The Case for SIKE: A Decade of the Supersingular Isogeny Problem [article]

Craig Costello
2021 IACR Cryptology ePrint Archive  
To mark the 10-year anniversary of supersingular isogeny Diffie-Hellman, I will touch on 10 points in defense and support of the SIKE protocol, including the rise of classical hardness, the fact that quantum computers do not seem to offer much help in solving the underlying problem, and the importance of concrete cryptanalytic clarity. In the final section I present the two SIKE challenges: $55k USD is up for grabs for the solutions of mini instances that, according to the SIKE team's security analysis, provide significantly less than 64 bits of classical security. I conclude by urging the proponents of other schemes to construct analogous challenge instances.

"SIKE is a fantastic scheme, but its computation is by far the most expensive, and the problem is relatively new. Who knows here?" -Daniel Apon (NIST) [3].

A decade unscathed

"Which post-quantum submissions (1) haven't suffered security losses since the #NIST-PQC competition began and (2) are among the 26 submissions in round 2 (which is ending soon)? I think there are exactly 3: SIKE (which scares me for being too new), Classic McEliece, and SPHINCS+." -Daniel J. Bernstein 1

* Opinions are my own and are not the views of my employer nor of the SIKE team. Opinions indicate a strong partisan bias, but for what it's worth this comes from being (both in spirit and chronologically) an SIDH fanboy first, and a member of the SIKE team second.
dblp:journals/iacr/Costello21 fatcat:ydg626m5effxbjqahbpgexsxoa