SIKE in Hardware · Balanced isogeny graph size, 2eA ˇ3eB (Security) Elliptic curves over F p2, #E...

SIKE in Hardware

Reza AzarderakhshFlorida Atlantic University

CHES 2019

Atlanta, GA, USA

R. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 1 / 56

Quantum Threat to Information Security

Large-scale quantumcomputers could breaksome encryption schemes

Need to migrateencryption to quantum-resistant algorithms

When we shouldstart the process?


Timeline

2019

2022-23

2030?

Standardization draft

QuantumComputersRound 2

2016

Start PQ Crypto

2017

Round 1

Retroactive decryption:

record encrypted data now, decrypt it once you have a

quantum computer


Post-Quantum Key-Exchange

Lattice-based

Code-based

Isogeny-based

Post-Quantum Signatures

Lattice-based

Hash-based

Multivariate-based

Zero-Knowledgebased


Open Questions about Post-Quantum Cryptography

• Design better post-quantum cryptosystems

• Improve classical and quantum attacks

• Pick parameter sizes

• Develop fast, efficient, and secure implementations

• Integrate them into the existing infrastructure


Architecture Selection for Cryptographic Design

HW only

CPU Coprocessor

+×

+ Highly optimized for dedicatedpurpose (power consumption,execution time, security)

− Extra HW costs

− limited flexibility

− HW design effort/complexity

HW/SW

CPU Coprocessor

+×

+ Good trade-off betweenoptimization/costs (still fast butless design effort/complexityeasier to handle)

+ Higher flexibility

− Not straight-forward to find optimalHW/SW partitioning

− Extra HW costs

− Less optimized than HW-only

SW only

CPU

+×

+ Limited HW costs (code/datastorage)

+ Highest flexibility

+ Minimal HW design effort/easeshandling of complexity(programming)

− Not optimized (energy,consumption, performance)


FPGAs: Field Programmable Gate Arrays

FPGAs are composed of:• Programmable logic cells• A configurable routing matrix• Configurable input/output cells• Embedded memory blocks• Small embedded multipliers• etc.

Inside a logic cell:• Connections to the routing matrix• Programmable lookup-tables

• 4 inputs, 1 output• 6 inputs, 1 output• 6 inputs, 2 outputs

• Optional registers• Free pipelining

• More logic for fast carry-propagation

18-bit×18-bit multiplier blocks


FPGAs vs. ASIC

+ prototyping+ re-usability+ short time to market+ simpler design cycle+ programmable in the field+ hardware/software co-design

− speed− silicon footprint− power and energy consumption− low cost for high volumes− better performance− reconfigurability and redundancy


SIKE Team


A brief history of public key cryptography

Cryptosystem Hard Problem

Diffie-Hellman(1976)

Discrete logarithmsElliptic curve cryptography (1986)

Pairing-based cryptography (2000)

RSA (1977)

Factoring integersRabin (1978)

Composite residues (1985)

Code-based cryptography (1979) Decoding linear codes

Lattice-based / NTRU (1996)Finding Short lattice vectorsComputing isogenies

Isogeny based / CRS (1996)

SIDH / SIKE (2011)


History of Supersingular Isogeny-based cryptography

• [2006]: Birth of Supersingular isogeny-based cryptosystem• Charles-Goren-Lauter• built hash function from supersingular isogeny graph

• [2011]: Supersingular isogeny Diffie-Hellman key exhange (SIDH)• Jao-De Feo

• [2017]: Supersingular isogeny key encapsulation (SIKE)• SIKE Team (https://sike.org)


SIDH/SIKE

Supersingular Isogeny Diffie-Hellman (Jao and De Feo, 2011):• A key-exchange protocol, similar to Diffie-Hellman, using isogenies between supersingular elliptic curves

Why isogenies?• Because they seem to be quantum-resistant

Why supersingular elliptic curves?• There is a quantum subexponential attack for ordinary (i.e. non-supersingular) curves (Childs, Jao, and Soukharev

2014)

Supersingular Isogeny Key Encapsulation• A more secure (and slower) version of SIDH, with random padding and protection against active attacks.


(Ordinary) Elliptic Curves• An elliptic curve over prime field: EW /Fp : y2 = x3 + ax + b.• To avoid infinite sets, we choose x , y , a, b ∈ Fp.

