Paper 2022/904
Patient Zero and Patient Six: Zero-Value and Correlation Attacks on CSIDH and SIKE
Abstract
Recent works have begun side-channel analysis of SIKE and have shown that isogeny-based systems are vulnerable to zero-value attacks. In this work, we expand on such attacks by analyzing the behavior of the zero curve $E_0$ and six curve $E_6$ in CSIDH and SIKE. We demonstrate an attack on static-key CSIDH and SIKE implementations that recovers bits of the secret key by using zero-value-based and correlation-collision-based side-channel analysis, respectively, to observe whether secret isogeny walks pass over the zero or the six curve. We apply this attack to fully recover secret keys of SIKE and two state-of-the-art CSIDH-based implementations: CTIDH and SQALE. We show the feasibility of exploiting side-channel information for the proposed attacks based on simulations with various realistic noise levels. Additionally, we discuss countermeasures to prevent zero-value and correlation-collision attacks against CSIDH and SIKE in our attacker model.
Metadata
- Category
- Public-key cryptography
- Publication info
- Published elsewhere. Minor revision. SAC 2022
- Keywords
- post-quantum cryptography, isogeny-based cryptography, CSIDH, SIKE, side-channel analysis, zero-value attacks
- Contact author(s)
- campos @ sopmac de
- michael @ random-oracles org
- krijn @ cs ru nl
- marc stoettinger @ hs-rm de
- History
- 2023-10-20: revised
- 2022-07-12: received
- Short URL
- https://ia.cr/2022/904
- License
- CC0
BibTeX
@misc{cryptoeprint:2022/904,
  author = {Fabio Campos and Michael Meyer and Krijn Reijnders and Marc Stöttinger},
  title = {Patient Zero and Patient Six: Zero-Value and Correlation Attacks on {CSIDH} and {SIKE}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2022/904},
  year = {2022},
  url = {https://eprint.iacr.org/2022/904}
}