Cryptology ePrint Archive: Report 2019/298

Improved Classical Cryptanalysis of SIKE in Practice

Craig Costello and Patrick Longa and Michael Naehrig and Joost Renes and Fernando Virdia

Abstract: The main contribution of this work is an optimized implementation of the vanOorschot-Wiener (vOW) parallel collision finding algorithm. As is typical for cryptanalysis against conjectured hard problems (e. g. factoring or discrete logarithms), challenges can arise in the implementation that are not captured in the theory, making the performance of the algorithm in practice a crucial element of estimating security. We present a number of novel improvements, both to generic instantiations of the vOW algorithm finding collisions in arbitrary functions, and to its instantiation in the context of the supersingular isogeny key encapsulation (SIKE) protocol, that culminate in an improved classical cryptanalysis of the computational supersingular isogeny (CSSI) problem. In particular, we present a scalable implementation that can be applied to the Round-2 parameter sets of SIKE that can be used to give confidence in their security levels.

Category / Keywords: public-key cryptography / Post-quantum cryptography, supersingular elliptic curves, isogenies, SIDH, SIKE, parallel collision search, van Oorschot-Wiener algorithm

Original Publication (with major differences): IACR-PKC-2020

Date: received 14 Mar 2019, last revised 2 Jun 2020

Contact author: fernando virdia 2016 at rhul ac uk, mnaehrig at microsoft com

Available format(s): PDF | BibTeX Citation

Version: 20200603:045733 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]