• Example: SAGE: E=EllipticCurve(GF(11),[1,6])• Elliptic Curve defined by y2 = x3 + x + 6 over Finite Field of size 11

• SAGE: E.points()• [(0 : 1 : 0), (2 : 4 : 1), (2 : 7 : 1), (3 : 5 : 1), (3 : 6 : 1), (5 : 2 : 1), (5 : 9 : 1), (7 : 2 : 1), (7 : 9 : 1), (8 : 3 : 1), (8 : 8 : 1),

(10 : 2 : 1), (10 : 9 : 1)]

• SAGE: E.cardinality() or E.order()=13• E.is_ordinary(): True• E.is_supersingular(): False


Point Addition

• Let E be an elliptic curve.• Suppose P,Q ∈ E .• We want to add P and Q.• Draw a line through P and Q.• Find where this line crosses E .• Reflect around the x-axis.• The reflected point is P + Q.

Group law example: addition on E/R : y 2 = x3 − 2x

ℓ : y = x

•(0, 0)•

•(2, 2)

(−1,−1)

•(2,−2)

E/R : y2 = x3 − 2x : addition.

20 / 69


Point Doubling

• Let E be an elliptic curve.• Suppose P,Q ∈ E .• To compute P + Q when P = Q:• Draw the tangent line through P.• Find where this line crosses E .• Reflect around the x-axis.• The reflected point is P + P.

Group law example: doubling on E/R : y 2 = x3 − 2x

ℓ′ : y = − x2 − 3

2

•(−1,−1)

•(94 ,

218 )

•(94 ,−21

8 )

E/R : y2 = x3 − 2: doubling.

22 / 69


Montgomery Curves• 1987 Montgomery: All Montgomery curves are elliptic curves.• Not all elliptic curves can be written in Montgomery form.

by2 = x3 + ax2 + x

• It has been observed that the x-coordinate of R = P + Q depends only on the x-coordinates of P, Q, and P − Q.

(x3 + y3)− (x2, y2) = (x1, y1)

(x3 + y3) + (x2, y2) = (x5, y5)

⇒x5 =(x2x3 − 1)2

x1(x2 − x3)2

• Similarly when P = Q it is true for doubling: x-only doubling.

2(x2 + y2) = (x4, y4)⇒ x4 =(x2

2 − 1)2

4x2(x22 + ax2 + 1)

• Can compute P + Q from {P,Q,P − Q} without y -coordinates.• Use projective coordinates: points (X : Z ) with x = X/Z• Cheap differential addition 4M + 2S and doubling (2M + 2S)


Real-world usage: Curve25519

• Proposed by Dan Bernestien 2006:

EM/Fp : y2 = x3 + 486662x2 + x

• Over prime number p = 2255 − 19• Used for DH key exchange


Montgomery Ladder

• Point multiplication: Q = k · P The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 22 + 5P + 10P = 19P

T1 = (P · 2 + P + 2P) · 22 = 20P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

• Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step

• Example: k = 26 = (11010)2


Supersingular Elliptic Curves

• Let E/Fq be an elliptic curve with q = pn

• E is supersingular if p | (q + 1−#E(Fq)). Otherwise, it is ordinary.• Special cases:

• When E/Fp supersingular and #E(Fp) = P + 1• When E/Fp2 supersingular and #E(Fp2 ) = (P + 1)2

• Example: EllipticCurve(GF(11),[1,0]): y2 = x3 + x

• E.is_supersingular()• True, E.order()=12

• EllipticCurve(GF(11^2),[1,0]): y2 = x3 + x is also supersingular.• E.order()=144


Supersingular Elliptic Curves

• There are only a finite number of supersingular elliptic curves.• All supersingular curves can be defined over Fp2

• Over an algebraically closed field an elliptic curve is determined by its j-invariant.• it can be viewed as a way to group multiple elliptic curves into disjoint sets.

