Loop-abort faults on
supersingular isogeny cryptosystems
Alexandre Gélin
Benjamin Wesolowski
Laboratoire d’Informatique de Paris 6 – Sorbonne Universités UPMC, France
École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Switzerland
PQCrypto 2017 – Utrecht
2017/06/26
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Supersingular-Isogeny Public-key Cryptography
Introduced by Jao, De Feo, and Plût in 2011
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Supersingular-Isogeny Public-key Cryptography
Introduced by Jao, De Feo, and Plût in 2011
Based on the same problem as the hash function of [CLG06]
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Supersingular-Isogeny Public-key Cryptography
Introduced by Jao, De Feo, and Plût in 2011
Based on the same problem as the hash function of [CLG06]
The isogeny graph of a supersingular elliptic curve:
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Supersingular-Isogeny Public-key Cryptography
Introduced by Jao, De Feo, and Plût in 2011
Based on the same problem as the hash function of [CLG06]
The isogeny graph of a supersingular elliptic curve:
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Supersingular elliptic curves
Definition
A supersingular elliptic curve is a curve E defined over Fpk such that
³ ´
#E Fpk = 1 mod p.
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Supersingular elliptic curves
Definition
A supersingular elliptic curve is a curve E defined over Fpk such that
³ ´
#E Fpk = 1 mod p.
Interesting properties:
All supersingular elliptic curves can be defined over Fp2
About
p
12
supersingular elliptic curves, up to isomorphism
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Isogenies
Definition
An isogeny φ between two elliptic curves E1 and E2 is a surjective group homomorphism
with a finite kernel. The degree is defined by
deg φ = #Ker φ.
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Isogenies
Definition
An isogeny φ between two elliptic curves E1 and E2 is a surjective group homomorphism
with a finite kernel. The degree is defined by
deg φ = #Ker φ.
Interesting properties:
G ⊂ E1 =⇒ a unique E2 and φ such that
φ : E1 → E2
and Ker φ = G
¡
¢
E2 = E/G is obtained in O deg φ
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Key-Exchange Protocol
A prime p such that p + 1 = `nA `m
B
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Key-Exchange Protocol
A prime p such that p + 1 = `nA `m
B
A supersingular elliptic curve E with `nA `m
B points
E
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Key-Exchange Protocol
A prime p such that p + 1 = `nA `m
B
A supersingular elliptic curve E with `nA `m
B points
A point RA chosen randomly in E `nA
£
E
¤
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Key-Exchange Protocol
A prime p such that p + 1 = `nA `m
B
A supersingular elliptic curve E with `nA `m
B points
A point RA chosen randomly in E `nA
£
E
¤
−→ (mA , nA ) ∈ {1, . . . , `nA }2 random,
£ ¤
RA = mA PA + nA QA for 〈PA , QA 〉 = E `nA
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Key-Exchange Protocol
A prime p such that p + 1 = `nA `m
B
A supersingular elliptic curve E with `nA `m
B points
A point RA chosen randomly in E `nA
£
E
¤
φA
−→ (mA , nA ) ∈ {1, . . . , `nA }2 random,
£ ¤
RA = mA PA + nA QA for 〈PA , QA 〉 = E `nA
=⇒ the curve EA = E/〈RA 〉 and φA : E → EA
Alexandre Gélin, Benjamin Wesolowski
EA
Loop-abort faults on supersingular isogeny cryptosystems
Key-Exchange Protocol
A prime p such that p + 1 = `nA `m
B
A supersingular elliptic curve E with `nA `m
B points
A point RA chosen randomly in E `nA
£
E
¤
φA
−→ (mA , nA ) ∈ {1, . . . , `nA }2 random,
£ ¤
RA = mA PA + nA QA for 〈PA , QA 〉 = E `nA
=⇒ the curve EA = E/〈RA 〉 and φA : E → EA
EA
A point RB = mB PB + nB QB random in E `m
B = 〈PB , QB 〉,
the curve EB = E/〈RB 〉 and φB : E → EB
£
Alexandre Gélin, Benjamin Wesolowski
¤
Loop-abort faults on supersingular isogeny cryptosystems
φB
EB
Key-Exchange Protocol
Bob sends EB , φB (PA ), φB (QA )
where 〈φB (PA ), φB (QA )〉 = EB [`nA ]
¡
¢
E
φA
EA
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
φB
