Loop-Abort Faults on Supersingular Isogeny Cryptosystems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10346)


Cryptographic schemes based on supersingular isogenies have become an active area of research in the field of post-quantum cryptography. We investigate the resistance of these cryptosystems to fault injection attacks. It appears that the iterative structure of the secret isogeny computation renders these schemes vulnerable to loop-abort attacks. Loop-abort faults allow a full key recovery, bypassing all the previously introduced validation methods. Implementing additional countermeasures therefore seems unavoidable for applications where physical attacks are relevant.
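The attack the abstract summarises, as an added example (not code from the paper or from any SIDH library): a toy SIDH-style party computes its secret 3^3-isogeny as a loop of three Vélu 3-isogenies over F_{431^2}, consuming one base-3 digit of the secret per iteration. A loop-abort fault that stops the loop after k iterations leaves the device publishing the intermediate curve and point images, which depend only on the secret modulo 3^k, so an attacker who collects the aborted outputs for k = 1, 2, 3 recovers the digits one at a time with three guesses each. The prime p = 2^4·3^3 − 1 = 431, the starting curve y^2 = x^3 + 6x^2 + x, the textbook one-digit-per-iteration loop, the function names, and the assumption that the faulted device still outputs its partial public key are all choices made for this example.

```python
# Loop-abort fault on an SIDH-style secret-isogeny loop, and the resulting
# digit-by-digit key recovery.  Added example, not code from the paper or from
# any SIDH library.  Assumptions (all made for this example): toy prime
# p = 2^4 * 3^3 - 1 = 431, starting curve E_0: y^2 = x^3 + 6x^2 + x, a textbook
# loop computing the 3^3-isogeny as three Velu 3-isogenies (one base-3 digit of
# the secret m per iteration), and a faulted device that still publishes its
# partial public key (A_k, x(phi_k(P_A)), x(phi_k(Q_A))) after the abort.

P, EXP = 2**4 * 3**3 - 1, 3      # p = 431 = 3 (mod 4); secret isogeny has degree 3^EXP
A0 = (6, 0)                      # Montgomery coefficient of E_0
INV2 = (P + 1) // 2

# ---- F_{p^2} = F_p(i), i^2 = -1, elements stored as (re, im) ----
def add(a, b): return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)
def sub(a, b): return ((a[0] - b[0]) % P, (a[1] - b[1]) % P)
def mul(a, b): return ((a[0]*b[0] - a[1]*b[1]) % P, (a[0]*b[1] + a[1]*b[0]) % P)
def inv(a):
    n = pow((a[0]*a[0] + a[1]*a[1]) % P, P - 2, P)        # 1 / (a * conj(a))
    return (a[0]*n % P, -a[1]*n % P)
def div(a, b): return mul(a, inv(b))
def fp(n): return (n % P, 0)
ONE = fp(1)

def sqrt_fp2(a):
    """A square root of a in F_{p^2} for p = 3 (mod 4), or None if a is a non-square."""
    a0, a1 = a
    if a1 == 0:                                        # a in F_p: sqrt(a0) or i*sqrt(-a0)
        r = pow(a0, (P + 1) // 4, P)
        return (r, 0) if r*r % P == a0 else (0, pow(-a0 % P, (P + 1) // 4, P))
    norm = (a0*a0 + a1*a1) % P
    n = pow(norm, (P + 1) // 4, P)                     # sqrt(Norm(a)) = s^2 + t^2
    if n*n % P != norm: return None
    for s2 in ((a0 + n) * INV2 % P, (a0 - n) * INV2 % P):   # s^2 = (a0 +- n) / 2
        s = pow(s2, (P + 1) // 4, P)
        if s*s % P == s2: return (s, a1 * pow(2*s, P - 2, P) % P)   # (s + t i)^2 = a
    return None

# ---- affine arithmetic on E_0 itself (bases and the kernel generator P_B + [m]Q_B) ----
def aff_add(R, S):
    if R is None: return S
    if S is None: return R
    (x1, y1), (x2, y2) = R, S
    if x1 == x2:
        if y1 != y2 or y1 == (0, 0): return None       # S = -R
        lam = div(add(add(mul(fp(3), mul(x1, x1)), mul(fp(2), mul(A0, x1))), ONE), mul(fp(2), y1))
    else:
        lam = div(sub(y2, y1), sub(x2, x1))
    x3 = sub(sub(sub(mul(lam, lam), A0), x1), x2)
    return (x3, sub(mul(lam, sub(x1, x3)), y1))

def aff_mul(k, R):
    acc = None
    while k:
        if k & 1: acc = aff_add(acc, R)
        R, k = aff_add(R, R), k >> 1
    return acc

def torsion_basis(ell, e):
    """Deterministically pick P, Q on E_0 with <P, Q> = E_0[ell^e]."""
    n, basis, x = ell**e, [], 1
    while len(basis) < 2:
        x += 1
        xf = (x % P, x // P)                           # walk F_{p^2} in a fixed order
        y = sqrt_fp2(mul(xf, add(mul(xf, add(xf, A0)), ONE)))   # y^2 = x^3 + A x^2 + x
        T = aff_mul((P + 1) // n, (xf, y)) if y else None       # #E_0(F_{p^2}) = (p+1)^2
        T_ell = aff_mul(n // ell, T) if T else None             # order-ell part of T
        if T_ell and all(T_ell[0] != aff_mul(n // ell, B)[0] for B in basis):
            basis.append(T)                            # order exactly n, independent of the rest
    return basis

PA, QA = torsion_basis(2, 4)        # other party's public basis of E_0[2^4]
PB, QB = torsion_basis(3, EXP)      # this party's basis of E_0[3^3]; secret kernel <P_B + [m]Q_B>

# ---- x-only Montgomery arithmetic and the 3-isogeny, both independent of B ----
def xdbl(A, x):
    t = sub(mul(x, x), ONE)
    return div(mul(t, t), mul(fp(4), mul(x, add(add(mul(x, x), mul(A, x)), ONE))))

def xtpl(A, x):                     # x([3]R) = x([2]R + R) by differential addition
    x2 = xdbl(A, x)
    t, d = sub(mul(x2, x), ONE), sub(x2, x)
    return div(mul(t, t), mul(mul(d, d), x))

def iso3(A, x3):
    """Velu 3-isogeny with kernel <(x3, .)>: codomain coefficient and the x-map."""
    A2 = mul(add(sub(mul(A, x3), mul(fp(6), mul(x3, x3))), fp(6)), x3)
    def phi(x):
        t = div(sub(mul(x, x3), ONE), sub(x, x3))
        return mul(x, mul(t, t))
    return A2, phi

def secret_isogeny(m, abort_after=EXP):
    """The device's loop.  abort_after < EXP models a loop-abort fault: the loop stops
    early and the device publishes whatever it has.  The first k steps depend only on
    m mod 3^k (least significant digits first), which is the whole leak."""
    R = aff_add(PB, aff_mul(m, QB))[0]                 # x(P_B + [m]Q_B), order 3^EXP
    A, pa, qa = A0, PA[0], QA[0]
    for i in range(abort_after):
        K = R
        for _ in range(EXP - 1 - i): K = xtpl(A, K)    # order-3 kernel point of this step
        A, phi = iso3(A, K)
        pa, qa = phi(pa), phi(qa)
        if i < EXP - 1: R = phi(R)
    return A, pa, qa

def recover_secret(outputs):
    """outputs[k-1] = device output after a fault aborted the loop after k steps
    (outputs[EXP-1] is simply the honest public key).  Each step keeps the
    prefixes whose simulated partial run matches: 3 guesses per digit."""
    candidates = [0]
    for k in range(1, EXP + 1):
        candidates = [c + d * 3**(k - 1) for c in candidates for d in range(3)
                      if secret_isogeny(c + d * 3**(k - 1), abort_after=k) == outputs[k - 1]]
    return candidates

if __name__ == "__main__":
    m = 17
    print(recover_secret([secret_isogeny(m, abort_after=k) for k in range(1, EXP + 1)]))  # [17]
```

Two details matter in practice. The final "aborted" output is just the honest public key, so e − 1 faults suffice to recover all e digits, and the attacker's work is e·ℓ partial isogeny computations rather than a search over ℓ^e keys. The comparison deliberately matches the Montgomery coefficient together with both image x-coordinates, which pins down the kernel uniquely; matching j-invariants alone would not, because distinct kernels can land on isomorphic curves (this toy graph even has 3-isogeny loops at the starting j-invariant). The standard minimal defence against this class of fault, outside the example, is to verify after the loop that the iteration counter actually reached e before anything is published.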


Keywords: Supersingular isogeny cryptosystem, Fault injection, Real-world attacks, Post-quantum cryptography



This work has been supported in part by the European Union’s H2020 Programme under grant agreement number ERC-669891. The second author was supported by the Swiss National Science Foundation under grant number 200021-156420.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France
  2. École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Lausanne, Switzerland
