Paper 2021/259

Fully projective radical isogenies in constant-time

Jesús-Javier Chi-Domínguez and Krijn Reijnders


At PQCrypto-2020, Castryck and Decru proposed CSURF (CSIDH on the surface) as an improvement to the CSIDH protocol. Soon after that, at Asiacrypt-2020, together with Vercauteren they introduced radical isogenies as a further improvement. The main improvement in these works is that both CSURF and radical isogenies require only one torsion point to initiate a chain of isogenies, in comparison to Vélu isogenies which require a torsion point per isogeny. Both works were implemented using non-constant-time techniques, however, in a realistic scenario, a constant-time implementation is necessary to mitigate risks of timing attacks. The analysis of constant-time CSURF and radical isogenies was left as an open problem by Castryck, Decru, and Vercauteren. In this work, we analyze this problem. A straightforward constant-time implementation of CSURF and radical isogenies encounters too many issues to be cost-effective, but we resolve some of these issues with new optimization techniques. We introduce projective radical isogenies to save costly inversions and present a hybrid strategy for the integration of radical isogenies in CSIDH implementations. These improvements make radical isogenies almost twice as efficient in constant-time, in terms of finite field multiplications. Using these improvements, we then measure the algorithmic performance in a benchmark of CSIDH, CSURF and CRADS (an implementation using radical isogenies) for different prime sizes. Our implementation provides a more accurate comparison between CSIDH, CSURF and CRADS than the original benchmarks, by using state-of-the-art techniques for all three implementations. Our experiments illustrate that the speed-up of constant-time CSURF-512 with radical isogenies is reduced to about 3% in comparison to the fastest state-of-the-art constant-time CSIDH-512 implementation. The performance is worse for larger primes, as radical isogenies scale worse than Vélu isogenies.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. CT-RSA 2022
isogeny-based cryptographyCSIDHCSURFradical isogeniesconstant-time
Contact author(s)
jesus dominguez @ tii ae
krijn @ cs ru nl
2021-12-02: last of 6 revisions
2021-03-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jesús-Javier Chi-Domínguez and Krijn Reijnders},
      title = {Fully projective radical isogenies in constant-time},
      howpublished = {Cryptology ePrint Archive, Paper 2021/259},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.