    Optimized Method for Computing Odd-Degree Isogenies on Edwards Curves

    In this paper, we present an efficient method to compute arbitrary odd-degree isogenies on Edwards curves. By using the $w$-coordinate, we optimized the isogeny formula on Edwards curves by Moody and Shumow. We demonstrate that Edwards curves have an additional benefit when recovering the coefficient of the image curve during isogeny computation. For $\ell$-degree isogeny where $\ell = 2s+1$, our isogeny formula on Edwards curves outperforms Montgomery curves when $s \geq 2$. To better represent the performance improvements when $w$-coordinate is used, we implement CSIDH using our isogeny formula. Our implementation is about 20% faster than the previous implementation. The result of our work opens the door for the usage of Edwards curves in isogeny-based cryptography, especially for CSIDH which requires higher degree isogenies

    CSIKE-ENC Combined Encryption Scheme with Optimized Degrees of Isogeny Distribution

    For the PQC CSIDH and CSIKE algorithms, the advantages of two classes of quadratic and twisted supersingular Edwards curves over complete Edwards curves are justified. These classes form pairs of quadratic twist curves with order p + 1 ≡ 0 mod 8 over the prime field Fp and double the space of all curves in the algorithms. The randomized algorithms CSIDH and CSIKE are presented. An analysis of the degrees lk isogenies distribution is given, and an optimal distribution within the given conditions is proposed with the degree lmax = 397 instead of lmax = 587 while maintaining the number K = 74 of all degrees. A probabilistic analysis of random odd order points R was carried out, probability estimates are obtained, and it is recommended to avoid isogenies with small values of the degrees lk in algorithms. The features of the CSIKE algorithm with one public key of Bob in the problem of encapsulation by Alice of the secret key κ, which Bob calculates at the stage of decapsulation with his secret key, are considered. A CSIKE-ENC scheme for combined encryption of the key κ and message M based on two asymmetric algorithms CSIDH and CSIKE with Alice’s authentication and the well-known symmetric message encryption standard is proposed. The security aspects of the scheme are discussed

    How to Construct CSIDH on Quadratic and Twisted Edwards Curves

    In one of the famous works, an incorrect formulation and an incorrect solution of the implementation problem of the CSIDH algorithm on Edwards curves is discovered. A detailed critique of this work with a proof of the fallacy of its concept is given. Specific properties of three non-isomorphic classes of supersingular curves in the generalized Edwards form are considered: complete, quadratic, and twisted Edwards curves. Conditions for the existence of curves of all classes with the order of curves over a prime field are determined. The implementation of the CSIDH algorithm on isogenies of odd prime degrees is based on the use of quadratic twist pairs of elliptic curves. To this end, the CSIDH algorithm can be constructed both on complete Edwards curves with quadratic twist within this class, and on quadratic and twisted Edwards curves forming pairs of quadratic twist. In contrast to this, the authors of a well-known work are trying to prove theorems with statements about the existence of a solution within one class of curves with a parameter that is a square. The critical analysis of theorems, lemmas, and erroneous statements in this work is given. Theorem 2 on quadratic twist in classes of Edwards curves is proved. A modification of the CSIDH algorithm based on isogenies of quadratic and twisted Edwards curves is presented. To illustrate the correct solution of the problem, an example of Alice and Bob calculations in the secret sharing scheme according to the CSIDH algorithm is considered.

    Further Optimizations of CSIDH: A Systematic Approach to Efficient Strategies, Permutations, and Bound Vectors

    CSIDH is a recent post-quantum key establishment protocol based on constructing isogenies between supersingular elliptic curves. Several recent works give constant-time implementations of CSIDH along with some optimizations of the ideal class group action evaluation algorithm, including the SIMBA technique of Meyer et al. and the two-point method of Onuki et al. A recent work of Cervantes-Vazquez et al. details a number of improvements to the works of Meyer et al. and Onuki et al. Several of these optimizations---in particular, the choice of ordering of the primes, the choice of SIMBA partition and strategies, and the choice of bound vector which defines the secret keyspace---have been made in an ad hoc fashion, and so while they yield performance improvements it has not been clear whether these choices could be improved upon, or how to do so. In this work we present a framework for improving these optimizations using (respectively) linear programming, dynamic programming, and convex programming techniques. Our framework is applicable to any CSIDH security level, to all currently-proposed paradigms for computing the class group action, and to any choice of model for the underlying curves. Using our framework we find improved parameter sets for the two major methods of computing the group action: in the case of the implementation of Meyer et al. we obtain a 12.77% speedup without applying the further optimizations proposed by Cervantes-Vazquez et al., while for that of Cervantes-Vazquez et al. under the two-point method we obtain a speedup of 5.06%, giving the fastest constant-time implementation of CSIDH to date

    Implementation of the CSIDH Algorithm Model on Supersingular Twisted and Quadratic Edwards Curves

    The properties of twisted and quadratic supersingular Edwards curves forming pairs of quadratic torsion with the order p + 1 over the simple field Fp are considered. A modification of the CSIDH algorithm using the isogenies of these curves in replacement of the extended arithmetic of the isogenies of curves in the Montgomery form is presented. The isogeny parameters of the CSIDH algorithm model are calculated and tabulated on the basis of the theorems proved in the previous work. The example of Alice’s and Bob’s calculations according to the non-interactive Diffie-Hellman circuit, illustrating the separation of their secrets, is considered. The use of the known projective (W:Z)-coordinates for the given classes of curves provides the fastest execution of the CSIDH algorithm to date

    Modeling CSIKE Algorithm on Non-Cyclic Edwards Curves

    An original key encapsulation scheme is proposed as a modification of the CSIDH algorithm built on the isogenies of non-cyclic Edwards curves. The corresponding CSIKE algorithm uses only one public key of the recipient. A brief review of the properties of non-cyclic quadratic and twisted supersingular Edwards curves is given. We use a new scheme for modeling the CSIKE algorithm on isogenies of 4 degrees 3, 5, 7, 11 for p = 9239. In contrast to the CSIDH models of previous works, this scheme does not use precomputations and tabulation of the parameters of isogenic chains, but uses one known supersingular starting curve Ed with the parameter d = 2. Examples of calculations of isogenic chains by Alice and Bob at three stages of CSIKE operation using a randomized algorithm are given. It also proposes to abandon the calculation of the isogenic function ϕ(R) of a random point R, which significantly speeds up the algorithm

    Randomization of the CSIDH Algorithm on Quadratic and Twisted Edwards Curves

    The properties of quadratic and twisted supersingular Edwards curves that form quadratic twist pairs with order over a prime field are considered. A modification of the CSIDH algorithm based on the isogenies of these curves is presented. The parameters of these two classes of supersingular Edwards curves for are calculated and tabulated. An example of the implementation of the CSIDH algorithm as a non-interactive secret sharing scheme based on the secret and public keys of Alice and Bob is given. A new randomized CSIDH algorithm with random equiprobable selection of a curve from two classes at each step of the isogeny chain is proposed. This algorithm is proposed as an alternative to "constant time CSIDH". An estimate of the probability of a successful side channel attack in a randomized algorithm is given. It is noted that all calculations in the CSIDH algorithm necessary to calculate the common secret are reduced only to the calculation of the isogenic curve parameter and are performed by field operations, scalar multiplication and doubling the points of the isogeny kernel. In the new algorithm, it is proposed to abandon the calculation of the isogenic function of a random point, which significantly speeds up the algorithm.