Efficient Commutative PQC Algorithms on Isogenies of Edwards Curves

Preprint

Article

Efficient Commutative PQC Algorithms on Isogenies of Edwards Curves

Altmetrics

Downloads

137

Views

Comments

A peer-reviewed article of this preprint also exists.

Anatoly Bessalov,

Volodymyr Sokolov^*,Sergey Abramov

Anatoly Bessalov,

Volodymyr Sokolov^*,Sergey Abramov

This version is not peer-reviewed

Submitted:

22 June 2024

Posted:

24 June 2024

You are already at the latest version

Alerts

Abstract

The article presents the author’s works in the field of modifications and modeling of the PQC CSIDH algorithm on non-cyclic supersingular Edwards curves and its predecessor CRS scheme on ordinary non-cyclic Edwards curves are reviewed. Lower estimates of the computational speed gains of the modified algorithms over the original ones are obtained. The most significant results were obtained by choosing classes of non-cyclic Edwards curves connected as quadratic twist pairs instead of cyclic complete Edwards curves, as well as the method of algorithm randomization as an alternative to “constant time CSIDH.” It is shown that in the CSIDH and CSIKE algorithms, there are two independent cryptosystems with the possibility of parallel computation, eliminating the threat of side-channel attacks. For the CRS scheme, there are four such cryptosystems. Integral lower bound estimates of the performance gain of the modified CSIDH algorithm are obtained at 1.5 ∙ 29, and for the CRS scheme are 3 ∙ 29.

Keywords:

Subject: Computer Science and Mathematics - Other

1. Introduction

The announcement of the Post-Quantum Cryptography (PQC) Commutative Supersingular Isogeny Diffie-Hellman (CSIDH) algorithm [1], based on the original CRS scheme [2], was accompanied by the author’s statement that it has the smallest known key length of 512 bits with a security level of 128 bits. However, problems with vulnerability to side-channel attacks and fast performance were noted. To overcome the slowness of the implementation of the Couveignes-Rostovtsev-Stolbunov (CRS) scheme [3], the authors justified their choice of supersingular elliptic curves in Montgomery form instead of ordinary (non-supersingular) ones in [2], which speeds up the implementation by a factor of 2,000 [1].

A significant acceleration of CSIDH [1] implementation (20%) was achieved in [4] with Farashahi-Hosseini [5] calculations in projective coordinates (W:Z). The CSIDH model [4] uses the Edwards isogenies of complete curves technique [6] with computations of isogenic curve parameters using formulas [7].

In our articles [8,9,10,11,12,13,14,15] we disagreed with the ambiguous terminology of curves in Edwards form in the pioneering [6] and proposed a more correct classification of them into three non-isomorphic classes [8]. The present article has two aims. First, we give an overview of our most promising modifications of the CSIDH algorithm, which improve the efficiency of the algorithm. Along with this, here for the first time we obtain an integral lower bound estimate of the gain in the speed of computation of isogenic chains γ = 3 ∙ 2⁹ in the speed of computing isogenic chains due to all proposed modifications.

Section 2 gives the rationale for the choice of non-cyclic classes of quadratic and twisted supersingular Edwards curves defined as a pair of quadratic twists over a prime field

F_{p}

, where

p \equiv 7 m o d 8

[8,9,10,11]. Their advantages over the class of complete supersingular Edwards curves are the doubling of the set of all curves and, most importantly, the elimination of the laborious operation of inversion of the

d^{- 1}

parameter

d

in the transition to quadratic twist. In this article, we obtain the first partial estimate of the gain

γ_{1} γ_{2} = 2^{5}

in the speed of computation in CSIDH on non-cyclic supersingular Edwards curves compared to complete supersingular Edwards curves.

In Section 3, based on the estimates obtained in [10] of the computational cost in projective coordinates

(W : Z)

Farashahi-Hosseini [5] parameter

d

of the isogenic curve and isogenic function

ϕ (x, y)

we obtained an estimate of the gain in computational speed in CSIDH

γ_{3} = 2.235

due to the refusal of the redundant calculation of the function

ϕ (x, y) .

In Section 4, we consider the method of randomization of the CSIDH algorithm [12] and justify estimates of the speed gain of its implementation. We emphasize the existence of two isomorphic cryptosystems with parallel computation capability, which removes the threat of side-channel and doubles the performance of the algorithm. Here, the partial estimate of the speed gain of the algorithm is

γ_{4} γ_{5} γ_{6} = 2^{3} .

Section 5 is devoted to the optimization of the distribution of isogeny degrees in CSIDH [14], which is not dense and has discontinuities in the table of prime numbers. It is shown that, while preserving the security parameters, it is possible to reduce the degree of the senior isogeny and obtain a linear estimate of the CSIDH acceleration by a factor of 1.5.

The original and fast key encapsulation algorithm Commutative Supersingular Isogeny Key Encapsulation (CSIKE) [13] and its model implementation are discussed in Section 6. Here a single public key of the recipient is used instead of two in CSIDH, which gives a security gain.

In Section 7, we consider aspects of the CRS model implementation of the Diffie-Hellman secret sharing scheme on 4-degree isogenies

{3,5, 7,37}

of ordinary non-cyclic Edwards curves. An important advantage of these curves is the existence of 4-independent cryptosystems with the possibility of parallel computation and performance quadrupling (or doubling compared to CSIDH). Other interesting problems and modifications of cryptosystems are considered in [15].

2. Selection of Classes and Types of Edwards Curves

Depending on the quadratic properties of the parameters

a

and

d

we in [8] also propose a more correct classification of curves into three non-intersecting classes than in [6]:

A. Complete Edwards curves:

χ (a) = 1, χ (d) = - 1

;

B. Quadratic Edwards curves:

χ (a) = χ (d) = 1

;

C. Twisted Edwards curves:

χ (a) = χ (d) = - 1 .

The well-known implementation of the CSIDH algorithm [4] is based on complete Edwards curves A in the Farashahi-Hosseini

(W : Z)

coordinate system, which accelerated its performance by 20% compared to Montgomery curves in the

(X : Z)

coordinate system. We have justified and utilized non-cyclic curves of classes B and C as quadratic twist pairs in [9,10,11,12,13,14,15]. They have two important advantages over the complete Edwards curves A:

Doubling the number of all curves in the algorithm over a single class A doubles the set of all isogenic curves of classes B and C with a corresponding gain in security. This can be exchanged for a gain in computational speed $γ_{1} = 2$ ;
For half of all computable isogenic curves with negative exponents $e_{i}$ given by the secret key $Ω$ (see Section 4), no time-consuming inversion of the parameter d of the class A isogenic curve is required. The corresponding gain in speed $γ_{2}$ in computational speed should be estimated.

Let us define curves B and C as a pair of quadratic twists at

p \equiv 7 m o d 8

by the equations:

E_{1, d} : x^{2} + y^{2} = 1 + d x^{2} y^{2}, a, d \in F_{p}^{*}, a = 1, χ (d) = 1,

(1)

E_{- 1, - d} : x^{2} - y^{2} = 1 - d x^{2} y^{2}, a, d \in F_{p}^{*}, a = - 1, χ (d) = 1 .

(2)

In the twisted curve (2), both parameters of the curve are multiplied by

(- 1)

and become non-square. The orders of all supersingular Edwards curves are equal to

# E = p + 1 = 8 n,

where for the CSIDH algorithm

n = \prod_{i = 1}^{K} l_{i}

, where

l_{i}

are the degrees of prime odd isogenies (see Section 4). The maximum order of a point of a non-cyclic curve is

4 n

, so it is sufficient to multiply any random point by four to obtain odd-order points.

It follows from (1) and (2) that the transition to quadratic twist for classes B and C is practically free, whereas within class A such a transition is achieved by inversion of the parameter

d

, which according to a known estimate [16] requires (10..50)

M

, where

M

is the cost of multiplication in the group

F_{p}^{*} .

Taking conditionally the complexity of the transition between curves (1) and (2) as

1 M

, we obtain a conditional average estimate of the gain

γ_{2} \approx 2^{5}

in computational speed compared to complete curves A. Since in the CSIDH algorithm the transition to quadratic twist is required for approximately half of the isogenic curves, we can use a conditional lower estimate of the gain

γ_{2} \approx 2^{4} .

By curve type here we mean supersingular curves with trace

t = 0

or ordinary curves with order

# E = p + 1 - t

, where

t

is the trace of the Frobenius equation,

t \neq 0

. Since the set of the former is

\sqrt{p}

times wider than the set of supersingular curves, interesting unique applications of this type of Edwards curves are discussed in [15] and Section 7.

An important tool in analyzing isogenies is the J-invariant [6]

J (a, d) = \frac{16 (a^{2} + d^{2} + 14 a d)^{3}}{a d (a - d)^{4}}, a d (a - d) \neq 0 .

(3)

This parameter distinguishes between isogenic (with different J-invariants) and isomorphic (with equal J-invariants) curves. Since the J-invariant retains its value for all isomorphic curves and quadratic twist pairs [17]

,

it is the same for a pair of quadratic and twisted supersingular Edwards curves (

a = \pm 1

), so we will use the invariant

J (d)

. It is useful both in finding supersingular curves and in constructing isogeny chain graphs. One of the properties of J-invariants

J (d) = J (d^{- 1})

For the considered classes of supersingular Edwards curves the substitution

d \to d^{- 1}

gives an isomorphism, and for complete Edwards curves a quadratic twist.

