7

One of the things that I have come to like about elliptic curve cryptography is that the key only needs to be twice as long as the desired security level. That's a very small expansion (I also like it aesthetically). The sizes for the public key and private key are also the same. Unfortunately, ECC is not secure against quantum algorithms, and quantum computers capable of breaking uses of elliptic curves seem to be coming up within a decade or two. What is more, many post-quantum cryptosystems—the ones I am familiar with, at least—have idiotically huge keys and signatures. The best key sizes seem to be achieved by lattice-based cryptosystems and one variant of code-based cryptography. Are there any candidates with smaller key and signature sizes? Any as small as 10 times larger than the desired security level? Any as small as ECC ones?

Melab

2 Answers

7

It appears that SIDH, or Supersingular Isogeny Diffie-Hellman, is the post-quantum candidate with the smallest key size. When using compression, public key size can be reduced to 330 bytes (2640 bits) to achieve the 128-bit security level. For classical Diffie-Hellman, this value is often quoted at 3072 bits. From the above-linked paper describing the attractiveness of the small public key size of SIDH:

Not only are high-security SIDH public keys smaller than their lattice- and code-based counterparts, they are even smaller than some of the traditional (i.e., finite field) Diffie-Hellman public keys.

The SIDH-based public key encryption and key encapsulation scheme submitted to the NIST post-quantum cryptography process is called SIKE, for Supersingular Isogeny Key Encapsulation, and specifies parameters called SIKEp503 to obtain a 378-byte (3024-bit) public key for the 128-bit security target. However, note that SIKE has been badly broken.

forest
-1

With candidates it must be SIKE, but with non-candidates there is another option: CSIDH. CSIDH with a security level of $128$ bits has a key length of 64 B, only two times as large as ECC. It is also about $10$ times slower than SIKE.

Ievgeni