A note on the security of CSIDH
Abstract
We propose an algorithm for computing an isogeny between two elliptic curves E1,E2 defined over a finite field such that there is an imaginary quadratic order O satisfying O End(Ei) for i = 1,2. This concerns ordinary curves and supersingular curves defined over Fp (the latter used in the recent CSIDH proposal). Our algorithm has heuristic asymptotic run time eO((||)) and requires polynomial quantum memory and eO((||)) classical memory, where is the discriminant of O. This asymptotic complexity outperforms all other available method for computing isogenies. We also show that a variant of our method has asymptotic run time eO((||)) while requesting only polynomial memory (both quantum and classical).
Turn this paper into a lesson
ArcXiv compiles a structured reading guide from this paper's metadata: plain-English importance, contributions, prerequisite concepts, which sections to read first, flashcards, and a quiz. Grounded in the abstract, never invented.