• Example: EllipticCurve(GF(11),[1,0]):y2 = x3 + x

• j(E) = j(a, b) = 1728 4a3

4a3+27b2• E.j_invariant=1

• The j-invariant determines isomorphisim class over the field.• E1/F13 : y2 = x3 + 9x + 8, E1=EllipticCurve(GF(13),[9,8])• E2/F13 : y2 = x3 + 3x + 5, E2=EllipticCurve(GF(13),[3,5])

• E1.j_invariant()=E2.j_invariant()=3• E1.is_isomorphic(E2): True


Isomorphisms and Isogenies• E1 and E2 isomorphic iff j(E1) = j(E2).• E1 and E2 isogenous iff #E1 = #E2.• #E(Fq) ≤ q + 1± 2

√q (Hasse theorem)

So• isogeny classes: O(

√q)

• isomorphism classes: O(q)


Isogenies of elliptic curves

DefinitionAn isogeny of elliptic curves over k is a non-zero morphism E → E ′ with finite kernel.

DefinitionLet E ,E ′/Fq be elliptic curves and let ` ∈ Z>0 be coprime to q.An `-isogeny f : E → E ′ is an isogeny with #ker(f ) = `.

FactAn isogeny is uniquely determined by its kernel.• Write φG : E → E/G for the isogeny from E with kernel G.• Vélu’s fomulas [1971] compute the `-isogney from its kernel in time O(`).


Isogenies of elliptic curves

• We call an isogeny cyclic if its kernel is cyclic.• The kernel of a cyclic `-isogeny is generated by an `-torsion point.

• An `-torsion point is a point P ∈ E(k) such that [`]P = P∞.• We will work on isogenies with big kernels.


Isogeny graph: Wouter Castryck

2-isogenies 3-isogenies


SIDH overview

1 Public parameters: Supersingular elliptic curve E over Fp2 .

2 Alice chooses a kernel A ⊂ E(Fp2 ) and sends E/A to Bob.

3 Bob chooses a kernel B ⊂ E(Fp2 and sends E/B to Alice.

4 The shared secret is

E/〈A,B〉 = (E/A)/φA(B) = (E/B)/φB(A).

E E/A

E/B E/〈A,B〉

φA

φB

The core operation in SIDH is to compute φA : E → E/A given A.


SIDH: from Cloudflare


SIDH Overview

• We are interested in the set of supersingular curves (upto isomorphism) over a specific field• Prime p = 2eA · 3eB · f ± 1• f = 1 (Efficiency)• eA is even (Efficiency)• Balanced isogeny graph size, 2eA ≈ 3eB (Security)• Elliptic curves over Fp2 , #E = (p ∓ 1)2

• Supersingular j-invariants: #Sp2 ≈ bp/12c (isogenouselliptic curves)

0 17

40

41

48

24

66

Prime p = 23 · 32 − 1 = 71, #E = 722, #Sp2 = 7


SIDH Parameter Selection

• Finite extension field formed as Fp2 = Fp(i) with i2 + 1 = 0 (Efficiency)

• Starting curve selection:• Montgomery curve: E0/Fp2 : y2 = x3 + x (where j(E0) = 1728)• SIKE round 2: E0/Fp2 : y2 = x3 + 6x2 + x (where j(E0) = 287496) (Security)• Torsion points in E0[2eA ] and E0[3eB ]


Isogeny Graphs


Vertices: All isogenous eliptic curves over Fp2 .Edges: Isogenies of degree `With Isogeny f degree `, we get a connected (`+1)-regular graph.

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

2-isogeny graph 3-isogeny graph

Public Parameters


E0/Fp2

{PA,QA} ∈ E0[2eA ]{PB ,QB} ∈ E0[3eB ]

E0 : y2 = x3 + x

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

PA = (53, 55)QA = (18, 27w + 44)

PA = (7w + 20, 31w + 50)QA = (21w + 64, 38w + 13)

Secret Key


sA ∈ [0, 2eA ]sB ∈ [0, 3eB ]

