31 Aug 2022
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.
A post-quantum key exchange method once considered promising is apparently insecure and can be completely broken with classical computers. Researchers recently published attacks on both supersingular isogeny Diffie-Hellman (SIDH) and the supersingular isogeny key encapsulation (SIKE) variation that was submitted for NIST's post-quantum competition.
These key exchange methods use so-called isogenies over supersingular elliptic curves. Using these mathematical objects for cryptography is a relatively new idea: the SIDH algorithm was published in 2011 by Luca de Feo, David Jao, and Jérôme Plût.
SIDH was seen as promising because the key size was relatively small compared to many other post-quantum methods. Also, as the name indicates, the algorithm works similarly to the Diffie-Hellman key exchange.
But all of this has probably become irrelevant, as a paper posted by Wouter Castryck and Thomas Decru from KU Leuven described an attack that allows for completely breaking SIDH and SIKE in less than an hour. Independently, the attack was also described by Luciano Maino and Chloe Martindale from the University of Bristol. These attacks would only work in special cases of SIDH, but a later improvement of the attack by Damien Robert from Inria Bordeaux completely breaks SIDH. Steven Galbraith has given a description of the mathematical ideas behind the attack in a blog post and explained how the three different published papers relate to each other in a second blog post. Galbraith was also a guest in the Security. Cryptography. Whatever. podcast episode that covered the attack.
Although cryptographers had been sometimes concerned that cryptography based on isogenies was insufficiently studied, this devastating attack was still a surprise for many. Chris Peikert, an expert in lattices and post-quantum cryptography, commented on Twitter: "Wow! This completely breaks SIDH/SIKE level-1 parameters on a single core in an hour. A monumental result."
While the attack completely breaks SIDH and SIKE, other variations of isogeny-based cryptography may still be secure. Currently, the CSIDH key exchange and several signature algorithms based on isogenies remain safe. Luca de Feo created a web page that provides an overview.
There are a few takeaways from this episode. It shows that public key cryptography is hard and that surprising breakthroughs can happen. This comes just months after another promising post-quantum algorithm, the Rainbow signature scheme, was also completely broken (as mentioned in our February Newsletter).
Both Rainbow and SIKE were considered by NIST as potential candidates for standardization as part of its post-quantum competition.
But there's also an optimistic takeaway: because isogeny-based cryptography was widely seen as a field that hadn’t been studied enough to create confidence, cryptographers were careful about SIDH. Therefore, SIDH and SIKE haven’t been used in any significant real-world systems.
This subscription is just for the newsletter; we won't send you anything else.
Here are some things that caught our attention since the previous newsletter:
Here are some interesting jobs we've come across in the last month:
If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.