126 research outputs found

    Modeling of 3- and 5-Isogenies of Supersingular Edwards Curves

    An analysis is made of the properties and conditions for the existence of 3- and 5-isogenies of complete and quadratic supersingular Edwards curves. For the encapsulation of keys based on the SIDH algorithm, it is proposed to use isogeny of minimal odd 3 and 5 degrees, which allows bypassing the problem of singular points of the 2nd and 4th orders, characteristic of 2-isogenies. A review of the main properties of the classes of complete, quadratic and twisted Edwards curves over a simple field is given. Formulas for the isogeny of odd degrees are reduced to a form adapted to curves in Weierstrass form. To do this, the modified law of addition of curve points in the generalized Edwards form is used, which preserves the horizontal symmetry of the curve’s return points. Examples of the calculation of 3- and 5-isogenies of complete Edwards supersingular curves over small simple fields are given, and the properties of the isogeny composition for computing isogenies with large-order kernels are discussed. Formulas of upper bounds for the complexity of computing isogeny of odd degrees 3 and 5 in the classes of complete and quadratic Edwards curves in projective coordinates are obtained. Algorithms for calculating 3- and 5-isogenies of Edwards curves with complexity and 12M+5S, respectively, are constructed. The conditions for the existence of supersingular complete and quadratic Edwards curves of the order $4\cdot 3^m\cdot 5^n$ and $8\cdot 3^m\cdot 5^n$ are found. Some parameters of the cryptosystem were determined during the implementation of the SIDH algorithm at the quantum security level of 128 bits

    3- and 5-Isogenies of Supersingular Edwards Curves

    An analysis is made of the properties and conditions for the existence of 3- and 5-isogenies of complete and quadratic supersingular Edwards curves. For the encapsulation of keys based on the SIDH algorithm, it is proposed to use isogeny of minimal odd degrees 3 and 5, which allows bypassing the problem of singular points of the 2nd and 4th orders, characteristic of 2-isogenies. A review of the main properties of the classes of complete, quadratic, and twisted Edwards curves over a simple field is given. Equations for the isogeny of odd degrees are reduced to a form adapted to curves in the form of Weierstrass. To do this, use the modified law of addition of curve points in the generalized Edwards form, which preserves the horizontal symmetry of the curve return points. Examples of the calculation of 3- and 5-isogenies of complete Edwards supersingular curves over small simple fields are given, and the properties of the isogeny composition for their calculation with large-order kernels are discussed. Equations are obtained for upper complexity estimates for computing isogeny of odd degrees 3 and 5 in the classes of complete and quadratic Edwards curves in projective coordinates; algorithms are constructed for calculating 3- and 5-isogenies of Edwards curves with complexity 6M + 4S and 12M + 5S, respectively. The conditions for the existence of supersingular complete and quadratic Edwards curves of order $4\cdot 3^m\cdot 5^n$ and $8\cdot 3^m\cdot 5^n$ are found. Some parameters of the cryptosystem are determined when implementing the SIDH algorithm at the level of quantum security of 128 bits

    Modeling CSIKE Algorithm on Non-Cyclic Edwards Curves

    An original key encapsulation scheme is proposed as a modification of the CSIDH algorithm built on the isogenies of non-cyclic Edwards curves. The corresponding CSIKE algorithm uses only one public key of the recipient. A brief review of the properties of non-cyclic quadratic and twisted supersingular Edwards curves is given. We use a new scheme for modeling the CSIKE algorithm on isogenies of 4 degrees 3, 5, 7, 11 for p = 9239. In contrast to the CSIDH models of previous works, this scheme does not use precomputations and tabulation of the parameters of isogenic chains, but uses one known supersingular starting curve Ed with the parameter d = 2. Examples of calculations of isogenic chains by Alice and Bob at three stages of CSIKE operation using a randomized algorithm are given. It also proposes to abandon the calculation of the isogenic function ϕ(R) of a random point R, which significantly speeds up the algorithm

    On isogeny classes of Edwards curves over finite fields

    We count the number of isogeny classes of Edwards curves over finite fields, answering a question recently posed by Rezaeian and Shparlinski. We also show that each isogeny class contains a \emph{complete} Edwards curve, and that an Edwards curve is isogenous to an \emph{original} Edwards curve over $\mathbb{F}_q$ if and only if its group order is divisible by 8 if $q \equiv -1 \pmod{4}$, and 16 if $q \equiv 1 \pmod{4}$. Furthermore, we give formulae for the proportion of $d \in \mathbb{F}_q \setminus \{0,1\}$ for which the Edwards curve $E_d$ is complete or original, relative to the total number of $d$ in each isogeny class. Comment: 27 page

    Optimizations of Isogeny-based Key Exchange

    Supersingular Isogeny Diffie-Hellman (SIDH) is a key exchange scheme that is believed to be quantum-resistant. It is based on the difficulty of finding a certain isogeny between given elliptic curves. Over the last nine years, optimizations have been proposed that significantly increased the performance of its implementations. Today, SIDH is a promising candidate in the US National Institute for Standards and Technology’s (NIST’s) post-quantum cryptography standardization process. This work is a self-contained introduction to the active research on SIDH from a high-level, algorithmic lens. After an introduction to elliptic curves and SIDH itself, we describe the mathematical and algorithmic building blocks of the fastest known implementations. Regarding elliptic curves, we describe which algorithms, data structures and trade-offs regarding elliptic curve arithmetic and isogeny computations exist and quantify their runtime cost in field operations. These findings are then tailored to the situation of SIDH. As a result, we give efficient algorithms for the performance-critical parts of the protocol

    The Generalized Montgomery Coordinate: A New Computational Tool for Isogeny-based Cryptography

    Recently, some studies have constructed one-coordinate arithmetics on elliptic curves. For example, formulas of the 𝑥-coordinate of Montgomery curves, 𝑥-coordinate of Montgomery$^-$ curves, 𝑤-coordinate of Edwards curves, 𝑤-coordinate of Huff’s curves, 𝜔-coordinates of twisted Jacobi intersections have been proposed. These formulas are useful for isogeny-based cryptography because of their compactness and efficiency. In this paper, we define a novel function on elliptic curves called the generalized Montgomery coordinate that has the five coordinates described above as special cases. For a generalized Montgomery coordinate, we construct an explicit formula of scalar multiplication that includes the division polynomial, and both a formula of an image point under an isogeny and that of a coefficient of the codomain curve. Finally, we present two applications of the theory of a generalized Montgomery coordinate. The first one is the construction of a new efficient formula to compute isogenies on Montgomery curves. This formula is more efficient than the previous one for high degree isogenies as the √élu’s formula in our implementation. The second one is the construction of a new generalized Montgomery coordinate for Montgomery$^-$ curves used for CSURF

    Computing cardinalities of Q-curve reductions over finite fields

    We present a specialized point-counting algorithm for a class of elliptic curves over $\mathbb{F}_{p^2}$ that includes reductions of quadratic Q-curves modulo inert primes and, more generally, any elliptic curve over $\mathbb{F}_{p^2}$ with a low-degree isogeny to its Galois conjugate curve. These curves have interesting cryptographic applications. Our algorithm is a variant of the Schoof--Elkies--Atkin (SEA) algorithm, but with a new, lower-degree endomorphism in place of Frobenius. While it has the same asymptotic complexity as SEA, our algorithm is much faster in practice. Comment: To appear in the proceedings of ANTS-XII. Added acknowledgement of Drew Sutherlan