Paper 2018/383

CSIDH: An Efficient Post-Quantum Commutative Group Action

Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes


We propose an efficient commutative group action suitable for non-interactive key exchange in a post-quantum setting. Our construction follows the layout of the Couveignes-Rostovtsev-Stolbunov cryptosystem, but we apply it to supersingular elliptic curves defined over a large prime field $\mathbb F_p$, rather than to ordinary elliptic curves. The Diffie-Hellman scheme resulting from the group action allows for public-key validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST's post-quantum security category I.

Available format(s)
Public-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2018
post-quantum cryptographyisogeny-based cryptographyclass group actionnon-interactive key exchangekey confirmation
Contact author(s)
l s panny @ tue nl
2018-11-23: last of 2 revisions
2018-04-30: received
See all versions
Short URL
Creative Commons Attribution


      author = {Wouter Castryck and Tanja Lange and Chloe Martindale and Lorenz Panny and Joost Renes},
      title = {CSIDH: An Efficient Post-Quantum Commutative Group Action},
      howpublished = {Cryptology ePrint Archive, Paper 2018/383},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.