3. Computation of Odd-Degree Isogenies on Edwards Curves and Complexity Estimation

Isogenies of an elliptic curve

E (K)

over the field

K

into a curve

E^{'} (K)

is a homomorphism

ϕ : E (\bar{K}) \to E^{'} (\bar{K})

given by rational functions. This means that there exists a rational function [17]

ϕ (x, y) = (\frac{p (x)}{q (x)}, y \frac{f (x)}{g (x)}) = (x^{'}, y^{'}),

(4)

mapping the points of the curve

E

to the points of the curve

E^{'}

, and for all

P, Q \in E (K)

ϕ (P + Q) = ϕ (P) + ϕ (Q)

. The isogeny degree is the maximum of the degrees

l = \deg ϕ (x, y) = \max {\deg p (x), \deg q (x)}

and its kernel

\ker ϕ = G

is the subgroup

G \subseteq E

whose points are mapped by the function

ϕ (x, y)

into a neutral element

O

of the group

E^{'}

. The degree of the separable isogeny is equal to the ordering

l

of its kernel. The isogeny compresses the set of points of the curve E в

l

times (

l

curve points

E

are mapped to a single point on the curve

E^{'}

The computation of isogenies of Edwards curves of classes A and B of odd powers is performed according to Theorem 2 [7]. In [9] we generalized it to curves of class C in the following theorem.

Theorem 1.Let

G = {(1,0), \pm Q_{1}, \pm Q_{2}, \dots, \pm Q_{s}}

is a subgroup of odd order of

l = 2 s + 1

points of

\pm Q_{i} = (α_{i}, \pm β_{i})

curve

E_{d}

over the field

F_{p}

Let’s determine

ϕ (P) = (x^{'}, y^{'}) = (\prod_{Q \in G} \frac{x_{P + Q_{i}}}{x_{Q_{i}}} \frac{x_{P - Q_{i}}}{x_{- Q_{i}}}, \prod_{Q \in G} \frac{y_{P + Q_{i}}}{x_{Q_{i}}} \frac{y_{P - Q_{i}}}{x_{- Q_{i}}}) .

(5)

Then

ϕ (x, y)

there is l-isogeny with the kernel G from the curve

E_{a, d}

into a curve

E_{a^{'}, d^{'}}^{'}

with parameters

a^{'} = a^{l} d^{'} = A^{8} d^{l}

, where

A = \prod_{i = 1}^{s} α_{i}

, and the mapping function

ϕ (x, y) = (\frac{x}{A^{2}} \prod_{i = 1}^{s} \frac{(α_{i} x)^{2} - a^{2} (β_{i} y)^{2}}{1 - (d α_{i} β_{i} x y)^{2}}, \frac{y}{A^{2}} \prod_{i = 1}^{s} \frac{(α_{i} y)^{2} - (β_{i} x)^{2}}{1 - (d α_{i} β_{i} x y)^{2}})

(6)

ϕ (x, y) = (\frac{x}{A^{2}} \prod_{i = 1}^{s} \frac{x^{2} - a {β_{i}}^{2}}{1 - d β_{i} x^{2}}, - \frac{y}{A^{2}} \prod_{i = 1}^{s} \frac{x^{2} - {a_{i}}^{2}}{a - d α_{i} x^{2}}) .

(7)

Proof of Theorem 1. Its proof is given in [9]. It is important to note that the isogenic function (7) includes the parameter

a

, which is absent in the original Theorem 2 [7]. □

The parameters of the isogenic curve according to Theorem 2 [7] are calculated by the formulas

a^{'} = a^{l} d^{'} = A^{8} d^{l}, A = \prod_{i = 1}^{s} α_{i}

(8)

The task of this section is a comparative evaluation of the complexity of computing the isogenic function

ϕ (x, y)

and the parameter

d^{'}

of the isogenic curve

E_{a^{'}, d^{'}}^{'}

. This will allow us to estimate the gain in computational speed in the CSIDH algorithm when giving up the computation of the function

ϕ (x, y)

(justified in Section 4).

The fastest results today for curve isogenies in Edwards form are obtained in projective coordinates

(W : Z)

with the introduction of a generalized Farashahi-Hosseini variable

w = d x^{2} y^{2}

[5]. For isogenies of degree

l

are calculated

s = (l - 1) / 2

points

Q_{i} = (α_{i}, β_{i})

of the isogeny kernel together with the coordinates

w_{i} = d α_{i}^{2} β_{i}^{2}

, then according to Theorem 2 [4]

w (ϕ) = w \prod_{i = 1}^{s} \frac{w - w_{i}}{1 - w w_{i}} .

(9)

Let

M

complexity of multiplication in the field

F_{p}

S

is the complexity of squaring, and let us use the results of [4]. Taking into account the complexity of calculating the coordinates of the kernel points, the complexity of calculating the function

ϕ (x, y)

is equal to

C_{ϕ} = s (8 M + 2 S) + S - 2 M .

(10)

The cost of calculating the parameter

d^{'}

of the isogenic curve

E^{'}

, respectively,

C_{d} = s (6 M + 2 S) + 5 S - 4 M .

(11)

Let’s take the known estimate

S = \frac{2}{3} M

[6]. Then we have

C_{ϕ} = \frac{28}{3} s M - \frac{4}{3} M, C_{d} = \frac{22}{3} s M - \frac{2}{3} M .

(12)

The gain in computing speed without taking into account

C_{ϕ}

equals

γ_{3} = \frac{C_{d} + C_{ϕ}}{C_{d}} = 1 + \frac{C_{ϕ}}{C_{d}} = 1 + \frac{14 s - 2}{11 s - 1} .

(13)

For

l

at the maximum

s \approx 300

and minimum

s = 1

this gain is equal to 2.27 and 2.20, respectively. On average, we obtain

γ_{3} = 2.235 .

Thus, the acceleration of the CSIDH algorithm when refusing the redundant calculation of the function

ϕ (x, y)

is estimated by the coefficient

γ_{3} = 2.235 .

4. Randomization of the CSIDH Algorithm on Non-Cyclic Edwards Curves

The PQC CSIDH algorithm is proposed by the authors [1] to solve the classical Diffie-Hellman key exchange problem. Isogenic curve mapping

E

of order

# E

over a prime field

F_{p}

into a curve

E^{'}

is defined as the class-group action and is commutative. Compared to the known original CRS scheme (Couveignes [18] and Rostovtsev et al. [2]) on ordinary curves, the use of isogenies of supersingular curves allowed us to speed up the algorithm and obtain the smallest known key size (512 bits with a security level of 128 bits in [1]).

Let the curve

E

of order

# E

contain points of small odd orders

l_{k}, k = 1,2, \dots, K .

Then there exists an isogenic curve

E^{'}

of the same order

# E

as a mapping of degree

l_{k} : E \to E^{'} = [l_{k}] * E

. Repetition of this operation

e_{k}

times is denoted as

[{l_{k}}^{e_{k}}] * E

. The values of the exponents of the isogenies

e_{k} \in Z

determine the length of the chain of isogenies of degree

l_{k}

. In [1] the interval of exponent values is adopted

[- m \leq e_{k} \leq m]

m = 5

K = 74

, which provides a security level of 128 bits during attacks on a quantum computer. Negative values of the exponent

e_{i}

mean transition to the supersingular curve of quadratic twist.

Non-interactive key exchange using the Diffie-Hellman scheme involves steps [1]:

Parameter selection. For small prime odd $l_{k}$ is calculated $n = \prod_{k = 1}^{K} l_{k}$ where the value $K$ is determined by the security level, a suitable field modulus $p = 2^{m} \prod_{k = 1}^{K} l_{k} - 1, m \geq 3$ , and the starting elliptic curve $E_{0}$ are chosen;
Public key computation. Alice uses her secret key $Ω_{A} = (e_{1}, e_{2}, \dots, e_{K})$ constructs an isogenic mapping $Θ_{A} = [{l_{1}}^{e_{1}}, {l_{2}}^{e_{2}}, \dots, {l_{K}}^{e_{K}}]$ and computes the isogenic curve $E_{A} = Θ_{A} * E_{0}$ as her public key. Bob, based on the secret key $Ω_{B}$ and function $Θ_{В}$ performs the same computation and obtains his public key $E_{B} = Θ_{B} * E_{0}$ These curves are defined by their parameters with exact isomorphism;
Key exchange. The protocol here is similar to Step 2 with a change $E_{0} \to E_{B}$ for Alice and $E_{0} \to E_{A}$ for Bob. Knowing Bob’s public key, Alice calculates $E_{B A} = Θ_{A} * E_{B} = Θ_{A} Θ_{B} * E_{0}$ . Bob’s similar action gives the result $E_{A B} = Θ_{B} * E_{A} = Θ_{B} Θ_{A} * E_{0}$ , coinciding with the first one due to the commutativity of the group operation. As a shared secret we take J-invariant of the curve $E_{A В} (E_{В А}) .$

Below we give a modification of Alice’s computation algorithm according to Section 3 [1] using isogenies of quadratic and twisted supersingular Edwards curves.

Algorithm 1. Evaluation of the class-group action on quadratic and twisted supersingular Edwards curves.

Input:

d_{A} \in E_{A}, χ (d) = 1

and a list of integers

Ω_{A} = (e_{1}, e_{2}, \dots, e_{K})

Output:

d_{B}

such that

[{l_{1}}^{e_{1}}, {l_{2}}^{e_{2}}, \dots, {l_{K}}^{e_{K}}] * E_{A} = E_{B}

, where

E_{A, B} : x^{2} + a y^{2} = 1 + a d_{A, B} x^{2} y^{2}

1. WHILE some

e_{i} \neq 0

2. Sample a random

x \in F_{p}

;

3. Set

a \leftarrow 1

E_{A} : x^{2} + y^{2} = 1 + d_{A} x^{2} y^{2}

\frac{1 - x^{2}}{1 - d y^{2}}

is a square in

F_{p}

;

4. ELSE

a \leftarrow - 1

E_{A} : x^{2} - y^{2} = 1 - d_{A} x^{2} y^{2}

;

5. Let

S = {i | a e_{i} > 0}

. IF

G = \emptyset

then start over to Line 2 while

a \leftarrow - a

;

6. Let

n = \prod_{i \in S} l_{i}

and compute

R \leftarrow \frac{p + 1}{2 n} P, P \leftarrow P (x, y)

;

7. FOR each

i \in S

8. Compute

Q \leftarrow \frac{k}{l_{i}} R

;

9. IF

Q \neq (1,0)

compute an isogeny

ϕ : E_{A} \to E_{B}

with

\ker ϕ = Q

;

10. Set

d_{A} \leftarrow d_{B}

R \leftarrow ϕ (R)

e_{i} \leftarrow e_{i} - a

;

11. Skip

i

S

and

n \leftarrow \frac{n}{l_{i}}

e_{i} = 0

;

12. RETURN

d_{А}

. □

Compared to Algorithm 2 in [1], Algorithm 1 adapted to quadratic and twisted supersingular Edwards curves, makes modifications that are discussed in [11]. In this section, we present an analysis of the speed gains of the randomized algorithm [12] compared to the algorithm [1].

