2021.05.04 19:05:10 (1389627172470493184) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389596828853751814):
"Nowhere in Section 5 does Craig speak of competitors": Huh? Section 5's summary claims that SIKE has a "good head start" and that "protecting it in most scenarios would be relatively cheap". The actual content of 5 doesn't justify this summary, and doesn't make a case for SIKE.
2021.05.04 12:39:18 (1389530067278209026) from "Luca De Feo (@luca_defeo)", replying to "Luca De Feo (@luca_defeo)" (1389528376831004672):
So it seems it's all about Craig's second claim: it's difficult to attack the isogeny computation part, because it comes after the scalar multiplication part. My (little) experience with side channels has me siding with his analysis. Do you have evidence of the contrary?
2021.05.04 12:41:26 (1389530602593046528) from "Luca De Feo (@luca_defeo)", replying to "Luca De Feo (@luca_defeo)" (1389530067278209026):
Because, if your main objection is "needs more work", then I wholeheartedly agree, and am willing to do it, and invite everyone to do so. But that doesn't mean Craig doesn't have a point, it just means he doesn't have the final point.
2021.05.04 15:15:58 (1389569489956601856) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389530602593046528):
Every cryptosystem X can claim _some_ applicability of existing techniques for side-channel protection. Should each X publish this as part of a "Case for X", leaping to the conclusion that it's cheaper/easier to protect than its competitors? Sorry, no. Needs quantified analysis.
2021.05.04 17:04:36 (1389596828853751814) from "Luca De Feo (@luca_defeo)":
Nowhere in Section 5 does Craig speak of competitors, as you pointed out. It seems you're the one leaping to conclusions.