isogeny. We show that this countermeasure is computationally inexpensive compared to the whole of SIDH and can still operate with the Kirkwood et al. validation model that allows a static-key user to ensure the first round of the other party was performed honestly. The goal of this paper is to present an additional protection against future attacks for implementations of SIDH.