Supersingular Isogeny Diffie-Hellman: A Beautiful Idea That Almost Worked

On July 30, 2022, two Belgian cryptographers posted a paper to the IACR ePrint archive. Within days, the most mathematically distinctive candidate in NIST's post-quantum competition was dead. The attack ran in about ten minutes on a laptop core, and in roughly an hour on 2013-vintage server hardware. SIKE, the Key Encapsulation Mechanism built around Supersingular Isogeny Diffie-Hellman, had survived five years of cryptanalysis and was a Round 4 NIST candidate. Then Wouter Castryck and Thomas Decru connected it to a 1997 paper on genus-2 curves, and it was over.

This is the story of how that happened, and what the mathematics looked like.

Why we need more than one post-quantum family

Why care about isogeny-based schemes specifically? NIST finalized three post-quantum standards in August 2024: ML-KEM (key encapsulation), ML-DSA (signatures), and SLH-DSA (hash-based signatures). ML-KEM and ML-DSA both rest on structured-lattice hardness assumptions, Module-LWE and Module-SIS. Two of the three first-wave standards collapse if structured-lattice problems turn out to be easier than we think.

The diversity argument has a classical analogy. Finite-field Diffie-Hellman and elliptic-curve Diffie-Hellman are both discrete-log protocols. They share the same logical structure but live in different mathematical worlds. When index-calculus algorithms made finite-field discrete log weaker per bit than expected, the ecosystem had ECDH as an escape hatch: same problem, different group. You could switch without redesigning your protocol layer.

Post-quantum security needs the same property. We want KEMs and signature schemes whose security claims don't all collapse under a single mathematical hammer. The post-quantum families in play today are genuinely distinct:

Lattice-based (ML-KEM, ML-DSA, FALCON): hardness of Learning With Errors and Short Integer Solution. Fast, compact, well-studied since Regev (2005).
Code-based (Classic McEliece, HQC, BIKE): hardness of decoding a random linear code. McEliece dates to 1978 — one of the oldest public-key proposals still standing.
Hash-based (SLH-DSA / SPHINCS+): security reduces to collision resistance of an underlying hash. Extremely conservative; signatures are large.
Isogeny-based (formerly SIDH/SIKE; now CSIDH and SQIsign): hardness of finding isogenies between elliptic curves. The smallest keys of any post-quantum family.
Multivariate and symmetric (UOV, MAYO, FAEST, and others): various other mathematical frameworks, mostly targeting signatures.

The isogeny family was the most algebraically interesting of the lot, and SIDH specifically had the smallest public keys of any post-quantum KEM ever seriously proposed. When it broke, it broke structurally: not because someone found a better algorithm for the underlying hard problem, but because the protocol design leaked more information than was safe. That distinction matters.

Elliptic curves over finite fields

An elliptic curve over a field $K$ (with $\mathrm{char}(K) \neq 2, 3$ ) is, in short Weierstrass form, a smooth projective variety defined by

$E\,:\, y^2 = x^3 + ax + b, \qquad \Delta(E) = -16(4a^3 + 27b^2) \neq 0$

The condition $\Delta \neq 0$ rules out singular points (cusps and nodes). Together with a "point at infinity" $\mathcal{O}$ as the identity, the $K$ -rational points $E(K)$ form an abelian group under the chord-and-tangent addition law: draw the line through two points, take the third intersection with the curve, reflect over the $x$ -axis.

The $j$ -invariant of $E$ is the quantity

$j(E) = 1728 \cdot \frac{4a^3}{4a^3 + 27b^2}$

Two elliptic curves are isomorphic over the algebraic closure $\overline{K}$ if and only if they have the same $j$ -invariant. So $j(E)$ is the curve's address: knowing it tells you which isomorphism class you're in. In SIDH, the shared secret turns out to be a $j$ -invariant, which is why this invariant matters.

