Implementing the Castryck-Decru attack on SIDH with general primes
Date
2024-01-09
Authors
Laflamme, Jeanne
Advisor
Jao, David
Publisher
University of Waterloo
Abstract
With the rapid progress of quantum computers in recent years, efforts have been made to standardize new public-key cryptographic protocols which would be secure against them. One of the schemes in contention was Supersingular Isogeny Diffie-Hellman (SIDH). This scheme relied on the assumed hardness of the isogeny problem on supersingular elliptic curves. However, in the SIDH protocol, extra information on the secret isogenies is transmitted. In July 2022, Castryck and Decru found a way to exploit this information to completely break the scheme. They gave an implementation of their attack which recovers Bob’s secret key in a few seconds on a laptop. Usually, Alice’s and Bob’s secret isogenies are taken to have degrees 2^a and 3^b respectively. This thesis gives a more general implementation of the attack in Magma which works even if Alice’s and Bob’s secret isogenies have degrees l_A^a and l_B^b for more general primes l_A and l_B.
Keywords
cryptography, Castryck-Decru attack, public-key, isogenies, post-quantum, SIDH