The cr.yp.to microblog: 2019.06.18 23:55:54

2019.06.18 23:55:54 (1141102259712999429) from Daniel J. Bernstein, replying to "hannoπŸ’‰πŸ’‰πŸ’‰πŸ’‰ (@hanno)" (1141096846045171712):

No, CSIDH is fine. All known attacks are exponential in n^(1/2+o(1)), and the question is simply how big the o(1) is. For CSIDH-512 in particular, the new paper is claiming a total of 2^56 qubit operations, but this is under very optimistic assumptions for the attacker.

Context

2019.06.18 22:41:37 (1141083566731698176) from "Chris Peikert (@ChrisPeikert)":

🚨 NEW PAPER cryptanalyzing CSIDH using Kuperberg's quantum "collimation sieve." Bottom line: CSIDH-512 key recovery with only, e.g., ~2^16 quantum group-action evaluations and ~2^40 q-accessible classical memory. Paper: http://web.eecs.umich.edu/~cpeikert/pubs/csidh-sieve.pdf Code: https://github.com/cpeikert/CollimationSieve

2019.06.18 23:34:23 (1141096846045171712) from "hannoπŸ’‰πŸ’‰πŸ’‰πŸ’‰ (@hanno)":

Am I translating this right as "CSIDH is dead"? and does this have implications for other isogeny-based systems? https://twitter.com/ChrisPeikert/status/1141083566731698176