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

sA = 6 sB = 3

Public Key Generation


EA

EA = E0/〈A〉{RA,SA} = {φA(PB), φA(QB)}

EB = E0/〈B〉{RB ,SB} = {φB(PA), φB(QA)}

EAB = EB/〈A′〉 ∼= EA/〈B ′〉 = EBA

φ A

ker(φ A)=〈A〉 =〈P A

+[s A]Q

A〉

φB

ker(φB )=〈B〉

=〈P

B+[sB ]Q

B 〉

φ ′A

ker(φ ′A )=〈A ′〉

=〈R

B+[sA ]S

B 〉

φ′

B

ker(φ

′B)=〈B〉 =〈R A

+[s B]SA〉

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

E0 : y2 = x3 + x E0 : y2 = x3 + x



EA

EA = E0/〈A〉{RA,SA} = {φA(PB), φA(QB)}


EAB = EB/〈A′〉 ∼= EA/〈B ′〉 = EBA

φ A


+[s A]Q

A〉

φB

ker(φB )=〈B〉

=〈P

B+[sB ]Q

B 〉

φ ′A

ker(φ ′A )=〈A ′〉

=〈R

B+[sA ]S

B 〉

φ′

B

ker(φ

′B)=〈B〉 =〈R A

+[s B]SA〉

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

E0 : y2 = x3 + x

φA : E0 → EA

E0 : y2 = x3 + x

φB : E0 → EB



EA

EA = E0/〈A〉{RA, SA} = {φA(PB), φA(QB)}


EAB = EB/〈A′〉 ∼= EA/〈B ′〉 = EBA

φ A


+[s A]Q

A〉

φB

ker(φB )=〈B〉

=〈P

B+[sB ]Q

B 〉

φ ′A

ker(φ ′A )=〈A ′〉

=〈R

B+[sA ]S

B 〉

φ′

B

ker(φ

′B)=〈B〉 =〈R A

+[s B]SA〉

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

E0 : y2 = x3 + x

φA : E0 → EA

EB : y2 = x3 + 22x + 35

E0 : y2 = x3 + x

φB : E0 → EB

EB : y2 = x3 + 63x + (55w + 16)

Key exchange


EA



EAB = EB/〈A′〉 ∼= EA/〈B ′〉 = EBA

φ A


+[s A]Q

A〉

φB

ker(φB )=〈B〉

=〈P

B+[sB ]Q

B 〉

φ ′A

ker(φ ′A )=〈A ′〉

=〈R

B+[sA ]S

B 〉

φ′

B

ker(φ

′B)=〈B〉 =〈R A

+[s B]SA〉

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

E0 : y2 = x3 + x

φA : E0 → EA

EB : y2 = x3 + 22x + 35

E0 : y2 = x3 + x

φB : E0 → EB

EB : y2 = x3 + 63x + (55w + 16)

Shared Secret Generation


EA



EAB = EB/〈A′〉 ∼= EA/〈B ′〉 = EBA

φ A


+[s A]Q

A〉

φB

ker(φB )=〈B〉

=〈P

B+[sB ]Q

B 〉

φ ′A

ker(φ ′A )=〈A ′〉

=〈R

B+[sA ]S

B 〉

φ′

B

ker(φ

′B)=〈B〉 =〈R A

+[s B]SA〉

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

EB : y2 = x3 + 63x + (55w + 16) EB : y2 = x3 + 22x + 35



EA



EAB = EB/〈A′〉 ∼= EA/〈B ′〉 = EBA

φ A


+[s A]Q

A〉

φB

ker(φB )=〈B〉

=〈P

B+[sB ]Q

B 〉

φ ′A

ker(φ ′A )=〈A ′〉

=〈R

B+[sA ]S

B 〉φ

′B

ker(φ

′B)=〈B〉 =〈R A

+[s B]SA〉

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

EB : y2 = x3 + 63x + (55w + 16)

φAB : EB → EAB

EB : y2 = x3 + 22x + 35

φBA : EA → EBA



EA



EAB = EB/〈A′〉 ∼= EA/〈B ′〉 = EBA

φ A


+[s A]Q

A〉

φB

ker(φB )=〈B〉

=〈P

B+[sB ]Q

B 〉

φ ′A

ker(φ ′A )=〈A ′〉

=〈R

B+[sA ]S

B 〉φ

′B

ker(φ

′B)=〈B〉 =〈R A

+[s B]SA〉

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

EB : y2 = x3 + 63x + (55w + 16)

φAB : EB → EAB

EB : y2 = x3 + (21w + 14)x + (57w + 21)

EB : y2 = x3 + 22x + 35

φBA : EA → EBA

EB : y2 = x3 + (21w + 14)x + (57w + 21)


Shared SecretR. Azarderakhsh (Florida Atlantic University) SIKE in Hardware 29 / 56

EA



EAB = EB/〈A′〉 ∼= EA/〈B ′〉 = EBA

φ A


+[s A]Q

A〉

φB

ker(φB )=〈B〉

=〈P

B+[sB ]Q

B 〉

φ ′A

ker(φ ′A )=〈A ′〉

=〈R

B+[sA ]S

B 〉φ

′B

ker(φ

′B)=〈B〉 =〈R A

+[s B]SA〉

Alice Bob

0 17

40

41

48

24

66 0 17

40

41

48

24

66

SIDH: Security

• Hard problem: Given P,Q ∈ E and φ(P), φ(Q) ∈ φ(E)⇒ compute φ.• Best known attack: classical O(p1/4) and quantum O(p1/6).


