    Elliptic Curves in Montgomery Form with B=1 and Their Low Order Torsion

    In this note we first characterize the class of Montgomery curves with $B=1$ by the simplicity of their transformation into short Weierstrass form and explicitly determine their torsion points of order 2 and 4. We then consider two "verifiably random" elliptic curves in the SECG standards and show that they are $B=1$ Montgomery curves that can also be simply transformed into Edwards form over their ground fields.

    The Q-curve construction for endomorphism-accelerated elliptic curves

    We give a detailed account of the use of $\mathbb{Q}$-curve reductions to construct elliptic curves over $\mathbb{F}_{p^2}$ with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when $p$ is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over $\mathbb{F}_{p^2}$ equipped with efficient endomorphisms for every $p > 3$, and exhibit examples of twist-secure curves over $\mathbb{F}_{p^2}$ for the efficient Mersenne prime $p = 2^{127}-1$. Comment: To appear in the Journal of Cryptology. arXiv admin note: text overlap with arXiv:1305.540

    Isogeny-based post-quantum key exchange protocols

    The goal of this project is to understand and analyze supersingular isogeny Diffie-Hellman (SIDH), a post-quantum key exchange protocol whose security rests on the isogeny-finding problem between supersingular elliptic curves. In order to do so, we first introduce the reader to cryptography, focusing on key agreement protocols, and motivate the rise of post-quantum cryptography as a necessity given the existence of the model of quantum computation. We review some of the known attacks on SIDH and finally study some algorithmic aspects to understand how the protocol can be implemented.

    A Generic Approach to Searching for Jacobians

    We consider the problem of finding cryptographically suitable Jacobians. By applying a probabilistic generic algorithm to compute the zeta functions of low genus curves drawn from an arbitrary family, we can search for Jacobians containing a large subgroup of prime order. For a suitable distribution of curves, the complexity is subexponential in genus 2, and $O(N^{1/12})$ in genus 3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime fields with group orders over 180 bits in size, improving previous results. Our approach is particularly effective over low-degree extension fields, where in genus 2 we find Jacobians over $\mathbb{F}_{p^2}$ and trace zero varieties over $\mathbb{F}_{p^3}$ with near-prime orders up to 372 bits in size. For $p = 2^{61}-1$, the average time to find a group with 244-bit near-prime order is under an hour on a PC. Comment: 22 pages, to appear in Mathematics of Computatio

    Efficient arithmetic on elliptic curves in characteristic 2

    We present normal forms for elliptic curves over a field of characteristic 2 analogous to Edwards normal form, and determine bases of addition laws, which provide strikingly simple expressions for the group law. We deduce efficient algorithms for point addition and scalar multiplication on these forms. The resulting algorithms apply to any elliptic curve over a field of characteristic 2 with a 4-torsion point, via an isomorphism with one of the normal forms. We deduce algorithms for duplication in time $2M + 5S + 2m_c$ and for addition of points in time $7M + 2S$, where $M$ is the cost of multiplication, $S$ the cost of squaring, and $m_c$ the cost of multiplication by a constant. By a study of the Kummer curves $\mathcal{K} = E/\{\pm 1\}$, we develop an algorithm for scalar multiplication with point recovery which computes the multiple of a point $P$ with $4M + 4S + 2m_c + m_t$ per bit, where $m_t$ is multiplication by a constant that depends on $P$.

    Post-Quantum Cryptography from Supersingular Isogenies (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)

    This paper is based on a presentation made at the RIMS conference on "Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties", so-called "Supersingular 2020". Post-quantum cryptography is a next-generation public-key cryptosystem that is resistant to cryptanalysis by both classical and quantum computers. Isogenies between supersingular elliptic curves present one promising candidate, which is called isogeny-based cryptography. In this paper, we give an introduction to two isogeny-based key exchange protocols, SIDH [17] and CSIDH [2], which are considered standard in the subject so far. Moreover, we briefly explain our recent result [24] about cycles in the isogeny graphs used in some parameters of SIKE, which is a key encapsulation mechanism based on SIDH.

    Efficient arithmetic on low-genus curves


    Families of fast elliptic curves from Q-curves

    We construct new families of elliptic curves over $\mathbb{F}_{p^2}$ with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant-Lambert-Vanstone (GLV) and Galbraith-Lin-Scott (GLS) endomorphisms. Our construction is based on reducing $\mathbb{Q}$-curves (curves over quadratic number fields without complex multiplication, but with isogenies to their Galois conjugates) modulo inert primes. As a first application of the general theory we construct, for every $p > 3$, two one-parameter families of elliptic curves over $\mathbb{F}_{p^2}$ equipped with endomorphisms that are faster than doubling. Like GLS (which appears as a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when $p$ is fixed. Unlike GLS, we also offer the possibility of constructing twist-secure curves. Among our examples are prime-order curves equipped with fast endomorphisms, with almost-prime-order twists, over $\mathbb{F}_{p^2}$ for $p = 2^{127}-1$ and $p = 2^{255}-19$.

    Optimizations of Isogeny-based Key Exchange

    Supersingular Isogeny Diffie-Hellman (SIDH) is a key exchange scheme that is believed to be quantum-resistant. It is based on the difficulty of finding a certain isogeny between given elliptic curves. Over the last nine years, optimizations have been proposed that significantly increased the performance of its implementations. Today, SIDH is a promising candidate in the US National Institute of Standards and Technology's (NIST's) post-quantum cryptography standardization process. This work is a self-contained introduction to the active research on SIDH from a high-level, algorithmic lens. After an introduction to elliptic curves and SIDH itself, we describe the mathematical and algorithmic building blocks of the fastest known implementations. Regarding elliptic curves, we describe which algorithms, data structures and trade-offs regarding elliptic curve arithmetic and isogeny computations exist and quantify their runtime cost in field operations. These findings are then tailored to the situation of SIDH. As a result, we give efficient algorithms for the performance-critical parts of the protocol.