A Polynomial Time Attack on Instances of M-SIDH and FESTA

Advances in Cryptology, ASIACRYPT 2023, Part VII (2023)

Abstract
The recent devastating attacks on SIDH rely on the fact that the protocol reveals the images $\varphi(P)$ and $\varphi(Q)$ of the secret isogeny $\varphi : E_0 \to E$ on a basis $\{P, Q\}$ of the $N$-torsion subgroup $E_0[N]$, where $N^2 > \deg(\varphi)$. To thwart this attack, two recent proposals, M-SIDH and FESTA, proceed by only revealing the images up to unknown scalars $\lambda_1, \lambda_2 \in \mathbb{Z}_N^{\times}$, i.e. only $\lambda_1 \varphi(P)$ and $\lambda_2 \varphi(Q)$ are revealed, where $\lambda_1 = \lambda_2$ for M-SIDH and $\lambda_1 = \lambda_2^{-1}$ for FESTA. Similar information is leaked in CSIDH, since $\varphi$ maps the eigenspaces of Frobenius on $E_0$ to the corresponding eigenspaces on $E$. In this paper, we introduce a new polynomial time attack that generalizes the well-known "lollipop" attack and analyze how it applies to M-SIDH, FESTA and CSIDH. We show that M-SIDH can be broken in polynomial time whenever $E_0$ or $E$ is $\mathbb{F}_p$-rational, even when the endomorphism rings of $E_0$ and $E$ are unknown. This can be generalized to the case where the starting (or end) curve is not $\mathbb{F}_p$-rational, but is connected to its Frobenius conjugate by an isogeny of small degree. For FESTA, where the curve $E_0$ is already $\mathbb{F}_p$-rational, we obtain a polynomial time attack under the added requirement that at least one of the basis points $P, Q$ spans an eigenspace of Frobenius, of an endomorphism of low degree, or of a composition of both. We note that the current implementation of FESTA does not choose such a basis. Since it is always possible to construct an endomorphism, typically of large degree, having either $P$ or $Q$ as an eigenvector, we conclude that FESTA with overstretched parameters is insecure. Although the information leaked in CSIDH is very similar to that in FESTA, we show that our attack does not reveal any new information about the secret isogeny, i.e. we only learn that it is $\mathbb{F}_p$-rational, which is a priori knowledge.
Finally, we analyze if and how it would be possible to backdoor M-SIDH and FESTA by choosing system parameters that look inconspicuous, but in fact reduce to the special cases above via a secret isogeny chosen by the adversary.
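As an added illustration that is not part of the paper's abstract, the following derivation shows what the Weil pairing still reveals about the masked images described above, using the same symbols; it assumes $N$ is coprime to $p$ and writes $d = \deg(\varphi)$.

For an isogeny $\varphi : E_0 \to E$ and $P, Q \in E_0[N]$, the Weil pairing satisfies
$$e_N(\varphi(P), \varphi(Q)) = e_N(P, \hat{\varphi}\varphi(Q)) = e_N(P, Q)^{d}.$$
With the masked images $P' = \lambda_1 \varphi(P)$ and $Q' = \lambda_2 \varphi(Q)$, bilinearity gives
$$e_N(P', Q') = e_N(P, Q)^{\lambda_1 \lambda_2 d}.$$
For M-SIDH, where $\lambda_1 = \lambda_2 = \lambda$, this becomes
$$e_N(P', Q') = e_N(P, Q)^{\lambda^2 d},$$
so a party who knows $d$ and $e_N(P, Q)$ learns $\lambda^2 \bmod N$, but not the sign choices that determine $\lambda$ itself.
For FESTA, where $\lambda_2 = \lambda_1^{-1}$, the exponent collapses to
$$e_N(P', Q') = e_N(P, Q)^{d},$$
which is exactly the value obtained from the unmasked images, so the pairing alone reveals nothing about $\lambda_1$. Both observations are consistent with the abstract: the pairing check that underlies the SIDH attacks is blunted by the masking, which is why the paper needs the Frobenius-eigenspace structure of $E_0$, $E$, $P$ or $Q$ rather than the pairing to recover information.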
Keywords
Isogeny-based cryptography, Frobenius, M-SIDH, FESTA, CSIDH