I'm Andreas, a researcher at RheinMain University of Applied Sciences (HSRM) in Wiesbaden working on post-quantum cryptography, with a focus on isogeny-based cryptography.
Isogeny-based cryptography has emerged as a promising post-quantum alternative,
with CSIDH and its constant-time variants CTIDH
and dCTIDH offering efficient group-action protocols. However, CTIDH
and dCTIDH rely on dummy operations in differential addition chains
(DACs) and Matryoshka, which can be exploited by fault-injection
attacks. In this work, we present the first dummy-free implementation
of dCTIDH. Our approach combines two recent ideas: DACsHUND, which
enforces equal-length DACs within each batch without padding, and
a reformulated Matryoshka structure that removes dummy multiplications
and validates all intermediate points. Our analysis shows that small
primes such as 3, 5, and 7 severely restrict feasible DACsHUND
configurations, motivating new parameter sets that exclude them.
We implement dummy-free dCTIDH-2048-194 and dCTIDH-2048-205, achieving group
action costs of roughly 357,000–362,000 Fp-multiplications, with median
evaluation times of 1.59–1.60 Gcyc. These results do not surpass dCTIDH,
but they outperform CTIDH by roughly 5% while eliminating
dummy operations entirely. Compared to dCSIDH, our construction is
more than 4× faster. To the best of our knowledge, this is the first
efficient implementation of a CSIDH-like protocol that is simultaneously
deterministic, constant-time, and fully dummy-free.
ʕ •ᴥ•ʔ wombat
This paper presents dCTIDH, a CSIDH implementation that combines two recent developments into a novel state-of-the-art deterministic implementation. We combine the approach of deterministic variants of CSIDH with the batching strategy of CTIDH, which shows that the full potential of this key space has not yet been explored. This high-level adjustment in itself leads to a significant speed-up. To achieve an effective deterministic evaluation in constant time, we introduce Wombats, a new approach to performing isogenies in batches, specifically tailored to the behavior required for deterministic CSIDH using CTIDH batching.
Furthermore, we explore the two-dimensional space of optimal primes for dCTIDH, with regard to both the performance of dCTIDH in terms of finite-field operations per prime and the efficiency of finite-field operations, determined by the prime shape, in terms of cycles. This allows us to optimize both for choice of prime and scheme parameters simultaneously. Lastly, we implement and benchmark constant-time, deterministic dCTIDH. Our results show that dCTIDH not only outperforms state-of-the-art deterministic CSIDH, but even non-deterministic CTIDH: dCTIDH-2048 is faster than CTIDH-2048 by 17 percent, and is almost five times faster than dCSIDH-2048.