• Title/Summary/Keyword: isogeny

Recent Research Trends in Isogeny-Based Cryptography (Isogeny 기반 암호의 최신 연구 동향)

  • Kim, Suhri
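    • Review of KIISC / v.32 no.1 / pp.19-29 / 2022
  • SIDH, proposed by Jao and De Feo in 2011, offered more efficient performance than earlier cryptosystems using isogenies between elliptic curves, and after the efficient computation methods of Costello et al. in 2016 improved the speed of SIDH by more than a factor of three, cryptography based on isogenies between elliptic curves began to attract attention as a replacement for RSA and ECC in the quantum computing environment. In particular, isogeny-based cryptography continues to be actively studied thanks to its advantage of providing smaller key sizes than other PQC schemes, and SIKE, which is based on SIDH, is an alternate candidate in Round 3 of the NIST PQC standardization competition. Because being slower than other PQC schemes is the drawback of isogeny-based cryptography, it has made great progress centered on optimization in the 10 years since it was first proposed. This paper introduces recent research trends in isogeny-based cryptography.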

On the Use of Radical Isogenies for CSIDH Implementation (CSIDH 성능 향상을 위한 Radical Isogeny 적용 분석)

  • Kim, Suhri
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.6 / pp.1137-1148 / 2021
  • The main obstacle for implementing CSIDH-based cryptography is that it requires generating a kernel of a small prime order to compute the group action using Velu's formula. As this is quite a painstaking process for small torsion points, a new approach called radical isogeny was recently proposed to compute chains of isogenies from a coefficient of an elliptic curve. This paper presents an optimized implementation of radical isogenies and analyzes its ideal use in CSIDH-based cryptography. We tailor the formula for transforming Montgomery curves and Tate normal form and further optimize the radical 2- and 3-isogeny formula and a projective version of radical 5- and 7-isogeny. For CSIDH-512, using radical isogeny of degree up to 7 is 15.3% faster than standard constant-time CSIDH. For CSIDH-4096, using only radical 2-isogeny is the optimal choice.

An Implementation of Supersingular Isogeny Diffie-Hellman and Its Application to Mobile Security Product (초특이 아이소제니 Diffie-Hellman의 구현 및 모바일 보안 제품에서의 응용)

  • Yoon, Kisoon;Lee, Jun Yeong;Kim, Suhri;Kwon, Jihoon;Park, Young-Ho
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.1 / pp.73-83 / 2018
  • There has been increasing interest from NIST and other companies in studying post-quantum cryptography in order to resist quantum computers. Multivariate polynomial based, code based, lattice based, hash based digital signature, and isogeny based cryptosystems are the main categories in post-quantum cryptography. Among these categories, the isogeny based cryptosystem is known to have the shortest key length. In this paper, we implemented the Supersingular Isogeny Diffie-Hellman (SIDH) protocol efficiently on a low-end mobile device. Considering the device's specification, we select a supersingular curve on a 523-bit prime field, and generate an efficient isogeny computation tree. Our implementation of the SIDH module is targeted for a 32-bit environment.

AN ALGORITHM FOR COMPUTING A SEQUENCE OF RICHELOT ISOGENIES

  • Takashima, Katsuyuki;Yoshida, Reo
    • Bulletin of the Korean Mathematical Society / v.46 no.4 / pp.789-802 / 2009
  • We show that computation of a sequence of Richelot isogenies from specified supersingular Jacobians of genus-2 curves over $\mathbb{F}_p$ can be executed in $\mathbb{F}_{p^2}$ or $\mathbb{F}_{p^4}$. Based on this, we describe a practical algorithm for computing a Richelot isogeny sequence.

On the Use of Odd-Degree Isogenies for Implementing SIDH-Based Cryptography (SIDH 기반 암호 구현에 대한 홀수 차수 아이소제니 적용)

  • Kim, Suhri;Yoon, Kisoon;Park, Young-Ho
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.1 / pp.19-30 / 2021
  • In this paper, when SIDH is instantiated using only 3- and 5-isogeny, we demonstrate which curve is more efficient among the Montgomery, Edwards, and Huff curves. To this end, we present the computational cost of the building blocks of SIDH on Montgomery, Edwards, and Huff curves. We also present the prime we used and parameter settings for implementation. The result of our work shows that the performance of SIDH on Montgomery and Huff curves is almost the same and they are 0.8% faster than Edwards curves. With the possibility of using isogeny of degree other than 3 and 4, the performance of 5-isogeny became even more essential. In this regard, this paper can provide guidelines on the selection of the form of elliptic curves for implementation.

Deep Learning Based Side-Channel Analysis for Recent Masking Countermeasure on SIKE (SIKE에서의 최신 마스킹 대응기법에 대한 딥러닝 기반 부채널 전력 분석)

  • Woosang Im;Jaeyoung Jang;Hyunil Kim;Changho Seo
    • Journal of the Korea Institute of Information Security & Cryptology / v.33 no.2 / pp.151-164 / 2023
  • Recently, the development of quantum computers poses a great threat to existing public key systems based on discrete algebra problems or factorization problems. Accordingly, NIST is currently in the process of contesting and screening PQC (Post Quantum Cryptography) that can be implemented in both the computing environment and the upcoming quantum computing environment. Among them, SIKE is the only isogeny-based cipher and has the advantage of a shorter public key compared to other PQC with the same safety. However, like conventional cryptographic algorithms, all quantum-resistant ciphers must be safe against existing cryptanalysis. In this paper, we studied power analysis-based cryptographic analysis techniques for SIKE, and notably we analyzed SIKE through wavelet transformation and deep learning-based clustering power analysis. As a result, the analysis success rate was close to 100% even in SIKE with applied masking response techniques that defend the accuracy of existing clustering power analysis techniques to around 50%, and it was confirmed that this was the strongest attack on SIKE.

Implementation of SIDH using Edwards' w-coordinate (Edwards w-coordinate를 이용한 SIDH 구현)

  • Kim, Suhri;Yoon, Kisoon;Park, Young-Ho;Hong, Seokhie
    • Proceedings of the Korea Information Processing Society Conference / 2019.10a / pp.427-431 / 2019
  • In this paper, we propose for the first time a method of implementing SIDH with isogenies that use the w-coordinate of Edwards curves. To this end, we first use division polynomials to reduce the cost of the previously proposed w-coordinate 3-isogeny from 4M+6S to 2M+3S, achieving a 50% speedup. In addition, we propose a new finite field for using the w-coordinate isogeny formulas and analyze its security. As a result of this work, SIDH using Edwards curves can be expected to be at least 2.29% faster than SIDH using Montgomery curves.

Randomization of Elliptic Curve Secret Key to Efficiently Resist Power Analysis (전력분석공격을 효율적으로 방어하는 타원곡선 비밀키의 랜덤화)

  • 장상운;정석원;박영호
    • Journal of the Korea Institute of Information Security & Cryptology / v.13 no.5 / pp.169-177 / 2003
  • We establish the security requirements and derive a generic condition of elliptic curve scalar multiplication to resist against DPA and Goubin’s attack. Also we show that if a scalar multiplication algorithm satisfies our generic condition, then both attacks are infeasible. Showing that the randomized signed scalar multiplication using Ha-Moon's recoding algorithm satisfies the generic condition, we recommend the randomized signed scalar multiplication using Ha-Moon's recoding algorithm to be protective against both attacks. Also we newly design a random recoding method to prevent the two attacks. Finally, in efficiency comparison, it is shown that the recommended method is a bit faster than Izu-Takagi’s method, which uses the Montgomery ladder without computing the y-coordinate, combined with randomized projective coordinates and base point blinding or the isogeny method. Moreover, Izu-Takagi’s method uses additional storage, but it is not the case of ours.

On the Use of Twisted Montgomery Curves for CSIDH-Based Cryptography (CSIDH 기반 암호에 대한 뒤틀린 몽고메리 곡선 사용)

  • Kim, Suhri
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.3 / pp.497-508 / 2021
  • In this paper, we focus on optimizing the performance of CSURF, which uses the tweaked Montgomery curves. The projective version of elliptic curve arithmetic is slower on tweaked Montgomery curves than on Montgomery curves, so that CSURF is slower than the hybrid version of CSIDH. However, as the square-root Velu formula uses less elliptic curve arithmetic than the standard Velu formula, there is room for optimization. We optimize the square-root Velu formula and 2-isogeny formula on tweaked Montgomery curves. Our CSURF is 14% faster than the standard CSURF, and 10.8% slower than the CSIDH using the square-root Velu formula. The constant-time CSURF is 6.8% slower than constant-time CSIDH. Compared to the previous implementations, this is a remarkable result.