EB
Key-Exchange Protocol
Bob sends EB , φB (PA ), φB (QA )
where 〈φB (PA ), φB (QA )〉 = EB [`nA ]
¡
¢
E
φA
φB
Alice computes EAB = EB /〈mA φB (PA ) + nA φB (QA )〉
EA
EB
EAB
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Key-Exchange Protocol
Bob sends EB , φB (PA ), φB (QA )
where 〈φB (PA ), φB (QA )〉 = EB [`nA ]
¡
¢
E
φA
φB
Alice computes EAB = EB /〈mA φB (PA ) + nA φB (QA )〉
Bob computes EBA = EA /〈mB φA (PB ) + nB φA (QB )〉
EA
EB
EAB
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Key-Exchange Protocol
Bob sends EB , φB (PA ), φB (QA )
where 〈φB (PA ), φB (QA )〉 = EB [`nA ]
¡
¢
E
φA
φB
Alice computes EAB = EB /〈mA φB (PA ) + nA φB (QA )〉
Bob computes EBA = EA /〈mB φA (PB ) + nB φA (QB )〉
EA
EB
EAB ' E/〈RA , RB 〉 ' EBA so j(EAB ) = j(EBA )
EAB
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Key-Exchange Protocol
Bob sends EB , φB (PA ), φB (QA )
where 〈φB (PA ), φB (QA )〉 = EB [`nA ]
¡
¢
E
φA
φB
Alice computes EAB = EB /〈mA φB (PA ) + nA φB (QA )〉
Bob computes EBA = EA /〈mB φA (PB ) + nB φA (QB )〉
EA
EB
EAB ' E/〈RA , RB 〉 ' EBA so j(EAB ) = j(EBA )
=⇒ j(EAB ) secret shared by Alice and Bob
Alexandre Gélin, Benjamin Wesolowski
,
EAB
Loop-abort faults on supersingular isogeny cryptosystems
Position of the problem
Path-finding problem
Given two isogenous curves E1 and E2 , find an isogeny between them of degree `nA .
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Position of the problem
Path-finding problem
Given two isogenous curves E1 and E2 , find an isogeny between them of degree `nA .
Equivalent to find a path of fixed length in the isogeny graph
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Position of the problem
Path-finding problem
Given two isogenous curves E1 and E2 , find an isogeny between them of degree `nA .
Equivalent to find a path of fixed length in the isogeny graph
Brute-force attack in O `nA ≈ O
¡
¢
¡p ¢
p
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Position of the problem
Path-finding problem
Given two isogenous curves E1 and E2 , find an isogeny between them of degree `nA .
Equivalent to find a path of fixed length in the isogeny graph
Brute-force attack in O `nA ≈ O
¡
¢
¡p ¢
p
³
n
´
Claw finding: Find a collision in O `A2 ≈ O
Alexandre Gélin, Benjamin Wesolowski
¡p ¢
4
p
Loop-abort faults on supersingular isogeny cryptosystems
Attack framework
Alice uses a static private key (mA , nA )
E
φA
φB
EA
EB
EAB
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Attack framework
Alice uses a static private key (mA , nA )
=⇒ EA and φA can be precomputed
E
φA
φB
EA
EB
EAB
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Attack framework
Alice uses a static private key (mA , nA )
=⇒ EA and φA can be precomputed
E
φA
The attacker plays the role of Bob
φB
EA
EB
EAB
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Attack framework
Alice uses a static private key (mA , nA )
=⇒ EA and φA can be precomputed
E
φA
The attacker plays the role of Bob
Focus on the isogeny from EB to EB /〈mA PA0 + nA QA0 〉,
φB
EA
EB
where PA0 = φB (PA ) and QA0 = φB (QA )
EAB
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Attack framework
Alice uses a static private key (mA , nA )
=⇒ EA and φA can be precomputed
E
φA
The attacker plays the role of Bob
Focus on the isogeny from EB to EB /〈mA PA0 + nA QA0 〉,
φB
EA
EB
where PA0 = φB (PA ) and QA0 = φB (QA )
Previous active attack [GPST16]:
e A ) instead of (P 0 , Q0 )
eA , Q
Idea: Provide dishonest points (P
A
A
Alexandre Gélin, Benjamin Wesolowski
EAB
Loop-abort faults on supersingular isogeny cryptosystems
Attack framework
Alice uses a static private key (mA , nA )
=⇒ EA and φA can be precomputed
E
φA
The attacker plays the role of Bob
Focus on the isogeny from EB to EB /〈mA PA0 + nA QA0 〉,
φB
EA
EB
where PA0 = φB (PA ) and QA0 = φB (QA )
Previous active attack [GPST16]:
e A ) instead of (P 0 , Q0 )
eA , Q
Idea: Provide dishonest points (P
A
A
EAB
Countermeasure: Validation method verifies the correctness
of the inputs (Fujisaki-Okamoto transform)
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
How is computed the isogeny ?
