The cr.yp.to microblog: 2022.08.02 12:03:14

2022.08.02 12:03:14 (1554407468456783872) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1554398632505483265):

No, it's not theoretical. As I said in the first message, you had the option of following a different path (ahem), generating the standard A at random by applying and then throwing away a secret isogeny. What's interesting about this is that then SIKE wouldn't (yet?) be broken.

2022.08.02 12:13:44 (1554410112252387328) from Daniel J. Bernstein:

In other words, if current attacks are the end of the story, then pushing for elimination of back doors created a SIKE weakness that could have been avoided otherwise. Now think about this situation from the perspective of attackers who secretly knew the weakness from the outset.

Context

2022.08.01 01:28:34 (1553885361138388992) from Daniel J. Bernstein:

Here's a funny aspect of the new SIDH/SIKE attack to think about: It seems that SIDH/SIKE wouldn't have been broken (yet?) if the proposers had applied a secret isogeny to build a standard starting curve. The attack would instead have been showing that the secret is a back door.

2022.08.01 23:50:19 (1554223021820452875) from "Luca De Feo (@luca_defeo)":

That's precisely why we chose a well-known starting curve A=0, then changed to A=6, which obviously makes no difference from a cryptanalytic POV. IIRC, this was stated as early as Costello-Longa-Naehrig, Crypto '16.

2022.08.02 08:00:20 (1554346340640903171) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1554223021820452875):

Of course A=0 doesn't sound like a secret number. But think about the SIKE design from the perspective of an attacker whose secret knowledge was this 2022 attack. That attacker knows how to exploit A=0, and doesn't (yet?) know how to exploit an A chosen randomly by (say) ANSSI.

2022.08.02 11:28:07 (1554398632505483265) from "Luca De Feo (@luca_defeo)":

I don't understand what argument you're trying to make. That it's impossible to rule out backdoors? Besides, this is just theoretical talk. It's fairly evident the Castryck-Decru attack can be extended to any curve with known endomorphism ring, using KLPT-style techniques.