1 Introduction
The Diffie–Hellman keyexchange protocol is, both literally and figuratively, at the foundation of publickey cryptography. The goal is for two parties, Alice and Bob, to derive a shared secret from each other’s public keys and their own private keys. Diffie and Hellman’s original solution [51] is beautifully and brutally simple: given a fixed prime and a primitive element in the finite field (that is, a generator of the multiplicative group ), Alice and Bob choose secret keys and , respectively, in . Alice computes and publishes her public key , and Bob his public key ; the shared secret value is , which Alice computes as , Bob as .
The security of the shared secret depends on the hardness of the Computational Diffie–Hellman Problem (CDHP), which is to compute given only , , and the public data of the structures that they belong to. For finitefield Diffie–Hellman, this means computing given only , , and . The principal approach to solving the CDHP is to solve the Discrete Logarithm Problem (DLP), which is to compute from and . We thus recover from (or, equivalently, from ), then power by (or by ) to recover . Attacking the DLP means directly attacking one of the public keys, regardless of any particular shared secret they may be used to derive.
Over the past four decades, the Diffie–Hellman protocol has been generalized from multiplicative groups of finite fields to a range of other algebraic groups, most notably elliptic curves. Partly motivated by this cryptographic application, there has been great progress in discrete logarithm algorithms for some groups, most notably Barbulescu, Gaudry, Joux, and Thomé’s quasipolynomial algorithm for discrete logarithms in finite fields of fixed tiny characteristic [11].
The most stunning development in discrete logarithm algorithms came with the rise of the quantum computation paradigm: Shor’s quantum algorithm [125] solves the discrete logarithm problem—and thus breaks Diffie–Hellman—in any group in polynomial time and space on a quantum computer.^{1}^{1}1More generally, Armknecht, Gagliardoni, Katzenbeisser, and Peter have shown that no grouphomomorphic cryptosystem can be secure against a quantum adversary, essentially because of the existence of Shor’s algorithm [8]. The development of quantum computers of even modest capacity capable of running Shor’s algorithm remains an epic challenge in experimental physics: at the time of writing, the largest implementation of Shor’s algorithm was used to factor the integer 21, so there is some way to go [96]. But in anticipation, cryptographic research has already bent itself to the construction of postquantum cryptosystems, designed to be used on conventional computers while resisting known quantum attacks.
Nowadays, Diffie–Hellman is often an elementary component of a more complicated protocol, rather than the entire protocol itself. For example, the TLS protocol used to establish secure internet connections includes an ephemeral Diffie–Hellman [118]. But to give a more interesting example, the X3DH protocol [95] used to establish connections in Signal and WhatsApp includes four simple Diffie–Hellmans between various short and longterm keypairs. The common use of Diffie–Hellman as a component makes the search for a dropin postquantum replacement for classical Diffie–Hellman particularly relevant today.
While many promising postquantum candidates for publickey encryption and signatures have been developed—the first round of the NIST postquantum standardization process [109] saw 59 encryption/KEM schemes and 23 signature schemes submitted—finding a simple postquantum dropin replacement for Diffie–Hellman (as opposed to a KEM) has proven to be surprisingly complicated. Some interesting postquantum “noisy Diffie–Hellman” key exchange protocols based on hard problems in codes, lattices, and RingLWE have been put forward over the years (including [4], [52], [53], [111], [6], [23], and [49]), but these typically require a reconciliation phase to ensure that Alice and Bob have the same shared secret value (as opposed to an approximate shared secret with acceptable noise on each side); we will not discuss these protocols further here. Perhaps surprisingly, given the loudly trumpeted quantum destruction of elliptic curve cryptography by Shor’s algorithm, the most serious candidates for postquantum Diffie–Hellman come from isogenybased cryptography, which is founded in the deeper theory of elliptic curves.
The key idea in moving from conventional ellipticcurve cryptography to isogenybased cryptography is that points on curves are replaced with entire curves, and relationships between points (scalars and discrete logarithms) are replaced with relationships between curves (isogenies). Isogeny classes have just enough algebraic structure to define efficient asymmetric cryptosystems, but not enough to make them vulnerable to Shor’s algorithm.
But what should a “postquantum Diffie–Hellman” scheme be, and how closely should it match classical Diffie–Hellman functionalities and semantics? To what extent can the intuition and theoretical lore built up over decades of classical Diffie–Hellman carry over to these new protocols? This survey is an attempt to begin addressing these questions. The aim is to help cryptographers, mathematicians, and computer scientists to understand the similarities and differences between classical Diffie–Hellman and the new postquantum protocols.
The plan.
We begin with a quick survey of classical groupbased Diffie–Hellman in §§25. We discuss modern ellipticcurve Diffie–Hellman in §7; this dispenses with the underlying group on some levels, and thus forms a pivot for moving towards postquantum Diffie–Hellman. We review Couveignes’ hard homogeneous spaces framework in §8 and §9, before introducing HHS cryptosystems in the abstract in §10; we go deeper into the underlying hard problems in §11 and §12. Moving into the concrete, we recall basic facts about isogenies in §13, before discussing commutative isogenybased key exchange in §14 and the stranger SIDH scheme in §15. Our focus is mostly constructive, and our discussion of quantum cryptanalysis will be purely asymptotic, for reasons discussed in §6.
Limiting scope.
The basic Diffie–Hellman scheme is completely unauthenticated: it is obviously vulnerable to a maninthemiddle attack where Eve impersonates Bob to Alice, and Alice to Bob. Alice and Bob must therefore authenticate each other outside the Diffie–Hellman protocol, but we do not discuss authentication mechanisms here. We also ignore the provablesecurity aspects of these protocols, beyond noting that each has been proven sessionkey secure in Canetti and Krawczyk’s adversarial authenticatedlinks model [33] (see [60, §5.3] for a proof for commutative isogeny key exchange, and [45, §6] for SIDH). As we noted above, we do not discuss noisy Diffie–Hellman schemes here, mostly for lack of time and space, but also because these are further from being dropin replacements for classical Diffie–Hellman. Finally, we must pass over decision Diffie–Hellmanbased protocols in silence, partly for lack of space, but mostly because at this early stage it seems hard to say anything nontrivial about decision Diffie–Hellman in the postquantum setting. We do this with some reluctance: as Boneh declared in [19], “the decision Diffie–Hellman assumption is a gold mine” (at least for theoretical cryptographers). Revisiting [19] in the postquantum setting would be highly interesting, but this is neither the time nor the place for that investigation.
