2022.08.02 08:00:20 (1554346340640903171) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1554223021820452875):
Of course A=0 doesn't sound like a secret number. But think about the SIKE design from the perspective of an attacker whose secret knowledge was this 2022 attack. That attacker knows how to exploit A=0, and doesn't (yet?) know how to exploit an A chosen randomly by (say) ANSSI.
2022.08.01 01:28:34 (1553885361138388992) from Daniel J. Bernstein:
Here's a funny aspect of the new SIDH/SIKE attack to think about: It seems that SIDH/SIKE wouldn't have been broken (yet?) if the proposers had applied a secret isogeny to build a standard starting curve. The attack would instead have been showing that the secret is a back door.
2022.08.01 23:50:19 (1554223021820452875) from "Luca De Feo (@luca_defeo)":
That's precisely why we chose a well known starting curve A=0, then changed to A=6, which obviously makes no difference from a cryptanalytic POV. IIRC, this was stated as early as Costello-Longa-Naherig, Crypto '16.