Abstract
We propose an efficient commutative group action suitable for noninteractive key exchange in a postquantum setting. Our construction follows the layout of the Couveignes–Rostovtsev–Stolbunov cryptosystem, but we apply it to supersingular elliptic curves defined over a large prime field \(\mathbb F_p\), rather than to ordinary elliptic curves. The Diffie–Hellman scheme resulting from the group action allows for publickey validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES128 security level, matching NIST’s postquantum security category I.
Author list in alphabetical order; See https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 643161 (ECRYPTNET), 645622 (PQCRYPTO), 645421 (ECRYPTCSA), and CHISTERA USEIT (NWO project 651.002.004); the Technology Foundation STW (project 13499 – TYPHOON) from the Dutch government; and the Research Foundation  Flanders (FWO) through the WOG Coding Theory and Cryptography. The first listed author is affiliated on a free basis with the Department of Mathematics, Ghent University. Date of this document: 2018.09.07.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
 Postquantum cryptography
 Classgroup action
 Isogenybased cryptography
 Noninteractive key exchange
 Key confirmation
1 Introduction
During the past five to ten years, ellipticcurve cryptography (ECC) has taken over publickey cryptography on the internet and in security applications. Many protocols such as Signal (https://signal.org) or TLS 1.3 rely on the small key sizes and efficient computations to achieve forward secrecy, often meaning that keys are used only once. However, it is also important to notice that security does not break down if keys are reused. Indeed, some implementations of TLS, such as Microsoft’s SChannel, reuse keys for some fixed amount of time rather than for one connection [2]. Google’s QUIC (https://chromium.org/quic) relies on servers keeping their keys fixed for a while to achieve quick session resumption. Several more examples are given by Freire, Hofheinz, Kiltz, and Paterson in their paper [25] formalizing noninteractive key exchange. Some applications require this functionality and for many it provides significant savings in terms of roundtrips or implementation complexity. Finding a postquantum system that permits noninteractive key exchange while still offering decent performance is considered an open problem. Our paper presents a solution to this problem.
Isogenybased cryptography is a relatively new kind of ellipticcurve cryptography, whose security relies on (various incarnations of) the problem of finding an explicit isogeny between two given isogenous elliptic curves over a finite field \(\mathbb F_q\). One of the main selling points is that quantum computers do not seem to make the isogenyfinding problem substantially easier. This contrasts with regular ellipticcurve cryptography, which is based on the discretelogarithm problem in a group and therefore falls prey to a polynomialtime quantum algorithm designed by Shor in 1994 [57].
The first proposal of an isogenybased cryptosystem was made by Couveignes in 1997 [17]. It described a noninteractive key exchange protocol where the space of public keys equals the set of \(\mathbb F_q\)isomorphism classes of ordinary elliptic curves over \(\mathbb F_q\) whose endomorphism ring is a given order \(\mathcal O\) in an imaginary quadratic field and whose trace of Frobenius has a prescribed value. It is wellknown that the idealclass group \(\mathrm {cl}(\mathcal O)\) acts freely and transitively on this set through the application of isogenies. Couveignes’ central observation was that the commutativity of \(\mathrm {cl}(\mathcal O)\) naturally allows for a keyexchange protocol in the style of Diffie and Hellman [23]. His work was only circulated privately and thus not picked up by the community; the corresponding paper [17] was never formally published and posted on ePrint only in 2006. The method was eventually independently rediscovered by Rostovtsev and Stolbunov in 2004 (in Stolbunov’s master’s thesis [60] and published on ePrint as [54] in 2006). In 2010, Childs, Jao and Soukharev [12] showed that breaking the Couveignes–Rostovtsev–Stolbunov scheme amounts to solving an instance of the abelian hiddenshift problem, for which quantum algorithms with a time complexity of \(L_q[1/2]\) are known to exist; see [43, 52]. While this may be tolerable (e.g., classical subexponential factorization methods have not ended the widespread use of RSA), a much bigger concern is that the scheme is unacceptably slow: despite recent clever speedups due to De Feo, Kieffer, and Smith [21, 41], several minutes are needed for a single key exchange at a presumed classical security level of 128 bits. Nevertheless, in view of its conceptual simplicity, compactness, and flexibility, it seems a shame to discard the Couveignes–Rostovtsev–Stolbunov scheme.
The attack due to Childs–Jao–Soukharev strongly relies on the fact that \(\mathrm {cl}(\mathcal O)\) is commutative, hence indirectly on the fact that \(\mathcal O\) is commutative. This led Jao and De Feo [38] to consider the use of supersingular elliptic curves, whose full ring of endomorphisms is an order in a quaternion algebra; in particular it is noncommutative. Their resulting (interactive) keyagreement scheme, which nowadays goes under the name “Supersingular Isogeny Diffie–Hellman” (SIDH), has attracted almost the entire focus of isogenybased cryptography over the past six years. The current stateoftheart implementation is SIKE [37], which was recently submitted to the NIST competition on postquantum cryptography [48].
It should be stressed that SIDH is not the Couveignes–Rostovtsev–Stolbunov scheme in which one substitutes supersingular elliptic curves for ordinary elliptic curves; in fact SIDH is much more reminiscent of a cryptographic hash function from 2006 due to Charles, Goren, and Lauter [11]. SIDH’s public keys consist of the codomain of a secret isogeny and the image points of certain public points under that isogeny. Galbraith, Petit, Shani, and Ti showed in [29] that SIDH keys succumb to active attacks and thus should not be reused, unless combined with a CCA transform such as the Fujisaki–Okamoto transform [26].
In this paper we show that adapting the Couveignes–Rostovtsev–Stolbunov scheme to supersingular elliptic curves is possible, provided that one restricts to supersingular elliptic curves defined over a prime field \(\mathbb F_p\). Instead of the full ring of endomorphisms, which is noncommutative, one should consider the subring of \(\mathbb F_p\)rational endomorphisms, which is again an order \(\mathcal O\) in an imaginary quadratic field. As before \(\mathrm {cl}(\mathcal O)\) acts via isogenies on the set of \(\mathbb F_p\)isomorphism classes of elliptic curves whose \(\mathbb F_p\)rational endomorphism ring is isomorphic to \(\mathcal O\) and whose trace of Frobenius has a prescribed value; in fact if \(p \ge 5\) then there is only one option for this value, namely 0, in contrast with the ordinary case. See e.g. [70, Theorem 4.5], with further details to be found in [8, 22] and in Sect. 3 of this paper. Starting from these observations, the desired adaptation of the Couveignes–Rostovtsev–Stolbunov scheme almost unrolls itself; the details can be found in Sect. 4. We call the resulting scheme CSIDH, where the C stands for “commutative”.^{Footnote 1}
While this fails to address Jao and De Feo’s initial motivation for using supersingular elliptic curves, which was to avoid the \(L_q[1/2]\) quantum attack due to Childs–Jao–Soukharev, we show that CSIDH eliminates the main problem of the Couveignes–Rostovtsev–Stolbunov scheme, namely its inefficiency. Indeed, in Sect. 8 we will report on a proofofconcept implementation which carries out a noninteractive key exchange at a presumed classical security level of 128 bits and a conjectured postquantum security level of 64 bits in about 80 ms, while using key sizes of only 64 bytes. This is over 2000 times faster^{Footnote 2} than the current stateoftheart instantiation of the Couveignes–Rostovtsev–Stolbunov scheme by De Feo, Kieffer and Smith [21, 41], which itself presents many new ideas and speedups to even achieve that speed.
For comparison, we remark that SIDH, which is the NIST submission with the smallest combined key and ciphertext length, uses public keys and ciphertexts of over 300 bytes each. More precisely SIKE’s version p503 uses uncompressed keys of 378 bytes long [37] for achieving CCA security. The optimized SIKE implementation is about ten times faster than our proofofconcept C implementation, but even at \(80\,\mathrm {ms}\), CSIDH is practical.
Another major advantage of CSIDH is that we can efficiently validate public keys, making it possible to reuse a key without the need for transformations to confirm that the other party’s key was honestly generated.
Finally we note that just like the original Couveignes–Rostovtsev–Stolbunov scheme, CSIDH relies purely on the isogenyfinding problem; no extra points are sent that could potentially harm security, as argued in [50].
To summarize, CSIDH is a new cryptographic primitive that can serve as a dropin replacement for the (EC)DH keyexchange protocol while maintaining security against quantum computers. It provides a noninteractive (static–static) key exchange with full publickey validation. The speed is practical while the publickey size is the smallest for key exchange or KEM in the portfolio of postquantum cryptography. This makes CSIDH particularly attractive in the common scenario of prioritizing bandwidth over computational effort. In addition, CSIDH is compatible with 0RTT protocols such as QUIC.
Why supersingular? To understand where the main speedup comes from, it suffices to record that De Feo–Kieffer–Smith had the idea of choosing a field of characteristic p, where p is congruent to \(1\) modulo all small odd primes \(\ell \) up to a given bound. They then look for an ordinary elliptic curve \(E / \mathbb F_p\) such that \(\# E(\mathbb F_p)\) is congruent to 0 modulo as many of these \(\ell \)’s as possible, i.e., such that points of order \(\ell \) exist over \(\mathbb F_p\). These properties ensure that \(\ell \mathcal O\) decomposes as a product of two prime ideals \(\mathfrak {l}= (\ell , \pi  1)\) and \(\overline{\mathfrak {l}}= (\ell , \pi + 1)\), where \(\pi \) denotes the Frobenius endomorphism. For such primes the action of the corresponding ideal classes \([\mathfrak {l}]\) and \([\overline{\mathfrak {l}}] = [\mathfrak {l}]^{1}\) can be computed efficiently through an application of Vélutype formulae to E (resp. its quadratic twist \(E^t\)), the reason being that only \(\mathbb F_p\)rational points are involved. If this works for enough primes \(\ell \), we can expect that a generic element of \(\mathrm {cl}(\mathcal O)\) can be written as a product of small integral powers of such \([\mathfrak {l}]\), so that the classgroup action can be computed efficiently. However, finding an ordinary elliptic curve \(E / \mathbb F_p\) such that \(\# E(\mathbb F_p)\) is congruent to 0 modulo many small primes \(\ell \) is hard, and the main focus of De Feo–Kieffer–Smith is on speeding up this search. In the end it is only practical to enforce this for 7 primes, thus they cannot take full advantage of the idea.
However, in the supersingular case the property \(\# E(\mathbb F_p) = p + 1\) implies that \(\# E(\mathbb F_p)\) is congruent to 0 modulo all primes \(\ell \mid p+1\) that we started from in building p! Concretely, our proofofconcept implementation uses 74 small odd primes, corresponding to prime ideals \(\mathfrak {l}_1, \mathfrak {l}_2, \ldots , \mathfrak {l}_{74}\) for which we heuristically expect that almost all elements of our 256bit size class group can be written as \([\mathfrak {l}_1]^{e_1} [\mathfrak {l}_2]^{e_2} \cdots [\mathfrak {l}_{74}]^{e_{74}}\), where the exponents \(e_i\) are taken from the range \(\{5,\dots ,5\}\); indeed, one verifies that \(\log \,(2 \cdot 5 + 1)^{74} \approx 255.9979\). The action of such an element can be computed as the composition of at most \(5 \cdot 74 = 370\) easy isogeny evaluations. This should be compared to using 7 small primes, where the same approach would require exponents in a range of length about \(2^{256/7} \approx 2^{36}\), in view of which De Feo–Kieffer–Smith also resort to other primes with less beneficial properties, requiring to work in extensions of \(\mathbb F_p\).
