Skip to content
BY 4.0 license Open Access Published by De Gruyter November 17, 2020

A trade-off between classical and quantum circuit size for an attack against CSIDH

Jean-François Biasse EMAIL logo , Xavier Bonnetain , Benjamin Pring , André Schrottenloher and William Youmans


We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order 𝒪). Let Δ = Disc(𝒪) (in CSIDH, Δ = −4p for p the security parameter). Let 0 < α < 1/2, our algorithm requires:

  • A classical circuit of size 2O˜log(|Δ|)1α.

  • A quantum circuit of size 2O˜log(|Δ|)α.

  • Polynomial classical and quantum memory.

Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity 2O˜log(|Δ|)1/2 at the cost of increasing the classical circuit-size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.

MSC 2010: 94A60; 68Q12; 68Q15; 81P68; 11Y16; 14Q05

1 Introduction

Given two elliptic curves E1, E2 defined over a finite field 𝔽q, the isogeny problem consists in computing an isogeny ϕ:E1E2, i.e. a non-constant morphism that maps the identity point on E1 to the identity point on E2. A hash function construction based on supersingular isogeny graphs was first proposed in [9], with a security based on the hardness of computing isogenies. An isogeny-based key-exchange was described by Couveignes [12], and its concept was independently rediscovered by Stolbunov [31].

Childs, Jao and Soukharev observed in [10] that the problem of finding an isogeny between two ordinary elliptic curves E1 and E2 defined over 𝔽q and having the same endomorphism ring could be reduced to the problem of solving the Hidden Subgroup Problem (HSP) for a generalized dihedral group. More specifically, if the endomorphism ring of the curves is isomorphic to an imaginary quadratic order 𝒪, then the problem of finding an isogeny between E1 and E2 can be reduced to the problem of finding an ideal aO such that [a]E1=E2 where * is the action of the ideal class group Cl(𝒪), [𝖆] is the class of a in Cl(𝒪) and Ēi is the isomorphism class of the curve Ei. Let N := | Cl(𝒪)|. Using Kuperberg’s sieve [25], this task requires 2Olog(N) queries to an oracle that computes the action of the class of an element in Cl(𝒪). Using the heuristic oracle of [4], the cost of the oracle can be brought down to 2O˜log(N)3, thus giving an overall complexity of 2Olog(N) where N|Δ|.

Although neither the CRS [12, 31] nor the CSIDH (a similar system [8] using supersingular curves defined over 𝔽p) cryptosystems are NIST candidates, it is natural to evaluate their security according to the methodology proposed by NIST for its standardization process [26]. In particular, Level I is defined in [26, Page 16] as follows: “any attack that breaks [this] security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 128-bit key (e.g. AES-128).” Hence, this corresponds to 2128 classical AES evaluations (2143 classical gates, according to the document) or to 287.5 quantum gates (with 2953 logical qubits), according to the counts given in [17] on the universal Clifford + T set. We point out that this “or” has no reason to be exclusive: a quantum adversary can also run massive classical computations.


We propose a different trade-off between classical and quantum circuits in the cryptanalysis of CRS and CSIDH relying on the resolution of the Hidden Shift Problem. Let E1, E 2 be two elliptic curves and 𝒪 be an imaginary quadratic order of discriminant Δ such that End(Ei)O for i = 1, 2. Then assuming Heuristic 1 for constant 0 < α < 1/2 and Heuristic 2, there is a quantum algorithm for computing [𝖆] such that [a]E1=E2 requiring:

  1. A classical circuit of size 2O˜log(|Δ|)1α.

  2. A quantum circuit of size 2O˜log(|Δ|)α.

  3. Polynomial classical and quantum memory.

Related Works

After the publication of CSIDH, there has been a line of works on the quantum security of CRS and CSIDH. Some of these works concern the security of concrete CSIDH [8] parameters. These include [6] and [3], which give a quantum circuit for computing isogenies for the 512-bit CSIDH parameters. On the asymptotic side, which is our main focus here, both [4] and [19] present algorithms for computing isogenies with quantum (and classical) circuit size in 2O˜log(|Δ|)1/2 and polynomial space, which yields a subexponential quantum attack on CSIDH and CRS with polynomial quantum space. While these two previous works focused on isogeny computations, in this paper, we complement the analysis of the Hidden Shift resolution underlying the attack procedure common to all these works. With our trade-off, we can obtain a superpolynomial improvement on the size of the quantum circuit.

The rest of the paper is organized as follows: Section 2 contains background information on isogenies. Section 3 shows the connection between the Dihedral Hidden Subgroup Problem and the computation of isogenies. Section 4 give a high level description of the idea for the resolution of the Dihedral HSP. Section 5 introduces the concept of trading-off quantum gates for classical gates in the resolution of the Dihedral HSP. Section 6 Describes a heuristic oracle compatible with the intended trade-off. Section 7 discusses the heuristic made for the validity of the oracle. Section 8 describes the challenges of a fault-tolerant implementation. Section 9 concludes and discusses the relevance of this result to the evaluation of the security with respect to NIST security levels.

2 Mathematical background

An elliptic curve E defined over a finite field 𝔽q of characteristic p ≠ 2, 3 is a projective algebraic curve with an affine plane model given by an equation of the form y2 = x3 + ax + b, where a, b ∈ 𝔽q and 4a3 + 27b2 ≠ 0. The set of points of an elliptic curve is equipped with an additive group law. Details about the arithmetic of elliptic curves can be found in many references, such as [30, Chap. 3].

