Isogeny Cryptography After SIKE
Isogeny-based cryptography did not end when SIDH/SIKE fell in 2022, but it narrowed sharply, and the part that survived is the signature direction rather than the key exchange. The Castryck-Decru attack broke the specific SIDH construction by exploiting the auxiliary torsion-point information that the SIDH key exchange published to make its Diffie-Hellman structure work, and schemes that never publish that data were left standing. The survivors that matter are CSIDH, a commutative group action that supports a slower but structurally different key exchange, its signature scheme CSI-FiSh, and SQIsign, the compact isogeny signature under evaluation in NIST’s additional-signatures process. The break was aimed at a feature of one design, so the field lost its flagship key exchange while keeping a live research base in signatures.
Source: Wouter Castryck and Thomas Decru, “An Efficient Key Recovery Attack on SIDH,” IACR ePrint 2022/975.
The short version:
- The 2022 break hit SIDH/SIKE specifically, a isogeny key exchange that fell to a classical, polynomial-time attack. The full account is in The SIKE Break.
- The attack exploited auxiliary torsion-point data that SIDH published to let two parties reach the same shared curve. That data is what the Castryck-Decru attack fed on, and the signature schemes do not expose it.
- CSIDH survives as a different construction: a commutative group action of an ideal class group on supersingular curves over a prime field, usable for non-interactive key exchange with very small keys, though far slower than SIDH was.
- CSI-FiSh is a signature built on CSIDH via the Fiat-Shamir transform, made practical by a one-time computation of the CSIDH-512 class-group structure.
- SQIsign is the isogeny signature that carried the direction forward into NIST’s onramp, valued for the smallest signatures of any candidate and its mathematical distance from the lattice mainstream.
- None of these is a finalized NIST standard, so isogeny cryptography today is a research and diversification lane, and none of the current NIST-standardized algorithms is isogeny-based.
What exactly broke in 2022, and what did the attack need?
The break hit SIDH, the Supersingular Isogeny Diffie-Hellman key exchange, and the SIKE key-encapsulation mechanism built on it. In July 2022, Wouter Castryck and Thomas Decru published a classical, polynomial-time key-recovery attack that ran on an ordinary computer with no quantum hardware and recovered the private key, breaking even the highest parameter set in about a day on a single core. The event is treated in full in The SIKE Break; what matters here is the mechanism, because it explains why some isogeny schemes fell and others did not.
SIDH had a specific structural requirement. To let two parties who each walk their own secret path through the isogeny graph arrive at the same shared curve, the protocol published extra information alongside each public key: the images of certain torsion points under the secret isogeny. That auxiliary torsion-point data is what made the Diffie-Hellman commutativity work, and it is exactly what the attack exploited, using results in the lineage of Kani’s theorem to turn the published points into a route back to the secret. The break was a property of that published data, so any isogeny scheme whose security does not depend on exposing torsion-point images was outside the attack’s reach.
Source: Wouter Castryck and Thomas Decru, “An Efficient Key Recovery Attack on SIDH,” IACR ePrint 2022/975.
Why did CSIDH survive when SIDH fell?
CSIDH survived because it is a structurally different construction that never publishes the torsion-point data the attack fed on. Introduced in 2018 by Castryck, Lange, Martindale, Panny, and Renes, CSIDH (Commutative Supersingular Isogeny Diffie-Hellman) is built as a commutative group action: an ideal class group acts on a set of supersingular elliptic curves over a large prime field, and a shared secret is reached by applying secret group elements in either order to land on the same curve. Its security rests on the difficulty of recovering the secret group action from the endpoints, and it publishes only a curve as the public key, with no auxiliary points.
That difference is the whole reason CSIDH is still a live construction. It is a genuine non-interactive key exchange with very compact public keys, 64 bytes at its base parameter set, which is smaller than the lattice-based ML-KEM. The cost is speed and a subtler quantum-security question: the commutative group action is vulnerable to a sub-exponential quantum attack (Kuperberg’s algorithm for the hidden-shift problem), so CSIDH parameters have to be sized generously against that attack, which makes it slow. So CSIDH is the surviving isogeny key exchange, valued for size and mathematical diversity, weighed down by performance and an ongoing debate about how large its parameters must be.