SIKE Round 2 Key sizes

NIST Level Prime size (bits) Round 1 Prime size (bits) Round 2

1 (AES128) 503 434

2 (SHA256) — 503

3 (AES192) 751 610

5 (AES256) 964 751


SIKE Round 2 Key sizes

NIST Level Prime size(bits)

Prime Public keysize (bytes)

Compressed PKsize (bytes)

1 434 2216 · 3137 − 1 330 196

2 503 2250 · 3159 − 1 378 224

3 610 2305 · 3192 − 1 462 273

5 751 2372 · 3239 − 1 564 331


SIDH Computations

Fp Arithemtic

Fp2 Arithemtic

Group Ops

Extendedgroup ops

PQCprotocols

Addition Mult. Inversion

Addition Mult. Squaring Inversion

Point Addition Point Doubling

Isogeny Evaluation and Computation

Double PointMultiplication

Large Degree Isogeny Comput.

SIDH


SIDH Computations

Fp Arithemtic

Fp2 Arithemtic

Group Ops

Extendedgroup ops

PQCprotocols







SIDH


SIDH Computations

Fp Arithemtic

Fp2 Arithemtic

Group Ops

Extendedgroup ops

PQCprotocols







SIDH


SIDH Computations

Fp Arithemtic

Fp2 Arithemtic

Group Ops

Extendedgroup ops

PQCprotocols







SIDH


SIDH Computations

Fp Arithemtic

Fp2 Arithemtic

Group Ops

Extendedgroup ops

PQCprotocols







SIDH


Three-Point Differential Ladder

• Compute R = P + [k ]Q• Jao et al. (2014) - Cost: 2PA + 1PD• Hernandez et al. (2017) - Cost: 1PA + 1PD• Example: k = 9 = 1001b

R1 = P R0 = Q R2 = Q−Pstart

k0 = 1 P + Q 2Q Q − P

k1 = 0 P + Q 4Q 3Q − P

k2 = 0 P + Q 8Q 7Q − P

k3 = 1 P + 9Q 16Q 7Q − P


Large Degree Isogeny Computations

• Vélu’s fomulas is only suitable for small degree isogenies: φG : E → E/G

Vélu’sformula

G

(a, b) of E

ϕ

(a’, b’) of E’

• Evaluate φG as a chain of small-degree isogenies• Complexity: O(e2 · `). Exponentially smaller than è.

• Jao and De Feo [2014]: Optimal strategy improves this to O(e log e · `).• For SIDH we only use isogenies of degree è for ` ∈ {2, 3}.



• Get isogeny Kernel [è−i−1]Ri

• Compute Isogenies φi := Ei/〈[è−i−1]Ri〉

• Compute Ei+1 = φi(Ei)

• Push points to new curve Ri+1 = φi(Ri)

φ = φ6 · φ5 · φ4 · φ3 · φ2 · φ1 · φ0

Base Curve

Point multby `

Apply `-isogeny

Point in queueGet `-isogeny

R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0


e.g., φ : E0/〈R0〉, ord(R0) = `7


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

Order of R0 is `7


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

Order of [`]R0 is `6


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

Order of [`2]R0 is `5


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7



Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7



Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7



Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

Order of [`6]R0 is `


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

φ0 := E0/〈[`6]R0〉E1 = φ0(E0)


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

R1 = φ0(R0)



Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

φ1 := E1/〈[`5]R1〉E2 = φ1(E1)


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

R2 = φ1(R1)



Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7



Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

φ2 := E2/〈[`4]R2〉E3 = φ2(E2)


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

R3 = φ2(R2)



Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

φ3 := E3/〈[`3]R3〉E4 = φ3(E3)


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

R4 = φ3(R3)

Order of R4 is `3


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

Order of [`]R4 is `2


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7



Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

φ4 := E4/〈[`2]R2〉E5 = φ4(E4)


