
A faster method for fault attack resistance in static/ephemeral CSIDH

  • Regular Paper
  • Journal of Cryptographic Engineering

Abstract

We detail a new fault attack countermeasure for CSIDH. Interestingly, it seems that the countermeasure can only be applied in the relatively slow setting of non-negative secret keys; however, the resulting protocol is faster than the state-of-the-art “dummy-free” implementation (using signed secret keys), but requires additional communication, as each party now sends the Montgomery coefficients of two curves in each round of the protocol. We explain that, despite sending additional key-dependent information, the protocol is no less secure than CSIDH as it was originally described, and we give a proof of security in the authenticated links model of Canetti and Krawczyk. We discuss how prior optimization techniques can be applied to our protocol, and give an optimized implementation (for the CSIDH-512 parameter set), along with benchmarks and comparisons with earlier fault-attack-resistant implementations of CSIDH. Finally, we discuss difficulties that arise in attempts to translate our protocol to the setting of signed secret keys.


Notes

  1. For a “real world” model of this: Eve can attempt to initiate communication with Alice using their shared key for encryption. If Alice’s message decrypts to something meaningful under Eve’s shared secret, it is likely that Alice’s key is the same; otherwise it is likely different.

  2. In implementations of CSIDH, we generally only have that \(Q\) has order dividing this quantity; however, it simplifies the exposition if \(Q\) truly has this order.

  3. This explanation is slightly simplified; in implementations, we instead multiply out the factor of \(\ell _n\) (or, more generally, each \(\ell _i\) with \(\beta _i = 0\)) in advance.

References

  1. Banegas, G., Bernstein, D.J., Campos, F., Chou, T., Lange, T., Meyer, M., Smith, B., Sotáková, J.: CTIDH: faster constant-time CSIDH. IACR Transactions on Cryptographic Hardware and Embedded Systems 2021(4), 351–387 (2021). https://doi.org/10.46586/tches.v2021.i4.351-387. Artifact available at https://artifacts.iacr.org/tches/2021/a20

  2. Bernstein, D.J., De Feo, L., Leroux, A., Smith, B.: Faster computation of isogenies of large prime degree. Cryptology ePrint Archive, Report 2020/341 (2020). https://eprint.iacr.org/2020/341

  3. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) Advances in Cryptology – EUROCRYPT 2001, pp. 453–474. Springer, Berlin and Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28

  4. Castryck, W., Decru, T.: CSIDH on the surface. In: Ding, J., Tillich, J.P. (eds.) Post-Quantum Cryptography, pp. 111–129. Springer, Cham (2020)

  5. Castryck, W., Decru, T., Vercauteren, F.: Radical isogenies. Cryptology ePrint Archive, Report 2020/1108 (2020). https://eprint.iacr.org/2020/1108

  6. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology – ASIACRYPT 2018, pp. 395–427. Springer, Cham (2018)

  7. Cervantes-Vázquez, D., Chenu, M., Chi-Domínguez, J.J., De Feo, L., Rodríguez-Henríquez, F., Smith, B.: Stronger and faster side-channel protections for CSIDH. In: Schwabe, P., Thériault, N. (eds.) Progress in Cryptology – LATINCRYPT 2019, pp. 173–193. Springer, Cham (2019)

  8. Chi-Domínguez, J.J., Rodríguez-Henríquez, F.: Optimal strategies for CSIDH. Cryptology ePrint Archive, Report 2020/417 (2020). https://eprint.iacr.org/2020/417

  9. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)

  10. Hutchinson, A., LeGrow, J., Koziel, B., Azarderakhsh, R.: Further optimizations of CSIDH: a systematic approach to efficient strategies, permutations, and bound vectors. Cryptology ePrint Archive, Report 2019/1121 (2019). https://eprint.iacr.org/2019/1121

  11. LeGrow, J.: Design, analysis, and optimization of isogeny-based key establishment protocols. Ph.D. thesis, University of Waterloo (2020)

  12. LeGrow, J., Hutchinson, A.: An analysis of fault attacks on CSIDH. Cryptology ePrint Archive, Report 2020/1006 (2020). https://eprint.iacr.org/2020/1006

  13. Meyer, M., Campos, F., Reith, S.: On lions and elligators: an efficient constant-time implementation of CSIDH. In: Ding, J., Steinwandt, R. (eds.) Post-Quantum Cryptography, pp. 307–325. Springer, Cham (2019)

  14. Meyer, M., Reith, S.: A faster way to the CSIDH. In: Chakraborty, D., Iwata, T. (eds.) Progress in Cryptology – INDOCRYPT 2018, pp. 137–152. Springer, Cham (2018)

  15. Moriya, T., Onuki, H., Takagi, T.: How to construct CSIDH on Edwards curves. Cryptology ePrint Archive, Report 2019/843 (2019). https://eprint.iacr.org/2019/843

  16. Onuki, H., Aikawa, Y., Yamazaki, T., Takagi, T.: A faster constant-time algorithm of CSIDH keeping two points. In: Attrapadung, N., Yagi, T. (eds.) Advances in Information and Computer Security, pp. 23–33. Springer, Cham (2019)

  17. Vélu, J.: Isogénies entre courbes elliptiques. Comptes-Rendus de l’Académie des Sciences, Série I(273), 238–241 (1971)

Author information

Correspondence to Jason T. LeGrow.

Additional information

This research was funded in part by MBIE fund UOAX1933 and the Commonwealth of Virginia’s Commonwealth Cyber Initiative (CCI), an investment in the advancement of cyber R&D, innovation, and workforce development. For more information about CCI, visit www.cyberinitiative.org.

About this article

Cite this article

LeGrow, J.T. A faster method for fault attack resistance in static/ephemeral CSIDH. J Cryptogr Eng 13, 283–294 (2023). https://doi.org/10.1007/s13389-023-00318-0
