(Short Paper) Analysis of a Strong Fault Attack on Static/Ephemeral CSIDH

“…One can modify memory locations and observe if this changes the resulting shared secret [11]. A different attack avenue is to target fault injections against dummy computations in CSIDH [10,28]. We emphasize that these are attacks against specific implementations and variants of CSIDH.…”

“…Although these attacks are implementation-specific, the proposed countermeasures impact our attack too. Typically, real isogenies are computed prior to dummy isogenies, but the order of real and dummy isogenies can be randomized [10,28] with essentially no computational overhead. When applied to dummy-based implementations, e.g., from [30,32], this randomization means dummy isogenies can appear in different rounds for each run, which makes the definitions of the curves E r,± almost obsolete.…”

Disorientation Faults in CSIDH

“…One can modify memory locations and observe if this changes the resulting shared secret [11]. A different attack avenue is to target fault injections against dummy computations in CSIDH [10,28]. We emphasize that these are attacks against specific implementations and variants of CSIDH.…”

“…Although these attacks are implementation-specific, the proposed countermeasures impact our attack too. Typically, real isogenies are computed prior to dummy isogenies, but the order of real and dummy isogenies can be randomized [10,28] with essentially no computational overhead. When applied to dummy-based implementations, e.g., from [30,32], this randomization means dummy isogenies can appear in different rounds for each run, which makes the definitions of the curves E r,± almost obsolete.…”

Disorientation Faults in CSIDH

Effective Pairings in Isogeny-Based Cryptography

Patient Zero & Patient Six: Zero-Value and Correlation Attacks on CSIDH and SIKE