8 research outputs found

    How to Construct CSIDH on Edwards Curves

    CSIDH is an isogeny-based key exchange protocol proposed by Castryck et al. in 2018. It is based on the ideal class group action on $\mathbb{F}_p$-isomorphism classes of Montgomery curves. The original CSIDH algorithm requires a calculation over $\mathbb{F}_p$ by representing points by their $x$-coordinate on Montgomery curves. There is a special coordinate on Edwards curves (the $w$-coordinate) to calculate group operations and isogenies. If we try to calculate the class group action on Edwards curves by using the $w$-coordinate in a similar way as on Montgomery curves, we have to consider points defined over $\mathbb{F}_{p^4}$. Therefore, it is not a trivial task to calculate the class group action on Edwards curves with $w$-coordinates over only $\mathbb{F}_p$. In this paper, we prove some theorems about the properties of Edwards curves. By these theorems, we construct the new CSIDH algorithm on Edwards curves with $w$-coordinates over $\mathbb{F}_p$. This algorithm is as fast as (or a little bit faster than) the algorithm proposed by Meyer and Reith. This paper is an extended version of [25]. We added the construction of a technique similar to Elligator on Edwards curves. This technique contributes to the efficiency of the constant-time CSIDH algorithm. We also added the construction of new formulas to compute isogenies in $\tilde{O}(\sqrt{\ell})$ time on Edwards curves. It is based on formulas on Montgomery curves proposed by Bernstein et al. (√élu's formulas). In our analysis, these formulas on Edwards curves are a little bit faster than those on Montgomery curves.

    CSIKE-ENC Combined Encryption Scheme with Optimized Degrees of Isogeny Distribution

    For the PQC CSIDH and CSIKE algorithms, the advantages of two classes of quadratic and twisted supersingular Edwards curves over complete Edwards curves are justified. These classes form pairs of quadratic twist curves with order p + 1 ≡ 0 mod 8 over the prime field Fp and double the space of all curves in the algorithms. The randomized algorithms CSIDH and CSIKE are presented. An analysis of the distribution of the isogeny degrees lk is given, and an optimal distribution within the given conditions is proposed with the degree lmax = 397 instead of lmax = 587 while maintaining the number K = 74 of all degrees. A probabilistic analysis of random odd order points R was carried out, probability estimates are obtained, and it is recommended to avoid isogenies with small values of the degrees lk in algorithms. The features of the CSIKE algorithm with one public key of Bob in the problem of encapsulation by Alice of the secret key κ, which Bob calculates at the stage of decapsulation with his secret key, are considered. A CSIKE-ENC scheme for combined encryption of the key κ and message M based on two asymmetric algorithms CSIDH and CSIKE with Alice’s authentication and the well-known symmetric message encryption standard is proposed. The security aspects of the scheme are discussed.

    How to Construct CSIDH on Quadratic and Twisted Edwards Curves

    In one of the famous works, an incorrect formulation and an incorrect solution of the implementation problem of the CSIDH algorithm on Edwards curves is discovered. A detailed critique of this work with a proof of the fallacy of its concept is given. Specific properties of three non-isomorphic classes of supersingular curves in the generalized Edwards form are considered: complete, quadratic, and twisted Edwards curves. Conditions for the existence of curves of all classes with the order of curves over a prime field are determined. The implementation of the CSIDH algorithm on isogenies of odd prime degrees is based on the use of quadratic twist pairs of elliptic curves. To this end, the CSIDH algorithm can be constructed both on complete Edwards curves with quadratic twist within this class, and on quadratic and twisted Edwards curves forming pairs of quadratic twist. In contrast to this, the authors of a well-known work try to prove theorems stating the existence of a solution within one class of curves with a parameter that is a square. A critical analysis of theorems, lemmas, and erroneous statements in this work is given. Theorem 2 on quadratic twist in classes of Edwards curves is proved. A modification of the CSIDH algorithm based on isogenies of quadratic and twisted Edwards curves is presented. To illustrate the correct solution of the problem, an example of Alice and Bob calculations in the secret sharing scheme according to the CSIDH algorithm is considered.

    The Generalized Montgomery Coordinate: A New Computational Tool for Isogeny-based Cryptography

    Recently, some studies have constructed one-coordinate arithmetics on elliptic curves. For example, formulas of the 𝑥-coordinate of Montgomery curves, 𝑥-coordinate of Montgomery⁻ curves, 𝑤-coordinate of Edwards curves, 𝑤-coordinate of Huff’s curves, 𝜔-coordinates of twisted Jacobi intersections have been proposed. These formulas are useful for isogeny-based cryptography because of their compactness and efficiency. In this paper, we define a novel function on elliptic curves called the generalized Montgomery coordinate that has the five coordinates described above as special cases. For a generalized Montgomery coordinate, we construct an explicit formula of scalar multiplication that includes the division polynomial, and both a formula of an image point under an isogeny and that of a coefficient of the codomain curve. Finally, we present two applications of the theory of a generalized Montgomery coordinate. The first one is the construction of a new efficient formula to compute isogenies on Montgomery curves. This formula is more efficient than the previous one for high degree isogenies as the √élu’s formula in our implementation. The second one is the construction of a new generalized Montgomery coordinate for Montgomery⁻ curves used for CSURF.

    $L_1$-Norm Ball for CSIDH: Optimal Strategy for Choosing the Secret Key Space

    Isogeny-based cryptography is a kind of post-quantum cryptography whose security relies on the hardness of an isogeny problem over elliptic curves. In this paper, we study CSIDH, which is an isogeny-based cryptosystem presented by Castryck et al. at Asiacrypt 2018. In CSIDH, the secret key is taken from an $L_\infty$-norm ball of integer vectors and the public key is generated by calculating the action of an ideal class corresponding to a secret key. For faster key exchange, it is important to accelerate the algorithm calculating the action of the ideal class group, and many such approaches have been studied recently. Several papers showed that CSIDH becomes more efficient when the secret key space is changed to a weighted $L_\infty$-norm ball. In this paper, we revisit the approach and try to find an optimal secret key space which minimizes the computational cost of the group action. At first, we obtain an optimal secret key space by analyzing the computational cost of CSIDH with respect to the number of operations on $\mathbb{F}_p$. Since the optimal key space is too complicated to sample a secret key uniformly, we approximate the optimal key space by using an $L_1$-norm ball and propose algorithms for uniform sampling with some precomputed table. By experiment with CSIDH-512, we show that the computational cost of the $L_1$-norm ball is reduced by about 20% compared to that of the $L_\infty$-norm ball, using a precomputed table of 160 Kbytes. The cost is only 1.08 times the cost of the optimal secret key space. Finally, we also discuss possible sampling algorithms using other norm balls and their efficiency.