⚠️ In July 2022, Wouter Castryck (KU Leuven) and Thomas Decru (KU Leuven) published an article "An efficient key recovery attack on SIDH" which provides an efficient attack on SIKE. As a result, the implementation below should only be used for research purposes and not for production deployment.

SIKE for Java is a software library that implements experimental supersingular isogeny cryptographic schemes that aim to provide protection against attackers running a large-scale quantum computer. The library is a result of a security research cooperation between Wultra and Raiffeisen Bank International Competence Centre for Cryptology and Biometrics.

We advise the readers who are new to SIDH or SIKE to check the official resources, which provide many educational materials.

• The "Supersingular isogeny key exchange for beginners" article explains the main concepts nicely.
• Official SIKE documentation: https://sike.org
• SIKE specification from round 3 NIST submission: https://sike.org/files/SIDH-spec.pdf
• The "Mathematics of Isogeny Based Cryptography" paper provides an introduction to the mathematics used by these algorithms.

The port of SIKE to Java provides the following functionality:

• Key generation
• SIDH key exchange
• SIKE public key encryption (PKE)
• SIKE key encapsulation mechanism (KEM)

Following SIKE parameter sets are supported:

• SIKEp434
• SIKEp503
• SIKEp610
• SIKEp751

The project provides implementation ports for both reference and optimized implementations, and it is possible to switch the implementation type. The port currently does not support compressed keys. The field arithmetics is based on Java BigInteger in the reference implementation. The optimized implementation uses an unsigned long array representation of field elements, and the field arithmetics does not use any native code.

The private and public keys can be exported into:

• an octet representation as defined in the SIKE specification
• a byte array representation useful for a more optimal encoding

The private and public keys can be imported from either of these serialization formats.

The port includes KAT test vectors for all supported SIKE parameter sets.

Note that this port's aim was not to create a 100% identical port with the C code because the original syntax is not object-oriented. There are small differences between the C and Java implementations. However, given the passing KAT test vectors, the implementations should be 100% compatible.

If you prefer watching a video over reading a manual, you can watch the Getting Started Video which provides an introduction to using this library.

SIKE for Java provides an easy to use interface for generating keys and computing shared secrets.

The artifacts are currently not published in any public repository given the experimental stage of the implementation. Clone the project and install the artifact in the local Maven repository to use the library by running the following commands:

$ git clone https://github.com/wultra/sike-java.git
$ cd sike-java
$ git checkout tags/0.1.0 -b tags/0.1.0
$ mvn clean install

After that, add the following dependency in your project pom.xml file:

<dependency>
    <groupId>com.wultra.security</groupId>
    <artifactId>sike-java</artifactId>
    <version>0.1.0</version>
</dependency>

Alternatively, use a pre-compiled sike-java.jar artifact from the releases page.

As the first step, initialize the Bouncy Castle provider:

Security.addProvider(new BouncyCastleProvider());

On Android, first remove the default Bouncy Castle provider:

Security.removeProvider("BC");
Security.addProvider(new BouncyCastleProvider());

Initialize Bouncy Castle at the application start before using any of the SIKE for Java functionality.

Before generating keys, choose one of the available algorithm parameter sets depending on the desired NIST security level and parameter size (in bytes):

Two implementations are available:

• REFERENCE - slow implementation with a focus on readability of code
• OPTIMIZED - fast implementation with a focus on performance and security

The selected SIKE parameters need to be created using:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);

Generate key pairs using the KeyGenerator class:

KeyGenerator keyGenerator = new KeyGenerator(sikeParam);

Before generating a key pair, decide whether the party is ALICE or BOB.

For SIKE, ALICE is the server, and BOB is the client that initiates the communication.