The CSIDH algorithm [1] is constructed in such a way that the computation of isogenic chains according to functions

Θ_{A, В} = [{l_{1}}^{e_{1}}, {l_{2}}^{e_{2}}, \dots, {l_{K}}^{e_{K}}]

are performed in two stages: first the set is formed

S

with key exponents

e_{k}

of one sign, then, after zeroing of all

e_{k}

, of the other. At each stage, the kernels and parameters of exactly

| e_{k} |

of isogenic curves of isogenies of degrees

l_{k}

constructed on curves of the same class (

E_{d}

E_{- 1, - d}

). This gives rise to the threat of a side-channel attack based on measuring the time of these computations, proportional to the length of the

| e_{k} |

and degree

l_{k}

of each chain

[{l_{k}}^{e_{k}}]

. In this regard, most articles on this topic [19,20] consider different variants of “constant time CSIDH” in which the secret exponents are

e_{k}

are built up to an upper bound

m

by fictitious chains of isogenies. Such protection is achieved by significant redundancy and slowing down the algorithm by half.

We propose in [12] another method for solving the problem is the randomization of the path of isogenic chains. The idea is that any random coordinate of the

x

of an elliptic curve always generates a random point

P = (x, y)

of one of the two curves of a pair of quadratic twist pair (1) or (2). Then instead of trying (unsuccessfully with probability ½) to find a point of a curve of a given class and succeeding with probability 1, we determine the class of curve (in our case it is the curve

E_{d}

(1) or

E_{- 1, - d}

(2), one of which the point belongs to

P = (x, y)

). Then we calculate the first isogenic curve in this class

E^{(1)} = [l_{k}] * E^{(0)}

isogeny degree

l_{k}

corresponding to the sign of the exponent

e_{k}

. The selection

l_{k}

is randomized, and the value

| e_{k} |

is decreased by one. In the next step with a new value of the parameter

d^{(1)}

the random point

P = (x, y)

of one of the curves

E_{d}

E_{- 1, - d}

, the isogeny kernel of the randomly chosen degree is determined

l_{k}

and the parameter

d^{(2)}

of the chain. The process continues until all

e_{k} = 0

. The corresponding randomized CSIDH Algorithm 2 is given below.

Algorithm 2.Randomized evaluation of the class-group action on quadratic and twisted supersingular Edwards curves.

Input:

d_{A} \in E_{A}, χ (d) = 1

and a list of integers

Ω_{A} = (e_{1}, e_{2}, \dots, e_{K})

Output:

d_{B}

such that

[{l_{1}}^{e_{1}}, {l_{2}}^{e_{2}}, \dots, {l_{K}}^{e_{K}}] * E_{A} = E_{B}

, where

E_{A, B} : x^{2} + y^{2} = 1 + d_{A, B} x^{2} y^{2}

1. Let

S_{0} = {k | e_{k} > 0}

S_{1} = {k | e_{k} < 0}

n_{0} = \prod_{k \in S_{0}} l_{k}

n_{1} = \prod_{k \in S_{1}} l_{k}

;

2. WHILE some

e_{k} \neq 0

3. Sample a random

x \in F_{p}

;

4. Set

a \leftarrow 1

s \leftarrow 0

E_{A} : x^{2} + y^{2} = 1 + d_{A} x^{2} y^{2}

χ (\frac{x^{2} - 1}{d x^{2} - 1}) = 1

;

5. ELSE

a \leftarrow - 1

s \leftarrow 1

E_{A} : x^{2} - y^{2} = 1 - d_{A} x^{2} y^{2}

;

6. Compute

y

-coordinate of the point

P = (x, y) \in E_{A}

;

7. Compute

R \leftarrow \frac{p + 1}{2 n_{s}} P

;

8. Sample a random

l_{k} | k \in S_{s}

;

9. Compute

Q \leftarrow \frac{n_{s}}{l_{k}} R

;

10. IF

Q \neq (1,0)

compute kernel

G

l_{k}

-isogeny

ϕ : E_{A} \to E_{B}

;

11. ELSE start over to Line 3;

12. Compute

d_{B}

of curve

E_{B}

d_{A} \leftarrow d_{B}

e_{k} \leftarrow e_{k} - s

;

13. Skip

k

V_{s}

and set

n_{s} \leftarrow \frac{n_{s}}{l_{k}}

e_{k} = 0

;

14. RETURN

d_{А}

. □

Here instead of one set

S

in Algorithm 1 two sets

S_{0}

and

S_{1}

are formed, in which the numbers of isogeny degrees corresponding to the key positions are recorded

Ω_{A}

with positive and negative exponents

e_{k},

respectively. At any random choice of

x

is coordinate we obtain a random point

P = (x, y)

, belonging to the curve (1) or (2). Its multiplication by four in Step 7 gives a point of

R

of odd order. The scalar multiplication in Step 9 calculates the point of the

Q

of the isogeny kernel, then the coordinates of all points of the kernel

G .

are calculated. Finally, in Step 12, according to (8), we calculate the parameter

d'

of the isogenic curve

E^{'} .

Note that in classical CSIDH there is already a guaranteed level of protection against the type of side channel attack described above. It is determined by the sign of the secret exponent

e_{k}

of the key. Since each component of

[l_{k}]

function

Θ

computation time

[{l_{k}}^{+ 1}]

and

[{l_{k}}^{- 1}]

is the same, the probability of the analyst’s success even in the conditions of error-free values of

l_{k}

is equal to

2^{- K} = 2^{- 74}

(for the data of [1]). For the average length of

\frac{m + 1}{2} = 3

chain of isogenies of each degree

l_{k}

the total length of the chain of isogenies of the function is

Θ = 3 ∙ 74 = 222

steps. Let

p_{1}

be the probability of error-free determination of degree

l_{k}

by the analyst at one step of the randomized CSIDH protocol, then its probability of success can be estimated by the value

2^{- 74} {p_{1}}^{222}, p_{1} < 1

. For example, at

p_{1} = \frac{1}{2}

the analyst’s probability of success is

2^{- 296}

, and at

p_{1} = \frac{3}{4}

this probability is close to the value

2^{- 165}

that is well below the safety level

2^{- 128}

. Various modifications of the proposed randomization method are possible with insertions of single dummy exponents into the sample components of the

[l_{k}]

functions

Θ

that will not introduce redundancy into the calculations. Note that one mistake of an analyst destroys all his labor-intensive work.

Algorithm 2 does not include the computation of the isogenic function

ϕ (x, y)

, which gives an estimate of the speed gain of Algorithm 2

γ_{3} = 2.235 .

The following gain

γ_{4} = 2

randomization method provides that instead of choosing one of the curves (1) or (2) with probability ½ in Algorithm 2, any choice is good. There is also an approximate gain

γ_{5} = 2

compared to “constant time CSIDH” in which close to half of the isogenies are fictitious, which is not the case in Algorithm 2.

Finally, we’ll justify the gain

γ_{6} = 2

due to parallel computations in two cryptosystems with isomorphic curves. This article is described for the first time. The idea is that in classes B and C for any Edwards curve (1) and (2) with parameter

d

there exists an isomorphic curve with parameter

d^{- 1}

. Fixing the starting curve

E_{0}

, we construct chains of isogenies of all degrees of the first cryptosystem with the secret key

Ω_{1}

. The second cryptosystem with the secret key

Ω_{2}

can be easily constructed on the set of all curves isomorphic to the first one. For this purpose, another starting curve is chosen by inverting the parameter

d

of any curve of the first cryptosystem. These two sets of curves do not intersect, and it is possible to solve two problems simultaneously instead of one, which doubles the computational performance. In addition, parallel computing removes the threat of side-channel attacks altogether and makes the “constant time CSIDH” redundancy meaningless.

Reducing for simplicity the estimate

γ_{3}

and taking

γ_{3} = 2

, we obtain from the results of this section a partial estimate of the computational speed gain of the CSIDH algorithm

γ_{3} γ_{4} γ_{5} γ_{6} = 2^{4}

. Thus, the final lower speedup estimate of the CSIDH algorithm modified in [9,10,11,12,13,14,15] is no less than

\prod_{k = 1}^{6} γ_{k} \geq 2^{9}

. In the following sections, we consider further modifications of CSIDH and their performance evaluations.

5. Optimization of Isogeny Degree Set in CSIDH

In this section, we optimize the distribution of isogeny degrees

{{l}_{k}}

in [14] and evaluate the gains

γ_{7}

of this optimization in comparison with the CSIDH model [1].

We found that 74 degrees

l_{k}

isogenies in [1] with the value of

l_{m a x} = 587

runs only a fraction of all minimal prime numbers from 3 to

587,

the total number of which is 106. In other words, 32 values of prime numbers are not included in the list of degrees

l_{k}

in the model [1], which means discontinuities (gaps) in the set of

{{l}_{k}}

. With an average cost of each degree of 8 bits, a rough estimate of the cost of the removed degrees is

32 \cdot 8 = 256

bits. These losses are unnecessary and generate a slowdown of the algorithm at excessively high degrees of isogenies.

We set a task to analyze possible distributions of sets of prime numbers of the set

L = {{l}_{k}}^{K}

with size

K

and to find variants of optimization (compaction) of this distribution. According to the table of prime numbers up to 587, the complete set

L = {{l}_{k}}^{N} = {3,5, 7, \dots, 587}

contains

N = 106

all prime numbers.

