Abstract
Cryptographic schemes based on supersingular isogenies have become an active area of research in the field of post-quantum cryptography. We investigate the resistance of these cryptosystems to fault injection attacks. It appears that the iterative structure of the secret isogeny computation renders these schemes vulnerable to loop-abort attacks. Loop-abort faults allow a full key recovery, bypassing all the previously introduced validation methods. Therefore, implementing additional countermeasures seems unavoidable for applications where physical attacks are relevant.
Keywords
- Supersingular isogeny cryptosystem
- Fault injection
- Real-world attacks
- Post-quantum cryptography
Notes
- 1.
- 2. Note that an element \(a \in \mathbf{Z}/\ell_A^{n}\mathbf{Z}\) is nilpotent if and only if it is the class of a multiple of \(\ell_A\).
- 3. Note the contrast with the simple attack of Sect. 3.1, in which the way Alice internally represents her secret key is crucial. In this more evolved attack, Alice’s representation is irrelevant.
- 4. For simplicity, we assume that this probability is independent of the number k of iterations after which we want to abort.
- 5. More precisely, if there exists a way to determine that a fault was successful (for instance, if \(\mu = 1\)), we can get rid of the factor 2, because a failure brings the information that the guess is wrong, so the bit is \(1-b\).
References
- 1. Azarderakhsh, R., Koziel, B., Jalali, A., Kermani, M.M., Jao, D.: NEON-SIDH: efficient implementation of supersingular isogeny Diffie-Hellman key-exchange protocol on ARM. Cryptology ePrint Archive, Report 2016/669 (2016). http://eprint.iacr.org/2016/669
- 2. Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, vol. 317. Cambridge University Press, Cambridge (2004)
- 3. Blömer, J., Gomes da Silva, R., Günther, P., Krämer, J., Seifert, J.: A practical second-order fault attack against a real-world pairing implementation. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2014, pp. 123–136 (2014)
- 4. Bröker, R.: Constructing supersingular elliptic curves. J. Comb. Number Theory 1, 269–273 (2009)
- 5. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Proceedings of Advances in Cryptology - CRYPTO 2016, Part I, pp. 572–601 (2016)
- 6. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
- 7. Espitau, T., Fouque, P.A., Gérard, B., Tibouchi, M.: Loop-abort faults on lattice-based Fiat-Shamir and hash-and-sign signatures. Cryptology ePrint Archive, Report 2016/449 (2016). http://eprint.iacr.org/2016/449
- 8. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_34
- 9. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53887-6_3
- 10. Galbraith, S.D., Petit, C., Silva, J.: Signature schemes based on supersingular isogeny problems. Cryptology ePrint Archive, Report 2016/1154 (2016). http://eprint.iacr.org/2016/1154
- 11. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25405-5_2
- 12. Jao, D., Soukharev, V.: Isogeny-based quantum-resistant undeniable signatures. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 160–179. Springer, Cham (2014). doi:10.1007/978-3-319-11659-4_10
- 13. Kirkwood, D., Lackey, B.C., McVey, J., Motley, M., Solinas, J.A., Tuller, D.: Failure is not an option: standardization issues for post-quantum key agreement on the security of supersingular isogeny cryptosystems. Workshop on Cybersecurity in a Post-Quantum World (2015). http://csrc.nist.gov/groups/ST/post-quantum-2015/presentations/session7-motley-mark.pdf
- 14. Koziel, B., Azarderakhsh, R., Kermani, M.M., Jao, D.: Post-quantum cryptography on FPGA based on isogenies on elliptic curves. Cryptology ePrint Archive, Report 2016/672 (2016). http://eprint.iacr.org/2016/672
- 15. Microsoft Security and Cryptography: SIDH Library (2016). https://www.microsoft.com/en-us/research/project/sidh-library/
- 16. Page, D., Vercauteren, F.: A fault attack on pairing-based cryptography. IEEE Trans. Comput. 55(9), 1075–1080 (2006)
- 17. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). doi:10.1007/978-3-319-11659-4_12
- 18. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
- 19. Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106, 2nd edn. Springer, New York (2009)
- 20. Sun, X., Tian, H., Wang, Y.: Toward quantum-resistant strong designated verifier signature from isogenies. In: 2012 Fourth International Conference on Intelligent Networking and Collaborative Systems, INCoS 2012, pp. 292–296 (2012)
- 21. Tate, J.: Endomorphisms of abelian varieties over finite fields. Inventiones Math. 2(2), 134–144 (1966)
- 22. Vélu, J.: Isogénies entre courbes elliptiques. Comptes Rendus de l’Académie des Sciences de Paris 273, 238–241 (1971)
Acknowledgements
This work has been supported in part by the European Union’s H2020 Programme under grant agreement number ERC-669891. The second author was supported by the Swiss National Science Foundation under grant number 200021-156420.
A When P and Q Are Not a Basis of the Torsion
The implementation proposed by [5, 15] uses a pair of points P and Q in \(E[\ell^k]\) that does not generate the full group \(E[\ell^k]\), in order to achieve better compression. The point P is chosen to be a point of order \(\ell^k\), and Q is set as the image of P by the distortion map \((x,y) \mapsto (-x,iy)\) (where \(i^2 = -1\)).
They prove that because of this construction, when \(\ell = 2\), the sum \(P+Q\) has order \(2^{k-1}\) (instead of the expected \(2^k\)). Thus every point of the form \(P+[a]Q\) for a even has order \(2^k\). Caution is required when applying to P and Q results that are meant to be applied to a basis of \(E[2^k]\). It appears for instance in [9, Lemma 3.2], where the factor \(2^{k-1}\) should be replaced by \(2^{k-2}\) when using this pair (P, Q).
Also, if a is generated following the guidelines of [5] (as \(a = 2m\) for \(m \in \{1,2,\dots,2^{k-1}\}\)), then its most significant bit is superfluous. Indeed, the kernel of the first isogeny is necessarily the group generated by \([2^{k-1}]P = -[2^{k-1}]Q\). Then, the image of \(P+[a]Q\) under this isogeny is the same as the image of \(P+[a+2^{k-1}]Q\). It follows that the secret a leads to the same shared secret as its reduction \(a \bmod 2^{k-1}\). Therefore the secret \(a = 2m\) could be chosen with \(m < 2^{k-2}\).
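The two observations of this appendix (the order of \(P+Q\) drops to \(2^{k-1}\), and the top bit of \(a\) is superfluous because \(P+[a]Q\) and \(P+[a+2^{k-1}]Q\) have the same image under the first 2-isogeny) can be checked directly on a toy curve. The following is an added example, not code from the paper or from the SIDH library [15]: it uses constructed parameters \(p = 2^4\cdot 3 - 1 = 47\), \(E: y^2 = x^3 + x\) over \(\mathbf{F}_{p^2} = \mathbf{F}_p(i)\) and \(k = 4\), assumes (as in the construction of [5]) that P is taken \(\mathbf{F}_p\)-rational so that \([2^{k-1}]P\) is the 2-torsion point (0, 0), and computes the first isogeny with Vélu's formulas for a kernel point of order 2 in short Weierstrass form. All names (`Fp2`, `velu_2_isogeny`, `torsion_basis_demo`, ...) are this example's own.

```python
# Added example (not from the paper or the SIDH library): the (P, Q) pair of Appendix A
# on a toy curve.  Constructed parameters: p = 2^4 * 3 - 1 = 47, E: y^2 = x^3 + x over
# F_{p^2} = F_p(i), i^2 = -1, and k = 4, so we work in E[2^k] = E[16].  Not cryptographic.
P_PRIME = 47
K = 4

class Fp2:
    """Elements a + b*i of F_{p^2}, i^2 = -1 (irreducible since p = 3 mod 4)."""
    __slots__ = ("a", "b")
    def __init__(self, a, b=0):
        self.a, self.b = a % P_PRIME, b % P_PRIME
    def __eq__(self, o): return self.a == o.a and self.b == o.b
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __neg__(self): return Fp2(-self.a, -self.b)
    def __mul__(self, o): return Fp2(self.a*o.a - self.b*o.b, self.a*o.b + self.b*o.a)
    def inv(self):                      # conjugate divided by the norm, norm inverted in F_p
        n = pow(self.a*self.a + self.b*self.b, -1, P_PRIME)
        return Fp2(self.a*n, -self.b*n)
    def __truediv__(self, o): return self * o.inv()
    def is_zero(self): return self.a == 0 and self.b == 0

def ec_add(A, S, T):
    """Affine addition on y^2 = x^3 + A x + B (B is not needed); None is the point at infinity."""
    if S is None: return T
    if T is None: return S
    x1, y1 = S; x2, y2 = T
    if x1 == x2:
        if (y1 + y2).is_zero(): return None          # S = -T, includes doubling a 2-torsion point
        lam = (Fp2(3)*x1*x1 + A) / (Fp2(2)*y1)       # tangent slope (doubling)
    else:
        lam = (y2 - y1) / (x2 - x1)                  # chord slope
    x3 = lam*lam - x1 - x2
    return (x3, lam*(x1 - x3) - y1)

def ec_mul(A, n, S):
    """Double-and-add scalar multiplication [n]S."""
    R = None
    for bit in bin(n)[2:]:
        R = ec_add(A, R, R)
        if bit == "1": R = ec_add(A, R, S)
    return R

def two_power_order(A, S):
    """Order of S, assuming it is a power of 2 (true for every point of E[2^k])."""
    n = 1
    while S is not None:
        S, n = ec_add(A, S, S), 2*n
    return n

def find_fp_point_of_order(A, order):
    """Search E(F_p) for a point of the given 2-power order; p = 3 mod 4 gives a cheap sqrt."""
    for x in range(1, P_PRIME):
        rhs = (x**3 + x) % P_PRIME
        y = pow(rhs, (P_PRIME + 1)//4, P_PRIME)
        if y*y % P_PRIME != rhs: continue               # x^3 + x is a non-residue here
        S = ec_mul(A, 3, (Fp2(x), Fp2(y)))              # clear the cofactor 3: S lies in E[16]
        if two_power_order(A, S) == order: return S
    return None

def velu_2_isogeny(A, B, kernel_pt):
    """Velu's formulas for the 2-isogeny with kernel <(x0, 0)>; returns (A', B', phi)."""
    x0, _ = kernel_pt
    t = Fp2(3)*x0*x0 + A
    w = x0 * t
    def phi(S):
        if S is None: return None
        x, y = S
        if x == x0: return None                          # the kernel maps to infinity
        d = x - x0
        return (x + t/d, y - t*y/(d*d))
    return A - Fp2(5)*t, B - Fp2(7)*w, phi

def torsion_basis_demo():
    A, B = Fp2(1), Fp2(0)                                # E: y^2 = x^3 + x
    P = find_fp_point_of_order(A, 2**K)                  # F_p-rational point of order 2^k
    Q = (-P[0], Fp2(0, 1) * P[1])                        # distortion map (x, y) -> (-x, i y)
    half = 2**(K - 1)
    P_half, Q_half = ec_mul(A, half, P), ec_mul(A, half, Q)
    _, _, phi = velu_2_isogeny(A, B, P_half)             # first isogeny: kernel <[2^{k-1}]P>
    return {
        "ord_P": two_power_order(A, P),
        "ord_Q": two_power_order(A, Q),
        "ord_P_plus_Q": two_power_order(A, ec_add(A, P, Q)),
        # [2^{k-1}]P == -[2^{k-1}]Q, so the kernel of the first isogeny does not depend on a
        "same_two_torsion": P_half == (Q_half[0], -Q_half[1]),
        # order of P + [a]Q for every a in 0 .. 2^k - 1 (2^k for a even, 2^{k-1} for a odd)
        "orders": {a: two_power_order(A, ec_add(A, P, ec_mul(A, a, Q))) for a in range(2**K)},
        # phi(P + [a]Q) == phi(P + [a + 2^{k-1}]Q): the top bit of a is superfluous
        "images_collide": all(phi(ec_add(A, P, ec_mul(A, a, Q)))
                              == phi(ec_add(A, P, ec_mul(A, a + half, Q))) for a in range(half)),
    }

if __name__ == "__main__":
    print(torsion_basis_demo())
```

Running `torsion_basis_demo()` reports P and Q of order 16, \(P+Q\) of order 8, order 16 for every even a and 8 for every odd a, and identical images for a and \(a + 8\) under the first isogeny; the collision is exactly what makes the most significant bit of a irrelevant to the shared secret, which an implementation should account for when sizing the key space rather than silently counting it as entropy.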
© 2017 Springer International Publishing AG
Cite this paper
Gélin, A., Wesolowski, B. (2017). Loop-Abort Faults on Supersingular Isogeny Cryptosystems. In: Lange, T., Takagi, T. (eds) Post-Quantum Cryptography. PQCrypto 2017. Lecture Notes in Computer Science, vol 10346. Springer, Cham. https://doi.org/10.1007/978-3-319-59879-6_6
DOI: https://doi.org/10.1007/978-3-319-59879-6_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59878-9
Online ISBN: 978-3-319-59879-6
eBook Packages: Computer Science, Computer Science (R0)