Patrick Longa

Are the p503 public keys smaller?

Smaller p, smaller key size, less security

Yep, this is supposed to be 128bit

Or more precisely, it is intended for matching the security of AES128. There are still too many open questions in quantum cryptanalysis. But, if isogenies stand the pass of time, there is a chance that p503 will become the most attractive option for most applications.

There is a lot to love about SIKEp503: speed, code simplicity and compactness, security against active attackers, and the smallest public keys in the PQ world, only 378 bytes w/o compression.

Wait, isn't AES128 64bit security against Grover?

Quantum sec. appears to be more complicated than simply applying Grover directly. As preliminary analysis, NIST is considering not only quantum circuit size but also circuit depth (limitation in running time on a quantum circuit). Check out Section 4.A.5, https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf …

Cool!

How fast is SIDH over p503?

10 milliseconds (KEM encapsulation + KEM decapsulation) on my 3.4GHz Intel Skylake machine.

Same timing for SIDHp503 (10 msec., full ephemeral kex).

Hi Patrick, I found a minor “issue” in SIKEp751/ec isogeny, generic impl. Ping me for details/contact.