The use of supersingular elliptic curves over \(\mathbb F_p\) has various other advantages. For instance, their trace of Frobenius t is 0, so that the absolute value of the discriminant \(t^2  4p = 4p\) is as large as possible. As a consequence, generically the size of the class group \(\mathrm {cl}(\mathcal O)\) is close to its maximal possible value for a fixed choice of p. Conversely, this implies that for a fixed security level we can make a closetominimal choice for p, which directly affects the key size. Note that this contrasts with the CM construction from [9], which could in principle be used to construct ordinary elliptic curves having many points of small order, but whose endomorphism rings have very small class groups, ruling them out for the Couveignes–Rostovtsev–Stolbunov key exchange.
To explain why key validation works, note that we work over \(\mathbb F_p\) with \(p \equiv 3 \pmod 8\) and start from the curve \(E_0:y^2 = x^3 + x\) with \(\mathbb F_p\)rational endomorphism ring \(\mathcal O= \mathbb Z[\pi ]\). As it turns out, all Montgomery curves \(E_A:y^2 = x^3 + Ax^2 + x\) over \(\mathbb F_p\) that are supersingular appear in the \(\mathrm {cl}(\mathcal O)\)orbit of \(E_0\). Moreover their \(\mathbb F_p\)isomorphism class is uniquely determined by A. So all one needs to do upon receiving a candidate public key \(y^2 = x^3 + Ax^2 + x\) is check for supersingularity, which is an easy task; see Sect. 5. The combination of large size of \(\mathrm {cl}(\mathcal O)\) and representation by a single \(\mathbb F_p\)element A explains the small key size of 64 bytes.
1.1 OneWay Group Actions
Although noninteractive key exchange is the main application of our primitive, it is actually more general: It is (conjecturally) an instance of Couveignes’ hard homogeneous spaces [17], ultimately nothing but a finite commutative group action for which some operations are easy to compute while others are hard. Such group actions were first formalized and studied by Brassard and Yung [7]. We summarize Couveignes’ definition:
Definition 1
A hard homogeneous space consists of a finite commutative group G acting freely and transitively on some set X.
The following tasks are required to be easy (e.g., polynomialtime):

Compute the group operations in G.

Sample randomly from G with (close to) uniform distribution.

Decide validity and equality of a representation of elements of X.

Compute the action of a group element \(g\in G\) on some \(x\in X\).
The following problems are required to be hard (e.g., not polynomialtime):

Given \(x,x'\in X\), find \(g\in G\) such that \(g*x = x'\).

Given \(x,x',y\in X\) such that \(x'=g*x\), find \(y'=g*y\).
Any such primitive immediately implies a natural Diffie–Hellman protocol: Alice and Bob’s private keys are random elements a, b of G, their public keys are \(a*x_0\) resp. \(b*x_0\), where \(x_0\in X\) is a public fixed element, and the shared secret is \(b*(a*x_0)=a*(b*x_0)\). The private keys are protected by the difficulty of the first hard problem above, while the shared secret is protected by the second problem. Note that traditional Diffie–Hellman on a cyclic group C is an instance of this, where X is the set of generators of C and G is the multiplicative group \((\mathbb Z/{\#C})^*\) acting by exponentiation.
1.2 Notation and Terminology
We stress that throughout this paper, we consider two elliptic curves defined over the same field identical whenever they are isomorphic over that field. Note that we do not identify curves that are only isomorphic over some extension field, as opposed to what is done in SIDH, for instance. In the same vein, for an elliptic curve E defined over a finite field \(\mathbb F_p\), we let \(\mathrm {End}_p(E)\) be the subring of the endomorphism ring \(\mathrm {End}(E)\) consisting of endomorphisms defined over \(\mathbb F_p\).^{Footnote 3} This subring is always isomorphic to an order in an imaginary quadratic number field. Conversely, for a given order \(\mathcal O\) in an imaginary quadratic field and an element \(\pi \in \mathcal O\), we let denote the set of elliptic curves E defined over \(\mathbb F_p\) with \(\mathrm {End}_p(E)\cong \mathcal O\) such that \(\pi \) corresponds to the \(\mathbb F_p\)Frobenius endomorphism of E. In particular, this implies that \(\varphi \circ \beta = \beta \circ \varphi \) for all \(\mathbb F_p\)isogenies \(\varphi \) between two curves in and all \(\beta \in \mathcal O\) interpreted as endomorphisms.
Ideals are always assumed to be nonzero.
The notation “\(\log \)” refers to the base2 logarithm.
Acknowledgements. This project started during a research retreat on postquantum cryptography, organized by the European PQCRYPTO and ECRYPTCSA projects in Tenerife from 29 January until 1 February 2018. We would like to thank Jeffrey Burdges, whose quest for a flexible postquantum key exchange protocol made us look for speedups of the Couveignes–Rostovtsev–Stolbunov scheme. We are grateful to Luca De Feo, Jean Kieffer, and Ben Smith for sharing a draft of their paper in preparation, and to Daniel J. Bernstein, Luca De Feo, Jeroen Demeyer, Léo Ducas, Steven Galbraith, David Jao, and Fré Vercauteren for helpful feedback.
2 Isogeny Graphs
Good mixing properties of the underlying isogeny graph are relevant for the security of isogenybased cryptosystems. Just as in the original Couveignes–Rostovtsev–Stolbunov cryptosystem, in our case this graph is obtained by taking the union of several large subgraphs (each being a union of large isomorphic cycle graphs) on the same vertex set, one for each prime \(\ell \) under consideration; see Fig. 1 for a (small) example. Such a graph is the Schreier graph associated with our classgroup action and the chosen generators. We refer to the lecture notes of De Feo [19, Sect. 14.1] for more background and to [40] for a discussion of its rapid mixing properties. One point of view on this is that one can quickly move between distant nodes in the subgraph corresponding to one generator by switching to the subgraph corresponding to another generator. This thereby replaces the squareandmultiply algorithm in exponentiationbased cryptosystems (such as classical Diffie–Hellman).
The goal of this section is to analyze the structure of the individual cycles.
Definition 2
For a field k and a prime \(\ell \not \mid \mathrm {char}\, k\), the k rational \(\ell \) isogeny graph \(G_{k, \ell }\) is defined as having all the elliptic curves defined over k as its vertices, and having a directed edge \((E_1, E_2)\) for each krational \(\ell \)isogeny from \(E_1\) to \(E_2\).^{Footnote 4}
Remark 3
A priori \(G_{k, \ell }\) is a directed graph, but given two elliptic curves \(E_1\) and \(E_2\) whose jinvariants are not in \(\{0, 1728\}\), there are exactly as many edges \((E_2,E_1)\) as \((E_1,E_2)\), obtained by taking dual isogenies. Annoyingly, the nodes with jinvariants 0 and 1728 are more complicated, since these are exactly the curves with extra automorphisms: an elliptic curve E in \(G_{k,\ell }\) has fewer incoming than outgoing edges if and only if either \(j(E)=0\) and \(\sqrt{3}\in k\), or if \(j(E)=1728\) and \(\sqrt{1}\in k\). Throughout this paper, we will assume for simplicity that \(\sqrt{3}, \sqrt{1} \notin k\), so that neither of these automorphisms are defined over k and we may view \(G_{k, \ell }\) as an undirected graph. In the case of a finite prime field \(k = \mathbb F_p\), it suffices to restrict to \(p \equiv 11 \pmod {12}\), which will be satisfied in the class of instantiations we suggest.
If \(k = \mathbb F_q\) is a finite field, then \(G_{k, \ell }\) is a finite graph that is the disjoint union of ordinary connected components and supersingular connected components. The ordinary components were studied in Kohel’s PhD thesis [42]. Due to their regular structure, these components later became known as isogeny volcanoes.
In general (e.g. over nonprime fields), the supersingular components may bear no similarity at all to the volcanoes of the ordinary case. Traditionally, following Pizer [51], one instead studies the unique supersingular component of \(G_{k,\ell }\) where \(k = \overline{\mathbb F}_q\), which turns out to be a finite \((\ell {+}1)\)regular Ramanujan graph and forms the basis for the SIDH protocol.
However, Delfs and Galbraith [22] showed that if \(k = \mathbb F_p\) is a finite prime field, then all connected components are volcanoes, even in the supersingular case (where the depth is at most 1 at \(\ell =2\) and 0 otherwise). We present a special case of a unified statement, restricting our attention to the cases in which \(G_{\mathbb F_p,\ell }\) is a cycle. Recall that \(\mathrm {End}_p(E)\) is an order \(\mathcal O\) in the imaginary quadratic field
where \(t\le 2\sqrt{p}\) denotes the (absolute value of the) trace of the Frobenius endomorphism, and that two curves are isogenous over \(\mathbb F_p\) if and only if their traces of Frobenius are equal [66, Theorem 1].
Theorem 4
(Kohel, Delfs–Galbraith). Let \(p \ge 5\) be a prime number and let V be a connected component of \(G_{\mathbb F_p, \ell }\). Assume that \(p \equiv 11 \pmod {12}\) or that V contains no curve with jinvariant 0 or 1728. Let t be the trace of Frobenius common to all vertices in V, and let K be as above. Assume that \(\ell \not \mid t^2  4p\).
Then all elliptic curves in V have the same \(\mathbb F_p\)rational endomorphism ring \(\mathcal O\subseteq K\), and \(\mathcal O\) is locally maximal at \(\ell \). Moreover if \(t^2  4p\) is a (nonzero) square modulo \(\ell \), then V is a cycle whose length equals the order of \([\mathfrak {l}]\) in \(\mathrm {cl}(\mathcal O)\), where \(\mathfrak {l}\) is a prime ideal dividing \(\ell \mathcal O\). If not, then V consists of a single vertex and no edges.
Proof
In the case of an ordinary component this is just a special case of [65, Theorem 7]. In the case of a supersingular component this follows from the proof of [22, Theorem 2.7]. (In both cases, we could alternatively (re)prove this theorem by proving that an \(\ell \)isogeny can only change the conductor of the endomorphism ring of an elliptic curve locally at \(\ell \) and applying Theorem 7.) \(\square \)
In the ordinary case a curve and its quadratic twist can never appear in the same component because they have a different trace of Frobenius. This is the main difference with the supersingular case, where this possibility is not excluded. To avoid confusion, we clarify that by the quadratic twist of a given elliptic curve \(E:y^2 = f(x)\) over \(\mathbb F_p\) we mean the curve \(E^t:dy^2 = f(x)\), where \(d \in \mathbb F_p^*\) is any nonsquare. If \(p \equiv 3 \pmod 4\) and \(j(E) = 1728\) then this may deviate from what some readers are used to, because in this case \(E^t\) and E are \(\mathbb F_p\)isomorphic. Note that such a curve is necessarily supersingular.
