Paper 2019/353

A Faster Constant-time Algorithm of CSIDH keeping Two Points

Hiroshi Onuki, Yusuke Aikawa, Tsutomu Yamazaki, and Tsuyoshi Takagi


At ASIACRYPT 2018, Castryck, Lange, Martindale, Panny and Renes proposed CSIDH, which is a key-exchange protocol based on isogenies between elliptic curves, and a candidate for post-quantum cryptography. However, the implementation by Castryck et al. is not constant-time. Specifically, a part of the secret key could be recovered by the side-channel Attacks. Recently, Meyer, Campos and Reith proposed a constant-time implementation of CSIDH by introducing dummy isogenies and taking secret exponents only from intervals of non-negative integers. Their non-negative intervals make the calculation cost of their implementation of CSIDH twice that of the worst case of the standard (variable-time) implementation of CSIDH. In this paper, we propose a more efficient constant-time algorithm that takes secret exponents from intervals symmetric with respect to the zero. For using these intervals, we need to keep two torsion points in an elliptic curve and calculation for these points. We evaluate the costs of our implementation and that of Meyer et al. in terms of the number of operations on a finite prime field. Our evaluation shows that our constant-time implementation of CSIDH reduces the calculation cost by 28.23% compared with the implementation by Mayer et al. We also implemented our algorithm by extending the implementation in C of Meyer et al. (originally from Castryck et al.). Then our implementation achieved 152.8 million clock cycles, which is about 29.03% faster than that of Meyer et al. and confirms the above reduction ratio in our cost evaluation.

Note: This paper is a full version of the paper of the same name to appear at IWSEC 2019.

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
CSIDHpost-quantum cryptographyIsogeny-based cryptographyconstant-time implementationsupersingular elliptic curve isogenies
Contact author(s)
onuki @ mist i u-tokyo ac jp
2019-06-06: last of 2 revisions
2019-04-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Hiroshi Onuki and Yusuke Aikawa and Tsutomu Yamazaki and Tsuyoshi Takagi},
      title = {A Faster Constant-time Algorithm of CSIDH keeping Two Points},
      howpublished = {Cryptology ePrint Archive, Paper 2019/353},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.