Let E1, E2 be two elliptic curves defined over 𝔽q. An isogeny ϕ:E1E2overFq (resp. over Fq ) is a non-constant rational map defined over 𝔽q (resp. over Fq ) which sends the identity point on E1 to the identity point on E2. The degree of an isogeny is its degree as a rational map, and an isogeny of degree is called an -isogeny. Moreover, E1, E2 are said to be isomorphic over 𝔽q, or 𝔽q-isomorphic, if there exist isogenies ϕ1:E1E2andϕ2:E2E1 over 𝔽q whose composition is the identity. Two Fq -isomorphic elliptic curves have the same j-invariant given by j:=17284a34a3+27b2.

An order 𝒪 in a number field K such that [K : ℚ] = n is a subring of K which is a ℤ-module of rank n. A fractional ideal of 𝒪, is a set of the form a=1dI where I is an ideal of 𝒪 and d ∈ ℤ>0. A fractional ideal I is said to be invertible if there exists a fractional ideal J such that IJ = 𝒪. The invertible fractional ideals form a multiplicative group I. Let 𝒫 be the subgroup consisting of the invertible principal ideals. The ideal class group Cl(𝒪) is Cl(𝒪) := 𝒥/𝒫. We denote by [𝖆] the class of the fractional ideal a in Cl(𝒪). The ideal class group is finite and its cardinality h𝒪 satisfies hO|Δ|ln(|Δ|) (see [11, §5.10.1]), where Δ is the discriminant of 𝒪.

Let E be an elliptic curve defined over 𝔽q. An endomorphism of E is either an isogeny defined over F̄q between E and itself, or the zero morphism. The set of endomorphisms of E forms a ring that is denoted by End(E). For elliptic curves, End(E) is either an order in an imaginary quadratic field (and has ℤ-rank 2) or a maximal order in a quaternion algebra ramified at p (the characteristic of the base field) and ∞ (and has ℤ-rank 4). In the former case, E is said to be ordinary while in the latter it is called supersingular. When a supersingular curve is defined over 𝔽p, then the ring of its 𝔽p-endomorphisms, denoted by EndFp (E), is isomorphic to an imaginary quadratic order, much like in the ordinary case.

When E is ordinary (resp. supersingular over 𝔽p), the class group of End(E) (resp. EndFp (E)) acts transitively on isomorphism classes of elliptic curves having the same endomorphism ring. More precisely, the class of an ideal aO acts on Ē with End(E)O an isogeny of degree 𝒩(a) (the algebraic norm of a). Likewise, each isogeny φ : EE where End(E)End(E)O corresponds (up to isomorphism) to a class in Cl(𝒪). From an ideal a and the -torsion (where = 𝒩(a)), one can recover the kernel of φ, and then using Vélu’s formulae [34], one can derive the corresponding isogeny. We denote by [a]E the action of the ideal class of a on E. To evaluate the action of [𝖆], we decompose it as a product of classes of prime ideals of small norm , and evaluate the action of each prime ideal as an -isogeny. This strategy was described by Couveignes [12], Galbraith–Hess–Smart [15], and later by Bröker–Charles–Lauter [7] and reused in many subsequent works.

3 Isogenies from solutions to the HSP

As shown in [5, 10], the computation of an isogeny between E1 and E2 defined over 𝔽q such that there is an imaginary quadratic order with 𝒪 ≃ End(Ei) for i = 1, 2 can be done by exploiting the action of the ideal class group of 𝒪 on isomorphism classes of curves with endomorphism ring isomorphic to 𝒪. This concerns the cases of ordinary curves, and supersingular curves defined over 𝔽p.

Assume we are looking for 𝖆 such that t[a]E1=E2. This is precisely the hard mathematical problem of the CSIDH [8] and CRS [12, 29] cryptosystems. Let A=Zd1××ZdkCl(O) We define f:Z2AFq by

(1) f(x,y):=[ay]E¯1ifx=0,[ay]E¯2ifx=1,

where [ay] is the element of Cl(𝒪) corresponding to yA via the isomorphism Cl(𝒪) ≃ A. Let H be the subgroup of ℤ2A such that f(x,y)=f(x,y) if and only if (x,y)(x,y)H. Then H={(0,0),(1,s)} where ⃗sA such that [as]E1=E2. The computation of ⃗s can thus be done through the resolution of the Hidden Subgroup Problem in ℤ2A.

Algorithm 1

Quantum algorithm for evaluating the action in Cl(𝒪)

Input: Elliptic curves E1, E2, imaginary quadratic order 𝒪 such that End(Ei) ≃ 𝒪 for i = 1, 2 such that there is [𝖆] ∈ Cl(𝒪) satisfying [a]E1=E2.
Output: [𝖆]
 1: Compute A=Zd1××Zdk such that ACl(O).
 2: Find H = {(0, 0), (1, s)} by solving the HSP in ℤ2A with oracle (1).
 3: return [as]

4 Sieve algorithms for solving the HSP

Kuperberg’s original algorithm

Assume that we want to find a secret subgroup H = {(0, 0), (1, d)} in DN:=Z2ZN given a function (oracle) f : D NX where X is a finite set. Additionally, we assume that N = 2n for simplicity. Using a circuit implementing f , we can prepare the state |ψkd,N:=12|0+e2πikdN|1 . We want to recover d from many states |ψkd,N where k is distributed uniformly at random in ℤN. When we restrict ourselves to N = 2n, this task consists in recovering d bit by bit. To get the least significant bit of d, we only need |ψ2n1d,2n=12|0+(1)d|1. As shown in [24], the repetition of this process yields all bits of d. When N is not a power of 2, the process terminated with a quantum phase estimation step.

