A note on the security of CSIDH
We propose an algorithm for computing an isogeny between two elliptic curves E_1,E_2 defined over finite field such that there is an imaginary quadratic order O satisfying O≃End(E_i) for i = 1,2. This concerns ordinary curves and supersingular curves defined over F_p (used in the recent CSIDH proposal). Our algorithm has heuristic asymptotic run time e^O(√((|Δ|))) and requires polynomial quantum space in Poly((|Δ|)) where Δ is the discriminant of O. We also describe a probabilistic attack against CSIDH that takes advantage of the structure of the ideal class group Cl(O) of O. Suppose M satisfies M| N where N := #Cl(O), then there is a quantum attack with run time e^O(√((N'))) and a classical attack in time O(√(N')) that succeeds with probability 1/M where N' := N/M.
READ FULL TEXT