To generate a key pair for ALICE, use:

KeyPair keyPairA = keyGenerator.generateKeyPair(Party.ALICE);

To generate a key pair for BOB, use:

KeyPair keyPairB = keyGenerator.generateKeyPair(Party.BOB);

Obtain the keys from the key pair using:

PrivateKey priv = keyPair.getPrivate();
PublicKey pub = keyPair.getPublic();

To export the keys into a byte array, call either of these methods:

• getEncoded() - returns the byte array representation of the key
• toOctetString() - converts the key to an octet string as defined in SIKE specification, you need to cast the key to SidhPrivateKey or SidhPublicKey to access this method

Obtain the numeric representation of keys using:

• priv.getKey() - returns the FpElement representing the private key
• pub.getPx() - returns the Fp2Element representing the public key element phi(Px)
• pub.getQx() - returns the Fp2Element representing the public key element phi(Qx)
• pub.getRx() - returns the Fp2Element representing the public key element phi(Rx)

Obtain the BigInteger representations of the keys using:

• priv.getM() - returns the BigInteger representing the private key
• pub.getPx().getX0().getX() - returns the BigInteger representing the real part of public key x coordinate phi(Px)
• pub.getPx().getX1().getX() - returns the BigInteger representing the imaginary part of public key x coordinate phi(Px)

Obtaining BigInteger representations of x coordinates of phi(Qx) and phi(Rx) is analogous to phi(Px).

Import private keys from their byte array representation:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);
byte[] secret = secretBytes;
PrivateKey priv = new SidhPrivateKey(sikeParam, Party.ALICE, secret);

It is also possible to import private keys from their octet string representation:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);
String secret = secretOctets;
PrivateKey priv = new SidhPrivateKey(sikeParam, Party.ALICE, secret);

Finally, it is also possible to import private keys from their BigInteger representation:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);
BigInteger secret = new BigInteger(secretNumber);
PrivateKey priv = new SidhPrivateKey(sikeParam, Party.ALICE, secret);

Once having a private key, derive the public key using:

PublicKey pub = keyGenerator.derivePublicKey(Party.ALICE);

Public keys can also be imported from various serialization formats using the SidhPublicKey class constructors.

SIDH is an underlying algorithm used in SIKE. Unlike SIKE, SIDH alone provides insufficient security (it is an IND-CPA scheme) and should only be used with ephemeral keys on both sides of the key exchange. As a result, we recommend not using SIDH for anything else but experiments. This documentation mentions SIDH mostly for the purpose of completeness.

Sidh sidh = new Sidh(sikeParam);
Fp2Element secretA = sidh.generateSharedSecret(Party.ALICE, keyPairA.getPrivate(), keyPairB.getPublic());
Fp2Element secretB = sidh.generateSharedSecret(Party.BOB, keyPairB.getPrivate(), keyPairA.getPublic());

byte[] encoded = secret.getEncoded();

The SIKE encapsulation and decapsulation process is different for either of the parties and starts on BOB's side:

SikeParam sikeParam = new SikeParamP434(ImplementationType.OPTIMIZED);
KeyGenerator keyGenerator = new KeyGenerator(sikeParam);
KeyPair keyPairB = keyGenerator.generateKeyPair(Party.BOB);

BOB transports his public key keyPairB to ALICE, who uses the public key for the encapsulation phase of the KEM:

Sike sike = new Sike(sikeParam);
EncapsulationResult encapsulationResult = sike.encapsulate(keyPairB.getPublic());

At this point, ALICE can calculate the shared secret and the encrypted message:

byte[] secretA = encapsulationResult.getSecret();
EncryptedMessage encryptedMessage = encapsulationResult.getEncryptedMessage();

The encryptedMessage is converted into a byte array representation encodedMessage and transported back to BOB who uses the public key and cipher text included in the message for the decapsulation phase of KEM. Obtain the byte array from the encrypted message for transport over network:

byte[] encodedMessage = encryptedMessage.getEncoded();

The encrypted message is recreated by BOB after the message transport and decapsulation is performed:

EncryptedMessage transportedMessage = new EncryptedMessage(sikeParam, encodedMessage);
byte[] secretB = sike.decapsulate(keyPairB.getPrivate(), keyPairB.getPublic(), transportedMessage);

Both secrets secretA and secretB are equal in case the key encapsulation and decapsulation succeeded. The shared secret sizes are listed in the table presented in the Initialization chapter. Using a hashing function on the shared secret value is advised to obtain shorter shared secret sizes.

Note that SIKE provides higher security than SIDH. It is an IND-CCA2 scheme and can be used with long term keys.

SIKE for Java is currently licensed using GNU AGPLv3 license. We may change the license in the future to a less restrictive one. Please consult us at [email protected] for the software use.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.