Skip to content
This repository has been archived by the owner on Apr 19, 2023. It is now read-only.
/ sike-java Public archive

SIKE for Java is a software library that implements experimental supersingular isogeny cryptographic schemes that aim to provide protection against attackers running a large-scale quantum computer.

License

Notifications You must be signed in to change notification settings

wultra/sike-java

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

⚠️ In July 2022, Wouter Castryck (KU Leuven) and Thomas Decru (KU Leuven) published an article "An efficient key recovery attack on SIDH" which provides an efficient attack on SIKE. As a result, the implementation below should only be used for research purposes and not for production deployment.

SIKE for Java

Build Status GitHub issues Twitter License: AGPL v3

SIKE for Java is a software library that implements experimental supersingular isogeny cryptographic schemes that aim to provide protection against attackers running a large-scale quantum computer. The library is a result of a security research cooperation between Wultra and Raiffeisen Bank International Competence Centre for Cryptology and Biometrics.

We advise the readers who are new to SIDH or SIKE to check the official resources, which provide many educational materials.

Features

The port of SIKE to Java provides the following functionality:

  • Key generation
  • SIDH key exchange
  • SIKE public key encryption (PKE)
  • SIKE key encapsulation mechanism (KEM)

Following SIKE parameter sets are supported:

  • SIKEp434
  • SIKEp503
  • SIKEp610
  • SIKEp751

The project provides implementation ports for both reference and optimized implementations, and it is possible to switch the implementation type. The port currently does not support compressed keys. The field arithmetics is based on Java BigInteger in the reference implementation. The optimized implementation uses an unsigned long array representation of field elements, and the field arithmetics does not use any native code.

The private and public keys can be exported into:

  • an octet representation as defined in the SIKE specification
  • a byte array representation useful for a more optimal encoding

The private and public keys can be imported from either of these serialization formats.

The port includes KAT test vectors for all supported SIKE parameter sets.

Note that this port's aim was not to create a 100% identical port with the C code because the original syntax is not object-oriented. There are small differences between the C and Java implementations. However, given the passing KAT test vectors, the implementations should be 100% compatible.

Getting Started

If you prefer watching a video over reading a manual, you can watch the Getting Started Video which provides an introduction to using this library.

Usage

SIKE for Java provides an easy to use interface for generating keys and computing shared secrets.

Installation

Install Using Maven

The artifacts are currently not published in any public repository given the experimental stage of the implementation. Clone the project and install the artifact in the local Maven repository to use the library by running the following commands:

$ git clone https://github.com/wultra/sike-java.git
$ cd sike-java
$ git checkout tags/0.1.0 -b tags/0.1.0
$ mvn clean install

After that, add the following dependency in your project pom.xml file:

<dependency>
    <groupId>com.wultra.security</groupId>
    <artifactId>sike-java</artifactId>
    <version>0.1.0</version>
</dependency>

Use JAR File

Alternatively, use a pre-compiled sike-java.jar artifact from the releases page.

Initialization

As the first step, initialize the Bouncy Castle provider:

Security.addProvider(new BouncyCastleProvider());

On Android, first remove the default Bouncy Castle provider:

Security.removeProvider("BC");
Security.addProvider(new BouncyCastleProvider());

Initialize Bouncy Castle at the application start before using any of the SIKE for Java functionality.

Before generating keys, choose one of the available algorithm parameter sets depending on the desired NIST security level and parameter size (in bytes):

SIKE Parameter Set NIST Security Level Private Key Size Public Key Size Shared Secret Size
SIKEp434 1 374 330 16
SIKEp503 2 434 378 24
SIKEp610 3 524 462 24
SIKEp751 5 644 564 32

Two implementations are available:

  • REFERENCE - slow implementation with a focus on readability of code
  • OPTIMIZED - fast implementation with a focus on performance and security

The selected SIKE parameters need to be created using:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);

Generating Keys

Generate key pairs using the KeyGenerator class:

KeyGenerator keyGenerator = new KeyGenerator(sikeParam);

Before generating a key pair, decide whether the party is ALICE or BOB.

For SIKE, ALICE is the server, and BOB is the client that initiates the communication.

