CTIDH: faster constant-time CSIDH

Banegas, Gustavo; Bernstein, Daniel J.; Campos, Fábio; Chou, Tai‐Li; Lange, Tanja; Meyer, Michaël; Smith, Benjamin; Sotáková, Jana

doi:10.46586/tches.v2021.i4.351-387

Cited by 20 publications

(31 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Combining these results shows that breaking CSIDH-512 requires around 2 60 qubit operations on logical qubits, i.e., not taking into account the overhead for quantum error correction. Implementation papers such as CTIDH [3] use the CSIDH-512 prime for comparison purposes and also offer larger parameters. Likewise, we use the CSIDH-512 and CTIDH-512 parameters for concrete examples.…”

Section: Note On Securitymentioning

confidence: 99%

“…In contrast, one can sample two points per round, one with positive and one with negative orientation, and attempt to compute isogenies for each degree ℓ i per round, independent of the sign of the e i [32]. Constanttime algorithms require choosing S independent of the secret key, and all stateof-the-art constant-time implementations use the 2-point approach, e.g., [3,17].…”

Section: -Point and 2-point Approachesmentioning

confidence: 99%

“…, 2m i } n was used in [30]. Other choices of K were made in [16,17,32], and CTIDH [3] (see Section 5.2).…”

Section: Keyspacementioning

confidence: 99%

“…The group action in CSIDH and related schemes is evaluated by computing a sequence of small-degree isogeny steps; the choice of degrees and "directions" is the private key. Thus, the control flow of a straightforward implementation is directly related to the secret key, which complicates side-channel resistant implementations [3,7,12,26,30,31].…”

Section: Introductionmentioning

confidence: 99%

“…The strategy in Algorithm 1 is called multiplicative strategy [7,15,31]. Other notable strategies from the literature are the SIMBA strategy [30], point-pushing strategies [18], and atomic blocks [3].…”

mentioning

confidence: 99%

See 4 more Smart Citations

Disorientation Faults in CSIDH

Banegas

Krämer

Lange

et al. 2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We investigate a new class of fault-injection attacks against the CSIDH family of cryptographic group actions. Our disorientation attacks effectively flip the direction of some isogeny steps. We achieve this by faulting a specific subroutine, connected to the Legendre symbol or Elligator computations performed during the evaluation of the group action. These subroutines are present in almost all known CSIDH implementations. Post-processing a set of faulty samples allows us to infer constraints on the secret key. The details are implementation specific, but we show that in many cases, it is possible to recover the full secret key with only a modest number of successful fault injections and modest computational resources. We provide full details for attacking the original CSIDH proof-of-concept software as well as the CTIDH constant-time * Author list in alphabetical order; see https://ams.org/profession/leaders/ CultureStatement04.pdf.

show abstract

Section: Note On Securitymentioning

confidence: 99%

Section: -Point and 2-point Approachesmentioning

confidence: 99%

“…, 2m i } n was used in [30]. Other choices of K were made in [16,17,32], and CTIDH [3] (see Section 5.2).…”

Section: Keyspacementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations

Disorientation Faults in CSIDH

Banegas

Krämer

Lange

et al. 2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

Safe-Error Attacks on SIKE and CSIDH

Campos

Krämer

Müller

2022

Security, Privacy, and Applied Cryptography Engineering

View full text Add to dashboard Cite

Fully Projective Radical Isogenies in Constant-Time

Chi-Domínguez

Reijnders

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

At PQCrypto-2020, Castryck and Decru proposed CSURF (CSIDH on the surface) as an improvement to the CSIDH protocol. Soon after that, at Asiacrypt-2020, together with Vercauteren they introduced radical isogenies as a further improvement. The main improvement in these works is that both CSURF and radical isogenies require only one torsion point to initiate a chain of isogenies, in comparison to Vélu isogenies which require a torsion point per isogeny. Both works were implemented using non-constant-time techniques, however, in a realistic scenario, a constant-time implementation is necessary to mitigate risks of timing attacks. The analysis of constant-time CSURF and radical isogenies was left as an open problem by Castryck, Decru, and Vercauteren. In this work we analyze this problem. A straightforward constant-time implementation of CSURF and radical isogenies encounters too many issues to be cost effective, but we resolve some of these issues with new optimization techniques. We introduce projective radical isogenies to save costly inversions and present a hybrid strategy for integration of radical isogenies in CSIDH implementations. These improvements make radical isogenies almost twice as efficient in constant-time, in terms of finite field multiplications. Using these improvements, we then measure the algorithmic performance in a benchmark of CSIDH, CSURF and CRADS (an implementation using radical isogenies) for different prime sizes. Our implementation provides a more accurate comparison between CSIDH, CSURF and CRADS than the original benchmarks, by using state-ofthe-art techniques for all three implementations. Our experiments illustrate that the speed-up of constant-time CSURF-512 with radical isogenies is reduced to about 3% in comparison to the fastest state-of-the-art constant-time CSIDH-512 implementation. The performance is worse for larger primes, as radical isogenies scale worse than Vélu isogenies.

show abstract

CTIDH: faster constant-time CSIDH

Cited by 20 publications

References 25 publications

Disorientation Faults in CSIDH

Disorientation Faults in CSIDH

Safe-Error Attacks on SIKE and CSIDH

Fully Projective Radical Isogenies in Constant-Time

Contact Info

Product

Resources

About