Two Remarks on Torsion-Point Attacks in Isogeny-Based Cryptography

Abstract

We fix an omission in [8] on torsion point attacks of isogeny-based cryptosystems akin to SIDH, also reprised in [9, 4]. In these works, their authors represent certain integers using a norm equation to derive a secret isogeny. However, this derivation uses as a crucial ingredient [8, Section 4.3, Lemma~6], which we show to be incorrect. We then state sufficient conditions allowing to prove a modified version this lemma.

A further idea of parametrizing solutions of the norm equation will show that these conditions can be fulfilled under the same heuristics of these previous works. Our contribution is a theoretical one. It doesn't invalidate the attack, which works as well in practice, but gives a correct mathematical justification for it.

We also simplify the argument of [9, Theorem~3] to show that the requirement that m be small is unnecessary.