# CSIDH: Commutative Supersingular Isogeny Diffie-Hellman

**Source**: https://quantumsequrity.com/blog/csidh-explained
**Category**: PQC Algorithms

---

[← Back to Blog](../../blog.html) PQC Algorithms

# CSIDH: Commutative Supersingular Isogeny Diffie-Hellman

10 min read

CSIDH (pronounced "sea-side") is an isogeny-based key exchange protocol introduced in 2018 by Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes. Unlike SIDH, which Castryck and Decru broke in 2022, CSIDH uses a fundamentally different mathematical structure called a commutative class group action. The Castryck-Decru attack does not apply to CSIDH, which is why CSIDH survived the SIDH break and remains a candidate for non-interactive key exchange in 2026.

CSIDH has tradeoffs. It is much slower than SIDH was. Its security parameters are still being calibrated. Its key sizes are small but not as small as SIDH's were. But its conservative design and survival through the 2022 cryptanalytic earthquake have kept it on the post-quantum research map.

This article explains what CSIDH is, why it survived where SIDH fell, and where it might fit in future deployments.

## The Garden With One-Way Gates

Imagine a garden with thousands of plots arranged in a geometric pattern. Between every pair of plots, there is a one-way gate. To get from plot A to plot B, you might need to pass through dozens of gates in a particular order. The gates have a beautiful property: it does not matter which order you visit a sequence of gates, you always end up at the same destination. This is what mathematicians call commutativity.

CSIDH operates on this kind of garden. Two parties each pick a secret path of gates. They publish their final plots. They then walk through the other person's published plot using their own secret path of gates. Because the gates commute, both parties end up at the same final plot, which becomes the shared secret.

SIDH worked differently. In SIDH, the gates did not commute, so the protocol had to publish auxiliary points to reconcile the paths. Those auxiliary points were what Castryck and Decru attacked. CSIDH avoids the issue by using a commutative gate structure that does not need auxiliary points.

## The Origin: 2018, Castryck-Lange-Martindale-Panny-Renes

The original paper, "CSIDH: An Efficient Post-Quantum Commutative Group Action", was presented at ASIACRYPT 2018. The team made a deliberate choice to revisit an older idea (commutative group actions on supersingular curves, due to Couveignes 1997 and Rostovtsev-Stolbunov 2006) and engineer it into a practical scheme.

Couveignes had proposed a commutative isogeny-based key exchange in an unpublished 1997 manuscript. Rostovtsev and Stolbunov independently rediscovered and published the idea in 2006. Both proposals were considered too slow to be practical. The CSIDH team showed that with careful parameter choices and modern computing, the scheme could be made fast enough to be relevant.

### Why "Commutative" Matters

In SIDH, Alice's isogeny and Bob's isogeny do not commute. Alice's isogeny followed by Bob's gives a different curve than Bob's isogeny followed by Alice's. Reconciling them required the auxiliary points.

In CSIDH, Alice's class-group action and Bob's class-group action commute. Alice's followed by Bob's equals Bob's followed by Alice's. Both parties just compute the action of their own secret on the other's public element, and they arrive at the same shared element. No auxiliary points needed.

The price is that CSIDH operates in a smaller, more constrained mathematical setting. The class group action is computationally expensive to evaluate. Each "gate" in our garden metaphor takes meaningful CPU time, and a CSIDH key exchange might require evaluating hundreds of them.

## CSIDH Performance and Sizes

The 2018 paper gave initial performance numbers:

- **Public key size at 128-bit classical security**: 64 bytes (512 bits).
- **Computation time**: Around 80 milliseconds per key exchange on a modern CPU.

The 80 ms figure is a problem. ECDH on the same machine takes microseconds. Even Kyber's 512-bit security level takes well under a millisecond. CSIDH is genuinely slow because evaluating the class group action involves hundreds of low-level finite-field operations that cannot be parallelised effectively.

Subsequent work has reduced the time. Optimisations by Bernstein, De Feo, Leroux, Smith, and others have brought CSIDH below 10 ms in some implementations. But it is still orders of magnitude slower than competing schemes for the same security level.

