TY - GEN
T1 - Stronger and faster side-channel protections for CSIDH
AU - Cervantes-Vázquez, Daniel
AU - Chenu, Mathilde
AU - Chi-Domínguez, Jesús Javier
AU - De Feo, Luca
AU - Rodríguez-Henríquez, Francisco
AU - Smith, Benjamin
N1 - Publisher Copyright:
© Springer Nature Switzerland AG 2019.
PY - 2019/1/1
Y1 - 2019/1/1
N2 - CSIDH is a recent quantum-resistant primitive based on the difficulty of finding isogeny paths between supersingular curves. Recently, two constant-time versions of CSIDH have been proposed: first by Meyer, Campos and Reith, and then by Onuki, Aikawa, Yamazaki and Takagi. While both offer protection against timing attacks and simple power consumption analysis, they are vulnerable to more powerful attacks such as fault injections. In this work, we identify and repair two oversights in these algorithms that compromised their constant-time character. By exploiting Edwards arithmetic and optimal addition chains, we produce the fastest constant-time version of CSIDH to date. We then consider the stronger attack scenario of fault injection, which is relevant for the security of CSIDH static keys in embedded hardware. We propose and evaluate a dummy-free CSIDH algorithm. While these CSIDH variants are slower, their performance is still within a small constant factor of less-protected variants. Finally, we discuss derandomized CSIDH algorithms.
U2 - 10.1007/978-3-030-30530-7_9
DO - 10.1007/978-3-030-30530-7_9
M3 - Conference contribution
AN - SCOPUS:85072865372
SN - 9783030305291
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 173
EP - 193
BT - Progress in Cryptology – LATINCRYPT 2019 - 6th International Conference on Cryptology and Information Security in Latin America, Proceedings
A2 - Schwabe, Peter
A2 - Thériault, Nicolas
PB - Springer Verlag
T2 - 6th International Conference on Cryptology and Information Security in Latin America, LATINCRYPT 2019
Y2 - 2 October 2019 through 4 October 2019
ER -