2019.06.19 11:11:18 (1141272231382794242) from Daniel J. Bernstein, replying to "Steven Galbraith (@EllipticKiwi)" (1141164379829751810):
The literature has plausible physical architectures for getting to a huge number of qubits. It doesn't have plausible physical architectures for low-cost fault-tolerant quantum access to large arrays. See, e.g., https://arxiv.org/pdf/1502.03450.pdf, which Peikert's paper simply ignores.
2019.06.19 03:58:19 (1141163269387776001) from "Steven Galbraith (@EllipticKiwi)":
I have not fully checked the new paper by @ChrisPeikert on Kuperberg, but the results are v interesting. The quantum hardness of CSIDH relies mostly on the high cost of the quantum circuit for group operation. So CSIDH still seems safe.
2019.06.19 04:02:44 (1141164379829751810) from "Steven Galbraith (@EllipticKiwi)", replying to "Steven Galbraith (@EllipticKiwi)" (1141163269387776001):
See https://eprint.iacr.org/2018/1059 for analysis of the quantum circuit. A possible future world has quantum computers of scale to run Shor on thousand bit numbers but still far from being able to compute CSIDH oracle. Other possible futures exist.