Notation.
We will use abelian groups written additively and multiplicatively, depending on the context. To minimise confusion, we adopt these typographical conventions for groups and elements:

always denotes an abelian group written additively, with group operation , inverse , and identity element .

always denotes an abelian group written multiplicatively, with group operation , inverse , and identity element .
Acknowledgements.
I am grateful to Luca De Feo, Florian Hess, Jean Kieffer, and Antonin Leroux for the many hours they spent discussing these cryptosystems with me, and the organisers, chairs, and community of WAIFI 2018.
2 Abstract groups and discrete logarithms
Diffie and Hellman presented their key exchange in the multiplicative group of a finite field, but nothing in their protocol requires the field structure. We will restate the protocol in the setting of a general finite abelian group in §3; but first, we recall some basic facts about abstract groups and discrete logarithms.
Let be a finite abelian group of order (written additively, following the convention above). We can assume is cyclic. For every integer we have an exponentiation endomorphism , called scalar multiplication, defined for nonnegative by
and for negative by . We can compute in operations using a variety of addition chains; typically .
The fundamental hard algorithmic problem in is computing the inverse of the scalar multiplication operation: that is, computing discrete logarithms.
Definition 1 (Dlp)
The Discrete Logarithm Problem in is, given and in , compute an such that .
Any DLP instance in any can always be solved using operations in , using (for example) Shanks’ babystep giantstep algorithm (BSGS), which also requires space [124]; Pollard’s algorithm reduces the space requirement to [115]. If is composite and its (partial) factorization is known, then we can do better using the Pohlig–Hellman–Silver algorithm [114], which solves the DLP by reducing to the DLP in subgroups of (see §12 below).
The DLP enjoys random selfreducibility: if we have an algorithm that solves DLPs for a large fraction of all possible inputs, then we can solve DLPs for all possible inputs after an expected random attempts. Suppose we want to solve an arbitrary DLP instance . We choose a random integer , try to solve for , and if we succeed then we recover . After randomizations, we expect to find an for which lands in the set of inputs to which the algorithm applies.
In the pure abstract, we consider as a blackbox group: operations are performed by oracles, and elements are identified by (essentially random) bitstrings. This models the absence of useful information that we could derive from any concrete representation of . In this setting, Shoup [126] has proven that the complexity of solving the DLP is not merely in , but in . But in the real world, we do not have blackbox groups; every group has a specific concrete element representation and an explicit algorithmic group law. The difficulty of the DLP then varies with the representation, as we will see in §5.
3 Prequantum Diffie–Hellman
Now let us consider Diffie–Hellman in the abstract. Let be a cyclic group, and fix a public generator of . Public keys are elements of ; private keys are bitstrings, interpreted as elements of . Each (public,private)keypair presents a DLP instance in .
The Diffie–Hellman protocol takes place in into two logical phases, which in practice may be separated by a significant period of time. In the first phase, the parties generate their keypairs using Algorithm 1 (KeyPair):

Alice generates her keypair as and publishes ;

Bob generates his as and publishes .
In the second phase, they compute the shared secret with Algorithm 2 (DH):

Alice computes ;

Bob computes .
Alice and Bob have the same value because
The security of the (entire) shared secret depends on the hardness of the Computational Diffie–Hellman Problem (CDHP) in .
Definition 2 (Cdhp)
The Computational Diffie–Hellman Problem in is, given , , and in , to compute .
While it is obvious that an algorithm that solves the DLP in can solve the CDHP in , constructing a reduction in the other direction—that is, efficiently solving DLP instances given access to an oracle solving CDHP instances—is a much more subtle matter. It is now generally believed, following the work of Den Boer [48], Maurer and Wolf [97, 98], Muzereau, Smart, and Vercauteren [107], Bentahar [13], and Boneh and Lipton [20] that the DLP and CDHP are equivalent for the kinds of that cryptographers use in practice.^{2}^{2}2Suppose is prime. The Maurer reduction for groups of order requires an auxiliary elliptic curve over whose order is smooth—that is, such that every prime dividing the order of the auxiliary curve is less than —for some small which determines the efficiency of the reduction. If we require polynomially small , then we get a polynomialtime reduction; but the hypothesis that such curves exist and can be efficiently constructed for arbitrary is extremely strong, if not wildly overoptimistic. If is simply smaller than , then we get a reduction that is dominated by the cost of an equivalent DLP calculation, which is better than nothing; it is not so hard to construct such curves (as Bentahar does). The middle ground is to accept subexponential , and hence a subexponential reduction, as Muzereau, Smart, and Vercauteren do. Brown [28] takes a more constructive approach, constructing cryptographic elliptic curves equipped with a polynomially smooth auxiliary curve. Since solving DLP instances is the only way we know to solve CDHP instances, Diffie–Hellman is generally considered to be a member of the DLPbased family of cryptosystems.
The shared secret is not suitable for use as a key for symmetric cryptosystems^{3}^{3}3Some protocols do use the shared secret as a key, most notably the textbook ElGamal encryption presented at the start of §4. ; rather, it should be treated with a Key Derivation Function (KDF) to produce a proper symmetric key . This essentially hashes the secret , spreading the entropy of uniformly throughout , so deriving any information about requires computing the whole of , hence solving a CDHP in . The indistinguishability of , and hence its security as a key, depends on the weaker Decisional Diffie–Hellman Problem, which is beyond the scope of this article.
The lifespan of keypairs is crucial in Diffie–Hellmanbased cryptosystems. In ephemeral Diffie–Hellman, Alice and Bob’s keypairs are unique to each execution of the protocol. Ephemeral Diffie–Hellman is therefore essentially interactive. In contrast, static Diffie–Hellman uses longterm keypairs across many sessions. Alice may obtain Bob’s longterm public key and complete a Diffie–Hellman key exchange with him—and start using the shared secret—without any active involvement on his part. Static Diffie–Hellman is therefore an important example of a NonInteractive Key Exchange (NIKE) protocol [62].
