Paper 2022/904

Patient Zero and Patient Six: Zero-Value and Correlation Attacks on CSIDH and SIKE

Fabio Campos, RheinMain University of Applied Sciences Wiesbaden, Radboud University Nijmegen
Michael Meyer, University of Regensburg
Krijn Reijnders, Radboud University Nijmegen
Marc Stöttinger, RheinMain University of Applied Sciences Wiesbaden

Recent works have started side-channel analysis on SIKE and show the vulnerability of isogeny-based systems to zero-value attacks. In this work, we expand on such attacks by analyzing the behavior of the zero curve $E_0$ and six curve $E_6$ in CSIDH and SIKE. We demonstrate an attack on static-key CSIDH and SIKE implementations that recovers bits of the secret key by observing, via zero-value-based or correlation-collision-based side-channel analysis respectively, whether secret isogeny walks pass over the zero or six curve. We apply this attack to fully recover secret keys of SIKE and two state-of-the-art CSIDH-based implementations: CTIDH and SQALE. We show the feasibility of exploiting side-channel information for the proposed attacks based on simulations with various realistic noise levels. Additionally, we discuss countermeasures to prevent zero-value and correlation-collision attacks against CSIDH and SIKE in our attacker model.

Category
Public-key cryptography
Publication info
Published elsewhere. Minor revision. SAC 2022
Keywords
post-quantum cryptography, isogeny-based cryptography, CSIDH, SIKE, side-channel analysis, zero-value attacks
Contact author(s)
campos @ sopmac de
michael @ random-oracles org
krijn @ cs ru nl
marc stoettinger @ hs-rm de
2023-10-20: revised
2022-07-12: received
No rights reserved


      author = {Fabio Campos and Michael Meyer and Krijn Reijnders and Marc Stöttinger},
      title = {Patient Zero and Patient Six: Zero-Value and Correlation Attacks on {CSIDH} and {SIKE}},
      howpublished = {Cryptology ePrint Archive, Paper 2022/904},
      year = {2022},
      note = {\url{}},
      url = {}