For SIDH, we work over the field $\mathbb{F}_{p^2}$ , the degree-2 extension of a prime field. Over finite fields, a fundamental structural theorem says that the $N$ -torsion subgroup (the points killed by multiplication by $N$ , for $\gcd(N, p) = 1$ ) looks like

$E[N] = \{P \in E(\overline{\mathbb{F}_q}) : [N]P = \mathcal{O}\} \cong \mathbb{Z}/N \times \mathbb{Z}/N$

This two-dimensional structure is essential to how SIDH constructs its commutative square.

Ordinary and supersingular curves

Most elliptic curves over $\mathbb{F}_p$ are ordinary: their trace of Frobenius $t$ is nonzero mod $p$ , and their endomorphism ring $\End(E)$ is an order in an imaginary quadratic field, which is a commutative ring of rank 2 over $\mathbb{Z}$ .

A curve is supersingular when $t \equiv 0 \pmod{p}$ , which over $\mathbb{F}_p$ with $p > 3$ is equivalent to $t = 0$ and $\#E(\mathbb{F}_p) = p + 1$ . Equivalently, a supersingular curve has no nontrivial $p$ -torsion points over $\overline{\mathbb{F}_p}$ .

Definition: Supersingular elliptic curve

An elliptic curve $E/\mathbb{F}_p$ is supersingular if $E[p](\overline{\mathbb{F}_p}) = \{\mathcal{O}\}$ : there are no nontrivial points of $p$ -torsion in characteristic $p$ . Equivalently, its endomorphism ring $\End(E)$ is an order in a quaternion algebra over $\mathbb{Q}$ (a noncommutative ring of rank 4 over $\mathbb{Z}$ ), rather than an imaginary quadratic field.

The name is misleading: these are perfectly smooth, nonsingular curves. The word "singular" refers to a classical notion from the theory of complex multiplication and has nothing to do with the curve having singular points.

What matters cryptographically is the quaternionic endomorphism ring. For ordinary curves, $\End(E)$ is commutative: the isogeny problem naturally admits group-action structure, and group-action problems are vulnerable to quantum hidden-shift attacks (Kuperberg's algorithm). For supersingular curves, $\End(E)$ is noncommutative, and the isogeny problem in this noncommutative setting is believed to be exponentially hard even for quantum computers. There is no known analog of Kuperberg's algorithm that exploits noncommutative structure.

There are roughly $\lfloor p/12 \rfloor$ supersingular $j$ -invariants in $\mathbb{F}_{p^2}$ . They are rare, but they are the entire vertex set of the graph that SIDH walks.

Isogenies: maps between curves

An isogeny $\varphi: E_1 \to E_2$ is a nonconstant rational map of projective varieties that is also a group homomorphism. Because of elliptic curve structure, any nonconstant morphism automatically sends the identity to the identity, so "nonconstant morphism" and "isogeny" coincide. An isogeny carries three pieces of data:

Its kernel $\ker \varphi \subset E_1$ , a finite subgroup.
Its degree $\deg \varphi$ : for separable isogenies, this equals $\#\ker \varphi$ .
The fact that the kernel determines the isogeny up to isomorphism: given any finite subgroup $G \subset E_1$ , there is a unique-up-to-isomorphism isogeny $E_1 \to E_1/G$ with kernel $G$ .

Definition: Isogeny

An isogeny between elliptic curves is a nonconstant morphism $\varphi: E_1 \to E_2$ that is also a group homomorphism. It is to elliptic curves what a group homomorphism is to groups, but with extra geometric structure: it is an algebraic map of varieties, defined by rational functions, and its kernel is always a finite subgroup of $E_1$ .

Vélu's formulas (Vélu 1971) give an explicit construction: given $E: y^2 = x^3 + ax + b$ and a cyclic kernel $G = \langle Q \rangle$ of odd prime order $\ell$ , the codomain curve $E' = E/G$ has coefficients

$a' = a - 5\sum_{R \in G \setminus \{\mathcal{O}\}} v_R, \qquad b' = b - 7\sum_{R \in G \setminus \{\mathcal{O}\}} w_R$

where $v_R, w_R$ are explicit polynomials in the coordinates of $R$ . The naive cost is $O(\ell)$ field operations. In practice, SIDH computes large isogenies of degree $2^{e_A}$ or $3^{e_B}$ as chains of small steps: $e_A$ degree-2 isogenies in sequence.

