On Lions and Elligators: An Efficient Constant-Time Implementation of CSIDH

“…This allows them to avoid timing attacks, while keeping the same primes and exponent range [−5, 5] as in the original CSIDH algorithm. Their algorithm also employs dummy isogenies to mitigate some power analysis attacks, as in [21]. With these improvements, they achieve a speed-up of 27.35% compared to [21].…”

“…This is a major departure from [3], where all precomputed values of u are tried for each isogeny computation, and the algorithm succeeds if at least one passes the test. And indeed the implementation of [21] leaks information on the secret via the timing channel: 7 since Elligator uses no randomness for u, its output only depends on the A-coefficient of the current curve, which itself depends on the secret key; but the running time of the algorithm varies and, not being correlated to u, it is necessarily correlated to A and thus to the secret.…”

“…In this work we take a new look at side-channel protected implementations of CSIDH. We start by reviewing the implementations in [21] and [26]. We highlight a flaw that makes their constant-time claims disputable, and propose a fix for it.…”

“…Then, we introduce new optimizations to make both [21] and [26] faster: we improve isogeny formulas for the model, and we introduce the use of optimal addition chains in the scalar multiplications. With these improvements, we obtain a version of CSIDH protected against timing and some simple power analysis (SPA) attacks that is 39% more efficient than [21].…”

“…In §2 we briefly recall ideas, algorithms and parameters from CSIDH [6]. In §3 we highlight a shortcoming in [21] and [26] and propose a way to fix it. In §4 we introduce new optimizations compatible with all previous versions of CSIDH.…”

Stronger and Faster Side-Channel Protections for CSIDH

“…This allows them to avoid timing attacks, while keeping the same primes and exponent range [−5, 5] as in the original CSIDH algorithm. Their algorithm also employs dummy isogenies to mitigate some power analysis attacks, as in [21]. With these improvements, they achieve a speed-up of 27.35% compared to [21].…”

“…This is a major departure from [3], where all precomputed values of u are tried for each isogeny computation, and the algorithm succeeds if at least one passes the test. And indeed the implementation of [21] leaks information on the secret via the timing channel: 7 since Elligator uses no randomness for u, its output only depends on the A-coefficient of the current curve, which itself depends on the secret key; but the running time of the algorithm varies and, not being correlated to u, it is necessarily correlated to A and thus to the secret.…”

“…In this work we take a new look at side-channel protected implementations of CSIDH. We start by reviewing the implementations in [21] and [26]. We highlight a flaw that makes their constant-time claims disputable, and propose a fix for it.…”

“…Then, we introduce new optimizations to make both [21] and [26] faster: we improve isogeny formulas for the model, and we introduce the use of optimal addition chains in the scalar multiplications. With these improvements, we obtain a version of CSIDH protected against timing and some simple power analysis (SPA) attacks that is 39% more efficient than [21].…”

“…In §2 we briefly recall ideas, algorithms and parameters from CSIDH [6]. In §3 we highlight a shortcoming in [21] and [26] and propose a way to fix it. In §4 we introduce new optimizations compatible with all previous versions of CSIDH.…”

Stronger and Faster Side-Channel Protections for CSIDH

How to Construct CSIDH on Edwards Curves

Group Key Exchange from CSIDH and Its Application to Trusted Setup in Supersingular Isogeny Cryptosystems