Abstract

Once a large-scale quantum computer is realized, the RSA cryptosystems in use today will be broken in polynomial time by quantum algorithms. For this reason, research on post-quantum cryptography, which remains secure even against quantum computers, is under way. Isogeny-based cryptography is one family of post-quantum cryptography; its security rests on the difficulty of finding an isogeny between two given elliptic curves. CSIDH is an isogeny-based scheme whose short public keys make it memory-efficient for key exchange, and it is also expected to serve as a basis for signatures. However, the execution time of CSIDH depends on the secret key, which exposes it to physical attacks known as side-channel attacks. CSIDH has therefore been modified so that its execution time is independent of the secret key. Two such methods exist: the MCR method, which uses dummy isogenies, and the CCCDRS method, which does not. The former is known to be weak against fault injection attacks, a kind of physical (side-channel) attack, whereas the latter resists them. In this study, we propose a fault injection attack against the latter method. By attacking CSIDH with the CCCDRS method, under stronger assumptions than the existing attack methods, we reduce the secret key space from 11^74 to 2^74. Furthermore, by combining the MCR and CCCDRS methods, we propose a variant of CSIDH that runs as fast as CSIDH with the MCR method but achieves a higher security level.
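The following Python script is an added illustration and is not code from the paper. It models the three exponent-handling strategies named in the abstract (original variable-time CSIDH, a dummy-isogeny variant in the style of MCR, and a dummy-free variant in the style of CCCDRS) as simple step counters, using the number of degree-l_i isogeny steps as a proxy for execution time, and it computes the key-space sizes quoted above. The CSIDH-512 parameters (74 primes, exponents in [-5, 5]) are public; the MCR and CCCDRS exponent representations used here are the editor's simplified models of those methods, not the paper's description, and the reduction to 2^74 is modelled only as "two remaining candidates per prime" because the abstract does not say what the attack actually learns.

```python
import math
import random

# Public CSIDH-512 parameters (from the CSIDH specification, not from this paper):
# 74 small odd primes l_i and secret exponents e_i in [-5, 5], i.e. 11 choices each.
NUM_PRIMES = 74
BOUND = 5
M = 2 * BOUND  # isogeny steps per prime in the constant-time models below (assumption)

# Dummy-free exponent set (assumed model of CCCDRS): same parity as M, so 11 values.
EXPONENTS_CCCDRS = list(range(-M, M + 1, 2))


def keyspace_bits(candidates_per_prime):
    """log2 of the number of keys when prime i has candidates_per_prime[i] exponents."""
    return sum(math.log2(c) for c in candidates_per_prime)


def steps_original(key):
    """Variable-time CSIDH: |e_i| real isogenies of degree l_i and nothing else,
    so the step count leaks the key."""
    real = sum(abs(e) for e in key)
    return {"real": real, "dummy": 0, "total": real}


def steps_mcr(key):
    """Simplified MCR-style model (assumption): exponents shifted to [0, M]; e_i real
    isogenies plus M - e_i dummy isogenies, so every prime costs exactly M steps."""
    real = sum(key)
    dummy = sum(M - e for e in key)
    return {"real": real, "dummy": dummy, "total": real + dummy}


def steps_cccdrs(key):
    """Simplified dummy-free model (assumption): e_i in [-M, M] with the parity of M;
    (M + e_i)/2 steps in the positive direction and (M - e_i)/2 in the negative
    direction, no dummies, so again exactly M steps per prime."""
    pos = sum((M + e) // 2 for e in key)
    neg = sum((M - e) // 2 for e in key)
    return {"real": pos + neg, "dummy": 0, "total": pos + neg}


def sample_original(rng):
    return [rng.randint(-BOUND, BOUND) for _ in range(NUM_PRIMES)]


def sample_mcr(rng):
    return [rng.randint(0, M) for _ in range(NUM_PRIMES)]


def sample_cccdrs(rng):
    return [rng.choice(EXPONENTS_CCCDRS) for _ in range(NUM_PRIMES)]


def timing_is_key_dependent(step_fn, sample_fn, trials=50, seed=1):
    """True if the step count (the timing proxy) differs across random keys."""
    rng = random.Random(seed)
    totals = {step_fn(sample_fn(rng))["total"] for _ in range(trials)}
    return len(totals) > 1


if __name__ == "__main__":
    print("key space, 11 candidates per prime: 2^%.1f" % keyspace_bits([11] * NUM_PRIMES))
    print("key space, 2 candidates per prime:  2^%.1f" % keyspace_bits([2] * NUM_PRIMES))
    for name, step_fn, sample_fn in [
        ("original", steps_original, sample_original),
        ("MCR-style", steps_mcr, sample_mcr),
        ("CCCDRS-style", steps_cccdrs, sample_cccdrs),
    ]:
        print(name, "timing depends on key:", timing_is_key_dependent(step_fn, sample_fn))
```

Running the script shows that the original loop's step count varies with the key while both constant-time models always perform 740 steps; the difference between them is that the MCR-style model pads with dummy steps (the operations a fault attacker can target) whereas the dummy-free model hides the key only in the direction of each step.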
