A note on the security of CSIDH

TL;DR

This paper introduces a new algorithm for computing isogenies between elliptic curves, outperforming existing methods in asymptotic complexity, with implications for the security of the CSIDH cryptographic scheme.

Contribution

It presents a novel heuristic algorithm with improved asymptotic complexity for isogeny computation, applicable to both ordinary and supersingular elliptic curves used in CSIDH.

Findings

Algorithm has heuristic asymptotic runtime $e^{O(\sqrt{\log(|\Delta|)})}$.

Requires polynomial quantum memory and exponential classical memory.

A variant achieves similar runtime with only polynomial memory.

Abstract

We propose an algorithm for computing an isogeny between two elliptic curves $E_1,E_2$ defined over a finite field such that there is an imaginary quadratic order $\mathcal{O}$ satisfying $\mathcal{O}\simeq \operatorname{End}(E_i)$ for $i = 1,2$. This concerns ordinary curves and supersingular curves defined over $\mathbb{F}_p$ (the latter used in the recent CSIDH proposal). Our algorithm has heuristic asymptotic run time $e^{O\left(\sqrt{\log(|\Delta|)}\right)}$ and requires polynomial quantum memory and $e^{O\left(\sqrt{\log(|\Delta|)}\right)}$ classical memory, where $\Delta$ is the discriminant of $\mathcal{O}$. This asymptotic complexity outperforms all other available method for computing isogenies. We also show that a variant of our method has asymptotic run time $e^{\tilde{O}\left(\sqrt{\log(|\Delta|)}\right)}$ while requesting only polynomial memory (both quantum and classical).