Remark 5
In fact, if \(p \equiv 3 \bmod 4\) then there are two nonisomorphic curves over \(\mathbb F_p\) with jinvariant 1728, namely \(y^2 = x^3  x\) and \(y^2 = x^3 + x\), whose endomorphism rings are the full ring of integers \(\mathbb Z[(1+ \sqrt{p})/2]\) and the order \(\mathbb Z[\sqrt{p}]\) of conductor 2 respectively. The connected component of each curve is “symmetric”: if E is n steps along \(G_{\mathbb F_p,\ell }\) in one direction from a curve of jinvariant 1728 then the curve that is n steps in the other direction is the quadratic twist of E. In the case of \(G_{\mathbb F_{83},3}\) we can see this in Fig. 2, which is taken from [22, Fig. 8].
It is also interesting to observe that the symmetry around \(j=1728\) confirms the known fact that the class numbers of \(\mathbb Z[(1+ \sqrt{p})/2]\) and \(\mathbb Z[\sqrt{p}]\) are odd, at least in the case that \(p \equiv 3 \pmod 4\); see [47].
3 The ClassGroup Action
It is wellknown that the idealclass group of an imaginary quadratic order \(\mathcal O\) acts freely via isogenies on the set of elliptic curves with \(\mathbb F_p\)rational endomorphism ring \(\mathcal O\). Using this group action on a set of ordinary elliptic curves for cryptographic purposes was first put forward by Couveignes [17] and independently rediscovered later by Rostovtsev and Stolbunov [54, 60]. Our suggestion is to use the equivalent of their construction in the supersingular setting, thus the following discussion covers both cases at once. For concreteness, we focus on prime fields with \(p\ge 5\) and point out that the ordinary (but not the supersingular) case generalizes to all finite fields. We recall the following standard lemma:
Lemma 6
Let \(E/\mathbb F_p\) be an elliptic curve and G a finite \(\mathbb F_p\)rational (i.e., stable under the action of the \(\mathbb F_p\)Frobenius) subgroup of E. Then there exists an elliptic curve \(E'/\mathbb F_p\) and a separable isogeny \(\varphi :E\rightarrow E'\) defined over \(\mathbb F_p\) with kernel G. The codomain \(E'\) and isogeny \(\varphi \) are unique up to \(\mathbb F_p\)isomorphism.^{Footnote 5}
Proof
[59, Proposition III.4.12, Remark III.4.13.2, and Exercise III.3.13e]. \(\square \)
The idealclass group. We recall the definitions and basic properties of class groups of quadratic orders that will be needed in the following. This section is based on [18, Sect. 7]. Let K be a quadratic number field and \(\mathcal O\subseteq K\) an order (that is, a subring which is a free \(\mathbb Z\)module of rank 2). The norm of an \(\mathcal O\)ideal \(\mathfrak {a}\subseteq \mathcal O\) is defined as \(\mathrm {N}(\mathfrak {a})=\mathcal O/\mathfrak {a}\); it is equal to \(\gcd (\{\mathrm {N}(\alpha )\mid \alpha \in \mathfrak {a}\})\). Norms are multiplicative: \(\mathrm {N}(\mathfrak {a}\mathfrak {b})=\mathrm {N}(\mathfrak {a})\mathrm {N}(\mathfrak {b})\).
A fractional ideal of \(\mathcal O\) is an \(\mathcal O\)submodule of K of the form \(\alpha \mathfrak {a}\), where \(\alpha \in K^*\) and \(\mathfrak {a}\) is an \(\mathcal O\)ideal.^{Footnote 6} Fractional ideals can be multiplied and conjugated in the evident way, and the norm extends multiplicatively to fractional ideals. A fractional \(\mathcal O\)ideal \(\mathfrak {a}\) is invertible if there exists a fractional \(\mathcal O\)ideal \(\mathfrak {b}\) such that \(\mathfrak {a}\mathfrak {b}=\mathcal O\). If such a \(\mathfrak {b}\) exists, we define \(\mathfrak {a}^{1} = \mathfrak {b}\). Clearly all principal fractional ideals \(\alpha \mathcal O\), where \(\alpha \in K^*\), are invertible.
By construction, the set of invertible fractional ideals \(I(\mathcal O)\) forms an abelian group under ideal multiplication. This group contains the principal fractional ideals \(P(\mathcal O)\) as a (clearly normal) subgroup, hence we may define the idealclass group of \(\mathcal O\) as the quotient
Every ideal class \([\mathfrak {a}]\in \mathrm {cl}(\mathcal O)\) has an integral representative, and for any nonzero \(M\in \mathbb Z\) there even exists an integral representative of norm coprime to M.
There is a unique maximal order of K with respect to inclusion called the ring of integers and denoted \(\mathcal O_K\). The conductor of \(\mathcal O\) (in \(\mathcal O_K\)) is the index \(f=[\mathcal O_K:\mathcal O]\). Away from the conductor, ideals are wellbehaved; every \(\mathcal O\)ideal of norm coprime to the conductor is invertible and factors uniquely into prime ideals.
The classgroup action. Fix a prime \(p\ge 5\) and an (ordinary or supersingular) elliptic curve E defined over \(\mathbb F_p\). The Frobenius endomorphism \(\pi \) of E satisfies a characteristic equation
in \(\mathrm {End}_p(E)\), where \(t\in \mathbb Z\) is the trace of Frobenius. The curve E is supersingular if and only if \(t=0\). The \(\mathbb F_p\)rational endomorphism ring \(\mathrm {End}_p(E)\) is an order \(\mathcal O\) in the imaginary quadratic field , where \(\varDelta =t^24p\). We note that \(\mathcal O\) always contains the Frobenius endomorphism \(\pi \), and hence the order \(\mathbb Z[\pi ]\).
Any invertible ideal \(\mathfrak {a}\) of \(\mathcal O\) splits into a product of \(\mathcal O\)ideals as \((\pi \mathcal O)^r\mathfrak {a}_s\), where \(\mathfrak {a}_s\nsubseteq \pi \mathcal O\). This defines an elliptic curve \(E/\mathfrak {a}\) and an isogeny
of degree \(\mathrm {N}(\mathfrak {a})\) as follows [70]: the separable part of \(\varphi _\mathfrak {a}\) has kernel \(\bigcap _{\alpha \in \mathfrak {a}_s}\ker \alpha \), and the purely inseparable part consists of r iterations of Frobenius. The isogeny \(\varphi _\mathfrak {a}\) and codomain \(E/\mathfrak {a}\) are both defined over \(\mathbb F_p\) and are unique up to \(\mathbb F_p\)isomorphism (by Lemma 6), justifying the notation \(E/\mathfrak {a}\). Multiplication of ideals corresponds to the composition of isogenies. Since principal ideals correspond to endomorphisms, two ideals lead to the same codomain if and only if they are equal up to multiplication by a principal fractional ideal. Moreover, every \(\mathbb F_p\)isogeny \(\psi \) between curves in comes from an invertible \(\mathcal O\)ideal in this way, and the ideal \(\mathfrak {a}_s\) can be recovered from \(\psi \) as \(\mathfrak {a}_s=\{\alpha \in \mathcal O\mid \ker \alpha \supseteq \ker \psi \}\). In other words:
Theorem 7
Let \(\mathcal O\) be an order in an imaginary quadratic field and \(\pi \in \mathcal O\) such that is nonempty. Then the idealclass group \(\mathrm {cl}(\mathcal O)\) acts freely and transitively on the set via the map
in which \(\mathfrak {a}\) is chosen as an integral representative.
Proof
See [70, Theorem 4.5]. Erratum: [55, Theorem 4.5]. \(\square \)
To emphasize the fact that we are dealing with a group action, we will from now on write \([\mathfrak {a}] *E\) or simply \([\mathfrak {a}]E\) for the curve \(E/\mathfrak {a}\) defined above.
The structure of the class group. The class group \(\mathrm {cl}(\mathcal O)\) is a finite abelian group whose cardinality is asymptotically [58]
More precise heuristics actually predict that \(\#\mathrm {cl}(\mathcal O)\) grows a little bit faster than \(\sqrt{\varDelta }\), but the ratio is logarithmically bounded so we content ourselves with the above estimate. The exact structure of the class group can be computed in subexponential time \(L_{\varDelta }[1/2;\sqrt{2}+o(1)]\) using an algorithm of Hafner and McCurley [33]. Unfortunately, this requires too much computation for the sizes of \(\varDelta \) we are working with, but there are convincing heuristics concerning the properties of the class group we need. See Sect. 7.1 for these arguments. If the absolute value \(t \) of the trace of Frobenius is “not too big”, the discriminant \(\varDelta \) is about the size of p, hence by the above approximation we may assume \(\#\mathrm {cl}(\mathcal O)\approx \sqrt{p}\). This holds in particular when E is supersingular, where \(t=0\), hence \(\varDelta =4p\).
We are interested in primes \(\ell \) that split in \(\mathcal O\), i.e., such that there exist (necessarily conjugate) distinct prime ideals \(\mathfrak {l},\overline{\mathfrak {l}}\) of \(\mathcal O\) with \(\ell \mathcal O=\mathfrak {l}\overline{\mathfrak {l}}\). Such \(\ell \) are known as Elkies primes in the pointcounting literature. The ideal \(\mathfrak {l}\) is generated as \(\mathfrak {l}=(\ell ,\pi \lambda )\), where \(\lambda \in \mathbb Z/{\ell }\) is an eigenvalue of the Frobenius endomorphism \(\pi \) on the \(\ell \)torsion, and its conjugate is \(\overline{\mathfrak {l}}=(\ell ,\pi p/\lambda )\), where by abuse of notation \(p/\lambda \) denotes any integral representative of that quotient modulo \(\ell \). Note that \(\ell \) splits in \(\mathcal O\) if and only if \(\varDelta \) is a nonzero square modulo \(\ell \).
Computing the group action. Any element of the class group can be represented as a product of small prime ideals [10, Propositions 9.5.2 and 9.5.3], hence we describe how to compute \([\mathfrak {l}]E\) for a prime ideal \(\mathfrak {l}=(\ell ,\pi \lambda )\). There are (at least) the following ways to proceed, which vary in efficiency depending on the circumstances [21, 41]:

Find \(\mathbb F_p\)rational roots of the modular polynomial \(\varPhi _\ell (j(E),y)\) to determine the two jinvariants of possible codomains (i.e., up to four nonisomorphic curves, though in the ordinary case wrong twists can easily be ruled out); compute the kernel polynomials [42] \(\chi \in \mathbb F_p[x]\) for the corresponding isogenies (if they exist); if \((x^p,y^p)=[\lambda ](x,y)\) modulo \(\chi \) and the curve equation, then the codomain was correct, else another choice is correct.

Factor the \(\ell \) ^{th} division polynomial \(\psi _\ell (E)\) over \(\mathbb F_p\); collect irreducible factors with the right Frobenius eigenvalues (as above); use Kohel’s algorithm [42, Sect. 2.4] to compute the codomain.

Find a basis of the \(\ell \)torsion—possibly over an extension field—and compute the eigenspaces of Frobenius; apply Vélu’s formulas [69] to a basis point of the correct eigenspace to compute the codomain.