Efficient publickey validation—that is, checking that a public key was honestly generated—is an important, if often overlooked, requirement for many Diffie–Hellman systems, particularly those where keys are reused. Suppose Alice derives a shared secret key from a Diffie–Hellman exchange with Bob’s public key , and then uses to communicate with Bob. A malicious Bob might construct an invalid public key in such a way that reveals information about Alice’s secret key . If is ephemeral then Bob has learned nothing useful about , since it will never be used again; but the keypair is to be reused, as in static Diffie–Hellman, then secret information has been leaked, and Alice thus becomes vulnerable to active attacks (see e.g. [93] for an example). Public key validation is simple in a finite field: it usually suffices to check the order of the element. Antipa, Brown, Menezes, Struik, and Vanstone describe the process for ellipticcurve public keys [7], and their methods extended to most curvebased algebraic groups without serious difficulty. We will see that this is a more serious problem in postquantum systems.
4 Encryption and key encapsulation
The classic ElGamal publickey encryption scheme [56] is closely related to Diffie–Hellman key exchange. Its key feature is that messages are viewed as elements of the group , so adding a randomlooking element of to a message in acts as encryption.
Algorithm 3 lets Alice encrypt a message to Bob. Alice first generates an ephemeral keypair , completes the Diffie–Hellman on her side using Bob’s static public key to compute a shared secret , which she uses as a (symmetric) key to encrypt an element of via (with corresponding decryption ). Sending her ephemeral public key together with the ciphertext allows Bob to compute and decrypt with Algorithm 4. Since the secret key here is the bare shared secret , untreated by a KDF, the security of this protocol depends not on the CDHP but rather on the (easier) decisional Diffie–Hellman problem in .
It is important to note that this cryptosystem does not provide semantic security. For example, if and are encryptions of and , respectively, then is a legitimate encryption of . While this property is desirable for certain applications (such as EVoting [12]), in most contexts textbook ElGamal cannot be safely used for publickey encryption.
The homomorphic nature of the scheme is due to the fact that the group law is being used as the encryption and decryption algorithm. But even if this behaviour is actually desired, requiring the message to be an element of poses two further problems. First, it imposes a hard and inconvenient limit on the size of the message space; second, it requires an efficient encoding of messages to group elements (and an efficient decoding to match). At first glance, this second requirement seems straightforward for ElGamal instantiated in , since bitstrings of length can be immediately interpreted as integers in , and hence elements of ; but this embedding does not map into the primeorder subgroups where the protocol typically operates. This complication is worse in the elliptic curve setting, where the messagelength limit is even more restrictive.
The modern, semantically secure version of ElGamal encryption is an example of hybrid encryption, best approached through the more general setting of Key Encapsulation Mechanisms (KEMs) and Data Encryption Mechanisms (DEMs) [44, 79]. We establish encryption keys using an asymmetric system (the KEM), before switching to symmetric encryption for data transport (the DEM).
Algorithms 5 and 6 illustrate a simple Diffie–Hellmanbased KEM. In Algorithm 5, Bob has already generated a longterm keypair and published . Alice takes , generates an ephemeral keypair , completes the Diffie–Hellman on her side, and derives a cryptographic key from the shared secret . She can use to encrypt messages to Bob^{4}^{4}4If Alice immediately encrypts a message under and sends the ciphertext to Bob with , then this is “hashed ElGamal” encryption (see [1] for a full encryption scheme in this style). , while encapsulates for transport. To decapsulate and decrypt messages from Alice, Bob follows Algorithm 6, completing the Diffie–Hellman on his side and deriving the cryptographic key from the shared secret .
Remark 1
While KEMs provide a convenient API and formalism for key establishment, they cannot always be used as a replacement for plainold Diffie–Hellman, especially as a component in more complicated protocols.
5 Concrete groups and discrete logarithms
So far, everything has been presented in the abstract; but if we want to use any of these schemes in practice, then we need to choose a concrete group . As we noted in §2, the hardness of the DLP (and hence the CDHP) varies according to the representation of , and may fall far short of the ideal. Here we give a very brief overview of the main candidate groups for groupbased Diffie–Hellman, and DLPbased cryptography in general. We refer the reader to Guillevic and Morain’s excellent survey [77] for further detail on discrete logarithm algorithms.
The DLP in prime finite fields, as used by Diffie and Hellman, is subexponential: the General Number Field Sieve [91] solves DLP instances in in time .^{5}^{5}5Recall that . In extension fields of large characteristic, or when the characteristic has a special form, the complexity is lower, while still subexponential (see [77]); in the extreme case of extension fields of tiny characteristic, the DLP is quasipolynomial in the field size [11]. These algorithms can also be used to attack DLPs in algebraic tori, which are compact representations of subgroups of which offer smaller key sizes and efficient arithmetic [122, 92].
Elliptic curves have long been recognised by number theorists as a generalization of the multiplicative group (indeed, both the multiplicative and additive groups can be seen as degenerate elliptic curves; see e.g. [34, §9]). Once Diffie and Hellman had proposed their protocol in a multiplicative group, then, it was perhaps only a matter of time before number theorists proposed ellipticcurve Diffie–Hellman; and within a decade Miller [102] and Koblitz [83] did just this, independently and almost simultaneously. The subexponential finitefield DLP algorithms do not apply to general elliptic curves, and so far we know of no algorithm with complexity better than for the DLP in a general primeorder elliptic curve. Indeed, the only way we know to make use of the geometric structure for general curves over prime fields is to run generic algorithms on equivalence classes modulo , but this only improves the running time by a factor of roughly [18].^{6}^{6}6More generally, we can work on equivalence classes modulo a (sub)group of automorphisms, as in [54]; but in the case of elliptic curves, for any fixed , there are only two isomorphism classes of curves with automorphisms other than . We can do better for some elliptic curves defined over some extension fields [74, 139, 71], and for some small special classes of curves [100, 10, 63, 128] (notably pairingfriendly curves); but in the more than thirty years since Miller and Koblitz introduced elliptic curve cryptography, this speedup represents the only real nonquantum algorithmic improvement for the general ellipticcurve DLP.^{7}^{7}7At least, it is the only improvement as far as algorithmic complexity is concerned: implementation and distribution have improved substantially. It is, nevertheless, quite dumbfounding that in over thirty years of cryptographicallymotivated research, we have only scraped a tiny constant factor away from the classical algorithmic complexity of the DLP in a generic primeorder elliptic curve over a prime finite field.