To go from many |ψkd,N with random k to |ψ2n1d,2n, Kuperberg’s sieve [24] proceeds by small iterations. Given two states |ψk1d,N,|ψk2d,N where k1, k2 share the same initial l bits, there is a simple procedure that computes |ψk1k2d,N with constant probability, thus killing l bits of the decomposition of the index k. At the end of the process we end up with states of the form |ψ2n1d,2n and |ψ0d,2n. As we saw above, the latter gives us the least significant bit of d. The sieve starts with a set L0 of states of the form |ψkd,N with |L0|=2O(n) and at each steps recombines all states sharing the same last m=n1 bits. At each step of the way, the cardinality of the set gets divided by 4. At the end, Lm contains states of the form |ψ2n1d,2n and |ψ0d,2n. The cost of the procedure is dominated by the creation of L0 with takes 2O(n) calls to the circuit implementing f.

In CSIDH, Cl(𝒪) is cyclic with high probability, but this applies to non-cyclic groups [10, Appendix A]. Here, we consider the HSP in D N with N = 2n.

Low memory variants

The main disadvantage of Kuperberg’s sieve is that the memory requirements are proportional to the gate complexity, which is in 2O(n). That is a subexponential space complexity. Regev’s variant [27] offers a classical and quantum polynomial space complexity at the cost of a slight increase of the runtime. The idea is to only keep a polynomial amount of qubits at all time and to recombine to produce states of the form |ψkd,N with initial bits of k being zero. Kuperberg also described a second Hidden Shift algorithm [25] that uses a different combination method. It has also a time cost in 2O(n), and uses only a polynomial amount of qubits. It however has a classical memory requirement as large as the classical time.

5 Trade-off classical/quantum

Regev’s variant of Kuperberg’s sieve can be seen as an n1-step process which is paused at each step to perform a classical brute-force enumeration of cost 2O(n2). Instead of balancing the classical and quantum effort, we propose to spend more effort performing the classical search to reduce the size of the quantum circuit. Let nn1n2, with n1 = O (nα) and n2 = O (n1−α) for some 0 < α < 1. The case α = 1/2 is essentially Regev’s variant [27].

Algorithm 2

Iteration of the sieve procedure based on [27]

Input: Integers n1, n2 and n2 + 4 states of the form |ψkd,N for random ki having their initial tn2 bits equal to 0.
Output: |ψkd,N for a random k having its initial (t + 1)n2 bits equal to 0.
 1: k(k1,,kn2+4).
 2: From in2+4|ψkid,N, get 12n2+4b{0,1}n2+4e2iπdbkN|b|b.k mod 2n2.
 3: Measure the second register to obtain z ∈ {0, . . . , 2n2 − 1}.
 4: Compute the number m of b{0,1}n2+4 such that bk mod 2n2=z.
 5: if m ∉[2, 32] then return failure.
 6: b1,bm the m vectors that satisfy bjk mod 2n2=z.
 7: |ψ12|0+e2iπdb2b1kN|1 with a measurement on Span b1,b2.
 8: return |ψ〉.

Proposition 5.1

Let 0 < α < 1/2, then there is a quantum algorithm to solve the HSP in DN with a circuit satisfying:

  1. 2O˜(nα) calls to a circuit implementing f are made.

  2. The number of quantum gate beside the oracle is in 2O˜(nα).

  3. The number of classical gates is in 2O(n1α).


As long as n2 → ∞, the main ingredients of the proof of the validity and run time of [27] still hold. Namely, a direct application of Chebyshev’s inequality shows that Step 5 (and therefore Algorithm 2) has a constant probability of success. Following the approach of [27], the algorithm to solve the HSP consists in the production of states |ψkd,N for random k with an oracle implementing f , and 2n1 successive applications of Algorithm 2 to produce |ψ2n1d,2n. An application of the Chernoff bound shows that the number of calls to the oracle implementing f that guarantees the success of the overall procedure is n2O(n1)=2O˜(nα). Meanwhile, each brute force search of the number m of vectors b{0,1}n2+4 such that bk mod 2n2=z is performed by a classical circuit of size 2O(n1α).  □

The quality of the trade-off depends on the cost of the oracle. Indeed, if the quantum circuit to implement the oracle f is larger than 2O˜(nα) for the chosen α, then the size of the circuit to implement f will dominate the number of quantum gates. This issue particularly impacts the resolution of the isogeny problem between elliptic curves whose endomorphism ring is isomorphic to an imaginary quadratic order (i.e. ordinary curves and supersingular curves defined over 𝔽p).

6 The cost of the isogeny oracle

Let 𝔭1, . . . , 𝔭u be prime ideals generating Cl(𝒪). Let 𝔏 be the lattice of relations between 𝔭1, . . . , 𝔭u, i.e. the lattice of all the vectors (f1, . . . , fu) ∈ ℤu such that ipifi is principal. In other words, the ideal class ipifi is the neutral element of Cl(𝒪). The high-level strategy for computing the action of [a]Cl(O)onE1 is the following: (i) Compute a basis B for 𝔏, (ii) Find a BKZ-reduced basis B of 𝔏, (iii) Find (h1, . . . , hu) ∈ ℤu such that [a]=ipihi, (iv) Use Babai’s nearest plane method on B to find short (h1,,hu)Zu such that [a]=ipihi (v) Evaluate the action of ipihi by applying repeatedly the action of the pi for i = 1, . . . , u. Step 1 is a precomputation. It takes quantum polynomial time. Step 2 can be performed as a precomputation requiring only classical gates.

