Computing 22-isogenies between Kummer lines

We use theta groups to study $2$-isogenies between Kummer lines, with a particular focus on the Montgomery model. This allows us to recover known formula, along with more efficient forms for translated isogenies, which require only $2S+2m_0$ for evaluation. We leverage these translated isogenies to build a hybrid ladder for scalar multiplication on Montgomery curves with rational $2$-torsion which cost $3M+6S+2m_0$ by bits, compared to $5M+4S+1m_0$ for the standard Montgomery ladder

The Generalized Montgomery Coordinate:A New Computational Tool for Isogeny-based Cryptography

Recently, some studies have constructed one-coordinate arithmetics on elliptic curves. For example, formulas of the 𝑥-coordinate of Montgomery curves, 𝑥-coordinate of Montgomery− curves, 𝑤-coordinate of Edwards curves, 𝑤-coordinate of Huff’s curves, 𝜔-coordinates of twisted Jacobi intersections have been proposed. These formulas are useful for isogeny-based cryptography because of their compactness and efficiency. In this paper, we define a novel function on elliptic curves called the generalized Montgomery coordinate that has the five coordinates described above as special cases. For a generalized Montgomery coordinate, we construct an explicit formula of scalar multiplication that includes the division polynomial, and both a formula of an image point under an isogeny and that of a coefficient of the codomain curve. Finally, we present two applications of the theory of a generalized Montgomery coordinate. The first one is the construction of a new efficient formula to compute isogenies on Montgomery curves. This formula is more efficient than the previous one for high degree isogenies as the√élu’s formula in our implementation. The second one is the construction of a new generalized Montgomery coordinate for Montgomery−curves used for CSURF

Fast algorithms for computing isogenies between ordinary elliptic curves in small characteristic

The problem of computing an explicit isogeny between two given elliptic curves over F_q, originally motivated by point counting, has recently awaken new interest in the cryptology community thanks to the works of Teske and Rostovstev & Stolbunov. While the large characteristic case is well understood, only suboptimal algorithms are known in small characteristic; they are due to Couveignes, Lercier, Lercier & Joux and Lercier & Sirvent. In this paper we discuss the differences between them and run some comparative experiments. We also present the first complete implementation of Couveignes' second algorithm and present improvements that make it the algorithm having the best asymptotic complexity in the degree of the isogeny.Comment: 21 pages, 6 figures, 1 table. Submitted to J. Number Theor

Complete Analysis of Implementing Isogeny-based Cryptography using Huff Form of Elliptic Curves

In this paper, we present the analysis of Huff curves for implementing isogeny-based cryptography. In this regard, we first investigate the computational cost of the building blocks when compression functions are used for Huff curves. We also apply the square-root V\\u27elu formula on Huff curves and present a new formula for recovering the coefficient of the curve, from a given point on a Huff curve. From our implementation, the performance of Huff-SIDH and Montgomery-SIDH is almost the same, and the performance of Huff-CSIDH is 6\% faster than Montgomery-CSIDH. We further optimized Huff-CSIDH by exploiting Edwards curves for computing the coefficient of the image curve and present the Huff-Edwards hybrid model. As a result, the performance of Huff-Edwards CSIDH is almost the same as Montgomery-Edwards CSIDH. The result of our work shows that Huff curves can be quite practical for implementing isogeny-based cryptography but has some limitations

How to Construct CSIDH on Edwards Curves

CSIDH is an isogeny-based key exchange protocol proposed by Castryck \textit{et al.} in 2018. It is based on the ideal class group action on $\mathbb{F}_p$-isomorphism classes of Montgomery curves. The original CSIDH algorithm requires a calculation over $\mathbb{F}_p$ by representing points as $x$-coordinate over Montgomery curves. There is a special coordinate on Edwards curves (the $w$-coordinate) to calculate group operations and isogenies. If we try to calculate the class group action on Edwards curves by using the $w$-coordinate in a similar way on Montgomery curves, we have to consider points defined over $\mathbb{F}_{p^4}$. Therefore, it is not a trivial task to calculate the class group action on Edwards curves with $w$-coordinates over only $\mathbb{F}_p$. In this paper, we prove some theorems about the properties of Edwards curves. By these theorems, we construct the new CSIDH algorithm on Edwards curves with $w$-coordinates over $\mathbb{F}_p$. This algorithm is as fast as (or a little bit faster than) the algorithm proposed by Meyer and Reith. This paper is an extend version of [25]. We added the construction of a technique similar to Elligator on Edwards curves. This technique contributes the efficiency of the constant-time CSIDH algorithm. We also added the construction of new formulas to compute isogenies in $\tilde{O}(\sqrt{\ell})$ times on Edwards curves. It is based on formulas on Montgomery curves proposed by Bernstein \textit{et al.} ($\sqrt{\vphantom{2}}$élu\u27s formulas). In our analysis, these formulas on Edwards curves is a little bit faster than those on Montgomery curves