Going beyond elliptic curves, a range of other algebraic groups have been proposed for use in cryptography. Koblitz proposed cryptosystems in Jacobians of hyperelliptic curves as an obvious generalization of elliptic curves [84]. Others have since suggested Jacobians of general algebraic curves, and abelian varieties [106, 119]; but as the genus of the curve (or the dimension of the abelian variety) grows, indexcalculus algorithms become more effective, quickly outperforming generic DLP algorithms. At best, the DLP for curves of fixed genus is exponential, but easier than [75, 129, 50, 73]; at worst, as the genus and field size both tend to infinity, the DLP becomes subexponential [57]. Déchène proposed generalized Jacobians as a bridge between ellipticcurve and finitefield cryptography [46], but these offer no constructive advantage [69].
The groups mentioned above are all algebraic groups: elements are represented by tuples of field elements, and group operations are computed using polynomial formulæ. Algebraic groups are wellsuited to efficient computation on realworld computer architectures, but they are not the only such groups: another kind consists of class groups of number fields. Buchmann and Williams proposed Diffie–Hellman schemes in class groups of quadratic imaginary orders [32], leading to a series of DLPbased cryptosystems set in more general rings (see [31] for a survey); but ultimately these are all vulnerable to subexponential indexcalculus attacks.
In the classical world, therefore, elliptic curves over and and genus2 Jacobians over present the hardest known DLP instances with respect to group size (and hence key size). Elliptic curves over prime fields have become, in a sense, the gold standard to which all other groups are compared.
6 Concrete hardness and security levels
It is important to note that our understanding of DLP hardness is not just a matter of theory and sterile asymptotics; all of the algorithms above are backed by a tradition of experimental work. Recently discrete logarithms have been computed in bit general and bit special prime fields [82, 64], and in bit and bit binary elliptic curve groups [138, 17]. A table of various record finite field discrete logarithm computations can be found at [76].
These computations give us confidence in defining cryptographic parameters targeting concrete security levels against classical adversaries. For example, it is generally accepted that DLPbased cryptosystems in with or in with for a wellchosen should meet a classical approximate 128bit security level: that is, a classical adversary equipped with current algorithms should spend around
computational resources to break the system with nonnegligable probability.
For quantum adversaries, we know that DLPs can be solved in polynomial time—but we still know relatively little about the concrete difficulty and cost of mounting quantum attacks against DLPbased cryptosystems, let alone against candidate postquantum systems. For example, we mentioned above that the current record for Shor’s factoring algorithm is 21; but to our knowledge, Shor’s algorithm for discrete logarithms has never been implemented. Roetteler, Naehrig, Svore and Lauter have estimated the quantum resources required to compute ellipticcurve discrete logarithms
[120], which is an important first step.The situation becomes even murkier for the quantum algorithms we will meet below, including the Kuperberg, Regev, Tani, and Childs–Jao–Soukharev algorithms. We have asymptotic estimates, but no concrete estimates (or real data points, for that matter). It is not clear what the most useful performance metrics are for these algorithms, or how to combine those metrics with classical ones to estimate overall problem difficulty.
For this reason, we will refrain from giving any concrete security estimates or recommendations for keylengths for the postquantum systems in the second half of this article. We look forward to detailed theoretical estimates along the lines of [120], and to the eventual development of quantum computers sufficiently large to implement these algorithms and get some actual cryptanalysis done.
7 Modern ellipticcurve Diffie–Hellman
At first glance, ellipticcurve cryptography is just finitefield cryptography with a different algebraic group seamlessly swapped in^{8}^{8}8Not entirely seamlessly: some operations, like hashing into , become slightly more complicated when we pass from finite fields to elliptic curves (see [110]). , and no theoretical modification. But Miller’s original article [102] ends with an interesting observation that departs from the multiplicative group perspective:
Finally, it should be remarked, that even though we have phrased everything in terms of points on an elliptic curve, that, for the key exchange protocol (and other uses as oneway functions), that only the coordinate needs to be transmitted. The formulas for multiples of a point cited in the first section make it clear that the coordinate of a multiple depends only on the coordinate of the original point.
Miller is talking about elliptic curves in Weierstrass models , where , so coordinates correspond to group elements modulo sign. The mapping is mathematically welldefined, because every commutes with ; but it can also be computed efficiently.
In Diffie–Hellman, then, instead of using
Miller is proposing that we use  
Clearly, we lose nothing in terms of security by doing this: the coordinate CDHP reduces immmediately to the CDHP in the elliptic curve. Given a CDHP oracle for , we can compute from by choosing arbitrary lifts to signed points on and calling the oracle there; conversely, given an coordinate CDHP oracle, we can solve CDHP instances on by projecting to the line, calling the oracle there, and then guessing the sign on .
The idea of transmitting only the coordinates may seem advantageous in terms of reducing bandwidth, but in reality, where elliptic curve point keys are systematically compressed to an coordinate plus a single bit to indicate the “sign” of the corresponding coordinate, there is little to be gained here beyond avoiding the small effort required for compression and decompression. The real practical value in Miller’s idea is that working with only coordinates is faster, and requires less memory: can be computed from and using fewer field operations than would be required to compute from and .
This advantage was convincingly demonstrated by Bernstein’s Curve25519 software [14], which put Miller’s idea into practice using carefully selected curve parameters optimized for Montgomery’s ladder algorithm, which computes the pseudoscalar multiplications using a particularly efficient and regular differential addition chain [103, 42]. The result was not only a clear speed record for Diffie–Hellman at the 128bit security level, but a new benchmark in design for key exchange software. Curve25519 is now the Diffie–Hellman to which all others are compared in practice.
The elliptic curve cryptosystems that were standardized in the 1990s and early 2000s, such as the socalled NIST [108] and Brainpool [94] curves, are based on full elliptic curve arithmetic and are not optimized for only arithmetic. More recently, Curve25519 and similar systems have been standardized for future internet applications [90]. These systems are also preferred in newer practical applications, such as the Double Ratchet algorithm used for key management within the Signal protocol for endtoend encrypted messaging [112].
In theory, Miller’s idea of working modulo signs (or, more generally, automorphisms) extends to any algebraic group.^{9}^{9}9While quotienting by is useful in curvebased cryptosystems, it is counterproductive in multiplicative groups of finite fields. There, the pseudoscalar multiplication is ; computing this is slightly slower than computing simple exponentiations, and saves no space at any point. For example, the quotients of Jacobians of genus2 curves by are Kummer surfaces. Under suitable parametrizations, these have highly efficient pseudoscalar multiplications [72], which have been used in highspeed Diffie–Hellman implementations [16, 117].
