Skip to main content

Loop-Abort Faults on Supersingular Isogeny Cryptosystems

Part of the Lecture Notes in Computer Science book series (LNSC,volume 10346)


Cryptographic schemes based on supersingular isogenies have become an active area of research in the field of post-quantum cryptography. We investigate the resistance of these cryptosystems to fault injection attacks. It appears that the iterative structure of the secret isogeny computation renders these schemes vulnerable to loop-abort attacks. Loop-abort faults allow to perform a full key recovery, bypassing all the previously introduced validation methods. Therefore implementing additional countermeasures seems unavoidable for applications where physical attacks are relevant.


  • Supersingular isogeny cryptosystem
  • Fault injection
  • Real-world attacks
  • Post-quantum cryptography

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions


  1. 1.

    In [5], the pair \((P_A,Q_A)\) does not form a basis. The protocol still works, but some caution is required (see Appendix A).

  2. 2.

    Note that an element \(a \in \mathbf {Z}/\ell _A^{n}\mathbf {Z}\) is nilpotent if and only if it is the class of a multiple of \(\ell _A\).

  3. 3.

    Note the contrast with the simple attack of Sect. 3.1, in which the way Alice internally represents her secret key is crucial. In this more evolved attack, Alice’s representation is irrelevant.

  4. 4.

    For simplicity, we assume that this probability is independent of the number k of iterations after which we want to abort.

  5. 5.

    More precisely, if there exists a way to determine that a fault was successful (for instance, if \(\mu = 1\)), we can get rid of the factor 2, because a failure brings the information that the guess is wrong, so the bit is \(1-b\).


  1. Azarderakhsh, R., Koziel, B., Jalali, A., Kermani, M.M., Jao, D.: NEON-SIDH: efficient implementation of supersingular isogeny Diffe-Hellman key-exchange protocol on ARM. Cryptology ePrint Archive, Report 2016/669 (2016).

  2. Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, vol. 317. Cambridge University Press, Cambridge (2004)

    MATH  Google Scholar 

  3. Blömer, J., Gomes da Silva, R., Günther, P., Krämer, J., Seifert, J.: A practical second-order fault attack against a real-world pairing implementation. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2014, pp. 123–136 (2014)

    Google Scholar 

  4. Bröker, R.: Constructing supersingular elliptic curves. J. Comb. Number Theory 1, 269–273 (2009)

    MathSciNet  MATH  Google Scholar 

  5. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Proceedings of Advances in Cryptology - CRYPTO 2016, Part I, pp. 572–601 (2016)

    Google Scholar 

  6. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)

    MathSciNet  MATH  Google Scholar 

  7. Espitau, T., Fouque, P.A., Gérard, B., Tibouchi, M.: Loop-abort faults on lattice-based Fiat-Shamir and hash-and-sign signatures. Cryptology ePrint Archive, Report 2016/449 (2016).

  8. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_34

    CrossRef  Google Scholar 

  9. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53887-6_3

    CrossRef  Google Scholar 

  10. Galbraith, S.D., Petit, C., Silva, J.: Signature schemes based on supersingular isogeny problems. Cryptology ePrint Archive, Report 2016/1154 (2016).

  11. Jao, D., Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25405-5_2

    CrossRef  Google Scholar 

  12. Jao, D., Soukharev, V.: Isogeny-based quantum-resistant undeniable signatures. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 160–179. Springer, Cham (2014). doi:10.1007/978-3-319-11659-4_10

    Google Scholar 

  13. Kirkwood, D., Lackey, B.C., McVey, J., Motley, M., Solinas, J.A., Tuller, D.: Failure is not an option: standardization issues for post-quantum key agreement on the security of supersingular isogeny cryptosystems. Workshop on Cybersecurity in a Post-Quantum World (2015).

  14. Koziel, B., Azarderakhsh, R., Kermani, M.M., Jao, D.: Post-quantum cryptography on FPGA based on isogenies on elliptic curves. Cryptology ePrint Archive, Report 2016/672 (2016).

  15. Microsoft Security and Cryptography: SIDH Library (2016).

  16. Page, D., Vercauteren, F.: A fault attack on pairing-based cryptography. IEEE Trans. Comput. 55(9), 1075–1080 (2006)

    CrossRef  MATH  Google Scholar 

  17. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). doi:10.1007/978-3-319-11659-4_12

    Google Scholar 

  18. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)

    CrossRef  MathSciNet  MATH  Google Scholar 

  19. Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106, 2nd edn. Springer, New York (2009)

    CrossRef  MATH  Google Scholar 

  20. Sun, X., Tian, H., Wang, Y.: Toward quantum-resistant strong designated verifier signature from isogenies. In: 2012 Fourth International Conference on Intelligent Networking and Collaborative Systems, INCoS 2012, pp. 292–296 (2012)

    Google Scholar 

  21. Tate, J.: Endomorphisms of abelian varieties over finite fields. Inventiones Math. 2(2), 134–144 (1966)

    CrossRef  MathSciNet  MATH  Google Scholar 

  22. Vélu, J.: Isogénies entre courbes elliptiques. Comptes Rendus de l’Académie des Sciences de Paris 273, 238–241 (1971)

    MATH  Google Scholar 

Download references


This work has been supported in part by the European Union’s H2020 Programme under grant agreement number ERC-669891. The second author was supported by the Swiss National Science Foundation under grant number 200021-156420.

Author information

Authors and Affiliations


Corresponding authors

Correspondence to Alexandre Gélin or Benjamin Wesolowski .

Editor information

Editors and Affiliations

A When P and Q Are Not a Basis of the Torsion

A When P and Q Are Not a Basis of the Torsion

The implementation proposed by [5, 15] uses a pair of points P and Q in \(E[\ell ^k]\) that does not generate the full group \(E[\ell ^k]\), in order to achieve better compression. The point P is chosen to be a point of order \(\ell ^k\), and Q is set as the image of P by the distortion map \((x,y) \mapsto (-x,iy)\) (where \(i^2 = -1\)).

They prove that because of this construction, when \(\ell = 2\), the sum \(P+Q\) has order \(2^{k-1}\) (instead of the expected \(2^k\)). Thus every point of the form \(P+[a]Q\) for a even has order \(2^k\). Caution is required when applying to P and Q results that are meant to be applied to a basis of \(E[2^k]\). It appears for instance in [9, Lemma 3.2], where the factor \(2^{k-1}\) should be replaced by \(2^{k-2}\) when using this pair (PQ).

Also, if a is generated following the guidelines of [5] (as \(a = 2m\) for \(m\in \{1,2,\dots ,2^{k-1}\}\)), then its most significant bit is superfluous. Indeed, the kernel of the first isogeny is necessarily the group generated by \([2^{k-1}] P = - [2^{k-1}] Q\). Then, the image of \(P+[a]Q\) under this isogeny is the same as the image of \(P+[a+2^{k-1}]Q\). It follows that the secret a leads to the same shared secret as its reduction \(a \bmod 2^{k-1}\). Therefore the secret \(a = 2m\) could be chosen with \(m < 2^{k-2}\).

Rights and permissions

Reprints and Permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Gélin, A., Wesolowski, B. (2017). Loop-Abort Faults on Supersingular Isogeny Cryptosystems. In: Lange, T., Takagi, T. (eds) Post-Quantum Cryptography . PQCrypto 2017. Lecture Notes in Computer Science(), vol 10346. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59878-9

  • Online ISBN: 978-3-319-59879-6

  • eBook Packages: Computer ScienceComputer Science (R0)