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

R5 = φ4(R4)Order of [`]R5 is `


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

φ5 := E5/〈[`]R5〉E6 = φ5(E5)


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

R6 = φ5(R5)Order of R6 is `


Base Curve

Point multby `

Apply `-isogeny


R0

[`]R0 R1

[`6]R0 [`3]R3R6

φ0

E0

R0

[`]R0

[`2]R0

[`3]R0

[`4]R0

[`5]R0

[`6]R0

E1

φ0

φ0

φ0

R1

[`3]R1

[`5]R1

E2

φ1

φ1

R2

[`3]R2

[`4]R2

E3

φ2

φ2

R3

[`3]R3

E4

φ3

R4

[`]R4

[`2]R4

E5

φ4

φ4

R5

[`]R5

E6

φ5

R6


e = 7

φ6 := E6/〈[`]R6〉E7 = φ6(E6)

High-level Hardware Architecture for SIDH

Adder/Subtractor

Mult Unit

Mult 00

n-1

1 Mult 1

Mult n-1

𝐸0𝑃𝐴𝑄𝐴𝑃𝐵𝑄𝐵

𝐸𝐵𝜙𝐵(𝑃𝐴)

𝜙𝐵(𝑄𝐴)

𝐸𝐴

𝜙𝐴(𝑃𝐵)

𝜙𝐴(𝑄𝐵)

𝑗(𝐸𝐴𝐵)

Public SIDHParameters

Round1

Round2

MemoryUnit

ControllerProgram

ROM

ALU

SecretKeys

TRNG


Fast Kernel Computations

𝑅 = ker 𝜙 = 𝑃 + 𝑠 𝑄

𝑃𝐴

𝑄𝐴

𝐸0/𝔽𝑃2

Public SIDH Parameters

Input Curve

Alice’sBasis

Bob’sBasis

𝑅𝐴

𝑠𝐴

𝜙𝐴(𝑃𝐵)

Ephemeral Public Key to Bob

𝜙𝐴(𝑄𝐵)

𝐸𝐴Isogenous Curve

Image of Bob’s basis

𝑃𝐵

𝑄𝐵

Alice’s Private Keys

Three PointLadder

Isogeny Computation

𝑅𝐴 = 𝑃𝐴 + 𝑠𝐴 𝑄𝐴 𝐸𝐴 = 𝐸0/ 𝑅𝐴


Field Multiplication

• Field multiplication performs C = A× B mod p

• Choice of multar multiplier is crucial: Montgomery multiplication

• Systloic Montgomery multiplier

• PEs process various chunks of the results in parallel

• For SIKE primes (2eA · 3eB − 1), p = 1 . . . 111 . . . 111︸︷︷︸eA

and p′ = −p−1 = 1( mod 2w ) where w ≤ eA

Coarsely Integrated Operand Scanning (CIOS):• Alternate between multiplication and reduction• Longer Critical Path: 1 Mult + 1 Additions• More clock cycles (4 × Number of words)

Finely Integrated Operand Scanning (FIOS):• Parallelize Multiplication and reduction• Longer Critical Path: 1 Mult + 2 Additions• Less clock cycles (3 × Number of words)


FIOS Design (Number of words = 4)


PEinitial

PE

ai aserial

b(1)(2)p(1)(2)

b0

startenen

mi

C0

T(0)(1)

S0

PE

ai

mi

C2

S2

ai

mi

C4

b(3)(4)p(3)(4)

T(2)(3)

S0S2

PE

S6

ai

mi

C8

b(5)(6)p(5)(6)

T(4)(5)

S4

S4

w

mout

×ain

bin

×pin

min

Sin

w

w

w

w

w

2w

2w

w+1Cout

Sout

+

MSW

LSW

+

MSW

LSW

ain

min

odd

w+1

w

w Smuxw

w

aout

Cinw+1 w+1

Cmux

aaen

aen

mmen

men

w+1

w

w+1

ww

w w

odd

even1 01 0

1 01 0

CC

SS

×ain

bin

Sin

w

w

CCCout

+Carry

Sum

ain

odd

aout aaen

aen

mmen

men ww

w ww

w

LSW+

MSW

Cin

mout

w+1 w+1

w

w

w

Arithmetic over Fp2

Each of the Fp2 arithmetic are built upon a series of Fp arithmetic

Fp2 Fp ops

a + b (a0 + b0, a1 + b1) 2A

a− b (a0 − b0, a1 − b1) 2A

a× b (a0 · b0 − a1 · b1, (a0 + a1) · (b0 + b1)− a0 · b0 − a1 · b1) 3M + 5A

a2 ((a0 + a1) · (a0 − a1), 2a0 · a1) 2M + 3A

a−1 (a0 · (a20 + a2

1)−1,−a1 · (a2

0 + a21)−1 4M + 2A + 1I


SIKE Control FlowKEY GENERATION (BOB)

