























Christophe Petit, Université Libre de Bruxelles, University of Birmingham
Let $E$ and $E'$ be two supersingular elliptic curves and let $\varphi: E\to E'$ be an isogeny of known degree $d$. Given a basis $(P, Q)$ of $E[N]$ together with $(\varphi(P), \varphi(Q))$, it is possible to recover $\varphi$ provided that $N$ is sufficiently large and smooth, and that the torsion basis can be represented over a small extension of the base field. In this work, we consider the more general setting where the $N$-torsion may not be efficiently representable. To address this setting, we introduce a new framework for encoding torsion information via an oracle that computes pushforwards of $N$-isogenies under $\varphi$. We then show that there exist instances for which access to the pushforward oracle allows for an efficient isogeny recovery. Beyond their theoretical interest, these instances have direct cryptographic implications. We show a practical attack against the threshold signature scheme recently proposed by Kim, Kim, and Lee. We also identify weak instances for Basso's oblivious pseudorandom function, and we refine the security discussion for Leroux and Roméas's updatable encryption scheme.
BibTeX
@misc{cryptoeprint:2026/1030,
author = {Luciano Maino and Christophe Petit},
title = {Pushforward Problems and Applications to Isogeny-based Cryptography},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/1030},
year = {2026},
url = {https://eprint.iacr.org/2026/1030}
}