2023
DOI: 10.1007/978-3-031-30589-4_11
|View full text |Cite
|
Sign up to set email alerts
|

Disorientation Faults in CSIDH

Abstract: We investigate a new class of fault-injection attacks against the CSIDH family of cryptographic group actions. Our disorientation attacks effectively flip the direction of some isogeny steps. We achieve this by faulting a specific subroutine, connected to the Legendre symbol or Elligator computations performed during the evaluation of the group action. These subroutines are present in almost all known CSIDH implementations. Post-processing a set of faulty samples allows us to infer constraints on the secret ke… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1

Citation Types

0
1
0

Year Published

2023
2023
2024
2024

Publication Types

Select...
4
1

Relationship

0
5

Authors

Journals

citations
Cited by 6 publications
(1 citation statement)
references
References 30 publications
0
1
0
Order By: Relevance
“…In protocols such as CSIDH, this is typically done by using x-only arithmetic as described here, followed by a square check for the y-coordinate to see on which curve the point is. Given that a square check is much more expensive over F p k than over F p for large k, one can instead opt to use the Elligator point sampling method (see for example [38,3]). Indeed, as our protocol does not need to differentiate between the ℓ-torsion point on the curve and the one on the twist, we can simply compute both simultaneously.…”
Section: Computing a Point Of Order ℓmentioning
confidence: 99%
“…In protocols such as CSIDH, this is typically done by using x-only arithmetic as described here, followed by a square check for the y-coordinate to see on which curve the point is. Given that a square check is much more expensive over F p k than over F p for large k, one can instead opt to use the Elligator point sampling method (see for example [38,3]). Indeed, as our protocol does not need to differentiate between the ℓ-torsion point on the curve and the one on the twist, we can simply compute both simultaneously.…”
Section: Computing a Point Of Order ℓmentioning
confidence: 99%