The SIKE Break
The SIKE break is the moment a serious NIST post-quantum finalist was taken apart by an ordinary laptop. In July 2022, SIKE, the key-encapsulation mechanism built on isogeny cryptography and still standing as a NIST Round 4 candidate, was broken by a purely classical attack that recovered its private key in about ten minutes on a single processor core, no quantum computer anywhere in the story. Wouter Castryck and Thomas Decru published the attack, SIKE was withdrawn within weeks, and the field of standardized key-encapsulation mechanisms consolidated on lattice- and code-based designs. It is the single clearest cautionary tale in the whole transition, and it is the reason NIST hedges across multiple math families instead of betting everything on the most elegant one.
Source: Castryck & Decru, “An Efficient Key Recovery Attack on SIDH,” IACR ePrint 2022/975, July 2022, eprint.iacr.org/2022/975.
The short version:
- SIKE (Supersingular Isogeny Key Encapsulation) was built on SIDH and prized for its tiny keys, by far the most compact of the post-quantum families, and it had advanced to Round 4 of the NIST process as an alternate for continued study.
- In July 2022, Castryck and Decru published a classical, polynomial-time key-recovery attack. It ran on one core of an ordinary computer with no quantum hardware, and it recovered the private key.
- The weakest parameter set fell in minutes, the NIST level 1 set in about ten minutes, and the strongest level 5 set in roughly a day, all on a single core.
- The attack exploited the extra torsion-point images SIDH publishes as part of its exchange, using higher-dimensional mathematics in the lineage of Kani’s theorem that the designers had not anticipated.
- SIKE was withdrawn. It appears in no NIST standard, and it must never be deployed.
- Isogeny signatures like SQIsign survived because they do not expose the same torsion-point images, so the break was specific to the SIDH construction, not to isogenies as a whole.
- The durable lesson is that “post-quantum” means “resists the quantum attacks we know today,” not “proven safe forever,” which is exactly why NIST values diversity and conservatism.
What was SIKE, and why was it attractive?
SIKE, short for Supersingular Isogeny Key Encapsulation, was a key encapsulation mechanism built on SIDH, the Supersingular Isogeny Diffie-Hellman key exchange. Its security rested on the difficulty of recovering a secret walk through a vast graph of elliptic curves, where each step is a structured map called an isogeny, given only the public endpoints of that walk. It was one of the more mature ideas in isogeny-based cryptography, studied for roughly a decade before the break.
The draw was size. SIKE’s public keys and ciphertexts were dramatically smaller than the lattice-based ML-KEM, which made it the standout choice for bandwidth- and memory-constrained settings where ML-KEM’s kilobyte-scale artifacts are a genuine burden. That compactness carried it deep into the NIST process. When NIST finalized its first selections in 2022, SIKE was retained as an alternate candidate in Round 4, flagged for continued study rather than eliminated, precisely because the small-key property was worth keeping in the running.
Source: NIST, “Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process,” NIST IR 8413, July 2022 (SIKE advanced to Round 4 as an alternate KEM candidate), csrc.nist.gov/pubs/ir/8413/upd1/final.
That standing is what makes the break so instructive. This was not a fringe proposal that never got scrutiny. It was a decade-old design that survived multiple rounds of an adversarial international competition and was one step from potential standardization.
How was SIKE broken, and how fast?
In July 2022, Wouter Castryck and Thomas Decru of KU Leuven published “An Efficient Key Recovery Attack on SIDH.” The attack was classical and polynomial-time. It ran on an ordinary computer, used no quantum hardware at all, and reconstructed the private key directly from the public information exchanged in the protocol. Within days of the initial posting, other researchers had reproduced and accelerated it.
The speeds are what turned a technical result into a headline across the cryptography world:
| SIKE parameter set | Claimed security | Broken classically on a single core in |
|---|---|---|
| SIKEp217 (Microsoft $IKEp182/217 challenge) | challenge instance | under 5 minutes |
| SIKEp434 | NIST level 1 | about ten minutes |
| SIKEp751 | NIST level 5 | roughly a day (about 20 hours) |
Source: Castryck & Decru, “An Efficient Key Recovery Attack on SIDH,” IACR ePrint 2022/975, July 2022, eprint.iacr.org/2022/975.
