An Analysis of Fault Attacks on CSIDH

Jason LeGrow; Aaron Hutchinson

Paper 2020/1006

An Analysis of Fault Attacks on CSIDH

Jason LeGrow and Aaron Hutchinson

Abstract

CSIDH is an isogeny-based post-quantum key establishment protocol proposed in 2018. In this work, we analyze attacking implementations of CSIDH which use dummy isogeny operations using fault injections from a mathematical perspective. We detail an attack by which the private key can be learned by the attacker up to sign with absolute certainty using $\sum ⌈ \log_{2} (b_{i}) + 1 ⌉$ fault attacks on pairwise distinct group action evaluations under the same private key under ideal conditions using a binary search approach, where $\vec{b}$ is the bound vector defining the keyspace. As a countermeasure to this attack, we propose randomly mixing the real degree $ℓ_{j}$ isogenies together with the dummy ones by means of a binary decision vector. To evaluate the efficacy of this countermeasure, we formulate a probability-based attack on this randomized scheme using a maximum likelihood approach and simulate the attack using 6 bound vectors used in previous CSIDH implementations. We found that the number of attacks required under our model to reach just 1% certainty about the key increased by a factor between 8--12 over the standard approach in the setting of signed private keys and a factor between 28--45 using non-negative private keys, depending on . We derive theoretical upper bounds on the number of attacks required to reach a specified certainty threshold about the key under our model. Based on our data and the minimal additional overhead required, we recommend all future implementations of CSIDH to employ a randomized decision vector approach. Finally since our model assumes fault attacks provide no information on the sign of the key, we use a technique based on Gray codes to optimize the standard meet-in-the-middle attack for learning the sign of the key values once their magnitudes have been learned through fault attacks. We estimate that, on average, this optimized technique uses approximately 88% fewer field-multiplication-equivalent operations over the standard approach.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint. MINOR revision.
Keywords: CSIDH fault attacks isogeny-based cryptography key establishment
Contact author(s): a5hutchinson @ uwaterloo ca
jason legrow @ uwaterloo ca
History: 2020-08-24: revised; 2020-08-22: received; See all versions
Short URL: https://ia.cr/2020/1006
License: CC BY

BibTeX

@misc{cryptoeprint:2020/1006,
      author = {Jason LeGrow and Aaron Hutchinson},
      title = {An Analysis of Fault Attacks on {CSIDH}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/1006},
      year = {2020},
      url = {https://eprint.iacr.org/2020/1006}
}