#pee-side thread

foo

bar

@rich olive

wororororororoo

Challenge was great

some explaination with the screen ?

sage: def recover_secret(P):
....:     res = []
....:     for (ell, _) in P.order().factor()[1:]:
....:         Qy = ((P.order() // ell) * P)[1]
....:         if Qy[0] == 0:
....:             res.append(1)
....:         elif Qy[1] == 0:
....:             res.append(-1)
....:         else:
....:             res.append(0)
....:     return res
....:     
sage: b = recover_secret(Pa)
sage: b == a
True

I just recovered a from the image of PP and sent Ea as my curve and Eaa as a shared secret

let me explain wpaeohkawpoehkko

whatever

mine's basically the same as jack:

def getval(P, l):
    w = [z.frobenius()==z for z in (psidh.p+1)//l*P]
    return w[0]*(-1)**w[1]
a = [getval(Pa, l) for l in ell]

I can do a write up maybe

But it was a cute challenge. I really liked it

I thought we had to create some curve for which we could guess the shared secret

You can recover a

I thought that but then I realised I had the image of the point haha

“Torsion point attack for CSIDH” haha

ok so i have to rethink everything now, I'll look at that before looking at a wu

Recall the notation: The starting curve is E0 and point is P0
And say we walk a l0 = 211-degree isogeny from E0 i.e. set Ea = act(E0, [1, 0, 0, ..., 0]) and denote by phi the isogeny
Then one can prove that phi(P0) will be of the form (x : y : 1) where x is in F_p, and y is in F_p^2

And if you know how CSIDH works you already know this, because the group action also satisfies E0 = act(Ea, [-1, 0, 0, ..., 0]) right (the dual isogeny phi_dual), and its kernel point will be the (F_p : F_p^2 : 1) form.

On the other hand, if Ea = act(E0, [-1, 0, 0, ..., 0]), then its dual will correspond to be vector [1, 0, 0, ..., 0], so its kernel point(which will be phi(P0) again) is of the form (F_p : F_p : 1)

You can see the observation above in the CSIDH code (you can prove it by looking at the Frobenius eigenvalues blablabla)

        while any(es):
            E.set_order((self.p + 1)**2)

            P = E.lift_x(ZZ(randrange(self.p)))
            s = [-1, 1][P[1] in GF(self.p)] # if y is in F_p^2, then it corresponds to a "-1" in exponent
            k = prod(l for l, e in zip(self.l, es) if sign(e) == s)
            P *= (self.p + 1) // k

        ...

And once you get this, the rest is clear some cofactors then check whether the case above happens

If you don't really want to think about kernels and stuff, basically you just have to know that an isogeny composed with its dual is the multiplication-by-l map. So roughly speaking you can brute force the dual to see which points are multiplied by l

I think looking at the kernel is not that hard anyways since you need it to know how CSIDH works

this was my thought process when i created it

Also you can send a 2-torsion point and ignore the part about the image in the hash

btw I told y7 to look at it, and a few hours later he just came back with a "indeed!", and I see hxp with one single solve 😂

I think the way I thought about it is that on Fp2 you can see the curve E/Fp and it’s twist hiding inside E/Fp2 and because all the kernel points in CSIDH have Fp rational c values, you know that the isogeny is essentially killing the contribution from E/Fp or it’s twist

By knowing which was “projected out” you can spot what sign the exp must have been and recover the secret

sage: pos = []
....: for i, l in enumerate(ell):
....:     if P.order() % l != 0:
....:         print("hmm", i) # fail with 12%, restart
....:         continue
....:     Q = P * (P.order() // l)
....:     y = str(Q[1])
....:     if "+" in y:
....:         pos.append(0)
....:     elif "i" in y:
....:         pos.append(1)
....:     else:
....:         pos.append(-1)
....: print(pos)```
string matching ![PI_ThumbsUp](https://cdn.discordapp.com/emojis/703131448361746452.webp?size=128 "PI_ThumbsUp")

That’s just this 😛

oh oops

isn't the fail rate roughly double that (23%)?

uh prod(1-1/l)

where does the 2 come from

prod((1-1/l)^2)

don't think so. I just need P.order() % l != 0 right

just treat P.order()random 😂

lemme think a bit. but I think yours might have some false positives (where it doesn't "hmm" but can end up with the wrong answer)

because it's not matching up with my intuition. but also my intuition could be completely wrong

I think not

hmm

Just to clarify this: so you bruteforce each position of the secret vector -1,1(,0) and see if phi(Pa) is of order full_order/l?

sry for bad notation phone bad

yes

And where’s the square coming from? You want both Pa and P0 to have order not divisible by l?

