This Haskell code simulates and benchmarks a generalization of Kuperberg's quantum collimation sieve algorithm for arbitrary cyclic groups. We have used it to estimate the quantum (in)security of CSIDH ("Commutative SIDH"), a proposed "post quantum" drop-in replacement for noninteractive Diffie-Hellman-style key agreement and encryption. See our paper for further details.
-
Make sure you have a recent version of Haskell stack installed. (Warning: pre-1.0 versions of stack will crash with a parsing error.)
-
Clone this repository and do
stack build. Go have a hot chocolate while several packages build (just this one time).
-
Run the sieve with
stack run <log N> <log L> <log S> [threshold]where
Nis the group order (uselog N=0for the exact CSIDH-512 group order),Lis the desired phase vector length,Sis the desired range size, andthreshold < 1(optional, defaults to 0.25) is the factor that determines whether a phase vector is too short (i.e., any vector shorter thanthreshold * Lis discarded). -
Small parameters like
log N=150,log L=16,log S=16will cause the sieve to finish relatively quickly (and use relatively little memory), and will give you an idea of how it works and how to interpret the output. -
stack runwill use as many CPU cores as it deems appropriate, which may not give the best performance. To specify the number of cores and other options, usestack execwith RTS options. (Caution:stack runsilently ignores RTS options!) For example,stack exec -- collimation-sieve-exe <args> +RTS -N4 -s -RTSruns on 4 cores, and outputs various memory and garbage-collection statistics at the end.
-
WARNING: a length limit in Haskell's
vectorpackage effectively imposes a length limit of 2^30 on the sieve's vectors, so the sieve will not run reliably forlog L >= 26unlessthresholdis increased somewhat, e.g., to0.4(and even this is not a guarantee). We are working on a tweak to address this, but in any case note thatlog L >= 26can use 100 GB of RAM or more.