We reported last month that NIST had selected four Post-Quantum Cryptography (PQC) algorithms for standardization in Round 3 and another four algorithms were selected for further analysis in Round 4. One of the algorithms selected for further study was SIKE (Supersingular Isogeny Key Encapsulation). SIKE is a key encapsulation (KEM) algorithm based upon a fundamentally different approach (Supersingular Isogeny) than the lattice-based Kyber algorithms chosen for KEM applications in Round 3. NIST views a different approach as a positive because it can potentially provide a much different alternative in case a problem is found with Kyber. NIST also views SIKE as attractive because it has a small key size and small ciphertext size. But now, researchers at KU Leuven have published a preliminary paper claiming they were able to find an efficient key recovery attack for SIKEp434, security level 1 using a single core processor in about one hour’s time with a program they call Magma. Sometimes these deficiencies can be fixed by small modifications to the algorithm. But if it cannot be fixed, then the SIKE algorithm will be dropped from further consideration for PQC standardization. Earlier this year, a deficiency was found in a digital signature algorithm called Rainbow and it was dropped after Round 3. Right now, it is still too early in the process to know what the ultimate fate of the SIKE algorithm will be. But it certainly makes the case for using what the researchers call crypto-agility so algorithms can be changed out easily if a problem is found. It also make the case to look at other techniques to avoid situations where there could be a single point of failure. You can read an abstract of the preprint describing this key recovery attack here and view the full preprint here. A longer article that describes this attack in more detail is in preparation.
August 1, 2022