Paper 2018/1198

On Lions and Elligators: An efficient constant-time implementation of CSIDH

Michael Meyer, Fabio Campos, and Steffen Reith


The recently proposed CSIDH primitive is a promising candidate for post quantum static-static key exchanges with very small keys. However, until now there is only a variable-time proof-of-concept implementation by Castryck, Lange, Martindale, Panny, and Renes, recently optimized by Meyer and Reith, which can leak various information about the private key. Therefore, we present an efficient constant-time implementation that samples key elements only from intervals of nonnegative numbers and uses dummy isogenies, which prevents certain kinds of side-channel attacks. We apply several optimizations, e.g. Elligator and the newly introduced SIMBA, in order to get a more efficient implementation.

Available format(s)
Publication info
Preprint. MINOR revision.
CSIDHPost-Quantum Cryptographyconstant-timeSupersingular Elliptic Curve Isogenies
Contact author(s)
michael meyer @ hs-rm de
2019-02-12: revised
2018-12-18: received
See all versions
Short URL
Creative Commons Attribution


      author = {Michael Meyer and Fabio Campos and Steffen Reith},
      title = {On Lions and Elligators: An efficient constant-time implementation of CSIDH},
      howpublished = {Cryptology ePrint Archive, Paper 2018/1198},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.