@phdthesis{Meyer2021,
  author    = {Meyer, Michael},
  title     = {Practical isogeny-based cryptography},
  doi       = {10.25972/OPUS-24682},
  url       = {http://nbn-resolving.de/urn:nbn:de:bvb:20-opus-246821},
  school      = {Universit{\"a}t W{\"u}rzburg},
  year      = {2021},
  abstract  = {This thesis aims at providing efficient and side-channel protected implementations of isogeny-based primitives, and at their application in threshold protocols. It is based on a sequence of academic papers. Chapter 3 reviews the original variable-time implementation of CSIDH and introduces several optimizations, e.g. a significant improvement of isogeny computations by using both Montgomery and Edwards curves. In total, our improvements yield a speedup of 25\% compared to the original implementation. Chapter 4 presents the first practical constant-time implementation of CSIDH. We describe how variable-time implementations of CSIDH leak information on private keys, and describe ways to mitigate this. Further, we present several techniques to speed up the implementation. In total, our constant-time implementation achieves a rather small slowdown by a factor of 3.03. Chapter 5 reviews practical fault injection attacks on CSIDH and presents countermeasures. We evaluate different attack models theoretically and practically, using low-budget equipment. Moreover, we present countermeasures that mitigate the proposed fault injection attacks, only leading to a small performance overhead of 7\%. Chapter 6 initiates the study of threshold schemes based on the Hard Homogeneous Spaces (HHS) framework of Couveignes. Using the HHS equivalent of Shamir's secret sharing in the exponents, we adapt isogeny based schemes to the threshold setting. In particular, we present threshold versions of the CSIDH public key encryption and the CSI-FiSh signature scheme. Chapter 7 gives a sieving algorithm for finding pairs of consecutive smooth numbers that utilizes solutions to the Prouhet-Tarry-Escott (PTE) problem. Recent compact isogeny-based protocols, namely B-SIDH and SQISign, both require large primes that lie between two smooth integers. Finding such a prime can be seen as a special case of finding twin smooth integers under the additional stipulation that their sum is a prime.},
  subject      = {Kryptologie},
  language  = {en}
}