Let’s call the set of prime numbers ordered in ascending order

{{l}_{k}}^{K}

is optimal if at known

l_{m i n} = l_{m}

and

K

product

\prod_{k = m}^{K + m - 1} l_{k} = m a x .

It follows from the definition that the optimal set of prime numbers is dense (without skips) with elements

{{l_{m}, l}_{m + 1}, \dots, l_{K + m - 1}} L

. It is constructed as a segment of length

K

of ordered prime numbers. Removing at least one number (except the extreme numbers) from the middle of the segment gives a non-optimal set

{{l}_{k}}^{K} \notin L .

Removal of one of the extreme numbers

l_{m}, l_{m a x}

of the segment gives two different optimal sets of size

K - 1

. Any subset (segment of length

K)

of the complete set

L

is an optimal set. A non-optimal set contains skips that violate the condition

\prod_{k = m}^{K + m - 1} l_{k} = m a x .

The complete set

{L = {l}_{k}}^{106} = {3,5, 7, \dots, 587}^{106}

is optimal by definition. Removing 32 numbers from it gives a set

{{l}_{k}}^{K = 74}

that is far from optimal. This set

{{l}_{k}}

in [1]. We associate the notion of optimality exclusively with the maximization of the product of elements of the set.

Let’s divide

L

into subsets

L h = {{l}_{k}}^{K_{h}}, h = 1, \dots, 6

which includes prime numbers in the hundreds of numbers with numbers

h

. For the first hundred, for example, we have the subset

L 1 = {3,5, 7, \dots, 97}^{K_{1}},

where

K_{1} = 24 .

For all six subsets

L h

these numbers

K_{h}

are given in the second row of Table 1.

Each degree

l_{k}

in binary form has a

l o g {(l}_{k})

bit. For all products of numbers

l_{k}

in subsets

L h

we calculate the bit length

B_{h} = \sum_{l_{k} \in L h} l o g {(l}_{k})

of the degrees of isogenies. The values

B_{h}

are given in the third row of Table 1. These results allow us to draw interesting conclusions. First, the sum of all bits of the third row

\sum_{h = 0}^{6} B_{h} = 792.772 = 793

bits, defining the product of all 106 prime numbers

{3, \dots, 587}

, has a redundancy of 283 bits compared to the minimum lower threshold of 510 bits (

4 n > 2^{512}

) [1] security requirements. Second, prime numbers in the 5th and 6th hundreds (

L 5

and

L 6

) can be removed, since

\sum_{h = 1}^{4} B_{h} = 533.855 = 534

bits, which satisfies with a margin of 24 bits the requirement

4 n > 2^{512}

. Ignoring the last two columns of Table 1, we obtain 77 values of the elements of the optimal set of

{{l}_{k}}^{K = 77} = {3, \dots, 397}

of prime numbers. Further, we propose to remove the 3 lowest degrees in the first hundred

{3,5, 7}

and construct the optimal set of isogeny degrees

L o p t = {11,13, \dots, 397}^{74}

of the same size 74 as in [1]. This preserves the length

K = 74

of the secret key. Given the equality

\log (3 * 5 * 7) = 6.714

, the product n of all

l_{k}

of the optimal set

L o p t

is evaluated by a binary number of length 528 bits. Adding 2 bits, we obtain the estimate

l o g p = 530

bit. For the distribution

L o p t

we can adjust Table 1: in column

h = 1

of the table we should put the values of

K_{1} = 21, B_{1} = 113.081

and the last two columns of the table should be deleted. Then

\sum_{h = 1}^{4} K_{h} = 74, \sum_{h = 1}^{4} B_{h} = 527.141 = 528

bits,

l o g p = 530

bit. Such an optimal distribution of degrees

{{l}_{k}}

isogenies ensures that the minimal security threshold of 512 bits of the algorithm is exceeded by 18 bits.

Note that the reserve of 18 bits can be used up by removing the two maximum isogeny degrees 397 and 389 for a total cost of 18 bits and taking

l_{m a x} = 383 .

However, this requires reducing the length

K \leftarrow K - 2

of the secret key by two.

The main advantage of the set of isogeny degrees proposed here

L o p t

over the one used in [1] is a significant (by a factor of 1.5) decrease of

l_{m a x} = 587

up to

l_{m a x} = 397

with an optimal distribution of prime numbers. The real gain requires experimental estimation of the complexity of CSIIDH implementation at such a radical reduction of the value of

l_{m a x} .

So, a linear estimate of the gain in computational speed due to the optimization of the isogeny degree distribution is equal to

γ_{7} = 1.5

. Together with the total gain of the previous sections, we obtain a speedup of the CSIIDH algorithm by a factor of

1.5 * 2^{9} ≅ 770

times.

6. CSIKE Algorithm

The classical non-interactive Diffie-Hellman algorithm is based on the use of two public keys. The same problem of generating a shared secret can be solved in a protocol with one transmission session and one recipient’s public key, which is more secure. To do this, Alice generates a shared secret, encrypts it with Bob’s public key, and sends him the encrypted key. On receipt, Bob decrypts it with his secret key. This protocol is called key encapsulation. It involves the steps [21]:

Secret key generation $k$ . Alice uses a random number sensor to find the secret encapsulation vector $Ω_{k} = (e_{1}, e_{2}, \dots, e_{K})$ , constructs the class function of the class group action $Θ_{k} = [{l_{1}}^{e_{1}}, {l_{2}}^{e_{2}}, \dots, {l_{K}}^{e_{K}}]$ and computes an isogenic curve $E_{k} = Θ_{k} * E_{0}$ , whose parameter $d_{k}$ is taken as the secret key $d_{k} = k$ .
Key encapsulation. It’s Alice’s procedure for encrypting the key $k$ with Bob’s public key $E_{B}$ . To do this, Alice computes an isogenic curve $Θ_{k} * E_{B} = E_{k B}$ . The parameter $d_{k B}$ of this curve is sent to Bob.
Key decapsulation. Bob’s decryption of the curve $E_{k B}$ with his secret key $Ω_{B}$ is reduced to his computation of an isogenic curve $\bar{Θ_{B}} * E_{k B} = E_{k}$ where the mapping $\bar{Θ_{B}}$ is constructed by inversion of all signs of the exponents of Bob’s secret key $Ω_{B} \to (- Ω_{B})$ .

In [13], we propose the original CSIKE algorithm as a modification of CSIDH, replacing Alice’s secret key with a secret vector

Ω_{k}

, with which she computes a curve

E_{k} = Θ_{k} * E_{0}

and the shared secret key

d_{k} = k

. Alice then encrypts it with Bob’s public key

E_{B}

. and computes the curve

E_{k B} = Θ_{k} * E_{B} = Θ_{k} * Θ_{В} * E_{0}

. Bob decapsulates his cipher using a multiplicative inverse function

\bar{Θ_{В}}

(such that

Θ_{B} * \bar{Θ_{В}} = I

, where

I = {[1,1, \dots, 1]|}_{K}

), thereby restoring the curve

E_{k} = Θ_{k} * E_{0}

. As the key of encapsulation by both parties, we can take J-invariant of the curve

E_{k}

We consider a simple model of the implementation of the CSIKE algorithm on quadratic and twisted supersingular Edwards curves that form pairs of quadratic twist curves with order

p + 1

. Such curves exist only at

p \equiv - 1 \mod 8

and have order

# E = # E^{t} = p + 1 = c n (n - o d d), c \equiv 0 \mod 8 .

Let such a pair of curves contain kernels of order 3, 5, and 7. At the value

n = 105

of the minimal prime

p = 8 n - 1 = 839

, then the order of these curves

# E = 8 n = 840

. The parameter

d

of the whole family of 418 quadratic Edwards curves can be taken as squares

d = r^{2} \mod p, r = 2, \dots, 419 .

Of these, 66 pairs of quadratic and twisted supersingular Edwards curves are found with parameters

a = \pm 1

and

χ (a d) = 1 .

Table 2 summarizes the values of the parameter

d

for pairs of quadratic

E_{d}

and twisted

E_{- 1, - d}

supersingular Edwards curves. They are written as squares

d = r^{2} \mod p, r = 2, \dots, 419

in ascending order

r

. In this example, the relative proportion of supersingular Edwards curves is close to 16%. Note that for each curve in Table 2, there is at least one isomorphic curve with a parameter

d^{- 1}

and the same J-invariant (2).

For the first quadratic curve

E_{d}^{(0)} = E_{144}

from Table 2, we can construct 3-, 5-, and 7-isogenies and find the parameters

d^{(i)}

of a chain of isogenic curves

E_{d}^{(i)}, i = 0,1, 2, \dots, Т

such that

d^{(T)} = d^{(0)}

. Period

T

of the chain of isogenies divides the number

66 = 2 \cdot 3 \cdot 11

of all supersingular Edwards curves. The calculations of the parameters of

d^{(i)}

chains of respectively 3-, 5-, and 7-isogenies quadratic supersingular Edwards curves are useful only for illustrating the properties of chains of isogenies of quadratic twist pair curves and we omit them in this article. We only note that the period of the 3-isogeny

T_{3} = 33,

and the other two

T_{5} = T_{7} = 11 .

The fragments of isogenic chains of quadratic supersingular Edwards curves in the tables are read from left to right, for twisted ones—from right to left. At each step

i

isogeny of degree

l = 2 s + 1

coordinates

α_{1}, \dots, α_{s}, s = (l - 1) / 2

points of the kernel, after which the parameter of the

d^{(i + 1)}

of the isogenic curve

E_{d}^{(i + 1)}

according to (8) is calculated. Calculation of the isogenic function

ϕ (x, y)

, according to Algorithm 1 of Section 5 is not necessary.

Example 5.1. Suppose Alice has generated a secret vector

Ω_{k} = (7, - 5,8),

which by isogenic mapping

Θ_{k} = [3^{7}, 5^{- 5}, 7^{8}]

at the first stage transforms it into a shared secret key

k

i.e., calculates the curve

E_{k} = Θ_{k} * E_{0}

Then at the second stage, she encrypts this key with Bob’s public key.

d_{B} .