The supersingular isogeny graph

Fix a prime $p$ and a small prime $\ell \neq p$ . The supersingular $\ell$ -isogeny graph $\mathcal{G}_\ell$ over $\mathbb{F}_{p^2}$ is:

Vertices: the supersingular $j$ -invariants in $\mathbb{F}_{p^2}$ , of which there are $\sim p/12$ .
Edges: $\ell$ -isogenies between curves (up to post-composition with isomorphism). Because $E[\ell] \cong (\mathbb{Z}/\ell)^2$ , each vertex has exactly $\ell + 1$ outgoing edges — one for each of the $\ell + 1$ cyclic subgroups of $E[\ell]$ .

The graph is $(\ell+1)$ -regular, and it is connected: every pair of supersingular curves over $\overline{\mathbb{F}_p}$ is connected by a chain of $\ell$ -isogenies.

Theorem (Pizer, 1990).

For any prime $\ell \neq p$ , the supersingular $\ell$ -isogeny graph $\mathcal{G}_\ell$ is a Ramanujan graph: every non-trivial eigenvalue $\lambda$ of its adjacency matrix satisfies

$|\lambda| \le 2\sqrt{\ell}$

This matches the Alon-Boppana lower bound for $(\ell+1)$ -regular graphs, making $\mathcal{G}_\ell$ an asymptotically optimal expander.

The Ramanujan property means random walks on this graph mix in $O(\log p)$ steps: they reach the uniform distribution over all supersingular curves very quickly, with no shortcuts. This is the mathematical fact that makes the graph useful for cryptography. If Alice walks $e_A$ steps from $E_0$ to $E_A$ , and $e_A = O(\log p)$ , the endpoint $E_A$ "looks like" a random supersingular curve. An adversary who sees $E_A$ and $E_0$ faces the problem of finding the walk, and the Ramanujan property gives a formal sense in which this is hard.

This expander property was first exploited cryptographically by Charles, Goren, and Lauter in 2006 to construct a hash function: hash by walking the graph, use the final $j$ -invariant as the hash value. SIDH, proposed by Jao and De Feo in 2011, was the next step: use the walk as a Diffie-Hellman analog.

The SIDH protocol

Setting up

SIDH uses two small primes $\ell_A$ and $\ell_B$ (in the SIKE implementation: $\ell_A = 2$ , $\ell_B = 3$ ) and requires a prime of the form

$p = \ell_A^{e_A}\,\ell_B^{e_B}\,f - 1$

for large exponents $e_A, e_B$ and a small cofactor $f$ . For SIKE-p434 (the NIST Level 1 parameter set), this is $p = 2^{216} \cdot 3^{137} - 1$ , a 434-bit prime.

Why this ugly prime shape? It forces the starting curve $E_0 : y^2 = x^3 + x$ over $\mathbb{F}_{p^2}$ to have order $(p+1)^2 = (\ell_A^{e_A} \ell_B^{e_B} f)^2$ . That means both $E_0[\ell_A^{e_A}]$ and $E_0[\ell_B^{e_B}]$ are subgroups living entirely inside $E_0(\mathbb{F}_{p^2})$ , so Alice and Bob can work with explicit generators without going to larger extension fields.

Fix public bases: $\{P_A, Q_A\}$ generating $E_0[\ell_A^{e_A}]$ and $\{P_B, Q_B\}$ generating $E_0[\ell_B^{e_B}]$ . These are public parameters.

The exchange

Alice picks a secret integer $\alpha \in \mathbb{Z}/\ell_A^{e_A}$ . She forms the subgroup $\langle P_A + [\alpha]Q_A \rangle \subset E_0[\ell_A^{e_A}]$ , computes the corresponding isogeny $\varphi_A: E_0 \to E_A$ via a chain of $e_A$ degree- $\ell_A$ Vélu steps, and publishes:

$\bigl(E_A,\; \varphi_A(P_B),\; \varphi_A(Q_B)\bigr)$

That is: her codomain curve, plus the images of Bob's torsion basis under her secret isogeny.

