Isogeny-Based Cryptography
Isogeny-based cryptography is a post-quantum approach that builds its security on the difficulty of finding a secret mapping (an isogeny) between elliptic curves. It’s worth understanding for one reason above all: its flagship scheme, SIDH/SIKE, was a serious NIST post-quantum candidate right up until 2022, when it was broken by an ordinary classical computer in under an hour and withdrawn. That collapse is the single best cautionary tale in the whole transition, and any resource that still lists isogeny cryptography as healthy, live post-quantum protection without mentioning it is out of date.
The short version:
- Isogeny cryptography’s appeal was small keys, by far the most compact of the post-quantum families, which made it attractive for constrained environments.
- Its leading construction, SIDH (and the KEM built on it, SIKE), was a NIST Round 4 candidate. In July 2022 a classical attack recovered its private key in minutes to hours, on a single processor, no quantum computer required.
- SIKE was withdrawn. It’s broken, it appears in no NIST standard, and it must never be deployed.
- The broader research area continues with different designs (for example the signature scheme SQIsign), but those are separate constructions, and none of the current NIST-standardized algorithms are isogeny-based.
Why was isogeny cryptography attractive, and how did it work?
An isogeny is a structured map between two elliptic curves. Isogeny-based schemes hide a secret walk through a vast graph of curves, where each step is an isogeny, and security rests on how hard it is to recover that secret path from the public endpoints. SIDH (Supersingular Isogeny Diffie-Hellman) used this to do a Diffie-Hellman-style key exchange, and SIKE (Supersingular Isogeny Key Encapsulation) packaged it as a key encapsulation mechanism and entered the NIST post-quantum process.
The draw was size. SIKE’s keys and ciphertexts were dramatically smaller than the lattice-based ML-KEM, which made it appealing for bandwidth- and memory-constrained settings where ML-KEM’s kilobyte-scale artifacts are a burden. It advanced as an alternate candidate to Round 4 of the NIST process, marked for continued study.
How did SIDH/SIKE break, and why does it matter?
In July 2022, Wouter Castryck and Thomas Decru published an efficient key-recovery attack on SIDH. It was a classical, polynomial-time attack: it ran on an ordinary computer, used no quantum hardware at all, and recovered the private key.
| SIKE parameter set | Claimed security | Broken (classical, single core) in |
|---|---|---|
| SIKEp217 (Microsoft challenge) | n/a | under 5 minutes |
| SIKEp434 | NIST level 1 | under 1 hour |
| SIKEp751 | NIST level 5 | about 20 hours |
The strongest parameter set, meant to stand against the most capable adversaries, fell in under a day on one processor core. The attack drew on deep mathematics connecting isogenies to higher-dimensional structures (results in the lineage of Kani’s theorem), a direction the scheme’s designers hadn’t anticipated. SIKE was withdrawn from the NIST process, and the field of standardized KEMs concentrated on lattice- and code-based designs.
Source: Castryck & Decru, “An Efficient Key Recovery Attack on SIDH,” IACR ePrint 2022/975.
The reason this matters far beyond one algorithm: SIDH had been studied for roughly a decade, made it deep into a rigorous international standardization process, and was still broken, not slowly weakened, but broken outright, by a classical computer, years after people had begun to trust it. That’s the clearest possible proof that “post-quantum” does not mean “proven safe forever.” A post-quantum label means an algorithm resists the quantum attacks we know about today; it’s not a guarantee against tomorrow’s classical mathematics.
This is exactly the argument for crypto-agility. You migrate not to a single algorithm you’ll trust forever, but to an architecture that lets you swap again when, not if, the next result lands. It’s also the modern echo of a very old mistake: trusting a cipher because it feels unbreakable, the way Mary Queen of Scots trusted a cipher that Walsingham’s codebreakers had already cracked. The math is new. The lesson is 400 years old.
Where does isogeny cryptography stand now?
Isogeny-based cryptography as a research area isn’t dead. Newer constructions using different underlying problems continue to be studied, and one isogeny-based signature scheme, SQIsign, is under evaluation in NIST’s onramp for additional signatures, valued precisely because it offers small signatures and mathematical diversity from the lattice mainstream. But those are distinct designs with their own security stories, and they carry no relationship to the broken SIDH/SIKE line beyond the shared mathematical setting.
For anyone planning a migration today, the practical takeaway is simple: none of the NIST-standardized post-quantum algorithms (ML-KEM, ML-DSA, SLH-DSA, FN-DSA, HQC) is isogeny-based. If a product or a glossary presents SIKE or SIDH as a viable post-quantum option, treat that as a sign the source hasn’t been updated since 2022.
Everything here is the map, given freely. When your team needs help telling durable post-quantum choices from ones that only look safe, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.