Oh hmm. I thought they will have the same order but now I think abt it maybe not

(eg kernel points)

I don't have the right terminology for this, but the l-torsion group is Zl*Zl, if you take the generators to be in the real and imaginary directions, then you need both directions to be non-zero

I should probably think in kernel points

I sse what you mean but I don’t think so

sec

ok back on laptop
Say the 4-torsion group is generated by P, Q independently, so 4P = 4Q = 0
And the starting point is P0 = a * P + b * Q or sth

And say your isogeny is phi = (E0 -> Ea := E0 / <P>)
Then the point you receive is Pa = phi(P0) = b * phi(Q) // because phi(P) = 0
(and phi(Q) must have full order, else there'll be a multiple in the kernel <P>)
So as long as b doesn't vanish it's fine, what a is doesn't matter

So if your isogeny kernel is the "real direction", then what it is doesn't matter

lol

only need the imaginary direction to be nonzero

right, no you're correct in that we can detect an error in about 12% of cases and should restart

but assuming you don't restart, then the probability that your recovered a is equal to the original a then fails with a further 12%

but there is no way to detect this

so overall, only 77% of connections to the remote will result in the flag

12% will have "restart" and not submit an input at all

the remaining 11% will submit an input and the remote will say "wrong"

Didnt know anything about isogeny before, so couldnt solve
But I think the time I had yesterday struggling was worth it, maybe I can solve the next isogeny challenge 🥲

hi idol! Yes, I think this is a pretty good intro chal (as in you can learn enough from scratch in two days to solve it)
You should also check out Neobeo's own challenge (the mitm one, I forgot chal name). That one at least gets you familiar with what isogenies are

re neobeo, I'll read later, doing assignment 🤡

here's a horrible mspaint drawing of what the challenge looks like in my head

Actually for this it’s interesting

This requires bruteforcing isogenies right

Like the dual

but me and jack’s doesn’t

Because the kernel of the dual isogenies are special (they’re the “csidh prime isogenies”)

So ours won’t work if the secret vector a is sampled from [-2,2]^42 i think

While yours will

uhh don't we all have the same solution effectively?

Not exactly

I think

but in any case no, mine doesn't work with [-2,2]. I'm not sure you can detect this in any meaningful way

i think you need a random (p + 1)^n torsion point to detect keys in the range [-n, n]

at least for the solutions im aware of

ahhhh, my bad

Ok I will reply when I can actually talk, and also see experimentally how much % my sol works

I think it'd be more like prod(1-2/3*l), where 2/3 comes from the key element being 1 or -1

Hi, I can finally look at this lol

solved, thanks for the nice challenge🥹
btw I have one question, is it possible to recover (a + randrange(-5, 6) initial action) with just Ea's result?

since its EllipticCurve(K, [1, 0]) -> Ea with (a + randrange(-5, 6)), theoretically its possible, but is it efficiently possible without bruteforcing 11^42 or 13^42?

Also fun thing I discovered:
action([1, 0, 0, ...]) + action([-1, 0, 0, ...]) moves the curve into different curve, but the j_invariant is the same

in general no, as that's literally the underlying hard problem for CSIDH. with that said, I'm not sure whether you get some extra information from the a invariants (compared to just the montgomery coefficient = curve isomorphism + orientation)

it's actually stronger than that, the curves are isomorphic, and the the composition of the two actions is the multiplication-by-l map (so an endomorphism)

but also cryptohack has the wonderful #isogeny-school where you can get better answers from someone who's not noob like me

Ah, thanks for the explanation and suggestion!!
I have a long way to go

Don't think so, isn't there only two(? one?) isomorphic montgomery curves for each elliptic curve in general

false

so I think the actual probability of getting the flag (per remote connection) lies somewhere in between both our values. for each prime ℓ:

• if the key is 1 or -1 (prob ⅔), there is a 1/ℓ chance that the random P₀ is "projected" in a bad direction
• if the key is 0 (prob ⅓), there is a (2ℓ-1)/ℓ²≈2/ℓ chance that the random P₀ is "projected" in either direction (or both)

If key=0 why is it 2/l chance?

I actually thought it's 0 chance lol

If P is a (F_p^2 : F_p^2 : 1) l-torsion point, and phi is a l-isogeny, then phi(P) should also give a (F_p^2 : F_p^2 : 1) point
I think you can show this because phi is a CSIDH-isogeny, so the eigenvalue is like 1 or -1

(My notation means x and y coordinates are both in F_p^2 / F_p lol)

we can do this by thought experiment (no maths). if the key is 0, then instead of (E0,P0) we move one step to (E1,P1) and consider this to be our new starting point instead

Yeah, and say P0 is l-torsion and deg(E0 -> E1 isogeny) is not divisible by l right