### The Quantum Security Question

A subtle issue with CSIDH is its quantum security level. The classical attack on commutative isogeny-based schemes is subexponential. The quantum attack, using Kuperberg's algorithm or Regev's algorithm, is also subexponential but with different constants. Different research groups have proposed different parameter sizes for the same target quantum security level.

The 512-bit CSIDH parameter set provides somewhere between 60 and 128 bits of post-quantum security depending on which analysis you trust. The community has not converged on a single answer, which is part of why CSIDH has not been standardised.

NIST's post-quantum signature on-ramp (2023) included CSIDH-based schemes for evaluation. The evaluation continues, with the parameter calibration question still open.

## Why CSIDH Survived the SIDH Break

The Castryck-Decru attack on SIDH used Kani's theorem about isogenies between abelian surfaces. The attack required two ingredients:

1. **Auxiliary points**: SIDH publishes pairs of points on the public curve.
2. **Specific isogeny degree structure**: SIDH's degrees factor in a way that Kani's theorem can exploit.

CSIDH lacks both. CSIDH does not publish auxiliary points (the commutative structure makes them unnecessary). CSIDH's isogeny degrees do not have the structure that Kani's theorem requires.

After the SIDH break, the entire isogeny cryptography community examined whether the attack could be extended to CSIDH. The consensus, confirmed in multiple follow-up papers in 2022 and 2023, is that CSIDH is not affected by Castryck-Decru. The mathematical foundation is genuinely different.

That said, the SIDH break did teach the community to be more cautious about all isogeny schemes. Researchers continue to look for new attack vectors. As of 2026, no successful attack on CSIDH has been published.

## Where CSIDH Might Fit

CSIDH's distinguishing feature is that it is a non-interactive key exchange (NIKE). Both parties can publish their public keys independently, and anyone can compute the shared secret from both public keys without further interaction.

Most post-quantum KEMs (ML-KEM, HQC, Classic McEliece) are interactive: one party encapsulates against the other's public key, producing a ciphertext that the other party decapsulates. NIKE eliminates the interactive round, which is useful for:

- **Asynchronous messaging**: Both parties may not be online at the same time.
- **Identity-based encryption**: Public keys can be derived from identities without per-recipient interaction.
- **Long-term archival**: A key exchange computed once can be used decades later without revisiting the protocol.

CSIDH is currently the only post-quantum NIKE candidate that is not catastrophically broken. Lattice and code-based KEMs are interactive by design and have no efficient NIKE variant.

The use case is niche but real. Some asynchronous-messaging protocols are evaluating CSIDH for parts of their handshake. It is unlikely to ever replace ML-KEM in TLS, but it could fill specific roles where NIKE is needed.

## CSIDH in NIST's Pipeline

CSIDH itself is not on the NIST FIPS standardisation track. The NIST signature on-ramp (2023 call) includes some isogeny-based candidates, but CSIDH-style key exchange is not on a standardisation track in 2026.

Several CSIDH-derived signature schemes (CSI-FiSh, CSI-RAShi, SeaSign) have been proposed. They build identification protocols around CSIDH and turn them into signatures via the Fiat-Shamir transform. These schemes are research-grade but not yet production-ready.

For 2026 production deployment, CSIDH is not a viable choice. It is a research direction with potential for niche scenarios, not a standardised primitive.

### What Could Change

Several things could shift CSIDH into wider use:

- **Better quantum security analysis**: If the community converges on a single answer for CSIDH's quantum security level, parameter calibration becomes settled.
- **Performance improvements**: Continued optimisation could reduce CSIDH's computation cost from 10 ms to under 1 ms, making it competitive with Kyber for some scenarios.
- **NIKE demand**: If post-quantum messaging protocols (Signal, MLS) standardise on a NIKE-based handshake, CSIDH could become the underlying primitive.
- **Standardisation**: NIST's signature on-ramp could include a CSIDH-based signature in a future round.

None of these are imminent in 2026, but none are excluded either.

## CSIDH in QNSQY

QNSQY does not ship CSIDH. The scheme is not NIST FIPS-standardised, and QNSQY's policy is FIPS-only for post-quantum primitives. The KEM portfolio is ML-KEM and HQC.