Degree `nA : Vélu’s formulae ⇒ O `nA
¡
¢
Alexandre Gélin, Benjamin Wesolowski
/
Loop-abort faults on supersingular isogeny cryptosystems
How is computed the isogeny ?
Degree `nA : Vélu’s formulae ⇒ O `nA
¡
/
¢
Decompose and iterate ⇒ n · O (`A )
EB
=
E0
→
E1
→
···
,
→
En−1
→
En
=
EAB
where each → is a degree-`A isogeny
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
How is computed the isogeny ?
Degree `nA : Vélu’s formulae ⇒ O `nA
¡
/
¢
Decompose and iterate ⇒ n · O (`A )
EB
=
E0
→
E1
→
···
,
→
En−1
→
En
=
EAB
where each → is a degree-`A isogeny
R0 = mA PA0 + nA QA0 and for 1 ≤ k ≤ n − 1,
Ek+1 = Ek /〈`n−k−1
Rk 〉
A
φk+1 : Ek → Ek+1
Alexandre Gélin, Benjamin Wesolowski
Rk+1 = φk+1 (Rk )
Loop-abort faults on supersingular isogeny cryptosystems
How is computed the isogeny ?
Degree `nA : Vélu’s formulae ⇒ O `nA
¡
/
¢
Decompose and iterate ⇒ n · O (`A )
EB
=
E0
→
E1
→
···
,
→
En−1
→
En
=
EAB
where each → is a degree-`A isogeny
R0 = mA PA0 + nA QA0 and for 1 ≤ k ≤ n − 1,
Ek+1 = Ek /〈`n−k−1
Rk 〉
A
φk+1 : Ek → Ek+1
Rk+1 = φk+1 (Rk )
En = EAB = EB /〈R0 〉 and φ = φn ◦ · · · ◦ φ1
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Loop-abort fault attacks
Introduced for pairing-based cryptography
Used recently in the context of lattice-based signature schemes
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Loop-abort fault attacks
Introduced for pairing-based cryptography
Used recently in the context of lattice-based signature schemes
Inject a fault that induces an early-abort in the loop
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Loop-abort fault attacks
Introduced for pairing-based cryptography
Used recently in the context of lattice-based signature schemes
Inject a fault that induces an early-abort in the loop
Proven feasible in practice [Blömer et al.]
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Loop-abort fault attacks
Introduced for pairing-based cryptography
Used recently in the context of lattice-based signature schemes
Inject a fault that induces an early-abort in the loop
Proven feasible in practice [Blömer et al.]
Implementations of SIDH on embedded devices already exist
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Need an oracle to compare Alice’s outputs with what the attacker computes
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Need an oracle to compare Alice’s outputs with what the attacker computes
After k iterations, Alice has computed the intermediate curve
Ek = EB /〈2n−k (mA PA0 + nA QA0 )〉
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Need an oracle to compare Alice’s outputs with what the attacker computes
After k iterations, Alice has computed the intermediate curve
Ek = EB /〈2n−k (mA PA0 + nA QA0 )〉
Guess strategy: first step, k = 1
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Need an oracle to compare Alice’s outputs with what the attacker computes
After k iterations, Alice has computed the intermediate curve
Ek = EB /〈2n−k (mA PA0 + nA QA0 )〉
Guess strategy: first step, k = 1
if ma is even, then Ker φ1 = 〈2n−1 QA0 〉
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Need an oracle to compare Alice’s outputs with what the attacker computes
After k iterations, Alice has computed the intermediate curve
Ek = EB /〈2n−k (mA PA0 + nA QA0 )〉
Guess strategy: first step, k = 1
if ma is even, then Ker φ1 = 〈2n−1 QA0 〉
if na is even, then Ker φ1 = 〈2n−1 PA0 〉
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Need an oracle to compare Alice’s outputs with what the attacker computes
After k iterations, Alice has computed the intermediate curve
Ek = EB /〈2n−k (mA PA0 + nA QA0 )〉
Guess strategy: first step, k = 1
if ma is even, then Ker φ1 = 〈2n−1 QA0 〉
if na is even, then Ker φ1 = 〈2n−1 PA0 〉
if both are odd, then Ker φ1 = 〈2n−1 (PA0 + QA0 )〉
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Need an oracle to compare Alice’s outputs with what the attacker computes
After k iterations, Alice has computed the intermediate curve
Ek = EB /〈2n−k (mA PA0 + nA QA0 )〉