As observed in [21, 41], the last method is the fastest if the necessary extension fields are small. The optimal case is \(\lambda =1\); in that case, the curve has a rational point defined over the base field \(\mathbb F_p\). If in addition \(p/\lambda =1\), the other eigenspace of Frobenius modulo \(\ell \) is defined over \(\mathbb F_{p^2}\), so both codomains can easily be computed using Vélu’s formulas over an at most quadratic extension (but in fact, a good choice of curve model allows for pure prime field computations, see Sect. 8; alternatively one could switch to the quadratic twist). Note that if \(p\equiv 1\pmod \ell \), then \(\lambda =1\) automatically implies \(p/\lambda =1\).
Much of De Feo–Kieffer–Smith’s work [21, 41] is devoted to finding an ordinary elliptic curve E with many small Elkies primes \(\ell \) such that both E and its quadratic twist \(E^t\) have an \(\mathbb F_p\)rational \(\ell \)torsion point. Despite considerable effort leading to various improvements, the results are discouraging. With the best parameters found within 17 000 h of CPU time, evaluating one classgroup action still requires several minutes of computation to complete. This suggests that without new ideas, the original Couveignes–Rostovtsev–Stolbunov scheme will not become anything close to practical in the foreseeable future.
4 Construction and Design Choices
In this section, we discuss the construction of our proposed group action and justify our design decisions. For algorithmic details, see Sect. 8. Notice that the main obstacle to performance in the Couveignes–Rostovtsev–Stolbunov scheme—constructing a curve with highly composite order—becomes trivial when using supersingular curves instead of ordinary curves, since for \(p\ge 5\) any supersingular elliptic curve over \(\mathbb F_p\) has exactly \(p+1\) rational points.
The cryptographic group action described below is a straightforward implementation of this construction. Note that we require \(p\equiv 3\pmod 4\) so that we can easily write down a supersingular elliptic curve over \(\mathbb F_p\) and so that an implementation may use curves in Montgomery form. It turns out that this choice is also beneficial for other reasons. In principle, this constraint is not necessary for the theory to work, although the structure of the isogeny graph changes slightly (see [22] and Remark 3 for details).
Parameters. Fix a large prime p of the form \(4\ \cdot \ \ell _1\cdots \ell _n1\), where the \(\ell _i\) are small distinct odd primes. Fix the elliptic curve \(E_0:y^2=x^3+x\) over \(\mathbb F_p\); it is supersingular since \(p\equiv 3\pmod 4\). The Frobenius endomorphism \(\pi \) satisfies \(\pi ^2=p\), so its \(\mathbb F_p\)rational endomorphism ring is an order in the imaginary quadratic field \(\mathbb Q(\sqrt{p})\). More precisely, Proposition 8 (below) shows \(\mathrm {End}_p(E_0) = \mathbb Z[\pi ]\), which has conductor 2.
Rational Elkies primes. By Theorem 4, the choices made above imply that the \(\ell _i\)isogeny graph is a disjoint union of cycles. Moreover, since \(\pi ^21\equiv 0\pmod {\ell _i}\) the ideals \(\ell _i\mathcal O\) split as \(\ell _i\mathcal O=\mathfrak {l}_i\overline{\mathfrak {l}_i}\), where \(\mathfrak {l}_i=(\ell _i,\pi 1)\) and \(\overline{\mathfrak {l}_i}=(\ell _i,\pi +1)\). In other words, all the \(\ell _i\) are Elkies primes. In particular, we can use any one of the three algorithms described at the end of Sect. 3 to walk along the cycles.
Furthermore, the kernel of \(\varphi _{\mathfrak {l}_i}\) is the intersection of the kernels of the scalar multiplication \([\ell _i]\) and the endomorphism \(\pi 1\). That is, it is the subgroup generated by a point \(P\) of order \(\ell _i\) which lies in the kernel of \(\pi 1\) or, in other words, is defined over \(\mathbb F_p\). Similarly, the kernel of \(\varphi _{\overline{\mathfrak {l}_i}}\) is generated by a point Q of order \(\ell _i\) that is defined over \(\mathbb F_{p^2}\) but not \(\mathbb F_p\) and such that \(\pi (Q)=Q\). This greatly simplifies and accelerates the implementation, since it allows performing all computations over the base field (see Sect. 8 for details).
Sampling from the class group. Ideally,^{Footnote 7} we would like to know the exact structure of the idealclass group \(\mathrm {cl}(\mathcal O)\) to be able to sample elements uniformly at random. However, such a computation is currently not feasible for the size of discriminant we need, hence we resort to heuristic arguments. Assuming that the \(\mathfrak {l}_i\) do not have very small order and are “evenly distributed” in the class group, we can expect ideals of the form \(\mathfrak {l}_1^{e_1}\mathfrak {l}_2^{e_2}\cdots \mathfrak {l}_n^{e_n}\) for small \(e_i\) to lie in the same class only very occasionally. For efficiency reasons, it is desirable to sample the exponents \(e_i\) from a short range centered around zero, say \(\{m,\dots ,m\}\) for some integer m. We will argue in Sect. 7.1 that choosing m such that \(2m+1\ge \root n \of {\#\mathrm {cl}(\mathcal O)}\) is sufficient. Since the prime ideals \(\mathfrak {l}_i\) are fixed global parameters, the ideal \(\prod _i\mathfrak {l}_i^{e_i}\) may simply be represented as a vector \((e_1,\dots ,e_n)\).
Evaluating the classgroup action. Computing the action of an ideal class represented by \(\prod _i\mathfrak {l}_i^{e_i}\) on an elliptic curve E proceeds as outlined in Sect. 3. Since \(\pi ^2=p\equiv 1\pmod {\ell _i}\), we are now in the favourable situation that the eigenvalues of Frobenius on all \(\ell _i\)torsion subgroups are \(+1\) and \(1\). Hence we can efficiently compute the action of \(\mathfrak {l}_i\) (resp. \(\overline{\mathfrak {l}_i}\)) by finding an \(\mathbb F_p\)rational point (resp. \(\mathbb F_{p^2}\)rational with Frobenius eigenvalue \(1\)) of order \(\ell _i\) and applying Vélutype formulas. This step could simply be repeated for each ideal \(\mathfrak {l}_i^{\pm 1}\) whose action is to be evaluated, but see Sect. 8 for a more efficient method.
5 Representing and Validating \(\mathbb F_p\)isomorphism Classes
A major unsolved problem of SIDH is its lack of publickey validation, i.e., the inability to verify that a public key was honestly generated. This shortcoming leads to polynomialtime active attacks [29] on static variants for which countermeasures are expensive. For example, the actively secure variant SIKE [37] applies a transformation proposed by Hofheinz, Hövelmanns, and Kiltz [36] which is similar to the Fujisaki–Okamoto transform [26], essentially doubling the running time on the recipient’s side compared to an ephemeral key exchange.
The following proposition tackles this problem for our family of CSIDH instantiations. Moreover, it shows that the Montgomery coefficient forms a unique representative for the \(\mathbb F_p\)isomorphism class resulting from the group action, hence may serve as a shared secret without taking jinvariants.
Proposition 8
Let \(p\ge 5\) be a prime such that \(p\equiv 3\pmod 8\), and let \(E/\mathbb F_p\) be a supersingular elliptic curve. Then \(\mathrm {End}_p(E) = \mathbb Z[\pi ]\) if and only if there exists \(A \in \mathbb F_p\) such that E is \(\mathbb F_p\)isomorphic to the curve \(E_A:y^2 = x^3 + Ax^2 + x\). Moreover, if such an \(A\) exists then it is unique.
Proof
First suppose that E is isomorphic over \(\mathbb F_p\) to \(E_A\) for some \(A\in \mathbb F_p\). If \(E_A\) has full \(\mathbb F_p\)rational \(2\)torsion, then Table 1 of [16] shows that either \(E_A\) or its quadratic twist must have order divisible by 8. However, both have cardinality \(p+1\equiv 4\pmod 8\). Hence \(E_A\) can only have one \(\mathbb F_p\)rational point of order 2. With Theorem 2.7 of [22], we can conclude \(\mathrm {End}_p(E)=\mathrm {End}_p(E_A)=\mathbb Z[\pi ]\).
Now assume that \(\mathrm {End}_p(E) = \mathbb Z[\pi ]\). By Theorem 7, the class group \(\mathrm {cl}(\mathbb Z[\pi ])\) acts transitively on , so in particular there exists \([\mathfrak {a}]\in \mathrm {cl}(\mathbb Z[\pi ])\) such that \([\mathfrak {a}]E_0 = E\), where \(E_0:y^2 = x^3 + x\). Choosing a representative \(\mathfrak {a}\) that has norm coprime to 2p yields a separable \(\mathbb F_p\)isogeny \(\varphi _\mathfrak {a}:E_0 \rightarrow E\) of odd degree. Thus, by [53, Proposition 1] there exists an \(A\in \mathbb F_p\) and a separable isogeny \(\psi :E_0 \rightarrow E_A:y^2 = x^3 + Ax^2 + x\) defined over \(\mathbb F_p\) such that \(\ker \psi =\ker \varphi _\mathfrak {a}\). As isogenies defined over \(\mathbb F_p\) with given kernel are unique up to postcomposition with \(\mathbb F_p\)isomorphisms (Lemma 6), we conclude that \(E\) is \(\mathbb F_p\)isomorphic to \(E_A\).
Finally, let \(B\in \mathbb F_p\) such that \(E_A\cong E_B:Y^2 = X^3 + BX^2 + X\). Then by [59, Proposition III.3.1(b)] there exist \(u\in \mathbb F_p^*\) and \(r,s,t\in \mathbb F_p\) such that
Substituting this into the curve equation for \(E_A\) and subtracting the equation of \(E_B\) (scaled by \(u^6\)) equals zero in the function field and thus leads to a linear relation over \(\mathbb F_p\) between the functions 1, X, \(X^2\), Y, and \(XY\). Writing \(\infty \) for the point at infinity of \(E_B\), it follows from Riemann–Roch [59, Theorem 5.4] that \(\mathcal {L}(5(\infty ))\) is a 5dimensional \(\mathbb F_p\)vector space with basis \(\{1,X,Y,X^2,XY\}\). Hence the obtained linear relation must be trivial, and a straightforward computation yields the relations
But since \(E_A\) only has a single \(\mathbb F_p\)rational point of order 2, the only \(r\in \mathbb F_p\) such that \(r^3 + Ar^2 + r = 0\) is simply \(r = 0\). In that case \(u^4 = 1\), and hence \(u = \pm 1\) since \(p\equiv 3\pmod 8\). In particular, \(u^2 = 1\) and thus \(A = B\). \(\square \)
Therefore, by choosing public keys to consist of a Montgomery coefficient \(A\in \mathbb F_p\), Proposition 8 guarantees that A represents a curve in the correct isogeny class , where \(\pi =\sqrt{p}\) and \(\mathcal O=\mathbb Z[\pi ]\), under the assumption that it is smooth (i.e. \(A\notin \{\pm 2\}\)) and supersingular.
Verifying supersingularity. As \(p\ge 5\), an elliptic curve E defined over \(\mathbb F_p\) is supersingular if and only if \(\#E(\mathbb F_p)=p+1\) [59, Exercise 5.10]. In general, proving that an elliptic curve has a given order N is easy if the factorization of N is known; exhibiting a subgroup (or in particular, a single point) whose order d is a divisor of N greater than \(4\sqrt{p}\) implies the order must be correct. Indeed, the condition \(d>4\sqrt{p}\) implies that there exists only one multiple of d in the Hasse interval \([p+12\sqrt{p};\, p+1+2\sqrt{p}]\) [35]. This multiple must be the group order by Lagrange’s theorem.
