Paper 2020/1520

The SQALE of CSIDH: Sublinear Vélu Quantum-resistant isogeny Action with Low Exponents

Jorge Chávez-Saab, Jesús-Javier Chi-Domínguez, Samuel Jaques, and Francisco Rodríguez-Henríquez


Recent independent analyses by Bonnetain-Schrottenloher and Peikert in Eurocrypt 2020 significantly reduced the estimated quantum security of the isogeny-based commutative group action key-exchange protocol CSIDH. This paper refines the estimates of a resource-constrained quantum collimation sieve attack to give a precise quantum security to CSIDH. Furthermore, we optimize large CSIDH parameters for performance while still achieving the NIST security levels 1, 2, and 3. Finally, we provide a C-code constant-time implementation of those CSIDH large instantiations using the square-root-complexity Vélu’s formulas recently proposed by Bernstein, De Feo, Leroux and Smith.

Note: Small updates throughout the manuscript

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Minor revision. Journal of Cryptographic Engineering (JCEN)
CSIDHisogeny-based cryptographyKuperberg attackquantum collimation sieve attack
Contact author(s)
jorgechavezsaab @ gmail com
jesus dominguez @ tii ae
sam @ samueljaques com
francisco @ cs cinvestav mx
2022-01-18: last of 3 revisions
2020-12-04: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jorge Chávez-Saab and Jesús-Javier Chi-Domínguez and Samuel Jaques and Francisco Rodríguez-Henríquez},
      title = {The SQALE of CSIDH: Sublinear Vélu Quantum-resistant isogeny Action with Low Exponents},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1520},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.