Guess strategy: first step, k = 1
if ma is even, then Ker φ1 = 〈2n−1 QA0 〉
=⇒ (mA , nA ) equivalent to (a, 1) for a =
mA
nA
and a even
if na is even, then Ker φ1 = 〈2n−1 PA0 〉
if both are odd, then Ker φ1 = 〈2n−1 (PA0 + QA0 )〉
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Need an oracle to compare Alice’s outputs with what the attacker computes
After k iterations, Alice has computed the intermediate curve
Ek = EB /〈2n−k (mA PA0 + nA QA0 )〉
Guess strategy: first step, k = 1
if ma is even, then Ker φ1 = 〈2n−1 QA0 〉
=⇒ (mA , nA ) equivalent to (a, 1) for a =
mA
nA
and a even
nA
mA
and a even
if na is even, then Ker φ1 = 〈2n−1 PA0 〉
=⇒ (mA , nA ) equivalent to (1, a) for a =
if both are odd, then Ker φ1 = 〈2n−1 (PA0 + QA0 )〉
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Need an oracle to compare Alice’s outputs with what the attacker computes
After k iterations, Alice has computed the intermediate curve
Ek = EB /〈2n−k (mA PA0 + nA QA0 )〉
Guess strategy: first step, k = 1
if ma is even, then Ker φ1 = 〈2n−1 QA0 〉
=⇒ (mA , nA ) equivalent to (a, 1) for a =
mA
nA
and a even
nA
mA
and a even
if na is even, then Ker φ1 = 〈2n−1 PA0 〉
=⇒ (mA , nA ) equivalent to (1, a) for a =
if both are odd, then Ker φ1 = 〈2n−1 (PA0 + QA0 )〉
=⇒ (mA , nA ) equivalent to (1, a) for a =
Alexandre Gélin, Benjamin Wesolowski
nA
mA
and a odd
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Subsequent steps: we assume the key of the form (1, a)
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Subsequent steps: we assume the key of the form (1, a)
We know the k − 1 least significant bits
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Subsequent steps: we assume the key of the form (1, a)
We know the k − 1 least significant bits
The k-th bit is either 0 or 1, i.e.,
Ek = EB
´E
± D n−k ³ 0
2
PA + (a mod 2k−1 )QA0
or Ek = EB
Alexandre Gélin, Benjamin Wesolowski
±D
´E
³
2n−k PA0 + (a mod 2k−1 + 2k−1 )QA0
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Subsequent steps: we assume the key of the form (1, a)
We know the k − 1 least significant bits
The k-th bit is either 0 or 1, i.e.,
Ek = EB
´E
± D n−k ³ 0
2
PA + (a mod 2k−1 )QA0
or Ek = EB
±D
´E
³
2n−k PA0 + (a mod 2k−1 + 2k−1 )QA0
Make a guess and recover the k-th bit of a
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
`A = 2
The attack
Subsequent steps: we assume the key of the form (1, a)
We know the k − 1 least significant bits
The k-th bit is either 0 or 1, i.e.,
Ek = EB
´E
± D n−k ³ 0
2
PA + (a mod 2k−1 )QA0
or Ek = EB
±D
´E
³
2n−k PA0 + (a mod 2k−1 + 2k−1 )QA0
Make a guess and recover the k-th bit of a
Conclusion: full-key recovery by iterating this process
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Analysis
n bits recovered in n interactions with the victim =⇒ n faults injected
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Analysis
n bits recovered in n interactions with the victim =⇒ n faults injected
if the success probability µ of the fault injection is not 1,
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Analysis
n bits recovered in n interactions with the victim =⇒ n faults injected
if the success probability µ of the fault injection is not 1,
about
n
µ
faults injected if the success can be detected
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Analysis
n bits recovered in n interactions with the victim =⇒ n faults injected
if the success probability µ of the fault injection is not 1,
about
n
µ
about
2n
µ
faults injected if the success can be detected
otherwise
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Analysis
n bits recovered in n interactions with the victim =⇒ n faults injected
if the success probability µ of the fault injection is not 1,
about
n
µ
about
2n
µ
faults injected if the success can be detected
otherwise
Alternative with less faults assuming a stronger oracle
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems
Thanks
Bedankt
Alexandre Gélin, Benjamin Wesolowski
Loop-abort faults on supersingular isogeny cryptosystems