Safe-Error Attacks on SIKE and CSIDH

  • Conference paper
  • In: Security, Privacy, and Applied Cryptography Engineering (SPACE 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13162)

Abstract

The isogeny-based post-quantum schemes SIKE (NIST PQC round 3 alternate candidate) and CSIDH (Asiacrypt 2018) have so far received little attention with respect to their fault attack resilience. We aim to fill this gap and provide a better understanding of their vulnerability by analyzing their resistance to safe-error attacks. We present four safe-error attacks, two against SIKE and two against a constant-time implementation of CSIDH that uses dummy isogenies. The attacks use targeted bit flips during the respective isogeny-graph traversals. All four attacks lead to full key recovery. Using voltage and clock glitching, we physically carried out two of the attacks, one against each scheme, thus demonstrating that full key recovery is also possible in practice.

Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf.
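The abstract states the principle behind the CSIDH attacks without spelling it out: a constant-time implementation that pads the key-dependent number of isogeny steps with dummy isogenies makes its timing key-independent, but a fault injected into a dummy step leaves the output unchanged while a fault into a real step corrupts the shared secret (note 3 below: "wrong shared secret or an error raised from the algorithm"). Observing which faults are "safe" therefore reveals which steps were dummies, and thus the secret exponents. The following simulation is an added example written for this page, not the authors' attack code from the repository in note 1. It is a deliberate abstraction: the l_i-isogeny step is replaced by multiplication by a public constant modulo a prime (the names `P`, `GENS`, `M`, `START` and all functions are constructed for the example), exponents are restricted to non-negative values, and the round scheduling of a real constant-time CSIDH implementation is not modelled. What it does show faithfully is the attacker's decision procedure, including the point that the real-then-dummy layout of each index lets the exponent be recovered by binary search over fault positions rather than by faulting every step.

```python
"""Toy simulation of a safe-error attack on a constant-time, dummy-operation loop.

Constructed stand-in: an l_i-isogeny step is replaced by multiplication by a
public constant modulo a prime, so the control flow of a dummy-isogeny loop
and the effect of a fault can be run offline. This is not the paper's attack
code and does not model real isogeny arithmetic, negative exponents, or the
round scheduling of a real constant-time CSIDH implementation.
"""

P = 2**61 - 1            # toy "field" modulus (Mersenne prime); stand-in for F_p
GENS = [3, 5, 7, 11]     # one public step per small prime l_i (stand-in for an l_i-isogeny)
M = 5                    # exponent bound: each e_i is in [0, M]
START = 2                # public starting "curve"


def step(state, g):
    """One 'isogeny step' in the toy model: multiply the state by g modulo P."""
    return (state * g) % P


def dummy_isogeny_action(key, fault=None):
    """Constant-time group action in the style of a dummy-isogeny loop.

    For every index i exactly M steps are computed whatever the key: the first
    key[i] results update the state (real steps), the remaining M - key[i]
    results are computed and discarded (dummy steps). Operation count and
    timing are therefore key-independent.

    fault=(i, j) models a transient fault that flips the low bit of the result
    of step j for index i before the implementation decides whether that
    result is kept or discarded.
    """
    state = START
    for i, g in enumerate(GENS):
        for j in range(M):
            r = step(state, g)
            if fault == (i, j):
                r ^= 1                     # injected bit flip on the intermediate
            real = j < key[i]              # a real implementation uses a cmov here
            state = r if real else state   # a dummy result never reaches the output
    return state


def make_fault_oracle(secret_key):
    """Attacker's view of the device: inject a fault at (i, j) and learn only
    whether the output still matches a fault-free run (e.g. the shared secret
    still verifies). The key itself stays hidden inside this closure."""
    clean = dummy_isogeny_action(secret_key)

    def oracle(fault):
        return dummy_isogeny_action(secret_key, fault) == clean

    return oracle


def recover_key(oracle, n_idx=len(GENS), bound=M):
    """Safe-error key recovery.

    A fault in step j of index i is 'safe' (output unchanged) exactly when that
    step was a dummy, i.e. j >= e_i; a fault in a real step corrupts the output.
    Because the steps of one index are real up to e_i and dummy afterwards, the
    safe/unsafe pattern is monotone in j and e_i can be found by binary search
    with about log2(bound + 1) faults instead of bound faults.
    Returns (recovered_key, number_of_faults_used).
    """
    key, faults = [], 0
    for i in range(n_idx):
        lo, hi = 0, bound                  # invariant: e_i in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            faults += 1
            if oracle((i, mid)):           # safe error: step mid is a dummy, so e_i <= mid
                hi = mid
            else:                          # corrupted output: step mid was real, so e_i > mid
                lo = mid + 1
        key.append(lo)
    return key, faults


if __name__ == "__main__":
    secret = [3, 0, 5, 2]                  # constructed secret exponents
    recovered, used = recover_key(make_fault_oracle(secret))
    print(f"secret={secret} recovered={recovered} faults={used}")
```

The oracle is the only thing the attacker needs: one bit per fault, "did the shared secret still come out right". That is why checking the result before output, or failing closed on a wrong secret, does not help against this class of attack (compare reference 8, "Checking before output may not be enough"): the leak is in the absence of an error, not in its presence. The same dummy operations that defeat timing and simple power analysis are the ones the fault exposes, which is the point made in the title of reference 25.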


Notes

  1. https://github.com/Safe-Error-Attacks-on-SIKE-and-CSIDH/SEAoSaC.

  2. https://doi.org/10.6028/NIST.IR.8309.

  3. Wrong shared secret or an error raised from the algorithm.

  4. https://github.com/newaetech/chipwhisperer, commit fa00c1f.

  5. https://developer.arm.com/.

  6. https://github.com/mupq/pqm4, commit 20bcf68.

  7. https://sike.org/#implementation.

References

  1. Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive, p. 291 (2006). http://eprint.iacr.org/2006/291

  2. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive, p. 145 (2006). http://eprint.iacr.org/2006/145

  3. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015

  4. Jao, D., et al.: SIKE. National Institute of Standards and Technology, technical report (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  5. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  6. Peikert, C.: He gives C-sieves on the CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 463–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_16

  7. Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 493–522. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_17

  8. Yen, S.-M., Joye, M.: Checking before output may not be enough against fault-based cryptanalysis. IEEE Trans. Comput. 49(9), 967–970 (2000). https://doi.org/10.1109/12.869328

  9. Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_22

  10. Bettale, L., Montoya, S., Renault, G.: Safe-error analysis of post-quantum cryptography mechanisms - short paper. In: 18th Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2021, Milan, Italy, 17 September 2021, pp. 39–44. IEEE (2021). https://doi.org/10.1109/FDTC53659.2021.00015

  11. Costello, C.: B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 440–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_15

  12. Koziel, B., Azarderakhsh, R., Jao, D.: Side-channel attacks on quantum-resistant supersingular isogeny Diffie-Hellman. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 64–81. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_4

  13. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3

  14. Gélin, A., Wesolowski, B.: Loop-abort faults on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 93–106. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_6

  15. Ti, Y.B.: Fault attack on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 107–122. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_7

  16. Zhang, F., et al.: Side-channel analysis and countermeasure design on ARM-based quantum-resistant SIKE. IEEE Trans. Comput. 69(11), 1681–1693 (2020). https://doi.org/10.1109/TC.2020.3020407

  17. Campos, F., Kannwischer, M.J., Meyer, M., Onuki, H., Stöttinger, M.: Trouble at the CSIDH: protecting CSIDH with dummy-operations against fault injection attacks. In: 17th Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2020, Milan, Italy, 13 September 2020, pp. 57–65. IEEE (2020). https://doi.org/10.1109/FDTC51366.2020.00015

  18. Cervantes-Vázquez, D., Chenu, M., Chi-Domínguez, J.-J., De Feo, L., Rodríguez-Henríquez, F., Smith, B.: Stronger and faster side-channel protections for CSIDH. In: Schwabe, P., Thériault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 173–193. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7_9

  19. LeGrow, J.T., Hutchinson, A.: An analysis of fault attacks on CSIDH. IACR Cryptology ePrint Archive, p. 1006 (2020). https://eprint.iacr.org/2020/1006

  20. Tasso, É., De Feo, L., El Mrabet, N., Pontié, S.: Resistance of isogeny-based cryptographic implementations to a fault attack. In: Bhasin, S., De Santis, F. (eds.) COSADE 2021. LNCS, vol. 12910, pp. 255–276. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-89915-8_12

  21. Meyer, M., Campos, F., Reith, S.: On lions and elligators: an efficient constant-time implementation of CSIDH. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 307–325. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_17

  22. Onuki, H., Aikawa, Y., Yamazaki, T., Takagi, T.: (Short Paper) A faster constant-time algorithm of CSIDH keeping two points. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 23–33. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26834-3_2

  23. Costello, C.: Supersingular isogeny key exchange for beginners. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 21–50. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_2

  24. Faz-Hernández, A., López-Hernández, J.C., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie-Hellman key exchange protocol. IEEE Trans. Comput. 67(11), 1622–1636 (2018). https://doi.org/10.1109/TC.2017.2771535

  25. Yen, S.-M., Kim, S., Lim, S., Moon, S.-J.: A countermeasure against one physical cryptanalysis may benefit another attack. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 414–427. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45861-1_31

  26. Yen, S.-M., Kim, S., Lim, S., Moon, S.-J.: RSA speedup with Chinese remainder theorem immune against hardware fault cryptanalysis. IEEE Trans. Comput. 52(4), 461–472 (2003). https://doi.org/10.1109/TC.2003.1190587

  27. Noack, D., et al.: Industrial use cases and requirements for the deployment of post-quantum cryptography (2020). https://www.quantumrisc.de/results/quantumrisc-wp1-report.pdf

  28. Seo, H., Anastasova, M., Jalali, A., Azarderakhsh, R.: Supersingular Isogeny Key Encapsulation (SIKE) round 2 on ARM cortex-M4. IEEE Trans. Comput. 70(10), 1705–1718 (2021). https://doi.org/10.1109/TC.2020.3023045

  29. Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stoffelen, K.: pqm4: testing and benchmarking NIST PQC on ARM cortex-M4. IACR Cryptology ePrint Archive, p. 844 (2019). https://eprint.iacr.org/2019/844

  30. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

  31. Chávez-Saab, J., Chi-Domínguez, J., Jaques, S., Rodríguez-Henríquez, F.: The SQALE of CSIDH: square-root vélu quantum-resistant isogeny action with low exponents. IACR Cryptology ePrint Archive, p. 1520 (2020). https://eprint.iacr.org/2020/1520

  32. Gierlichs, B., Schmidt, J.-M., Tunstall, M.: Infective computation and dummy rounds: fault protection for block ciphers without check-before-output. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 305–321. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33481-8_17

  33. Blömer, J., da Silva, R.G., Günther, P., Krämer, J., Seifert, J.: A practical second-order fault attack against a real-world pairing implementation. In: Tria, A., Choi, D. (eds.) 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2014, Busan, South Korea, 23 September 2014, pp. 123–136. IEEE Computer Society (2014). https://doi.org/10.1109/FDTC.2014.22

  34. Yuce, B., Ghalaty, N.F., Deshpande, C., Patrick, C., Nazhandali, L., Schaumont, P.: FAME: fault-attack aware microprocessor extensions for hardware fault detection and software fault response. In: Proceedings of the Hardware and Architectural Support for Security and Privacy 2016, HASP@ICSA 2016, Seoul, Republic of Korea, 18 June 2016, pp. 8:1–8:8. ACM (2016). https://doi.org/10.1145/2948618.2948626

  35. Banegas, G., et al.: CTIDH: faster constant-time CSIDH. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(4), 351–387 (2021). https://doi.org/10.46586/tches.v2021.i4.351-387

Acknowledgments

JK acknowledges funding by the Deutsche Forschungsgemeinschaft (DFG) - SFB 1119 - 236615297, and JK and MM acknowledge funding by the German Federal Ministry of Education and Research (BMBF) under the project QuantumRISC.

Author information
Correspondence to Fabio Campos, Juliane Krämer or Marcel Müller.
Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Campos, F., Krämer, J., Müller, M. (2022). Safe-Error Attacks on SIKE and CSIDH. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2021. Lecture Notes in Computer Science, vol 13162. Springer, Cham. https://doi.org/10.1007/978-3-030-95085-9_6

  • DOI: https://doi.org/10.1007/978-3-030-95085-9_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95084-2

  • Online ISBN: 978-3-030-95085-9