Side-Channel Analysis and Countermeasure Design on ARM-Based Quantum-Resistant SIKE

IEEE Transactions on Computers (2020)

Abstract
Implementations of post-quantum cryptographic algorithms have only recently been explored, yet protection against side-channel attacks should be considered upfront, since it can have a non-negligible impact on both security and performance. In this article, the security of supersingular isogeny key encapsulation (SIKE), a second-round candidate in NIST's ongoing post-quantum standardization process, is thoroughly evaluated under side-channel analysis. First, the vulnerabilities of the reference and optimized implementations of SIKE are analyzed in terms of both horizontal and vertical side-channel leakage. After the optimized SIKE implementation, which is based on the three-point Montgomery differential ladder algorithm, is shown to be constant-time and free of horizontal leakage, a vertical vulnerability is analyzed at the algorithmic level from the source code, and a theoretical differential power analysis (DPA) attack is proposed. To exploit this vulnerability, a differential electromagnetic attack (DEMA) is carried out in practice to extract the private key of SIKE on a 32-bit ARM platform. To the best of our knowledge, this is the first practical side-channel attack on SIKE implemented on real ARM-based devices. Our experiments show that the DEMA needs only hundreds of electromagnetic traces to succeed. More importantly, an efficient window-based countermeasure is proposed that eliminates the vertical leakage and prevents side-channel attacks with only a small overhead. The security of our countermeasure is carefully evaluated against most well-known power analysis attacks. Through careful evaluation and comparison with other countermeasures, this method is shown to provide higher security at a very small cost in terms of time and memory.
Keywords
PQC, SIKE, vulnerability detection, DPA, DEMA, window-based countermeasure