Heuristic 1

(With parameter 0 < α < 1/2) Let 0 < α < 1/2 and 𝒪 be an imaginary quadratic order of discriminant Δ. There are (pi)ikfork=log1α(|Δ|) split prime ideals of norm in Poly(log(|Δ|) whose classes generate Cl(𝒪). Furthermore, each class of Cl(𝒪) has a representative of the form ipini for |ni|elogα|Δ|.

Algorithm 3

Precomputation for the oracle

Input: Order 𝒪 of discriminant Δ and 0 < α < 1/2.
Output: Split prime ideals 𝔭1, . . . , 𝔭s whose classes generate Cl(𝒪) where s = log1−α(|Δ|), reduced basis B of the lattice 𝔏 of vectors (e1, . . . , es) such that ipiei is trivial, generators 𝔤1, . . . , 𝔤l such that Cl(𝒪) = 〈𝔤1〉 ×· ··× 〈𝔤l〉 and vectors vi such that gi=jpjvi,j.
 1: Find 𝔭1, . . . , 𝔭s satisfying the conditions of Heuristic 1 with [4, Alg. 2].
 2: 𝔏 ← lattice of vectors (e1, . . . , es) such that ipiei is principal.
 3: Compute a BKZ-reduced matrix B ∈ ℤs×s of a basis of 𝔏 with block size log12α(|Δ|).
 4: Compute U, V ∈ GLs(ℤ) such that UBV = diag(d1, . . . , ds) is the Smith Normal Form of B.
 5: lminis{i  di1}.Foril,viith column of V.
 6: VV−1. For il,gijspjvi,j
 7: return {p1,,ps},B,{g1,,gl},{v1,,vl}.

Lemma 6.1

Let 𝔏 be an n-dimensional lattice with input basis B ∈ ℤn×n, and let β < n be a block size. Then the BKZ variant of [18] used with Kannan’s enumeration technique [22] returns a basis b1,,bn such that b1enβln(β)1+o(1)λ1L, using time Poly(n,Size(B))ββ12e+o(1) and polynomial space.


See proof of [4, Lem. 1]  □

Corollary 6.2

Assuming Heuristic 1 for α, Algorithm 3 is correct, runs in time 2O˜log(|Δ|)12α and has polynomial space complexity. It returns a basis of 𝔏 whose first vector b1 satisfies b12O˜log(|Δ|)α.

We implement Algorithm 4 reversibly by using generic techniques due to Bennett [2] to convert any algorithm taking time T and space S into a reversible algorithm taking time T1+ε, for an arbitrary small ε > 0, and space O(S log T). To bound the cost of Algorithm 4, we assume the following standard heuristic.

Heuristic 2

(GSA) The basis B computed in Algorithm 3 satisfies the Geometric Series Assumption (GSA): there is 0 < q < 1 such that biˆ=qi1b1 where biˆin is the Gram-Schmidt basis corresponding to B.

Proposition 6.3

Assuming Heuristic 1 for 0 < α < 1/2 and Heuristic 2, Algorithm 4 is correct and runs in quantum time 2O˜log(|Δ|)α with polynomial space.

Algorithm 4

Quantum oracle for implementing f defined in (1)

Input: Curves E1, E2. Order 𝒪 of discriminant Δ such that End(Ei) ≃ 𝒪 for i = 1, 2. Split prime ideals 𝔭1, . . . , 𝔭s whose classes generate Cl(𝒪) where s = log1−α(|Δ|), reduced basis B of the lattice 𝔏 of vectors (e1, . . . , es) such that ipiei is trivial, generators 𝔤1, . . . , 𝔤l such that Cl(𝒪) = 〈𝔤1〉 ×· ··× 〈𝔤l〉 and vectors vi such that gi=jpjvi,j. Ideal class [ay]Cl(O) represented by the vector ⃗y = (y1, . . . , yl) ∈ ℤ/d1ℤ ×· · · × ℤ/dlℤ ≃ Cl(𝒪), and x ∈ ℤ/2ℤ.
Output: f (x, ⃗y).
 1: yilyiviZs (now [ay]=ipiyi ).
 2: Use Babai’s nearest plane method with the basis B to find ⃗u ∈ 𝔏 close to ⃗y.
 3: yyu.
 4: If x = 0 then E¯E¯1elseE¯E¯2.
 5: for i s do
 6:   for j yi do
 7:     E[pi]E
 8:  end for
 9: end for
 10: return |E.


Each group action of Step 7 is polynomial in log(p) and in 𝒩(pi). Moreover, Babai’s algorithm runs in polynomial time and returns u such that


Therefore, the yi are in 2O˜log(|Δ|)α, which is the cost of Steps 5 to 9. The main observation allowing us to reduce the search to a close vector to the computation of a BKZ-reduced basis is that Heuristic 1gives us the promise that there is ⃗u ∈ 𝔏 at distance less than 2O˜log(|Δ|)α from y.  □

Algorithm 5

Hybrid algorithm for finding the group action.