While the only approach to elliptic curve Diffie–Hellman is particularly useful in practice, it also highlights an important theoretical point: on a formal level, Diffie–Hellman does not require a group structure.^{10}^{10}10Buchmann, Scheidler, and Williams later proposed what they claimed was the first groupless key exchange in the infrastructure of real quadratic fields [29]. Mireles Morales investigated the infrastructure in the analogous evendegree hyperelliptic function field case [104], relating it to a subset of the class group of the field; in view of his work, it is more appropriate to describe infrastructure key exchange as groupbased. In any case, coming nearly a decade after Miller, this would not have been the first nongroup Diffie–Hellman. By this, we mean that the group law never explicitly appears in the protocol—and this is precisely why Diffie–Hellman works on elliptic coordinates, where there is no group law (but where there are maps induced by scalar multiplication).
The group structure is still lurking behind the scenes, of course. It plays several important roles:

Correctness. The group law gives an easy proof that the pseudoscalar multiplication operations exist and commute.

Efficiency. The group law induces biquadratic relations on coordinates that we use to efficiently compute pseudoscalar multiplications using suitable differential addition chains [15].

Security. The hardness of the CDHP in the full group underwrites the hardness of the coordinate CDHP.
Remark 2
Can we do without a group entirely? Heading into the pure abstract, we can consider a Diffie–Hellman protocol with minimal algebraic structure. For example, we could take a set of public keys in place of the group , and sample private keys from a set of functions defined by the property^{11}^{11}11If we require this property to hold for all in , then is a commutative magma. Diffie–Hellman protocols where is equipped with a semigroup or semiring structure have been investigated [99], though the results are only of theoretical interest.
The associated Diffie–Hellman protocol is then defined by
We need to be large enough to prevent brute force attacks on ; we must be able to efficiently sample functions from , and evaluate them at elements of ; and we need to justify the hardness of the associated CDHP. An algebraic structure on may not be strictly necessary to ensure all of this, but it certainly makes life easier.
8 Principal homogeneous spaces
At the time of writing, the closest thing we have to a postquantum analogue of Diffie–Hellman comes from isogenybased cryptography, whose origins go back to Couveignes’ “Hard Homogeneous Spaces” manuscript [43]. This went unpublished for ten years, before appearing online more or less at the same time as its ideas were independently rediscovered by Rostovtsev and Stolbunov [121].
Couveignes’ work is a convenient framework for reasoning about isogenybased cryptosystems: the hard detail on class groups and isogeny classes is abstracted away into groups acting on sets. We warn the reader that from now on we will mostly be working with abelian groups written multiplicatively, which we denote by in accordance with the convention from §1.
Recall that a (left) action of a group on a set is a mapping , written , compatible with the group operation in : that is,
In our case is abelian, so for all , , and .
Definition 3 (Phs)
A principal homogeneous space (PHS) for an abelian group is a set equipped with a simple, transitive action of : that is, for any and in , there is a unique in such that . Equivalently, for every in , the map defined by is a bijection.
Example 1
The trivial example of a PHS is a group acting on itself via its own group operation: that is, , with .
Example 2
The classic first example of a nontrivial PHS is a vector space acting by translation on its underlying affine space.
Example 2 illustrates a classic informal definition: a PHS is a group whose identity element has been forgotten (mislaid, not omitted). Affine spaces have no distinguished “origin”; on the other hand, as soon as one is (arbitrarily) chosen, then each point defines an implicit displacement vector, and we can identify the affine space with a vector space. More generally, for each in , if we define then we get a welldefined group structure on ; in fact, we get a different group structure for each choice of . The idea therefore is not so much that the identity element has been forgotten, yet might still be remembered; it is rather that every single element is an equally plausible identity.
Example 3
Let be the set of points on a curve of genus 1, and let be the group of degree0 divisor classes on . By the Riemann–Roch theorem, for every class in and point on , there exists a unique on such that . We therefore have an explicit action of on , defined by . If we fix a choice of distinguished “base point” in , then we can identify each class with the point , and thus, by transport of structure, we get a group law on . (Cognoscenti will recognise the definition of the group law on an arbitrary elliptic curve via the Picard group.)
Our final example of a PHS is fundamental in isogenybased cryptography. It is far more complicated to define than Examples 1, 2, and 3; we will give an extremely brief description here, returning to it in greater detail in §13 and §14.
Example 4
Let be a prime power and an integer with ; let be the ring of integers of the imaginary quadratic field , where . Let be the set of isomorphism classes of elliptic curves whose endomorphism ring is isomorphic to (and where the image of the Frobenius endomorphism of in has trace ). Then is a PHS under the ideal class group of , with ideals acting by , where is the intersection of the kernels of the endomorphisms in . This PHS is central to the theory of Complex Multiplication; there is also a welldeveloped algorithmic theory for it, used to compute fundamental numbertheoretic objects such as modular and Hilbert class polynomials (see e.g. [27]).
Example 4 highlights another view of PHSes: we can consider as a version of whose structure is hidden by the maps . In this case, the elements of are invariants, and (when the class group is sufficiently large) look like random elements of ; the class group itself has no such encoding.
9 Hard homogeneous spaces
Let be a PHS under . From now on we assume we can efficiently compute group operations, evaluate actions, test equality, and hash elements of and . We also assume we can uniformly randomly sample elements of . Figure 1 illustrates the two interesting computational problems in this setting, which Couveignes called vectorization (Definition 4) and parallelization (Definition 5).
Definition 4 (Vectorization)
The vectorization problem in a PHS under is, given and in , to compute the unique in such that .
Definition 5 (Parellelization)
The parallelization problem in a PHS under is, given , , and in , to compute the unique in such that where and . (Note that then .)
Definition 6 (Hhs)
Let be a PHS under . We say is a hard homogeneous space (HHS) if the action of on is efficiently computable, but the vectorization and parallelization problems are computationally infeasible.