To generate a key pair for ALICE, use:

KeyPair keyPairA = keyGenerator.generateKeyPair(Party.ALICE);

To generate a key pair for BOB, use:

KeyPair keyPairB = keyGenerator.generateKeyPair(Party.BOB);

Obtain the keys from the key pair using:

PrivateKey priv = keyPair.getPrivate();
PublicKey pub = keyPair.getPublic();

To export the keys into a byte array, call either of these methods:

  • getEncoded() - returns the byte array representation of the key
  • toOctetString() - converts the key to an octet string as defined in SIKE specification, you need to cast the key to SidhPrivateKey or SidhPublicKey to access this method

Obtain the numeric representation of keys using:

  • priv.getKey() - returns the FpElement representing the private key
  • pub.getPx() - returns the Fp2Element representing the public key element phi(Px)
  • pub.getQx() - returns the Fp2Element representing the public key element phi(Qx)
  • pub.getRx() - returns the Fp2Element representing the public key element phi(Rx)

Obtain the BigInteger representations of the keys using:

  • priv.getM() - returns the BigInteger representing the private key
  • pub.getPx().getX0().getX() - returns the BigInteger representing the real part of public key x coordinate phi(Px)
  • pub.getPx().getX1().getX() - returns the BigInteger representing the imaginary part of public key x coordinate phi(Px)

Obtaining BigInteger representations of x coordinates of phi(Qx) and phi(Rx) is analogous to phi(Px).

Import private keys from their byte array representation:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);
byte[] secret = secretBytes;
PrivateKey priv = new SidhPrivateKey(sikeParam, Party.ALICE, secret);

It is also possible to import private keys from their octet string representation:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);
String secret = secretOctets;
PrivateKey priv = new SidhPrivateKey(sikeParam, Party.ALICE, secret);

Finally, it is also possible to import private keys from their BigInteger representation:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);
BigInteger secret = new BigInteger(secretNumber);
PrivateKey priv = new SidhPrivateKey(sikeParam, Party.ALICE, secret);

Once having a private key, derive the public key using:

PublicKey pub = keyGenerator.derivePublicKey(Party.ALICE);

Public keys can also be imported from various serialization formats using the SidhPublicKey class constructors.

SIDH Key Agreement

SIDH is an underlying algorithm used in SIKE. Unlike SIKE, SIDH alone provides insufficient security (it is an IND-CPA scheme) and should only be used with ephemeral keys on both sides of the key exchange. As a result, we recommend not using SIDH for anything else but experiments. This documentation mentions SIDH mostly for the purpose of completeness.

⚠️ Continue Reading About SIDH

After initializing the keys for both parties, it is easy to compute the shared secret using SIDH. The process is the same for both parties. Similarly to DH or ECDH, SIDH uses the opposite public and private keys:

Sidh sidh = new Sidh(sikeParam);
Fp2Element secretA = sidh.generateSharedSecret(Party.ALICE, keyPairA.getPrivate(), keyPairB.getPublic());
Fp2Element secretB = sidh.generateSharedSecret(Party.BOB, keyPairB.getPrivate(), keyPairA.getPublic());

Obtain the byte array representing secret j-invariants of both sides using:

byte[] encoded = secret.getEncoded();

Both secrets secretA and secretB are equal in case the key agreement succeeded. The shared secret sizes match the Fp2Element sizes in the chosen SIKE parameter set, which is 1/3 of the public key size. Using a hashing function on the shared secret value is advised to obtain shorter shared secret sizes as well as eliminate any risks related to using the numeric representation of the j-invariant directly.

SIKE Key Encapsulation

The SIKE encapsulation and decapsulation process is different for either of the parties and starts on BOB's side:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);
KeyGenerator keyGenerator = new KeyGenerator(sikeParam);
KeyPair keyPairB = keyGenerator.generateKeyPair(Party.BOB);

BOB transports his public key keyPairB to ALICE, who uses the public key for the encapsulation phase of the KEM:

Sike sike = new Sike(sikeParam);
EncapsulationResult encapsulationResult = sike.encapsulate(keyPairB.getPublic());

At this point, ALICE can calculate the shared secret and the encrypted message:

byte[] secretA = encapsulationResult.getSecret();
EncryptedMessage encryptedMessage = encapsulationResult.getEncryptedMessage();

The encryptedMessage is converted into a byte array representation encodedMessage and transported back to BOB who uses the public key and cipher text included in the message for the decapsulation phase of KEM. Obtain the byte array from the encrypted message for transport over network:

byte[] encodedMessage = encryptedMessage.getEncoded();

The encrypted message is recreated by BOB after the message transport and decapsulation is performed:

EncryptedMessage transportedMessage = new EncryptedMessage(sikeParam, encodedMessage);
byte[] secretB = sike.decapsulate(keyPairB.getPrivate(), keyPairB.getPublic(), transportedMessage);

Both secrets secretA and secretB are equal in case the key encapsulation and decapsulation succeeded. The shared secret sizes are listed in the table presented in the Initialization chapter. Using a hashing function on the shared secret value is advised to obtain shorter shared secret sizes.

Note that SIKE provides higher security than SIDH. It is an IND-CCA2 scheme and can be used with long term keys.

License

SIKE for Java is currently licensed using GNU AGPLv3 license. We may change the license in the future to a less restrictive one. Please consult us at [email protected] for the software use.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

About

SIKE for Java is a software library that implements experimental supersingular isogeny cryptographic schemes that aim to provide protection against attackers running a large-scale quantum computer.

Topics

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages