CSIDH on the Surface

For primes p equivalent to 3 mod 4, we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ring Z[(1 + root-p)/2], amounts to just a few sign switches in the underlying arithmetic. If p equivalent to 7 mod 8 then horizontal 2-isogenies can be used to help compute the class group action. The formulas we derive for these 2-isogenies are very efficient (they basically amount to a single exponentiation in F-p) and allow for a noticeable speed-up, e.g., our resulting CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This improvement is completely orthogonal to all previous speedups, constant-time measures and construction of cryptographic primitives that have appeared in the literature so far. At the same time, moving to the surface gets rid of the redundant factor Z(3) of the acting ideal-class group, which is present in the case of CSIDH and offers no extra security.