Bob symmetrically picks $\beta$ , computes $\varphi_B: E_0 \to E_B$ with kernel $\langle P_B + [\beta]Q_B \rangle$ , and publishes:

$\bigl(E_B,\; \varphi_B(P_A),\; \varphi_B(Q_A)\bigr)$

The key exchange: Alice uses Bob's published data to compute $\varphi_A': E_B \to E_{AB}$ with kernel

$\ker \varphi_A' = \langle \varphi_B(P_A) + [\alpha]\varphi_B(Q_A) \rangle$

Bob computes $\varphi_B': E_A \to E_{AB}$ with kernel $\langle \varphi_A(P_B) + [\beta]\varphi_A(Q_B) \rangle$ . The diagram commutes:

\begin{array}{ccc} E_0 & \xrightarrow{\;\varphi_A\;} & E_A \\[4pt] \big\downarrow{\scriptstyle\varphi_B} & & \big\downarrow{\scriptstyle\varphi_B'} \\[4pt] E_B & \xrightarrow{\;\varphi_A'\;} & E_{AB} \end{array}

Both parties arrive at curves isomorphic to $E_{AB}$ , so both can compute the same $j(E_{AB})$ , a field element in $\mathbb{F}_{p^2}$ that serves as the shared secret. This is the analog of $g^{ab}$ in classical Diffie-Hellman: Alice's secret acts on Bob's curve, Bob's secret acts on Alice's curve, and the commutativity of the diagram guarantees they meet at the same place.

SIKE

SIKE wrapped SIDH in an IND-CCA Key Encapsulation Mechanism using a Hofheinz-Hövelmanns-Kiltz-style transform. It was a NIST PQC submission from Round 1 in 2017 through Round 4 in 2022. The public keys were small: 330 bytes uncompressed, 197 bytes with compression, at NIST Level 1. ML-KEM-512 uses 800-byte public keys.

The torsion-image publication step

Notice the asymmetry in what Alice publishes. She sends her codomain curve $E_A$ along with $\varphi_A(P_B)$ and $\varphi_A(Q_B)$ , the images of Bob's torsion basis under her secret isogeny. This is what makes the commutative square work: Alice needs these to evaluate $\varphi_A'$ starting from $E_B$ rather than $E_0$ . It is also, as we will see, what makes the protocol breakable.

Most other isogeny-based systems (the CGL hash function, CSIDH, SQIsign) reveal only the codomain curve. SIDH reveals more. It hands the adversary the action of Alice's secret transformation on a known basis. For a decade, no one knew how to weaponize that. Then Castryck and Decru did.

The unease

The torsion-image publication had made some cryptographers uncomfortable for years. In 2017, Petit showed that revealing additional torsion-point information could enable attacks, but only on deliberately unbalanced parameter sets where $e_A \gg e_B$ or vice versa. SIKE's balanced parameters seemed to escape this. The community's working conclusion was that the structural information leak was present but manageable, and that the protocol's other attractive properties outweighed the theoretical unease.

That comfort lasted five more years.

Kani's lemma: the 1997 paper that waited 25 years

In 1997, Ernst Kani published a paper in Journal für die reine und angewandte Mathematik titled "The number of curves of genus two with elliptic differentials." It was pure algebraic geometry. The paper counted certain arithmetic objects and proved a structural criterion about when a map between products of elliptic curves decomposes into a product of maps between individual curves.

The key object is an isogeny between abelian surfaces: 2-dimensional abelian varieties, which arise naturally as products $E_1 \times E_2$ of two elliptic curves. Given four elliptic curves and isogenies forming a "diamond":

$F: E_1 \times E_2 \longrightarrow E_3 \times E_4$

of degree $N^2$ , Kani's theorem characterizes exactly when $F$ is reducible, meaning its kernel decomposes as a product of subgroups of $E_1[N]$ and $E_2[N]$ rather than being "mixed" in a way that produces a Jacobian of a genus-2 curve.

