International Association for Cryptologic Research

International Association
for Cryptologic Research


Disorientation faults in CSIDH

Gustavo Banegas , Inria and Laboratoire d'Informatique de l'Ecole polytechnique, Institut Polytechnique de Paris
Juliane Krämer , University of Regensburg
Tanja Lange , Eindhoven University of Technology and Academia Sinica
Michael Meyer , University of Regensburg
Lorenz Panny , Academia Sinica
Krijn Reijnders , Radboud University
Jana Sotáková , University of Amsterdam and QuSoft
Monika Trimoska , Radboud University
DOI: 10.1007/978-3-031-30589-4_11 (login may be required)
Search ePrint
Search Google
Presentation: Slides
Conference: EUROCRYPT 2023
Abstract: We investigate a new class of fault-injection attacks against the CSIDH family of cryptographic group actions. Our disorientation attacks effectively flip the direction of some isogeny steps. We achieve this by faulting a specific subroutine, connected to the Legendre symbol or Elligator computations performed during the evaluation of the group action. These subroutines are present in almost all known CSIDH implementations. Post-processing a set of faulty samples allows us to infer constraints on the secret key. The details are implementation specific, but we show that in many cases, it is possible to recover the full secret key with only a modest number of successful fault injections and modest computational resources. We provide full details for attacking the original CSIDH proof-of-concept software as well as the CTIDH constant-time implementation. Finally, we present a set of lightweight countermeasures against the attack and discuss their security.
  title={Disorientation faults in CSIDH},
  author={Gustavo Banegas and Juliane Krämer and Tanja Lange and Michael Meyer and Lorenz Panny and Krijn Reijnders and Jana Sotáková and Monika Trimoska},