Litcius/Paper detail

Optimizations and Practicality of High-Security CSIDH

Fábio Campos, Jorge Chávez-Saab, Jesús-Javier Chi-Domínguez, Michaël Meyer, Krijn Reijnders, Francisco Rodríguez‐Henríquez, Peter Schwabe, Thom Wiggers

2024IACR Communications in Cryptology13 citationsDOIOpen Access PDF

Abstract

In this work, we assess the real-world practicality of CSIDH, an isogeny-based non-interactive key exchange. We provide the first thorough assessment of the practicality of CSIDH in higher parameter sizes for conservative estimates of quantum security, and with protection against physical attacks. This requires a three-fold analysis of CSIDH. First, we describe two approaches to efficient high-security CSIDH implementations, based on SQALE and CTIDH. Second, we optimize such high-security implementations, on a high level by improving several subroutines, and on a low level by improving the finite field arithmetic. Third, we benchmark the performance of high-security CSIDH. As a stand-alone primitive, our implementations outperform previous results by a factor up to 2.53×. As a real-world use case considering network protocols, we use CSIDH in TLS variants that allow early authentication through a NIKE. Although our instantiations of CSIDH have smaller communication requirements than post-quantum KEM and signature schemes, even our highly-optimized implementations result in too-large handshake latency (tens of seconds), showing that CSIDH is only practical in niche cases.

Topics & Concepts

Computer scienceImplementationHandshakeIsogenyKey exchangeBenchmark (surveying)Authentication (law)Latency (audio)Theoretical computer scienceComputer engineeringComputer securityPublic-key cryptographyComputer networkElliptic curveEncryptionMathematicsProgramming languageMathematical analysisGeodesyTelecommunicationsAsynchronous communicationGeographyCryptographic Implementations and SecurityCryptography and Residue ArithmeticCryptography and Data Security
Optimizations and Practicality of High-Security CSIDH | Litcius