Theorem (Kani's Reducibility Criterion (informal)).

Given elliptic curves $E_1, E_2$ and an isogeny $F: E_1 \times E_2 \to E_3 \times E_4$ of degree $N^2$ arising from a "diamond" of isogenies, $F$ is reducible (its codomain is a product of elliptic curves, not a Jacobian of a genus-2 curve) if and only if a specific torsion anti-isometry condition holds between the corner isogenies. When $F$ is reducible, its kernel can be read off explicitly, giving the component isogenies $E_1 \to E_3$ and $E_2 \to E_4$ .

The punchline for cryptography: if you can engineer a situation where Kani's criterion applies and gives reducibility, you can read off an isogeny you weren't supposed to know.

The Castryck-Decru attack

Castryck and Decru's insight was that SIDH's published torsion-point images were exactly the data needed to set up Kani's theorem, and the prime form $p = 2^{e_A} \cdot 3^{e_B} \cdot f - 1$ was exactly the structure needed to make the reducibility condition hold.

Here is the high-level construction (Castryck-Decru 2022).

Step 1: Find an auxiliary isogeny. The starting curve $E_0: y^2 = x^3 + x$ has $j$ -invariant 1728 and complex multiplication by $\mathbb{Z}[i]$ . So it has a small-degree endomorphism: $(x, y) \mapsto (-x, iy)$ where $i^2 = -1$ in $\mathbb{F}_{p^2}$ . This endomorphism is the "auxiliary curve" the attack needs, a structural feature of SIKE's specific parameter set.

Step 2: Build the abelian surface map. Using the auxiliary endomorphism and the public torsion images $\varphi_A(P_B), \varphi_A(Q_B)$ , construct an isogeny

$F: E_0 \times E_A \longrightarrow E' \times E''$

of degree $2^{2e_A}$ , whose kernel is determined by the published data. The SIKE prime form guarantees that $2^{e_A} + 3^{e_B}$ has the right shape to satisfy Kani's reducibility criterion.

Step 3: Execute the chain. Compute $F$ as a sequence of $(2,2)$ -isogenies on the abelian surface (Richelot isogenies, a construction from 19th-century algebraic geometry). Each step is concrete linear algebra on Mumford coordinates; the chain has length $e_A$ .

Step 4: Read off the secret. The reducible decomposition of the codomain reveals the component $E_0 \to E_3$ , which encodes $\ker \varphi_A$ directly. Recover Alice's secret $\alpha$ without any search.

The original SageMath implementation ran in about ten minutes for SIKE-p434 on a laptop. A public reproduction by Giacomo Pope took roughly 62 minutes on a single core of a 2013 Intel Xeon E5-2630v2. Microsoft paid out the $50,000 SIKE bounty to the authors. The bounty system worked exactly as intended.

Timeline

July 5, 2022: NIST announces Kyber, Dilithium, FALCON, SPHINCS+ for standardization; SIKE moves to Round 4 as a continued candidate.
July 30, 2022: Castryck-Decru post to ePrint (2022/975).
August 5, 2022: SIKE-p434 broken in ~62 minutes on a single 2013-vintage Xeon core.
August 8, 2022: Maino-Martindale post (2022/1026) extending the attack to arbitrary starting curves — not just SIKE's $E_0 : y^2 = x^3 + x$ .
August 10, 2022: Damien Robert posts a polynomial-time break (2022/1038) using higher-dimensional abelian varieties (dimension 4, then 8).
September 15, 2022: SIKE team publishes final spec acknowledging the break; SIKE is withdrawn.

Maino and Martindale's follow-up matters because it kills the "just use a different starting curve" response. Castryck-Decru's original attack relied on the specific endomorphism available at $E_0: y^2 = x^3 + x$ . Maino and Martindale found a way to construct the necessary auxiliary structure for any supersingular starting curve, removing that dependency.

