NIST Post-Quantum Cryptography Standardization: SIKE Bites the Dust

Just a month ago, NIST announced its selection of three digital signature algorithms and one key establishment mechanism (KEM) for future use in quantum-resistant cryptography applications. Also, four algorithms for post-quantum key establishment were selected as candidates for the 4^th round of evaluation, for potential standardization at a later time.

Only four weeks later, researchers Wouter Castrick and Thomas Decru at the Katolieke Universiteit Leuven (Belgium) published a practical attack on one of these four candidates: They showed that the SIKE algorithm can be completely broken at NIST’s Security Level 1: The attack recovers the secret key in just an hour on an Intel Xeon CPU E5-2630v2 at 2.60GHz, which is a machine launched in 2013. This is somewhat surprising given that, just like any other post-quantum cryptography algorithm still in the NIST competition, SIKE has been under thorough examination by the international cryptography research community for many years. Yet, this is the second time this year that one of the NIST contenders suffered a devastating attack -- the post-quantum signature scheme Rainbow got broken by Ward Beullens in February 2022.

SIKE is short for Supersingular Isogeny Key Encapsulation. This is a Diffie-Hellman type key exchange protocol where the hardness relies on the so-called Supersingular Isogeny Problem (SSI), which is to find a certain mapping (called isogeny) between two given supersingular elliptic curves. It is a problem that had been analyzed for over 10 years, but SIKE now got an unexpected blow by a smart application of a 25-year-old theorem by the German-Canadian mathematics professor Ernst Kani. We refer to the University of Auckland professor Steven Galbraith’s excellent blog post for a few more details on the math behind this attack.

Now, the quintet of post-quantum KEMs up for (possible) standardization through NIST is down to four: NIST's 3^rd-round winner CRYSTALS-KYBER is to be standardized over the next two years, and the three still-in-the-race 4^th-round candidates will go through further analysis by the cryptography research community. While no one can predict what will happen to any of these algorithms in the future, the take-away from this new lesson is, yet again, that becoming crypto-agile is more important than ever. Given the ongoing advancements in quantum computing, the currently deployed classical cryptographic techniques such as RSA and elliptic curve cryptography (ECC) will have to be replaced or enhanced by quantum-resistant techniques. This can be easiest accomplished if your cryptography applications are, by design, as algorithm-independent as possible, so that switching from one cryptographic algorithm to another can occur without significant delay, just like changing a light bulb in your office without having to rewire your house. See our recommendations on how to future-proof your use of cryptography by implementing this crypto-agility. 

With Cryptomathic's Crypto Service Gateway (CSG), organizations can afford true crypto-agility through the abstraction layer between the applications using cryptography and the HSMs that provide the secure key usage and storage. Multiple applications can connect to the CSG platform and use the broad range of crypto functionality provided by the HSMs without having to hard-code complex crypto parameters into the applications. As all the cryptographic functions and policy settings are managed by CSG through the remote admin client, it’s as close as you can get to plug-and-play high-security cryptography - enabling rapid changes to algorithms that are being used by the applications, with virtually no changes to the application code.