Paper 2022/1202
Disorientation faults in CSIDH
Abstract
We investigate a new class of fault-injection attacks against the CSIDH family of cryptographic group actions. Our disorientation attacks effectively flip the direction of some isogeny steps. We achieve this by faulting a specific subroutine, connected to the Legendre symbol or Elligator computations performed during the evaluation of the group action. These subroutines are present in almost all known CSIDH implementations. Post-processing a set of faulty samples allows us to infer constraints on the secret key. The details are implementation specific, but we show that in many cases, it is possible to recover the full secret key with only a modest number of successful fault injections and modest computational resources. We provide full details for attacking the original CSIDH proof-of-concept software as well as the CTIDH constant-time implementation. Finally, we present a set of lightweight countermeasures against the attack and discuss their security.
Metadata
- Available format(s)
-
PDF
- Category
- Public-key cryptography
- Publication info
- A minor revision of an IACR publication in EUROCRYPT 2023
- Keywords
- Fault-injection attackisogenies of elliptic curvespost-quantum cryptography
- Contact author(s)
-
gustavo @ cryptme in
juliane kraemer @ ur de
tanja @ hyperelliptic org
michael @ random-oracles org
lorenz @ yx7 cc
krijn @ cs ru nl
j s sotakova @ uva nl
monika trimoska @ ru nl - History
- 2023-03-15: revised
- 2022-09-12: received
- See all versions
- Short URL
- https://ia.cr/2022/1202
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/1202,
author = {Gustavo Banegas and Juliane Krämer and Tanja Lange and Michael Meyer and Lorenz Panny and Krijn Reijnders and Jana Sotáková and Monika Trimoska},
title = {Disorientation faults in {CSIDH}},
howpublished = {Cryptology {ePrint} Archive, Paper 2022/1202},
year = {2022},
url = {https://eprint.iacr.org/2022/1202}
}