Now note that a random point generally has very large order \(d\). In our case \( E(\mathbb F_p) \cong \mathbb Z/{4} \times \prod _{i=1}^n\mathbb Z/{\ell _i} \text{, }\) so that \(\ell _i\mid d\) with probability \((\ell _i1)/\ell _i\). Ignoring the even part, this shows that the expected order is lower bounded by
This product is about the same size as p, and it is easily seen that a random point will with overwhelming probability have order (much) greater than \(4\sqrt{p}\). This observation leads to a straightforward verification method, see Algorithm 1.^{Footnote 8}
If the condition \(d>4\sqrt{p}\) does not hold at the end of Algorithm 1, the point P had too small order to prove \(\#E(\mathbb F_p)=p+1\). In this case one may retry with a new random point P (although this outcome has negligible probability and could just be ignored). There is no possibility of wrongly classifying an ordinary curve as supersingular.
Note moreover that if xonly Montgomery arithmetic is used (as we suggest) and the point P is obtained by choosing a random xcoordinate in \(\mathbb F_p\), there is no need to differentiate between points defined over \(\mathbb F_p\) and \(\mathbb F_{p^2}\); any xcoordinate in \(\mathbb F_p\) works. Indeed, any point that has an xcoordinate in \(\mathbb F_p\) but is only defined over \(\mathbb F_{p^2}\) corresponds to an \(\mathbb F_p\)rational point on the quadratic twist, which is supersingular if and only if the original curve is supersingular.
There are more optimized variants of this algorithm; the bulk of the work are the scalar multiplications required to compute the points \(Q_i=[(p+1)/\ell _i]P\). Since they are all multiples of P with shared factors, one may more efficiently compute all \(Q_i\) at the same time using a divideandconquer strategy (at the expense of higher memory usage). See Sect. 8, and in particular Algorithm 3, for details.
6 Noninteractive Key Exchange
Starting from the classgroup action on supersingular elliptic curves and the parameter choices outlined in Sects. 3 and 4, one obtains the following noninteractive keyexchange protocol.
Remark 9
Besides key exchange, we expect that our cryptographic group action will have several other applications, given the resemblance with traditional Diffie–Hellman and the ease of verifying the correctness of public keys. We refer to previous papers on group actions for a number of suggestions in this direction, in particular Brassard–Yung [7], Couveignes [17, Sect. 4], and Stolbunov [61]. We highlight the following 1bit identification scheme, which in our case uses a key pair \(([\mathfrak {a}], A)\) as above. One randomly samples an element \([\mathfrak {b}]\in \mathrm {cl}(\mathcal O)\) and commits to a curve \(E' = [\mathfrak {b}]E_0\). Depending on a challenge bit \(b\), one then releases either \([\mathfrak {b}]\) or \([\mathfrak {c}] := [\mathfrak {b}][\mathfrak {a}]^{1} \), as depicted in Fig. 3. As already pointed out in Stolbunov’s PhD thesis [62, Sect. 2.B], this can be turned into a signature scheme by repeated application of the 1bit protocol and by applying the Fiat–Shamir [24] or Unruh [68] transformation. However, we point out that it is not immediately clear how to represent \([\mathfrak {c}] \) in a way that is efficiently computable and leaks no information about the secret key \([\mathfrak {a}]\). We leave a resolution of this issue for future research, but mention that a related problem was recently tackled by Galbraith, Petit and Silva [30] who studied a similar triangular identification protocol in the context of SIDH.^{Footnote 9}
7 Security
The central problem of our new primitive is the following analogue to the classical discretelogarithm problem.
Problem 10
(Key recovery). Given two supersingular elliptic curves \(E,E'\) defined over \(\mathbb F_p\) with the same \(\mathbb F_p\)rational endomorphism ring \(\mathcal O\), find an ideal \(\mathfrak {a}\) of \(\mathcal O\) such that \([\mathfrak {a}]E=E'\). This ideal must be represented in such a way that the action of \([\mathfrak {a}]\) on a curve can be evaluated efficiently, for instance \(\mathfrak {a}\) could be given as a product of ideals of small norm.
Note that just like in the classical groupbased scenario, security notions of Diffie–Hellman schemes built from our primitive rely on slightly different hardness assumptions (cf. Sect. 1.1) that are straightforward translations of the computational and decisional Diffie–Hellman problems. However, continuing the analogy with the classical case, and since we are not aware of any ideas to attack the key exchange without recovering one of the keys, we will assume in the following analysis that the best approach to breaking the keyexchange protocol is to solve Problem 10.
We point out that the “inverse DiffieHellman problem” is easy in the context of CSIDH: given \([\mathfrak {a}]E_0\) we can compute \([\mathfrak {a}]^{1}E_0\) by mere quadratic twisting; see Remark 5. This contrasts with the classical groupbased setting [28, Sect. 21.1]. Note that just like identifying a point (x, y) with its inverse \((x,y)\) in an ECDLP setting, this implies a security loss of one bit under some attacks: An attacker may consider the curves \([\mathfrak {a}]E\) and \([\mathfrak {a}]^{1}E\) identical, which reduces the search space by half.
No torsionpoint images. One of the most worrying properties of SIDH seems to be that Alice and Bob publish the images of known points under their secret isogenies along with the codomain curve, i.e., a public key is of the form \((E',\varphi (P),\varphi (Q))\) where \(\varphi :E\rightarrow E'\) is a secret isogeny and \(P,Q\in E\) are publicly known points. Although thus far nobody has succeeded in making use of this extra information to break the original scheme, Petit presented an attack using these points when overstretched, highly asymmetric parameters are used [50]. The Couveignes–Rostovtsev–Stolbunov scheme, and consequently our new scheme CSIDH, does not transmit such additional points—a public key consists of only an elliptic curve. Thus we are confident that a potential future attack against SIDH based on these torsion points would not apply to CSIDH.
Chosenciphertext attacks. As explained in Sect. 5, the CSIDH group action features efficient publickey validation. This implies it can be used without applying a CCA transform such as the Fujisaki–Okamoto transform [26], thus enabling efficient noninteractive key exchange and other applications in a postquantum world.
7.1 Classical Security
We begin by considering classical attacks.
Exhaustive key search. The most obvious approach to attack any cryptosystem is to simply search through all possible keys. In the following, we will argue that our construction provides sufficient protection against key search attacks, including dumb brute force and (less naïvely) a meetinthemiddle approach.
As explained in Sect. 4, a private key of our scheme consists of an exponent vector \((e_1,\dots ,e_n)\) where each \(e_i\) is in the range \(\{m,\dots ,m\}\), representing the ideal class \([\mathfrak {l}_1^{e_1}\mathfrak {l}_2^{e_2}\cdots \mathfrak {l}_n^{e_n}]\in \mathrm {cl}(\mathcal O)\). There may (and typically will) be multiple such vectors that represent the same ideal class and thus form equivalent private keys. However, we argue (heuristically) that the number of short representations per ideal class is small. Here and in the following, “short” means that all \(e_i\) are in the range \(\{m,\dots ,m\}\). The maximum number of such short representations immediately yields the minentropy^{Footnote 10} of our sampling method, which measures the amount of work a bruteforce attacker has to do while conducting an exhaustive search for the key.
We assume in the following discussion that \(\mathrm {cl}(\mathcal O)\) is “almost cyclic” in the sense that it has a very large cyclic component, say of order N not much smaller than \(\#\mathrm {cl}(\mathcal O)\). According to a heuristic of Cohen and Lenstra, this is true with high probability for a “random” imaginary quadratic field [13, Sect. 9.I], and this conjecture is in line with our own experimental evidence. So suppose
is a surjective group homomorphism (which may be thought of as a projection to the large cyclic subgroup followed by an isomorphism) and define \(\alpha _i=\rho ([\mathfrak {l}_i])\). We may assume that \(\alpha _1=1\); this can be done without loss of generality whenever at least one of the \([\mathfrak {l}_i]\) has order N in the class group. For some fixed \([\mathfrak {a}]\in \mathrm {cl}(\mathcal O)\), any short representation \([\mathfrak {l}_1^{e_1}\mathfrak {l}_2^{e_2}\cdots \mathfrak {l}_n^{e_n}]=[\mathfrak {a}]\) yields a short solution to the linear congruence
so counting solutions to this congruence gives an upper bound on the number of short representations of \([\mathfrak {a}]\). These solutions are exactly the points in some shifted version (i.e., a coset) of the integer lattice spanned by the rows of the matrix
so by applying the Gaussian heuristic [49, Chap. 2, Definition 8] one expects
short solutions. Since we assumed \(\mathrm {cl}(\mathcal O)\) to be almost cyclic, this ratio is not much bigger than \((2m+1)^n/\#\mathrm {cl}(\mathcal O)\), which is not very large for our choice of m as small as possible with \((2m+1)^n\ge \#\mathrm {cl}(\mathcal O)\).
As a result, we expect the complexity of a bruteforce search to be around \(2^{\log \sqrt{p}\varepsilon }\) for some positive \(\varepsilon \) that is small relative to \(\log \sqrt{p}\). To verify our claims, we performed computer experiments with many choices of p of up to 40 bits (essentially bruteforcing the number of representations for all elements) and found no counterexamples to the heuristic result that our sampling method loses only a few bits of bruteforce security compared to uniform sampling from the class group. For our sizes of p, the minentropy was no more than 4 bits less than that of a perfectly uniform distribution on the class group (i.e. \(\varepsilon \le 4\)). Of course this loss factor may grow in some way with bigger choices of p (a plot of the data points for small sizes suggests an entropy loss proportional to \(\log \log p\)), but we see no indication for it to explode beyond a few handfuls of bits, as long as we find m and n so that \((2m+1)^n\) is not much larger than \(\#\mathrm {cl}(\mathcal O)\).
Meetinthemiddle key search. Since a private key trivially decomposes into a product of two smooth ideals drawn from smaller sets (e.g. splitting \([\mathfrak {l}_1^{e_1}\mathfrak {l}_2^{e_2}\cdots \mathfrak {l}_n^{e_n}]\) as \([\mathfrak {l}_1^{e_1}\cdots \mathfrak {l}_{\nu }^{e_{\nu }}]\cdot [\mathfrak {l}_{\nu +1}^{e_{\nu +1}}\cdots \mathfrak {l}_n^{e_n}]\) for some \(\nu \in \{1,\dots ,n\}\)), the usual timememory tradeoffs à la babystep giantstep [56] with an optimal time complexity of \(O\big (\sqrt{\#\mathrm {cl}(\mathcal O)}\big )\approx O(\root 4 \of {p})\) apply.^{Footnote 11} Another interpretation of this algorithm is finding a path between two nodes in the underlying isogeny graph by constructing a breadthfirst tree starting from each of them, each using a certain subset of the edges, and looking for a collision. Details, including a memoryless variation of this concept, can be found in Delfs and Galbraith’s paper [22], and for the ordinary case in [27].
