An efficient post-quantum KEM from CSIDH

Abstract The SIDH and CSIDH are now the two most well-known post-quantum key exchange protocols from the supersingular isogeny-based cryptography, which have attracted much attention in recent years and served as the building blocks of other supersingular isogeny-based cryptographic schemes. The famous SIKE is a post-quantum key encapsulation mechanism (KEM) constructed on the SIDH, motivated by which, this article presents a new post-quantum KEM-based on the CSIDH, which is thereby named as CSIKE. The presented CSIKE has much higher computation efficiency in the decapsulation part by involving an additional tag in the encapsulation results. The new CSIKE is formally proved to be IND-CCA secure under the standard isogeny-based quantum resistant security assumption. Moreover, by comparing the new CSIKE with the only two existing CSIDH-based KEM schemes, i.e., CSIDH-PSEC-KEM and CSIDH-ECIES-KEM, it can be easily found that the new CSIKE has a slightly longer encapsulation size than CSIDH-PSEC-KEM and CSIDH-ECIES-KEM, but (i) it beats the CSIDH-PSEC-KEM by the improvement of approximately 50% in decapsulation speed, and (ii) it has a certain advantage over the CSIDH-ECIES-KEM in security since in the random oracle model, the security proof for CSIDH-ECIES-KEM needs to rely on the stronger CSI-GDH assumption, while the new CSIKE just needs to rely on the basic CSI-CDH assumption.