Input: Curves E1, E2, 0 < α < 1/2, order 𝒪 such that End(Ei) ≃ 𝒪 for i = 1, 2, n1, n2 with N=21+n1n2 for Cl(𝒪) ≃ ℤN.
Output: X ∈ ℤN ↔ [𝖆] ∈ Cl(𝒪) such that [a]E1=E2
 1: Compute 𝔭1, . . . , 𝔭s, B, g, ⃗v with Algorithm 3.
 2: b ← 0, n ← 0, X ← 0, fn defined by (1).
 3: while n < 1 + n1n2 do
 4:  Repeat Algorithm 5 using the oracle fn implemented with Algorithm 4 and using p1,,ps,B,g,v to compute b ∈ {0, 1}.
 5:   XX+b2n,nn+1,fn←</p>{(x,y)DN/2nfn1(x,2y+b)}.
 6: end while
 7: return X.

Corollary 6.4

Let E1, E2 be two elliptic curves and 𝒪 be an imaginary quadratic order of discriminant Δ such that End(Ei) ≃ 𝒪 for i = 1, 2. Then assuming Heuristic 1 for 0 < α < 1/2, Algorithm 5 finds [𝖆], with [a]E1=E2 using:

  1. A classical circuit of size 2O˜log(|Δ|)1α.

  2. A quantum circuit of size 2O˜log(|Δ|)α.

  3. Polynomial classical and quantum memory.

Similar modifications to [24] and [10, Appendix A] extend this to arbitrary class groups.

7 Discussion on Heuristic 1

The idea behind Heuristic 1 is that the number of vectors of length log(|Δ|)1−α with entries bounded by elog(|Δ|)α is |Δ| while |Cl(O)||Δ|. If the class of ipixi yielded by a vector ⃗x were known to be distributed uniformly at random in Cl(𝒪), then we would cover all of Cl(𝒪) with high probability. Unfortunately, the distribution of the classes of these ideals is not known (unless we consider products over the first log(|Δ|)2+ε split primes [20], but this is incompatible with our restriction on α). To support Heuristic 1, we drew 5000 elements of Cl(𝒪) for various 𝒪 of increasing discriminant. At each discriminant size, we report the maximal exponent in the decomposition of the random classes with respect to the fist log(|Δ|)1−α split primes. We systematically observe that it is significantly lower than elog(|Δ|)α In Table 1, we present the evolution of the maximal exponent for α = 0.4 and Disc(𝒪) = −p for p the first prime greater than 2i such that −p is a fundamental discriminant and i between 35 and 160. In Appendix A we present similar results for α = 0.1, . . . , 0.5 and smaller increments in the size of Δ. Heuristic 1 intersects ongoing research in number theory, and it is a motivation for more study on the structure of the class group. The samples presented in this paper are admittedly low, but they support the fact that Heuristic 1 holds true more than 98% of the time (at least for the sizes of Δ that were inspected). Such a success rate makes Heuristic 1 relevant for discussions within the field of cryptography.

Table 1

Maximal exponent in short decompositions (over 5000 random elements of the class group).

log2(|Δ|) log0.6(|Δ|) Maximal exponent elog0.4(|Δ|)
35 7 4 36
60 9 8 85
85 12 11 165
110 13 19 287
135 15 24 466
160 17 30 718

8 On fault tolerant implementations

All the asymptotic results regarding the proposed trade-off between classical and quantum circuits only apply to logical qubits. If we incorporate the cost of error correction, then the quantum circuit has to idle while the classical circuit searches for the number m of vectors b{0,1}n2+4 such that bkmod2n2=z. The logical gate representation of this circuit does not include the cost of idling, but in all realistic models of fault tolerant qubits, operations need to be performed on a qubit that is being stored while the classical computation is being done. There is currently an ongoing debate in the cryptographic community as to how to assign a cost-metric to a quantum algorithm given its representation in the logical quantum circuit-model of computation [3, 21]. One approach is the quantum circuit-size and the other is the product of the quantum circuit-width (#qubits) and the quantum circuit-depth (time taken). We have previously studied our tradeoff in light of the circuit-size metric. We now briefly make some remarks with regards to the latter, which is proposed as it captures the difficulties in performing quantum error-correction.

Regardless of the architecture chosen for quantum computers and method used to perform quantum error-correction, it is clear from theoretical error models regarding physical qubits that if we consider discrete timesteps, then applying single or two-qubit gates induce an error in the qubit with a significantly higher probability than if it were simply resting (or "idling") [13, 14, 23, 28, 33]. As the resources we must expend on error-correction is intrinsically linked to the probability of an error occuring, it is plain that the resources to protect an idle quantum state have the potential to be lower than those required to protect a quantum state undergoing active manipulation. For one example of the proposed gaps and tradeoffs that can exist for different architectures, see [32, Tab 2]. In Table 2, we observe that the error rate while storing a qubit is lower than when applying gates in most system.

Table 2

Gates and Memory Errors (Table 3 of [32]).

