This page is part of the Isogeny-based cryptography school.
This part covers the public-key schemes CSIDH and SIDH and is taught by
Tanja Lange
Coding Theory and Cryptology
Eindhoven Institute for the Protection of Systems and Information
Department of Mathematics and Computer Science
Technische Universiteit Eindhoven
P.O. Box 513
5600 MB Eindhoven
Netherlands
The easiest ways to reach Tanja is by e-mail: tanja@hyperelliptic.org

Once upon a time this was meant to be an in-person school in summer 2020 running for just one week. It is now held online, stretching over many more weeks and topics and covering topics in more depth. This part is officially week three and the two live sessions take place in week three, but feel free to reach out during later weeks via the Zulip chat if you have questions.

Live sessions

Lecture notes

Exercises

Here is the exercise sheet for the (C)SIDH unit.

Papers

SIDH was introduced by David Jao and Luca de Feo at PQCrypto 2011. An extended version, by Luca De Feo, David Jao, and Jérôme Plût Towards Quantum-Resistant Cryptosystems From Supersingular Elliptic Curve Isogenies, was published in Journal of Mathematical Cryptology (2014).

CSIDH was introduced by Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, Joost Renes in CSIDH: An Efficient Post-Quantum Commutative Group Action. It builds on Public-Key Cryptosystem Based on Isogenies by Alexander Rostovtsev and Anton Stolbunov and Hard Homogeneous Spaces by Jean-Marc Couveignes but uses supersingular curves where those used ordinary ones.

Take a look at https://csidh.isogeny.org for more information on CSIDH and at https://sike.org/ for more information on SIDH. SIKE is a candidate in the NIST cmpetition on post-quantum cryptography and is based on SIDH.

Videos

For a course on post-quantum cryptography that I taught Spring 2021 I recorded six videos which you might like to watch. There is a lot of overlap with what you have seen already in week 1 by Lorenz Panny. I also owe a lot of the slides to Lorenz, all new typos are mine. As Lorenz didn't provide videos for this school and CSIDH is split over multiple of the videos I'm just posting them all here. The links here go to https://www.youtube-nocookie.com, but when you click through you get to the regular YouTube channel. Use as you like and matching your appetite for cookies.

The first video recalls some background on elliptic curves. This was covered, in greater detail, by Lorenz Panny in week 1.

See also the slides.
I fixed the definitions of discriminant and j-invariant.

The second video recalls the Diffie-Hellman key-exchange and presents exponentiation as a walk on graphs, We will see similar walks for isogenies soon. For the graphs that multiply by g^2, g^4, and g^8 I assume that those values are precomputed. So, you can change the DH parameters to G, g, g^2, g^4, g^8, so have those as part of the system.

See also the slides.

This video gets to isogenies and shows how one can use the isogeny graph to get a DH-like structure. The definition of isogenies and examples were covered in week 1 already by Lorenz, the rest is a precursor to CSIDH and might be worth watching.

See also the slides.

This video got a bit too long, but covers all the remaining math background that we need. The first part, apart from quadratic twists, has been covered by Lorenz. There is a lot more about ideal class groups in Jean-Francois Biasse's course Ideal Class Groups which ran in week 1 of this school. If you're caught up on both of these courses, this is easy listening, introducing bits of CSIDH between math that you know already. If you want to be motivated to go back to those course notes, see how far you get and where you get eager to know more.

See also the slides.
To give proper credit:
Tate's theorem says that two curves over a field F_q are isogenous if and only if they have the same number of points,

This video gives the full description of the CSIDH system. You need the previous video to really understand why this works, but you can also watch this one first for motivation.

See also the slides.

SIDH is a different system based on isogenies. It is a bit harder to understand but we now have all material necessary to do so.

See also the slides.

Further reading/watching:

• Chloe Martindale gave a lecture on isogeny-based cryptography at the PQCRYPTO summerschool in 2017. Note that that was before the CSIDH system was invented, so she covers only the math background and SIDH.
  For that school we have videos (Long form) as well as slides and exercises.
• Lorenz Panny gave a lecture on isogeny-based cryptography at the Executive School on Post-Quantum Cryptography 2019, where he does cover CSIDH as well.
• Luca de Feo wrote a nice overview paper Mathematics of Isogeny Based Cryptography in 2017.