soft3/mudra/dCTIDH.md

dCTIDH

optimized constant-time implementation of CSIDH (Commutative Supersingular Isogeny Diffie-Hellman). a non-interactive key exchange primitive with conjectured post-quantum security.

mechanism

a class group acts on supersingular elliptic curves over a prime field F_p. each party's secret key is a vector of integer exponents; the public key is the resulting curve.

Setup:
  E₀: supersingular elliptic curve over F_p
  Class group action: [a] · E₀ = E_a    (secret isogeny)

Alice:  secret a → public E_a = [a] · E₀
Bob:    secret b → public E_b = [b] · E₀

Shared secret:
  Alice computes: [a] · E_b = [a] · [b] · E₀
  Bob computes:   [b] · E_a = [b] · [a] · E₀

  [a]·[b]·E₀ = [b]·[a]·E₀               commutativity

commutativity is the key property: the class group action commutes, so both parties arrive at the same curve without exchanging messages. this is non-interactive key exchange (NIKE).

why dCTIDH over CSIDH

the original CSIDH implementation leaks timing information through variable-time isogeny computation. dCTIDH uses dummy isogenies and constant-time arithmetic to resist side-channel attacks. "d" stands for dummy-free (using a division-based approach), "CT" for constant-time.

parameters

variant classical security public key size status
dCTIDH-512 ~64 bit 64 bytes research
dCTIDH-1024 ~128 bit 128 bytes research
dCTIDH-2048 ~256 bit 256 bytes research

public keys are remarkably compact compared to lattice-based schemes (ML-KEM public keys are 800-1568 bytes).

applications in cyber

  • stealth addresses: sender creates a cyberlink detectable and decryptable only by the intended recipient, without prior communication
  • non-interactive key exchange: two neurons derive a shared secret from public graph data, no message round-trip needed
  • anonymous channels: the shared secret reveals nothing about which neurons communicate

tradeoffs

  • slower than lattice KEM (~5x for dCTIDH-2048 vs ML-KEM)
  • the isogeny assumption is less studied than lattice assumptions — SIDH was broken in 2022, though CSIDH survived those attacks
  • active research area, not yet standardized

see crypto/key-exchange, crypto/encryption, crypto/quantum, cryptography

Graph