2021.05.02 13:11:35 (1388813415796428801) from "Luca De Feo (@luca_defeo)", replying to "Luca De Feo (@luca_defeo)" (1388812944734048257):
For having worked on this, I concur: it's not easy to imagine attacks on SIKE which are not already known ECC attacks. Indeed, with few exceptions, the side-channel literature on SIKE has so far stuck to reproducing well known attacks.
2021.05.02 13:20:10 (1388815575468724228) from "Luca De Feo (@luca_defeo)", replying to "Luca De Feo (@luca_defeo)" (1388813415796428801):
This leads to a paradoxical situation: working on side-channel security of SIKE is unrewarding, so researchers stand clear of it. How do you make a case for side-channel security of an algorithm that already may be side-channel secure?
2021.05.02 19:07:11 (1388902902832369665) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1388815575468724228):
The SIKE implementation CCA disaster, from trying to stop FO timing attacks, is a perfect example of why protecting SIKE (1) isn't easy and (2) isn't like ECC. People also keep publishing papers on ECC side-channel attacks. "Not many SIKE papers ergo secure" is a flimsy argument.
2021.05.03 03:56:03 (1389035996398989315) from "Luca De Feo (@luca_defeo)":
If anything, the CCA fiasco shows that implementing constant-time comparison isn't easy. Can you show me a CCA-secure scheme (ECC or anything else) that doesn't need constant-time comparison?
2021.05.03 10:31:08 (1389135423641841664) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389035996398989315):
Here's a KEM: Alice's public key is aG. Bob sends random bG as the ciphertext. The session key is a hash of (aG,bG,abG). SIKE is much more complicated than this, and has many more side-channel targets, such as the comparisons in the FO transform used to protect against GPST.
2021.05.03 10:44:38 (1389138820348579842) from Daniel J. Bernstein:
We've seen again and again, for a wide range of cryptographic functions, that implementations without expensive countermeasures are broken at low cost by physical side channels beyond timing. There are many papers quantifying this. Unquantified security claims lack credibility.