Radical Isogenies on Montgomery Curves

We work on some open problems in radical isogenies. Radical isogenies are formulas to compute chains of $N$-isogenies for small $N$ and proposed by Castryck, Decru, and Vercauteren in Asiacrypt 2020. These formulas do not need to generate a point of order $N$ generating the kernel and accelerate some isogeny-based cryptosystems like CSIDH. On the other hand, since these formulas use Tate normal forms, these need to transform Tate normal forms to curves with efficient arithmetic, e.g., Montgomery curves. In this paper, we propose radical-isogeny formulas of degrees 3 and 4 on Montgomery curves. Our formulas compute some values determining Montgomery curves, from which one can efficiently recover Montgomery coefficients. And our formulas are more efficient for some cryptosystems than the original radical isogenies. In addition, we prove a conjecture left open by Castryck et al. that relates to radical isogenies of degree 4

How to compute an isogeny on the extended Jacobi quartic curves?

Computing isogenies between elliptic curves is a significantpart of post-quantum cryptography with many practicalapplications (for example, in SIDH, SIKE, B-SIDH, or CSIDHalgorithms). Comparing to other post-quantum algorithms, themain advantages of these protocols are smaller keys, the similaridea as in the ECDH, and a large basis of expertise aboutelliptic curves. The main disadvantage of the isogeny-basedcryptosystems is their computational efficiency - they are slowerthan other post-quantum algorithms (e.g., lattice-based). That iswhy so much effort has been put into improving the hithertoknown methods of computing isogenies between elliptic curves.In this paper, we present new formulas for computing isogeniesbetween elliptic curves in the extended Jacobi quartic formwith two methods: by transforming such curves into the shortWeierstrass model, computing an isogeny in this form and thentransforming back into an initial model or by computing anisogeny directly between two extended Jacobi quartics

How to compute an isogeny on the extended Jacobi quartic curves?

Computing isogenies between elliptic curves is a significantpart of post-quantum cryptography with many practicalapplications (for example, in SIDH, SIKE, B-SIDH, or CSIDHalgorithms). Comparing to other post-quantum algorithms, themain advantages of these protocols are smaller keys, the similaridea as in the ECDH, and a large basis of expertise aboutelliptic curves. The main disadvantage of the isogeny-basedcryptosystems is their computational efficiency - they are slowerthan other post-quantum algorithms (e.g., lattice-based). That iswhy so much effort has been put into improving the hithertoknown methods of computing isogenies between elliptic curves.In this paper, we present new formulas for computing isogeniesbetween elliptic curves in the extended Jacobi quartic formwith two methods: by transforming such curves into the shortWeierstrass model, computing an isogeny in this form and thentransforming back into an initial model or by computing anisogeny directly between two extended Jacobi quartics

Computing supersingular isogenies on Kummer surfaces

We apply Scholten\u27s construction to give explicit isogenies between the Weil restriction of supersingular Montgomery curves with full rational 2-torsion over $GF(p^2)$ and corresponding abelian surfaces over $GF(p)$. Subsequently, we show that isogeny-based public key cryptography can exploit the fast Kummer surface arithmetic that arises from the theory of theta functions. In particular, we show that chains of 2-isogenies between elliptic curves can instead be computed as chains of Richelot (2,2)-isogenies between Kummer surfaces. This gives rise to new possibilities for efficient supersingular isogeny-based cryptography

The Generalized Montgomery Coordinate: A New Computational Tool for Isogeny-based Cryptography

Recently, some studies have constructed one-coordinate arithmetics on elliptic curves. For example, formulas of the $x$-coordinate of Montgomery curves, $x$-coordinate of Montgomery$^-$ curves, $w$-coordinate of Edwards curves, $w$-coordinate of Huff\u27s curves, $\omega$-coordinates of twisted Jacobi intersections have been proposed. These formulas are useful for isogeny-based cryptography because of their compactness and efficiency. In this paper, we define a novel function on elliptic curves called the generalized Montgomery coordinate that has the five coordinates described above as special cases. For a generalized Montgomery coordinate, we construct an explicit formula of scalar multiplication that includes the division polynomial, and both a formula of an image point under an isogeny and that of a coefficient of the codomain curve. Finally, we present two applications of the theory of a generalized Montgomery coordinate. The first one is the construction of a new efficient formula to compute isogenies on Montgomery curves. This formula is more efficient than the previous one for high degree isogenies as the $\sqrt{\vphantom{2}}$\\u27{e}lu\u27s formula in our implementation. The second one is the construction of a new generalized Montgomery coordinate for Montgomery$^-$ curves used for CSURF