Isogeny-based cryptography
Isogeny-based cryptography builds public-key schemes on the difficulty of finding an isogeny, a structured algebraic map, between two elliptic curves. Once considered a promising post-quantum family for its very small keys, it suffered the field's most dramatic reversal: the SIDH and SIKE key-encapsulation schemes were broken by classical attacks in 2022. What remains active is narrower, slower, and still under study.
Isogenies and supersingular graphs
An isogeny is a non-constant map between two elliptic curves that preserves their group structure. For a chosen class of curves the isogenies of a fixed small degree connect them into a graph in which each curve is a node and each isogeny is an edge. Supersingular isogeny graphs over a finite field are highly connected and expand rapidly, so a walk of many steps lands on a curve that is hard to trace back to the start. The security assumption is that, given two curves known to be connected, recovering the connecting isogeny (the path through the graph) is computationally hard, including for quantum computers. Because a curve can be described very compactly, isogeny schemes advertised the smallest public keys of any post-quantum candidate, often a few hundred bytes.
SIDH and SIKE, and their 2022 break
SIDH (Supersingular Isogeny Diffie-Hellman), introduced by Jao and De Feo in 2011, adapted the Diffie-Hellman idea to these graphs. Its productized KEM, SIKE, advanced to the fourth round of the NIST standardization process as one of the remaining KEM candidates.
To make the protocol work, SIDH published extra information: the images of certain torsion points under the secret isogeny. In July 2022 Wouter Castryck and Thomas Decru showed that this auxiliary data is fatal. Their attack recovers the secret key by gluing the curves into a higher-dimensional abelian surface and detecting when a guessed isogeny is correct, running on a single classical computer in about an hour for the top SIKE parameters (Castryck and Decru, 2022). Within weeks, independent work by Maino, Martindale and coauthors generalized the attack to arbitrary starting curves (2022/1026), and Damien Robert proved a polynomial-time version using higher-dimensional isogenies (2022/1038). The break was classical, not quantum: no quantum computer was involved. SIKE was withdrawn, and the episode is a standing reminder that post-quantum candidates can fall to conventional mathematics, one reason NIST also standardized lattice, hash, and code based schemes on different assumptions.
What survives
The Castryck-Decru attack targets the published torsion point images, so isogeny constructions that do not expose that data escape it.
CSIDH (Commutative Supersingular Isogeny Diffie-Hellman), from 2018, uses a commutative group action over supersingular curves defined on the base field and does not publish torsion images (Castryck and others, 2018). It offers a genuine non-interactive key exchange with small keys and survives the 2022 attacks. Its caveats are serious: it is slow, its correct quantum security level is disputed because a quantum computer can attack the underlying hidden-shift problem subexponentially, and its parameter sizes remain contested. It is not standardized.
SQIsign is a digital signature scheme, not a KEM, derived from the deuring correspondence between isogenies and quaternion orders. Its selling point is size: signatures and public keys of a few hundred bytes each, far smaller than lattice or hash-based signatures, at the cost of slow signing and verification. SQIsign was submitted to NIST's additional-signatures onramp, the call for signature schemes beyond the original selections, and advanced to the second round of that evaluation (NIST additional signatures). It remains a research-stage design under active cryptanalysis, not a standard.
Assessment
Isogeny-based cryptography is the most cautionary of the post-quantum families. Its assumptions are younger and less battle-tested than the decoding and lattice problems, and the 2022 SIDH break showed how quickly a structured scheme can collapse once the right attack geometry is found, a fragility it shares with the Rainbow break in multivariate cryptography the same year. The compact key sizes remain attractive, so work on CSIDH and especially SQIsign continues, but any deployment should treat the family as promising and unsettled rather than mature.
Frequently asked questions
Are SIDH and SIKE still secure?
No. Both were broken by classical key-recovery attacks in 2022 that recover the private key in minutes to hours, and SIKE was withdrawn from the NIST process.
Does the SIDH break affect all isogeny cryptography?
No. The attack exploits auxiliary torsion point data specific to SIDH. CSIDH and SQIsign do not publish that data and are not broken by it, though they carry their own open questions.
Sources
- An efficient key recovery attack on SIDH (IACR ePrint (Castryck, Decru), 2022)
- A direct key recovery attack on SIDH (IACR ePrint (Maino, Martindale, Panny, Pope, Wesolowski), 2022)
- Breaking SIDH in polynomial time (IACR ePrint (Robert), 2022)
- CSIDH: An Efficient Post-Quantum Commutative Group Action (IACR ePrint (Castryck, Lange, Martindale, Panny, Renes), 2018)
- SQIsign (official site) (SQIsign team, 2023)
- Post-Quantum Cryptography: Digital Signature Schemes (additional signatures onramp) (NIST, 2023)
Cite this entry
"Isogeny-based cryptography." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/isogeny-based-cryptography@misc{pqwiki-isogeny-based-cryptography,
title = {Isogeny-based cryptography},
howpublished = {\url{https://postquantum.wiki/isogeny-based-cryptography}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}