Skip to main content

Stronger and Faster Side-Channel Protections for CSIDH

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11774)

Abstract

CSIDH is a recent quantum-resistant primitive based on the difficulty of finding isogeny paths between supersingular curves. Recently, two constant-time versions of CSIDH have been proposed: first by Meyer, Campos and Reith, and then by Onuki, Aikawa, Yamazaki and Takagi. While both offer protection against timing attacks and simple power consumption analysis, they are vulnerable to more powerful attacks such as fault injections. In this work, we identify and repair two oversights in these algorithms that compromised their constant-time character. By exploiting Edwards arithmetic and optimal addition chains, we produce the fastest constant-time version of CSIDH to date. We then consider the stronger attack scenario of fault injection, which is relevant for the security of CSIDH static keys in embedded hardware. We propose and evaluate a dummy-free CSIDH algorithm. While these CSIDH variants are slower, their performance is still within a small constant factor of less-protected variants. Finally, we discuss derandomized CSIDH algorithms.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-30530-7_9
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   59.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-30530-7
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   79.99
Price excludes VAT (USA)

Notes

  1. 1.

    Following [8], we represent \(A = A'/C'\) as a projective point \((A':C')\); see Sect. 4.1.1.

  2. 2.

    Presumably, Onuki et al. do the same, however their exposition is not clear on this point, and we do not have access to their code.

  3. 3.

    The Elligator optimization is described in § 5.3 of [21]. The unoptimized constant-time version described in Algorithm 2 therein is not affected by this problem.

  4. 4.

    We also found a branch on secret data in the code provided with [21] at https://zenon.cs.hs-rm.de/pqcrypto/faster-csidh, during the 3-isogeny computation, when computing \([\ell ]P = [(\ell -1)/2]P + [(\ell +1)/2]P\). This can be easily fixed by a conditional swap, without any significant impact on running time.

  5. 5.

    A differential addition chain is an addition chain such that for every chain element c computed as \(a + b\), the difference \(a-b\) is already present in the chain.

  6. 6.

    Assuming the usual heuristic assumptions on the distribution of the output of Elligator, see [21].

References

  1. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68164-9_26

    CrossRef  Google Scholar 

  2. Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 967–980 (2013)

    Google Scholar 

  3. Bernstein, D.J., Lange, T., Martindale, C., Panny, L.: Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 409–441. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_15

    CrossRef  Google Scholar 

  4. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. IACR Cryptology ePrint Archive 2019/498 (2019)

    Google Scholar 

  5. Castryck, W., Galbraith, S.D., Farashahi, R.R.: Efficient arithmetic on elliptic curves using a mixed Edwards-Montgomery representation. Cryptology ePrint Archive, 2008/218 (2008)

    Google Scholar 

  6. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

    CrossRef  Google Scholar 

  7. Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)

    MathSciNet  CrossRef  Google Scholar 

  8. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_21

    CrossRef  Google Scholar 

  9. Costello, C., Smith, B.: Montgomery curves and their arithmetic - the case of large characteristic fields. J. Cryptogr. Eng. 8(3), 227–240 (2018)

    CrossRef  Google Scholar 

  10. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006)

    Google Scholar 

  11. De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. Cryptology ePrint Archive, Report 2018/824 (2018)

    Google Scholar 

  12. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)

    MathSciNet  MATH  Google Scholar 

  13. De Feo, L., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 365–394. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_14

    CrossRef  Google Scholar 

  14. Decru, T., Panny, L., Vercauteren, F.: Faster SeaSign signatures through improved rejection sampling. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 271–285. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_15

    CrossRef  Google Scholar 

  15. Gélin, A., Wesolowski, B.: Loop-abort faults on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 93–106. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_6

    CrossRef  Google Scholar 

  16. Jalali, A., Azarderakhsh, R., Kermani, M.M., Jao, D.: Towards optimized and constant-time CSIDH on embedded devices. In: Polian, I., Stöttinger, M. (eds.) COSADE 2019. LNCS, vol. 11421, pp. 215–231. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-16350-1_12

    CrossRef  Google Scholar 

  17. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

    CrossRef  MATH  Google Scholar 

  18. Kim, S., Yoon, K., Kwon, J., Hong, S., Park, Y.H.: Efficient isogeny computations on twisted Edwards curves. Secur. Commun. Netw. 2018, 11 (2018)

    Google Scholar 

  19. Kim, S., Yoon, K., Kwon, J., Park, Y.H., Hong, S.: New hybrid method for isogeny-based cryptosystems using Edwards curves. Cryptology ePrint Archive, Report 2018/1215 (2018). https://eprint.iacr.org/2018/1215

  20. Kim, S., Yoon, K., Kwon, J., Park, Y.H., Hong, S.: Optimized method for computing odd-degree isogenies on Edwards curves. Cryptology ePrint Archive, Report 2019/110 (2019). https://eprint.iacr.org/2019/110

  21. Meyer, M., Campos, F., Reith, S.: On Lions and elligators: an efficient constant-time implementation of CSIDH. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 307–325. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_17

    CrossRef  Google Scholar 

  22. Meyer, M., Reith, S.: A faster way to the CSIDH. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 137–152. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_8

    CrossRef  Google Scholar 

  23. Meyer, M., Reith, S., Campos, F.: On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic. Cryptology ePrint Archive 2017/1213 (2017)

    Google Scholar 

  24. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987)

    MathSciNet  CrossRef  Google Scholar 

  25. Moody, D., Shumow, D.: Analogues of Vélu’s formulas for isogenies on alternate models of elliptic curves. Math. Comput. 85(300), 1929–1951 (2016)

    CrossRef  Google Scholar 

  26. Onuki, H., Aikawa, Y., Yamazaki, T., Takagi, T.: A faster constant-time algorithm of CSIDH keeping two torsion points. In: IWSEC 2019 - The 14th International Workshop on Security (2019, to appear)

    Google Scholar 

  27. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006)

    Google Scholar 

  28. Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)

    MathSciNet  CrossRef  Google Scholar 

  29. Ti, Y.B.: Fault attack on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 107–122. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_7

    CrossRef  Google Scholar 

  30. Vélu, J.: Isogénies entre courbes elliptiques. Comptes-rendu de l’académie des sciences de Paris (1971)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Daniel Cervantes-Vázquez .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Cervantes-Vázquez, D., Chenu, M., Chi-Domínguez, JJ., De Feo, L., Rodríguez-Henríquez, F., Smith, B. (2019). Stronger and Faster Side-Channel Protections for CSIDH. In: Schwabe, P., Thériault, N. (eds) Progress in Cryptology – LATINCRYPT 2019. LATINCRYPT 2019. Lecture Notes in Computer Science(), vol 11774. Springer, Cham. https://doi.org/10.1007/978-3-030-30530-7_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-30530-7_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-30529-1

  • Online ISBN: 978-3-030-30530-7

  • eBook Packages: Computer ScienceComputer Science (R0)