On Secure Implementations of Quantum-Resistant Supersingular Isogeny Diffie-Hellman

Title: On Secure Implementations of Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Koziel, B., Azarderakhsh, R., Jao, D.
Conference Name: 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
Keywords: ALU, cryptographic protocols, cryptography, Differential Power Analysis, double-point multiplication, ECDH key exchange, Electronic mail, elliptic curve Diffie-Hellman key exchange, elliptic curve isomorphism, elliptic curve theory, Elliptic curves, Fault Attacks, Fermat little theorem inversion, Hardware, hardware architectures, isogeny-based cryptography, oracle attacks, Post-quantum cryptography, Protocols, public key cryptography, quantum computing, quantum-resistant SIDH protocol, quantum-resistant supersingular isogeny Diffie-Hellman protocol, random number generation, resilience, Resiliency, Scalability, secret kernel point, secret scalars, side-channel analysis, signature based defense, simple power analysis, Timing, timing attacks, true random number generator
Abstract: In this work, we analyze the feasibility of a physically secure implementation of the quantum-resistant supersingular isogeny Diffie-Hellman (SIDH) protocol. Notably, we analyze the defenses against timing attacks, simple power analysis, differential power analysis, and fault attacks. Luckily, the SIDH protocol closely resembles its predecessor, the elliptic curve Diffie-Hellman (ECDH) key exchange. As such, much of the extensive literature on side-channel analysis also applies to SIDH. In particular, we focus on a hardware implementation that features a true random number generator, an ALU, and a controller. SIDH is composed of two rounds, each containing a double-point multiplication to generate a secret kernel point and an isogeny over that kernel to arrive at a new elliptic curve isomorphism. To protect against simple power analysis and timing attacks, we recommend a constant-time implementation with Fermat's little theorem inversion. Differential power analysis targets the power output of the SIDH core over many runs. As such, we recommend scaling the base points by secret scalars so that each iteration has a unique power signature. Further, based on recent oracle attacks on SIDH, we cannot recommend the use of static keys from both parties. The goal of this paper is to analyze the tradeoffs in elliptic curve theory to produce a cryptographically and physically secure implementation of SIDH.
Citation Key: koziel_secure_2017
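The abstract names two concrete countermeasures for the scalar-multiplication half of SIDH: a constant-time implementation that inverts with Fermat's little theorem (a^(p-2) mod p) instead of a data-dependent Euclidean loop, and scaling the base points by secret scalars so that no two runs present the same intermediate values to a DPA attacker. The following Python example is added here to make both concrete; it is not the paper's code or hardware design. It assumes a toy SIDH-shaped prime p = 2^4 * 3^3 - 1 = 431 and the supersingular Montgomery curve y^2 = x^3 + x (A = 0), neither of which is a real SIDH parameter, and it reads "scaling the base points by secret scalars" as randomising the projective representation (X:Z) -> (lambda*X : lambda*Z) with a fresh random lambda per run, which is my interpretation rather than a detail the abstract states. Python big-integer arithmetic is not constant-time, so what the code demonstrates is the fixed operation sequence (the property the paper's ALU/controller would need), not actual leakage-freedom.

```python
"""Constructed toy illustration (not the paper's code) of two countermeasures
named in the abstract, over a small SIDH-shaped prime:
  - constant-time Fermat inversion a^(p-2) mod p with a fixed multiply count,
  - an x-only Montgomery ladder whose base point is blinded by a random
    projective scaling (X:Z) -> (lam*X : lam*Z) before each run.
Python integers are not constant-time; this shows the fixed operation
*sequence* a hardware ALU/controller would execute, not leakage-freedom."""
import secrets

P = 431    # 2^4 * 3^3 - 1, a toy SIDH-shaped prime (assumption: far too small)
A = 0      # Montgomery curve y^2 = x^3 + A x^2 + x; A = 0 is supersingular here
A24 = ((A + 2) * pow(4, P - 2, P)) % P   # (A+2)/4 mod p, used by xdbl


def fermat_inverse(a, p):
    """Return (a^-1 mod p, field multiplications used). Square-and-multiply
    over every bit position of p with a branch-free select, so the multiply
    count and access pattern depend only on p, never on the secret a."""
    e, r, muls = p - 2, 1, 0
    for i in range(p.bit_length() - 1, -1, -1):
        r = r * r % p
        t = r * a % p
        muls += 2
        bit = (e >> i) & 1
        r = (t * bit + r * (1 - bit)) % p   # arithmetic select instead of if
    return r, muls


def euclid_inverse(a, p):
    """Extended Euclid for contrast: the loop count depends on a itself."""
    r0, r1, s0, s1, steps = p, a % p, 0, 1, 0
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
        steps += 1
    return s0 % p, steps


def xdbl(X, Z):
    """x-only doubling on the Montgomery curve, projective (X:Z)."""
    t0 = (X + Z) * (X + Z) % P
    t1 = (X - Z) * (X - Z) % P
    t2 = (t0 - t1) % P                       # 4XZ
    return t0 * t1 % P, t2 * (t1 + A24 * t2) % P


def xadd(XP, ZP, XQ, ZQ, XD, ZD):
    """x-only differential addition: x(P+Q) from x(P), x(Q), x(D=P-Q)."""
    u = (XP - ZP) * (XQ + ZQ) % P
    v = (XP + ZP) * (XQ - ZQ) % P
    return ZD * (u + v) ** 2 % P, XD * (u - v) ** 2 % P


def cswap(bit, p0, p1):
    """Branch-free conditional swap of two projective points (bit in {0,1})."""
    mask = -bit                              # 0 or all-ones
    d0 = (p0[0] ^ p1[0]) & mask
    d1 = (p0[1] ^ p1[1]) & mask
    return (p0[0] ^ d0, p0[1] ^ d1), (p1[0] ^ d0, p1[1] ^ d1)


def to_affine(X, Z):
    """Normalise (X:Z) with the constant-time inversion; None for infinity."""
    return None if Z == 0 else X * fermat_inverse(Z, P)[0] % P


def ladder(m, xP, blind=True, nbits=P.bit_length()):
    """Affine x([m]P) by a constant-structure Montgomery ladder over nbits
    scalar bits (m must fit in nbits). With blind=True the base point is
    stored as (lam*xP : lam) for a fresh secret lam, so every run handles
    different intermediate values (my reading of the abstract's 'scaling
    the base points by secret scalars')."""
    lam = secrets.randbelow(P - 1) + 1 if blind else 1
    base = (xP * lam % P, lam)
    r0, r1 = (1, 0), base                    # (O, P); invariant r1 - r0 = P
    for i in range(nbits - 1, -1, -1):
        bit = (m >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = xadd(*r0, *r1, *base)
        r0 = xdbl(*r0)
        r0, r1 = cswap(bit, r0, r1)
    return to_affine(*r0)


def chain_mult(m, xP):
    """Variable-time reference: [k+1]P = [k]P + P with difference [k-1]P.
    Used only to cross-check the ladder; valid while [k-1]P != O."""
    base = (xP, 1)
    if m == 1:
        return xP
    prev, cur = base, xdbl(*base)            # [1]P, [2]P
    for _ in range(m - 2):
        prev, cur = cur, xadd(*cur, *base, *prev)
    return to_affine(*cur)


if __name__ == "__main__":
    for a in (1, 7, 300):
        print("a=%3d  fermat muls=%d  euclid steps=%d" %
              (a, fermat_inverse(a, P)[1], euclid_inverse(a, P)[1]))
    print("x([5]P) unblinded:", ladder(5, 7, blind=False),
          "blinded runs:", [ladder(5, 7) for _ in range(3)])
```

Running it shows the two properties side by side: `fermat_inverse` always performs the same 18 multiplications for this 9-bit prime while `euclid_inverse` takes 1 step for a = 1 and 6 for a = 300, which is exactly the input-dependent timing the abstract warns about; and blinded and unblinded ladders return the same affine x, because the scaling by lambda cancels at normalisation, even though every blinded run computes on different X and Z values. Since the curve has 432 points for every x (on the curve or its twist), scalars that differ by 432 give the same result, which the ladder reproduces when given enough scalar bits.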