
On the Security of OSIDH

Part of the Lecture Notes in Computer Science book series (LNSC, volume 13177)


The Oriented Supersingular Isogeny Diffie–Hellman is a post-quantum key exchange scheme recently introduced by Colò and Kohel. It is based on the group action of an ideal class group of a quadratic imaginary order on a subset of supersingular elliptic curves, and in this sense it can be viewed as a generalization of the popular isogeny based key exchange CSIDH. From an algorithmic standpoint, however, OSIDH is quite different from CSIDH. In a sense, OSIDH uses class groups which are more structured than in CSIDH, creating a potential weakness that was already recognized by Colò and Kohel. To circumvent the weakness, they proposed an ingenious way to realize a key exchange by exchanging partial information on how the class group acts in the neighborhood of the public curves, and conjectured that this additional information would not impact security.

In this work we revisit the security of OSIDH by presenting a new attack, building upon previous work of Onuki. Our attack has exponential complexity, but it practically breaks Colò and Kohel’s parameters unlike Onuki’s attack. We also discuss countermeasures to our attack, and analyze their impact on OSIDH, both from an efficiency and a functionality point of view.


  • Post-quantum cryptography
  • Isogenies
  • Cryptographic group actions

DOI: 10.1007/978-3-030-97121-2_3


  1. The “Commutative Supersingular Diffie–Hellman”, pronounced sea-side.

  2. CSIDH-512 was originally claimed to match the NIST-1 security level. Recent works have questioned the quantum security of CSIDH [8, 33], but to this day CSIDH-512’s classical security claim still holds unchanged.


  1. Aggarwal, D., Mukhopadhyay, P.: Improved algorithms for the shortest vector problem and the closest vector problem in the infinity norm (2018).

  2. Alamati, N., De Feo, L., Montgomery, H., Patranabis, S.: Cryptographic group actions and applications. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 411–439. Springer, Cham (2020).

  3. Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem (shortened version). In: STACS (1985).

  4. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, January 2016.

  5. Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020).

  6. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019).

  7. Boneh, D., Kogan, D., Woo, K.: Oblivious pseudorandom functions from isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 520–550. Springer, Cham (2020).

  8. Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 493–522. Springer, Cham (2020).

  9. Brassard, G., Yung, M.: One-way group actions. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 94–107. Springer, Heidelberg (1991).

  10. Bröker, R., Lauter, K., Sutherland, A.V.: Modular polynomials via isogeny volcanoes. Math. Comput. 81(278), 1201–1231 (2011).

  11. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018).

  12. Chavez-Saab, J., Chi-Dominguez, J.J., Jaques, S., Rodriguez-Henriquez, F.: The SQALE of CSIDH: square-root Vélu quantum-resistant isogeny action with low exponents. Cryptology ePrint Archive, Report 2020/1520 (2020).

  13. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1993).

  14. Colò, L., Kohel, D.: Orienting supersingular isogeny graphs. J. Math. Cryptol. 14(1), 414–437 (2020).

  15. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006).

  16. Cox, D.A.: Primes of the form \(x^2+ny^2\). Wiley (2013).

  17. Dartois, P., De Feo, L.: On the security of OSIDH. Cryptology ePrint Archive, Report 2021/1681 (2021).

  18. De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019).

  19. De Feo, L., Meyer, M.: Threshold schemes from isogeny assumptions. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 187–212. Springer, Cham (2020).

  20. de Saint Guilhem, C.D., Orsini, E., Petit, C., Smart, N.P.: Semi-commutative masking: a framework for isogeny-based protocols, with an application to fully secure two-round isogeny-based OT. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 235–258. Springer, Cham (2020).

  21. Ducas, L., Laarhoven, T., van Woerden, W.P.J.: The randomized slicer for CVPP: sharper, faster, smaller, batchier. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 3–36. Springer, Cham (2020).

  22. Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018).

  23. Espitau, T., Kirchner, P.: The nearest-colattice algorithm: time-approximation tradeoff for approx-CVP. Open Book Ser. 4, 251–266 (2020).

  24. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002).

  25. Galbraith, S.D., Stolbunov, A.: Improved algorithm for the isogeny problem for ordinary elliptic curves. Appl. Algebra Eng. Commun. Comput. 24(2), 107–131 (2013).

  26. Jaques, S., Schrottenloher, A.: Low-gate quantum golden collision finding. Cryptology ePrint Archive, Report 2020/424 (2020).

  27. Kohel, D.: Endomorphism rings of elliptic curves over finite fields (1996).

  28. Kohel, D.R., Lauter, K., Petit, C., Tignol, J.P.: On the quaternion-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014).

  29. Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005).

  30. Lai, Y.F., Galbraith, S.D., de Saint Guilhem, C.: Compact, efficient and UC-secure isogeny-based oblivious transfer. Cryptology ePrint Archive, Report 2020/1012 (2020).

  31. Milne, J.S.: Complex multiplication (2020).

  32. Onuki, H.: On oriented supersingular elliptic curves (2020).

  33. Peikert, C.: He gives C-sieves on the CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 463–492. Springer, Cham (2020).

  34. Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017).

  35. Pohlig, S.E., Hellman, M.E.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inf. Theor. IT 24(1), 106–110 (1978).

  36. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006).

  37. Schnorr, C.P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987).

  38. Silverman, J.H.: Advanced Topics in the Arithmetic of Elliptic Curves. Springer, New York (1994).

  39. Silverman, J.H.: Integral points on elliptic curves. In: The Arithmetic of Elliptic Curves. GTM, vol. 106, pp. 269–307. Springer, New York (2009).

  40. Sutherland, A.V.: Structure computation and discrete logarithms in finite abelian \(p\)-groups. Math. Comput. 80(273), 477–500 (2010).

  41. The FPLLL development team: FPyLLL, a Python wrapper for the fplll lattice reduction library, Version: 0.5.6 (2021).

  42. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.2) (2021).

  43. Vélu, J.: Isogénies entre courbes elliptiques. Comptes-rendus de l’Académie des Sciences 273, 238–241 (1971).

  44. Waterhouse, W.C.: Abelian varieties over finite fields. Annales scientifiques de l’École Normale Supérieure 2(4), 521–560 (1969).

  45. Wesolowski, B.: The supersingular isogeny path and endomorphism ring problems are equivalent. Cryptology ePrint Archive, Report 2021/919 (2021).

  46. Aono, Y., Espitau, T., Nguyen, P.Q.: Random lattices: theory and practice.

Author information

Corresponding author: Pierrick Dartois.
A Time Complexity of the Chain Attack of Sect. 3.3

We refer to Sect. 3.3 for the notations. As explained in Sect. 3.3, the dominant step in the attack is to find a close vector to \(\mathbf {e}_{i+1}\) in \(L_{i+1}\) and compute the action of \([\mathfrak {a}_i\cdot \mathfrak {b}_i]\) on \(E_{i+1}\). This operation has to be repeated at most \(\simeq \ell \) times for each \(i\in \llbracket 0~;~n-1\rrbracket \), hence at most \(n\ell \) times in total.

If we find \(\mathbf {c}\in L_{i+1}\) close to \(\mathbf {e}_{i+1}\) and set \(\mathbf {e}'_{i+1}:=\mathbf {e}_{i+1}-\mathbf {c}\), so that \([\mathfrak {a}_i\cdot \mathfrak {b}_i]=\prod _{j=1}^t[\mathfrak {q}_j]^{e'_{i+1,j}}\) in \(\text {Cl}(\mathcal {O}_{i+1})\), then the time complexity of the operation \([\mathfrak {a}_i\cdot \mathfrak {b}_i]\cdot E_{i+1}\) is

$$\begin{aligned} \varTheta \left( (i+1)\sum _{j=1}^tP(q_j,n)|e'_{i+1,j}|\right) , \end{aligned}$$

where P is a polynomial. Hence, the complexity is \(\varTheta (\Vert \mathbf {e}'_{i+1}\Vert _1)\) up to a polynomial factor (in n, t and the \(q_j\)). Since \(\Vert \mathbf {e}'_{i+1}\Vert _2\le \Vert \mathbf {e}'_{i+1}\Vert _1\le \sqrt{t}\Vert \mathbf {e}'_{i+1}\Vert _2\), the complexity becomes \(\varTheta (\Vert \mathbf {e}'_{i+1}\Vert _2)\) up to a polynomial factor.

Theorem 3

[23, Theorem 3.3]. Let \(\varLambda \subseteq \mathbb {Z}^d\) be a lattice of rank d, \(B:=(\mathbf {b}_1,\ldots , \mathbf {b}_d)\) a basis of \(\varLambda \), \(\mathbf {x}\in \mathbb {R}^d\) a target and \(k\in \mathbb {N}^*\) such that \(d>2k\). Under some heuristic assumptions, there exists an algorithm finding \(\mathbf {c}\in \varLambda \) such that

$$\begin{aligned} \Vert \mathbf {x}-\mathbf {c}\Vert _2=\varTheta \left( GH(k)^{\frac{d}{2k}}\text {Covol}(\varLambda )^{\frac{1}{d}}\right) , \end{aligned}$$

where GH is the Gaussian heuristic function: \(GH(k):=\varGamma (k/2+1)^{1/k}/\sqrt{\pi }\). This algorithm runs in time

$$\begin{aligned} (T_{CVP}(k)+T_{SVP}(k))P\left( k,d,\log \Vert \mathbf {x}\Vert _2,\log \max _{1\le i\le d}\Vert \mathbf {b}_i\Vert _2\right) , \end{aligned}$$

where \(T_{CVP}(k)\) and \(T_{SVP}(k)\) are the time complexities of oracles for CVP and SVP in dimension k for the norm \(\ell _2\) respectively and P is a polynomial.

The best known algorithms for CVP and SVP are due to [21] and [4] respectively. They run in time \(T_{CVP}(k)=2^{c_1 k+o(k)}\) and \(T_{SVP}(k)=\left( \frac{3}{2}\right) ^{k/2+o(k)}=2^{c_2 k+o(k)}\) respectively, with \(c_1\approx 0.264\) and \(c_2\approx 0.292\). The time complexity of the attack is then

$$\begin{aligned} T:=2^{c_2k+o(k)}+\frac{1}{\sqrt{\pi }^{\frac{1}{k}}}\varGamma \left( \frac{k}{2}+1\right) ^{\frac{t}{2k^2}}\ell ^{\frac{n}{t}} \end{aligned}$$

up to polynomial factors, where we used the fact that \(\text {Covol}(L_n)=\#\text {Cl}(\mathcal {O}_{n})\simeq \ell ^n\) and neglected \(T_{CVP}(k)\) compared to \(T_{SVP}(k)\). Using the Stirling equivalent \(\varGamma (k/2+1)\sim \sqrt{\pi k}(k/2e)^{k/2}\) as \(k\rightarrow +\infty \) and setting \(k:=\lfloor \kappa \sqrt{t\log _2(t)}\rfloor \), with \(\kappa :=1/\sqrt{8c_2}\) in order to optimize the complexity, we get

$$\begin{aligned} T=2^{(\sqrt{c_2/8}+o(1))\sqrt{t\log _2(t)}}=\exp ((c+o(1))\sqrt{t\log (t)}), \end{aligned}$$

with \(c:=\sqrt{c_2/8\log (2)}\simeq 0.229\), assuming that \(\ell \) and n are constant and \(t\rightarrow ~+\infty \).
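The choice of \(\kappa \) in the last step, worked out here as an added derivation (it is not part of the paper's appendix) with the same symbols; every \(o(1)\) below is relative to \(\sqrt{t\log _2(t)}\) as \(t\rightarrow +\infty \) with \(\ell \) and n fixed. Applying Theorem 3 to \(\varLambda =L_n\), of rank \(d=t\) and \(\text {Covol}(L_n)\simeq \ell ^n\), and taking the \(\log _2\) of the Stirling equivalent gives

$$\begin{aligned} \log _2\varGamma \left( \frac{k}{2}+1\right) ^{\frac{t}{2k^2}}&=\frac{t}{2k^2}\left( \frac{k}{2}\log _2\frac{k}{2e}+\frac{1}{2}\log _2(\pi k)\right) (1+o(1))\\&=\frac{t}{4k}\log _2(k)\,(1+o(1)). \end{aligned}$$

With \(k=\lfloor \kappa \sqrt{t\log _2(t)}\rfloor \) we have \(\log _2(k)=\frac{1}{2}\log _2(t)\,(1+o(1))\), so that

$$\begin{aligned} \frac{t}{4k}\log _2(k)=\frac{t\log _2(t)}{8\kappa \sqrt{t\log _2(t)}}(1+o(1))=\frac{1}{8\kappa }\sqrt{t\log _2(t)}\,(1+o(1)), \end{aligned}$$

while \(c_2k=c_2\kappa \sqrt{t\log _2(t)}\,(1+o(1))\) and the remaining factors \(\ell ^{\frac{n}{t}}\) and \(\pi ^{-\frac{1}{2k}}\) tend to 1. Hence

$$\begin{aligned} \log _2 T=\left( \max \left( c_2\kappa ,\frac{1}{8\kappa }\right) +o(1)\right) \sqrt{t\log _2(t)}, \end{aligned}$$

which is minimized when the two terms balance, \(c_2\kappa =\frac{1}{8\kappa }\), i.e. \(\kappa =1/\sqrt{8c_2}\), and the resulting exponent is \(c_2\kappa =\sqrt{c_2/8}\) as stated.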

B Complexity Analysis of Onuki’s Attack Presented in Sect. 4.1

We use the notations of Sect. 4.1 describing Onuki’s attack, which consists of computing a K-oriented endomorphism \(\iota '_n(\beta )\in \text {End}(F_n)\) for \(\beta \in \mathcal {O}_n\setminus \mathcal {O}_{n+1}\). We look for \(\beta \) such that \(\beta \mathcal {O}_n=I\cdot J\), with a big factor \(I:=\prod _{j=1}^t(\mathfrak {q}_j\cap \mathcal {O}_n)^{e_j}\), where \(e_1,\cdots ,e_t\in \llbracket -r~;~r\rrbracket \), and a small factor J. Then \(\iota '_n(\beta )\) is computed as the composite of the isogeny associated to I and the isogeny associated to J. The first one is easy to compute given the action of powers of \(\mathfrak {q}_j\) on \(F_n\). The second one can be computed by a meet-in-the-middle strategy in \(\varOmega (\sqrt{N(J)})\) operations (as explained in Sect. 4.3).

We proceed as follows to select a suitable \(\beta \). Let \(\theta \) be a generator of \(\mathcal {O}_K\), so that \(\ell ^n\theta \) generates \(\mathcal {O}_n\). We sample \(\beta :=a+b\ell ^n\theta \) with a and b sampled uniformly at random in \(\llbracket -m~;~m\rrbracket \) and \(\llbracket -m~;~m\rrbracket \setminus \ell \mathbb {Z}\) respectively, for m big enough. We stop the sampling when \(N(\beta )\) has a big enough divisor \(Q:=\prod _{j=1}^t q_j^{e'_j}\) with \(e'_1, \cdots , e'_t\in \llbracket 0~;~r\rrbracket \), let’s say \(Q\ge x\), where the threshold x is to be chosen. We make the heuristic assumption that \(N(\beta )\) has the same arithmetic properties as a uniform variable in \(\llbracket N_{min}~;~N_{max}\rrbracket \). Under this assumption, we have the following result:

Lemma 6

The average time complexity of Onuki’s attack [32, §6.3] is:

$$\begin{aligned} C(x)\ge \frac{x}{(r+1)^t}+\frac{\kappa \sqrt{N_{max}}}{\sqrt{x}(r+1)^t}, \end{aligned}$$

where \(\kappa :=\frac{1}{2\sqrt{q_1}}\left( 1-\frac{1}{q_1}\right) \) and x is the threshold for the value of the norm of the ideal \(J=\prod _{j=1}^t\mathfrak {q}_j^{e_j}\) dividing \(\beta \). The optimal value for the threshold is \(x_m:=(\kappa /2)^{2/3}N_{max}^{1/2}(r+1)^{t/3}\) and the optimal average time complexity is:

$$\begin{aligned} C(x_m)=\varOmega \left( \frac{\sqrt{N_{max}}}{(r+1)^{\frac{t}{3}}}\right) =\varOmega \left( \frac{\ell ^{\frac{2n}{3}}}{(r+1)^{\frac{t}{3}}}\right) , \end{aligned}$$

since \(N_{max}\ge N_{min}\ge \ell ^{2n}\).


Under the heuristic assumption we made, we can assume that \(N:=N(\beta )\) is a uniform random variable in the range \(\llbracket N_{min}~;~N_{max}\rrbracket \). We define the random variable:

$$\begin{aligned} Q:=Q(N)=\prod _{j=1}^t q_j^{\min (r,v_{q_j}(N))}. \end{aligned}$$

The cost of the exhaustive search for a suitable \(\beta \) is then:

$$\begin{aligned} C_1(x)=\frac{1}{\mathbb {P}(Q(N)\ge x)}=\frac{N_{max}-N_{min}}{\#S(x)}, \end{aligned}$$

where

$$\begin{aligned}S(x)&:=\left\{ y\in \llbracket N_{min}~;~N_{max}\rrbracket \Bigg | \ \prod _{j=1}^t q_j^{\min (r,v_{q_j}(y))}\ge x\right\} \\&=\bigcup _{\begin{array}{c} (e_1, \cdots , e_t)\in \llbracket 0~;~r\rrbracket ^t\\ x\le \prod _{j=1}^t q_j^{e_j}\le N_{max} \end{array}}\left\{ k\prod _{j=1}^t q_j^{e_j}\Bigg | \ k\in \llbracket \left\lceil \frac{N_{min}}{\prod _{j=1}^t q_j^{e_j}}\right\rceil ~;~\left\lfloor \frac{N_{max}}{\prod _{j=1}^t q_j^{e_j}}\right\rfloor \rrbracket \right\} \end{aligned}$$

so that:

$$\begin{aligned} \#S(x)&\le \sum _{\begin{array}{c} (e_1, \cdots , e_t)\in \llbracket 0~;~r\rrbracket ^t \\ x\le \prod _{j=1}^t q_j^{e_j}\le N_{max} \end{array}}\left( \left\lfloor \frac{N_{max}}{\prod _{j=1}^t q_j^{e_j}}\right\rfloor -\left\lceil \frac{N_{min}}{\prod _{j=1}^t q_j^{e_j}}\right\rceil \right) \nonumber \\&\le \sum _{\begin{array}{c} (e_1, \cdots , e_t)\in \llbracket 0~;~r\rrbracket ^t\\ x\le \prod _{j=1}^t q_j^{e_j}\le N_{max} \end{array}}\frac{N_{max}-N_{min}}{\prod _{j=1}^t q_j^{e_j}}\nonumber \\&\le \frac{N_{max}-N_{min}}{x}\#\left\{ (e_1, \cdots , e_t)\in \llbracket 0~;~r\rrbracket ^t \Bigg | x\le \prod _{j=1}^t q_j^{e_j}\le N_{max}\right\} \nonumber \\&\le (N_{max}-N_{min})\frac{(r+1)^t}{x}. \end{aligned}\tag{1}$$

It follows that the search for \(\beta \) costs:

$$\begin{aligned} C_1(x)\ge \frac{x}{(r+1)^t}. \end{aligned}\tag{2}$$
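The counting argument above can be checked by brute force on small parameters. The following is an added example, not code from the paper or its authors: it enumerates \(S(x)\) exactly for constructed toy values of the primes \(q_j\), the exponent cap r and the norm range, and compares the exact count with the upper bound \((N_{max}-N_{min})(r+1)^t/x\) and the search cost \(C_1(x)\) with its lower bound \(x/(r+1)^t\). The parameters in the `__main__` block are made up so that the enumeration finishes instantly; they have nothing to do with OSIDH parameter sizes.

```python
# Added example (not from the paper): exhaustive check of the bound on #S(x)
# behind the search cost C_1(x) of Onuki's attack, on constructed toy values.
from math import prod


def valuation(n: int, q: int) -> int:
    """q-adic valuation v_q(n) of a positive integer n."""
    v = 0
    while n % q == 0:
        n //= q
        v += 1
    return v


def smooth_part(n: int, primes: list, r: int) -> int:
    """Q(n) = prod_j q_j^{min(r, v_{q_j}(n))}: the largest divisor of n built
    from the q_j with every exponent capped at r."""
    return prod(q ** min(r, valuation(n, q)) for q in primes)


def count_S(x: int, primes: list, r: int, n_min: int, n_max: int) -> int:
    """#S(x): number of y in [n_min ; n_max] whose capped smooth part is >= x."""
    return sum(1 for y in range(n_min, n_max + 1)
               if smooth_part(y, primes, r) >= x)


def bound_S(x: int, primes: list, r: int, n_min: int, n_max: int) -> float:
    """Upper bound (N_max - N_min) (r+1)^t / x from the appendix."""
    return (n_max - n_min) * (r + 1) ** len(primes) / x


def search_cost(x: int, primes: list, r: int, n_min: int, n_max: int) -> float:
    """C_1(x) = 1 / P(Q(N) >= x) = (N_max - N_min) / #S(x) for N uniform in the
    range; infinite when no norm in the range has a large enough smooth part."""
    s = count_S(x, primes, r, n_min, n_max)
    return float("inf") if s == 0 else (n_max - n_min) / s


def verify_bounds(x: int, primes: list, r: int, n_min: int, n_max: int) -> bool:
    """True when both inequalities of the analysis hold for this threshold x:
    #S(x) <= (N_max - N_min)(r+1)^t / x  and  C_1(x) >= x / (r+1)^t."""
    t = len(primes)
    s_ok = count_S(x, primes, r, n_min, n_max) <= bound_S(x, primes, r, n_min, n_max)
    c_ok = search_cost(x, primes, r, n_min, n_max) >= x / (r + 1) ** t
    return s_ok and c_ok


if __name__ == "__main__":
    # Constructed toy parameters: t = 2 primes, exponents capped at r = 2,
    # norms in [1 ; 36]. Real OSIDH norms are of size about l^(2n).
    primes, r, n_min, n_max = [2, 3], 2, 1, 36
    for x in (1, 4, 12, 36):
        print(f"x={x:2d}  #S(x)={count_S(x, primes, r, n_min, n_max):2d}  "
              f"bound={bound_S(x, primes, r, n_min, n_max):6.2f}  "
              f"C_1(x)={search_cost(x, primes, r, n_min, n_max):6.2f}  "
              f"ok={verify_bounds(x, primes, r, n_min, n_max)}")
```

The bound is a union bound over the exponent vectors, so it is loose: for the toy range the exact count is typically several times smaller than \((N_{max}-N_{min})(r+1)^t/x\), which is consistent with the lemma only giving a lower bound on the cost of the attack.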

The average cost of the meet-in-the-middle procedure to find the isogeny associated to J is:

$$\begin{aligned} C_2(x)\ge \mathbb {E}\left[ \sqrt{\frac{N}{Q(N)}}\mid Q(N)\ge x\right] \ge \sqrt{A}\mathbb {P}(N\ge A Q(N)|Q(N)\ge x), \end{aligned}$$

where we used Markov’s inequality with \(A>0\) to be chosen. Hence:

$$\begin{aligned} C_2(x)\ge \sqrt{A}\frac{\mathbb {P}(\{N\ge A Q(N)\}\cap \{Q(N)\ge x\})}{\mathbb {P}(Q(N)\ge x)}=\frac{\sqrt{A}\#T(A)}{\#S(x)} ,\end{aligned}\tag{3}$$

where

$$\begin{aligned} T(A):=&\Bigg \{k\prod _{j=1}^tq_j^{e_j}\Bigg | \ N_{max}\ge \prod _{j=1}^tq_j^{e_j}\ge x \\&\text{ and } \quad k\in \llbracket \max \left( \lceil A\rceil ,\left\lceil \frac{N_{min}}{\prod _{j=1}^t q_j^{e_j}}\right\rceil \right) ~;~\left\lfloor \frac{N_{max}}{\prod _{j=1}^t q_j^{e_j}}\right\rfloor \rrbracket \Bigg \}. \end{aligned}$$

We take \(A:=N_{max}/(q_1 x)\), so that for all \(e_1, \cdots ,e_t\in \llbracket 0~;~r\rrbracket \) such that \(N_{max}\ge \prod _{j=1}^tq_j^{e_j}\ge x\), we have:

$$\begin{aligned} \frac{N_{min}}{\prod _{j=1}^tq_j^{e_j}}\le \frac{N_{min}}{x}<\frac{N_{max}}{q_1x}=A, \end{aligned}$$

since \(N_{max}/N_{min}\simeq m^2\gg q_1\). Without loss of generality, we can assume that x is a product of the \(q_j\). Hence:

$$\begin{aligned} \#T(A)\ge \left\lfloor \frac{N_{max}}{x}\right\rfloor -A\ge \frac{N_{max}}{x}-\frac{N_{max}}{q_1x}-1\ge \frac{N_{max}}{2x}\left( 1-\frac{1}{q_1}\right) , \end{aligned}$$

under the fair assumption that \(x\le \frac{N_{max}}{2}\left( 1-\frac{1}{q_1}\right) \). This inequality combined with Eq. (1) and Eq. (3) leads to:

$$\begin{aligned} C_2(x)&\ge \frac{(N_{max})^{\frac{3}{2}}(1-1/q_1)}{2\sqrt{q_1 x}(r+1)^t(N_{max}-N_{min})}\ge \frac{\sqrt{N_{max}}}{2\sqrt{q_1 x}(r+1)^t}\left( 1-\frac{1}{q_1}\right) .\end{aligned}\tag{4}$$

Combining Eq. (2) and Eq. (4), we find that Onuki’s attack has average complexity:

$$\begin{aligned} C(x)\ge C_1(x)+C_2(x)\ge \frac{x}{(r+1)^t}+\frac{\kappa \sqrt{N_{max}}}{\sqrt{x}(r+1)^t}, \end{aligned}$$

with \(\kappa :=\frac{1}{2\sqrt{q_1}}\left( 1-\frac{1}{q_1}\right) \). The optimal value for x is obtained by differentiating the function defined over \(\mathbb {R}_+^*\):

$$\begin{aligned} x\longmapsto \frac{x}{(r+1)^t}+\frac{\kappa \sqrt{N_{max}}}{\sqrt{x}(r+1)^t}. \end{aligned}$$

Copyright information

© 2022 International Association for Cryptologic Research

Cite this paper

Dartois, P., De Feo, L. (2022). On the Security of OSIDH. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds) Public-Key Cryptography – PKC 2022. Lecture Notes in Computer Science, vol. 13177. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-97120-5

  • Online ISBN: 978-3-030-97121-2

  • eBook Packages: Computer Science (R0)