Abstract
This work presents a detailed study of the classical security of the post-quantum supersingular isogeny key encapsulation (SIKE) protocol using a realistic budget-based cost model that considers the actual computing and memory costs that are needed for cryptanalysis. In this effort, we design especially-tailored hardware accelerators for the time-critical multiplication and isogeny computations that we use to model an ASIC-powered instance of the van Oorschot-Wiener (vOW) parallel collision search algorithm. We then extend the analysis to AES and SHA-3 in the context of the NIST post-quantum cryptography standardization process to carry out a parameter analysis based on our cost model. This analysis, together with the state-of-the-art quantum security analysis of SIKE, indicates that the current SIKE parameters offer higher practical security than currently believed, closing an open issue on the suitability of the parameters to match NIST’s security levels. In addition, we explore the possibility of using significantly smaller primes to enable more efficient and compact implementations with reduced bandwidth. Our improved cost model and analysis can be applied to other cryptographic settings and primitives, and can have implications for other post-quantum candidates in the NIST process.
Notes
1. The name of the parameter set is assembled by concatenating “SIKEp” and the bitlength of the underlying prime p.
2. We note that there were no parameter changes for Round 3.
3. The issue is particularly problematic for level 5, for which the gap between the security estimates for SIKEp751 and AES256 is relatively large.
4. A point emphasized by Bernstein [4], for example, is that some studies focus on serial attacks and their improvement, ignoring the existence of better parallel attacks.
5. Wiener’s approach is unable to identify the best attack if, for example, an algorithm takes \(\mathcal {O}(n^{1/2})\) steps per processor and \(\mathcal {O}(n^{1/2})\) components, while another algorithm takes \(\mathcal {O}(n^{2/3})\) steps per processor and \(\mathcal {O}(n^{1/3})\) components.
6. As pointed out in [43], some applications such as discrete logarithms do not require locating the initial point of collision of two colliding trails. In these cases, it suffices to detect that the trails merged.
7. We use U.S. dollars (USD) as currency, without loss of generality.
8. We use “years” as the unit of security strength, without loss of generality.
9. More generally, the question is how the security of a given cryptosystem is expected to change over time due to technological advances and increases in capital, which is an aspect that is frequently ignored.
10. Although the core technology behind HDDs is not based on semiconductors, they have also followed a similar pattern of growth and cost reduction, arguably because of being under similar economic and technological forces.
11. We only compare the encapsulation operation, as this is the only high-level function in SIKE that fully works on the \(2^{e_2}\)-torsion subgroup, as in our isogeny accelerator.
12. Each Block RAM on the Virtex-7 consists of 36 Kb, which our accelerator uses very scarcely (see Table 2).
13. As a relevant point of reference, the annual budget of the NSA in 2013 was estimated at US$10.8 billion (https://en.wikipedia.org/wiki/National_Security_Agency).
14. The use of SSD memory for calculating the cost reduction rate is to be conservative in our estimates: HDD memory is currently cheaper, but SSD is expected to become more cost-effective in the next years.
15. The classical security of SIKEp503 is actually closer to that of AES192 and SHA3-384. It would be interesting to investigate if further analysis can reduce or eliminate the small gap.
References
Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J.-J., Menezes, A., Rodríguez-Henríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. In: Cid, C., Jacobson, M.J., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 322–343. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-10970-7_15
Akin, A., Aysu, A., Ulusel, O.C., Savaş, E.: Efficient hardware implementations of high throughput SHA-3 candidates Keccak, Luffa and Blue Midnight Wish for single- and multi-message hashing. In: Makarevich, O.B., et al. (eds.) International Conference on Security of Information and Networks (SIN 2010), pp. 168–177. ACM (2010)
Azarderakhsh, R., et al.: Supersingular Isogeny Key Encapsulation (SIKE), 2017–2020. Latest specification available at https://sike.org. Round 1 submission available at https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/SIKE.zip. Round 2 submission available at https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-2/submissions/SIKE-Round2.zip
Bernstein, D.J.: Understanding brute force. In: Workshop Record of ECRYPT STVL Workshop on Symmetric Key Encryption, eSTREAM report 2005/036 (2005)
Biasse, J.-F., Pring, B.: A framework for reducing the overhead of the quantum oracle for use with Grover’s algorithm with applications to cryptanalysis of SIKE. In: MathCrypt 2019 (2019)
Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 211–240. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_8
Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_21
Costello, C., Longa, P., Naehrig, M., Renes, J., Virdia, F.: Improved classical cryptanalysis of SIKE in practice. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 505–534. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_18
Couveignes, J.-M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). http://eprint.iacr.org/2006/291
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptology 8(3), 209–247 (2014)
Dennard, R.H., Gaensslen, F., Yu, H.-N., Rideout, L., Bassous, E., LeBlanc, A.: Design of ion-implanted MOSFET’s with very small physical dimensions. IEEE J. Solid-State Circuits SC-9(5), 256–268 (1974)
Faz-Hernández, A., Hernandez, J.L., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie-Hellman key exchange protocol. IEEE Trans. Comput. 67(11), 1622–1636 (2018)
International Roadmap for Devices and Systems (IRDS), 2016–2020. https://irds.ieee.org/
The International Technology Roadmap for Semiconductors (ITRS). ITRS reports, 2001–2015. http://www.itrs2.net/itrs-reports.html
Gargini, P.: The International Technology Roadmap for Semiconductors (ITRS): “Past, present and future”. In: IEEE Gallium Arsenide Integrated Circuits (GaAs IC) Symposium, pp. 3–5. IEEE (2000)
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Jaques, S., Naehrig, M., Roetteler, M., Virdia, F.: Implementing Grover oracles for quantum key search on AES and LowMC. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 280–310. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_10
Jaques, S., Schanck, J.M.: Quantum cryptanalysis in the RAM model: claw-finding attacks on SIKE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 32–61. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_2
Jaques, S., Schrottenloher, A.: Low-gate quantum golden collision finding. In: Selected Areas in Cryptography - SAC 2020 (2020). http://eprint.iacr.org/2020/424
Khan, S.M., Mann, A.: AI chips: what they are and why they matter. Center for Security and Emerging Technology (2020)
Koziel, B., Ackie, A.-B., El Khatib, R., Azarderakhsh, R., Kermani, M.M.: SIKE’d Up: fast and secure hardware architectures for supersingular isogeny key encapsulation. IEEE Trans. Circuits Syst. I: Regular Papers (2020). Software available at https://github.com/kozielbrian/VHDL-SIKE_R2
Koç, Ç.K., Acar, T., Kaliski, B.S., Jr.: Analyzing and comparing Montgomery multiplication algorithms. IEEE Micro 16(3), 26–33 (1996)
Longa, P., Wang, W., Szefer, J.: The cost to break SIKE: a comparative hardware-based analysis with AES and SHA-3 (full paper version). Cryptology ePrint Archive, Report 2020/1457 (2020). https://eprint.iacr.org/2020/1457
Massolino, P.M.C., Longa, P., Renes, J., Batina, L.: A compact and scalable hardware/software co-design of SIKE. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(2), 245–271 (2020). Software available at https://github.com/pmassolino/hw-sike
Microsoft. SIDH Library v3.4 (2015–2021). https://github.com/Microsoft/PQCrypto-SIDH
Microsoft. vOW4SIKE Library (2020). https://github.com/microsoft/vOW4SIKE
Moore, G.E.: Cramming more components onto integrated circuits. Electronics 38(8), 114–117 (1965)
Naehrig, M., Renes, J.: Dual isogenies and their application to public-key compression for isogeny-based cryptography. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 243–272. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_9
National Institute of Standards and Technology (NIST). Post-quantum cryptography standardization - round 3 submissions (2020). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-3-Submissions
National Institute of Standards and Technology (NIST). Status report on the second round of the NIST post-quantum cryptography standardization process (2020). https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8309.pdf
National Institute of Standards and Technology (NIST). Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, December 2016. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf
Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_36
National Institute of Standards and Technology (NIST). Advanced Encryption Standard (AES). Federal Inf. Process. Stds. (FIPS PUBS) 197 (2001). https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
National Institute of Standards and Technology (NIST). SHA-3 standard: Permutation-based hash and extendable-output functions. Federal Inf. Process. Stds. (FIPS PUBS) 202 (2015). https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
Geovandro, C.C.F.P., Doliskani, J., Jao, D.: X-only point addition formula and faster compressed SIKE. J. Cryptogr. Eng. 11(1), 57–69 (2021)
RISC-V, 2010–2020. https://riscv.org/
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006). http://eprint.iacr.org/2006/145
Silvaco. NanGate FreePDK45 open-cell library. https://si2.org/open-cell-library/. Accessed Sept 2020
Spencer, W.J., Seidel, T.E.: National technology roadmaps: the U.S. semiconductor experience. In: International Conference on Solid-State and IC Technology (ICSICT). IEEE (1995)
Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)
Ueno, R., et al.: High throughput/gate AES hardware architectures based on datapath compression. IEEE Trans. Comput. 69(4), 534–548 (2020)
van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S. (eds.) ACM Conference on Computer and Communications Security - CCS 1994, pp. 210–218. ACM (1994)
van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptology 12(1), 1–28 (1999)
Vélu, J.: Isogénies entre courbes elliptiques. Comptes Rendus de l’Académie des Sciences de Paris 273, 238–241 (1971)
VexRiscv, 2017–2020. https://github.com/SpinalHDL/VexRiscv/
Wiener, M.J.: The full cost of cryptanalytic attacks. J. Cryptology 17(2), 105–124 (2004)
Appendices
A Price Data
Table 8 summarizes the price information that we collected per year for memory (HDD, DRAM and SSD) and Intel/AMD MPUs. For our security estimates, we used the lowest prices available per byte, which in all the cases considered correspond to HDDs. To estimate the cost per gate we considered the MPU (Intel or AMD) that provided the cheapest cost per transistor for a given year. We used the standard assumption that one gate equivalent consists of four transistors. The rows with the “adjusted” costs per byte or gate are obtained by dividing the corresponding costs by the factor 7.40, which scales release prices down to the approximate chip production cost, as described in the full paper version [23, App. A].
Table 9 summarizes our projections of HDD memory and gate costs for the years between 2025 and 2040. To obtain these values we applied a constant cost reduction rate starting from the 2020 prices. Specifically, the reduction rate that we used for MPUs is taken as the ratio between a gate cost in 2015 and its cost in 2020. Similarly, for HDDs it is taken as the ratio between the cost of a byte on SSD memory in 2015 and its cost in 2020. The SSD data is used in this case to derive conservative estimates, since SSD is expected to become more cost-effective than HDD in the next years.
The “adjusted” costs were used to calculate the costs of the memory and processing units that are needed to set up the cryptanalytic attacks against SIKE, AES and SHA-3 (see Sect. 6).
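The cost-model steps described above (cheapest price per transistor per year, four transistors per gate equivalent, the 7.40 adjustment, and a constant reduction rate derived from the 2015/2020 ratio), carried out as an added example that is not the paper's code and uses constructed MPU data rather than the values of Table 8. It assumes the 2015/2020 ratio acts as a five-year reduction factor and interpolates geometrically for years in between.

```python
"""Added example (not from the paper): cost-per-gate arithmetic of App. A
over a small constructed price table."""
from dataclasses import dataclass

ADJUST_FACTOR = 7.40        # release price -> production cost (paper, App. A)
TRANSISTORS_PER_GE = 4      # one gate equivalent = four transistors (paper)


@dataclass(frozen=True)
class Mpu:
    year: int
    name: str
    release_price_usd: float
    transistors: int


# Constructed sample data, NOT the paper's Table 8 values.
SAMPLE_MPUS = [
    Mpu(2015, "chip-A", 300.0, 1_500_000_000),
    Mpu(2015, "chip-B", 120.0, 1_000_000_000),
    Mpu(2020, "chip-C", 250.0, 5_000_000_000),
    Mpu(2020, "chip-D", 90.0, 3_000_000_000),
]


def cheapest_gate_cost(mpus, year):
    """USD per gate equivalent for the MPU of `year` with the lowest
    price per transistor (unadjusted release price)."""
    candidates = [m for m in mpus if m.year == year]
    if not candidates:
        raise ValueError(f"no MPU data for {year}")
    best = min(candidates, key=lambda m: m.release_price_usd / m.transistors)
    return best.release_price_usd / best.transistors * TRANSISTORS_PER_GE


def adjusted(cost):
    """Release price -> approximate production cost (divide by 7.40)."""
    return cost / ADJUST_FACTOR


def project_gate_cost(mpus, year):
    """Adjusted gate cost for year >= 2020 under a constant reduction rate.
    Assumption: the 2015/2020 ratio is a five-year factor, applied
    geometrically so intermediate years interpolate smoothly."""
    c2015 = adjusted(cheapest_gate_cost(mpus, 2015))
    c2020 = adjusted(cheapest_gate_cost(mpus, 2020))
    five_year_factor = c2015 / c2020            # > 1 when costs fall
    return c2020 / five_year_factor ** ((year - 2020) / 5)


if __name__ == "__main__":
    for y in (2020, 2025, 2030, 2035, 2040):
        print(y, f"{project_gate_cost(SAMPLE_MPUS, y):.3e} USD/GE")
```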
Sources. We used the following sources for data collection:
- https://en.wikipedia.org/wiki/List_of_Intel_Core_2_microprocessors
- https://en.wikipedia.org/wiki/List_of_Intel_Core_i3_microprocessors
- https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors
- https://en.wikipedia.org/wiki/List_of_Intel_Celeron_microprocessors
- https://en.wikipedia.org/wiki/List_of_Intel_Pentium_D_microprocessors
- https://en.wikipedia.org/wiki/List_of_AMD_Athlon_microprocessors
- https://en.wikipedia.org/wiki/List_of_AMD_Ryzen_microprocessors
- several other chip manufacturer websites.
B Security Estimates
© 2021 International Association for Cryptologic Research
Longa, P., Wang, W., Szefer, J. (2021). The Cost to Break SIKE: A Comparative Hardware-Based Analysis with AES and SHA-3. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12827. Springer, Cham. https://doi.org/10.1007/978-3-030-84252-9_14
DOI: https://doi.org/10.1007/978-3-030-84252-9_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84251-2
Online ISBN: 978-3-030-84252-9