(Short Paper) Analysis of a Strong Fault Attack on Static/Ephemeral CSIDH

CSIDH is an isogeny-based post-quantum key establishment protocol proposed in 2018. In this work we analyze attacking implementations of CSIDH which use dummy isogeny operations using fault injections from a mathematical perspective. We detail an attack (implicit in prior works on implementations of CSIDH) by which a static private key can be learned (up to sign) by the attacker with certainty using E [log2 (k) 11 faults using a binary search approach, where b is the bound vector defining the keyspace. A natural idea for a countermeasure to this attack is to randomly mix the real degree 3 isogenies together with the dummy ones, so that binary search becomes ineffective. In this work we evaluate the efficacy of this idea as a fault attack countermeasure; in particular, we give bounds (as a function of the bound vector entries) on the number of fault injections (of a particular relatively strong, hypothetical type) required for an attacker to have a given success probability for guessing an unknown key, and present the results of simulated attacks on keys sampled from 6 keyspaces found in the literature. We find that the number of faults required to reach any constant success probability in guessing a static key is quadratic in the bound vector entries, rather than logarithmic as in the "real-then-dummy" setting concretely, the number of faults required increases from a few hundred to tens of thousands. Broadly, this behaviour is reflected in our simulations.