Error Superconductors Ion Traps Quantum Dots Photonics I
Gate 1.00 × 10−5 3.19 × 10−9 9.89 × 10−1 1.01 × 10−1
Memory 1.00 × 10−5 2.52 × 10−12 3.47 × 10−2 9.80 × 10−4
Table 3

Maximal exponent in short decompositions (over 5000 random elements of the class group).

log2(|Δ|) log0.9(|Δ|) Maximal exponent elog0.1(|Δ|)
30 15 2 4
35 18 2 4
40 20 2 4
45 22 2 4
50 24 2 4
55 26 2 4
60 29 2 4
65 31 2 4
70 33 3 4
75 35 3 4
80 37 3 4
85 39 3 4
90 41 3 5
95 43 3 5
100 45 3 5
105 47 3 5
110 49 3 5
115 51 3 5
120 53 3 5
125 55 3 5
130 57 3 5
135 59 4 5
140 61 3 5
145 63 3 5
150 65 3 5
155 67 3 5
160 69 4 5

Furthermore, classical gates could be significantly faster in practice than quantum gates, thus reducing the quantum cost of idling. In fact, most recent resource estimations [1] can show that, given the current trajectory of quantum architectures, a quantum computation requires inherently a corresponding amount of classical computations. From the counts in [16] a Grover search for an AES-128 key requires 2106 classical computations, hence approximately 220 classical computations per quantum gate.

Our tradeoff therefore allows for agility in cryptanalysis depending upon the eventual architecture of quantum computers and opens the door for improvements and further tradeoffs if smarter methods of performing the brute-force enumeration step are discovered. A simple example of a further trade-off would be to employ parallelism in this stage so that if m classical processors are available, then the classical time would be proportional to 2O(n1−α)/m+O(m), thus reducing the time of quantum idling even more. A full examination of this work under current projections involving quantum error-correction is left for future work.

9 Conclusion

We proposed an asymptotic trade-off between the size of the classical and quantum circuits required to attack CSIDH. This angle is motivated by the fact that to use the full power of the NIST metric, we should authorize 2128 classical computations and 287.5 quantum gates simultaneously. This work showed that such a hybrid attack could be performed with a quantum and a classical circuit that are both asymptotically smaller than the state-of-the-art. The study of the impact of this attack against the parameters for a specific security level (ex: Level I) is left for future work. In the case of CSIDH-512, the number of Clifford + T gates required to run a reversible CSIDH isogeny computation has been estimated in [3] to approximately 251. This is costly, but if we adjust α such that log(|Δ|)1−α ≈ 128 for log(|Δ|) = 512 (since log(|Δ|) ≈ log(p) where p is the security parameter), we get α ≈ 0.22. Then log(|Δ|)α ≈ 4, which indicates that the size of the quantum circuit besides oracle calls might be moderate, thus leaving the door open for the relevance of our algorithms to the analysis of the NIST Level I security of CSIDH.


This work was supported by the U.S. National Science Foundation under grant 1839805, and grant 1846166, by NIST under grant 60NANB17D184, by a Seed Grant of the Florida Center for Cybersecurity, by the USF Proposal Enhancement Grant, and by the ERC Starting Grant QUASYModo.


[1] M. Amy, O. Di Matteo, V. Gheorghiu, M. Mosca, A. Parent and J. Schanck, Estimating the Cost of Generic Quantum Pre-image Attacks on SHA-2 and SHA-3, in: SAC, Lecture Notes in Computer Science 10532, pp. 317–337, Springer, 2016.10.1007/978-3-319-69453-5_18Search in Google Scholar

[2] C. H. Bennett, Time/space trade-offs for reversible computation, SIAM Journal on Computing 18 (1989), 766–776.10.1137/0218053Search in Google Scholar

[3] D. Bernstein, T. Lange, C. Martindale and L. Panny, Quantum Circuits for the CSIDH: Optimizing Quantum Evaluation of Isogenies, in: EUROCRYPT (2), Lecture Notes in Computer Science 11477, pp. 409–441, Springer, 2019.10.1007/978-3-030-17656-3_15Search in Google Scholar

[4] J.-F. Biasse, A. Iezzi and M. Jacobson Jr., A Note on the Security of CSIDH, in: Progress in Cryptology - INDOCRYPT 2018 - 19th International Conference on Cryptology in India, New Delhi, India, December 9-12, 2018, Proceedings (D. Chakraborty and T. Iwata, eds.), Lecture Notes in Computer Science 11356, pp. 153–168, Springer, 2018.10.1007/978-3-030-05378-9_9Search in Google Scholar

[5] J.-F. Biasse, D. Jao and A. Sankar, A Quantum Algorithm for Computing Isogenies between Supersingular Elliptic Curves, in: Progress in Cryptology - INDOCRYPT 2014 - 15th International Conference on Cryptology in India, New Delhi, India, December 14-17, 2014, Proceedings (W. Meier and D. Mukhopadhyay, eds.), Lecture Notes in Computer Science 8885, pp. 428–442, Springer, 2014.10.1007/978-3-319-13039-2_25Search in Google Scholar

[6] X. Bonnetain and A. Schrottenloher, Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes, Cryptology ePrint Archive, Report 2018/537, 2018, in Google Scholar

[7] R. Bröker, D. Xavier Charles and K. Lauter, Evaluating Large Degree Isogenies and Applications to Pairing Based Cryptography, in: Pairing-Based Cryptography - Pairing 2008, Second International Conference, Egham, UK, September 1-3, 2008. Proceedings (S. Galbraith and K. Paterson, eds.), Lecture Notes in Computer Science, pp. 100–112, Springer, 2008.10.1007/978-3-540-85538-5_7Search in Google Scholar

[8] W. Castryck, T. Lange, C. Martindale, L. Panny and J. Renes, CSIDH: An Efficient Post-Quantum Commutative Group Action, Cryptology ePrint Archive, Report 2018/383, 2018, to appear in Asiacrypt 2018.Search in Google Scholar

