
The Cost to Break SIKE: A Comparative Hardware-Based Analysis with AES and SHA-3

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12827)

Abstract

This work presents a detailed study of the classical security of the post-quantum supersingular isogeny key encapsulation (SIKE) protocol using a realistic budget-based cost model that considers the actual computing and memory costs that are needed for cryptanalysis. In this effort, we design especially-tailored hardware accelerators for the time-critical multiplication and isogeny computations that we use to model an ASIC-powered instance of the van Oorschot-Wiener (vOW) parallel collision search algorithm. We then extend the analysis to AES and SHA-3 in the context of the NIST post-quantum cryptography standardization process to carry out a parameter analysis based on our cost model. This analysis, together with the state-of-the-art quantum security analysis of SIKE, indicates that the current SIKE parameters offer higher practical security than currently believed, closing an open issue on the suitability of the parameters to match NIST’s security levels. In addition, we explore the possibility of using significantly smaller primes to enable more efficient and compact implementations with reduced bandwidth. Our improved cost model and analysis can be applied to other cryptographic settings and primitives, and can have implications for other post-quantum candidates in the NIST process.


Notes

  1. The name of the parameter set is assembled by concatenating “SIKEp” and the bitlength of the underlying prime p.

  2. We note that there were no parameter changes for Round 3.

  3. The issue is particularly problematic for level 5, for which the gap between the security estimates for SIKEp751 and AES256 is relatively large.

  4. A point emphasized by Bernstein [4], for example, is that some studies focus on serial attacks and their improvement, ignoring the existence of better parallel attacks.

  5. Wiener’s approach is unable to identify the best attack if, for example, an algorithm takes \(\mathcal {O}(n^{1/2})\) steps per processor and \(\mathcal {O}(n^{1/2})\) components, while another algorithm takes \(\mathcal {O}(n^{2/3})\) steps per processor and \(\mathcal {O}(n^{1/3})\) components.

  6. As pointed out in [43], some applications such as discrete logarithms do not require locating the initial point of collision of two colliding trails. In these cases, it suffices to detect that the trails merged.

  7. We use U.S. dollars (USD) as currency, without loss of generality.

  8. We use “years” as the unit of security strength, without loss of generality.

  9. More generally, the question is how the security of a given cryptosystem is expected to change over time due to technological advances and increases in capital, which is an aspect that is frequently ignored.

  10. Although the core technology behind HDDs is not based on semiconductors, they have also followed a similar pattern of growth and cost reduction, arguably because of being under similar economic and technological forces.

  11. We only compare the encapsulation operation, as this is the only high-level function in SIKE that fully works on the \(2^{e_2}\)-torsion subgroup, as in our isogeny accelerator.

  12. Each Block RAM on the Virtex-7 consists of 36 Kb, which our accelerator uses very scarcely (see Table 2).

  13. As a relevant point of reference, the annual budget of the NSA in 2013 was estimated at US$10.8 billion (https://en.wikipedia.org/wiki/National_Security_Agency).

  14. The use of SSD memory for calculating the cost reduction rate is to be conservative in our estimates: HDD memory is currently cheaper, but SSD is expected to become more cost-effective in the next years.

  15. The classical security of SIKEp503 is actually closer to that of AES192 and SHA3-384. It would be interesting to investigate if further analysis can reduce or eliminate the small gap.
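Notes 5 and 6 refer to the trails of the vOW parallel collision search and to the difference between merely detecting that two trails merged and locating the actual colliding pair. The following is an added example written for this page, not code from the paper or from the vOW4SIKE library [26]: a sequential model of vOW with distinguished points over a constructed 20-bit toy function f (SHA-256 truncated to 20 bits, assumed here for the sake of running offline). It finds an arbitrary collision, i.e. the "small number of collisions" setting that Table 10 associates with SHA-3, and does not model the golden-collision variant applied to SIKE. The distinguished-point rule and the trail-length cap are likewise assumptions of the example.

```python
import hashlib
import random

# Constructed toy setting: a 20-bit domain and a random-looking function f on it
# (first 20 bits of SHA-256 of the input). A real vOW run uses a function derived
# from the primitive under analysis; this one exists only so the example runs offline.
DOMAIN_BITS = 20
DOMAIN = 1 << DOMAIN_BITS


def f(x: int) -> int:
    """Hypothetical target function: SHA-256 truncated to DOMAIN_BITS."""
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & (DOMAIN - 1)


def is_distinguished(x: int, dp_bits: int) -> bool:
    """A point is 'distinguished' when its dp_bits low bits are all zero."""
    return x & ((1 << dp_bits) - 1) == 0


def walk(start: int, dp_bits: int, max_len: int):
    """Follow the trail start -> f(start) -> ... until a distinguished point.

    Returns (distinguished_point, trail_length), or None when the trail exceeds
    max_len (it fell into a cycle with no distinguished point and is abandoned).
    """
    x = start
    for length in range(1, max_len + 1):
        x = f(x)
        if is_distinguished(x, dp_bits):
            return x, length
    return None


def locate_collision(start_a: int, len_a: int, start_b: int, len_b: int):
    """Two trails merged (same distinguished point). Walk them in lockstep to
    find the first pair (a, b) with a != b and f(a) == f(b).

    This is the extra work that note 6 says can be skipped when detecting the
    merge alone is sufficient.
    """
    # Align the longer trail so both have the same number of steps left.
    if len_a < len_b:
        start_a, len_a, start_b, len_b = start_b, len_b, start_a, len_a
    for _ in range(len_a - len_b):
        start_a = f(start_a)
    if start_a == start_b:
        return None  # one trail simply joined the other: no new collision
    a, b = start_a, start_b
    while True:
        fa, fb = f(a), f(b)
        if fa == fb:
            return a, b
        a, b = fa, fb


def vow_collision(dp_bits: int = 4, seed: int = 1):
    """Sequential model of vOW parallel collision search: generate trails from
    random starting points, store (distinguished point -> start, length) in a
    shared table, and report a collision when two trails end at the same
    distinguished point.

    Returns ((a, b), trails_generated) with a != b and f(a) == f(b).
    """
    rng = random.Random(seed)
    max_len = 20 * (1 << dp_bits)   # expected trail length is about 2**dp_bits
    table = {}                      # models the shared memory of the vOW attack
    trails = 0
    while True:
        start = rng.randrange(DOMAIN)
        trails += 1
        result = walk(start, dp_bits, max_len)
        if result is None:
            continue
        dp, length = result
        if dp in table:
            found = locate_collision(*table[dp], start, length)
            if found is not None:
                return found, trails
        else:
            table[dp] = (start, length)


if __name__ == "__main__":
    (a, b), n = vow_collision()
    print(f"collision after {n} trails: f({a}) == f({b}) == {f(a)}")
```

The memory the model needs is the table of distinguished points, which is exactly the quantity the budget-based cost model prices per byte; raising `dp_bits` makes trails longer and the table smaller, which is the time/memory trade-off that the hardware cost analysis of the paper captures for the real parameter sets.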

References

  1. Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J.-J., Menezes, A., Rodríguez-Henríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. In: Cid, C., Jacobson, M.J., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 322–343. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-10970-7_15

  2. Akin, A., Aysu, A., Ulusel, O.C., Savaş, E.: Efficient hardware implementations of high throughput SHA-3 candidates Keccak, Luffa and Blue Midnight Wish for single- and multi-message hashing. In: Makarevich, O.B., et al. (eds.) International Conference on Security of Information and Networks (SIN 2010), pp. 168–177. ACM (2010)

  3. Azarderakhsh, R., et al.: Supersingular Isogeny Key Encapsulation (SIKE), 2017–2020. Latest specification available at https://sike.org. Round 1 submission available at https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/SIKE.zip. Round 2 submission available at https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-2/submissions/SIKE-Round2.zip

  4. Bernstein, D.J.: Understanding brute force. In: Workshop Record of ECRYPT STVL Workshop on Symmetric Key Encryption, eSTREAM report 2005/036 (2005)

  5. Biasse, J.-F., Pring, B.: A framework for reducing the overhead of the quantum oracle for use with Grover’s algorithm with applications to cryptanalysis of SIKE. In: MathCrypt 2019 (2019)

  6. Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 211–240. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_8

  7. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_21

  8. Costello, C., Longa, P., Naehrig, M., Renes, J., Virdia, F.: Improved classical cryptanalysis of SIKE in practice. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 505–534. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_18

  9. Couveignes, J.-M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). http://eprint.iacr.org/2006/291

  10. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptology 8(3), 209–247 (2014)

  11. Dennard, R.H., Gaensslen, F., Yu, H.-N., Rideout, L., Bassous, E., LeBlanc, A.: Design of ion-implanted MOSFET’s with very small physical dimensions. IEEE J. Solid-State Circuits SC-9(5), 256–268 (1974)

  12. Faz-Hernández, A., Hernandez, J.L., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie-Hellman key exchange protocol. IEEE Trans. Comput. 67(11), 1622–1636 (2018)

  13. International Roadmap for Devices and Systems (IRDS), 2016–2020. https://irds.ieee.org/

  14. The International Technology Roadmap for Semiconductors (ITRS). ITRS reports, 2001–2015. http://www.itrs2.net/itrs-reports.html

  15. Gargini, P.: The International Technology Roadmap for Semiconductors (ITRS): “Past, present and future”. In: IEEE Gallium Arsenide Integrated Circuits (GaAs IC) Symposium, pp. 3–5. IEEE (2000)

  16. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  17. Jaques, S., Naehrig, M., Roetteler, M., Virdia, F.: Implementing Grover oracles for quantum key search on AES and LowMC. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 280–310. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_10

  18. Jaques, S., Schanck, J.M.: Quantum cryptanalysis in the RAM model: claw-finding attacks on SIKE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 32–61. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_2

  19. Jaques, S., Schrottenloher, A.: Low-gate quantum golden collision finding. In: Selected Areas in Cryptography - SAC 2020 (2020). http://eprint.iacr.org/2020/424

  20. Khan, S.M., Mann, A.: AI chips: what they are and why they matter. Center for Security and Emerging Technology (2020)

  21. Koziel, B., Ackie, A.-B., El Khatib, R., Azarderakhsh, R., Kermani, M.M.: SIKE’d Up: fast and secure hardware architectures for supersingular isogeny key encapsulation. IEEE Trans. Circuits Syst. I: Regular Papers (2020). Software Available at https://github.com/kozielbrian/VHDL-SIKE_R2

  22. Koç, Ç.K., Acar, T., Kaliski, B.S., Jr.: Analyzing and comparing Montgomery multiplication algorithms. IEEE Micro 16(3), 26–33 (1996)

  23. Longa, P., Wang, W., Szefer, J.: The cost to break SIKE: a comparative hardware-based analysis with AES and SHA-3 (full paper version). Cryptology ePrint Archive, Report 2020/1457 (2020). https://eprint.iacr.org/2020/1457

  24. Massolino, P.M.C., Longa, P., Renes, J., Batina, L.: A compact and scalable hardware/software co-design of SIKE. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(2), 245–271 (2020). Software Available at https://github.com/pmassolino/hw-sike

  25. Microsoft. SIDH Library v3.4 (2015–2021). https://github.com/Microsoft/PQCrypto-SIDH

  26. Microsoft. vOW4SIKE Library (2020). https://github.com/microsoft/vOW4SIKE

  27. Moore, G.E.: Cramming more components onto integrated circuits. Electronics 38(8), 114–117 (1965)

  28. Naehrig, M., Renes, J.: Dual isogenies and their application to public-key compression for isogeny-based cryptography. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 243–272. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_9

  29. National Institute of Standards and Technology (NIST). Post-quantum cryptography standardization - round 3 submissions (2020). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-3-Submissions

  30. National Institute of Standards and Technology (NIST). Status report on the second round of the NIST post-quantum cryptography standardization process (2020). https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8309.pdf

  31. National Institute of Standards and Technology (NIST). Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, December 2016. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

  32. Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_36

  33. National Institute of Standards and Technology (NIST). Advanced Encryption Standard (AES). Federal Inf. Process. Stds. (FIPS PUBS) - 197 (2001). https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf

  34. National Institute of Standards and Technology (NIST). SHA-3 standard: Permutation-based hash and extendable-output functions. Federal Inf. Process. Stds. (FIPS PUBS) - 202 (2015). https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

  35. Geovandro, C.C.F.P., Doliskani, J., Jao, D.: X-only point addition formula and faster compressed SIKE. J. Cryptogr. Eng. 11(1), 57–69 (2021)

  36. RISC-V, 2010–2020. https://riscv.org/

  37. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006). http://eprint.iacr.org/2006/145

  38. Silvaco. NanGate FreePDK45 open-cell library. https://si2.org/open-cell-library/. Accessed Sept 2020

  39. Spencer, W.J., Seidel, T.E.: National technology roadmaps: the U.S. semiconductor experience. In: International Conference on Solid-State and IC Technology (ICSICT). IEEE (1995)

  40. Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)

  41. Ueno, R., et al.: High throughput/gate AES hardware architectures based on datapath compression. IEEE Trans. Comput. 69(4), 534–548 (2020)

  42. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S. (eds.) ACM Conference on Computer and Communications Security - CCS 1994, pp. 210–218. ACM (1994)

  43. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptology 12(1), 1–28 (1999)

  44. Vélu, J.: Isogénies entre courbes elliptiques. Comptes Rendus de l’Académie des Sciences des Paris 273, 238–241 (1971)

  45. VexRiscv, 2017–2020. https://github.com/SpinalHDL/VexRiscv/

  46. Wiener, M.J.: The full cost of cryptanalytic attacks. J. Cryptology 17(2), 105–124 (2004)

Author information

Correspondence to Patrick Longa.

Appendices

A Price Data

Table 8 summarizes the price information that we collected per year for memory (HDD, DRAM and SSD) and Intel/AMD MPUs. For our security estimates, we used the lowest prices available per byte, which in all the cases considered correspond to HDDs. To estimate the cost per gate we considered the MPU (Intel or AMD) that provided the cheapest cost per transistor for a given year. We used the standard assumption that one gate equivalent consists of four transistors. The rows with the “adjusted” costs per byte or gate are obtained by dividing the corresponding costs by the factor 7.40, which approximates the release prices to the chip production cost, as described in the full paper version [23, App. A].

Table 9 summarizes our projections of HDD memory and gate costs for the years between 2025 and 2040. To obtain these values we applied a constant cost reduction rate starting from the year 2020’s prices. Specifically, the reduction rate that we used for MPUs is taken as the ratio between a gate cost in 2015 and its cost in 2020. Similarly, for HDDs it is taken as the ratio between the cost of a byte on SSD memory in 2015 and its cost in 2020. The use of data from SSD memory in this case yields conservative estimates, since SSD is expected to become more cost-effective than HDD in the next years.

The “adjusted” costs were used to calculate the costs of the memory and processing units that are needed to set up the cryptanalytic attacks against SIKE, AES and SHA-3 (see Sect. 6).

Sources. We used the following sources for data collection:

And several other chip manufacturer websites.

Table 8. Historical release prices collected for memory (HDD, DRAM and SSD) and Intel/AMD MPUs from 2000 to 2020. To estimate the cost per gate we considered the MPU (Intel or AMD) that provided the cheapest cost per transistor (“trans.”) for a given year. We used the standard assumption that one gate equivalent consists of four transistors. “Adjusted” costs approximate costs based on release prices to costs at production by dividing the corresponding costs by the factor 7.4 (see [23, App. A]).

Table 9. Projected prices for HDD memory and gates for 2025–2040, at 5-year intervals. The values were obtained by applying a constant reduction factor starting at the adjusted cost in 2020. For MPUs the factor (2.47) is computed by dividing a gate cost in 2015 by its cost in 2020. For HDDs the factor (3.16) is computed by dividing the cost of an SSD byte in 2015 by its cost in 2020.

B Security Estimates

Table 10. Security estimates in terms of years produced by the budget-based cost model and following the procedure from Sect. 6. The estimates are expressed as the base-2 logarithms of the number of years required to break a given primitive under a fixed budget. Results correspond to key-search on AES using Oechslin’s rainbow chains, collision-search on SHA-3 using vOW (case of small number of collisions) and golden collision-search on SIKE using vOW (case of large number of collisions). The hardware (computing power and memory) costs used for the analysis can be found in Appendix A.

Copyright information

© 2021 International Association for Cryptologic Research

Cite this paper

Longa, P., Wang, W., Szefer, J. (2021). The Cost to Break SIKE: A Comparative Hardware-Based Analysis with AES and SHA-3. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12827. Springer, Cham. https://doi.org/10.1007/978-3-030-84252-9_14

  • DOI: https://doi.org/10.1007/978-3-030-84252-9_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84251-2

  • Online ISBN: 978-3-030-84252-9

  • eBook Packages: Computer Science (R0)