Paper 2021/633

CTIDH: faster constant-time CSIDH

Gustavo Banegas, Daniel J. Bernstein, Fabio Campos, Tung Chou, Tanja Lange, Michael Meyer, Benjamin Smith, and Jana Sotáková


This paper introduces a new key space for CSIDH and a new algorithm for constant-time evaluation of the CSIDH group action. The key space is not useful with previous algorithms, and the algorithm is not useful with previous key spaces, but combining the new key space with the new algorithm produces speed records for constant-time CSIDH. For example, for CSIDH-512 with a 256-bit key space, the best previous constant-time results used 789000 multiplications and more than 200 million Skylake cycles; this paper uses 438006 multiplications and 125.53 million cycles.

Available format(s)
Publication info
Preprint. MINOR revision.
post-quantum cryptographynon-interactive key exchangesmall keysisogeny-based cryptographyCSIDHconstant-time algorithms
Contact author(s)
gustavo @ cryptme in
authorcontact-ctidh-djb @ box cr yp to
campos @ sopmac de
blueprint @ crypto tw
tanja @ hyperelliptic org
michael @ random-oracles org
j s sotakova @ uva nl
2021-05-26: revised
2021-05-17: received
See all versions
Short URL
Creative Commons Attribution


      author = {Gustavo Banegas and Daniel J.  Bernstein and Fabio Campos and Tung Chou and Tanja Lange and Michael Meyer and Benjamin Smith and Jana Sotáková},
      title = {CTIDH: faster constant-time CSIDH},
      howpublished = {Cryptology ePrint Archive, Paper 2021/633},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.