Source: Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, Joost Renes, “CSIDH: An Efficient Post-Quantum Commutative Group Action,” ASIACRYPT 2018, IACR ePrint 2018/383.
What is CSI-FiSh, and how does the signature direction work?
CSI-FiSh is an isogeny-based digital signature scheme built on top of CSIDH, and it is the clearest example of why the signature direction outlived the key exchange. Published in 2019 by Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren, CSI-FiSh (short for CSIDH-based Fiat-Shamir signatures) turns the CSIDH group action into a signature by applying the Fiat-Shamir transform to an identification protocol, which converts a challenge-response proof of knowledge into a non-interactive signature. Its practical breakthrough was computing the exact class-group structure of CSIDH-512, a heavy one-time calculation that let the scheme sample and represent group elements efficiently, producing signatures of about 263 bytes.
The reason this construction was untouched by the 2022 attack is the same reason it works differently from SIDH. A signature proves knowledge of a secret group element by responding to a random challenge, and it never publishes torsion-point images the way SIDH’s key exchange did, so the Castryck-Decru mechanism has nothing to grip. The signature direction pays for that safety with its own costs, since CSI-FiSh’s reliance on the precomputed CSIDH-512 class group ties it to a particular parameter set and inherits CSIDH’s quantum-security debate, but it stands as a working isogeny signature where SIDH’s key exchange does not.
Source: Ward Beullens, Thorsten Kleinjung, Frederik Vercauteren, “CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations,” ASIACRYPT 2019, IACR ePrint 2019/498.
Where does SQIsign fit in the surviving landscape?
SQIsign is the isogeny signature that carried the field’s momentum into NIST’s standardization pipeline, and it is the most important survivor for anyone tracking where isogeny cryptography could still land in a standard. SQIsign (Short Quaternion and Isogeny Signature) is built on a different isogeny foundation from CSIDH, using the correspondence between supersingular isogenies and quaternion orders (the Deuring correspondence), and it produces the smallest signatures of any candidate in NIST’s additional-signatures onramp, a fraction of the size of a lattice signature like ML-DSA. That compactness is its whole value proposition, and it is why NIST kept it in evaluation despite its slower signing and verification.
The reason SQIsign was never in the blast radius of the 2022 break is structural, the same pattern as CSI-FiSh. As a signature it proves knowledge of a secret isogeny through a Fiat-Shamir-style protocol rather than publishing the torsion-point images that doomed SIDH’s key exchange, so the Castryck-Decru attack does not apply to it. SQIsign is a research candidate rather than a deployable standard, so it belongs in the track-it column alongside the other NIST onramp signatures, and its detailed treatment lives in SQIsign. It is the clearest evidence that isogeny cryptography still has a plausible future, concentrated entirely in the signature direction.
Source: NIST, “Request for Additional PQC Digital Signature Schemes,” September 6, 2022, csrc.nist.gov/News/2022/request-additional-pqc-digital-signature-schemes.
Why did the signature direction survive while key exchange fell?
Because the vulnerability was tied to a feature the key exchange needed and the signatures never used. SIDH’s Diffie-Hellman structure required both parties to publish auxiliary torsion-point images so their independent secret walks could converge on a shared curve, and that published data was the exact surface the attack exploited. A signature has no such requirement. It proves possession of a secret isogeny by answering a random challenge, so the secret walk is demonstrated without ever exposing the torsion-point images, which removes the attack’s foothold entirely.