It's a fact that if P0 doesn't lie on the real axis nor imaginary axis, then P1 doesn't either

my point is that you cannot distinguish whether you started at P0 or P1. you have to guess, and it's more likely that it started at P0 but it doesn't have to

uhh I'm assuming here that E0->E1 is a degree-l isogeny

I thought key=0

Like the setting is E1 = act(E0, [0, xxxxxxx]) right? Is that not what you meant for key=0

ok, I'm saying compare these two scenarios:

1. start at (E0, P0, a=[1, xxx])
2. let (E1,P1) = action(E0,P0,[1,0,...,0]), then start at (E1, P1, a=[0,xxx])

they both end up to the same (Ea,Pa)

I don't think so

but if the "actual" starting point was (E1,P1) then we'd get it wrong because we'd actually guess (E0,P0)

let (E1,P1) = action(E0,P0,[1,0,...,0]), then start at (E1, P1, a=[0,xxx])
The distribution of P1 won't be uniform on E1

ok, I agree P1 is not uniform on E1

the probability of getting such a P1 is 1/l

Sorry I think I'm a bit lost right now

We're thinking about this statement right

if the key is 0 (prob ⅓), there is a (2ℓ-1)/ℓ²≈2/ℓ chance that the random P₀ is "projected" in either direction (or both)

yes

I'm saying here that if (E1, P1) was the actual key (i.e. key=0), we would not get it right because P1 is already projected

so actual_key = 0, but recovered_key = 1

Oh! I think you're right

Okay I finally understand

yeah sorry about all my bad terminology lol. I never learnt this stuff formally

So like when it does self.P0 = self.E0.random_point() it might already be on the real or imaginary axis

which we'll detect as 1 or -1 even tho it's not

yup

ok yeah makes sense

oops

btw the real and imaginary axis actually makes sense

yeah that's how I have it in my head, and it seems to be consistent with everything so 🤷

yeah that kinda makes sense I guess. I probably need to read more solve more isogeny ctf challs

Sorry, I’ve been reading this but I don’t quite know why it should work… Is there a more intuitive way / resources to understand this mechanism?

Me neither, maybe since I'm dumb. Actually I think the most intuitive way is to think of doing the reverse action/dual isogeny and check the order thing.

You're not dumb, you just haven't learned it yet

https://eprint.iacr.org/2018/383.pdf + intuition from working with isogenies I guess

In particular, the section under "Rational Elkies primes" and section 8 basically describes what jack is saying

And the Frobenius action I described above is a more laid out explanation

Thank you so much 🙏

I think the CSIDH paper (linked) is the easiest to start with, as a "first goal" to understand. The concepts are elementary enough that even if you're new to isogenies, you can just ask and dig around and eventually get through the whole thing

Indeed, the paper describes everything nicely in high level for someone isogeny beginner like me. Actually, this is a nice challenge, since it mixes CSIDH with a specific point on a curve. I usually just see CSIDH as a group action between curves and this makes me fail to dig into inspect a specific curve point in the scheme. So much to learn.

Is there anywhere I can learn and try nice isogeny chals?

it's quite a new area so I don't think so. I can suggest Neobeo's isogeny maze (easy)

I also have a chal but it's not solvable yet, but it's only because the params are set wrong. You can think about the ideas. I am happy to discuss them, found here (medium)

y7 has some challenges for hxp ctf, backed up on ctf.link (click on "scoreboard")
hxp 2022: not csidh (quite hard)
hxp 2021: infinity (medium iirc)

m0lecon ctf had a sigiso challenge which is also good intro chal (easy)

It is a group action, but there's algebraic property about isogeny

If not, there won't be isogeny-based crypto - it will just be classical diffie-hellman crypto or its friends

I suspect we'll start to see more isogeny challenges in CTFs going forward anyway (I have some in the pipeline myself)

Hopefully no more "modify castryck-decru/jack-remy's code"

I purposely avoided suggesting them above

Every point in a curve E/Fp2 can be written as aP + bQ for points P,Q which are linearly independent

<P,Q> is our basis for this abelian group (Z/nZ) x (Z/nZ)

Once such basis can be thought of as defined by the action of Frobenius (see above messages) or simply “is the y coordinate real or imaginary”

When I apply an isogeny phi it sends all the points in its “kernel” to the identity so phi(P) = 0 if P is in the kernel

So if I look at some random point K = aP + bQ

And the image of K is phi(K) = phi(aP + bQ) = aphi(P) + bphi(Q)

If phi kills either the real or imaginary component of the basis this can be seen by looking at the y coordinate of phi(K) as the image will be purely imaginary or real as the other part is projected out

Ahh

Damn, this makes things clear so much, thank you!!

