CSIDH: Commutative Supersingular Isogeny DH
- CSIDH is a post-quantum key exchange protocol that uses the commutative action of the ideal class group on supersingular elliptic curves to achieve Diffie–Hellman-style exchanges with compact keys.
- It employs efficient isogeny evaluations via differential addition chains and constant-time implementations to mitigate side-channel and quantum attack vulnerabilities.
- Optimized hardware and software strategies, including dummy-free approaches and FPGA/ASIC acceleration, enable subsecond key generation and robust security guarantees.
Commutative Supersingular Isogeny Diffie–Hellman (CSIDH) is a post-quantum non-interactive key exchange protocol based on the commutative action of the ideal class group of an imaginary quadratic order on the set of supersingular elliptic curves defined over a prime field. Distinguished by its abelian group structure, small public key sizes, and static-key friendliness, CSIDH achieves Diffie–Hellman-style exchange with compact representations and static key validation, while addressing the threat landscape of quantum adversaries through non-group-homomorphic hard homogeneous space assumptions.
1. Mathematical Structure and Protocol Foundations
CSIDH operates over a prime field whose prime is of a special form determined by a product of distinct small odd primes, each of which then divides the group order of every supersingular curve over the field. The set of interest is the set of isomorphism classes over that field of supersingular elliptic curves whose endomorphism ring over the prime field is the order generated by the Frobenius endomorphism (Smith, 2018, Xiao et al., 2022).
The principal homogeneous space is the set of such curves acted on by the ideal class group of that order. Each ideal class corresponds to a sequence of isogenies of odd prime degree, each realized explicitly via Vélu's or Costello–Hisil formulas. Because the class group is abelian, the group action is commutative (Colò et al., 2020, Smith, 2018).
Key generation samples a small exponent for each of the small primes; the exponent vector represents an ideal class, namely the product of the corresponding prime ideals raised to those exponents. The public key is the coefficient (e.g., the Montgomery coefficient or the j-invariant) of the curve obtained by applying that class to the base curve.
2. Protocol Workflow
2.1 Key Generation
- Choose secret exponents (one small integer per prime).
- Compute the action of the corresponding ideal class on the base curve.
- Obtain the public key, the resulting curve, published as its Montgomery coefficient.
2.2 Key Exchange
- Alice and Bob exchange their public curves.
- Each applies their secret to the other's public curve: Alice acts on Bob's curve with her ideal class, and Bob acts on Alice's with his.
- By commutativity, both arrive at the same curve, with matching j-invariant (Colò et al., 2020).
2.3 Isogeny Evaluation
- Each prime-degree isogeny requires a kernel point of that prime order, obtained for each prime by scalar multiplication of a random point by the cofactor.
- Kernel points are computed via differential addition chains (DACs); batching up to 16 primes per loop optimizes scalar multiplications (Bagheri et al., 14 Aug 2025).
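The workflow in 2.1 to 2.3 on a toy parameter set, as an added worked example that is not code from any of the cited papers: the prime 4·3·5·7 − 1 = 419 (so the small primes are 3, 5, 7), Montgomery curves y² = x³ + Ax² + x over that field with x-only arithmetic, Renes' Montgomery codomain formula, and the structure of the original CSIDH group action (sample a random x, sort the primes by whether the point lies on the curve or on its twist, peel off one prime-degree isogeny at a time). The parameter set, exponent bound and all function names are assumptions chosen for illustration; the code is variable-time and does none of the constant-time or dummy-free work discussed later on this page.

```python
# Toy CSIDH (constructed example): p = 4*3*5*7 - 1 = 419, a prime with p = 3 (mod 8),
# so every supersingular curve over F_p with Frobenius-order endomorphism ring has a
# unique Montgomery coefficient A, which makes shared secrets directly comparable.
import random

ELLS = [3, 5, 7]            # small odd primes; p + 1 = 4 * 3 * 5 * 7
P = 4 * 3 * 5 * 7 - 1       # 419
INF = (1, 0)                # projective x-only point at infinity (X : Z), Z = 0


def inv(a):
    return pow(a, -1, P)


def is_inf(pt):
    return pt[1] % P == 0


def xdbl(pt, a24):
    """x-only doubling on E_A, with a24 = (A + 2) / 4."""
    x, z = pt
    t0 = (x + z) ** 2 % P
    t1 = (x - z) ** 2 % P
    t2 = (t0 - t1) % P                      # equals 4xz
    return t0 * t1 % P, t2 * (t1 + a24 * t2) % P


def xadd(p1, p2, diff):
    """x-only differential addition: x(p1 + p2) given diff = p1 - p2."""
    (x1, z1), (x2, z2), (xd, zd) = p1, p2, diff
    u = (x1 - z1) * (x2 + z2) % P
    v = (x1 + z1) * (x2 - z2) % P
    return zd * (u + v) ** 2 % P, xd * (u - v) ** 2 % P


def ladder(pt, n, a):
    """Montgomery ladder: x([n]pt) on E_A or its twist (x-only code cannot tell)."""
    a24 = (a + 2) * inv(4) % P
    r0, r1 = INF, pt
    for bit in bin(n)[2:]:
        if bit == "0":
            r1, r0 = xadd(r0, r1, pt), xdbl(r0, a24)
        else:
            r0, r1 = xadd(r0, r1, pt), xdbl(r1, a24)
    return r0


def isogeny(a, ker, ell, q):
    """Degree-ell isogeny with kernel <ker>: returns A' and the image of q.
    Renes' formula: A' = pi^2 (A - 6 sigma + 6 sigma~) over x([i]ker), i = 1..(ell-1)/2."""
    xs = []
    for i in range(1, (ell - 1) // 2 + 1):
        x, z = ladder(ker, i, a)
        xs.append(x * inv(z) % P)           # [i]ker is never infinity for i < ell
    pi, sigma, sigma_t = 1, 0, 0
    for x in xs:
        pi, sigma, sigma_t = pi * x % P, sigma + x, sigma_t + inv(x)
    a_new = pi * pi * (a - 6 * sigma + 6 * sigma_t) % P
    (xq, zq), (xn, zn) = q, q
    for x in xs:                            # x' = x * prod(((x*x_i - 1) / (x - x_i))^2)
        xn = xn * (xq * x - zq) ** 2 % P
        zn = zn * (xq - x * zq) ** 2 % P    # zn = 0 exactly when q was in the kernel
    return a_new, (xn, zn)


def group_action(a, exps, rng=random):
    """Apply the ideal class with exponent vector exps (one entry per prime) to E_A."""
    e = list(exps)
    while any(e):
        x = rng.randrange(1, P)
        rhs = (x ** 3 + a * x * x + x) % P
        if rhs == 0:
            continue
        s = 1 if pow(rhs, (P - 1) // 2, P) == 1 else -1   # +1: point on E_A, -1: on twist
        idx = [i for i, ei in enumerate(e) if ei * s > 0]  # primes still needing this sign
        if not idx:
            continue
        k = 1
        for i in idx:
            k *= ELLS[i]
        q = ladder((x, 1), (P + 1) // k, a)   # order of q divides k
        for i in idx:
            r = ladder(q, k // ELLS[i], a)    # order 1 (unlucky sample) or ELLS[i]
            if is_inf(r):
                continue
            a, q = isogeny(a, r, ELLS[i], q)
            k //= ELLS[i]
            e[i] -= s
    return a


def keygen(rng=random, bound=2):
    """Secret: an exponent in [-bound, bound] per prime; public: coefficient of the image of E_0."""
    sk = [rng.randint(-bound, bound) for _ in ELLS]
    return sk, group_action(0, sk, rng)


def count_points(a):
    """#E_A(F_p) by brute force; a supersingular curve over F_p has exactly p + 1 points."""
    n = 1
    for x in range(P):
        rhs = (x ** 3 + a * x * x + x) % P
        n += 1 if rhs == 0 else (2 if pow(rhs, (P - 1) // 2, P) == 1 else 0)
    return n


def exchange(seed=1):
    """Full key exchange; both sides must land on the same Montgomery coefficient."""
    rng = random.Random(seed)
    sk_a, pk_a = keygen(rng)
    sk_b, pk_b = keygen(rng)
    return group_action(pk_b, sk_a, rng), group_action(pk_a, sk_b, rng)


if __name__ == "__main__":
    print(exchange())
```

Two properties worth checking when running this: the two halves of `exchange()` agree (commutativity of the class group action, which is the whole point of 2.2), and `count_points` returns 420 for every public key, confirming that each step really produced a supersingular curve. Applying an exponent vector and then its negation returns to the base curve, since the inverse ideal class undoes the action.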
3. Security Analysis and Quantum Attacks
The security relies on the hardness of finding an ideal class effecting an isogeny between given supersingular curves, known as the vectorization problem in a non-group-homomorphic principal homogeneous space (Smith, 2018, Xiao et al., 2022). The best known classical attacks (meet-in-the-middle) require a number of steps exponential in the security parameter, while quantum attacks leveraging hidden shift techniques (Kuperberg's algorithm) achieve subexponential runtime, outperforming classical algorithms for current parameters (Biasse et al., 2018, Agathocleous et al., 1 Oct 2025).
Empirically, this yields quantum attack costs for a 512-bit prime that are lower than the original estimate. To achieve 128-bit quantum security, the prime would require a bitlength of around 16,384 bits, which is impractical in current CSIDH variants (Biasse et al., 2018).
Countermeasures include increasing the size of the prime, avoiding small class numbers with smooth subgroup structure, and considering "twisted" variants of the protocol to raise the discriminant (Biasse et al., 2018).
4. Implementation Strategies: Constant-Time and Hardware Acceleration
Critical for security in practice is constant-time evaluation to resist side-channel (timing and power) attacks.
4.1 Hardware Architecture
- The hardware design described in (Bagheri et al., 14 Aug 2025) employs a top-level FSM controlling a deeply pipelined 512-bit ALU (adder, subtractor, schoolbook multiplier).
- Modular multiplication leverages Montgomery reduction in 87 clock cycles; a parallelized 512x512-bit multiplication completes in 22 cycles (FPGA) or 23 cycles (ASIC).
- Side-channel resistance is provided by dummy isogenies (always performing a fixed maximum number of isogenies per prime, so that real and dummy steps are indistinguishable by timing or power) and by masking (all ALU subunits are activated every cycle, with only the requested operation processing real data).
- Resource and timing metrics: on a Xilinx Zynq UltraScale+ FPGA, CSIDH-512 key generation completes in 0.515 s; on a 180nm ASIC, latency is 0.591 s with area 4.1x4.1 mm² (Bagheri et al., 14 Aug 2025).
4.2 Software Countermeasures
- Constant-time variants (CTIDH, dCTIDH) group primes into batches, pad DACs to uniform length (with dummy steps in vanilla CTIDH) or use new dummy-free approaches (DACsHUND, reformulated Matryoshka) for batch-wise equal-cost isogeny chains (Banegas et al., 16 Sep 2025).
- Dummy-free CSIDH eliminates attack surfaces exploitable by fault injection while retaining constant-time and deterministic execution, at minimal performance penalty (4% faster than CTIDH, 4x faster than dCSIDH) (Banegas et al., 16 Sep 2025, Cervantes-Vázquez et al., 2019).
4.3 Performance Summary
| Platform | Latency | Notes |
|---|---|---|
| Xilinx UltraScale+ | 0.515 s @ 200 MHz | 66.3k LUTs, 128 DSPs (FPGA) (Bagheri et al., 14 Aug 2025) |
| SMIC180 ASIC | 0.591 s @ 180 MHz | 4.1 mm², 566k standard cells |
| Intel i7-7700 (3 GHz) | 0.4 s | Software (group action only) |
Hardware acceleration reduces key generation from minutes/seconds to subsecond intervals, bridging compact key sizes and computational practicality (Bagheri et al., 14 Aug 2025).
5. Side-Channel and Fault-Injection Resistance
Traditional constant-time CSIDH implementations use dummy operations (fixed number of isogeny steps per prime), but these are vulnerable to advanced side-channel and fault-injection attacks. Recent dummy-free protocols (e.g., dummy-free dCTIDH, Matryoshka 2.0, DACsHUND) eliminate dummy steps by enforcing equal DAC lengths across batches and using algebraic manipulations to maintain fixed operation counts without padding (Banegas et al., 16 Sep 2025, Cervantes-Vázquez et al., 2019).
Intermediate point validation (via permutation checks) ensures no tampered multiples are accepted, further strengthening resistance to injected faults (Banegas et al., 16 Sep 2025).
Derandomized CSIDH, which uses a larger field prime so that the required torsion is rational over the prime field for every small prime, eliminates PRNG dependencies for deterministic, timing-independent execution, albeit at increased field sizes and cost (Cervantes-Vázquez et al., 2019).
6. Mathematical and Cryptanalytic Details
The correspondence between isomorphism classes of supersingular curves over the prime field and reduced binary quadratic forms of one of the two relevant discriminants provides an explicit model for isogeny computations and underlies security reductions (Xiao et al., 2022). The action of the ideal class group on curves translates directly to form class multiplication; inverting the key exchange equates to solving the explicit Hilbert class polynomial correspondence or composing/decomposing quadratic forms, for which no polynomial-time classical or quantum algorithms are known for large discriminants (Xiao et al., 2022, Biasse et al., 2018).
Variants such as higher-degree CSIDH (with a more general endomorphism ring order) generalize the group action and protocol structure, maintaining the same security reduction and attack landscape but over larger parameter sets (Chenu et al., 2021).
7. Applicability, Extensions, and Outlook
CSIDH’s commutative structure enables protocols requiring static keys and public validation, unlike non-commutative SIDH-based schemes. Its compact key representation and free key-validation underpin its suitability for long-term key agreement in post-quantum settings (Smith, 2018, Colò et al., 2020).
Research continues in addressing quantum attack efficiency, minimizing side-channel and fault-injection risk, and extending group-action cryptography beyond the basic CSIDH case via generalized CSIDH (higher-degree permutations, graph expansion properties) (Chenu et al., 2021). The use of isogeny graphs and association schemes further connects CSIDH to emerging cryptographic primitives (e.g., quantum onion routing) leveraging abelian class group actions and their commutative properties (Agathocleous et al., 1 Oct 2025).
The aggregated research directions focus on parameter selection for desired quantum security levels, continuous improvement in constant-time, dummy-free implementations, and hardware-software co-design for broad deployment of isogeny-based post-quantum key exchange (Bagheri et al., 14 Aug 2025, Banegas et al., 16 Sep 2025, Biasse et al., 2018).