Paper 2023/807

Ready to SQI? Safety First! Towards a constant-time implementation of isogeny-based signature, SQIsign

David Jacquemin, Graz University of Technology
Anisha Mukherjee, Graz University of Technology
Péter Kutas, University of Birmingham, Eötvös Loránd University
Sujoy SINHA ROY, Graz University of Technology
Abstract

NIST has already published the first round of submissions for additional post-quantum signature schemes and the only isogeny-based candidate is SQIsign. It boasts the most compact key and signature sizes among all post-quantum signature schemes. However, its current implementation does not address side-channel resistance. This work is the first to identify a potential side-channel vulnerability in SQIsign. At certain steps within the signing procedure, it relies on Cornacchia’s algorithm to represent an integer as a sum of squares of two integers. This algorithm in turn uses a ‘half-GCD’ (half-greatest common divisor) sub-routine based on Euclid’s division algorithm which has often been exploited for side-channel attacks. We show that if the inputs of Cornacchia’s algorithm leak, then one can retrieve the signing key in polynomial time. Also, since there is no constant-time implementation for SQIsign, we propose two timing attack-resistant versions of Cornacchia’s algorithm. The first version uses a constant-time ‘half-GCD’ algorithm that runs a fixed number of times for a given upper bound based on the bit-size of the inputs. The second version is based on the two-dimensional lattice reduction algorithm. We show that randomizing the starting basis with a unimodular matrix would make the execution time independent of the input.
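The following is an added illustration, not code from the paper or from the SQIsign implementation: a textbook Cornacchia routine for a prime p ≡ 1 (mod 4) that counts the Euclidean divisions of its half-GCD phase, showing that the count differs between inputs of the same bit-size. The function names and sample primes are assumptions made for this example; the data-dependent loop count is what a half-GCD that "runs a fixed number of times" removes.

```python
from math import isqrt

def sqrt_minus_one(p):
    """Return r with r*r ≡ -1 (mod p), for a prime p ≡ 1 (mod 4)."""
    for a in range(2, p):
        r = pow(a, (p - 1) // 4, p)   # a quadratic non-residue a gives r^2 ≡ -1
        if r * r % p == p - 1:
            return r
    raise ValueError("no square root of -1 modulo p")

def cornacchia(p):
    """Return (x, y, steps) with x*x + y*y == p.

    steps counts the Euclidean divisions of the 'half-GCD' phase, which
    stops at the first remainder not exceeding sqrt(p).
    """
    if p % 4 != 1:
        raise ValueError("this sketch expects a prime p ≡ 1 (mod 4)")
    a, b, steps = p, sqrt_minus_one(p), 0
    bound = isqrt(p)
    while b > bound:                  # iteration count depends on the input
        a, b = b, a % b
        steps += 1
    y = isqrt(p - b * b)
    if b * b + y * y != p:
        raise ValueError("no representation found (is p prime?)")
    return b, y, steps

def step_profile(primes):
    """Map each prime to the number of divisions its half-GCD phase needed."""
    return {p: cornacchia(p)[2] for p in primes}

if __name__ == "__main__":
    # Constructed sample inputs: the four 6-bit primes congruent to 1 mod 4.
    for p, steps in step_profile([37, 41, 53, 61]).items():
        x, y, _ = cornacchia(p)
        print(f"p={p}: {x}^2 + {y}^2, {steps} division(s)")
```
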

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
isogeny-based cryptography, SQISign, side-channel analysis, isogeny signature, constant-time implementation
Contact author(s)
david jacquemin @ iaik tugraz at
anisha mukherjee @ iaik tugraz at
p kutas @ bham ac uk
sujoy sinharoy @ iaik tugraz at
History
2024-02-09: revised
2023-06-01: received
Short URL
https://ia.cr/2023/807
License
No rights reserved
CC0

BibTeX

@misc{cryptoeprint:2023/807,
      author = {David Jacquemin and Anisha Mukherjee and Péter Kutas and Sujoy SINHA ROY},
      title = {Ready to {SQI}? Safety First! Towards a constant-time implementation of isogeny-based signature, {SQIsign}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/807},
      year = {2023},
      url = {https://eprint.iacr.org/2023/807}
}