Robert's polynomial-time result is more decisive. In dimension $d \ge 4$ , you can construct endomorphism matrices of degree $u_1^2 + u_2^2 + \cdots + u_d^2$ , and Lagrange's four-square theorem guarantees every positive integer is a sum of four squares. So in dimension $\ge 4$ , the norm equation Castryck-Decru had to solve for specific SIKE primes always has a solution; no special structure on $p$ is required. The dimension-8 variant makes the algorithm polynomial-time and deterministic. SIDH is broken unconditionally, for any prime and any starting curve.

What was actually broken

The Castryck-Decru attack did not break the supersingular isogeny problem in general (the problem of finding an isogeny between two given supersingular curves). That problem is still believed to be exponentially hard classically and quantumly.

What it broke was the SIDH protocol, specifically the decision to publish torsion-point images. The images $\varphi_A(P_B)$ and $\varphi_A(Q_B)$ are not needed for the underlying hardness claim. They exist only to make the commutative square work without Alice and Bob sharing a common starting basis. That engineering convenience turned out to be a catastrophic information leak.

The structural lesson

You cannot fix SIDH by choosing larger parameters. The attack runs in time polynomial in $\log p$ , so bigger primes make it negligibly slower. The flaw is in the protocol's information structure, not in the size of any quantity. This is qualitatively different from, say, a key-size attack.

The timeline is worth pausing on. SIDH was proposed in 2011. The Kani lemma dates to 1997. For fourteen years, the connection between a 1997 paper on genus-2 curves and a 2011 cryptographic protocol went unnoticed. The attack does not brute-force anything. It reframes the problem geometrically, notices that the published data is exactly sufficient to invoke a classical algebraic result, and reads off the secret as a consequence.

What survives

The break killed SIKE but not the isogeny research program. Several directions remain active.

CSIDH

CSIDH (pronounced "sea-side," Castryck-Lange-Martindale-Panny-Renes 2018) is a different protocol that was never affected by Castryck-Decru. Where SIDH works over $\mathbb{F}_{p^2}$ and uses the full supersingular isogeny graph, CSIDH works with supersingular curves defined over $\mathbb{F}_p$ and uses the action of the ideal class group $\mathrm{cl}(\mathcal{O})$ of the imaginary-quadratic order $\mathcal{O} = \mathbb{Z}[\sqrt{-p}]$ . The protocol never publishes torsion-point images; the only public data is the codomain curve.

CSIDH has its own problems. Its class-group action is commutative, which means Kuperberg's quantum hidden-shift algorithm applies and a quantum adversary can solve the relevant problem in subexponential time. Achieving genuinely post-quantum security at NIST Level 1 likely requires CSIDH primes of 2500-5000 bits, which loses the compact-key advantage that made isogeny schemes attractive in the first place. CSIDH is not a NIST candidate but remains an active research topic.

Masked variants: M-SIDH and MD-SIDH

Fouotsa, Moriya, and Petit (2023) proposed masking the torsion images: Alice publishes $[\mu]\varphi_A(P_B)$ and $[\mu]\varphi_A(Q_B)$ for a secret scalar $\mu$ satisfying $\mu^2 \equiv 1 \pmod{N_B}$ . Without the exact images, the attacker cannot set up the Kani construction. MD-SIDH additionally masks the degree of the secret isogeny.

The cost is severe. M-SIDH public keys for NIST Level 1 are roughly 4,434 bytes, versus 330 bytes for original SIKE-p434. That's a 13x blowup, and subsequent cryptanalysis has continued chipping away at the parameter sets. M-SIDH is not currently on a standardization track.

FESTA

Basso, Maino, and Pope (2023) took a different approach: invert the Castryck-Decru attack and use the dimension-2 isogeny trick as a trapdoor for public-key encryption. In FESTA, decryption is literally "run the SIDH attack on a structured input." The attack becomes the feature. FESTA is IND-CCA secure in the quantum random oracle model, but it is research-stage and not on any standardization track.