Let Bob’s secret

Ω_{B} = (- 8,6, - 5)

, respectively, its function of the class-group action

Θ_{B} = [3^{- 8}, 5^{6}, 7^{- 5}] .

Let us perform their key computations

k, d_{B} .

As the starting curve of the chain of isogenies, we take the curve

E_{d}^{(0)} = E_{144}

. Then

E_{k} = E_{0} * Θ_{k}

E_{B} = E_{0} * Θ_{B}

To simplify the record in the algorithm for calculating the isogenic curve

E_{k} = E_{0} * Θ_{k}

we will use only the parameters

d^{(i)}

which completely defines the curves

E_{d}^{(i)} (e_{k} > 0)

and

E_{- 1, - d}^{(i)} (e_{k} < 0)

as pairs of quadratic twists. In the parameter chain

d^{(i)}

below we write in parentheses the degree of isogeny, above the arrow the number of steps with the exponent sign

e_{k} .

For example, according to the function

Θ_{k} = [3^{7}, 5^{- 5}, 7^{8}]

and the curve

E_{d}^{(0)} = E_{144}

without resorting to the randomization method (see Section 4), Alice computes a chain of

\frac{d_{0} = 144}{(7)} \overset{8}{\to} \frac{258}{(5)} \overset{- 5}{\to} \frac{112}{(3)} \overset{7}{\to} 286 = k .

(14)

So, the shared secret key

k = 286

. Similarly, Bob calculates his public key based on the curve

E_{144}

and a function

Θ_{B} = [3^{- 8}, 5^{6}, 7^{- 5}]

\frac{d_{0} = 144}{(5)} \overset{6}{\to} \frac{788}{(7)} \overset{- 5}{\to} \frac{258}{(3)} \overset{- 8}{\to} 514 = d_{B} .

(15)

So Bob’s public key

d_{В} = 514

. Then, in the second encapsulation step, Alice encrypts Bob’s public key with the secret key

k = 286

and calculates

E_{B k} = E_{B} * Θ_{k}

\frac{d_{B} = 514}{(3)} \overset{7}{\to} \frac{683}{(5)} \overset{- 5}{\to} \frac{38}{(7)} \overset{8}{\to} 259 \Rightarrow d_{B k} = 259 .

(16)

Finally, in the third step of decapsulation, Bob from the curve

d_{B k} = 259

removes his secret key using the inverse function

\bar{Θ_{B}} = [3^{8}, 5^{- 6}, 7^{5}]

\frac{d_{0} = 259}{(7)} \overset{5}{\to} \frac{578}{(5)} \overset{- 6}{\to} \frac{38}{(3)} \overset{8}{\to} 286 \Rightarrow d_{k} = 286 .

(17)

He ends up with a shared secret key

k = 286

calculated for him by Alice. To avoid ambiguity when obtaining isomorphic curves, J-invariant (3) is taken as the encapsulation key by both parties

J (d_{k}) = 525

curve

E_{286}

The above example gives a concise illustration of the CSIKE algorithm. Its efficiency increases significantly after using the randomization method (see Section 4). For example, Alice’s computation of the encapsulation key

k .

based on the secret vector

Ω_{κ} = (7, - 5,8)

can be realized by a pseudo-random chain of isogenic curves in 20 steps

\frac{d_{0} = 144}{(3)} \overset{2}{\to} \frac{405}{(5)} \overset{- 1}{\to} \frac{15}{(7)} \overset{1}{\to} \frac{488}{(5)} \overset{- 1}{\to} \frac{43}{(7)} \overset{2}{\to} \frac{508}{(5)} \overset{- 1}{\to} \frac{289}{(3)} \overset{2}{\to} \frac{43}{(7)} \overset{3}{\to} \overset{3}{\to} \frac{405}{(5)} \overset{- 1}{\to} \frac{15}{(3)} \overset{1}{\to} \frac{243}{(5)} \overset{- 1}{\to} \frac{293}{(7)} \overset{3}{\to} \frac{636}{(3)} \overset{1}{\to} 286 \Rightarrow d_{k} = k = 286 .

(18)

This result is, understandably, the same as the first result above. In Table 2, exactly half of the parameters

d

are marked with asterisks. These 33 values are included in the period

T = 33

3-isogeny and form a set of parameters

d^{*}

of the first cryptosystem with the starting curve

E_{144}

(or any other curve of this set

d^{*}

). In our example, all isogenic curves belong to this set. The parameters not labeled in Table 2 form the set of 33-parameter

d^{- 1}

isomorphic curves, on which we can build a second cryptosystem independent of the first one with the possibility of parallel computation. For example, from the starting curve with

d^{*} = 144

parameter inversion we come to an isomorphic curve

E_{705}

of the second cryptosystem (see Table 2). Further, by specifying different secrets

Ω_{k 1}

and

Ω_{k 2}

in the two cryptosystems, we can double the key length (

512 \to 1024

bit in CSIDH). Parallel computation, moreover, makes a side-channel attack hopeless. Note also that this possibility arises when only classes of non-cyclic Edwards curves (1) and (2) are used. □

We can conclude that the CSIKE algorithm and modifications of the CSIDH algorithm proposed in our works [13] on quadratic and twisted supersingular Edwards curves provide an efficient and secure alternative to various variants of “Constant time CSIDH” [19,20] with lower estimates in computational speed up to

1.5 \cdot 2^{9}

. Computation of odd degree isogenies in coordinates

(W : Z)

[4], allows us to realize the fastest computations to date in the construction of PQC protocols CSIDH, CSIKE, and similar. Examples of such implementation for simple models of CSIDH and CSIKE algorithms are given in [9,10,11,12,13,14,15]. The possibility of refusing to compute the isogenic function

ϕ (R)

of a random point

R

, which more than doubles the speedup of the algorithm, is justified. The above results cast doubt on the assertion of the author of [22] about the insufficient efficiency of the CSIDH algorithm. The largest computational costs in the algorithms are associated with scalar multiplications of random points, the costs of which require rather experimental evaluation.

7. CRS Encryption Scheme on Isogenies of Ordinary Non-Cyclic Edwards Curves

The presentation of Castryck et al. [1] of the PQC CSIDH algorithm cites the CRS scheme as the first proposed scheme on isogenies of ordinary elliptic curves [2]. Its remarkable properties are the commutativity of isogenic transitions, flexibility, and simplicity due to the use of prime field arithmetic

F_{p}

. The CSIDH algorithm already uses the technology of supersingular elliptic curves, which is justified by the relatively faster implementation of the algorithms. For example, it is noted that CRS encryption is prohibitively slow and can take several minutes at a security level of 128 bits [1].

In [15], we attempted to find reasons for the slowness of the CRS scheme compared to CSIDH and found only immeasurable redundancy in the choice of cryptosystem parameters [2,3]. Then, dealing with the modeling and modification problems of CSIDH, we constructed a prime 4-isogenous model of the CRS scheme with degrees

{3,5, 7,37}

with our modifications [15]. Since the set of ordinary elliptic curves is approximately

\sqrt{p}

times wider than the set of supersingular curves, we should expect that their advantages would be discovered as well. Indeed, such advantages turned out to be the growth of the number of degrees of isogenies at a given or close modulus of the

p

field, and the presence of four parallel independent cryptosystems instead of two in CSIDH, which doubles the speed of the CRS scheme algorithm comparably to CSIDH.

In this survey article, we only consider aspects related to the encryption model and omit the multifunctionality of the scheme described in the original article [15].

The order of an elliptic curve

E

over a prime field

F_{p}

is defined as

# E = p + 1 - t

, where

t

is the trace of the Frobenius endomorphism equation

| t | \leq 2 \sqrt{p}

. For a curve of quadratic twist

E^{t}

this order

{# E}^{t} = p + 1 + t

is symmetric concerning the mean value

p + 1 .

For the supersingular curve

t = 0

and the orders of both curves

p + 1

coincide and the sets of isogeny degrees are the same, but the signs of the exponents of the degrees are reversed, as in CSIDH. In the case of ordinary curves, the orders of the quadratic twist pairs differ by

2 t

, then there exist different degrees of isogenies on curves of two classes related as quadratic twist pairs with different orders. This is the main specificity of ordinary curves. The exponents of the degrees of isogenies of these two curves, as in CSIDH, have opposite signs. The alternation of the degrees of isogenies according to the randomization method is random, and the simplicity of the transitions of the chain of isogenies from one class of non-cyclic Edwards curves (1) and (2) to another is achieved by the fact that their parameters are additively inverse:

(a, d) \leftrightarrow (- a, - d)

(see Section 2).

By analogy with CSIDH, it is not difficult to form general parameters of CRS—similar cryptosystem on isogenies of ordinary Edwards curves of order

# E \equiv 0 m o d 8

over a field with modulus

p \equiv 7 m o d 8

. Let

n_{0} = \prod_{k = 1}^{K} l_{k}

and

N = 8 n_{0}

is the order of a quadratic supersingular Edwards curve over a field with modulus

p_{0} = N - 1 .

Setting the values of the Frobenius trace

t = \pm 8 m, m = 1,2, 3, \dots

we determine the sum

p_{0} \pm 8 m = p

, equal to a prime number

p .

Then over the field

F_{p}

there exists a quadratic ordinary Edwards curve (1) of order

{# E}_{d} = 8 n_{0}

and a twisted curve (2) of order

# E_{- 1, - d} {= N \pm 16 m = 8 n}_{1} .

For example, for the set of degrees of isogenies {

l_{k}} = \{3,5, 7\}, n_{0} = 105, N = 840, p_{0} = 839

, then at

m = 3

we obtain a prime number

p = 839 + 24 = 863 .

Thus the orders of the curves of the pair of quadratic twists are

{# E}_{d} = 840 = 8 \cdot 3 \cdot 5 \cdot 7

and

{# E}_{- 1, - d} = N + 48 = 888 = 8 \cdot 3 \cdot 37

n_{1} = 111 = 3 \cdot 37 .