The strongest parameter set, the one meant to stand against the most capable adversaries at NIST security level 5, fell in about a day on a single processor core, with no cluster, supercomputer, or quantum machine involved. A number that was supposed to represent decades of adversary effort collapsed into an afternoon of ordinary computation, and it did so years after people had begun to treat the scheme as trustworthy.
Why did the torsion-point attack work?
The break exploited a feature the SIDH designers deliberately built in for the protocol to function. To let both parties complete the key exchange, SIDH publishes the endpoint of each secret isogeny walk together with the images of certain known torsion points under that walk. Those torsion-point images are auxiliary information, and they had long been suspected as a possible weakness that stayed hypothetical until someone turned the suspicion into a working attack.
Castryck and Decru turned it into one. Their method uses Kani’s reducibility criterion, a result about isogenies between products of elliptic curves, to embed the secret one-dimensional SIDH isogeny inside a higher-dimensional structure that the torsion-point images make computable. Once the problem is lifted into that higher-dimensional setting (a glue-and-split construction over abelian surfaces), the secret walk can be recovered step by step in polynomial time. The mathematics came from a corner of the theory the scheme’s authors had not anticipated as attack-relevant, which is a recurring pattern in cryptanalysis: the fatal weakness is rarely in the part everyone was watching.
Source: Castryck & Decru, “An Efficient Key Recovery Attack on SIDH,” IACR ePrint 2022/975, July 2022 (attack based on Kani’s reducibility criterion applied to the torsion-point images SIDH exposes), eprint.iacr.org/2022/975.
The precision of that observation matters for what survived. The attack fed on the specific torsion-point images SIDH exposes. Isogeny constructions that do not publish those images were untouched, which is why the break did not end isogeny cryptography as a research area, only the SIDH and SIKE line built on it.
Why did SIKE survive scrutiny for so long?
SIKE had been studied for roughly a decade, made it deep into a rigorous, adversarial standardization process watched by cryptographers worldwide, and was still broken outright while people expected at most a slow weakening. That combination is the core of the story, and it resists the easy explanations. The scheme was well-known, heavily reviewed, and closely watched, so the flaw hid in plain sight rather than in obscurity.
The honest reading is that the assumption underneath SIDH was younger and less battle-tested than the number-theoretic problems behind RSA and elliptic curves, which have absorbed decades of concentrated attack. Isogeny cryptography brought a genuinely new hard problem, and a new problem carries a hidden risk: the community has had less time to find the mathematics that breaks it. The torsion-point images had been flagged as a soft spot for years, and it simply took until 2022 for someone to connect them to the higher-dimensional tools that made the attack efficient. A design can look solid for a decade and then fall the moment the right piece of theory arrives.
What survived, and what does SQIsign have to do with it?
Isogeny cryptography as a research area did not die with SIKE. The broken thing was the SIDH construction and the SIKE KEM built on it, both of which lean on published torsion-point images. Newer isogeny designs that avoid exposing that information carry no relationship to the break beyond the shared mathematical setting.
The clearest example is SQIsign, an isogeny-based signature scheme under evaluation in NIST’s onramp for additional signatures. SQIsign survived the Castryck-Decru attack for a concrete structural reason: it does not reveal the torsion-point images that the attack depends on, so the mechanism that unraveled SIDH has nothing to grip. SQIsign is valued precisely because it offers very small signatures and mathematical diversity from the lattice mainstream, and it is a distinct construction with its own security story rather than a patched SIDH. The lesson is narrow and exact: the SIDH design leaked the information that killed it, and isogeny schemes that do not make that leak remain live candidates.