CSIDH's slow performance also limits its fit for QNSQY's use case. QNSQY's typical operation is encrypting a file, which involves running the KEM once. ML-KEM does this in microseconds. CSIDH would do it in tens of milliseconds. For a single file the difference is invisible, but for batch operations (encrypting thousands of files) the gap matters.

If a customer with a non-interactive messaging requirement asks specifically for CSIDH, the QNSQY hybrid envelope format is extensible. But the default deployment uses ML-KEM, with HQC as the non-lattice diversity option.

For more on the alternatives, see [HQC Explained](hqc-explained.html), [SIDH History](sidh-history.html), [SIKE Broken Explained](sike-broken-explained.html), and [Lattice-Based Cryptography Explained](lattice-based-cryptography-explained.html).

### The NIKE Question

A subtle architectural question is whether non-interactive key exchange will become important enough that CSIDH or a similar scheme needs to enter mainstream deployment. Today, almost all secure protocols (TLS, IKEv2, MLS, Signal) use interactive handshakes where one party initiates and the other responds. NIKE is useful in narrower scenarios: forward-secret offline messaging, identity-based encryption derived from public attributes, archival schemes where the recipient may be offline at encryption time.

If NIKE-based protocols become more prominent (for example, if a major messaging platform adopts a NIKE-based protocol for offline sealing), CSIDH's slow performance could be amortised across rare use, making it acceptable. As of 2026, this is speculative; most messaging platforms use interactive handshakes plus pre-published key bundles, which work fine with interactive KEMs like ML-KEM.

## Frequently Asked Questions

### Is CSIDH the same as SIDH?

No. SIDH (broken in 2022) used non-commutative isogenies and required auxiliary points. CSIDH uses a commutative class group action and does not publish auxiliary points. The mathematical foundations are different, and the Castryck-Decru attack on SIDH does not apply to CSIDH. Despite the similar names, they are very different schemes. See [SIDH History](sidh-history.html) for context.

### Could CSIDH be broken the same way SIDH was?

Almost certainly not. The Castryck-Decru attack used Kani's theorem and required SIDH's specific auxiliary-point structure. CSIDH has neither. As of 2026, no successful attack on CSIDH has been published, and the community has examined the question carefully after the SIDH break.

### Why is CSIDH so slow?

Because evaluating the class group action involves hundreds of finite-field operations that cannot be parallelised. Each "step" of the action is small, but the total step count is high. ECDH or Kyber compute a single point multiplication or polynomial multiplication; CSIDH chains together many smaller operations.

### Does CSIDH provide NIST Category 1 security?

The honest answer is "the community is still calibrating." Different research groups have proposed different parameter sizes for the same target post-quantum security. The most commonly cited parameter set (CSIDH-512) provides somewhere between 60 and 128 bits of post-quantum security. NIST has not blessed any specific parameter set as Category 1 yet.

## Sources

1. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J. "CSIDH: An Efficient Post-Quantum Commutative Group Action." ASIACRYPT 2018. https://eprint.iacr.org/2018/383
2. Rostovtsev, A., Stolbunov, A. "Public-key cryptosystem based on isogenies." IACR ePrint 2006/145. https://eprint.iacr.org/2006/145
3. Couveignes, J.-M. "Hard Homogeneous Spaces." IACR ePrint 2006/291. https://eprint.iacr.org/2006/291
4. NIST. "Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process." NIST IR 8528, March 2025. https://csrc.nist.gov/pubs/ir/8528/final
5. Bernstein, D. J., De Feo, L., Leroux, A., Smith, B. "Faster computation of isogenies of large prime degree." IACR ePrint 2020/341. https://eprint.iacr.org/2020/341
6. Castryck, W., Decru, T. "An efficient key recovery attack on SIDH." IACR ePrint 2022/975. https://eprint.iacr.org/2022/975

## Related Articles

- [SIDH History](sidh-history.html)
- [SIKE Broken Explained](sike-broken-explained.html)
- [HQC Explained](hqc-explained.html)
- [Lattice-Based Cryptography Explained](lattice-based-cryptography-explained.html)
- [What Is Post-Quantum Cryptography?](what-is-post-quantum-cryptography.html)

---

### Protect Your Data Before Q-Day Arrives

QNSQY's NIST-standardized post-quantum encryption protects files against both current and quantum-era threats.

[Try QNSQY](../../pricing.html)
