A Note on the Security of CSIDH

  • Jean-François BiasseEmail author
  • Annamaria Iezzi
  • Michael J. JacobsonJr.
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11356)


We propose a quantum algorithm for computing an isogeny between two elliptic curves \(E_1,E_2\) defined over a finite field such that there is an imaginary quadratic order \(\mathcal {O}\) satisfying \(\mathcal {O}\simeq {\text {End}}(E_i)\) for \(i = 1,2\). This concerns ordinary curves and supersingular curves defined over \(\mathbb {F}_p\) (the latter used in the recent CSIDH proposal). Our algorithm has heuristic asymptotic run time \(e^{O\left( \sqrt{\log (|\varDelta |)}\right) }\) and requires polynomial quantum memory and \(e^{O\left( \sqrt{\log (|\varDelta |)}\right) }\) quantumly accessible classical memory, where \(\varDelta \) is the discriminant of \(\mathcal {O}\). This asymptotic complexity outperforms all other available methods for computing isogenies.

We also show that a variant of our method has asymptotic run time \(e^{\tilde{O}\left( \sqrt{\log (|\varDelta |)}\right) }\) while requesting only polynomial memory (both quantum and classical).



The authors thank Léo Ducas for useful comments on the memory requirements of the BKZ algorithm. The authors thank Noah Stephens-Davidowitz for information on the resolution of the approximate CVP. The authors also thank Tanja Lange and Benjamin Smith for useful comments on an earlier version of this draft.


  1. 1.
    Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J.-J., Menezes, A., Rodríguez-Henríquez, F.: The cost of computing isogenies between supersingular elliptic curves. Cryptology ePrint Archive, Report 2018/313 (2018).
  2. 2.
    Azarderakhsh, R., Jao, D., Leonardi, C.: Post-quantum static-static key agreement using multiple protocol instances. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 45–63. Springer, Cham (2018). Scholar
  3. 3.
    Bennett, C.H.: Time/space trade-offs for reversible computation. SIAM J. Comput. 18(4), 766–776 (1989)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Biasse, J.-F., Fieker, C., Jacobson Jr., M.J.: Fast heuristic algorithms for computing relations in the class group of a quadratic order, with applications to isogeny evaluation. LMS J. Comput. Math. 19(A), 371–390 (2016)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Biasse, J.-F., Jao, D., Sankar, A.: A quantum algorithm for computing isogenies between supersingular elliptic curves. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 428–442. Springer, Cham (2014). Scholar
  6. 6.
    Biasse, J.-F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: Krauthgamer, R. (ed.) Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2016, Arlington, VA, USA, 10–12 January 2016, pp. 893–902. SIAM (2016)Google Scholar
  7. 7.
    Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogeny-based schemes. Cryptology ePrint Archive, Report 2018/537 (2018).
  8. 8.
    Bosma, W., Stevenhagen, P.: On the computation of quadratic 2-class groups. Journal de Théorie des Nombres de Bordeaux 8(2), 283–313 (1996)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Bröker, R., Charles, D., Lauter, K.: Evaluating large degree isogenies and applications to pairing based cryptography. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 100–112. Springer, Heidelberg (2008). Scholar
  10. 10.
    Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. Cryptology ePrint Archive, Report 2018/383 (2018). to appear in Asiacrypt 2018Google Scholar
  11. 11.
    Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2013)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Cohen, H.: A Course in Computational Algebraic Number Theory. Graduate Texts in Mathematics, vol. 138, p. xii+534. Springer, Berlin (1993). Scholar
  13. 13.
    Couveignes, J.-M.: Hard homogeneous spaces.
  14. 14.
    Diffie, W., Helman, M.: New directions in cryptography. IEEE Trans. Inf. Soc. 22(6), 644–654 (1976)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Feo, L.D., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. Cryptology ePrint Archive, Report 2018/485 (2018). to appear in Asiacrypt 2018
  16. 16.
    Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002). Scholar
  17. 17.
    Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). Scholar
  18. 18.
    Gauß, C.F., Waterhouse, W.C.: Disquisitiones Arithmeticae. Springer, New York (1986). translated by A.A. ClarkCrossRefGoogle Scholar
  19. 19.
    Hafner, J., McCurley, K.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2, 839–850 (1989)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Hamdy, S., Saidak, F.: Arithmetic properties of class numbers of imaginary quadratic fields. JP J. Algebra Number Theory Appl. 6(1), 129–148 (2006)MathSciNetzbMATHGoogle Scholar
  21. 21.
    Hanrot, G., Pujol, X., Stehlé, D.: Terminating BKZ. IACR Cryptology ePrint Archive 2011, 198 (2011)Google Scholar
  22. 22.
    Hanrot, G., Stehlé, D.: Improved analysis of kannan’s shortest lattice vector algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007). Scholar
  23. 23.
    Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). Scholar
  24. 24.
    Jao, D., LeGrow, J., Leonardi, C., Ruiz-Lopez, L.: A subexponential-time, polynomial quantum space algorithm for inverting the cm action. In: Slides of Presentation at the MathCrypt Conference (2018).
  25. 25.
    Kabatyanskii, A., Levenshtein, V.: Bounds for packings. On a sphere and in space. Proulcmy Peredacha informatsü 14, 1–17 (1978)MathSciNetzbMATHGoogle Scholar
  26. 26.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Johnson, D., et al. (eds.) Proceedings of the 15th Annual ACM Symposium on Theory of Computing, 25–27 April, 1983, Boston, Massachusetts, USA, pp. 193–206. ACM (1983)Google Scholar
  27. 27.
    Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandão, F. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2013, May 21–23, 2013, Guelph, Canada, vol. 22 of LIPIcs, pp. 20–34. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2013)Google Scholar
  28. 28.
    Nagell, T.: Über die Klassenzahl imaginär-quadratischer Zahlkörper. Abh. Math. Sem. Univ. Hamburg 1, 140–150 (1922)MathSciNetCrossRefGoogle Scholar
  29. 29.
    National Institute of Standards and Technology. Post quantum cryptography project (2018).
  30. 30.
    Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space. arXiv:quant-ph/0406151
  31. 31.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(2), 181–199 (1994)MathSciNetCrossRefGoogle Scholar
  32. 32.
    Shanks, D.: Gauss’s ternary form reduction and the 2-sylow subgroup. Math. Comput. 25(116), 837–853 (1971)MathSciNetzbMATHGoogle Scholar
  33. 33.
    Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106, p. xii+400. Springer, New York (1992). Scholar
  34. 34.
    Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)MathSciNetCrossRefGoogle Scholar
  35. 35.
    Storjohann, A.: Algorithms for Matrix Canonical Forms. Ph.D. thesis, Department of Computer Science, Swiss Federal Institute of Technology - ETH (2000)Google Scholar
  36. 36.
    Tate, J.: Endomoprhisms of abelian varieties over finite fields. Inventiones Mathematica 2, 134–144 (1966)CrossRefGoogle Scholar
  37. 37.
    Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Jean-François Biasse
    • 1
    Email author
  • Annamaria Iezzi
    • 1
  • Michael J. JacobsonJr.
    • 2
  1. 1.Department of Mathematics and StatisticsUniversity of South FloridaTampaUSA
  2. 2.Department of Computer ScienceUniversity of CalgaryCalgaryCanada

Personalised recommendations