isis agora lovecruft transcribed 8.6K bytes:
For the repeated suggestion of SIDH, [3] I expect we'll soon see concrete details and improvements to the attacks mentioned in (and which they establish "direct validation" measures to defend against in §9 of) "Efficient algorithms for supersingular isogeny Diffie-Hellman" by Craig Costello, Patrick Longa, and Michael Naehrig. [4] E.g. if an adversary sends a supersingular curve E and linearly independent points P and Q, such that Bob calculates an isogeny ɸ: E → E' of small degree, there could potentially be ways to utilise the kernel of the isogeny from one handshake to learn information about the shared j-invariant computed in another handshake. Side note: it's a mystery to me why the NSA and the Microsoft Research teams are jumping through hoops to validate public SIDH keys, when they could just have the requirement that the keys must be ephemeral (at the cost of some efficiency). Basically, there's a whole bunch of swinging axes, poison darts, rolling boulders, and various other death traps and doom which come into play when you take a random elliptic curve as your key, and I expect another ten years of papers which slowly work to enumerate all of them.
Recently, a pre-print was submitted to eprint, and accepted to ASIACRYPT 2016: "On the Security of Supersingular Isogeny Cryptosystems" by Galbraith, Petit, Shani, and Ti. [0] The problems with non-ephemeral isogenies reused across SIDH key exchanges are potentially greater than previously realised, with attacks recovering the entire j-invariant.
"Our third contribution is to give a reduction that uses partial knowledge of shared keys to determine an entire shared key. This can be used to retrieve the secret key, given information leaked from a side-channel attack on the key exchange protocol. A corollary of this work is the first bit security result for the supersingular isogeny key exchange: Computing any component of the j-invariant is as hard as computing the whole j-invariant."
Please stop suggesting that Tor use SIDH. It's a fascinating and new field of research, with emphasis on new. It's not ready for use yet.
[0]: https://eprint.iacr.org/2016/859
Best regards,