The cr.yp.to microblog: 2022.08.01 01:28:34

2022.08.01 01:28:34 (1553885361138388992) from Daniel J. Bernstein:

Here's a funny aspect of the new SIDH/SIKE attack to think about: It seems that SIDH/SIKE wouldn't have been broken (yet?) if the proposers had applied a secret isogeny to build a standard starting curve. The attack would instead have been showing that the secret is a back door.

2022.08.01 01:33:01 (1553886481793499136) from Daniel J. Bernstein:

See Section 5 of https://eprint.iacr.org/2020/633 for previous approaches to constructing SIDH/SIKE back doors. The new attack gives a back door for many more parameters, including parameters that look just like current SIDH/SIKE plus a defensible "we added this extra protection" tweak.

2022.08.01 01:39:22 (1553888077298380800) from Daniel J. Bernstein:

Compare to NIST's submission criteria: "To help rule out the existence of possible back-doors in an algorithm, the submitter shall explain the provenance of any constants or tables used in the algorithm." Is it true that explaining the SIDH/SIKE constants rules out back doors?