Side-Channel Secure CSIDH with Projective Coordinates

Abstract

CSIDH is an isogeny-based Non-Interactive Key Exchange (NIKE) proposed at ASIACRYPT’18. In this work, we present the first masked version of CSIDH and, in fact, any isogeny-based scheme. We develop gadgets to efficiently mask all arithmetics in the underlying finite field and prove them secure in the d-probing model. In particular, we develop new gadgets for the Montgomery ladder that use the fact that projective values already represent a multiplicative sharing in two variables. The technique (dubbed quotient masking) might be of independent interest. Lastly, we provide an efficient implementation based on High-Security CSIDH (Communications in Cryptology 2024).