A Faster Way to the CSIDH

  • Michael MeyerEmail author
  • Steffen Reith
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11356)


Recently Castryck, Lange, Martindale, Panny, and Renes published CSIDH, a new key exchange scheme using supersingular elliptic curve isogenies. Due to its small key sizes and the possibility of a non-interactive and a static-static key exchange, CSIDH seems very interesting for practical applications. However, the performance is rather slow. Therefore, we employ some techniques to speed up the algorithms, mainly by restructuring the elliptic curve point multiplications and by using twisted Edwards curves in the isogeny image curve computations, yielding a speed-up factor of 1.33 in comparison to the implementation of Castryck et al. Furthermore, we suggest techniques for constant-time implementations.


CSIDH Post-quantum cryptography Supersingular elliptic curve isogenies 



This work was partially supported by Elektrobit Automotive, Erlangen, Germany. We thank Fabio Campos, Marc Stöttinger, and the anonymous reviewers for their helpful and valuable comments.


  1. 1.
    Azarderakhsh, R., et al.: Supersingular isogeny key encapsulation, Round 1 submission, NIST Post-Quantum Cryptography Standardization (2017).
  2. 2.
    Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008). Scholar
  3. 3.
    Bernstein, D.J., Birkner, P., Lange, T., Peters, C.: ECM using Edwards curves. Math. Comput. 82(282), 1139–1179 (2013)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Biasse, J.F., Jacobson Jr., M.J., Iezzi, A.: A note on the security of CSIDH. arXiv preprint arXiv:1806.03656 (2018)
  5. 5.
    Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogeny-based schemes. Cryptology ePrint Archive, Report 2018/537 (2018).
  6. 6.
    Bos, J.W., Friedberger, S.: Arithmetic considerations for isogeny based cryptography. Cryptology ePrint Archive, Report 2018/376 (2018).
  7. 7.
    Castryck, W., Galbraith, S., Farashahi, R.R.: Efficient arithmetic on elliptic curves using a mixed Edwards-Montgomery representation. Cryptology ePrint Archive, Report 2008/218 (2008),
  8. 8.
    Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action (2018). Scholar
  9. 9.
    Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptology 8(1), 1–29 (2014)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 303–329. Springer, Cham (2017). Scholar
  11. 11.
    Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). Scholar
  12. 12.
    Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006).
  13. 13.
    De Feo, L.: Mathematics of isogeny based cryptography. Notes from a summer school on Mathematics for Post-quantum cryptography (2017).
  14. 14.
    Edwards, H.M.: A normal form for elliptic curves. Bull. Am. Math. Soc. 44, 393–422 (2007)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Feo, L.D., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. Cryptology ePrint Archive, Report 2018/485 (2018).
  16. 16.
    Jao, D., De Feo, L., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptology 8(3), 209–247 (2014)MathSciNetzbMATHGoogle Scholar
  17. 17.
    Marin, L.: Differential elliptic point addition in Twisted Edwards curves. In: 2013 27th International Conference on Advanced Information Networking and Applications Workshops, pp. 1337–1342 (2013)Google Scholar
  18. 18.
    Meyer, M., Reith, S., Campos, F.: On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic. Cryptology ePrint Archive, Report 2017/1213 (2017).
  19. 19.
    Montgomery, P.L.: Speeding the Pollard and Elliptic Curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Moody, D., Shumow, D.: Analogues of Vélu’s formulas for isogenies on alternate models of elliptic curves. Math. Comput. 85(300), 1929–1951 (2016)CrossRefGoogle Scholar
  21. 21.
    Renes, J.: Computing Isogenies between montgomery curves using the action of (0, 0). In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 229–247. Springer, Cham (2018). Scholar
  22. 22.
    Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006).
  23. 23.
    The National Institute of Standards and Technology (NIST): Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016)Google Scholar
  24. 24.
    Vélu, J.: Isogénies entre courbes elliptiques. C.R. Acad. Sci. Paris, Série A 271, 238–241 (1971)zbMATHGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of Applied Sciences WiesbadenWiesbadenGermany
  2. 2.Department of MathematicsUniversity of WürzburgWürzburgGermany

Personalised recommendations