Trouble at the CSIDH: Protecting CSIDH with Dummy-Operations Against Fault Injection Attacks

Campos, Fábio; Kannwischer, Matthias J.; Meyer, Michaël; Onuki, Hiroshi; Stöttinger, Marc

doi:10.1109/fdtc51366.2020.00015

Cited by 10 publications

(12 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Prior works investigating fault attacks on isogeny-based cryptography mostly target specific variants or implementations of schemes and are different from our approach. Loop-abort faults on the SIDH cryptosystem [25], discussed for CSIDH in [10], lead to leakage of an intermediate value of the computation rather than the final result. Replacing torsion points with other points in SIDH [36,37] can be used to recover the secret keys; faulting intermediate curves in SIDH [2] to learn if secret isogeny paths lead over subfield curves can also leak information on secret keys.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Disorientation Faults in CSIDH

Banegas

Krämer

Lange

et al. 2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We investigate a new class of fault-injection attacks against the CSIDH family of cryptographic group actions. Our disorientation attacks effectively flip the direction of some isogeny steps. We achieve this by faulting a specific subroutine, connected to the Legendre symbol or Elligator computations performed during the evaluation of the group action. These subroutines are present in almost all known CSIDH implementations. Post-processing a set of faulty samples allows us to infer constraints on the secret key. The details are implementation specific, but we show that in many cases, it is possible to recover the full secret key with only a modest number of successful fault injections and modest computational resources. We provide full details for attacking the original CSIDH proof-of-concept software as well as the CTIDH constant-time * Author list in alphabetical order; see https://ams.org/profession/leaders/ CultureStatement04.pdf.

show abstract

Section: Related Workmentioning

confidence: 99%

“…One can modify memory locations and observe if this changes the resulting shared secret [11]. A different attack avenue is to target fault injections against dummy computations in CSIDH [10,28]. We emphasize that these are attacks against specific implementations and variants of CSIDH.…”

Section: Related Workmentioning

confidence: 99%

Disorientation Faults in CSIDH

Banegas

Krämer

Lange

et al. 2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Further, to defend the attacker who performs one fault injection, we can simply compute the above points twice and check whether the two results are the same. This countermeasure is also adapted in the CSIDH with dummy-operations against fault injection attacks [22].…”

Section: Proof Note That the T-th Iteration The Three-point Ladder Co...mentioning

confidence: 99%

Faster Key Generation of Supersingular Isogeny Diffie-Hellman

Lin

Zhang

Zhao

2022

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

Supersingular isogeny Diffie-Hellman (SIDH) is attractive for its relatively small public key size, but it is still unsatisfactory due to its efficiency, compared to other post-quantum proposals. In this paper, we focus on the performance of SIDH when the starting curve is E 6 : y 2 = x 3 + 6x 2 + x, which is fixed in Round-3 SIKE implementation. Inspired by previous works [1], [2], we present several tricks to accelerate key generation of SIDH and each process of SIKE. Our experimental results show that the performance of this work is at least 6.09% faster than that of the SIKE implementation, and we can further improve the performance when large storage is available.

show abstract

“…Fault-injection attacks on constant-time CSIDH implementations are discussed in [11,8]. Dummy operations are dangerous in this context: a "safe-error attack" faults an operation and, if the output is unchanged, concludes that the operation was a dummy operation.…”

Section: A Dummy-free Algorithmsmentioning

confidence: 99%

“…For example, the constant-time differential addition chains in our software involve dummy differential additions; it should be possible to avoid these by precomputing chains of the same length for all of the primes in a batch. As another example, the Matryoshka-doll structure involves dummy operations, and it would be interesting to explore adaptations of the countermeasures of [8] to this context.…”

Section: A Dummy-free Algorithmsmentioning

confidence: 99%

CTIDH: faster constant-time CSIDH

Banegas

Bernstein

Campos

et al. 2021

TCHES

Self Cite

View full text Add to dashboard Cite

This paper introduces a new key space for CSIDH and a new algorithm for constant-time evaluation of the CSIDH group action. The key space is not useful with previous algorithms, and the algorithm is not useful with previous key spaces, but combining the new key space with the new algorithm produces speed records for constant-time CSIDH. For example, for CSIDH-512 with a 256-bit key space, the best previous constant-time results used 789000 multiplications and more than 200 million Skylake cycles; this paper uses 438006 multiplications and 125.53 million cycles.

show abstract

Trouble at the CSIDH: Protecting CSIDH with Dummy-Operations Against Fault Injection Attacks

Cited by 10 publications

References 17 publications

Disorientation Faults in CSIDH

Disorientation Faults in CSIDH

Faster Key Generation of Supersingular Isogeny Diffie-Hellman

CTIDH: faster constant-time CSIDH

Contact Info

Product

Resources

About