[9] D. Charles, K. Lauter and E. Goren, Cryptographic hash functions from expander graphs, Jornal of cryptology 22 (2009), 93–113.10.1007/s00145-007-9002-xSearch in Google Scholar

[10] A. Childs, D. Jao and V. Soukharev, Constructing elliptic curve isogenies in quantum subexponential time, Journal of Mathematical Cryptology 8 (2013), 1 – 29.10.1515/jmc-2012-0016Search in Google Scholar

[11] H. Cohen, A course in computational algebraic number theory, Graduate Texts in Mathematics 138, Springer-Verlag, 1991.Search in Google Scholar

[12] J.-M. Couveignes, Hard homgeneous spaces, in Google Scholar

[13] D. Crow, R. Joynt and M. Saffman, Improved error thresholds for measurement-free error correction, Physical review letters 117 (2016), 130503.10.1103/PhysRevLett.117.130503Search in Google Scholar PubMed

[14] A. Fowler, M. Mariantoni, J. Martinis and A. Cleland, Surface codes: Towards practical large-scale quantum computation, Physical Review A 86 (2012), 032324.10.1103/PhysRevA.86.032324Search in Google Scholar

[15] S. Galbraith, F. Hess and N. Smart, Extending the GHS Weil Descent Attack, in: Advances in Cryptology - EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, April 28 - May 2, 2002, Proceedings (L. Knudsen, ed.), Lecture Notes in Computer Science 2332, pp. 29–44, Springer, 2002.10.1007/3-540-46035-7_3Search in Google Scholar

[16] V. Gheorghiu and M. Mosca, Quantumcryptanalysis of symmetric, public-key and hash-based cryptographic schemes, arXiv preprint arXiv:1902.02332 (2019).Search in Google Scholar

[17] M. Grassl, B. Langenberg, M. Roetteler and R. Steinwandt, Applying Grover’s Algorithm to AES: Quantum Resource Estimates, in: Post-Quantum Cryptography - 7th International Workshop, PQCrypto 2016, Fukuoka, Japan, February 24-26, 2016, Proceedings (T. Takagi, ed.), Lecture Notes in Computer Science 9606, pp. 29–43, Springer, 2016.10.1007/978-3-319-29360-8_3Search in Google Scholar

[18] G. Hanrot, X. Pujol and D. Stehlé, Terminating BKZ, IACR Cryptology ePrint Archive 2011 (2011), 198.Search in Google Scholar

[19] D. Jao, J. LeGrow, C. Leonardi and L. Ruiz-Lopez, A Subexponential-Time, Polynomial Quantum Space Algorithm for Inverting the CM Action, Slides of presentation at the MathCrypt conference, 2018, in Google Scholar

[20] D. Jao, D. Miller, S. and R. Venkatesan, Expander graphs based on GRH with an application to elliptic curve cryptography, J. Number Theory 129 (2009), 1491–1504.10.1016/j.jnt.2008.11.006Search in Google Scholar

[21] S. Jaques and J. Schanck, Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE, IACR Cryptology ePrint Archive 2019 (2019), 103, To appear in the proceedings of CRYPTO 2019.10.1007/978-3-030-26948-7_2Search in Google Scholar

[22] R. Kannan, Improved Algorithms for Integer Programming and Related Lattice Problems, in: Proceedings of the 15th Annual ACM Symposium on Theory of Computing, 25-27 April, 1983, Boston, Massachusetts, USA (D. Johnson, S. Fagin, M. Fredman, D. Harel, R. Karp, N. Lynch, C. Papadimitriou, R. Rivest, W. Ruzzo and J. Seiferas, eds.), pp. 193–206, ACM, 1983.Search in Google Scholar

[23] E. Knill, R. Laflamme and W. Zurek, Resilient quantum computation: error models and thresholds, Proceedings of the Royal Society of London. Series A: Mathematical, Physical and Engineering Sciences 454 (1998), 365–384.10.1098/rspa.1998.0166Search in Google Scholar

[24] G. Kuperberg, A Subexponential-Time Quantum Algorithm for the Dihedral Hidden Subgroup Problem, SIAM J. Comput. 35 (2005), 170–188.10.1137/S0097539703436345Search in Google Scholar

[25] G. Kuperberg, Another Subexponential-time Quantum Algorithm for the Dihedral Hidden Subgroup Problem, in: 8th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2013, May 21-23, 2013, Guelph, Canada (S. Severini and F. Brandão, eds.), LIPIcs 22, pp. 20–34, Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2013.Search in Google Scholar

[26] NIST, Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process, 2016.Search in Google Scholar

[27] O. Regev, A Subexponential Time Algorithm for the Dihedral Hidden Subgroup Problem with Polynomial Space, arXiv:quant-ph/0406151.Search in Google Scholar

[28] B. Reichardt, Fault-tolerant quantum error correction for Steane’s seven-qubit color code with few or no extra qubits, arXiv preprint arXiv: 1804.06995 (2018).Search in Google Scholar

[29] A. Rostovtsev and A. Stolbunov, Public-Key Cryptosystem Based on Isogenies, IACR Cryptology ePrint Archive 2006 (2006), 145.Search in Google Scholar

[30] J. Silverman, The arithmetic of elliptic curves, Graduate texts in Mathematics 106, Springer-Verlag, 1992.Search in Google Scholar

