We present a polynomial-time adaptive attack on the genus-2 variant of the SIDH protocol
(G2SIDH) and describe an improvement to its secret selection procedure. G2SIDH is a generalisation
of the Supersingular Isogeny Diffie-Hellman key exchange into the genus-2 setting which was proposed
by Flynn and Ti. G2SIDH is able to achieve the same security as SIDH while using fields a third of the
size.
We give a thorough analysis of the keyspace of G2SIDH and achieve an improvement to the secret
selection by using symplectic bases for the torsion subgroups. This allows for the near uniform sampling
of secrets without needing to solve multiple linear congruences as suggested by Flynn-Ti.
The proposed adaptive attack on G2SIDH is able to recover the secret when furnished with an oracle
that returns a single bit of information. We ensure that the maliciously generated information provided
by the attacker cannot be detected by implementing simple countermeasures such as checking the Weil
pairing or order of the given points. We demonstrate this attack and show that it is able to recover
the secret isogeny in all cases of G2SIDH using a symplectic basis before extending the strategy to
arbitrary bases.

By admin