On isogeny classes of Edwards curves over finite fields

We count the number of isogeny classes of Edwards curves over finite fields, answering a question recently posed by Rezaeian and Shparlinski. We also show that each isogeny class contains a {\em complete} Edwards curve, and that an Edwards curve is isogenous to an {\em original} Edwards curve over \F_q if and only if its group order is divisible by 8 if $q \equiv -1 \pmod{4}$, and 16 if $q \equiv 1 \pmod{4}$. Furthermore, we give formulae for the proportion of d \in \F_q \setminus \{0,1\} for which the Edwards curve $E_d$ is complete or original, relative to the total number of $d$ in each isogeny class.Comment: 27 page

3- and 5-Isogenies of Supersingular Edwards Curves

An analysis is made of the properties and conditions for the existence of 3- and 5-isogenies of complete and quadratic supersingular Edwards curves. For the encapsulation of keys based on the SIDH algorithm, it is proposed to use isogeny of minimal odd degrees 3 and 5, which allows bypassing the problem of singular points of the 2nd and 4th orders, characteristic of 2-isogenies. A review of the main properties of the classes of complete, quadratic, and twisted Edwards curves over a simple field is given. Equations for the isogeny of odd degrees are reduced to a form adapted to curves in the form of Weierstrass. To do this, use the modified law of addition of curve points in the generalized Edwards form, which preserves the horizontal symmetry of the curve return points. Examples of the calculation of 3- and 5-isogenies of complete Edwards supersingular curves over small simple fields are given, and the properties of the isogeny composition for their calculation with large-order kernels are discussed. Equations are obtained for upper complexity estimates for computing isogeny of odd degrees 3 and 5 in the classes of complete and quadratic Edwards curves in projective coordinates; algorithms are constructed for calculating 3- and 5-isogenies of Edwards curves with complexity 6M + 4S and 12M + 5S, respectively. The conditions for the existence of supersingular complete and quadratic Edwards curves of order 4x3mx5n and 8x3mx5n are found. Some parameters of the cryptosystem are determined when implementing the SIDH algorithm at the level of quantum security of 128 bits

Modeling of 3- and 5-Isogenies of Supersingular Edwards Curves

An analysis is made of the properties and conditions for the existence of 3- and 5-isogenies of complete and quadratic supersingular Edwards curves. For the encapsulation of keys based on the SIDH algorithm, it is proposed to use isogeny of minimal odd 3 and 5 degrees, which allows bypassing the problem of singular points of the 2nd and 4th orders, characteristic of 2-isogenies. A review of the main properties of the classes of complete, quadratic and twisted Edwards curves over a simple field is given. Formulas for the isogeny of odd degrees are reduced to a form adapted to curves in Weierstrass form. To do this, the modified law of addition of curve points in the generalized Edwards form is used, which preserves the horizontal symmetry of the curve’s return points. Examples of the calculation of 3- and 5-isogenies of complete Edwards supersingular curves over small simple fields are given, and the properties of the isogeny composition for computing isogenies with large-order kernels are discussed. Formulas of upper bounds for the complexity of computing isogeny of odd degrees 3 and 5 in the classes of complete and quadratic Edwards curves in projective coordinates are obtained. Algorithms for calculating 3- and 5-isogenies of Edwards curves with complexity and 12M+5S, respectively, are constructed. The conditions for the existence of supersingular complete and quadratic Edwards curves of the order 4·3m·5n and 8·3m·5n are found. Some parameters of the cryptosystem were determined during the implementation of the SIDH algorithm at the quantum security level of 128 bits

Analysis of 2-Isogeny Properties of Generalized Form Edwards Curves

The analysis of the 2-isogeny existence conditions of generalized Edwards form curves over a prime field, including complete, quadratic, and twisted Edwards curves, is presented. An overview of the properties of these three classes of curves is given. Generalization of the results known for the classes of complete and quadratic curves to the class of twisted Edwards curves is obtained. A modified law of point’s addition is used to correctly determine the isogeny degree

Analogues of Velu\u27s Formulas for Isogenies on Alternate Models of Elliptic Curves

Isogenies are the morphisms between elliptic curves, and are accordingly a topic of interest in the subject. As such, they have been well-studied, and have been used in several cryptographic applications. Velu’s formulas show how to explicitly evaluate an isogeny, given a specification of the kernel as a list of points. However, Velu’s formulas only work for elliptic curves specified by a Weierstrass equation. This paper presents formulas similar to Velu’s that can be used to evaluate isogenies on Edwards curves and Huff curves, which are normal forms of elliptic curves that provide an alternative to the traditional Weierstrass form. Our formulas are not simply compositions of Velu’s formulas with mappings to and from Weierstrass form. Our alternate derivation yields efficient formulas for isogenies with lower algebraic complexity than such compositions. In fact, these formulas have lower algebraic complexity than Velu’s formulas on Weierstrass curves

FourQ: four-dimensional decompositions on a Q-curve over the Mersenne prime

We introduce FourQ, a high-security, high-performance elliptic curve that targets the 128-bit security level. At the highest arithmetic level, cryptographic scalar multiplications on FourQ can use a four-dimensional Gallant-Lambert-Vanstone decomposition to minimize the total number of elliptic curve group operations. At the group arithmetic level, FourQ admits the use of extended twisted Edwards coordinates and can therefore exploit the fastest known elliptic curve addition formulas over large prime characteristic fields. Finally, at the finite field level, arithmetic is performed modulo the extremely fast Mersenne prime $p=2^{127}-1$. We show that this powerful combination facilitates scalar multiplications that are significantly faster than all prior works. On Intel\u27s Broadwell, Haswell, Ivy Bridge and Sandy Bridge architectures, our software computes a variable-base scalar multiplication in 50,000, 56,000, 69,000 cycles and 72,000 cycles, respectively; and, on the same platforms, our software computes a Diffie-Hellman shared secret in 80,000, 88,000, 104,000 cycles and 112,000 cycles, respectively. These results show that, in practice, FourQ is around four to five times faster than the original NIST P-256 curve and between two and three times faster than curves that are currently under consideration as NIST alternatives, such as Curve25519

On isogeny classes of Edwards curves over finite fields

We count the number of isogeny classes of Edwards curves over odd characteristic finite fields, answering a question recently posed by Rezaeian and Shparlinski. We also show that each isogeny class contains a complete Edwards curve, and that an Edwards curve is isogenous to an original Edwards curve over Fq if and only if its group order is divisible by 8 if q ≡ −1 (mod 4), and 16 if q ≡ 1 (mod 4). Furthermore, we give formulae for the proportion of d ∈ Fq ____ {0, 1} for which the Edwards curve Ed is complete or original, relative to the total number of d in each isogeny clas

On isogeny classes of Edwards curves over finite fields

We count the number of isogeny classes of Edwards curves over finite fields, answering a question recently posed by Rezaeian and Shparlinski. We also show that each isogeny class contains a {\em complete} Edwards curve, and that an Edwards curve is isogenous to an {\em original} Edwards curve over $\mathbb{F}_q$ if and only if its group order is divisible by $8$ if $q \equiv -1 \pmod{4}$, and $16$ if $q \equiv 1 \pmod{4}$. Furthermore, we give formulae for the proportion of $d \in \mathbb{F}_q$ \ {0,1} for which the Edwards curve $E_d$ is complete or original, relative to the total number of $d$ in each isogeny class