Remark 11
The algorithms mentioned thus far scale exponentially in the size of the key space, hence they are asymptotically more expensive than the quantum attacks outlined below which is subexponential in the classgroup size. This implies one could possibly balance the costs of the different attacks and use a key space smaller than \(\#\mathrm {cl}(\mathcal O)\) without any loss of security (unless the key space is chosen particularly badly, e.g., as a subgroup), which leads to improved performance. We leave a more thorough analysis of this idea for future work.
Pohlig–Hellmanstyle attacks. Notice that the set we are acting on does not form a group with efficiently computable operations (that are compatible with the action of \(\mathrm {cl}(\mathcal O)\)). Thus there seems to be no way to apply Pohlig–Hellmanstyle algorithms making use of the decomposition of finite abelian groups. In fact, the Pohlig–Hellman algorithm relies on efficiently computable homomorphisms to proper subgroups, which in the setting at hand would correspond to an efficient algorithm that “projects” a given curve to the orbit of \(E_0\) under a subgroup action. Therefore, we believe the structure of the class group to be largely irrelevant (assuming it is big enough); in particular, we do not require it to have a large primeorder subgroup.
7.2 Quantum Security
We now discuss the state of quantum algorithms to solve Problem 10.
Grover’s algorithm and claw finding. Applying Grover search [32] via claw finding as described in [38] is fully applicable to CSIDH as well, leading to an attack on Problem 10 in \(O(\root 6 \of {p})\) calls to a quantum oracle that computes our group action. The idea is to split the search space for collisions into a classical \(O(\root 6 \of {p})\) target part and a \(O(\root 3 \of {p})\) search part on which a quantum search is applied. Our choices of \(p\) that lead to classical security are also immediately large enough to imply quantum security against this attack (cf. [48, Sect. 4.A.5 in Call for Proposals]). That is, the number of queries to our quantum oracle necessary to solve Problem 10 is larger than the number of quantum queries to an AES oracle needed to retrieve the key of the corresponding AES instantiation via Grover’s algorithm. For example, an AES128 key can be recovered with approximately \(2^{64}\) (quantum) oracle queries, which requires us to set \(p>2^{384}\). However, \(p\) is much larger than that (see Table 1) due to the existence of subexponential quantum attacks.
The abelian hiddenshift problem. A crucial result by Kuperberg [43] is an algorithm to solve the hiddenshift problem with time, query and space complexity \(2^{O(\sqrt{\log N})}\) in an abelian group \(H\) of order \(N\). He also showed that any abelian hiddenshift problem reduces to a dihedral hiddensubgroup problem on a different but closely related oracle. A subsequent alternative algorithm by Regev [52] achieves polynomial quantum space complexity with an asymptotically worse time and query complexity of \(2^{O(\sqrt{\log N\log \log N})}\). A followup algorithm by Kuperberg [44] uses \(2^{O(\sqrt{\log N})}\) time, queries and classical space, but only \(O(\log {N})\) quantum space. All these algorithms have subexponential time and space complexity.
Attacking the isogeny problem. The relevance of these quantum algorithms to Problem 10 has been observed by Childs–Jao–Soukharev [12] in the ordinary case and by Biasse–Jao–Sankar [4] in the supersingular setting. By defining functions as \(f_0:[\mathfrak {b}]\mapsto [\mathfrak {b}]E\) and \(f_1:[\mathfrak {b}]\mapsto [\mathfrak {b}]E'=[\mathfrak {b}][\mathfrak {a}]E\), the problem can be viewed as an abelian hiddenshift problem with respect to \(f_0\) and \(f_1\). We note that each query requires evaluating the functions \(f_i\) on arbitrary ideal classes (i.e. without being given a representative that is a product of ideals of small prime norm) which is nontrivial. However, Childs–Jao–Soukharev show this can be done in subexponential time and space [12, Sect. 4].
Subexponential vs. practical. An important remark about all these quantum algorithms is that they do not immediately lead to estimates for runtime and memory requirements on concrete instantiations with \(H = \mathrm {cl}(\mathcal O)\). Although the algorithms by Kuperberg and Regev are shown to have subexponential complexity in the limit, this asymptotic behavior is not enough to understand the space and time complexity on actual (small) instances. For example, Kuperberg’s first paper [43, Theorem 3.1] mentions \(O(2^{3\sqrt{\log N}})\) oracle queries to achieve a nonnegligible success probability when N is a power of a small integer. It also presents a second algorithm that runs in \(\tilde{O}(3^{\sqrt{2\log _3 N}}) = O(2^{1.8\sqrt{\log N}})\) [43, Theorem 5.1]. His algorithms handle arbitrary group structures but he does not work out more exact counts for those. Of course, this does not contradict the time complexity of \(2^{O(\sqrt{\log N})}\) as stated above, but for a concrete security analysis the hidden constants certainly matter a lot and ignoring the O typically underestimates the security. Childs–Jao–Soukharev [12, Theorem 5.2] prove a query complexity of
where \(N = \# \mathrm {cl}(\mathcal O)\), for using Regev’s algorithm for solving the hiddenshift problem. This estimates only the query complexity, so does not include the cost of queries to the quantum oracle (i.e. the isogeny oracle). Childs–Jao–Soukharev present two algorithms to compute the isogeny oracle, the fastest of which is due to Bisson [5]. In [12, Remark 4.8] Childs–Jao–Soukharev give an upper bound of
on the running time of Bisson’s algorithm.
Remark 12
Childs–Jao–Soukharev compute the total cost for computing the secret isogeny in [12, Remark 5.5] to be \(L_p[1/2,3/\sqrt{2}]\) (using Regev and Bisson’s algorithms, requiring only polynomial space). They appear to obtain this by setting \(N=p\) when multiplying (1) and (2), but as \(N \sim \sqrt{p}\) this is an overestimation and should be \(L_p[1/2,1+1/\sqrt{2}]\). Either way, this is the largest asymptotic complexity of the estimates. Also, Galbraith and Vercauteren [31] point out this algorithm actually has superpolynomial space complexity due to the high memory usage of the isogeny oracle in [12], but see [39].
Childs–Jao–Soukharev additionally compute the total time \(L_p[1/2,1/\sqrt{2}]\) for computing the secret isogeny combining Kuperberg [43] and Bisson. This requires superpolynomial storage (also before considering the memory usage of the oracle). Note that in this combination the costs of the oracle computation dominate asymptotically.
It is important to mention that asymptotically worse algorithms may provide practical improvements on our “small” instances over either of the algorithms studied by Childs–Jao–Soukharev: For example, Couveignes [17, Sect. 5] provides heuristic arguments that one can find smooth representatives of ideal classes by computing the classgroup structure (which can be done in polynomial time on a quantum computer [34]) and applying a latticebasisreduction algorithm such as LLL [45] to its lattice of relations. This might be more efficient than using Childs–Jao–Soukharev’s subexponential oracle. However, note that this method makes evaluating the oracle several times harder for the attacker than for legitimate users, thus immediately giving a few additional bits of security, since users only evaluate the action of very smooth ideals by construction. We believe further research in this direction is necessary and important, since it will directly impact the cost of an attack, but we consider a detailed analysis of all these algorithms and possible tradeoffs to be beyond the scope of this work.^{Footnote 12}
Remark 13
After we posted a first version of this paper on the Cryptology ePrint Archive, there were three independent attempts at assessing the security of CSIDH.
Biasse, Iezzi, and Jacobson [3] work out some more details of the attack ideas mentioned above for Regev’s algorithm. They focus on the classgroupcomputation part of the oracle and they work out how to represent random elements of the class group as a product of small prime ideals. Their analysis is purely asymptotic and an assessment of the actual cost on specific instances is explicitly left for future work.
Bonnetain and Schrottenloher [6] determine (quantum) query complexities for breaking CSIDH under the assumption that the quantum memory can be made very large, which implies that Kuperberg’s faster algorithms would be applicable. They estimate the number of oracle queries as \((5\pi ^2/4) 2^{1.8\sqrt{\log N}}\). The 1.8 appears to approximate the \(\sqrt{2\log 3}\) in Kuperberg [43, Theorem 5.1]. They state \(2^{1.8\sqrt{\log N} + 2.3}\) for the number of qubits.
While we ignored Kuperberg’s algorithm due to the large memory costs, they take the stance that “the most timeefficient version is relevant”, and so do not ignore this algorithm. For small N the number of qubits stated in [6] might be possible, which makes Kuperberg’s algorithm indeed relevant for these sizes. However, this also highlights the high cost of computing the oracle, which Childs–Jao–Soukharev placed at \(L_p[1/2,1/\sqrt{2}]\). Bonnetain and Schrottenloher investigate the oracle computation using Couveignes’ LLL idea and improve it using better lattice basis reduction.
The current version of Bonnetain–Schrottenloher [6] also presents concrete estimates for the attack costs for our parameter sets, but unfortunately this version ignores most of the cost of evaluating isogenies. For example: (1) Algorithm 2 in our paper makes heavy use of inputdependent branches, which is impossible in superposition [39, Sect. 4]; (2) [6] skips finding points of order \(\ell _i\) which are needed as the kernel of the \(\ell _i\) isogeny; (3) [6] applies a result for multiplication costs in \(\mathbb F_{2^n}\) to multiplications in \(\mathbb F_p\). We analyzed the (significantly higher) cost of a quantum oracle for isogeny evaluation and conclude that the current estimates of Bonnetain–Schrottenloher do not imply that the 512bit parameters stated below are broken under NIST level 1.
Jao, LeGrow, Leonardi, and RuizLopez recently made a preprint [39] of their MathCrypt paper available to us. They address the issue of superpolynomial space in the oracle computation identified by Galbraith and Vercauteren (stated above) and give a new algorithm for finding short representations of elements. Their paper focuses on the asymptotic analysis of the oracle step so that they achieve overall polynomial quantum space, but does not obtain any concrete cost estimates.
7.3 Instantiations
Finally we present estimates for some sizes of \(p\).
Security estimates. As explained in Sect. 7.1, the best classical attack has query complexity \(O(\root 4 \of {p})\), and the number of queries has been worked out for different quantum attacks. We consider [12] in combination with Regev and Kuperberg (\(L_p\big [1/2,3/\sqrt{2}\big ]\) and \(L_p\big [1/2,1/\sqrt{2}\big ]\), respectively) as well as the pure query complexity of Regev’s and Kuperberg’s algorithms (\(L_N\big [1/2,\sqrt{2}\big ]\), \(O(2^{3\sqrt{\log N}})\), and \(O(2^{1.8\sqrt{\log N}})\), respectively). We summarize the resulting attack complexities, ignoring the memory costs and without restricting the maximum depth of quantum circuits, for some sizes of \(p\) in Table 1. We note again that we expect these complexities to be subject to more careful analysis, taking into account the implicit constants, the (in)feasibility of long sequential quantum operations, and the large memory requirement. We also include the recent estimates on the query complexity and full attack complexity by Bonnetain and Schrottenloher [6].
We point out a recent analysis [1] which shows that the classical attack on SIDH (which is the same for CSIDH) is likely slower in practice than current parameter estimates assumed, which is due to the huge memory requirements of the searches. Similarly, the cost of the quantum attacks is significantly higher than just the query complexity times the cost of the group action because evaluating the oracle in superposition is significantly more expensive than a regular group action.