The names “vectorization” and “parallelization” are intuitive in the context of Example 2: vectorization is computing the displacement vector between points and in the space , while parallelization is completing the parallelogram with vertices , , and . These are routine operations in vector and affine spaces, so the PHS of Example 2 is typically not something that we would consider an HHS. Similarly, the PHS of Example 3 is not an HHS, because we can always vectorize by formally subtracting points to form a degree0 divisor. Couveignes suggested that the PHS of Example 4 might be an HHS—and with the current state of classical and quantum class group and isogeny algorithms, it is.
10 Cryptography in hard homogeneous spaces
On a purely symbolic level, the vectorization problem in a PHS bears an obvious formal resemblance to the DLP in a group, just as the parallelization problem resembles the CDHP . The presence of abelian groups in each problem suggests deeper connections—connections that do not necessarily exist. Indeed, we saw above that parallelization in a PHS is an implicit computation of the group law, while the Diffie–Hellman operation in a group is something completely different.
But irrespective of the relationship between parallelizations and CDHPs, this syntactical resemblance allows us to define a cryptosystem analogous to Diffie–Hellman. Algorithms 7 and 8 define Couveignes’ key exchange in the HHS setting, with security depending on the hardness of parallelization.
Algorithms 7 and 8 immediately raise some important restrictions on the kinds of and that we can use. The first is that we need some kind of canonical representation for elements of , to ensure that Alice and Bob can derive equal shared cryptographic keys from the shared secret . This property is also important in settings where public keys are required to be unique for a given private key. We also need to be able to efficiently draw uniformly random samples from ; and then, given a random element of , we need to be able to efficiently compute its action on arbitrary elements of . An alternative approach is to repeatedly randomly sample from a subset of efficientlycomputable elements of
, building a sequence of such elements to be used as the secret key, with the action of the key being the composition of the action of its components. This approach requires an argument that the distribution of these compositions is sufficiently close to the uniform distribution on the whole of
. Both approaches are relevant in isogenybased cryptography, as we will see in §14.Many CDHPbased cryptosystems have obvious HHS analogues. We can define an HHSbased KEM (and implicitly, a hashedElGamaltype public key encryption scheme) along the lines of Algorithms 5 and 6, by replacing the calls to Algorithms 1 and 2 with calls to Algorithms 7 and 8, respectively. But not all DLPbased protocols have HHSbased analogues: for example, the obvious HHS analogue of Schnorr’s signature scheme [123] would appear to require an efficient (decisional) parallelization algorithm in order to verify signatures.
HHSDiffie–Hellman is not a natural generalization of groupDiffie–Hellman. As we noted in §7, in groupDH, we have a ring (integers modulo ) acting on the group ; the composition operation at the heart of DH is ring multiplication, but the ring only forms a group under addition. Formally, in groupDH we only use the fact that the scalars form a commutative magma; but algorithmically, we exploit the fact that the elements form an abelian group and the scalars form a commutative ring, mapping addition in the ring onto the group law, in order to efficiently evaluate scalar multiplications using addition chains.
More concretely, we noted in §8 that the maps can be seen as hiding the group in . The parallelization can be written as
; that is, parallelization computes the group law in the hidden representation of
in corresponding to . From this perspective, HHSDiffie–Hellman is a hidden version of the ridiculous key exchange where the shared secret is the product of the two public keys: obviously, without the hiding, this offers no security whatsoever.11 Vectorization and parallelization
To argue about the security of the schemes in §10, we must address the following questions: how hard are vectorization and parallelization? What is the relationship between these problems, and to what extent does our common intuition relating the DLP and CDHP carry over to vectorization and parallelization in the PHS setting?
It might seem excessive to require the simple and transitive action of a PHS in all this: we could relax and set up the same cryptosystems with a group acting on a set in any old way. While we might lose uniqueness and/or existence of vectorizations and parallelizations, many of the arguments in this section would still go through. However, using PHSes instead of general group actions makes one thing particularly simple: the proof of random selfreducibility for vectorization and parallelization is identical to the usual arguments for groups, which we sketched in §5. More precisely: if an algorithm successfully solves vectorizations in with a probability of , then we can solve any vectorization in with an expected calls to the algorithm. Given a target vectorization , we attempt to solve for randomly chosen and in ; we expect to land in the subset of inputs where the algorithm succeeds within attempts, and then recovering from is trivial. This means that the average and worstcase difficulties for vectorization are equivalent; a similar argument yields the same result for parallelization.
Now, consider the relationship between vectorization and parallelization. If we can solve vectorizations , then we can can solve parallelizations , so parallelization is notionally easier than vectorization.
As we have seen, the parallelization operation acts as the group law induced on by when elements are hidden by . Given a parallelization oracle for a PHS with respect to one fixed base point (call this parallelization), we can view as an efficiently computable group, and thus apply any blackbox group algorithm to . Further, given an efficient parallelization algorithm, the map becomes an efficiently computable group homomorphism. Even further, if we have a parallelization oracle for all in , then the mapping becomes an efficiently computable bilinear pairing (viewing as a version of hidden by one ).
The efficient homomorphism implied by a parallelization oracle is of course an isomorphism (because ), but its inverse is not necessarily efficient^{12}^{12}12The term oneway group action is used for the HHS framework in [35] and [22]. This hints at a more general setting, where actions are not necessarily simple or transitive. : if it were, then we could solve vectorizations because . Conversely, if we can vectorize with respect to , then we can invert : the preimage of any in is the vectorization of with respect to . Parallelization therefore yields an efficient isomorphism in one direction, while vectorization yields the inverse as well.
In the case where a group has prime order, we can use a CDHP oracle to view as a blackbox field in the sense of Boneh and Lipton [20]. Given a base point in , each element of is implicitly identified with its discrete logarithm . The Diffie–Hellman operation becomes an implicit multiplication, allowing us to view as a model of , and thus to apply various subexponential and polynomialtime reductions from the DLP to the CDHP in (as we noted in §3). A parallelization oracle for , however, only allows us to view as a blackbox group, not a blackbox field; we therefore have no equivalent of the den Boer or Maurer reductions in the HHS setting.
The separation between vectorization and parallelization therefore seems more substantial than the somewhat thin and rubbery separation between the DLP and CDHP. However, we would still like to have some upper bounds for the hardness of these problems. For vectorization, we can give some algorithms.