SQIsign

SQIsign (De Feo, Kohel, Leroux, Petit, Wesolowski, ASIACRYPT 2020) is the surviving isogeny scheme on a standardization path. It is a signature scheme, not a KEM, and it was unaffected by Castryck-Decru from the start: SQIsign never publishes torsion-point images.

SQIsign's security rests on the Endomorphism Ring Problem (ERP): given a supersingular curve $E$ , compute $\End(E)$ as a maximal order in the quaternion algebra $B_{p,\infty}$ . Wesolowski showed that ERP is equivalent to the general supersingular isogeny problem, so breaking SQIsign is as hard as the isogeny problem itself, the same abstract problem that SIDH claimed to reduce to but, via the torsion images, actually didn't.

SQIsign's computational engine is the Deuring correspondence:

$\{\text{supersingular } E/\overline{\mathbb{F}_p} \text{ up to iso}\} \longleftrightarrow \{\text{maximal orders in } B_{p,\infty} \text{ up to conjugation}\}$

and more finely, isogenies between curves correspond to left ideals connecting the relevant maximal orders. The prover in SQIsign does most of its work as quaternion ideal arithmetic (concrete linear algebra over $\mathbb{Z}$ -modules of rank 4) and translates back to elliptic curves only at the end.

SQIsign status (2024-2025)

NIST selected SQIsign as one of 14 Round-2 signature on-ramp candidates in October 2024 (announcement). Round-2 spec: sqisign.org. Performance on Intel Core i7-13700K at NIST Level 1: signing ~30 ms, verification ~1.5 ms. Signature size: ~177 bytes; public key: ~64 bytes. Signing is slow (an order of magnitude slower than ML-DSA) but the keys and signatures are tiny, beating RSA-2048.

The cost is signing speed and algorithmic complexity. SQIsign's signing path involves Eichler orders, KLPT-style ideal-to-isogeny translation, and a response computation that requires finding a smooth-norm ideal in a noncommutative order. A complete security proof appeared only in 2024-2025. It is not a drop-in replacement for anything, but it is the only isogeny-based scheme with a realistic path to standardization.

What cryptographic agility actually demands

The post-quantum situation after SIKE's fall is not a crisis. ML-KEM works, ML-DSA works, and HQC (selected as a backup KEM in March 2025) provides code-based diversity. The lattice assumptions underlying ML-KEM and ML-DSA have been studied for twenty years, and there is no current threat to them.

The SIKE story is still a useful stress test for the diversity argument. SIKE's break was total and structural, not incremental. The scheme was not weakened; it was eliminated. If SIKE had been the only post-quantum KEM in NIST's portfolio rather than an alternate alongside Kyber, BIKE, HQC, and Classic McEliece, the 2022 break would have been much more disruptive. As it happened, it was a shock to the isogeny community and not a crisis for post-quantum cryptography as a field.

The more durable lesson is about information leakage in protocol design. SIDH's designers needed Alice and Bob to construct each other's isogenies on each other's curves. The solution they found, publishing the torsion images, was elegant and made the mathematics work out cleanly. For a decade it looked like a reasonable design choice that happened to leak a little extra structure. Castryck and Decru showed that "a little extra structure" can be a complete key recovery when the right classical mathematics is brought to bear.

The principle for protocol designers: every bit you publish beyond what is strictly necessary for correctness is a bit an attacker might weaponize. That isn't a new principle; minimal disclosure has always been foundational to good cryptographic design. SIDH is a reminder of how long an information-theoretic surplus can sit harmlessly in a protocol before someone figures out what to do with it.

The supersingular isogeny graph is still a beautiful mathematical object. The Ramanujan property, the Deuring correspondence, the connection to modular forms and quaternion algebras: none of that disappeared when SIKE was withdrawn. SQIsign is built on the same graph and the same deep algebraic structure, but it releases only what correctness requires. The math goes on. The protocol that leaked too much doesn't.

References: Jao-De Feo (2011); Castryck-Decru (2022); Maino et al. (2022); Robert (2022); M-SIDH (2023); FESTA (2023); CSIDH (2018); SQIsign (2020); Kani (1997); Silverman, Arithmetic of Elliptic Curves.