[curves] SIDH

Trevor Perrin trevp at trevp.net
Fri Apr 29 11:20:09 PDT 2016

This looks interesting:


As I understand it, it's an elliptic curve approach to post-quantum security.

Some advertised benefits:

 - Gives a DH function and apparently allows reuse of DH keypairs
(e.g. ephemeral-static DH, static-static DH), so allows protocols
similar to current ECDH (though the public-key validation to make this
safe roughly doubles the cost of the DH).

 - There's a hybrid mode where a more traditional ECDH is integrated
(though I'm not sure whether this is significantly better than just
performing a 25519 or something alongside the SIDH, and hashing the

Reasonable-sized keys (< 1KB).  Performance seems a couple orders of
magnitude above a well-optimized 25519, but that's not horrible for
some cases.  And perhaps there's room for more optimization?


More information about the Curves mailing list