Source: NIST, “Additional Digital Signature Schemes for the Post-Quantum Cryptography Standardization Process” (SQIsign among the isogeny-based signature submissions under evaluation), csrc.nist.gov/projects/pqc-dig-sig.
Why does NIST value diversity and conservatism after this?
The SIKE break is the sharpest argument in the field for spreading bets across different math and for preferring assumptions that have absorbed the most punishment. NIST standardized the main line on lattice problems, then deliberately selected a code-based backup, HQC, built on a decades-old and independent assumption, so that a future break in one family does not leave the world with no key-establishment option. That deliberate spread is the direct institutional response to watching a compact, elegant, well-studied family fall in an afternoon.
Two design values come out of it. The first is diversity: relying on a single hard problem is the real risk, and standardizing across families is the hedge, which is the whole subject of cryptographic monoculture. The second is conservatism: the most cautious signature standard, SLH-DSA, rests only on the strength of hash functions, an assumption with a very long track record, precisely so the standards keep at least a single scheme leaning on the most battle-tested math available. SIKE’s compactness was seductive, and NIST’s post-break posture treats seduction by elegance as a hazard to manage rather than a virtue to reward.
The practical takeaway for anyone planning a migration is that “post-quantum” is a label about resisting known quantum attacks rather than a proof of permanent safety. The correct response is to migrate to the standardized algorithms now and build so the next algorithm change is a configuration update, which is exactly what crypto-agility delivers. You migrate to an architecture that lets you swap again when, not if, the next cryptanalytic result lands.
Common misconceptions
- “SIKE was broken by a quantum computer.” It was broken by an ordinary classical computer on a single core. That is what made the result so striking: a candidate meant to resist quantum machines fell to a laptop.
- “The break means isogeny cryptography is dead.” The break killed the SIDH and SIKE line, which published the torsion-point images the attack needed. Isogeny signatures like SQIsign that avoid exposing those images survived and remain under NIST evaluation.
- “A NIST candidate can’t be seriously flawed.” SIKE was a Round 4 alternate after a decade of study and multiple competition rounds, and it was still broken outright. The process working means it caught the flaw before standardization, which is the point of running the competition in the open.
- “Post-quantum means proven unbreakable.” It means believed secure against the quantum attacks known today. SIKE is the proof that a family can look solid for years and then fall to new classical mathematics.
- “The fix was to patch SIKE.” There was no patch. The attack struck the core of how SIDH exchanges keys, so SIKE was withdrawn entirely and the standards concentrated on lattice- and code-based KEMs.
Questions people ask
Was SIKE actually a real NIST post-quantum candidate? Yes. SIKE advanced to Round 4 of the NIST post-quantum standardization process as an alternate key-encapsulation candidate marked for continued study, on the strength of its unusually small keys, right up until the July 2022 break.
How long did it take to break SIKE? On a single processor core, the NIST level 1 parameter set fell in about ten minutes and the strongest level 5 set in roughly a day, with a smaller challenge instance broken in under 5 minutes. No quantum computer or specialized hardware was involved.
Did the attack use a quantum computer? No. The Castryck-Decru attack is classical and polynomial-time. It runs on an ordinary computer, which is what made a scheme designed to resist quantum machines so alarming to lose to a laptop.
Why did SQIsign survive when SIKE didn’t? Because SQIsign does not expose the torsion-point images that the attack exploits. The break fed specifically on information SIDH publishes to complete its key exchange, and isogeny schemes that avoid publishing it were untouched.
Can I still use SIKE if I only need small keys? No. SIKE is broken, appears in no NIST standard, and must never be deployed. For key establishment, use the standardized ML-KEM, with HQC as the code-based backup on independent math.
What is the real lesson of the SIKE break? That an algorithm’s “post-quantum” label certifies resistance to known quantum attacks, not permanent safety, and that betting on a single family is the danger. It is the strongest case for diversity across math families and for building crypto-agility so the next break is a configuration change.
Everything here is the map, given freely. When your team needs help telling durable post-quantum choices from ones that only look safe, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.