CSIDH: Commutative Supersingular Isogeny DH

Updated 13 June 2026
  • CSIDH is a post-quantum key exchange protocol that uses the commutative action of the ideal class group on supersingular elliptic curves to achieve Diffie–Hellman-style exchanges with compact keys.
  • It employs efficient isogeny evaluations via differential addition chains and constant-time implementations to mitigate side-channel and quantum attack vulnerabilities.
  • Optimized hardware and software strategies, including dummy-free approaches and FPGA/ASIC acceleration, enable subsecond key generation and robust security guarantees.

Commutative Supersingular Isogeny Diffie–Hellman (CSIDH) is a post-quantum non-interactive key exchange protocol based on the commutative action of the ideal class group of an imaginary quadratic order on the set of supersingular elliptic curves defined over a prime field. Distinguished by its abelian group structure, small public key sizes, and static-key friendliness, CSIDH achieves Diffie–Hellman-style exchange with compact representations and static key validation, while addressing the threat landscape of quantum adversaries through non-group-homomorphic hard homogeneous space assumptions.

1. Mathematical Structure and Protocol Foundations

CSIDH operates over a prime field $\mathbb{F}_p$, where $p$ is of the special form $p = 4 \prod_{i=1}^n \ell_i - 1$ for distinct small odd primes $\ell_i$. The set of interest is the isomorphism classes of supersingular elliptic curves $E/\mathbb{F}_p$ with $\operatorname{End}(E) \cong \mathbb{Z}[\pi]$, $\pi^2 = -p$; equivalently, curves $E: y^2 = x^3 + Ax^2 + x$ with $A \in \mathbb{F}_p$ (Smith, 2018, Xiao et al., 2022).

The principal homogeneous space is the set of such curves acted on by the ideal class group $\operatorname{Cl}(\mathbb{Z}[\pi])$. Each ideal class corresponds to a sequence of isogenies of odd prime degree $\ell_i$, each realized via Vélu's or Costello–Hisil formulas. The group action is commutative: applying two ideal classes to a curve in either order yields the same curve (Colò et al., 2020, Smith, 2018).

Key generation samples a small exponent for each prime $\ell_i$; together these exponents represent a secret ideal class as a product of the prime-degree ideal classes raised to those exponents. The public key is the coefficient (e.g., the Montgomery coefficient $A$ or the $j$-invariant) of the curve obtained by applying the secret class to the public base curve.

2. Protocol Workflow

2.1 Key Generation

  • Choose secret exponents, one small integer per prime $\ell_i$.
  • Compute the action of the corresponding secret ideal class on the public base curve.
  • Obtain the resulting public curve (published as its Montgomery coefficient $A$).

2.2 Key Exchange

  • Alice and Bob exchange their public curves.
  • Each applies their secret ideal class to the other's public curve.
  • By commutativity, both arrive at the same curve, with matching $j$-invariant (Colò et al., 2020).

2.3 Isogeny Evaluation

  • Each isogeny of degree $\ell_i$ requires computing a kernel point of order $\ell_i$ for that prime.
  • Kernel points are computed via differential addition chains (DACs); batching up to 16 primes per loop optimizes scalar multiplications (Bagheri et al., 14 Aug 2025).
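The key generation and exchange steps above, worked through as an added example (not code from any of the cited works): x-only Montgomery arithmetic, the Costello–Hisil odd-degree isogeny formulas and the CSIDH class-group action loop, for the assumed toy primes {3, 5, 7} and p = 4·3·5·7 − 1 = 419. None of it is constant-time; it exists only to make the commutative action concrete.

```python
import random
from math import prod
LS = [3, 5, 7]           # toy primes l_i (an assumption here); CSIDH-512 uses 74 of them
P = 4 * prod(LS) - 1     # p = 4*3*5*7 - 1 = 419: prime and 3 mod 8, as CSIDH requires

def xdbl(Pt, A):         # x-only doubling on y^2 = x^3 + A x^2 + x, projective (X:Z)
    t0, t1 = (Pt[0] + Pt[1]) ** 2 % P, (Pt[0] - Pt[1]) ** 2 % P   # (X+Z)^2, (X-Z)^2
    return t0 * t1 % P, (t0 - t1) * (t1 + (A + 2) * pow(4, -1, P) * (t0 - t1)) % P

def xadd(Pt, Qt, D):     # differential addition: Pt + Qt given D = Pt - Qt
    (X1, Z1), (X2, Z2), (X3, Z3) = Pt, Qt, D
    u, v = (X1 - Z1) * (X2 + Z2) % P, (X1 + Z1) * (X2 - Z2) % P
    return Z3 * (u + v) ** 2 % P, X3 * (u - v) ** 2 % P

def xmul(Pt, A, k):      # Montgomery ladder for [k]Pt; the same code serves E_A and its twist
    R0, R1 = (1, 0), Pt  # (1:0) is the point at infinity; invariant R1 - R0 = Pt
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = xadd(R0, R1, Pt), xdbl(R1, A)
        else:
            R0, R1 = xdbl(R0, A), xadd(R0, R1, Pt)
    return R0

def isogeny(A, K, ell, Q):   # Costello-Hisil formulas for the isogeny with kernel <K> of order ell
    xs = [X * pow(Z, -1, P) % P for X, Z in (xmul(K, A, j) for j in range(1, (ell + 1) // 2))]
    sig, sig_inv, pi = sum(xs) % P, sum(pow(x, -1, P) for x in xs) % P, prod(xs) % P
    A2 = (6 * sig_inv - 6 * sig + A) * pi * pi % P          # codomain Montgomery coefficient
    X, Z = Q                 # image of Q, projectively: kernel points map to (*:0), i.e. infinity
    return A2, (X * prod((X * xj - Z) ** 2 for xj in xs) % P, Z * prod((X - Z * xj) ** 2 for xj in xs) % P)

def action(A, exps, rng=random):   # class-group action of prod l_i^e_i on E_A (CSIDH Alg. 2)
    e = list(exps)
    while any(e):
        x = rng.randrange(1, P)
        rhs = (x ** 3 + A * x * x + x) % P
        s = 1 if pow(rhs, (P - 1) // 2, P) == 1 else -1   # +1: x is on E_A, -1: on its twist
        S = [i for i in range(len(LS)) if e[i] * s > 0]    # primes whose exponent sign matches
        if rhs == 0 or not S:
            continue
        k = prod(LS[i] for i in S)
        Q = xmul((x, 1), A, (P + 1) // k)                   # the order of Q now divides k
        for i in S:
            K = xmul(Q, A, k // LS[i])                      # point of order l_i, or infinity
            if K[1] == 0:
                continue                                    # Q lacks l_i-torsion; retry later
            k //= LS[i]
            A, Q = isogeny(A, K, LS[i], Q)
            e[i] -= s                                       # one step toward e_i = 0
    return A
```

Negative exponents are realized with x-coordinates that lie on the quadratic twist (s = -1), which is why one x-only ladder and one isogeny routine serve both directions. Because p ≡ 3 (mod 8), the Montgomery coefficient returned by action is a canonical identifier for the curve, so both parties' shared curves compare equal as plain field elements.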

3. Security Analysis and Quantum Attacks

The security relies on the hardness of finding an ideal class effecting an isogeny between two given supersingular curves, known as the vectorization problem in a non-group-homomorphic principal homogeneous space (Smith, 2018, Xiao et al., 2022). The best known classical attacks (meet-in-the-middle) require a number of steps exponential in the bitlength of $p$, while quantum attacks leveraging hidden-shift techniques (Kuperberg's algorithm) achieve subexponential runtime, outperforming classical algorithms for current parameters (Biasse et al., 2018, Agathocleous et al., 1 Oct 2025).

Empirically, this yields quantum attack costs for $p$ a 512-bit prime that are lower than the original security estimate. Achieving 128-bit quantum security would require $p$ to have a bitlength around 16,384 bits, which is impractical in current CSIDH variants (Biasse et al., 2018).

Countermeasures include increasing $p$, avoiding small class numbers with smooth subgroup structure, and considering “twisted” variants of the protocol to raise the discriminant (Biasse et al., 2018).

4. Implementation Strategies: Constant-Time and Hardware Acceleration

Critical for security in practice is constant-time evaluation to resist side-channel (timing and power) attacks.

4.1 Hardware Architecture

  • The hardware design described in (Bagheri et al., 14 Aug 2025) employs a top-level FSM controlling a deeply pipelined 512-bit ALU (adder, subtractor, schoolbook multiplier).
  • Modular multiplication leverages Montgomery reduction in 87 clock cycles; a parallelized 512x512-bit multiplication completes in 22 cycles (FPGA) or 23 cycles (ASIC).
  • Side-channel resistance is provided by dummy isogenies (performing exactly the maximum allowed number of isogenies per prime, so real and dummy steps are indistinguishable by timing/power) and by masking (all ALU subunits are activated every cycle, with only the requested operation processing true data).
  • Resource and timing metrics: on a Xilinx Zynq UltraScale+ FPGA, CSIDH-512 key generation completes in 0.515 s; on a 180nm ASIC, latency is 0.591 s with area 4.1x4.1 mm² (Bagheri et al., 14 Aug 2025).

4.2 Software Countermeasures

  • Constant-time variants (CTIDH, dCTIDH) group primes into batches, pad DACs to uniform length (with dummy steps in vanilla CTIDH) or use new dummy-free approaches (DACsHUND, reformulated Matryoshka) for batch-wise equal-cost isogeny chains (Banegas et al., 16 Sep 2025).
  • Dummy-free CSIDH eliminates attack surfaces exploitable by fault injection while retaining constant-time and deterministic execution, at minimal performance penalty (4% faster than CTIDH, 4x faster than dCSIDH) (Banegas et al., 16 Sep 2025, Cervantes-Vázquez et al., 2019).

4.3 Performance Summary

Platform                 Latency            Notes
Xilinx UltraScale+ FPGA  0.515 s @ 200 MHz  66.3k LUTs, 128 DSPs (Bagheri et al., 14 Aug 2025)
SMIC180 ASIC             0.591 s @ 180 MHz  4.1 mm², 566k standard cells
Intel i7-7700 (3 GHz)    0.4 s              Software (group action only)

Hardware acceleration reduces key generation from minutes/seconds to subsecond intervals, bridging compact key sizes and computational practicality (Bagheri et al., 14 Aug 2025).

5. Side-Channel and Fault-Injection Resistance

Traditional constant-time CSIDH implementations use dummy operations (fixed number of isogeny steps per prime), but these are vulnerable to advanced side-channel and fault-injection attacks. Recent dummy-free protocols (e.g., dummy-free dCTIDH, Matryoshka 2.0, DACsHUND) eliminate dummy steps by enforcing equal DAC lengths across batches and using algebraic manipulations to maintain fixed operation counts without padding (Banegas et al., 16 Sep 2025, Cervantes-Vázquez et al., 2019).

Intermediate point validation (via permutation checks) ensures no tampered multiples are accepted, further strengthening resistance to injected faults (Banegas et al., 16 Sep 2025).

Derandomized CSIDH, which uses larger parameters so that $\mathbb{F}_p$-rational torsion is guaranteed for every prime $\ell_i$, eliminates PRNG dependencies for deterministic, timing-independent execution, albeit at increased field sizes and cost (Cervantes-Vázquez et al., 2019).

6. Mathematical and Cryptanalytic Details

The correspondence between supersingular $\mathbb{F}_p$-isomorphism classes and reduced binary quadratic forms of discriminant $-4p$ or $-p$ provides an explicit model for isogeny computations and underlies security reductions (Xiao et al., 2022). The action of the ideal class group on curves translates directly to form class multiplication; inverting the key exchange equates to solving the explicit Hilbert class polynomial correspondence or composing/decomposing quadratic forms, for which no polynomial-time classical or quantum algorithms are known for large discriminants (Xiao et al., 2022, Biasse et al., 2018).
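An added example for the correspondence just described (not code from Xiao et al. or any other cited work): it enumerates the primitive reduced binary quadratic forms of discriminant −4p, one per class of Z[π], and compares their number with a brute-force count of the supersingular Montgomery coefficients A over F_p for the assumed toy prime p = 419. The two counts agree because, for p ≡ 3 (mod 8), each class corresponds to exactly one such coefficient, a property of CSIDH's parameter choice that this page does not state explicitly.

```python
from math import gcd

p = 4 * 3 * 5 * 7 - 1    # toy CSIDH prime 419 (assumption for illustration); p = 3 mod 8

def reduced_forms(D):    # primitive reduced forms (a, b, c) with b^2 - 4ac = D < 0: one per class
    forms = []
    a = 1
    while 3 * a * a <= -D:                        # reduced implies a <= sqrt(|D| / 3)
        for b in range(-a, a + 1):
            if (b * b - D) % (4 * a) == 0:
                c = (b * b - D) // (4 * a)
                # |b| <= a <= c, primitive, and b >= 0 whenever |b| = a or a = c
                if c >= a and gcd(a, gcd(abs(b), c)) == 1 and not (b < 0 and a in (c, -b)):
                    forms.append((a, b, c))
        a += 1
    return forms

def is_supersingular(A):  # #E_A(F_p) == p + 1 for y^2 = x^3 + A x^2 + x, counted by brute force
    n = 1                 # the point at infinity
    for x in range(p):
        r = (x ** 3 + A * x * x + x) % p
        n += 1 if r == 0 else 2 if pow(r, (p - 1) // 2, p) == 1 else 0
    return n == p + 1

def montgomery_coefficients():  # every A in F_p giving a non-singular supersingular Montgomery curve
    return [A for A in range(p) if (A * A - 4) % p != 0 and is_supersingular(A)]
```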

Variants such as higher-degree CSIDH (with $\operatorname{End}(E)$ isomorphic to a quadratic order other than $\mathbb{Z}[\pi]$, parameterized by a degree $d > 1$) generalize the group action and protocol structure, maintaining the same security reduction and attack landscape but over larger parameter sets (Chenu et al., 2021).

7. Applicability, Extensions, and Outlook

CSIDH’s commutative structure enables protocols requiring static keys and public validation, unlike non-commutative SIDH-based schemes. Its compact key representation and free key-validation underpin its suitability for long-term key agreement in post-quantum settings (Smith, 2018, Colò et al., 2020).

Research continues in addressing quantum attack efficiency, minimizing side-channel and fault-injection risk, and extending group-action cryptography beyond the $\operatorname{End}(E) \cong \mathbb{Z}[\pi]$ case via generalized CSIDH (higher-degree permutations, graph expansion properties) (Chenu et al., 2021). The use of isogeny graphs and association schemes further connects CSIDH to emerging cryptographic primitives (e.g., quantum onion routing) leveraging abelian class group actions and their commutative properties (Agathocleous et al., 1 Oct 2025).

The aggregated research directions focus on parameter selection for desired quantum security levels, continuous improvement in constant-time, dummy-free implementations, and hardware-software co-design for broad deployment of isogeny-based post-quantum key exchange (Bagheri et al., 14 Aug 2025, Banegas et al., 16 Sep 2025, Biasse et al., 2018).