[31] A. Stolbunov, Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves, Adv. in Math. of Comm. 4 (2010), 215–235.10.3934/amc.2010.4.215Search in Google Scholar

[32] M. Suchara, A. Faruque, C.-Y. Lai, G. Paz, F. Chong and J. Kubiatowicz, Estimating the Resources for Quantum Computation with the QuRE Toolbox, EECS Department, University of California, Berkeley, Report no. UCB/EECS-2013-119,May 2013, in Google Scholar

[33] K. Svore, B. Terhal and D. DiVincenzo, Local fault-tolerant quantum computation, Physical Review A 72 (2005), 022317.10.1103/PhysRevA.72.022317Search in Google Scholar

[34] J. Vélu, Isogénies entre courbes elliptiques, C. R. Acad. Sci. Paris Sér. A-B 273 (1971), A238–A241.Search in Google Scholar

A Numerical data in support of Heuristic 1

In this section, we provide additional numerical data in support of the heuristic made in Section 7. For each i in 30, 35, . . . , 160 and α = 0.1, . . . , 0.5, we select the first prime p ≥ 2i such that Δ = −p is a fundamental discriminant. For each discriminant, we compute the corresponding ideal class group and produce a reduced basis of the lattice of relations between the classes of the split primes pi of norm less than log1−α(|Δ|). Then we draw 5000 ideal classes uniformly at random and compute a short decomposition over the split primes of norm less than log1−α(|Δ|). To compute a short decomposition of [𝖆], we solve an instance of the approximate Closest Vector Problem between a vector ⃗x such that [Πi pi] = [𝖆] and the lattice 𝔏 of relations. We solve approximate CVP by reducing the basis of 𝔏 with the BKZ algorithm and calling Babai’s nearest plane algorithm. We do not necessarily find the shortest ⃗x, however, all our exponents are below the intended bound elogα(|Δ|). In each table, we show the largest exponent occurring in a decomposition next to elogα(|Δ|) for each Δ. Our heuristic is systematically satisfied. Moreover, aside from the case α = 0.1 where the intended bound is already very small (between 4 and 5), we observe that our heuristic seems in fact very conservative. For example, for log2(|Δ|) = 160 and α = 0.5, the maximal exponent recorded over 5000 short decompositions is 188 while the intended bound is elog0.5(|Δ|)=37462.

Table 4

Maximal exponent in short decompositions (over 5000 random elements of the class group).

log2(|Δ|) log0.8(|Δ|) Maximal exponent elog0.2(|Δ|)
30 11 2 6
35 13 2 7
40 14 3 7
45 16 2 7
50 17 3 8
55 18 3 8
60 20 3 8
65 21 3 9
70 22 3 9
75 24 3 9
80 25 3 9
85 26 3 10
90 27 4 10
95 28 4 10
100 30 4 10
105 31 4 11
110 32 5 11
115 33 4 11
120 34 4 11
125 35 4 11
130 37 4 12
135 38 4 12
140 39 5 12
145 40 5 12
150 41 5 13
155 42 5 13
160 43 5 13
Table 5

Maximal exponent in short decompositions (over 5000 random elements of the class group).

log2(|Δ|) log0.7(|Δ|) Maximal exponent elog0.3(|Δ|)
30 8 2 12
35 9 3 14
40 10 4 15
45 11 3 17
50 12 5 18
55 13 4 20
60 14 4 21
65 14 5 23
70 15 6 25
75 16 5 26
80 17 6 28
85 17 6 30
90 18 7 32
95 19 6 34
100 19 6 35
105 20 7 37
110 21 7 39
115 21 8 41
120 22 7 43
125 23 7 45
130 23 8 47
135 24 8 50
140 25 8 52
145 25 9 54
150 26 9 56
155 26 9 58
160 27 10 61
Table 6

Maximal exponent in short decompositions (over 5000 random elements of the class group).

log2(|Δ|) log0.6(|Δ|) Maximal exponent elog0.4(|Δ|)
30 6 3 29
35 7 4 36
40 7 7 44
45 8 6 52
50 8 9 62
55 9 8 73
60 9 8 85
65 10 7 98
70 10 11 113
75 11 10 129
80 11 12 146
85 12 11 165
90 12 14 186
95 12 16 208
100 13 14 233
105 13 18 259
110 13 19 287
115 14 17 318
120 14 20 351
125 15 18 387
130 15 22 425
135 15 24 466
140 16 22 510
145 16 24 557
150 16 25 607
155 17 26 661
160 17 30 718
Table 7

Maximal exponent in short decompositions (over 5000 random elements of the class group).

log2(|Δ|) log0.5(|Δ|) Maximal exponent elog0.5(|Δ|)
30 5 5 96
35 5 7 138
40 5 16 194
45 6 9 266
50 6 16 360
55 6 20 480
60 6 26 632
65 7 18 822
70 7 27 1060
75 7 35 1353
80 7 44 1714
85 8 38 2155
90 8 47 2693
95 8 58 3343
100 8 64 4128
105 9 60 5070
110 9 60 6198
115 9 83 7541
120 9 92 9138
125 9 120 11029
130 9 154 13261
135 10 107 15889
140 10 122 18976
145 10 145 22591
150 10 177 26814
155 10 228 31736
160 11 188 37462
Received: 2019-06-05
Accepted: 2019-07-01
Published Online: 2020-11-17

© 2020 J.-F. Biasse et al., published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 27.11.2022 from
Scroll Up Arrow