(or if it's cyclic)

More specifically, (for our setting) every n-torsion point can be written as aP + bQ for n-torsion points P, Q which are linearly independent. This is a consequence of that E[n] (the subgroup of n-torsion points) has group structure Z/m1 x Z/m2, where m1, m2 | n

So the 16-torsion points might be like Z/8Z x Z/4Z, and those two directions will give a basis

(Set n = |E| to get the full thing) this is shown in Silverman's book

Me too :))

This chal looks like a failed attempt to translate Schnorr into CSIDH version, which is continued and succeeded by CSI-Fish. It is also a nice chall

What a clean explanation.
Is it also possible when DLP is not possible due to unsmooth curve order?
Not recovering a, b(thats definitely impossible), but recovering aP and bQ.

I think using pairing you can show they're equivalent (?) like you can solve dlp

Hmm, I gotta study pairing first then

You're saying that given R (= aP + bQ, a,b hidden), P, Q, recover aP and bQ right

Yeah

Hmm, most of the case I've tested with random GF(p^2) and random invariants, most of the case, P's order and Q's order is different

Yes

That way, it will be done easily I guess

Why?

mul Q's order and mul Q's order ^ -1 mod P's order

that way aP will be left

Oh. If all P, Q, R are n-torsion points, then ord(P) | ord(Q) | n

Ah really, hmm

Silverman

This is when K is algebraically closed. If not say K=GF(p) then it's a subgroup of ^

Idk about torsion points(Things I need to study is exponentially increasing), but I think with random GF(p^2) and random invariants, P's order and Q's order arent dependent to each other

How are you generating P and Q?

P: E.lift_x(random) until P[1] is in GF(p)

Q: the opposite

the opposite as in, Q[1] is in GF(p^2) - GF(p)? or wdym

when it has form of 12341234432 * i

I see ah um

Yes those will have independent orders

Ah I see what you mean, sorry I got confused

I thought P's order and Q's order were always the same but guess not

maybe its related to supersingular blah blah

nono not in this case

You can think of P is on E/F_p because P[0] and P[1] is on GF(p)

yeah

and Q is on the quadratic twist of it

because if you recall, if P[0] is not an x-coordinate on E/F_p, then it is an x-coordinate on its twist

Ok, yep

Oh wait but the two curves have the same order here

oops

yeah maybe thats reason is related to supersingularity (maybe)

I’m sorry I don’t see how DLP is related to what I said

But given a basis P,Q you can solve R = aP + bQ on the curve (BSGS) or you can use pairings to move this to Fp^k when the curve has embedding degree k

For these curves k = 2, so the pairing trick is particularly efficient

if dlp is easy, recovering a from a*phi(P) and phi(P) should be easy
Thats what I thought about dlp part

I think there are two parts

1. For jack's explanation, you don't actually have to recover a and b, it's just theoretical analysis. In theory it just works out
2. And soon_haari is asking a separate/independent question: Given R = aP + bQ, P, Q, find aP, bQ without dlog

Sorry my bad, I see the problem. As I said, if P[1] is in GF(p), then you can think of P is on E/F_p. and if Q[1] is in GF(p^2) - GF(p), then Q is on (E/F_p)^t (twist)
and since you're testing random curves, the twists will in general have different orders

sage: p = random_prime(2^16)
....: a, b = [randrange(p) for _ in range(2)]
....: E = EllipticCurve(GF(p^2), [a, b])
....: Ep = E.change_ring(GF(p))
....: Fp_points = []
....: Fp2_points = []
....: while len(Fp_points) < 5 or len(Fp2_points) < 5:
....:     P = E.lift_x(ZZ(randrange(p)))
....:     if P[1] in GF(p): Fp_points.append(P)
....:     else: Fp2_points.append(P)
....: lcm([P.order() for P in Fp_points]), Ep.order()
....: lcm([Q.order() for Q in Fp2_points]), Ep.quadratic_twist().order()
(16056, 32112) # lhs divides rhs
(16242, 32484) # lhs divides rhs

However for supersingular curves, |E / F_q| = |(E / F_q)^t| because trace = 0

What is the requirement for curve on GF(p)'s order to be same with its twist?

is it iff supersingularity

Do you know that |E / F_p| = p + 1 - trace(E)?

not really

Well there you go. and |(E / F_p)^t| = p + 1 + trace(E)

ah!

So you're correct, the order of curve and its twist is the same when it's supersingular

actually I forgot if it's true when p is prime power, but anyways

Ok that solves my question a lot

what is trace of E btw?

Just think of it as a quantity for now

Alternatively, you can define trace(E) := p + 1 - |E / F_p|

Defining it correctly is slightly too hard to describe here

hmm, alright thanks for telling

It is actually called the trace of Frobenius. In Sage you type E.trace_of_frobenius()

Again, I recommend reading Silverman's book, "The Arithmetic of Elliptic Curves"

it's a math book, so there's some math, but it's worth it to get a proper grasp of the concepts
IMO

It’s not true in generality when q is a prime power