Browse > Article
http://dx.doi.org/10.13089/JKIISC.2021.31.6.1137

On the Use of Radical Isogenies for CSIDH Implementation  

Kim, Suhri (Sungshin Women's University)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.31, no.6, 2021 , pp. 1137-1148 More about this Journal
Abstract
The main obstacle for implementing CSIDH-based cryptography is that it requires generating a kernel of a small prime order to compute the group action using Velu's formula. As this is a quite painstaking process for small torsion points, a new approach called radical isogeny is recently proposed to compute chains of isogenies from a coefficient of an elliptic curve. This paper presents an optimized implementation of radical isogenies and analyzes its ideal use in CSIDH-based cryptography. We tailor the formula for transforming Montgomery curves and Tate normal form and further optimized the radical 2- and 3- isogeny formula and a projective version of radical 5- and 7- isogeny. For CSIDH-512, using radical isogeny of degree up to 7 is 15.3% faster than standard constant-time CSIDH. For CSIDH-4096, using only radical 2-isogeny is the optimal choice.
Keywords
Post-quantum cryptography CSIDH; Velu's formula; isogeny-based cryptography; radical isogeny;
Citations & Related Records
연도 인용수 순위
  • Reference
1 C. Costello and H. Hisil, "A simple and compact algorithm for SIDH with arbitrary degree isogenies," ASIACRYPT, LNCS 10625, pp. 303-329, Dec. 2017
2 De Feo. et al. "Towards practical key exchange from ordinary isogeny graphs," ASIACRYPT, LNCS 11274, pp. 365-394, Dec. 2018
3 D. Heo et al. "On the performance analysis for CSIDH-based cryptosystems," Applied Sciences, vol. 10, no. 19, 2020
4 D. Jao, L. De Feo "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies," PQCrypto, LNCS 7071, pp. 19-34, Aug. 2011
5 S. Kim et al. "New hybrid method for isogeny-based cryptosystems using Edwards curves," IEEE transactions on Information Theory, vol. 66, no. 3, pp. 1934-1943, 2020   DOI
6 M. Meyer et al. "On lions and elligators: An efficient constant-time implementations of CSIDH", PQCrypto, LNCS 11505, pp. 307-325, 2019
7 M. Meyer et al. "On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic," IACR Cryptology ePrint Archive, 2017:1213, 2017
8 A. Stolbunov, "Constructing public-key cryptographic schemes based on class group action on a set of isogenous ellitpic curves," Advances in Mathematics of Communication, vol. 4, no. 2, pp. 215-235, 2010   DOI
9 W. Casrtyck, T. Decru, and F. Vercauteren, "Radical isogenies," ASIACRYPT, LNCS 12492, pp. 440-463, Dec. 2020
10 S. Kim, "On the use of twisted Montgomery curves for CSIDH-based cryptography", Journal of the Korea Institute of Infromation Security and Cryptology, 31(3), pp. 497-508, 2021
11 H. Onuki and T. Moriya, "Radical isogenies on Montgomery curves", IACR Cryptology ePrint Archive, 2021:699, 2021
12 T. Kawashima, "An efficient authenticated key exchange from random self-reducibility on CSIDH," IACR Cryptology ePrint Archive, 2020:1178, 2020
13 D. Moody and D. Shumow, "Analogues of Velu's formula for isogenies on alternate models of elliptic curves," Mathematics of Computations, vol. 85, no. 300, pp. 1929-1951, 2016
14 A. Jalali, "Towards optimized and constant-time CSIDH on embedded devices," International Workshop on Constructive Side-Channel Analysis and Secure Design, pp. 215-231, 2019
15 J.J. Chi-Domiguez et al. "On new Velu's formulae and their applications to CSIDH and BSIDH constant-time implementations," IACR Cryptology ePrint Archive, 2020:1109, 2020
16 W. Castryck and T. Decru "CSIDH on the surface," PQCrypto, LNCS 12100, pp.111-129, April, 2020
17 A. Childs et al. "Constructing elliptic curve isogenies in quantum subexponential time," Journal of Mathematical Cryptology, vol. 8, no. 1, pp. 1-29, 2014   DOI
18 J.M. Couveignes, "Hard homogenous spaces," IACR Cryptology ePrint Archive, 2006:291, 2006
19 D. Heo et al. "Optimized CSIDH implementation using a 2-torsion point," Cryptography, vol. 4, no. 3, 2020
20 M. Meyer and S. Reith "A faster way to the CSIDH," INDOCRYPT, LNCS 11356, pp. 137-152, 2018
21 J.J. Chi-Domiguez and K. Reijnders, "Fully projective radical isogenies in constant-time" IACR Cryptology ePrint Archive, 2021:259, 2021
22 J.J. Chi-Domiguez et al, "The SQALE of CSIDH: Square-root Velu quantum-resistant isogeny action with low exponents", IACR Cryptology ePrint Archive, 2020:1520, 2020
23 C. Costello, "B-SIDH supersingular isogeny Diffie-Hellman using twisted torsion," ASIACRYPT, LNCS 12492, pp. 440-463, Dec. 2020
24 H. Onuki et al. "A constant-time algorithm of CSIDH keeping two points," IEICE Transactions on Fundamentals of Electronics, Communications, and Computer Sciences, vol. E103.A, no. 10, pp. 1174-1182, 2020   DOI
25 D. Bernstein et al. "Faster computation of isogenies of large prime degree," IACR Cryptology ePrint Archive, 2020:341, 2020
26 W. Beullens et al. "CSI-FiSh: efficient isogeny based signatures through class group computations," ASIACRYPT, LNCS 11921, pp. 227-247, Dec. 2019
27 W. Castryck et al. "CSIDH: An efficient post-quantum commutaitve group action," ASIACRYPT, LNCS 11274, pp.395-427, Dec. 2018
28 D. Cervantes-Vazquez et al. "Stronger and faster side-channel protections for CSIDH," LATINCRYPT, LNCS 11774, pp. 173-193, Sept. 2019