SIKE in Hardware
Reza Azarderakhsh, Florida Atlantic University
CHES 2019
Atlanta, GA, USA
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 1 / 56
Quantum Threat to Information Security
• Large-scale quantum computers could break some encryption schemes
• Need to migrate encryption to quantum-resistant algorithms
• When should we start the process?
Timeline
• 2016: Start PQ Crypto
• 2017: Round 1
• 2019: Round 2
• 2022-23: Standardization draft
• 2030?: Quantum computers
Retroactive decryption: record encrypted data now, decrypt it once you have a quantum computer.
Post-Quantum Key-Exchange
• Lattice-based
• Code-based
• Isogeny-based
Post-Quantum Signatures
• Lattice-based
• Hash-based
• Multivariate-based
• Zero-Knowledge-based
Open Questions about Post-Quantum Cryptography
• Design better post-quantum cryptosystems
• Improve classical and quantum attacks
• Pick parameter sizes
• Develop fast, efficient, and secure implementations
• Integrate them into the existing infrastructure
Architecture Selection for Cryptographic Design
HW only (CPU + coprocessor)
+ Highly optimized for a dedicated purpose (power consumption, execution time, security)
− Extra HW costs
− Limited flexibility
− HW design effort/complexity
HW/SW (CPU + coprocessor)
+ Good trade-off between optimization and costs (still fast, but less design effort/complexity, easier to handle)
+ Higher flexibility
− Not straightforward to find the optimal HW/SW partitioning
− Extra HW costs
− Less optimized than HW-only
SW only (CPU)
+ Limited HW costs (code/data storage)
+ Highest flexibility
+ Minimal HW design effort / eases handling of complexity (programming)
− Not optimized (energy consumption, performance)
FPGAs: Field Programmable Gate Arrays
FPGAs are composed of:
• Programmable logic cells
• A configurable routing matrix
• Configurable input/output cells
• Embedded memory blocks
• Small embedded multipliers (18-bit × 18-bit multiplier blocks)
• etc.
Inside a logic cell:
• Connections to the routing matrix
• Programmable lookup tables: 4 inputs, 1 output; 6 inputs, 1 output; 6 inputs, 2 outputs
• Optional registers (free pipelining)
• More logic for fast carry propagation
FPGAs vs. ASIC
+ prototyping
+ re-usability
+ short time to market
+ simpler design cycle
+ programmable in the field
+ hardware/software co-design
− speed
− silicon footprint
− power and energy consumption
− low cost for high volumes
− better performance
− reconfigurability and redundancy
SIKE Team
A brief history of public key cryptography
Cryptosystem → hard problem:
• Diffie-Hellman (1976), Elliptic curve cryptography (1986), Pairing-based cryptography (2000): Discrete logarithms
• RSA (1977), Rabin (1978), Composite residues (1985): Factoring integers
• Code-based cryptography (1979): Decoding linear codes
• Lattice-based / NTRU (1996): Finding short lattice vectors
• Isogeny-based / CRS (1996), SIDH / SIKE (2011): Computing isogenies
History of Supersingular Isogeny-based cryptography
• [2006]: Birth of supersingular isogeny-based cryptosystems: Charles-Goren-Lauter built a hash function from the supersingular isogeny graph
• [2011]: Supersingular isogeny Diffie-Hellman key exchange (SIDH): Jao-De Feo
• [2017]: Supersingular isogeny key encapsulation (SIKE): SIKE Team (https://sike.org)
SIDH/SIKE
Supersingular Isogeny Diffie-Hellman (Jao and De Feo, 2011):
• A key-exchange protocol, similar to Diffie-Hellman, using isogenies between supersingular elliptic curves
Why isogenies?
• Because they seem to be quantum-resistant
Why supersingular elliptic curves?
• There is a quantum subexponential attack for ordinary (i.e. non-supersingular) curves (Childs, Jao, and Soukharev 2014)
Supersingular Isogeny Key Encapsulation
• A more secure (and slower) version of SIDH, with random padding and protection against active attacks.
(Ordinary) Elliptic Curves
• An elliptic curve over a prime field: E_W/F_p : y^2 = x^3 + ax + b.
• To avoid infinite sets, we choose x, y, a, b ∈ F_p.
• Example in SAGE: E = EllipticCurve(GF(11), [1, 6])
  → Elliptic Curve defined by y^2 = x^3 + x + 6 over Finite Field of size 11
• SAGE: E.points()
  → [(0 : 1 : 0), (2 : 4 : 1), (2 : 7 : 1), (3 : 5 : 1), (3 : 6 : 1), (5 : 2 : 1), (5 : 9 : 1), (7 : 2 : 1), (7 : 9 : 1), (8 : 3 : 1), (8 : 8 : 1), (10 : 2 : 1), (10 : 9 : 1)]
• SAGE: E.cardinality() or E.order() = 13; E.is_ordinary(): True; E.is_supersingular(): False
Point Addition
• Let E be an elliptic curve. Suppose P, Q ∈ E. We want to add P and Q.
• Draw a line through P and Q. Find where this line crosses E. Reflect around the x-axis. The reflected point is P + Q.
Group law example: addition on E/R : y^2 = x^3 − 2x. The line ℓ : y = x through (−1, −1) and (0, 0) meets E a third time at (2, 2); reflecting it around the x-axis gives their sum (2, −2).
Point Doubling
• Let E be an elliptic curve. Suppose P, Q ∈ E. To compute P + Q when P = Q:
• Draw the tangent line through P. Find where this line crosses E. Reflect around the x-axis. The reflected point is P + P.
Group law example: doubling on E/R : y^2 = x^3 − 2x at P = (−1, −1). The tangent ℓ′ : y = −x/2 − 3/2 meets E again at (9/4, −21/8); reflecting it around the x-axis gives 2P = (9/4, 21/8).
Montgomery Curves
• 1987 Montgomery: All Montgomery curves are elliptic curves. Not all elliptic curves can be written in Montgomery form.
  b·y^2 = x^3 + a·x^2 + x
• It has been observed that the x-coordinate of R = P + Q depends only on the x-coordinates of P, Q, and P − Q:
  (x3, y3) − (x2, y2) = (x1, y1)
  (x3, y3) + (x2, y2) = (x5, y5)
  ⇒ x5 = (x2·x3 − 1)^2 / (x1·(x2 − x3)^2)
• Similarly when P = Q it is true for doubling: x-only doubling.
  2·(x2, y2) = (x4, y4) ⇒ x4 = (x2^2 − 1)^2 / (4·x2·(x2^2 + a·x2 + 1))
• Can compute P + Q from {P, Q, P − Q} without y-coordinates.
• Use projective coordinates: points (X : Z) with x = X/Z.
• Cheap differential addition (4M + 2S) and doubling (2M + 2S).
Real-world usage: Curve25519
• Proposed by Dan Bernstein in 2006:
  E_M/F_p : y^2 = x^3 + 486662·x^2 + x
• Over the prime p = 2^255 − 19
• Used for DH key exchange
Montgomery Ladder
• Point multiplication: Q = k · P
• The Montgomery ladder, an algorithm proposed by Montgomery in 1987:
  function scalar-mult(k, P):
      T0 ← O
      T1 ← P
      for i ← n − 1 downto 0:
          if k_i = 1:
              T0 ← T0 + T1
              T1 ← 2·T1
          else:
              T1 ← T0 + T1
              T0 ← 2·T0
      return T0
• Properties:
  • perform one addition and one doubling at each step
  • ensure that both results are used in the next step
  • loop invariant: T1 = T0 + P
• Example: k = 19 = (10011)_2. Scanning the bits from the most significant one, (T0, T1) goes (P, 2P) → (2P, 3P) → (4P, 5P) → (9P, 10P) → (19P, 20P), so T0 = 19P and T1 = 20P.
• Example: k = 26 = (11010)_2
Source of the ladder slide: Jérémie Detrey, "Software and Hardware Implementation of Elliptic Curve Cryptography".
Supersingular Elliptic Curves
• Let E/F_q be an elliptic curve with q = p^n.
• E is supersingular if p | (q + 1 − #E(F_q)). Otherwise, it is ordinary.
• Special cases:
  • When E/F_p is supersingular: #E(F_p) = p + 1
  • When E/F_{p^2} is supersingular: #E(F_{p^2}) = (p + 1)^2
• Example: EllipticCurve(GF(11), [1, 0]): y^2 = x^3 + x
  • E.is_supersingular(): True; E.order() = 12
• EllipticCurve(GF(11^2), [1, 0]): y^2 = x^3 + x is also supersingular; E.order() = 144
Supersingular Elliptic Curves
• There are only a finite number of supersingular elliptic curves. All supersingular curves can be defined over F_{p^2}.
• Over an algebraically closed field an elliptic curve is determined by its j-invariant; it can be viewed as a way to group multiple elliptic curves into disjoint sets.
• Example: EllipticCurve(GF(11), [1, 0]): y^2 = x^3 + x
  • j(E) = j(a, b) = 1728 · 4a^3 / (4a^3 + 27b^2)
  • E.j_invariant() = 1
• The j-invariant determines the isomorphism class over the field.
  • E1/F_13 : y^2 = x^3 + 9x + 8, E1 = EllipticCurve(GF(13), [9, 8])
  • E2/F_13 : y^2 = x^3 + 3x + 5, E2 = EllipticCurve(GF(13), [3, 5])
  • E1.j_invariant() = E2.j_invariant() = 3
  • E1.is_isomorphic(E2): True
Isomorphisms and Isogenies
• E1 and E2 are isomorphic iff j(E1) = j(E2).
• E1 and E2 are isogenous iff #E1 = #E2.
• q + 1 − 2√q ≤ #E(F_q) ≤ q + 1 + 2√q (Hasse theorem)
So:
• isogeny classes: O(√q)
• isomorphism classes: O(q)
Isogenies of elliptic curves
Definition: An isogeny of elliptic curves over k is a non-zero morphism E → E′ with finite kernel.
Definition: Let E, E′/F_q be elliptic curves and let ℓ ∈ Z_{>0} be coprime to q. An ℓ-isogeny f : E → E′ is an isogeny with #ker(f) = ℓ.
Fact: An isogeny is uniquely determined by its kernel.
• Write φ_G : E → E/G for the isogeny from E with kernel G.
• Vélu’s formulas [1971] compute the ℓ-isogeny from its kernel in time O(ℓ).
Isogenies of elliptic curves
• We call an isogeny cyclic if its kernel is cyclic.
• The kernel of a cyclic ℓ-isogeny is generated by an ℓ-torsion point.
• An ℓ-torsion point is a point P ∈ E(k) such that [ℓ]P = P_∞ (the point at infinity).
• We will work on isogenies with big kernels.
Isogeny graph (figure by Wouter Castryck): the 2-isogeny graph and the 3-isogeny graph.
SIDH overview
1. Public parameters: a supersingular elliptic curve E over F_{p^2}.
2. Alice chooses a kernel A ⊂ E(F_{p^2}) and sends E/A to Bob.
3. Bob chooses a kernel B ⊂ E(F_{p^2}) and sends E/B to Alice.
4. The shared secret is E/〈A, B〉 = (E/A)/φ_A(B) = (E/B)/φ_B(A).
Commutative diagram: φ_A : E → E/A and φ_B : E → E/B, with both E/A and E/B mapping on to E/〈A, B〉.
The core operation in SIDH is to compute φ_A : E → E/A given A.
SIDH: illustration from Cloudflare
SIDH Overview
• We are interested in the set of supersingular curves (up to isomorphism) over a specific field
• Prime p = 2^eA · 3^eB · f ± 1
  • f = 1 (efficiency)
  • eA is even (efficiency)
  • Balanced isogeny graph size, 2^eA ≈ 3^eB (security)
• Elliptic curves over F_{p^2}, #E = (p ∓ 1)^2
• Supersingular j-invariants: #S_{p^2} ≈ ⌊p/12⌋ (isogenous elliptic curves)
Toy example: prime p = 2^3 · 3^2 − 1 = 71, #E = 72^2, #S_{p^2} = 7, with supersingular j-invariants 0, 17, 24, 40, 41, 48, 66.
SIDH Parameter Selection
• Finite extension field formed as F_{p^2} = F_p(i) with i^2 + 1 = 0 (efficiency)
• Starting curve selection:
  • Montgomery curve: E0/F_{p^2} : y^2 = x^3 + x (where j(E0) = 1728)
  • SIKE round 2: E0/F_{p^2} : y^2 = x^3 + 6x^2 + x (where j(E0) = 287496) (security)
  • Torsion points in E0[2^eA] and E0[3^eB]
Isogeny Graphs
Vertices: all isogenous elliptic curves over F_{p^2}. Edges: isogenies of degree ℓ. With isogenies of degree ℓ we get a connected (ℓ + 1)-regular graph.
Figure: for the toy prime p = 71 the vertices are the supersingular j-invariants 0, 17, 24, 40, 41, 48, 66; Alice walks the 2-isogeny graph and Bob walks the 3-isogeny graph.
Public Parameters
• E0/F_{p^2} : y^2 = x^3 + x
• {PA, QA} ∈ E0[2^eA], {PB, QB} ∈ E0[3^eB]
• Toy example (w denotes the generator of F_{71^2} used in the figure): Alice's basis PA = (53, 55), QA = (18, 27w + 44); Bob's basis PB = (7w + 20, 31w + 50), QB = (21w + 64, 38w + 13)
Secret Key
• sA ∈ [0, 2^eA], sB ∈ [0, 3^eB]
• Toy example: sA = 6, sB = 3
Public Key Generation and Key Exchange
• Alice: ker(φA) = 〈A〉 = 〈PA + [sA]QA〉, EA = E0/〈A〉, φA : E0 → EA; she publishes {EA, RA, SA} with {RA, SA} = {φA(PB), φA(QB)}.
• Bob: ker(φB) = 〈B〉 = 〈PB + [sB]QB〉, EB = E0/〈B〉, φB : E0 → EB; he publishes {EB, RB, SB} with {RB, SB} = {φB(PA), φB(QA)}.
Shared Secret Generation
• Alice, on Bob's curve: ker(φ′A) = 〈A′〉 = 〈RB + [sA]SB〉, φ′A : EB → EAB = EB/〈A′〉.
• Bob, on Alice's curve: ker(φ′B) = 〈B′〉 = 〈RA + [sB]SA〉, φ′B : EA → EBA = EA/〈B′〉.
• EAB = EB/〈A′〉 ≅ EA/〈B′〉 = EBA, so both sides obtain the same j-invariant j(EAB) = j(EBA), the shared secret.
Toy example (p = 71, E0 : y^2 = x^3 + x, sA = 6, sB = 3):
• φA : E0 → EA with EA : y^2 = x^3 + 22x + 35
• φB : E0 → EB with EB : y^2 = x^3 + 63x + (55w + 16)
• φAB : EB → EAB and φBA : EA → EBA both arrive at the curve y^2 = x^3 + (21w + 14)x + (57w + 21)
SIDH: Security
• Hard problem: Given P, Q ∈ E and φ(P), φ(Q) ∈ φ(E), compute φ.
• Best known attack: classical O(p^{1/4}) and quantum O(p^{1/6}).
SIKE Round 2 Key sizes
NIST Level    Prime size (bits), Round 1    Prime size (bits), Round 2
1 (AES128)    503                            434
2 (SHA256)    —                              503
3 (AES192)    751                            610
5 (AES256)    964                            751
SIKE Round 2 Key sizes
NIST Level    Prime size (bits)    Prime                  Public key size (bytes)    Compressed PK size (bytes)
1             434                  2^216 · 3^137 − 1      330                        196
2             503                  2^250 · 3^159 − 1      378                        224
3             610                  2^305 · 3^192 − 1      462                        273
5             751                  2^372 · 3^239 − 1      564                        331
SIDH Computations
The SIDH computation stack, from field arithmetic up to the protocol:
• F_p arithmetic: addition, multiplication, inversion
• F_{p^2} arithmetic: addition, multiplication, squaring, inversion
• Group operations: point addition, point doubling
• Extended group operations: double point multiplication, isogeny evaluation and computation, large degree isogeny computation
• PQC protocols: SIDH
Three-Point Differential Ladder
• Compute R = P + [k]Q
• Jao et al. (2014): cost 2PA + 1PD
• Hernandez et al. (2017): cost 1PA + 1PD
• Example: k = 9 = 1001b, processing bits from the least significant one; the state (R1, R0, R2) starts at (P, Q, Q − P):
  start:    R1 = P         R0 = Q      R2 = Q − P
  k0 = 1:   R1 = P + Q     R0 = 2Q     R2 = Q − P
  k1 = 0:   R1 = P + Q     R0 = 4Q     R2 = 3Q − P
  k2 = 0:   R1 = P + Q     R0 = 8Q     R2 = 7Q − P
  k3 = 1:   R1 = P + 9Q    R0 = 16Q    R2 = 7Q − P
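Both ladders in working code, as an added example that is not part of the talk: x-only Montgomery arithmetic in (X : Z) coordinates, the Montgomery ladder from the earlier slide (traced for k = 19 → (19P, 20P)) and the three-point ladder traced above, each cross-checked against a plain affine group law. Curve25519's constants are the ones quoted in the deck; the small curve y^2 = x^3 + 6x^2 + x over F_1019 used for the cross-check is a constructed choice.

```python
# Added example, not code from the talk: x-only Montgomery-curve arithmetic in
# projective (X : Z) coordinates, the Montgomery ladder for [k]P, and the
# three-point ladder for P + [k]Q whose trace the deck tabulates. Curve25519's
# constants (p = 2^255 - 19, A = 486662, base point x = 9) are from the deck; the
# small cross-check curve y^2 = x^3 + 6x^2 + x over F_1019 is constructed here.

P25519, A25519 = 2**255 - 19, 486662

def xadd(P, Q, PmQ, p):
    """Differential addition: x(P + Q) from x(P), x(Q) and x(P - Q) (4M + 2S)."""
    (X1, Z1), (X2, Z2), (X3, Z3) = P, Q, PmQ
    u = (X1 - Z1) * (X2 + Z2)
    v = (X1 + Z1) * (X2 - Z2)
    return (Z3 * (u + v) ** 2 % p, X3 * (u - v) ** 2 % p)

def xdbl(P, A, p):
    """Doubling: x(2P) from x(P) on y^2 = x^3 + Ax^2 + x (2M + 2S + 1 const mult)."""
    X1, Z1 = P
    s, d = (X1 + Z1) ** 2 % p, (X1 - Z1) ** 2 % p
    t, a24 = (s - d) % p, (A + 2) * pow(4, -1, p) % p
    return (s * d % p, t * (d + a24 * t) % p)

def affine_x(P, p):
    X, Z = P
    return None if Z == 0 else X * pow(Z, -1, p) % p

def ladder_pair(k, xP, A, p):
    """Montgomery ladder exactly as on the slide: scan k from its top bit with
    the invariant T1 = T0 + P; returns (x(T0), x(T1)) = (x([k]P), x([k+1]P)).
    A deployed implementation replaces this data-dependent branch with a
    constant-time conditional swap of T0 and T1."""
    P1 = (xP % p, 1)
    T0, T1 = (1, 0), P1                      # (1 : 0) is the point at infinity
    for i in range(k.bit_length() - 1, -1, -1):
        if (k >> i) & 1:
            T0, T1 = xadd(T0, T1, P1, p), xdbl(T1, A, p)
        else:
            T1, T0 = xadd(T0, T1, P1, p), xdbl(T0, A, p)
    return affine_x(T0, p), affine_x(T1, p)

def ladder3(k, xP, xQ, xQmP, A, p):
    """Three-point ladder (1 PA + 1 PD per bit): x(P + [k]Q) from x(P), x(Q) and
    x(Q - P). State (R1, R0, R2) = (P, Q, Q - P) as in the deck's table; the
    invariant R2 = R0 - R1 supplies the difference each xadd needs."""
    R1, R0, R2 = (xP % p, 1), (xQ % p, 1), (xQmP % p, 1)
    for i in range(k.bit_length()):          # least significant bit first
        if (k >> i) & 1:
            R1 = xadd(R1, R0, R2, p)         # R1 <- R1 + R0
        else:
            R2 = xadd(R2, R0, R1, p)         # R2 <- R2 + R0
        R0 = xdbl(R0, A, p)                  # R0 <- 2 R0
    return affine_x(R1, p)

def aff_add(P, Q, A, p):
    """Reference affine group law on y^2 = x^3 + Ax^2 + x; None is infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if P == Q: lam = (3 * x1 * x1 + 2 * A * x1 + 1) * pow(2 * y1, -1, p) % p
    else: lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - A - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def aff_mul(k, P, A, p):
    R = None
    for i in range(k.bit_length() - 1, -1, -1):
        R = aff_add(R, R, A, p)
        if (k >> i) & 1: R = aff_add(R, P, A, p)
    return R

def small_point(A=6, p=1019):
    """Constructed demo point: first x >= 2 whose right-hand side is a square (p = 3 mod 4)."""
    for x in range(2, p):
        rhs = (x**3 + A * x * x + x) % p
        y = pow(rhs, (p + 1) // 4, p)
        if rhs and y * y % p == rhs:
            return (x, y)

def check_small(k, A=6, p=1019):
    """Cross-check both ladders against the affine law; e.g. k = 19 -> (19P, 20P)."""
    xof = lambda T: None if T is None else T[0]
    P = small_point(A, p)
    Q = aff_mul(7, P, A, p)                                  # constructed second point
    QmP = aff_add(Q, (P[0], -P[1] % p), A, p)                # Q - P
    want = (xof(aff_mul(k, P, A, p)), xof(aff_mul(k + 1, P, A, p)))
    ok_ladder = ladder_pair(k, P[0], A, p) == want
    ok_3pt = ladder3(k, P[0], Q[0], QmP[0], A, p) == xof(aff_add(P, aff_mul(k, Q, A, p), A, p))
    return ok_ladder and ok_3pt

def check_curve25519(k1=0x1234567890ABCDEF, k2=0xFEDCBA0987654321):
    """[k2]([k1]P) == [k1 k2]P for the Curve25519 base point x = 9."""
    x1 = ladder_pair(k1, 9, A25519, P25519)[0]
    return ladder_pair(k2, x1, A25519, P25519)[0] == ladder_pair(k1 * k2, 9, A25519, P25519)[0]
```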
Large Degree Isogeny Computations
• Vélu’s formulas are only suitable for small-degree isogenies: φ_G : E → E/G
  Figure: Vélu’s formula takes the kernel G and the coefficients (a, b) of E and outputs the coefficients (a′, b′) of E′.
• Evaluate φ_G as a chain of small-degree isogenies. Complexity: O(e^2 · ℓ), exponentially smaller than ℓ^e.
• Jao and De Feo [2014]: an optimal strategy improves this to O(e log e · ℓ).
• For SIDH we only use isogenies of degree ℓ^e for ℓ ∈ {2, 3}.
Large Degree Isogeny Computations
Iterative construction of φ : E0 → E0/〈R0〉 with ord(R0) = ℓ^e as φ = φ_{e−1} ∘ … ∘ φ_1 ∘ φ_0, each φ_i an ℓ-isogeny:
• Get the isogeny kernel [ℓ^{e−i−1}]R_i
• Compute the isogeny φ_i := E_i/〈[ℓ^{e−i−1}]R_i〉
• Compute E_{i+1} = φ_i(E_i)
• Push points to the new curve: R_{i+1} = φ_i(R_i)
Figure: the four steps form a loop: base curve → point multiplication by ℓ → get ℓ-isogeny → apply ℓ-isogeny → point in queue.
Worked example from the slides, e = 7, ord(R0) = ℓ^7, so φ = φ6 ∘ φ5 ∘ φ4 ∘ φ3 ∘ φ2 ∘ φ1 ∘ φ0. The multiples kept at each curve follow the deck's strategy tree: multiples such as [ℓ^3]R0 are pushed through the isogeny rather than recomputed on the next curve.
• On E0: R0 has order ℓ^7; [ℓ]R0 has order ℓ^6, [ℓ^2]R0 order ℓ^5, [ℓ^3]R0 order ℓ^4, [ℓ^4]R0 order ℓ^3, [ℓ^5]R0 order ℓ^2, [ℓ^6]R0 order ℓ.
• φ0 := E0/〈[ℓ^6]R0〉, E1 = φ0(E0); push R1 = φ0(R0), [ℓ^3]R1 = φ0([ℓ^3]R0) and [ℓ^5]R1 = φ0([ℓ^5]R0). [ℓ^5]R1 has order ℓ.
• φ1 := E1/〈[ℓ^5]R1〉, E2 = φ1(E1); push R2 = φ1(R1) and [ℓ^3]R2 = φ1([ℓ^3]R1). [ℓ^3]R2 has order ℓ^2 and [ℓ^4]R2 has order ℓ.
• φ2 := E2/〈[ℓ^4]R2〉, E3 = φ2(E2); push R3 = φ2(R2) and [ℓ^3]R3 = φ2([ℓ^3]R2). [ℓ^3]R3 has order ℓ.
• φ3 := E3/〈[ℓ^3]R3〉, E4 = φ3(E3); push R4 = φ3(R3). R4 has order ℓ^3, [ℓ]R4 order ℓ^2, [ℓ^2]R4 order ℓ.
• φ4 := E4/〈[ℓ^2]R4〉, E5 = φ4(E4); push R5 = φ4(R4) and [ℓ]R5 = φ4([ℓ]R4). [ℓ]R5 has order ℓ.
• φ5 := E5/〈[ℓ]R5〉, E6 = φ5(E5); push R6 = φ5(R5). R6 has order ℓ.
• φ6 := E6/〈R6〉, E7 = φ6(E6), the codomain of the whole ℓ^7-isogeny.
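The whole protocol on the deck's toy parameters, as an added example that is neither the talk's nor the SIKE team's code: F_{p^2} = F_71(i) arithmetic with the 3M + 5A multiplication formula the deck tabulates, affine curve arithmetic, Vélu's formulas for 2- and 3-isogenies, the chained ℓ^e-isogeny of this section (multiplicative strategy: kernel [ℓ^{e−i−1}]R_i at step i), and the four isogeny walks of the key exchange. The torsion bases are generated by the code itself (the deck's basis points are written in a different F_{71^2} generator, so they are not reused), and the run checks that both sides reach the same j-invariant and that it is one of the seven supersingular j-invariants the deck lists.

```python
# Added example, not code from the talk or the SIKE team: a complete SIDH run over
# F_p2 = F_p(i) for the deck's toy prime p = 2^3 * 3^2 - 1 = 71, E0: y^2 = x^3 + x,
# sA = 6, sB = 3. The torsion bases are generated here (constructed: the deck's
# basis points use a different F_p2 generator), isogenies come from Velu's formulas,
# and the ell^e-isogeny uses this section's multiplicative strategy.
p = 71                                  # #E0(F_p2) = 72^2, so E0[8] and E0[9] are F_p2-rational
ZERO, ONE = (0, 0), (1, 0)              # F_p2 elements are pairs (a0, a1) = a0 + a1*i

def add(a, b): return ((a[0] + b[0]) % p, (a[1] + b[1]) % p)
def sub(a, b): return ((a[0] - b[0]) % p, (a[1] - b[1]) % p)
def sc(k, a): return (k * a[0] % p, k * a[1] % p)                  # small-integer scalar
def mul(a, b):                                                      # deck's 3M + 5A formula
    t0, t1, t2 = a[0] * b[0], a[1] * b[1], (a[0] + a[1]) * (b[0] + b[1])
    return ((t0 - t1) % p, (t2 - t0 - t1) % p)
def inv(a):                                                         # (a0 - a1 i) / (a0^2 + a1^2)
    n = pow(a[0] * a[0] + a[1] * a[1], -1, p)
    return (a[0] * n % p, -a[1] * n % p)
def neg(P): return (P[0], sc(-1, P[1]))

def sqrt_fp(r):                                                     # valid since p = 3 mod 4
    s = pow(r % p, (p + 1) // 4, p)
    return s if s * s % p == r % p else None

def sqrt_fp2(a):
    """Root of a0 + a1 i: n = sqrt(a0^2 + a1^2), x0 = sqrt((a0 +- n)/2), x1 = a1/(2 x0)."""
    n = sqrt_fp(a[0] * a[0] + a[1] * a[1])
    for m in ((n, -n) if n is not None else ()):
        x0 = sqrt_fp((a[0] + m) * pow(2, -1, p))
        if x0:
            c = (x0, a[1] * pow(2 * x0, -1, p) % p)
            if mul(c, c) == a: return c
    return None

def padd(E, P, Q):
    """Affine addition on E: y^2 = x^3 + ax + b, E = (a, b); None is infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if add(y1, y2) == ZERO: return None
        lam = mul(add(sc(3, mul(x1, x1)), E[0]), inv(sc(2, y1)))
    else:
        lam = mul(sub(y2, y1), inv(sub(x2, x1)))
    x3 = sub(sub(mul(lam, lam), x1), x2)
    return (x3, sub(mul(lam, sub(x1, x3)), y1))

def pmul(E, k, P):
    R = None
    for bit in bin(k)[2:]:
        R = padd(E, R, R)
        if bit == "1": R = padd(E, R, P)
    return R

def velu(E, K, ell):
    """Velu's formulas for the ell-isogeny (ell = 2 or 3) with kernel <K>:
    image curve (a - 5v, b - 7w) and the map pushing points through it."""
    a, b = E; x0, y0 = K
    gx, gy = add(sc(3, mul(x0, x0)), a), sc(-2, y0)               # g^x_K, g^y_K
    v, u = (gx if ell == 2 else sc(2, gx)), mul(gy, gy)
    E2 = (sub(a, sc(5, v)), sub(b, sc(7, add(u, mul(x0, v)))))
    def phi(P):
        if P is None or P[0] == x0: return None                    # kernel -> infinity
        x, y = P
        d = inv(sub(x, x0)); d2 = mul(d, d); d3 = mul(d2, d)
        X = add(x, add(mul(v, d), mul(u, d2)))
        Y = sub(y, sub(add(mul(u, mul(sc(2, y), d3)), mul(v, mul(sub(y, y0), d2))),
                       mul(mul(gx, gy), d2)))
        return (X, Y)
    return E2, phi

def isogeny_chain(E, R, ell, e, extra):
    """phi = phi_{e-1} o ... o phi_0 with ker <R>, ord(R) = ell^e: at step i the
    kernel is [ell^(e-1-i)]R_i; move the curve, push R_i and the extra points."""
    for i in range(e):
        E, phi = velu(E, pmul(E, ell ** (e - 1 - i), R), ell)
        R, extra = phi(R), [phi(P) for P in extra]
    return E, extra

def j_inv(E):                                                       # 1728 * 4a^3 / (4a^3 + 27b^2)
    a3 = sc(4, mul(mul(E[0], E[0]), E[0]))
    return mul(sc(1728, a3), inv(add(a3, sc(27, mul(E[1], E[1])))))

def torsion_basis(E, ell, e):
    """P, Q of order ell^e with [ell^(e-1)]P != +-[ell^(e-1)]Q, i.e. a basis of E[ell^e]."""
    found = []
    for x in ((x0, x1) for x0 in range(p) for x1 in range(p)):
        y = sqrt_fp2(add(mul(mul(x, x), x), add(mul(E[0], x), E[1])))
        T = pmul(E, (p + 1) // ell ** e, (x, y)) if y else None     # exponent of E0(F_p2) is 72
        S = pmul(E, ell ** (e - 1), T) if T else None
        if S and (not found or S not in (found[0][1], neg(found[0][1]))):
            found.append((T, S))
        if len(found) == 2: return found[0][0], found[1][0]

def sidh(sA=6, sB=3):
    """Both sides of the exchange; returns (j(E_AB), j(E_BA), j(E_A), j(E_B))."""
    E0 = (ONE, ZERO)
    PA, QA = torsion_basis(E0, 2, 3)
    PB, QB = torsion_basis(E0, 3, 2)
    EA, (RA, SA) = isogeny_chain(E0, padd(E0, PA, pmul(E0, sA, QA)), 2, 3, [PB, QB])
    EB, (RB, SB) = isogeny_chain(E0, padd(E0, PB, pmul(E0, sB, QB)), 3, 2, [PA, QA])
    EAB, _ = isogeny_chain(EB, padd(EB, RB, pmul(EB, sA, SB)), 2, 3, [])   # Alice on E_B
    EBA, _ = isogeny_chain(EA, padd(EA, RA, pmul(EA, sB, SA)), 3, 2, [])   # Bob on E_A
    return j_inv(EAB), j_inv(EBA), j_inv(EA), j_inv(EB)
```

Because the bases are generated rather than copied from the deck, the intermediate curves differ from the ones on the slides, but every j-invariant produced must still be one of the seven vertices of the p = 71 isogeny graph.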
High-level Hardware Architecture for SIDH
Figure: the SIDH core consists of a controller with a program ROM, a memory unit, an ALU (an adder/subtractor plus a multiplier unit of n parallel multipliers, Mult 0 … Mult n−1), a block holding the public SIDH parameters (Round 1 and Round 2 sets), the secret keys and a TRNG. Inputs: E0, PA, QA, PB, QB. Outputs: EA, φA(PB), φA(QB), EB, φB(PA), φB(QA), and the shared secret j(EAB).
Fast Kernel Computations
R = P + [s]Q generates ker φ
Figure (Alice's side): from the public SIDH parameters (input curve E0/F_{p^2}, Alice's basis PA, QA, Bob's basis PB, QB) and Alice's private key sA, the three-point ladder computes RA = PA + [sA]QA; the isogeny computation then produces EA = E0/〈RA〉 (the isogenous curve) and the image of Bob's basis φA(PB), φA(QB), which together form the ephemeral public key sent to Bob.
Field Multiplication
• Field multiplication performs C = A × B mod p
• The choice of modular multiplier is crucial: Montgomery multiplication
• Systolic Montgomery multiplier: the PEs process different chunks of the result in parallel
• For SIKE primes p = 2^eA · 3^eB − 1 the binary expansion of p ends in eA ones (p = 1…1 11…1 with the low eA bits all set), so p′ = −p^{−1} ≡ 1 (mod 2^w) whenever w ≤ eA
Coarsely Integrated Operand Scanning (CIOS):
• Alternate between multiplication and reduction
• Critical path: 1 mult + 1 addition
• More clock cycles (4 × number of words)
Finely Integrated Operand Scanning (FIOS):
• Parallelize multiplication and reduction
• Longer critical path: 1 mult + 2 additions
• Fewer clock cycles (3 × number of words)
FIOS Design (Number of words = 4)
Figure: a chain of processing elements (PE_initial followed by further PEs) forming the systolic FIOS multiplier. Each PE receives the current word of a (a_in), the pair of b-words and p-words it owns (b(1)(2), p(1)(2), b(3)(4), p(3)(4), …), the quotient word m_in, the partial sum S_in and the carry C_in (w+1 bits); one w×w multiplier forms a_in × b_in and another m_in × p_in, their most and least significant words (MSW, LSW) are added to the incoming sum and carry, and the results S_out, C_out, a_out and m_out are registered under enable signals (aen, men) with an odd/even select multiplexing the two halves.
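A word-level Montgomery multiplier in software, as an added example (not the deck's hardware design): CIOS with 64-bit words on the SIKEp434 prime 2^216 · 3^137 − 1 from the key-size table, checked against the closed form a·b·R^{−1} mod p. It also exhibits the property the deck relies on, that p′ = −p^{−1} mod 2^w is 1 for such primes, so the quotient digit needs no multiplication. The word size, sample operands and the small-prime check are constructed choices.

```python
# Added example, not the deck's hardware design: word-level CIOS Montgomery
# multiplication with w = 64-bit words, checked against a*b*R^-1 mod p on the
# SIKEp434 prime p = 2^216 * 3^137 - 1 from the key-size table. It also shows the
# property the deck exploits: for such primes p' = -p^-1 mod 2^w equals 1 when
# w <= eA, so the quotient digit m is simply the low word of the accumulator.
W = 64
MASK = (1 << W) - 1
P434 = 2**216 * 3**137 - 1
N434 = 7                                   # 7 x 64 = 448 bits >= 434, so R = 2^448 > p

def words(x, n):
    return [(x >> (W * i)) & MASK for i in range(n)]

def mont_inv_word(p):
    """p' = -p^(-1) mod 2^W; for p = 2^eA * 3^eB - 1 with W <= eA this is 1."""
    return (-pow(p, -1, 1 << W)) % (1 << W)

def cios(a, b, p, n, pprime=None):
    """Returns a*b*2^(-W*n) mod p for 0 <= a, b < p.
    For each word b[i]: first a multiplication pass accumulating a*b[i] into t,
    then a reduction pass adding m*p and dropping the (now zero) low word.
    Alternating the two passes is what CIOS means; FIOS interleaves them
    inside one inner loop (fewer cycles, longer critical path)."""
    if pprime is None: pprime = mont_inv_word(p)
    aw, bw, pw = words(a, n), words(b, n), words(p, n)
    t = [0] * (n + 2)
    for i in range(n):
        C = 0
        for j in range(n):                                 # multiplication pass
            s = t[j] + aw[j] * bw[i] + C
            t[j], C = s & MASK, s >> W
        s = t[n] + C
        t[n], t[n + 1] = s & MASK, s >> W
        m = (t[0] * pprime) & MASK                         # quotient digit; = t[0] when p' = 1
        C = (t[0] + m * pw[0]) >> W                        # low word becomes 0 and is shifted out
        for j in range(1, n):                              # reduction pass
            s = t[j] + m * pw[j] + C
            t[j - 1], C = s & MASK, s >> W
        s = t[n] + C
        t[n - 1], t[n] = s & MASK, t[n + 1] + (s >> W)
    r = sum(t[j] << (W * j) for j in range(n + 1))
    return r - p if r >= p else r                          # hardware does this subtraction without a branch

def mont_mul_mod(a, b, p, n):
    """Ordinary a*b mod p through Montgomery form: to-Montgomery, multiply, from-Montgomery."""
    R2 = pow(1 << (W * n), 2, p)                           # R^2 mod p
    aR, bR = cios(a, R2, p, n), cios(b, R2, p, n)          # a*R and b*R mod p
    return cios(cios(aR, bR, p, n), 1, p, n)               # (a*b*R) * 1 * R^-1 = a*b mod p

def cios_reference(a, b, p, n):
    """Direct formula a*b*R^-1 mod p for cross-checking the word-level routine."""
    return a * b * pow(1 << (W * n), -1, p) % p
```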
Arithmetic over F_{p^2}
Each of the F_{p^2} operations is built upon a series of F_p operations (a = a0 + a1·i, b = b0 + b1·i with i^2 = −1; M = multiplication, A = addition, I = inversion in F_p):
• a + b = (a0 + b0, a1 + b1): 2A
• a − b = (a0 − b0, a1 − b1): 2A
• a × b = (a0·b0 − a1·b1, (a0 + a1)·(b0 + b1) − a0·b0 − a1·b1): 3M + 5A
• a^2 = ((a0 + a1)·(a0 − a1), 2·a0·a1): 2M + 3A
• a^{−1} = (a0·(a0^2 + a1^2)^{−1}, −a1·(a0^2 + a1^2)^{−1}): 4M + 2A + 1I
SIKE Control Flow
KEY GENERATION (Bob)
• Bob's secret key s_B
• E_B = E_0/⟨P_B + [s_B]Q_B⟩ (isogeny)
• Bob's public key pk_B = {E_B, φ_B(P_A), φ_B(Q_A)}
KEY ENCAPSULATION (Alice)
• Alice's secret message m; Bob's public key pk_B
• r = Keccak(m, pk_B) (hash)
• E_AB = E_B/⟨φ_B(P_B) + [r]φ_B(Q_B)⟩ (isogeny)
• E_A = E_0/⟨P_A + [r]Q_A⟩ (isogeny); Alice's public key pk_A = {E_A, φ_A(P_B), φ_A(Q_B)}
• c = Keccak(j(E_AB)) ⊕ m (hash)
• ciphertext ct = {pk_A, c}
• Shared secret ss_A = Keccak(m, pk_A, c) (hash)
KEY DECAPSULATION (Bob)
• ciphertext ct = {pk_A, c}
• E_BA = E_A/⟨φ_A(P_B) + [s_B]φ_A(Q_B)⟩ (isogeny)
• m′ = Keccak(j(E_BA)) ⊕ c (hash)
• r′ = Keccak(m′, pk_B) (hash)
• E′_A = E_0/⟨P_A + [r′]Q_A⟩ (isogeny); recomputed public key pk′_A = {E′_A, φ′_A(P_B), φ′_A(Q_B)}
• Check pk′_A == pk_A
• Shared secret ss_B = Keccak(m, pk_A, c) (hash; m′ = m when the check passes)
(Figure legend: public parameters, Alice's values and Bob's values are colour-coded; each step is labelled as an Isogeny or a Hash.)
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 43 / 56
SIKE in FPGA
The host initializes the isogeny inputs x_P, x_Q, x_{Q−P} and the key k.
(Block diagram: Host CPU connected to the SIKE Accelerator through data_in (64 bits), SIKE_cmd (3 bits), SIKE mux selects (32 bits) and data_out (64 bits); inside the accelerator: Program ROM, TRNG, Isogeny Accelerator, Register File, Isogeny Controller and Keccak-1088.)
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 44 / 56
Isogeny Operations
Total number of Fp2 arithmetic operations in the fastest known isogeny formulas (from the SIKE submission)
Isogeny Operation Fp2 Mult. Fp2 Squaring Fp2 Addition
xDBL 4 2 4
get_2_isog 0 2 1
eval_2_isog 4 0 6
xTPL 7 5 10
get_3_isog 2 3 12
eval_3_isog 4 2 4
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 45 / 56
SIKE Operations
Total number of Fp arithmetic operations in SIKEp503
Fp Keygen Encapsulation Decapsulation
Addition 31,882 43,127 51,620
Multiplication 40,107 64,372 69,550
Inversion 1 3 3
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 46 / 56
SIDH and SIKE in PC
                                SIDH                 SIKE                 CSIDH
Key size (quantum 128-bit)      330 bytes            330 bytes            64 bytes
Running time (x86-64)           2.5 ms               4.5 ms               50 ms
Compressed SIDH/SIKE            196 bytes, 6.5 ms    195 bytes, 8.6 ms    –
Exponential quantum security    yes                  yes                  no
Active attack security          no                   yes                  yes
Direct key validation           no                   no                   yes
Digital signatures              yes                  no                   yes
NIST candidate                  no                   yes                  no
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 47 / 56
SIKE Performance in FPGA
From the NIST Round 1 submission, updated in Round 2.
Xilinx Virtex 7 FPGA
NIST Level | SIKE Prime | #FFs   | #LUTs  | #Slices | #DSPs | #BRAMs | Freq (MHz) | KeyGen (ms) | Encaps (ms) | Decaps (ms) | Total E+D (ms)
2          | SIKEp503   | 26,971 | 25,094 | 9,514   | 264   | 34     | 171        | 3.74        | 7.07        | 6.6         | 13.6
5          | SIKEp751   | 50,390 | 45,893 | 17,530  | 512   | 43     | 167.4      | 7.42        | 13          | 13.9        | 26.9
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 48 / 56
SIKE in FPGA Area Results
Area distribution of NIST level 5 SIKEp751 on Virtex-7 FPGA xc7vx690tffg1157-3
(Bar chart, y-axis %Utilization from 0% to 100%: FFs 5.82%, LUTs 10.59%, Slices 16.19%, DSPs 14.22%, BRAMs 2.96%)
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 49 / 56
SIKE: Results for NIST level 1
(Left chart: SIKE total running time in milliseconds, software on an ARM Cortex-M4 versus hardware on an Artix-7 FPGA using ~3K slices only; y-axis 0 to 2000 ms. Target: resource-constrained IoT.)
(Right chart: SIKE total running time in milliseconds, software on an ARM Cortex-A53 versus hardware on an Artix-7 FPGA using ~10K slices; y-axis 0 to 70 ms. Target: high-performance edge.)
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 50 / 56
Side Channel Attacks on SIDH/SIKE
• Attacking isogeny computations: recover the steps φ_i in the secret walk φ
• Loop abort attack → fault an implementation to stop the isogeny operation early and give E_i
• Refined Power Analysis → force zero values to divulge φ_i
φ = φ_6·φ_5·φ_4·φ_3·φ_2·φ_1·φ_0
(Figure: the isogeny computation walks from the initial isomorphism class through φ_0 … φ_6; in the attack the i-th isomorphism class is the target and the (i+1)-th is the check.)
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 51 / 56
The case for SIKE
• The post-quantum landscape is uncharted territory:
  • The smallest scheme is the slowest, and the fastest scheme is the largest.
  • Compare with traditional cryptography, where the fastest scheme (ECC) is also the smallest.
  • This situation introduces a new set of tradeoffs.
• SIKE's advantages will become more pronounced over time.
• SIKE's disadvantages will become less pronounced over time.
• Why not CSIDH?
  • CSIDH has sub-exponential quantum security, compared to SIDH/SIKE, which have exponential quantum security.
  • Over time, CSIDH becomes less attractive compared to SIKE.
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 52 / 56
The future of SIKE: Computational Costs
• Hardware gets faster over time.
• Software also gets faster over time.
• The above happens naturally, without effort or expenditure.
• An across-the-board performance increase reduces the performance penalty of SIKE (in absolute terms).
• We can also spend more money for faster hardware.
• Certain expenditures (e.g. hardware acceleration) provide good value per unit cost.
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 53 / 56
The future of SIKE: Communication Costs
• As hardware and software get faster, attacks get faster.
• Faster attacks require larger keys to counteract.
• An across-the-board key size increase enlarges the communication cost benefits of SIKE (in absolute terms).
• Variance in communication channels is much higher than variance in cycle counts. SIKE already wins today on desktop browsers when variance is included.
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 54 / 56
Open Research Directions
• How to make isogenies FASTER?
  • Different curves, formulas, algorithms, isogeny base degrees, etc.
• How to design high-performance field arithmetic operators?
  • Addition, multiplication, inversion, etc.
• How can we attack and defend isogenies?
  • Side-channels, countermeasures, security analysis, etc.
• How to create efficient isogeny cryptosystems?
  • Signatures, hashing, PAKE, etc.
• How can we apply isogenies?
  • Blockchain, OT, broadcast encryption, etc.
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 55 / 56
Questions?
Thanks for your attention!
R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 56 / 56