CSI-FiSh: Efficient Isogeny Based Signatures Through Class Group Computations

  • Ward BeullensEmail author
  • Thorsten Kleinjung
  • Frederik Vercauteren
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11921)


In this paper we report on a new record class group computation of an imaginary quadratic field having 154-digit discriminant, surpassing the previous record of 130 digits. This class group is central to the CSIDH-512 isogeny based cryptosystem, and knowing the class group structure and relation lattice implies efficient uniform sampling and a canonical representation of its elements. Both operations were impossible before and allow us to instantiate an isogeny based signature scheme first sketched by Stolbunov. We further optimize the scheme using multiple public keys and Merkle trees, following an idea by De Feo and Galbraith. We also show that including quadratic twists allows to cut the public key size in half for free. Optimizing for signature size, our implementation takes 390 ms to sign/verify and results in signatures of 263 bytes, at the expense of a large public key. This is 300 times faster and over 3 times smaller than an optimized version of SeaSign for the same parameter set. Optimizing for public key and signature size combined, results in a total size of 1468 bytes, which is smaller than any other post-quantum signature scheme at the 128-bit security level.


Isogeny based cryptography Digital signature Class group Group action Fiat-Shamir 



We would like to thank the department of Electrical Engineering at KU Leuven for providing the necessary computing power through the HTCondor framework. Many thanks also to Léo Ducas for computing the HKZ basis of the relation lattice and discussions on CVP solvers.


  1. 1.
    Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Beullens, W.: CSI-FiSh: GitHub repository (2019).
  3. 3.
    Beullens, W., Preneel, B.: Field lifting for smaller UOV public keys. In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 227–246. Springer, Cham (2017). Scholar
  4. 4.
    Biasse, J.-F.: Improvements in the computation of ideal class groups of imaginary quadratic number fields. Adv. Math. Commun. 4(2), 141–154 (2010)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Bonnetain, X., Schrottenloher, A.: Submerging CSIDH. Cryptology ePrint Archive, Report 2018/537 (2018).
  6. 6.
    Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). Scholar
  7. 7.
    Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Math. Comput. 62, 333–350 (1994)MathSciNetzbMATHGoogle Scholar
  9. 9.
    Couveignes, J.M.: Hard Homogeneous Spaces. IACR Cryptology ePrint Archive 2006/291 (1997).
  10. 10.
    De Feo, L.: Mathematics of isogeny based cryptography (2017).
  11. 11.
    De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). Scholar
  12. 12.
    Decru, T., Panny, L., Vercauteren, F.: Faster SeaSign signatures through improved rejection sampling. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 271–285. Springer, Cham (2019). Scholar
  13. 13.
    Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. arXiv preprint arXiv:1902.07556 (2019)
  14. 14.
    Doulgerakis, E., Laarhoven, T., de Weger, B.: Finding closest lattice vectors using approximate Voronoi cells. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 3–22. Springer, Cham (2019). Scholar
  15. 15.
    De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)MathSciNetzbMATHGoogle Scholar
  16. 16.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). Scholar
  17. 17.
    Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). Scholar
  18. 18.
    Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2, 837–850 (1989)MathSciNetCrossRefGoogle Scholar
  19. 19.
    Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). Scholar
  20. 20.
    Jacobson, M.J.: Applying sieving to the computation of quadratic class groups. Math. Comput. 68, 859–867 (1999)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Jao, D., et al.: SIKE. Submission to [29].
  22. 22.
    Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). Scholar
  23. 23.
    Kleinjung, T.: Quadratic sieving. Math. Comput. 85(300), 1861–1873 (2016)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Korkine, A., Zolotareff, G.: Sur les formes quadratiques. Mathematische Annalen 6(3), 366–389 (1873)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: TQC, LIPIcs, vol. 22, pp. 20–34. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2013)Google Scholar
  27. 27.
    Laarhoven, T.: Sieving for closest lattice vectors (with preprocessing). In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 523–542. Springer, Cham (2017). Scholar
  28. 28.
    Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)MathSciNetCrossRefGoogle Scholar
  29. 29.
    National Institute of Standards and Technology. Post-Quantum Cryptography Standardization, December 2016.
  30. 30.
    Peikert, C.: He gives c-sieves on the CSIDH. Cryptology ePrint Archive, Report 2019/725 (2019).
  31. 31.
    Rostovtsev, A., Stolbunov, A.: Public-Key Cryptosystem Based on Isogenies. IACR Cryptology ePrint Archive 2006/145 (2006).
  32. 32.
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(2–3), 201–224 (1987)MathSciNetCrossRefGoogle Scholar
  33. 33.
    Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Springer, Dordrecht (2009). Scholar
  34. 34.
    Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Comm. 4(2), 215–235 (2010)MathSciNetCrossRefGoogle Scholar
  35. 35.
    Stolbunov, A.: Cryptographic schemes based on isogenies. Doctoral thesis, NTNU (2012)Google Scholar
  36. 36.
    Vélu, J.: Isogénies entre courbes elliptiques. CR Acad. Sci. Paris Ser. A. 273, 305–347 (1971)zbMATHGoogle Scholar
  37. 37.
    Wiedemann, D.H.: Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory 32(1), 54–62 (1986)MathSciNetCrossRefGoogle Scholar
  38. 38.
    Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A post-quantum digital signature scheme based on supersingular isogenies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 163–181. Springer, Cham (2017). Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Ward Beullens
    • 1
    Email author
  • Thorsten Kleinjung
    • 2
  • Frederik Vercauteren
    • 1
  1. 1.imec-COSIC, ESATKU LeuvenLeuvenBelgium
  2. 2.EPFL IC LACALLausanneSwitzerland

Personalised recommendations