Bob’s secret key sB

EB =E0/〈PB + [sB ]QB〉

Bob’s public key pkB ={EB , φB(PA), φB(QA)}

KEY ENCAPSULATION (Alice)

Alice’s secret message m

Bob’s public key pkB

r =Keccak(m, pkB)

EAB =EB/〈φB(PB) + [r ]φB(QB)〉

EA =E0/〈PA + [r ]QA〉

c =Keccak(j(EAB)) ⊕ m

Alice’s public key pkA ={EA, φA(PB), φA(QB)}

ciphertext(ct){pkA, c}

Shared Secret(ssA) =Keccak(m, pkA, c)

KEY DECAPSULATION (Bob)

ciphertext(ct)EBA =

EA/〈φA(PB)+[sB ]φA(QB)〉

m′ =Keccak(j(EBA)) ⊕ c

r ′ =Keccak(m′, pkB)

E ′A =

E0/〈PA + [r ′]QA〉Alice’s public key pk ′

A ={E ′

A, φ′A(PB), φ

′A(QB)}

Check pk ′A == pkA

Shared Secret(ssB) =Keccak(m, pkA, c)

Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash

Public ParametersAlice’s valuesBob’s values



Bob’s secret key sBEB =

E0/〈PB + [sB ]QB〉

Bob’s public key pkB ={EB , φB(PA), φB(QA)}




r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash





E0/〈PB + [sB ]QB〉Bob’s public key pkB ={EB , φB(PA), φB(QA)}




r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash

Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash

Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)

EBA =EA/〈φA(PB)+[sB ]φA(QB)〉



E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash

Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =

E0/〈PA + [r ′]QA〉

Alice’s public key pk ′A =

{E ′A, φ

′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash









r =Keccak(m, pkB)








ciphertext(ct)EBA =




E ′A =


A ={E ′

A, φ′A(PB), φ

′A(QB)}



Isogeny

Hash

Isogeny

Isogeny

Hash Hash

Isogeny

Hash Hash

Isogeny

Hash



SIKE in FPGA

The host initializes any isogeny inputs 𝑥 𝑃 , 𝑥 𝑄 , 𝑥 𝑄 − 𝑃 and key 𝑘

Program ROM

TRNG

IsogenyAccelerator

RegisterFile

IsogenyController

Keccak-1088

64

3

32

data_in

SIKE_cmd

SIKE mux selects

data_out 64

Host CPU SIKE Accelerator


Isogeny Operations

Total number of Fp2 arithmetic operations in fastest known isogeny formulas (from SIKE submission)

Isogeny Operation Fp2 Mult. Fp2 Squaring Fp2 Addition

xDBL 4 2 4

get_2_isog 0 2 1

eval_2_isog 4 0 6

xTPL 7 5 10

get_3_isog 2 3 12

eval_3_isog 4 2 4


SIKE Operations

Total number of Fp arithmetic operations in SIKEp503

Fp Keygen Encapsulation Decapsulation

Addition 31,882 43,127 51,620

Multiplication 40,107 64,372 69,550

Inversion 1 3 3


SIDH and SIKE in PC

SIDH SIKE CSIDHKey size (quantum 128-bit) 330 bytes 330 bytes 64 bytes

Running time (x86-64) 2.5 ms 4.5 ms 50 ms

Compressed SIDH/SIKE 196 bytes 195 bytes6.5 ms 8.6 ms

Exponential quantum security 3 3 7Active attack security 7 3 3Direct key validation 7 7 3

Digital signatures 3 7 3NIST candidate 7 3 7


SIKE Performance in FPGA

NIST-Round 1 Submission and updated in Round 2.

