The cr.yp.to microblog: 2021.05.02 08:47:12

2021.05.02 08:47:12 (1388746881723817993) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1388408596703109122):

The official SIKE code screwed up constant-time comparisons, allowing a CCA attack in December. Defending against more invasive side channels is harder. The necessary security analysis has barely started. The broader literature is full of breaks of overconfident security claims.

Context

2021.04.29 16:44:02 (1387779717370048518) from Daniel J. Bernstein:

Agreeing with main points in 3, 4, 6, 10 in https://eprint.iacr.org/2021/543. More objections to 2, 5, 7, 9. Most important dispute is regarding risk management, 1+8. Recent advances in torsion-point attacks have killed a huge part of the SIKE parameter space, far worse than MOV vs ECDLP.

2021.04.29 19:51:08 (1387826799422418944) from "Luca De Feo (@luca_defeo)":

I'm curious about your objections to 5 (side-channel). Do you mind expounding?

2021.05.01 09:48:32 (1388399928280457221) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1387826799422418944):

5 spends all its time describing some SIKE side-channel countermeasures. How is this supposed to justify the main 5 conclusion, namely that SIKE is easier/cheaper to protect than competitors? Weak, unquantified arguments for SIKE => like ECC => easy; zero analysis of competitors.

2021.05.01 10:22:59 (1388408596703109122) from "Luca De Feo (@luca_defeo)":

I see. But, outside of the comparison, do you agree that SIKE is easy/cheap to protect?