Recall that public keys consist of a single element \(A\in \mathbb F_p\), which may be represented using \(\lceil \log p\rceil \) bits. A private key is represented as a list of n integers in \(\{m,\dots ,m\}\), where m was chosen such that \(n \log (2m+1)\approx \log \sqrt{p}\), hence it may be stored using roughly \((\log p)/2\) bits. Therefore the rows of Table 1 correspond to public key sizes of 64, 128, and 224 bytes, and private keys are approximately half that size when encoded optimally.
Security levels. We approximate security levels as proposed by NIST for the postquantum standardization effort [48, Sect. 4.A.5]. That is, the \(k\)bit security level means that the required effort for the best attacks is at least as large as that needed for a keyretrieval attack on a block cipher with a \(k\)bit key (e.g. AES\(k\) for \(k\in \{128,192,256\}\)). In other words, under the assumption that the attacks query an oracle on a circuit at least as costly as AES, we should have a query complexity of at least \(2^{k1}\) resp. \(\sqrt{2^k}\) to a classical resp. quantum oracle. NIST further restricts the power of the quantum computation to circuits of maximum depth \(2^{40}\) up to \(2^{96}\), meaning that theoretically optimal tradeoffs (such as the formulas in Table 1 above) might not be possible for cryptographic sizes.
The parameters for CSIDH\(\log p\) were chosen to match the query complexity of Regev’s attack on the hiddenshift problem (see the third column in Table 1) for roughly \(2^{k/2}\), which should match NIST levels 13 as the group action computation has depth at least as large as AES.
Some other algorithms give lower estimates which makes it necessary to evaluate the exact cost of the oracle queries or compute the lowerorder terms in the complexity. The analysis in [6, Table 8] states lower overall costs compared to AES. While this is a signficant improvement, we believe that this does not affect our security claim when accounting precisely for the actual cost of oracle queries, as stated above. Our preliminary analysis shows costs of more than \(2^{50}\) qubit operations for evaluating the oracle for \(\log p = 512\), where [6] assumes \(2^{37}\). This means that the NIST levels are reached even with the low query numbers in [6]. More analysis is certainly needed and it is unclear whether that will result in larger or smaller choices of p.
Note that adjusting parameters only involves changing the prime \(p\) (and a few numbers derived from it) and is therefore very simple, should it turn out that our initial estimates are insufficient.
8 Implementation
In this section, we outline our most important tricks to make the system easier to implement or the code faster. As pointed out earlier, the crucial step is to use a field of size \(4\cdot \ell _1\cdots \ell _n1\), where the \(\ell _i\) are small distinct odd primes; this implies that all \(\ell _i\) are Elkies primes for a supersingular elliptic curve over \(\mathbb F_p\) and that the action of ideals \((\ell _i,\pi \pm 1)\) can be computed efficiently using \(\mathbb F_p\)rational points. See Sect. 4 for these design decisions. The following section focuses on lowerlevel implementation details.
Montgomery curves. The condition \(p\,+\,1\,\equiv \,4\pmod 8\) implies that all curves in can be put in the form \(y^2 = x^3 + Ax^2 + x\) (cf. Proposition 8) for some \(A\in \mathbb F_p\) via an \(\mathbb F_p\)isomorphism. This is commonly referred to as the Montgomery form [46] of an elliptic curve and is popular due to the very efficient arithmetic on its \(x\)line. This extends well to computations of isogenies on the \(x\)line, as was first shown by Costello–Longa–Naehrig [15, Sect. 3]. Our implementation uses exactly the same formulas for operations on curves. For isogeny computations on Montgomery curves we use a projectivized variant (to avoid almost all inversions) of the formulas from Costello–Hisil [14] and Renes [53]. This can be done as follows.
For a fixed prime \(\ell \ge 3\), a point P of order \(\ell \), and an integer \(k\in \{1,\dots ,\ell 1\}\), let \((X_k:Z_k)\) be the projectivized xcoordinate of \([k]P\). Then by defining \(c_i\in \mathbb F_p\) such that
as polynomials in w, we observe that
where
and \(A\) is the Montgomery coefficient of the domain curve. By noticing that \(x([k]P) = x([\ell k]P)\) for all \(k\in \{1,\ldots ,(\ell 1)/2\}\) we can reduce the computation needed by about half. That is, we can compute \((\tau (A3\sigma ) : 1)\) iteratively in about operations^{Footnote 13}, noting that \(\tau (A3\sigma )\) is the Montgomery coefficient of the codomain curve of an isogeny with kernel \(\langle P\rangle \) [53, Proposition 1]. If necessary, a single division at the end of the computation suffices to obtain an affine curve constant. We refer to the implementation for more details.
Note that for a given prime \(\ell \), we could reduce the number of field operations by finding an appropriate representative of the isogeny formulas modulo (a factor of) the \(\ell \)division polynomial \(\psi _\ell \) (as done in [15] for 3 and 4isogenies). Although this would allow for a more efficient implementation, we do not pursue this now for the sake of simplicity.
Rational points. Recall that the goal is to evaluate the action of (the class of) an ideal \( \mathfrak {l}_1^{e_1}\cdots \mathfrak {l}_n^{e_n} \) on a curve , where each \(\mathfrak {l}_i=(\ell _i,\pi 1)\) is a prime ideal of small odd norm \(\ell _i\) and the \(e_i\) are integers in a short range \(\{m,\dots ,m\}\). We assume E is given in the form \(E_A:y^2=x^3+Ax^2+x\).
The obvious way to do this is to consider each factor \(\mathfrak {l}_i^{\pm 1}\) in this product and to find the abscissa of a point \(P\) of order \(\ell _i\) on E, which (depending on the sign) is defined over \(\mathbb F_p\) or \(\mathbb F_{p^2}\!\setminus \!\mathbb F_p\). This exists by our choice of p and \(\ell _i\) (cf. Sect. 4). Finding such an abscissa amounts to sampling a random \(\mathbb F_p\)rational xcoordinate, checking whether \(x^3+Ax^2+x\) is a square or not (for \(\mathfrak {l}_i^{+1}\) resp. \(\mathfrak {l}_i^{1}\)) in \(\mathbb F_p\) (and resampling if it was wrong), followed by a multiplication by \((p+1)/\ell _i\) and repeating from the start if the result is \(\infty \). The kernel of the isogeny given by \(\mathfrak {l}_i^{\pm 1}\) is then \(\langle P\rangle \), so the isogeny may be computed using Vélutype formulas. Repeating this procedure for all \(\mathfrak {l}_i^{\pm 1}\) gives the result.
However, fixing a sign before sampling a random point effectively means wasting about half of all random points, including an ultimately useless square test. Moreover, deciding on a prime \(\ell _i\) before sampling a point and doing the cofactor multiplication wastes another proportion of the points, including both an ultimately useless square test and a scalar multiplication. Both of these issues can be remedied by not fixing an \(\ell _i\) before sampling a point, but instead taking any xcoordinate, determining the smallest field of definition (i.e. \(\mathbb F_p\) or \(\mathbb F_{p^2}\)) of the corresponding point, and then performing whatever isogeny computations are possible using that point (based on its field of definition and order). The steps are detailed in Algorithm 2.
Due to the commutativity of \(\mathrm {cl}(\mathcal O)\), and since we only decrease (the absolute value of) each \(e_i\) once we successfully applied the action of \(\mathfrak {l}_i^{\pm 1}\) to the current curve, this algorithm indeed computes the action of \([\mathfrak {l}_1^{e_1}\mathfrak {l}_2^{e_2}\cdots \mathfrak {l}_n^{e_n}]\).
Remark 14
Since the probability that a random point has order divisible by \(\ell _i\) (and hence leads to an isogeny step in Algorithm 2) grows with \(\ell _i\), the isogeny steps for big \(\ell _i\) are typically completed before those for small \(\ell _i\). Hence it may make sense to sample the exponents \(e_i\) for ideals \(\mathfrak {l}_i\) from different ranges depending on the size of \(\ell _i\), or to not include any very small \(\ell _i\) in the factorization of \(p+1\) at all to reduce the expected number of repetitions of the loop above. Note moreover that doing so may also improve the performance of straightforward constanttime adaptions of our algorithms, since it yields stronger upper bounds on the maximum number of required loop iterations (at the expense of slightly higher cost per isogeny computation). Varying the choice of the \(\ell _i\) can also lead to performance improvements if the resulting prime p has lower Hamming weight. Finding such a p is a significant computational effort but needs to be done only once; all users can use the same finite field.
Remark 15
Algorithm 2 is obviously strongly variabletime when implemented naïvely. Indeed, the number of points computed in the isogeny formulas is linear in the degree, hence the iteration counts of certain loops in our implementation are very directly related to the private key. We note that it would not be very hard to create a constanttime implementation based on this algorithm by always performing the maximal required number of iterations in each loop and only storing the results that were actually needed (using constanttime conditional instructions), although this incurs quite a bit of useless computation, leading to a doubling of the number of curve operations on average. We leave the design of optimized constanttime algorithms for future work.
Publickey validation. Recall that the publickey validation method outlined in Sect. 5 essentially consists of computing \([(p+1)/\ell _i]P\) for each i, where P is a random point on E. Performing this computation in the straightforward way is simple and effective. On the other hand, a divideandconquer approach, such as the following recursive algorithm, yields better speeds at the expense of slightly higher memory usage. Note that Algorithm 3 only operates on public data, hence need not be constanttime in a sidechannel resistant implementation.
This routine can be used for verifying that an elliptic curve \(E/\mathbb F_p\) is supersingular as follows: Pick a random point \(P\in E(\mathbb F_p)\) and run Algorithm 3 on input [4]P and \((\ell _1,\dots ,\ell _n)\) to obtain the points \(Q_i=[(p+1)/\ell _i]P\). Then continue like in Algorithm 1 to verify that E is supersingular using these precomputed points.
In practice, it is not necessary to run Algorithm 3 as a blackbox function until it returns all the points \(Q_1,\dots ,Q_n\): The order checking in Algorithm 1 can be performed as soon as a new point \(Q_i\) becomes available, i.e., in the base case of Algorithm 3. This reduces the memory usage (since the points \(Q_i\) can be discarded immediately after use) and increases the speed (since the algorithm terminates as soon as enough information was obtained) of publickey validation using Algorithms 1 and 3. We note that the improved performance of this algorithm compared to Algorithm 1 alone essentially comes from a timespace tradeoff, hence the memory usage is higher (cf. Sect. 8.1). On severely memoryconstrained devices one may instead opt for the naïve algorithm, which requires less space but is slower.
8.1 Performance Results
On top of a minimal implementation in the sage computer algebra system [67] for demonstrative purposes, we created a somewhat optimized proofofconcept implementation of the CSIDH group action for a particular 512bit prime p. While this implementation features 512bit field arithmetic written in assembly (for Intel Skylake processors), it also contains generic C code supporting other field sizes and can therefore easily be ported to other computer architectures or parameter sets if desired.^{Footnote 14}
The prime p is chosen as \(p=4\cdot \ell _1\cdots \ell _{74}1\) where \(\ell _1\) through \(\ell _{73}\) are the smallest 73 odd primes and \(\ell _{74}=587\) is the smallest prime distinct from the other \(\ell _i\) that renders p prime. This parameter choice implies that public keys have a size of 64 bytes. Private keys are stored in 37 bytes for simplicity, but an optimal encoding would reduce this to only 32 bytes. Table 2 summarizes performance numbers for our proofofconcept implementation. Note that privatekey generation is not listed as it only consists of sampling n random integers in a small range \(\{m,\dots ,m\}\), which has negligible cost.
