Avoiding side-channel attacks by computing isogenous and isomorphic elliptic curves (Q1616162)

From MaRDI portal
scientific article

    Statements

    Avoiding side-channel attacks by computing isogenous and isomorphic elliptic curves (English)
    1 November 2018
    Elliptic curve cryptosystems are vulnerable to a particular type of side-channel attack (SCA), the so-called zero-value point (ZVP) attacks (if the underlying elliptic curve \(E: y^2=x^3+ax+b\), defined over a finite field, fulfills some conditions, this attack allows one to obtain the secret key), see [\textit{T. Akishita} and \textit{T. Takagi}, Lect. Notes Comput. Sci. 2851, 218--233 (2003; Zbl 1255.94052)]. \textit{C. Murdica} et al. [Lect. Notes Comput. Sci. 7275, 183--198 (2012)] added more conditions on the elliptic curve \(E\) for it to be SCA-resistant (same-value analysis (SVA) attacks). To overcome those weaknesses, \textit{N. P. Smart} [``Same values power analysis using special points on elliptic curves'', Lect. Notes Comput. Sci. 2779, 281--290 (2003; Zbl 1274.94116)] proposed to use, instead of \(E\), another curve \(l\)-isogenous (\(l\) prime) to \(E\), a curve not fulfilling the conditions of Akishita and Takagi. \textit{J. M. Miret} et al. [Lect. Notes Comput. Sci. 5379, 266--277 (2009; Zbl 1292.94114)] proposed to take, instead of a unique \(l\)-isogeny, a chain of isogenies (of small degree), working in the volcanoes of \(E\). The present paper follows these paths, looking for alternative curves, resistant to SCA and efficient (\(a=-3\)), for two sets of curves: the curves recommended by NIST [FIPS PUB 186--4, Appendix D. (2013), \url{http://csrc.nist.gov/publications/PubsFIPS.html}] and those proposed by J. W. Bos et al. [``Selecting elliptic curves for cryptography: an efficiency and security analysis'', J. Cryptogr. Eng. 6, No. 4, 259--286 (2016)]. Sections 2 and 3 summarize the basic facts about elliptic curves and SCA, in particular ZVP and SVA attacks. The proposed analysis is presented in Section 5. First it proves that all the curves of both sets are vulnerable (Tables 1 and 2) and then it looks for secure and efficient alternative curves (Algorithm 1). Algorithm 1 is a variant of an algorithm due to \textit{R. Abarzúa} et al. [``Evitando ataques Side-Channel mediante el cálculo de curvas isógenas e isomorfas'', in: Proceedings of VII CIBSI, 173--180, Panamá (2013)]. Given an elliptic curve \(E\), and using isogenies and isomorphisms, the algorithm looks for a resistant and efficient curve. But ``If, after several tries, the algorithm is unable to find a resistant efficient curve (with \(a = -3\)), then it computes a resistant curve \dots without forcing the efficiency restriction.'' Appendices A and B show the curves found.
    elliptic curve cryptography
    smart cards
    side-channel attacks
    zero-value point attacks
    isogenies

    Identifiers