Christophe Petit, Université Libre de Bruxelles, University of Birmingham
Let $E$ and $E'$ be two supersingular elliptic curves and let $\varphi: E\to E'$ be an isogeny of known degree $d$. Given a basis $(P, Q)$ of $E[N]$ together with $(\varphi(P), \varphi(Q))$, it is possible to recover $\varphi$ provided that $N$ is sufficiently large and smooth, and that the torsion basis can be represented over a small extension of the base field. In this work, we consider the more general setting where the $N$-torsion may not be efficiently representable. To address this setting, we introduce a new framework for encoding torsion information via an oracle that computes pushforwards of $N$-isogenies under $\varphi$. We then show that there exist instances for which access to the pushforward oracle allows for an efficient isogeny recovery. Beyond their theoretical interest, these instances have direct cryptographic implications. We show a practical attack against the threshold signature scheme recently proposed by Kim, Kim, and Lee. We also identify weak instances for Basso's oblivious pseudorandom function, and we refine the security discussion for Leroux and Roméas's updatable encryption scheme.
BibTeX
@misc{cryptoeprint:2026/1030,
author = {Luciano Maino and Christophe Petit},
title = {Pushforward Problems and Applications to Isogeny-based Cryptography},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/1030},
year = {2026},
url = {https://eprint.iacr.org/2026/1030}
}
此內容由慣性聚合(RSS閱讀器)自動聚合整理,僅供閱讀參考。 原文來自 — 版權歸原作者所有。