On the Cost of Computing Isogenies Between Supersingular Elliptic Curves

  • Gora Adj
  • Daniel Cervantes-Vázquez
  • Jesús-Javier Chi-Domínguez
  • Alfred Menezes
  • Francisco Rodríguez-HenríquezEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11349)


The security of the Jao-De Feo Supersingular Isogeny Diffie-Hellman (SIDH) key agreement scheme is based on the intractability of the Computational Supersingular Isogeny (CSSI) problem—computing \({\mathbb F}_{p^2}\)-rational isogenies of degrees \(2^e\) and \(3^e\) between certain supersingular elliptic curves defined over \({\mathbb F}_{p^2}\). The classical meet-in-the-middle attack on CSSI has an expected running time of \(O(p^{1/4})\), but also has \(O(p^{1/4})\) storage requirements. In this paper, we demonstrate that the van Oorschot-Wiener golden collision finding algorithm has a lower cost (but higher running time) for solving CSSI, and thus should be used instead of the meet-in-the-middle attack to assess the security of SIDH against classical attacks. The smaller parameter p brings significantly improved performance for SIDH.



We thank Steven Galbraith for the suggestion to traverse the MITM trees using depth-first search. We also thank Sam Jaques for the many discussions on Grover’s and Tani’s algorithms.


  1. 1.
    Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J., Menezes, A., Rodríguez-Henríquez, F.: On the cost or computing isogenies between supersingular elliptic curves. Cryptology ePrint Archive: Report 2018/313.
  2. 2.
    Bernstein, D.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: Workshop Record of SHARCS 2009: Special-purpose Hardware for Attacking Cryptographic Systems (2009).
  3. 3.
    Brassard, G., Høyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). Scholar
  4. 4.
    Charles, D., Goren, E., Lauter, K.: Cryptographic hash functions from expander graphs. J. Cryptol. 22, 93–113 (2009)MathSciNetCrossRefGoogle Scholar
  5. 5.
  6. 6.
    Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 303–329. Springer, Cham (2017). Scholar
  7. 7.
    Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 679–706. Springer, Cham (2017). Scholar
  8. 8.
    Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). Scholar
  9. 9.
    De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8, 209–247 (2014)MathSciNetzbMATHGoogle Scholar
  10. 10.
    Faz-Hernández, A., López, J., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie-Hellman key exchange protocol. IEEE Trans. Comput. 67, 1622–1636 (2018)MathSciNetCrossRefGoogle Scholar
  11. 11.
    Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). Scholar
  12. 12.
    Grover, L.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual Symposium on Theory of Computing – STOC 1996. ACM Press, pp. 212–219 (1996)Google Scholar
  13. 13.
    Jao, D., et al.: Supersingular isogeny key encapsulation. Round 1 submission, NIST Post-Quantum Cryptography Standardization, 30 November 2017Google Scholar
  14. 14.
    Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). Scholar
  15. 15.
    Jao, D., Soukharev, V.: Isogeny-based quantum-resistant undeniable signatures. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 160–179. Springer, Cham (2014). Scholar
  16. 16.
    Jaques, S., Schanck, J.: Quantum cryptanalysis in the RAM model. Preprint (2018)Google Scholar
  17. 17.
    Koziel, B., Azarderakhsh, R., Mozaffari-Kermani, M.: Fast hardware architectures for supersingular isogeny Diffie-Hellman key exchange on FPGA. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 191–206. Springer, Cham (2016). Scholar
  18. 18.
    National Institute of Standards and Technology: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, December 2016.
  19. 19.
    van Oorschot, P.C., Wiener, M.J.: Improving implementable meet-in-the-middle attacks by orders of magnitude. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 229–236. Springer, Heidelberg (1996). Scholar
  20. 20.
    van Oorschot, P., Wiener, M.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12, 1–28 (1999)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017). Scholar
  22. 22.
    Schnorr, C., Shamir, A.: An optimal sorting algorithm for mesh connected computers. In: Proceedings of the Eighteenth Annual Symposium on Theory of Computing – STOC 1986. ACM Press, pp. 255–263 (1986)Google Scholar
  23. 23.
    Schoof, R.: Nonsingular plane cubic curves over finite fields. J. Comb. Theory Ser. A 46, 183–211 (1987)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Shamir, A.: Factoring large numbers with the TWINKLE device. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 2–12. Springer, Heidelberg (1999). Scholar
  25. 25.
    Shamir, A., Tromer, E.: Factoring large numbers with the TWIRL device. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 1–26. Springer, Heidelberg (2003). Scholar
  26. 26.
    Tani, S.: Claw finding algorithms using quantum walk. Theor. Comput. Sci 410, 5285–5297 (2009)MathSciNetCrossRefGoogle Scholar
  27. 27.
    Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sc. Paris 273, 238–241 (1971)zbMATHGoogle Scholar
  28. 28.
  29. 29.
  30. 30.
    Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A post-quantum digital signature scheme based on supersingular isogenies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 163–181. Springer, Cham (2017). Scholar
  31. 31.
    Zalka, C.: Grover’s quantum searching algorithm is optimal. Phys. Rev. A 60, 2746–2751 (1999)CrossRefGoogle Scholar
  32. 32.
    Zanon, G.H.M., Simplicio, M.A., Pereira, G.C.C.F., Doliskani, J., Barreto, P.S.L.M.: Faster isogeny-based compressed key agreement. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 248–268. Springer, Cham (2018). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Gora Adj
    • 1
  • Daniel Cervantes-Vázquez
    • 2
  • Jesús-Javier Chi-Domínguez
    • 2
  • Alfred Menezes
    • 1
  • Francisco Rodríguez-Henríquez
    • 2
    Email author
  1. 1.Department of Combinatorics and OptimizationUniversity of WaterlooWaterlooCanada
  2. 2.Computer Science DepartmentCINVESTAV-IPNMexico CityMexico

Personalised recommendations