The split is worth stating precisely because it is easy to overgeneralize. The 2022 result did not prove that isogeny cryptography is unsound; it proved that publishing torsion-point data the way SIDH did is unsound. The surviving schemes rest on isogeny problems that do not leak that data:
| Scheme | Type | Foundation | Exposed to the 2022 attack? |
|---|---|---|---|
| SIDH / SIKE | Key exchange / KEM | Supersingular isogeny with published torsion points | Yes, broken and withdrawn |
| CSIDH | Key exchange (group action) | Commutative class-group action, no auxiliary points | No |
| CSI-FiSh | Signature | CSIDH group action via Fiat-Shamir | No |
| SQIsign | Signature | Quaternion / Deuring correspondence | No |
So the honest summary is that isogeny key exchange in the SIDH style is finished, while isogeny signatures and the group-action key exchange remain open research with real, if slower, constructions. It is also the sharpest live illustration of why the transition hedges across math families and leans on crypto-agility: a decade-old, deeply studied scheme fell to new mathematics, and the architecture that assumes another result could land is the one that stays safe.
Source: Wouter Castryck and Thomas Decru, “An Efficient Key Recovery Attack on SIDH,” IACR ePrint 2022/975.
Common misconceptions
- “The 2022 attack killed all isogeny cryptography.” It broke SIDH/SIKE specifically, by exploiting the torsion-point data that key exchange published. CSIDH, CSI-FiSh, and SQIsign rest on isogeny problems that do not expose that data and were untouched.
- “CSIDH is just a patched version of SIDH.” They are different constructions. CSIDH is a commutative group action with no auxiliary torsion points, while SIDH published those points to make its Diffie-Hellman work, which is the exact difference that mattered.
- “Isogeny signatures are as broken as isogeny key exchange.” Signatures prove knowledge of a secret isogeny without publishing torsion-point images, so the Castryck-Decru attack does not apply. CSI-FiSh and SQIsign are working signature schemes.
- “An isogeny algorithm is in the NIST standards.” None of the finalized NIST-standardized algorithms is isogeny-based. SQIsign is under evaluation in the additional-signatures onramp, which is a research track rather than a published standard.
- “CSIDH has no quantum weakness at all.” Its commutative group action is subject to a sub-exponential quantum attack (Kuperberg’s algorithm for the hidden-shift problem), so its parameters must be sized against that, which is the main reason it is slow. It has no known polynomial-time break.
Questions people ask
Is isogeny cryptography dead after the SIKE break? No, it narrowed. The 2022 break ended SIDH/SIKE, the isogeny key exchange, but CSIDH survives as a different key-exchange construction and the signature direction, CSI-FiSh and SQIsign, remains active research. None is a finalized NIST standard yet.
Why did SIDH break but SQIsign survive? SIDH published auxiliary torsion-point data to make its key exchange work, and the Castryck-Decru attack exploited exactly that data. SQIsign is a signature that proves knowledge of a secret isogeny without publishing those points, so the attack has nothing to grip.
What is CSIDH? CSIDH is a post-quantum key exchange built as a commutative group action of an ideal class group on supersingular curves over a prime field. It has very small public keys but is slow, because its parameters must be sized against a sub-exponential quantum attack on the group action.
What is CSI-FiSh? CSI-FiSh is an isogeny signature scheme built on CSIDH using the Fiat-Shamir transform, made practical by a one-time computation of the CSIDH-512 class-group structure, producing signatures of about 263 bytes.
Should I deploy any isogeny cryptography today? For production, no. None of the isogeny schemes is a finalized NIST standard, so a migration today uses the standardized algorithms (ML-KEM for key establishment, ML-DSA and SLH-DSA for signatures). SQIsign is worth tracking as a compact-signature candidate, not building on yet.
What is the broad lesson of the SIKE break for isogeny crypto? That a “post-quantum” label means resistance to the quantum attacks known today, not a guarantee against tomorrow’s mathematics. A deeply studied scheme fell to a new classical result, which is the argument for crypto-agility and for spreading the transition across multiple math families.
Everything here is the map, given freely. When your team needs to tell durable post-quantum choices from ones that only look safe, and to know which research directions are worth watching, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.