54 research outputs found

    Optimized Method for Computing Odd-Degree Isogenies on Edwards Curves

    In this paper, we present an efficient method to compute arbitrary odd-degree isogenies on Edwards curves. By using the $w$-coordinate, we optimized the isogeny formula on Edwards curves by Moody and Shumow. We demonstrate that Edwards curves have an additional benefit when recovering the coefficient of the image curve during isogeny computation. For $\ell$-degree isogeny where $\ell=2s+1$, our isogeny formula on Edwards curves outperforms Montgomery curves when $s \geq 2$. To better represent the performance improvements when $w$-coordinate is used, we implement CSIDH using our isogeny formula. Our implementation is about 20% faster than the previous implementation. The result of our work opens the door for the usage of Edwards curves in isogeny-based cryptography, especially for CSIDH which requires higher degree isogenies.

    The Q-curve construction for endomorphism-accelerated elliptic curves

    We give a detailed account of the use of $\mathbb{Q}$-curve reductions to construct elliptic curves over $\mathbb{F}_{p^2}$ with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when $p$ is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over $\mathbb{F}_{p^2}$ equipped with efficient endomorphisms for every $p > 3$, and exhibit examples of twist-secure curves over $\mathbb{F}_{p^2}$ for the efficient Mersenne prime $p = 2^{127}-1$. Comment: To appear in the Journal of Cryptology. arXiv admin note: text overlap with arXiv:1305.540

    Optimizations of Isogeny-based Key Exchange

    Supersingular Isogeny Diffie-Hellman (SIDH) is a key exchange scheme that is believed to be quantum-resistant. It is based on the difficulty of finding a certain isogeny between given elliptic curves. Over the last nine years, optimizations have been proposed that significantly increased the performance of its implementations. Today, SIDH is a promising candidate in the US National Institute for Standards and Technology’s (NIST’s) post-quantum cryptography standardization process. This work is a self-contained introduction to the active research on SIDH from a high-level, algorithmic lens. After an introduction to elliptic curves and SIDH itself, we describe the mathematical and algorithmic building blocks of the fastest known implementations. Regarding elliptic curves, we describe which algorithms, data structures and trade-offs regarding elliptic curve arithmetic and isogeny computations exist and quantify their runtime cost in field operations. These findings are then tailored to the situation of SIDH. As a result, we give efficient algorithms for the performance-critical parts of the protocol.

    Randomization of the CSIDH Algorithm on Quadratic and Twisted Edwards Curves

    The properties of quadratic and twisted supersingular Edwards curves that form quadratic twist pairs with order over a prime field are considered. A modification of the CSIDH algorithm based on the isogenies of these curves is presented. The parameters of these two classes of supersingular Edwards curves for are calculated and tabulated. An example of the implementation of the CSIDH algorithm as a non-interactive secret sharing scheme based on the secret and public keys of Alice and Bob is given. A new randomized CSIDH algorithm with random equiprobable selection of a curve from two classes at each step of the isogeny chain is proposed. This algorithm is proposed as an alternative to "constant time CSIDH". An estimate of the probability of a successful side channel attack in a randomized algorithm is given. It is noted that all calculations in the CSIDH algorithm necessary to calculate the common secret are reduced only to the calculation of the isogenic curve parameter and are performed by field operations, scalar multiplication and doubling the points of the isogeny kernel. In the new algorithm, it is proposed to abandon the calculation of the isogenic function of a random point , which significantly speeds up the algorithm.

    Computing of Odd Degree Isogenies on Supersingular Twisted Edwards Curves

    An overview of the properties of three classes of curves in generalized Edwards form $E_{a,d}$ with two parameters is given. The known formulas for the odd degree isogenies on curves $E_d$ with one parameter are generalized to all classes of curves in Edwards form, and Theorem 1 on the isogenic mapping of the points of these curves is proved. The analysis of the known effective method for computing isogenies in Farashahi-Hosseini $w$-coordinates, justified for the curve $E_d$, is given. Theorem 2 proves the applicability of this method to the class of twisted Edwards curves. Examples of 3- and 5-isogenies of twisted Edwards curves are given. Methods for bypassing the exceptional points of such curves in PQC cryptosystems like CSIDH are proposed.

    Modeling CSIKE Algorithm on Non-Cyclic Edwards Curves

    An original key encapsulation scheme is proposed as a modification of the CSIDH algorithm built on the isogenies of non-cyclic Edwards curves. The corresponding CSIKE algorithm uses only one public key of the recipient. A brief review of the properties of non-cyclic quadratic and twisted supersingular Edwards curves is given. We use a new scheme for modeling the CSIKE algorithm on isogenies of 4 degrees 3, 5, 7, 11 for $p = 9239$. In contrast to the CSIDH models of previous works, this scheme does not use precomputations and tabulation of the parameters of isogenic chains, but uses one known supersingular starting curve $E_d$ with the parameter $d = 2$. Examples of calculations of isogenic chains by Alice and Bob at three stages of CSIKE operation using a randomized algorithm are given. It also proposes to abandon the calculation of the isogenic function $\phi(R)$ of a random point $R$, which significantly speeds up the algorithm.

    CSIKE-ENC Combined Encryption Scheme with Optimized Degrees of Isogeny Distribution

    For the PQC CSIDH and CSIKE algorithms, the advantages of two classes of quadratic and twisted supersingular Edwards curves over complete Edwards curves are justified. These classes form pairs of quadratic twist curves with order $p + 1 \equiv 0 \bmod 8$ over the prime field $\mathbb{F}_p$ and double the space of all curves in the algorithms. The randomized algorithms CSIDH and CSIKE are presented. An analysis of the degrees $l_k$ isogenies distribution is given, and an optimal distribution within the given conditions is proposed with the degree $l_{\max} = 397$ instead of $l_{\max} = 587$ while maintaining the number $K = 74$ of all degrees. A probabilistic analysis of random odd order points $R$ was carried out, probability estimates are obtained, and it is recommended to avoid isogenies with small values of the degrees $l_k$ in algorithms. The features of the CSIKE algorithm with one public key of Bob in the problem of encapsulation by Alice of the secret key $\kappa$, which Bob calculates at the stage of decapsulation with his secret key, are considered. A CSIKE-ENC scheme for combined encryption of the key $\kappa$ and message $M$ based on two asymmetric algorithms CSIDH and CSIKE with Alice’s authentication and the well-known symmetric message encryption standard is proposed. The security aspects of the scheme are discussed.