It turns out that breaking an encryption algorithm meant to withstand the most powerful cyberattacks imaginable might not be as tough as we’d been led to believe. In a paper published over the weekend, researchers demonstrated that a PC with a single-core processor (weaker than a decent laptop) could break a “post-quantum” algorithm that had been a contender to be the gold standard for encryption in just one hour.
Last month, The National Institute of Standards and Technology, or NIST, announced the winners of a years-long competition to develop new encryption standards, the likes of which have been designed to protect against a hypothetical (for now) threat that hasn’t been invented yet: quantum computers. Such hardware is projected to someday be so powerful that it will have the ability to easily decrypt our present-day public-key encryption (standards like RSA and Diffie-Hellman). To stave off this future threat, the U.S. government has invested in the creation of new encryption standards that can weather attacks by hardware of the days to come.
NIST selected four encryption algorithms that it said would provide adequate protections and that it plans to standardize, meaning others would be measured against them. The contest took years to unfold and involved droves of contenders from all over the world. After the four finalists were selected, NIST announced another four that were being considered as other potential candidates for standardization.
Unfortunately, one of those additional four algos doesn’t seem so sturdy. SIKE — which stands for Supersingular Isogeny Key Encapsulation — was one of NIST’s secondary finalists, but a recently discovered cyberattack managed to break SIKE relatively easily. Worse, the computer running the attack was about as far from a quantum computer as you could get: instead, it was a single-core PC (meaning that it’s a lot slower than your typical PC, which has a multi-core processor), and it only took an hour for the little machine to unwind SIKE’s supposedly tricksy encryption.
“The newly uncovered weakness is clearly a major blow to SIKE,” David Jao, one of the algorithm’s creators, told Ars Technica. “The attack is really unexpected.”
The attack on SIKE was discovered by a group of security researchers attached to the Computer Security and Industrial Cryptography, which is operated by Belgian university KU Leuven. The group published a paper that shows how a simple computer can use high-octane maths to unwind SIKE’s encryption and nab the encryption keys that keep the algorithm secure. The attack involves an attack at a protocol called Supersingular Isogeny Diffie-Hellman, or SIDH, which is one of the fundamental components of SIKE, Ars Technica reports.
The whole process of decrypting SIKE reportedly took 60 minutes or so, the amount of time it takes for your DoorDasher to arrive. The maths, which I will never understand, can be read in the research team’s paper.
Suffice it to say, creating digital protections is no easy task — especially when you’re dealing with new territory. Still, we apparently have a ways to go before all our secrets are safe from the world’s most talented maths nerds.