In the classical setting, Couveignes noted that Shanks’ babystep giantstep (BSGS) and Pollard’s probabilistic algorithms for DLPs in groups extend to vectorizations in PHSes. Algorithm 9 is a BSGS analogue for a PHS under .^{13}^{13}13Algorithm 9 becomes the usual BSGS for DLPs in if we let (with the group operation as the action), let , and let be the discrete log target. Given and in and a generator for (a subgroup of) , Algorithm 9 computes an exponent such that , if it exists (if lies outside the subgroup generated by , then the algorithm will fail and return ).
Vectorization in a PHS under can always be solved classically in time and space using Algorithm 9 and random selfreducibility, provided a generator of a polynomialindex subgroup of is known. Algorithm 9 does more than what is required: it returns not just the desired vectorization , but the discrete logarithm of with respect to . This betrays the fact that Algorithm 9 is just a blackbox group algorithm operating on a hidden version of .
Pollard’s algorithms also generalize easily to the HHS setting, because we can compute the pseudorandom walks using only translations, or “shifts”, by group elements. These translations in the group setting can be replaced by actions by the same elements in the HHS setting. The space complexity of vectorization can thus be reduced to as little as for the same time complexity.
Moving to the quantum setting: despite its resemblance to the DLP, vectorization cannot be solved with Shor’s algorithm. In fact, vectorization is an instance of the abelian hidden shift problem [136]: given functions and such that for all and some “shift” , find . The hidden shift instance corresponding to the vectorization instance has , , and . Kuperberg reduces the abelian hidden shift problem to an instance of the dihedral hidden subgroup problem, which is then solved with a quantum algorithm with a query complexity of , where according to [37]. Kuperberg’s original algorithm [88] uses subexponential space; Regev’s simpler algorithm [116] uses polynomial quantum space; and Kuperberg’s most recent work [89] uses linear quantum space, but subexponential classical space. More detailed perspectives on these algorithms in the context of the isogeny class HHS appear in [35, 60, 22].
12 The difficulty of exploiting subgroup structures
Moving back to the abstract: when we think about DLPs, in blackbox or in concrete groups, we implicitly and systematically apply the Pohlig–Hellman–Silver algorithm to reduce to the primeorder case. It is interesting to note that for PHSes, no such reduction is known: it appears difficult to exploit the subgroup structure of when solving vectorization problems in .^{14}^{14}14
It might seem odd that some blackbox group algorithms like BSGS and Pollard
adapt easily to PHSes, but not others like Pohlig–Hellman. But looking closer, BSGS and Pollard in groups only require translations, and not a full group law. We can therefore see BSGS and Pollard not as blackbox group algorithms, but rather as blackbox PHS algorithms that are traditionally applied with .Algorithm 10 presents the Pohlig–Hellman–Silver algorithm for discrete logarithms in a group whose order has known factorization . Line 10 applies a DLPsolving algorithm (like BSGS, Pollard , or a specialized algorithm for a concrete group) in the order subgroup of . If the factorization is complete and the are prime, then the global DLP is reduced to a polynomial number smaller primeorder subDLPs.
The key steps involve producing the subgroup DLPs. Lines 10 and 10 project the DLP instance into the order subgroup of . Lines 10 and 10 then produce a DLP instance in the order subgroup. This is always done by exponentiation by and ; indeed, this is the only way that the factors are used in the algorithm.
In the PHS setting, subgroup DLPs should be replaced with subgroup vectorizations. Line 10 could be replaced with a call to Algorithm 9, using as the subgroup generator; the problem is to produce a vectorization instance in a subPHS acted on by the corresponding subgroup. We cannot naively concatenate “” (or “”) to most lines of the algorithm to turn group elements and operations into PHS elements and operations: Line 10, for example, would require computing from , , and , but this amounts to an iterated parallelization—and parallelization is supposed to be hard in an HHS.
A thorough investigation of the possibility and difficulty of exploiting subgroup structures for vectorization and parallelization would require working with subgroup actions on quotient spaces; we do not have room to discuss this here. We note, however, that in some protocols a limited number of exploitable parallelizations are provided by the protocol itself, as in the groupbased protocols subject to Cheon’s attack [36], and this should have some consequences for the security of any HHS analogues of these protocols.
13 A quick introduction to isogenies
This section provides enough background on isogenies and endomorphisms of elliptic curves to make sense of the HHS from Example 4 before we describe cryptosystems based on it in §14. We also want to fill in some background on supersingular curves before we need it in §15. We assume a basic familiarity with the arithmetic of elliptic curves; readers familiar with isogenies and isogeny graphs can safely skip this section. As a mathematical reference, we suggest [127] and [86]; for greater detail focused on the cryptographic use case, see [59].
We want to talk about relationships between elliptic curves over a fixed finite field , where is a power of some prime . We can assume that or , to simplify, though the theory applies to those cases as well. We will work with elliptic curves as short Weierstrass models , with and in : in practice we might compute using other curve models (many isogenybased cryptosystem implementations have preferred Montgomery arithmetic [42]), but since we end up working with curves up to isomorphism, and every curve is isomorphic to a short Weierstrass model, we lose nothing in restricting to this simple and universal curve shape in this article. The torsion of is the subgroup of points such that .
A homomorphism is, by definition^{15}^{15}15An elliptic curve is by definition a pair , where is a curve of genus 1 and is a distinguished point on (which becomes the identity element of the group of points; cf. Example 3); so it makes sense that a morphism in the category of elliptic curves should be a mapping of algebraic curves preserving the distinguished points, that is, mapping onto . , a rational map such that . Homomorphisms induce homomorphisms on groups of points [127, §III.4], but not every homomorphism of groups of points is induced by a homomorphism of curves. An homomorphism is one that is defined over : that is, the rational functions defining it as a rational map have coefficients in . Every homomorphism here will be defined over , unless explicitly stated otherwise.
Isogenies are nonzero homomorphisms of elliptic curves. If there is an isogeny from to , then we say that and are isogenous. We will see below that for each isogeny there is a dual isogeny , so isogeny is an equivalence relation on elliptic curves.
Isomorphisms are invertible homomorphisms. The invariant of a curve is ; two curves and are isomorphic if and only if . We need to work with the stronger notion of isomorphism, where the invariant does not tell the whole story. Curves that are isomorphic but not isomorphic are called twists. The most important example is the quadratic twist, which is isomorphic over but not : the quadratic twist of is , where is any nonsquare in (the choice of nonsquare makes no difference up to isomorphism, which is why we say the rather than a quadratic twist). The isomorphism is defined by ; this is clearly not defined over , yet . The quadratic twist of a curve is its only twist, up to isomorphism, unless or (in which case there may be four or two more twists, respectively). Specifying an isomorphism class therefore comes down to specifying a invariant and a choice of twist.