Other variants of calculating the ordinary Edwards curve parameters are given in [15]. Thus, we have four degrees of isogenies

{{l}_{k}} = \{3,5, 7,37\},

the first three of which are factors of order 840 of the quadratic curve (1), and degrees 3 and 37 share order 888 of the twisted curve (2) over the field

F_{863}

and the trace of the Frobenius endomorphism equation

t = - 24 .

For the first curve (1), the signs of the exponents of the isogenies are

e_{k} > 0,

and for the curve (2)

e_{k} < 0

. Here degree 3 is bidirectional (admits both signs), and degrees 5 and 7 (

e_{k} > 0

) and 37 (

e_{k} < 0

) are unidirectional.

With a relatively small field modulus

p = 863

it is not difficult to find the estimated

\sqrt{p}

parameters

d

of all curves (1) with order 840. Since they are squares, a complete search modulo

p

of all

c = 2,3, \dots, 431,

and

d = c^{2}

yields the set of all 62 values of the parameters d of the ordinary Edwards curves (1) and (2) given in Table 3. All curves together, respectively, are 124. Here the number of parameters is even since for each curve there exists an isomorphic curve with parameter

d \leftrightarrow d^{- 1}

and the same J-invariant (3). For example,

169^{- 1} = 623

J (169) = J (623) = 826

. Then there are 31 non-isomorphic curves (1), the same number of curves (2). Isogenies of all degrees have a prime period

π = 31 .

All parameter values of Table 3 can be found by computing chains of any degree isogeny

\{3,5, 7,37\}

in period

π = 31

. For example, let us compute the chain of 3-isogenies of the quadratic curve (1) in the same way as in [10] for CSIDH on supersingular curves of order 840 over the field

F_{839}

. Choosing the first curve in Table 3 as the starting curve, we obtain for the curve (1)

\frac{d^{(0)} = 169}{(3)} \overset{1}{\to} \frac{503}{(3)} \overset{1}{\to} \frac{318}{(3)} \overset{1}{\to} \frac{652}{(3)} \overset{1}{\to} \frac{181}{(3)} \overset{1}{\to} \frac{551}{(3)} \overset{1}{\to} \frac{326}{(3)} \overset{1}{\to} \frac{161}{(3)} \overset{1}{\to} \frac{618}{(3)} \overset{1}{\to} \frac{436}{(3)} \overset{1}{\to} \frac{302}{(3)} \overset{1}{\to} \overset{1}{\to} \frac{186}{(3)} \overset{1}{\to} \frac{665}{(3)} \overset{1}{\to} \frac{400}{(3)} \overset{1}{\to} \frac{43}{(3)} \overset{1}{\to} \frac{858}{(3)} \overset{1}{\to} \frac{835}{(3)} \overset{1}{\to} \frac{210}{(3)} \overset{1}{\to} \frac{705}{(3)} \overset{1}{\to} \frac{311}{(3)} \overset{1}{\to} \frac{27}{(3)} \overset{1}{\to} \frac{728}{(3)} \overset{1}{\to} \overset{1}{\to} \frac{616}{(3)} \overset{1}{\to} \frac{840}{(3)} \overset{1}{\to} \frac{472}{(3)} \overset{1}{\to} \frac{283}{(3)} \overset{1}{\to} \frac{444}{(3)} \overset{1}{\to} \frac{113}{(3)} \overset{1}{\to} \frac{673}{(3)} \overset{1}{\to} \frac{852}{(3)} \overset{1}{\to} \frac{253}{(3)} \overset{1}{\to} \frac{169 = d^{(31)}}{(3)} .

(19)

The number above Arrow 1 denotes one step of the 3-isogeny chain of the quadratic ordinary Edwards curve (1) with exponent

e_{k} > 0

. Under the value of the parameter

d^{(i)}

in parentheses, we write the degree of isogeny.

For the curved curve (2) with

e_{k} < 0

there also exists a 3-isogeny of the same period

π =

\frac{d^{(0)} = 169}{(3)} \overset{- 1}{\to} \frac{253}{(3)} \overset{- 1}{\to} \frac{852}{(3)} \overset{- 1}{\to} \frac{673}{(3)} \overset{- 1}{\to} \frac{113}{(3)} \overset{- 1}{\to} \frac{444}{(3)} \overset{- 1}{\to} \frac{283}{(3)} \overset{- 1}{\to} \frac{472}{(3)} \overset{- 1}{\to} \frac{840}{(3)} \overset{- 1}{\to} \overset{- 1}{\to} \frac{616}{(3)} \overset{- 1}{\to} \frac{728}{(3)} \overset{- 1}{\to} \frac{27}{(3)} \overset{- 1}{\to} \frac{311}{(3)} \overset{- 1}{\to} \frac{705}{(3)} \overset{- 1}{\to} \frac{210}{(3)} \overset{- 1}{\to} \frac{835}{(3)} \overset{- 1}{\to} \frac{858}{(3)} \overset{- 1}{\to} \frac{43}{(3)} \overset{- 1}{\to} \overset{- 1}{\to} \frac{400}{(3)} \overset{- 1}{\to} \frac{665}{(3)} \overset{- 1}{\to} \frac{186}{(3)} \overset{- 1}{\to} \frac{302}{(3)} \overset{- 1}{\to} \frac{436}{(3)} \overset{- 1}{\to} \frac{618}{(3)} \overset{- 1}{\to} \frac{161}{(3)} \overset{- 1}{\to} \frac{326}{(3)} \overset{- 1}{\to} \overset{- 1}{\to} \frac{551}{(3)} \overset{- 1}{\to} \frac{181}{(3)} \overset{- 1}{\to} \frac{652}{(3)} \overset{- 1}{\to} \frac{318}{(3)} \overset{- 1}{\to} \frac{503}{(3)} \overset{- 1}{\to} \frac{169 = d^{(31)}}{(3)},

(20)

having a reverse order of alternation of isogenic curves (the last chain and (19) are read in reverse order). The number above the arrow (–1) means one step of the isogenic curve (1) with negative parameters. Do not forget that the pair of twist curves

E_{d}

and

E_{- 1, - d}

here are orders of 840 and 888, respectively. For any other degree of isogeny, we can construct similar (19) and (20) chains of isogenic curves of period

π = 31

with the same set of parameters

d^{(i)}

, but with different orders of alternation. In Table 3, these 31 parameters

d

are marked with asterisks. This is the set of parameters

d

of the first cryptosystem. Inverting each parameter

d^{*}

we get unlabeled 31 parameters

d

of the second cryptosystem. As in Section 6 when describing CSIKE (CSIDH), here we also have two isomorphic cryptosystems with the possibility of parallel computation.

A remarkable property of ordinary curves in comparison with supersingular curves is the existence of two more isomorphic cryptosystems. The idea is prime: we can swap the orders of the quadratic (1) and twisted (2) ordinary Edwards curves. The corresponding cryptosystem will be called dual.

Let the orders of the curves (1) and (2) over the field

F_{863}

{# E}_{d} = 888

{# E}_{- 1, - d} = 840 .

For a dual cryptosystem, we can compute an array of parameter values

d

instead of the brute-force method for Table 3. Let us find just one curve (1) with an order

{# E}_{d} = 888

and parameter

d = 6 .

Let us compute a 37-isogeny chain like (19) with a starting value

d = 6

, and its values marked with an asterisk are entered in the first three rows of Table 4. In the same sequence, in the next three rows of the array, we will write the inverted values of the

d^{- 1}

of the isomorphic curves (not marked with an asterisk). The upper and lower parts of Table 4 form equal-sized sets of the parameters of the

d

of two isomorphic dual cryptosystems.

So, using an ordinary instead of supersingular Edwards curve, we get four independent cryptosystems instead of two, which in parallel computing provides a 4-fold gain in cryptosystem performance compared to classical CSIDH. Parallel computation must make it impossible to realize side channel attack and redundancy in “constant time CSIDH” meaningless. Redundant cryptosystems can be used both for the 4-fold increase of key length in encapsulation algorithms and for simplification of the algorithm (reducing the number of isogeny degrees at fixed key length).

Let us consider an example of the implementation of the Diffie-Hellman secret-sharing algorithm on the first cryptosystem with 31 parameters

d^{*}

from Table 4. In our model with isogenies of degrees

{3,5, 7,37}

, to equalize the selection probabilities of the quadratic twist pair curves, we assume all degrees are unidirectional, then in the secret keys of degrees

{5,7}

we attribute the quadratic curve

(e_{k} > 0)

and degrees

{3,37}^{t}

to the twisted curve

{(e}_{k} < 0) .

Let’s take Alice’s secret keys

Ω_{A} = (- 2,5, 1, - 4)

and Bob’s

Ω_{B} = (- 1,3, 3, - 5)

Let’s compute for 12 randomly chosen isogeny steps for each of their public keys.

Alice’s public key with randomly chosen curves and degrees is defined as

\frac{d^{(0)} = 169}{(5)} \overset{1}{\to} \frac{840}{(3)} \overset{- 1}{\to} \frac{616}{(5)} \overset{1}{\to} \frac{43}{(5)} \overset{1}{\to} \frac{326}{(5)} \overset{1}{\to} \frac{852}{(3)} \overset{- 1}{\to} 673 = d^{(6)},

(21)

\frac{d^{(6)} = 673}{(37)} \overset{- 1}{\to} \frac{472}{(7)} \overset{1}{\to} \frac{551}{(37)} \overset{- 1}{\to} \frac{503}{(5)} \overset{1}{\to} \frac{472}{(37)} \overset{- 1}{\to} \frac{27}{(37)} \overset{- 1}{\to} 835 = d^{(12)} \Rightarrow \Rightarrow d_{A} = 835 .