Xilinx Virtex 7 FPGA

NIST SIKE Area Freq Time (ms)

Level Prime #FFs LUTs #Slices DSPs BRAMs (MHz) KeyGen Encaps Decaps Total (E+D)

2 SIKEp503 26,971 25,094 9,514 264 34 171 3.74 7.07 6.6 13.6

5 SIKEp751 50,390 45,893 17,530 512 43 167.4 7.42 13 13.9 26.9


SIKE in FPGA Area Results

Area distribution of NIST level 5 SIKEp751 on Virtex-7 FPGA xc7vx690tffg1157-3

5.82%

10.59%16.19% 14.22%

2.96%

0%

20%

40%

60%

80%

100%

FFs LUTs Slices DSPs BRAMs

%Utilization


SIKE: Results for NIST level 1

0

200

400

600

800

1000

1200

1400

1600

1800

2000

Software Hardware

Mili

seco

nd

s

SIKE Total Running Time

ARM Cortex-M4 Artix-7 FPGA

~3K Slices only

ARM Cortex-A53 Artix-7 FPGA

Target: Resource-constrained IoTTarget: High Performance Edge

0

10

20

30

40

50

60

70

Software Hardware

Mili

seco

nd

s

SIKE Total Running Time

~10K Slices


Side Channel Attacks on SIDH/SIKE

• Attacking isogeny computations:recover steps φi in secret walk φ

• Loop abort attack→ Fault animplementation to stop isogenyoperation early and give Ei

• Refined Power Analysis→ Forcezero-values to divulge φi

φ = φ6·φ5·φ4·φ3·φ2·φ1·φ0 Isomorphism

Class

-Isogeny

Computation

Initial

Isomorphism

Class







Class

-Isogeny

Computation

ith Isomorphism

Class (target)

(i+1) Isomorphism

Class (check)







Class

-Isogeny

Computation

ith Isomorphism

Class (target)

(i+1) Isomorphism

Class (check)







Class

-Isogeny

Computation

ith Isomorphism

Class (target)

(i+1) Isomorphism

Class (check)







Class

-Isogeny

Computation

ith Isomorphism

Class (target)

(i+1) Isomorphism

Class (check)







Class

-Isogeny

Computation

ith Isomorphism

Class (target)

(i+1) Isomorphism

Class (check)







Class

-Isogeny

Computation

ith Isomorphism

Class (target)

(i+1) Isomorphism

Class (check)


The case for SIKE

• The post-quantum landscape is uncharted territory:• The smallest scheme is the slowest, and the fastest scheme is the largest.

• Compare with traditional cryptography, where the fastest scheme (ECC) is also the smallest.

• This situation introduces a new set of tradeoffs.• SIKE’s advantages will become more pronounced over time.

• SIKE’s disadvantages will become less pronounced over time.

• Why not CSIDH?• CSIDH has sub-exponential quantum security, compared to SIDH/SIKE which has exponential

quantum security.

• Over time, CSIDH becomes less attractive compared to SIKE.


The future of SIKE: Computational Costs

• Hardware gets faster over time.

• Software also gets faster over time.

• The above happens naturally, without effort or expenditure.

• An across-the-board performance increase reduces the performance penalty of SIKE (inabsolute terms).

• We can also spend more money for faster hardware.

• Certain expenditures (e.g. hardware acceleration) provide good value per unit cost.


The future of SIKE: Communication Costs

• As hardware and software gets faster, attacks get faster.

• Faster attacks require larger keys to counteract.

• An across-the-board key size increase enlarges the communication cost benefits of SIKE (inabsolute terms).

• Variance in communication channels is much higher than variance in cycle counts. SIKEalready wins today on desktop browsers when including variance.


Open Research Directions

• How to make isogenies FASTER?• Different curves, formulas, algorithms, isogeny base degrees, etc.

• How to design high-performance field arithmetic operators?• Addition, multiplication, inversion, etc.

• How can we attack and defend isogenies?• Side-channels, countermeasures, security analysis, etc.

• How to create efficient isogeny cryptosystems?• Signatures, hashing, PAKE, etc.

• How can we apply isogenies?• Blockchain, OT, broadcast encryption, etc.


Questions?

Thanks for your attention!


Date post:	18-Mar-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

SIKE in Hardware · Balanced isogeny graph size, 2eA ˇ3eB (Security) Elliptic curves over F p2, #E...

Documents