Endomorphisms are homomorphisms from a curve to itself. The endomorphisms of a given curve form a ring , with the group law on inducing addition of endomorphisms and composition of endomorphisms corresponding with multiplication. The structure of the set of isogenies from to other curves is deeply connected to the structure of , and vice versa.
The scalar multiplication maps are endomorphisms, so always contains a copy of . It also includes the Frobenius endomorphism , which satisfies the quadratic equation for some integer in the Hasse interval ; we call the trace of Frobenius (and of ). Since points in are precisely the points fixed by , we have . If is the quadratic twist of and we pull back the Frobenius on to an endomorphism on via the twisting isomorphism, then the result is , so the trace of is the negative of the trace of .
Now consider the set of all elliptic curves over . Tate’s theorem tells us that two elliptic curves are isogenous if and only if they have the same trace (and hence the same number of rational points). This means that the set of all elliptic curves is partitioned into isogeny classes, indexed by the integers in the Hasse interval (via the trace). Since the trace of a curve over is the negative of the trace of its quadratic twist, and the quadratic twist is generally the only twist, we can use the invariant to uniquely identify elements of the isogeny class of trace up to isomorphism, even though
normally only classifies curves up to
isomorphism. We can handle and as rare special cases, but for the case we need to be more careful.Now let us focus on a single isogeny class. The isogeny class immediately breaks up into a union of isomorphism classes. The modern way of looking at an isogeny class is as a graph, with isomorphism classes of curves for vertices, and isomorphism classes of isogenies for edges (isogenies and are isomorphic if there are isomorphisms and such that ).
Tate’s theorem is not constructive, so we generally don’t know how to get from one point to another in an isogeny graph. The difficulty of computing a path representing an unknown isogeny between given elliptic curves in the same isogeny class is the source of most hard problems in isogenybased cryptography.
To take a closer look at the structure of isogeny graphs we need to classify isogenies, and to break them down to into fundamental components. Our main tool for this is the degree. Since an isogeny is defined by nonconstant rational maps, it induces an extension of function fields; the degree of is defined to be the degree of that extension. (We extend the definition of degree to homomorphisms by defining the degree of zero maps to be 0.) If and are isogenies, then . Two examples are particularly important: , and . If , then we say that is a isogeny.
Another important quality of isogenies is (in)separability, which we define according to the (in)separability of the corresponding function field extension. For our purposes, the purely inseparable isogenies are all iterated compositions of powering (such as Frobenius); these can be factored out of any other isogeny, and then what remains is separable.
Suppose is a finite subgroup of . Now must include , and it is also fixed by ; so is determined precisely by the coordinates of its nonzero elements. We can therefore encode as a polynomial , where the product runs over the nonzero points of in such a way that is included iff is not. The subgroup is defined over if and only if the polynomial has coefficients in .
Being homomorphisms, isogenies have kernels. The kernel of an isogeny is always a finite subgroup of . If is separable, then . The points of are generally defined over an extension of , but can be encoded as the kernel polynomial , which is defined over . Separable isogenies are defined by their kernels, up to isomorphism.
Going in the other direction, given a finite subgroup of defined over , there exists a separable quotient isogeny with . The isogeny and the curve are both defined up to isomorphism; they can be computed using Vélu’s formulæ [137]. (If is encoded as the polynomial , then we compute using the symmetric version of Vélu’s formulæ in [86, §2.4].)
Given an ideal , we can consider the subgroup . This is the kernel of an isogeny ; the isogenies that arise in this way are central to the key exchange of §14. The degree of is the norm of in . If is principal, then is isomorphic to .
Given any isogeny , we can compute the subgroup , and then the quotient is a isogeny such that has kernel ; hence, is isomorphic to a isogeny such that on (and on ). We call the dual of . The upshot is that every isogeny has a corresponding isogeny .
Every isogeny can be factored into a composition of isogenies of prime degree, though there are two important caveats: factorization is not unique, and generally a factorization may only exist over some extension field. For example, if is prime, then , so there are order subgroups , each the kernel of a different isogeny , and then the dual isogeny gives us a factorization . Each decomposition is only defined over the field of definition of the associated subgroup .
Just as we decompose isogenies into isogenies, so consider the subgraphs formed by isogenies. The structures of isogeny graphs depend strongly on the endomorphism rings of curves in the isogeny class, as we will see.
A curve is supersingular if divides its trace (over , this implies the trace is ). If is not supersingular, then it is ordinary. The invariant of any supersingular curve is in or , so any supersingular curve is isomorphic to one defined over or . There are roughly supersingular invariants in , of which are in (more precisely, this number is the class number of ). Since supersingularity is defined by the trace, either all of the curves in an isogeny class are supersingular, or all of them are ordinary; the two kinds of curves do not mix.
There are two possibilities for the general structure of the endomorphism ring of an elliptic curve over a finite field:
 commutative

is isomorphic to an order in a quadratic imaginary field; or
 noncommutative

is isomorphic to a maximal order in a quaternion algebra.
All ordinary curves have commutative endomorphism rings. If a supersingular curve is defined over , then its endomorphism ring is commutative^{16}^{16}16If we consider endomorphisms defined over , then the ring is noncommutative. ; if it is defined over , then its endomorphism ring is noncommutative.
The commutative case is relatively simple: each is an order in containing the quadratic ring . The discriminant of is , where is the fundamental discriminant of . The algorithmic exploration of ordinary isogeny graphs begins with Kohel’s thesis [86, Chapter 4]; these graphs are now mainstream computational tools in the arithmetic of elliptic curves and elliptic curve cryptography [66, 61, 67, 81]. The analogous theory for supersingular curves over , whose endomorphism rings are commutative and thus behave like ordinary curves, was explored by Delfs and Galbraith [47].
If is an isogeny of endomorphism rings with commutative endomorphism rings (with prime), then there are three possibilities: (we say is horizontal), with index (we say is ascending), or with index (we say is descending). An isogeny can only be ascending or descending if divides the conductor of in , and an isogeny can only be horizontal if and