(22)

Bob’s similar calculations give

\frac{d^{(0)} = 169}{(3)} \overset{- 1}{\to} \frac{253}{(5)} \overset{1}{\to} \frac{616}{(5)} \overset{1}{\to} \frac{43}{(7)} \overset{1}{\to} \frac{444}{(7)} \overset{1}{\to} \frac{161}{(5)} \overset{1}{\to} 253 = d^{(6)},

(23)

\frac{d^{(6)} = 253}{(7)} \overset{1}{\to} \frac{186}{(37)} \overset{- 1}{\to} \frac{161}{(37)} \overset{- 1}{\to} \frac{652}{(37)} \overset{- 1}{\to} \frac{253}{(37)} \overset{- 1}{\to} \frac{444}{(37)} \overset{- 1}{\to} 616 = d^{(12)} \Rightarrow \Rightarrow d_{B} = 616 .

(24)

As a result, the two parties have public keys

d_{A} = 835

and

d_{B} = 616

. Next, Alice uses her secret key to compute

Ω_{A} = (- 2,5, 1, - 4)

curve

E_{B A}

\frac{d^{(0)} = 616}{(3)} \overset{- 1}{\to} \frac{728}{(3)} \overset{- 1}{\to} \frac{27}{(5)} \overset{1}{\to} \frac{665}{(5)} \overset{1}{\to} \frac{181}{(5)} \overset{1}{\to} \frac{113}{(5)} \overset{- 1}{\to} 311 = d^{(6)},

(25)

\frac{d^{(6)} = 311}{(5)} \overset{- 1}{\to} \frac{186}{(7)} \overset{1}{\to} \frac{840}{(37)} \overset{- 1}{\to} \frac{311}{(37)} \overset{- 1}{\to} \frac{858}{(37)} \overset{- 1}{\to} \frac{186}{(37)} \overset{- 1}{\to} 161 = d^{(12)} \Rightarrow \Rightarrow d_{B A} = 161 .

(26)

Bob’s symmetric calculus

\frac{d^{(0)} = 835}{(5)} \overset{1}{\to} \frac{618}{(3)} \overset{- 1}{\to} \frac{161}{(5)} \overset{1}{\to} \frac{253}{(5)} \overset{1}{\to} \frac{616}{(7)} \overset{1}{\to} \frac{652}{(7)} \overset{1}{\to} 858 = d^{(6)},

(27)

\frac{d^{(6)} = 858}{(7)} \overset{1}{\to} \frac{113}{(37)} \overset{- 1}{\to} \frac{840}{(37)} \overset{- 1}{\to} \frac{311}{(37)} \overset{- 1}{\to} \frac{858}{(37)} \overset{- 1}{\to} \frac{186}{(37)} \overset{- 1}{\to} d^{(12)} \Rightarrow \Rightarrow d_{A B} = 161

(28)

give the same result due to the commutativity of isogenies

d_{A B} = d_{B A} = 161,

which defines the quadratic curve

E_{161}

of the shared secret. As noted above, this value is unique (for a given starting curve). It is not required here in the shared secret

k = 161

to go to the J-invariant. Similar calculations with other starting curves and keys can be performed in parallel in other 3-independent cryptosystems to solve different problems.

9. Discussion

Let us summarize the main and composite results of the present and previous [9,10,11,12,13,14,15] works:

The results obtain a lower estimate of the computational speed gain of the modified CSIDH algorithm on non-cyclic supersingular Edwards curves by a $γ = 1.5 \cdot 2^{9}$ times;
The transition from the class of complete Edwards curves to the classes of quadratic and twisted Edwards curves double the set of curves and does not require inversion of the parameter $d$ of the Edwards curves, which is evaluated by a partial gain estimate of a $2^{5}$ times;
The method of randomization of the CSIDH algorithm and avoiding the computation of the isogenic function $ϕ (x, y)$ in the projective coordinates $(W : Z)$ of Farashahi-Hosseini speeds up the algorithm more than $2^{3}$ times;
Optimizing the isogeneity degrees of the CSIDH algorithm reduces the maximum isogeneity degree with a linear estimate of the algorithm speedup by a factor of 1.5;
For every non-cyclic Edwards curve, there exists an isomorphic Edwards curve with an inverted parameter, which gives rise to the existence of two independent cryptosystems with parallel computation capability. This doubles the performance of the CSIDH algorithm and eliminates the threat of side-channel attacks. The CSIKE scheme also allows doubling the length of the secret key to 1024 bits;
An original CSIKE key encapsulation scheme with one public key instead of two in CSIDH is proposed and modeled, which provides improved security of the algorithm;
A model of Diffie-Hellman secret sharing on isogenies of degrees ${3,5, 7,37}$ of non-cyclic Edwards curves is constructed for the CRS scheme of ordinary curves. It is shown that instead of two isomorphic cryptosystems in the CSIDH algorithm, the transition to a set of ordinary Edwards curves gives rise to four independent cryptosystems with parallel computation capability. This can double the above estimate of the computational speed gain up to $γ = 3 \cdot 2^{9} .$

Although in [22] it is stated that a drawback of CSIDH is that it is still considered to be inefficient when compared to other algorithms, taking into account the optimization data of the algorithm, it can be assumed that the algorithm can be used on an equal basis with other PQC algorithms.

9. Conclusions

Based on the results of these calculations, we can conclude that the integral improvement of the characteristics of PQC algorithms allows us to significantly increase the speed of the algorithm (about 1,500 times). Taking into account the short key length and the increased speed of the algorithm, it is promising to use it to ensure secure exchange in embedded systems and systems with limited computing resources. In addition, the parallelization of computations allows for minimizing the exploitation of side-channel vulnerabilities. We believe that CSIDH and CRS technologies should not be contrasted but should be developed as promising technologies, taking into account the features and advantages of each of them.

Future research is planned to investigate new approaches to form isogeny degree sets in CRS encryption and digital signature schemes.

Author Contributions

Conceptualization, A.B.; methodology, A.B.; software, S.A.; validation, A.B. and V.S.; formal analysis, V.S.; investigation, S.A.; resources, V.S.; original draft preparation, V.S.; review and editing, V.S.; visualization, V.S.; funding acquisition, V.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The raw data supporting the conclusions of this article will be made available by the authors upon request.

Conflicts of Interest

The authors declare no conflicts of interest.

References

Castryck, W.; Lange, T.; Martindale, C.; Panny, L.; Renes, J. CSIDH: An efficient post-quantum commutative group action. In 24^th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT), Brisbane, QLD, Australia, 2–6 December 2018, vol. 11274, 395–427. [CrossRef]
Rostovtsev, A.; Stolbunov, A. Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Paper 2006/145, 2006 (preprint) [https://eprint.iacr.org/2006/145].
Stolbunov, A. Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Advances in Mathematics of Communications 2010, 4(2), 215–235. [Google Scholar] [CrossRef]
Kim, S.; Yoon, K.; Park, Y.-H.; Hong, S. Optimized method for computing odd-degree isogenies on Edwards curves. In 25^th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT), Kobe, Japan, 8–12 December 2019, part II, vol. 11922, 273–292. [CrossRef]
Farashahi, R.R.; Hosseini, S.G. Differential addition on twisted Edwards curves. In 22^nd Australasian Conference (ACISP), Auckland, New Zealand, 3–5 July 2017, part II, vol. 10343, 366–378. [CrossRef]
Bernstein, D.J.; Birkner, P.; Joye, M.; Lange, T.; Peters, C. Twisted Edwards curves. In 1^st International Conference on Cryptology in Africa (AFRICACRYPT), Casablanca, Morocco, 11–14 June 2008, vol. 5023, 389–405. [CrossRef]
Moody, D.; Shumow, D. Analogues of Vélu’s formulas for isogenies on alternate models of elliptic curves. Mathematics of Computation 2015, 85(300), 1929–1951. [Google Scholar] [CrossRef]
Bessalov, A. Elliptic Curves in Edwards Form and Cryptography; Polytechnic: Kyiv, Ukraine, 2017 (in Russian).
Bessalov, A.; Sokolov, V.; Skladannyi, P. Modeling of 3- and 5-isogenies of supersingular Edwards curves. In 2^nd International Workshop on Modern Machine Learning Technologies and Data Science (MoMLeT&DS), Lviv-Shatsk, Ukraine, 2–3 June 2020, vol. 2631(I), 30–39.
Bessalov, A. On correctness of conditions for the CSIDH algorithm implementation on Edwards curves. Radiotekhnika 2022, 208, 16–27. [Google Scholar] [CrossRef]
Bessalov, A.; Sokolov, V.; Skladannyi, P.; Mazur, N.; Ageyev, D. Implementation of the CSIDH algorithm model on supersingular twisted and quadratic Edwards curves. In Workshop on Cybersecurity Providing in Information and Telecommunication Systems II (CPITS-II), Kyiv, Ukraine, 26 October 2021, vol. 3187(1), 302–309.
Bessalov, A.; Kovalchuk, L.; Abramov, S. Randomization of CSIDH algorithm on quadratic and twisted Edwards curves. Cybersecurity: Education, Science, Technique 2022, 1(17), 128–144. [CrossRef]
Bessalov, A.; Sokolov, V.; Skladannyi, P.; Abramov, S.; Zhyltsov, O. Modeling CSIKE algorithm on non-cyclic Edwards curves. In Workshop on Cybersecurity Providing in Information and Telecommunication Systems (CPITS), Kyiv, Ukraine, 13 October 2022, vol. 3288, 1–10.
Bessalov, A.; Abramov, S.; Sokolov, V.; Mazur, N. CSIKE-ENC combined encryption scheme with optimized degrees of isogeny distribution. In Workshop on Cybersecurity Providing in Information and Telecommunication Systems (CPITS), Kyiv, Ukraine, 28 February 2023, vol. 3421, 36–45.
Bessalov, A.; Abramov, S.; Sokolov, V.; Skladannyi, P.; Zhyltsov, O. Multifunctional CRS encryption scheme on isogenies of non-supersingular Edwards curves. In Workshop on Classic, Quantum, and Post-Quantum Cryptography (CQPC), Kyiv, Ukraine, 1 August 2023, vol. 3504, 12–25.
Koblitz, N.; Menezes, A. A riddle wrapped in an Enigma. IEEE Security & Privacy, 2016; 14, 34–42. [Google Scholar] [CrossRef]
Washington, L.C. Elliptic Curves: Number Theory and Cryptography, 2nd ed.; Chapman & Hall / CRC: Boca Raton, USA, 2008. [Google Scholar]
Couveignes, J.-M. Hard homogeneous spaces. Cryptology ePrint Archive, Paper 2006/291, 2006 (preprint). [https://eprint.iacr.org/2006/291.
Onuki, H.; Aikawa, Y.; Yamazaki, T.; Takagi, T. A faster constant-time algorithm of CSIDH keeping two points. In 14^th International Workshop on Security (IWSEC), Tokyo, Japan, 28–30 August 2019, vol. 11689, 23–33. [CrossRef]
Jalali, A.; Azarderakhsh, R.; Kermani, M.M.; Jao, D. Towards optimized and constant-time CSIDH on embedded devices. In 10^th International Workshop (COSADE), Darmstadt, Germany, 3–5 April 2019, vol. 11421, 215–231. [CrossRef]
Yoneyama, K. Post-quantum variants of ISO/IEC standards. In 5^th ACM Workshop on Security Standardisation Research Workshop (SSR), London, United Kingdom, 11 November 2019, 13–21. [CrossRef]
Galbraith, S.D.; Perrin, D.; Voloch, J.F. CSIDH with level structure. Cryptology ePrint Archive, Paper 2023/1726, 2023 (preprint). [https://eprint.iacr.org/2023/1726].

