The cr.yp.to microblog: 2021.05.04 15:15:58

2021.05.04 15:15:58 (1389569489956601856) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389530602593046528):

Every cryptosystem X can claim _some_ applicability of existing techniques for side-channel protection. Should each X publish this as part of a "Case for X", leaping to the conclusion that it's cheaper/easier to protect than its competitors? Sorry, no. Needs quantified analysis.

2021.05.04 15:37:38 (1389574942656647173) from Daniel J. Bernstein:

Analogy: "This chaos-based RNG uses multiplications, and there has been a lot of work on multiplication speed, so obviously this RNG will be faster than non-mult RNGs once we've written software. Also, obviously the software will pass whatever statistical tests you can imagine."

Context

2021.05.04 07:38:49 (1389454447005237248) from Daniel J. Bernstein:

Having this flimsy side-channel argument in a "case for SIKE" document also distracts attention from arguments that are clear and quantified and justified, such as the fact that the best attack known against SIKE's proposed parameters is 1990s-vintage vOW golden-collision search.

2021.05.04 12:32:35 (1389528376831004672) from "Luca De Feo (@luca_defeo)":

I get your argument about a lack of comparison to competitors. Not easy to squeeze in a 10 page document, may well be worth a full paper. You seem to agree with Craig's first claim: protecting the scalar multiplication in SIKE == protecting ECC.

2021.05.04 12:39:18 (1389530067278209026) from "Luca De Feo (@luca_defeo)", replying to "Luca De Feo (@luca_defeo)" (1389528376831004672):

So it seems it's all about Craig's second claim: it's difficult to attack the isogeny computation part, because it comes after the scalar multiplication part. My (little) experience with side channels has me siding with his analysis. Do you have evidence to the contrary?

2021.05.04 12:41:26 (1389530602593046528) from "Luca De Feo (@luca_defeo)", replying to "Luca De Feo (@luca_defeo)" (1389530067278209026):

Because, if your main objection is "needs more work", then I wholeheartedly agree, and am willing to do it, and invite everyone to do so. But that doesn't mean Craig doesn't have a point, it just means he doesn't have the final point.