Abstract
We detail a new fault attack countermeasure for CSIDH. Interestingly, it seems that the countermeasure can only be applied in the relatively slow setting of non-negative secret keys; nevertheless, the resulting protocol is faster than the state-of-the-art “dummy-free” implementation (which uses signed secret keys), at the cost of additional communication: each party now sends the Montgomery coefficients of two curves in each round of the protocol. We explain that, despite sending this additional key-dependent information, the protocol is no less secure than CSIDH as originally described, and give a proof of security in the authenticated links model of Canetti and Krawczyk. We discuss how prior optimization techniques apply to our protocol and give an optimized implementation (for the CSIDH-512 parameter set), along with benchmarks and comparisons with earlier fault attack-resistant implementations of CSIDH. Finally, we discuss the difficulties that arise in attempts to translate our protocol to the setting of signed secret keys.
Notes
For a “real world” model of this: Eve can attempt to initiate communication with Alice, encrypting under the shared key she has computed with Alice. If Alice’s message decrypts to something meaningful under Eve’s shared secret, it is likely that Alice’s key is the same; otherwise it is likely different.
In implementations of CSIDH, we generally only have that \(Q\) has order dividing this quantity; however, it simplifies the exposition if \(Q\) truly has this order.
This explanation is slightly simplified; in implementations, we instead multiply out the factor of \(\ell _n\) (or, more generally, each \(\ell _i\) with \(\beta _i = 0\)) in advance.
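The second and third notes above presuppose the standard CSIDH setup of Castryck et al. (2018): a prime \(p = 4\ell_1\cdots\ell_n - 1\) and Montgomery curves \(E_A : y^2 = x^3 + Ax^2 + x\) over \(\mathbb{F}_p\), each of which, like its quadratic twist, has exactly \(p+1\) rational points. Consequently every \(x \in \mathbb{F}_p\) is the x-coordinate of a point whose order divides \(p+1\), but need not equal it. The following Python is an added illustration and not code from the paper: it implements x-only Montgomery arithmetic on a hypothetical toy instance with \(\ell = (3,5,7)\) and \(p = 419\) (chosen here for illustration only), multiplies out the cofactor 4 together with every \(\ell_i\) for which \(\beta_i = 0\) in advance, as the third note describes, and then checks which \(\ell_i\)-torsion components the resulting point actually carries, which is the caveat of the second note. All function names are my own.

```python
# Added illustration, not the paper's code. Toy CSIDH-style setup (Castryck et al. 2018):
# p = 4*l_1*...*l_n - 1 and Montgomery curves E_A : y^2 = x^3 + A x^2 + x over F_p.
# Every such curve and its quadratic twist have exactly p + 1 points, so any x in F_p is the
# x-coordinate of a point of order DIVIDING p + 1 = 4 * prod(l_i) (the second note's caveat).
# The parameters below are a hypothetical toy choice for illustration only.
from math import prod

ELLS = (3, 5, 7)
P = 4 * prod(ELLS) - 1       # 419, prime
IDENTITY = (1, 0)            # projective x-only point at infinity (Z = 0)

def a24_from_A(A, p=P):
    """Doubling constant (A + 2)/4 of the Montgomery curve E_A."""
    return (A + 2) * pow(4, -1, p) % p

def is_identity(pt, p=P):
    return pt[1] % p == 0

def xdbl(pt, a24, p=P):
    """x-only doubling: (X:Z) -> [2](X:Z)."""
    X, Z = pt
    t1 = (X + Z) * (X + Z) % p
    t2 = (X - Z) * (X - Z) % p
    t3 = (t1 - t2) % p                           # 4XZ
    return (t1 * t2 % p, t3 * (t2 + a24 * t3) % p)

def xadd(pt, qt, diff, p=P):
    """x-only differential addition: from x(P), x(Q), x(P - Q) compute x(P + Q)."""
    XP, ZP = pt
    XQ, ZQ = qt
    XD, ZD = diff
    t0 = (XP + ZP) * (XQ - ZQ) % p
    t1 = (XP - ZP) * (XQ + ZQ) % p
    return (ZD * pow(t0 + t1, 2, p) % p, XD * pow(t0 - t1, 2, p) % p)

def ladder(k, pt, a24, p=P):
    """Montgomery ladder computing [k]P for k >= 0.  The base point may be any (x:1) with
    x != 0 (x = 0 is the 2-torsion point and degenerates the formulas).  NOT constant time:
    it branches on the scalar bits, which is acceptable for a toy but not for CSIDH."""
    if k == 0 or is_identity(pt, p):
        return IDENTITY
    r0, r1 = pt, xdbl(pt, a24, p)
    for bit in bin(k)[3:]:                       # bits below the leading 1
        if bit == "0":
            r0, r1 = xdbl(r0, a24, p), xadd(r0, r1, pt, p)
        else:
            r0, r1 = xadd(r0, r1, pt, p), xdbl(r1, a24, p)
    return r0

def on_curve(x, A, p=P):
    """True if x^3 + A x^2 + x is a nonzero square, i.e. (x, y) is F_p-rational on E_A
    (otherwise the point lies on the quadratic twist, which also has p + 1 points)."""
    rhs = (x * x * x + A * x * x + x) % p
    return rhs != 0 and pow(rhs, (p - 1) // 2, p) == 1

def first_rational_x(A, p=P):
    """Smallest nonzero x giving an F_p-rational point on E_A (keeps the demo deterministic)."""
    return next(x for x in range(1, p) if on_curve(x, A, p))

def cofactor_cleared(x, active, a24, p=P, ells=ELLS):
    """Third note: multiply out the factor 4 and every l_i with beta_i = 0 ('inactive') in
    advance.  The result has order dividing prod(active), so only active degrees remain."""
    inactive = [l for l in ells if l not in active]
    return ladder(4 * prod(inactive), (x % p, 1), a24, p)

def torsion_present(q, active, a24, p=P):
    """Second note: q's order only DIVIDES prod(active).  For each active l, [m/l]q is either
    the identity (q has no l-component, so an implementation must skip or resample) or a
    point of exact order l."""
    m = prod(active)
    present = {}
    for l in active:
        r = ladder(m // l, q, a24, p)
        present[l] = not is_identity(r, p)
        assert is_identity(ladder(l, r, a24, p), p)   # r has order 1 or l
    return present

def demo(A=0, active=(3, 5), p=P):
    """Walk one point through the full-order check, cofactor clearing and the torsion check."""
    a24 = a24_from_A(A, p)
    x = first_rational_x(A, p)
    q = cofactor_cleared(x, active, a24, p)
    return {
        "x": x,
        "order_divides_p_plus_1": is_identity(ladder(p + 1, (x, 1), a24, p), p),
        "order_divides_active": is_identity(ladder(prod(active), q, a24, p), p),
        "torsion_present": torsion_present(q, active, a24, p),
    }

if __name__ == "__main__":
    print(demo())
```

The ladder here branches on secret scalar bits and the point search is data dependent; both are exactly what the constant-time CSIDH implementations cited below (Meyer, Campos and Reith; Onuki et al.; CTIDH) are designed to avoid, so this toy is for understanding the order bookkeeping in the notes, not a template for an implementation.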
References
Banegas, G., Bernstein, D.J., Campos, F., Chou, T., Lange, T., Meyer, M., Smith, B., Sotáková, J.: CTIDH: faster constant-time CSIDH. IACR Transactions on Cryptographic Hardware and Embedded Systems 2021(4), 351–387 (2021). https://doi.org/10.46586/tches.v2021.i4.351-387. Artifact available at https://artifacts.iacr.org/tches/2021/a20
Bernstein, D.J., De Feo, L., Leroux, A., Smith, B.: Faster computation of isogenies of large prime degree. Cryptology ePrint Archive, Report 2020/341 (2020). https://eprint.iacr.org/2020/341
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) Advances in Cryptology — EUROCRYPT 2001, pp. 453–474. Springer, Berlin and Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
Castryck, W., Decru, T.: CSIDH on the surface. In: Ding, J., Tillich, J.P. (eds.) Post-quantum cryptography, pp. 111–129. Springer, Cham (2020)
Castryck, W., Decru, T., Vercauteren, F.: Radical isogenies. Cryptology ePrint Archive, Report 2020/1108 (2020). https://eprint.iacr.org/2020/1108
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) Advances in cryptology - ASIACRYPT 2018, pp. 395–427. Springer, Cham (2018)
Cervantes-Vázquez, D., Chenu, M., Chi-Domínguez, J.J., De Feo, L., Rodríguez-Henríquez, F., Smith, B.: Stronger and faster side-channel protections for CSIDH. In: Schwabe, P., Thériault, N. (eds.) Progress in cryptology - LATINCRYPT 2019, pp. 173–193. Springer, Cham (2019)
Chi-Domínguez, J.J., Rodríguez-Henríquez, F.: Optimal strategies for CSIDH. Cryptology ePrint Archive, Report 2020/417 (2020). https://eprint.iacr.org/2020/417
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
Hutchinson, A., LeGrow, J., Koziel, B., Azarderakhsh, R.: Further optimizations of CSIDH: A systematic approach to efficient strategies, permutations, and bound vectors. Cryptology ePrint Archive, Report 2019/1121 (2019). https://eprint.iacr.org/2019/1121
LeGrow, J.: Design, analysis, and optimization of isogeny-based key establishment protocols. Ph.D. thesis, University of Waterloo (2020)
LeGrow, J., Hutchinson, A.: An analysis of fault attacks on CSIDH. Cryptology ePrint Archive, Report 2020/1006 (2020). https://eprint.iacr.org/2020/1006
Meyer, M., Campos, F., Reith, S.: On lions and elligators: an efficient constant-time implementation of CSIDH. In: Ding, J., Steinwandt, R. (eds.) Post-quantum cryptography, pp. 307–325. Springer, Cham (2019)
Meyer, M., Reith, S.: A faster way to the CSIDH. In: Chakraborty, D., Iwata, T. (eds.) Progress in cryptology - INDOCRYPT 2018, pp. 137–152. Springer, Cham (2018)
Moriya, T., Onuki, H., Takagi, T.: How to construct CSIDH on Edwards curves. Cryptology ePrint Archive, Report 2019/843 (2019). https://eprint.iacr.org/2019/843
Onuki, H., Aikawa, Y., Yamazaki, T., Takagi, T.: A faster constant-time algorithm of CSIDH keeping two points. In: Attrapadung, N., Yagi, T. (eds.) Advances in information and computer security, pp. 23–33. Springer, Cham (2019)
Vélu, J.: Isogénies entre courbes elliptiques. Comptes-Rendus de l’Académie des Sciences, Série I(273), 238–241 (1971)
Additional information
This research was funded in part by MBIE fund UOAX1933 and the Commonwealth of Virginia’s Commonwealth Cyber Initiative (CCI), an investment in the advancement of cyber R&D, innovation, and workforce development. For more information about CCI, visit www.cyberinitiative.org.
About this article
Cite this article
LeGrow, J.T. A faster method for fault attack resistance in static/ephemeral CSIDH. J Cryptogr Eng 13, 283–294 (2023). https://doi.org/10.1007/s13389-023-00318-0