Table 1. Distribution of the number

K_{h}

prime numbers in subsets

L h

and their products

B_{h}

within hundreds with numbers

h

Table 1. Distribution of the number

K_{h}

prime numbers in subsets

L h

and their products

B_{h}

within hundreds with numbers

h

h	1	2	3	4	5	6
$K_{h}$	24	21	16	16	17	12
$B_{h}$	119.795	151.245	127.623	135.192	149.782	109.134

Table 2. Values of 66 parameters

d

of quadratic and twisted supersingular Edwards curves

(a = \pm 1)

p = 839

and

# E = 840

Table 2. Values of 66 parameters

d

of quadratic and twisted supersingular Edwards curves

(a = \pm 1)

p = 839

and

# E = 840

144	*	289	*	784		2	*	61	*	258	*	508	*	365		488	*	30		705
742		56		259	*	180	*	329		135		640		32		38	*	28	*	90
564		772	*	286	*	40		610		98		475		63		511		43	*	795
414	*	76	*	752	*	800		405	*	666	*	112	*	413		200		236	*	433	*
15	*	683	*	293	*	750		808		578	*	288		636	*	514	*	276		773	*
243	*	45		788	*	172	*	777		427		21	*	810		552		420		230

* A set of 33 parameters that have mutually inverse pairs of parameters for parallel computing.

Table 3. The array of 62-parameter values of

d

quadratic and twisted ordinary Edwards curves

(a = \pm 1)

p = 863

{# E}_{d} = 840

{# E}_{- 1, - d} = 888

(

t = 24

Table 3. The array of 62-parameter values of

d

quadratic and twisted ordinary Edwards curves

(a = \pm 1)

p = 863

{# E}_{d} = 840

{# E}_{- 1, - d} = 888

(

t = 24

169	*	400	*	729		161	*	818		210	*	436	*	309		43	*	665	*	840	*
19		779		111		308		253	*	116		705	*	503	*	32		573		472	*
71		616	*	618	*	444	*	302	*	192		486		318	*	852	*	231		728	*
300		113	*	311	*	858	*	673	*	725		589		75		684		551	*	307
688		843		339		623		706		281		181	*	27	*	186	*	652	*	130
835	*	409		345		283	*	596		326	*	236

* A set of 31 parameters that have mutually inverse pairs of parameters for parallel computing.

Table 4. The grouped array of 62-parameter values of

d

quadratic and twisted ordinary Edwards curves

(a = \pm 1)

p = 863

# E_{d} = 888

{# E}_{- 1, - d} = 840

(

t = 24

Table 4. The grouped array of 62-parameter values of

d

quadratic and twisted ordinary Edwards curves

(a = \pm 1)

p = 863

# E_{d} = 888

{# E}_{- 1, - d} = 840

(

t = 24

6	*	678	*	703	*	212	*	611	*	420	*	248	*	159	*	821	*	562	*	538	*
546	*	12	*	581	*	136	*	654	*	464	*	438	*	313	*	361	*	191	*	392	*
837	*	29	*	199	*	246	*	683	*	695	*	751	*	24	*	553	*
144		849		685		460		613		150		87		38		226		453		470
49		72		254		514		128		478		664		670		153		122		284
697		744		425		214		513		488		732		36		103

* A set of 31 parameters that have mutually inverse pairs of parameters for parallel computing.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.

MDPI Initiatives

Important Links

Choose an area of interest and we will send you notifications of new preprints at your preferred frequency.

Disclaimer

144	*	289	*	784		2	*	61	*	258	*	508	*	365		488	*	30		705
742		56		259	*	180	*	329		135		640		32		38	*	28	*	90
564		772	*	286	*	40		610		98		475		63		511		43	*	795
414	*	76	*	752	*	800		405	*	666	*	112	*	413		200		236	*	433	*
15	*	683	*	293	*	750		808		578	*	288		636	*	514	*	276		773	*
243	*	45		788	*	172	*	777		427		21	*	810		552		420		230

169	*	400	*	729		161	*	818		210	*	436	*	309		43	*	665	*	840	*
19		779		111		308		253	*	116		705	*	503	*	32		573		472	*
71		616	*	618	*	444	*	302	*	192		486		318	*	852	*	231		728	*
300		113	*	311	*	858	*	673	*	725		589		75		684		551	*	307
688		843		339		623		706		281		181	*	27	*	186	*	652	*	130
835	*	409		345		283	*	596		326	*	236

6	*	678	*	703	*	212	*	611	*	420	*	248	*	159	*	821	*	562	*	538	*
546	*	12	*	581	*	136	*	654	*	464	*	438	*	313	*	361	*	191	*	392	*
837	*	29	*	199	*	246	*	683	*	695	*	751	*	24	*	553	*
144		849		685		460		613		150		87		38		226		453		470
49		72		254		514		128		478		664		670		153		122		284
697		744		425		214		513		488		732		36		103

144	*	289	*	784		2	*	61	*	258	*	508	*	365		488	*	30		705
742		56		259	*	180	*	329		135		640		32		38	*	28	*	90
564		772	*	286	*	40		610		98		475		63		511		43	*	795
414	*	76	*	752	*	800		405	*	666	*	112	*	413		200		236	*	433	*
15	*	683	*	293	*	750		808		578	*	288		636	*	514	*	276		773	*
243	*	45		788	*	172	*	777		427		21	*	810		552		420		230

169	*	400	*	729		161	*	818		210	*	436	*	309		43	*	665	*	840	*
19		779		111		308		253	*	116		705	*	503	*	32		573		472	*
71		616	*	618	*	444	*	302	*	192		486		318	*	852	*	231		728	*
300		113	*	311	*	858	*	673	*	725		589		75		684		551	*	307
688		843		339		623		706		281		181	*	27	*	186	*	652	*	130
835	*	409		345		283	*	596		326	*	236

6	*	678	*	703	*	212	*	611	*	420	*	248	*	159	*	821	*	562	*	538	*
546	*	12	*	581	*	136	*	654	*	464	*	438	*	313	*	361	*	191	*	392	*
837	*	29	*	199	*	246	*	683	*	695	*	751	*	24	*	553	*
144		849		685		460		613		150		87		38		226		453		470
49		72		254		514		128		478		664		670		153		122		284
697		744		425		214		513		488		732		36		103

Efficient Commutative PQC Algorithms on Isogenies of Edwards Curves

Abstract

1. Introduction

2. Selection of Classes and Types of Edwards Curves

3. Computation of Odd-Degree Isogenies on Edwards Curves and Complexity Estimation

4. Randomization of the CSIDH Algorithm on Non-Cyclic Edwards Curves

5. Optimization of Isogeny Degree Set in CSIDH

6. CSIKE Algorithm

7. CRS Encryption Scheme on Isogenies of Ordinary Non-Cyclic Edwards Curves

9. Discussion

9. Conclusions

Author Contributions

Funding

Data Availability Statement

Conflicts of Interest

References

MDPI Initiatives

Important Links

Subscribe

144	*	289	*	784		2	*	61	*	258	*	508	*	365		488	*	30		705
742		56		259	*	180	*	329		135		640		32		38	*	28	*	90
564		772	*	286	*	40		610		98		475		63		511		43	*	795
414	*	76	*	752	*	800		405	*	666	*	112	*	413		200		236	*	433	*
15	*	683	*	293	*	750		808		578	*	288		636	*	514	*	276		773	*
243	*	45		788	*	172	*	777		427		21	*	810		552		420		230

169	*	400	*	729		161	*	818		210	*	436	*	309		43	*	665	*	840	*
19		779		111		308		253	*	116		705	*	503	*	32		573		472	*
71		616	*	618	*	444	*	302	*	192		486		318	*	852	*	231		728	*
300		113	*	311	*	858	*	673	*	725		589		75		684		551	*	307
688		843		339		623		706		281		181	*	27	*	186	*	652	*	130
835	*	409		345		283	*	596		326	*	236

6	*	678	*	703	*	212	*	611	*	420	*	248	*	159	*	821	*	562	*	538	*
546	*	12	*	581	*	136	*	654	*	464	*	438	*	313	*	361	*	191	*	392	*
837	*	29	*	199	*	246	*	683	*	695	*	751	*	24	*	553	*
144		849		685		460		613		150		87		38		226		453		470
49		72		254		514		128		478		664		670		153		122		284
697		744		425		214		513		488		732		36		103