Cryptology ePrint Archive: Report 2020/1457

The Cost to Break SIKE: A Comparative Hardware-Based Analysis with AES and SHA-3

Patrick Longa and Wen Wang and Jakub Szefer

Abstract: This work presents a detailed study of the classical security of the post-quantum supersingular isogeny key encapsulation (SIKE) protocol using a realistic budget-based cost model that considers the actual computing and memory costs that are needed for cryptanalysis. In this effort, we design especially-tailored hardware accelerators for the time-critical isogeny computations that we use to model an ASIC-powered instance of the van Oorschot-Wiener (vOW) parallel collision search algorithm. We then extend the analysis to AES and SHA-3 in the context of the NIST post-quantum cryptography standardization process to carry out a parameter analysis based on our cost model. This analysis, together with the state-of-the-art quantum security analysis of SIKE, indicates that the current SIKE parameters offer a wide security margin, which in turn opens up the possibility of using significantly smaller primes that would enable more efficient and compact implementations with reduced bandwidth. Our improved cost model and analysis can be applied widely to other cryptographic settings and primitives, and can have implications for other post-quantum candidates in the NIST process.

Category / Keywords: public-key cryptography / Post-quantum cryptography, cost model, SIKE, SIDH, AES, SHA-3, efficient implementation

Date: received 18 Nov 2020

Contact author: plonga at microsoft com

Available format(s): PDF | BibTeX Citation

Version: 20201119:094626 (All versions of this report)

Short URL: ia.cr/2020/1457


[ Cryptology ePrint archive ]