We emphasize that both our implementations are intended as a proof of concept and unfit for production use; in particular, they are explicitly not sidechannel resistant and may contain any number of bugs. We leave the design of hardened and more optimized implementations for future work.
Notes
 1.
Since this work was started while being very close to a wellknown large body of salt water, we pronounce CSIDH as rather than spelling out all the letters.
 2.
This speedup is explained in part by comparing our own C implementation to the sage implementation of De Feo–Kieffer–Smith.
 3.
This constraint only makes a difference for supersingular curves: in the ordinary case, all endomorphisms are defined over the base field.
 4.
Due to our convention of identifying kisomorphic curves, we also identify isogenies if they are kisomorphic, i.e., equal up to postcomposition with a kisomorphism.
 5.
This statement remains true in vast generality, but we only need this special case.
 6.
Note that the use of the word “ideal” is inconsistent in the literature. We make the convention that “ideal” without qualification refers to an integral \(\mathcal O\)ideal (i.e., an ideal in the sense of ring theory), while fractional ideals are clearly named as such.
 7.
No pun intended.
 8.
The same idea gives rise to a simpler Monte Carlo algorithm which does not require the factorization of \(p+1\) but has a chance of false positives [64, Sect. 2.3].
 9.
 10.
The minentropy of a random variable is the negative logarithm of the probability of the most likely outcome.
 11.
Strictly speaking, the complexity depends on the size of the subset one samples private keys from, rather than the size of the class group, but as was argued before, these are approximately equal for our choice of m and n.
 12.
The page margins are certainly too narrow to contain such an analysis.
 13.
Here M and S denote a multiplication and squaring in \(\mathbb F_p\).
 14.
All our code is published in the public domain and is available for download at https://yx7.cc/code/csidh/csidhlatest.tar.xz.
References
Adj, G., CervantesVázquez, D., ChiDomínguez, J.J., Menezes, A., RodríguezHenríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. In: SAC 2018 (2018)
Bernstein, D.J., van Gastel, B., Janssen, W., Lange, T., Schwabe, P., Smetsers, S.: TweetNaCl: a crypto library in 100 tweets. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 64–83. Springer, Cham (2015). https://doi.org/10.1007/9783319162959_4
Biasse, J.F., Iezzi, A., Jacobson Jr., M.J.: A note on the security of CSIDH (2018). https://arxiv.org/abs/1806.03656. To be published at Kangacrypt 2018
Biasse, J.F., Jao, D., Sankar, A.: A quantum algorithm for computing isogenies between supersingular elliptic curves. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 428–442. Springer, Cham (2014). https://doi.org/10.1007/9783319130392_25
Bisson, G.: Computing endomorphism rings of elliptic curves under the GRH. J. Math. Cryptol. 5(2), 101–114 (2012)
Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH and ordinary isogenybased schemes. IACR Cryptology ePrint Archive 2018/537, version 20180621:135910 (2018). https://eprint.iacr.org/2018/537/20180621:135910
Brassard, G., Yung, M.: Oneway group actions. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 94–107. Springer, Heidelberg (1991). https://doi.org/10.1007/3540384243_7
Bröker, R.: A \(p\)adic algorithm to compute the Hilbert class polynomial. Math. Comput. 77(264), 2417–2435 (2008)
Bröker, R., Stevenhagen, P.: Efficient CMconstructions of elliptic curves over finite fields. Math. Comput. 76(260), 2161–2179 (2007)
Buchmann, J., Vollmer, U.: Binary Quadratic Forms: An Algorithmic Approach. Algorithms and Computation in Mathematics, vol. 20. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540463689
Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009)
Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)
Cohen, H., Lenstra Jr., H.W.: Heuristics on class groups of number fields. In: Jager, H. (ed.) Number Theory Noordwijkerhout 1983. LNM, vol. 1068, pp. 33–62. Springer, Heidelberg (1984)
Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 303–329. Springer, Cham (2017). https://doi.org/10.1007/9783319706979_11
Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny DiffieHellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662530184_21
Costello, C., Smith, B.: Montgomery curves and their arithmetic: the case of large characteristic fields. IACR Cryptology ePrint Archive 2017/212 (2017). https://ia.cr/2017/212
Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive 2006/291 (2006). https://ia.cr/2006/291
Cox, D.A.: Primes of the Form \(x^2+ny^2\): Fermat, Class Field Theory, and Complex Multiplication. Pure and Applied Mathematics, 2nd edn. Wiley, Hoboken (2013)
De Feo, L.: Mathematics of isogeny based cryptography (2017). https://arxiv.org/abs/1711.04062
De Feo, L., Jao, D., Plût, J.: Towards quantumresistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
De Feo, L., Kieffer, J., Smith, B.: Towards practical key exchange from ordinary isogeny graphs. In: Galbraith, S.D., Peyrin, T. (eds.) ASIACRYPT 2018, LNCS, vol. 11274, pp. xx–yy. Springer, Heidelberg (2018)
Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptogr. 78(2), 425–440 (2016)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3540477217_12
Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.G.: Noninteractive key exchange. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 254–271. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642363627_17
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051_34
Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Computat. Math. 2, 118–138 (1999)
Galbraith, S.D.: Mathematics of PublicKey Cryptography. Cambridge University Press, Cambridge (2012)
Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662538876_3
Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/9783319706948_1
Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quant. Inf. Process. 17. IACR Cryptology ePrint Archive 2017/774 (2018). https://ia.cr/2017/774
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: STOC, pp. 212–219. ACM (1996)
Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2(4), 837–850 (1989)
Hallgren, S.: Fast quantum algorithms for computing the unit group and class group of a number field. In: STOC, pp. 468–474. ACM (2005)
Hasse, H.: Zur Theorie der abstrakten elliptischen Funktionenkörper III. Die Struktur des Meromorphismenrings. Die Riemannsche Vermutung. J. für die reine und angewandte Mathematik 175, 193–208 (1936)
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A Modular analysis of the FujisakiOkamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/9783319705002_12
Jao, D., Azarderakhsh, R., Campagna, M., Costello, C., De Feo, L., Hess, B., Jalali, A., Koziel, B., LaMacchia, B., Longa, P., Naehrig, M., Renes, J., Soukharev, V., Urbanik, D.: SIKE. Submission to [48]. http://sike.org
Jao, D., De Feo, L.: Towards quantumresistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642254055_2
Jao, D., LeGrow, J., Leonardi, C., RuizLopez, L.: A subexponentialtime, polynomial quantum space algorithm for inverting the CM group action. In: MathCrypt 2018 (2018, to appear)
Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009)
Kieffer, J.: Étude et accélération du protocole d’échange de clés de CouveignesRostovtsevStolbunov. Mémoire du Master 2, Université Paris VI (2017). https://arxiv.org/abs/1804.10128
Kohel, D.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkeley (1996)
Kuperberg, G.: A subexponentialtime quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)
Kuperberg, G.: Another subexponentialtime quantum algorithm for the dihedral hidden subgroup problem. In: TQC, LIPIcs, vol. 22, pp. 20–34. Schloss Dagstuhl  LeibnizZentrum für Informatik (2013)
Lenstra Jr., H.W., Lenstra, A.K., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)
Mordell, L.J.: The congruence \((p1/2)! \equiv \pm 1\ ({\rm mod}\ p)\). Am. Math. Mon. 68(2), 145–146 (1961)
National Institute of Standards and Technology: Postquantum Cryptography Standardization, December 2016. https://csrc.nist.gov/Projects/PostQuantumCryptography/PostQuantumCryptographyStandardization
Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642022951
Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017). https://doi.org/10.1007/9783319706979_12
Pizer, A.K.: Ramanujan graphs and Hecke operators. Bull. Am. Math. Soc. (N.S.) 23(1), 127–137 (1990)
Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space (2004). https://arxiv.org/abs/quantph/0406151
Renes, J.: Computing isogenies between Montgomery curves using the action of (0, 0). In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 229–247. Springer, Cham (2018). https://doi.org/10.1007/9783319790633_11
Rostovtsev, A., Stolbunov, A.: Publickey cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006/145 (2006). https://ia.cr/2006/145
Schoof, R.: Nonsingular plane cubic curves over finite fields. J. Comb. Theory Ser. A 46(2), 183–211 (1987)
Shanks, D.: Class number, a theory of factorization, and genera. In: Proceedings of Symposia in Pure Mathematics, vol. 20, pp. 415–440 (1971)
Shor, P.W.: Polynomialtime algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
Siegel, C.: Über die Classenzahl quadratischer Zahlkörper. Acta Arithmetica 1(1), 83–86 (1935)
Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106, 2nd edn. Springer, New York (2009). https://doi.org/10.1007/9780387094946
Stolbunov, A.: Publickey encryption based on cycles of isogenous elliptic curves. Master’s thesis, SaintPetersburg State Polytechnical University (2004). (in Russian)
Stolbunov, A.: Constructing publickey cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)
Stolbunov, A.: Cryptographic schemes based on isogenies. Ph.D. thesis, Norwegian University of Science and Technology (2011)
Sutherland, A.V.: Order computations in generic groups. Ph.D. thesis, Massachusetts Institute of Technology (2007). https://groups.csail.mit.edu/cis/theses/sutherlandphd.pdf
Sutherland, A.V.: Identifying supersingular elliptic curves. LMS J. Comput. Math. 15, 317–325 (2012)
Sutherland, A.V.: Isogeny volcanoes. In: ANTS X. Open Book Series, vol. 1, pp. 507–530. MSP (2012). https://arxiv.org/abs/1208.5370
Tate, J.: Endomorphisms of abelian varieties over finite fields. Inventiones Mathematicae 2(2), 134–144 (1966)
The Sage Developers: SageMath, The Sage Mathematics Software System, Version 8.1 (2018). https://sagemath.org
Unruh, D.: Quantum proofs of knowledge. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 135–152. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642290114_10
Vélu, J.: Isogénies entre courbes elliptiques. Comptes Rendus de l’Académie des Sciences de Paris 273, 238–241 (1971)
Waterhouse, W.C.: Abelian varieties over finite fields. Annales scientifiques de l’École Normale Supérieure 2, 521–560 (1969)
Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A postquantum digital signature scheme based on supersingular isogenies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 163–181. Springer, Cham (2017). https://doi.org/10.1007/9783319709727_9
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 International Association for Cryptologic Research
About this paper
Cite this paper
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J. (2018). CSIDH: An Efficient PostQuantum Commutative Group Action. In: Peyrin, T., Galbraith, S. (eds) Advances in Cryptology – ASIACRYPT 2018. ASIACRYPT 2018. Lecture Notes in Computer Science(), vol 11274. Springer, Cham. https://doi.org/10.1007/9783030033323_15
Download citation
DOI: https://doi.org/10.1007/9783030033323_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030033316
Online ISBN: 9783030033323
eBook Packages: Computer ScienceComputer Science (R0)