A Simple and Compact Algorithm for SIDH with Arbitrary Degree Isogenies

We derive a new formula for computing arbitrary odd-degree isogenies between elliptic curves in Montgomery form. The formula lends itself to a simple and compact algorithm that can efficiently compute any low odd-degree isogeny inside the supersingular isogeny Diffie-Hellman (SIDH) key exchange protocol. Our implementation of this algorithm shows that, beyond the commonly used 3-isogenies, there is a moderate degradation in relative performance of \((2d+1)\)-isogenies as \(d\) grows, but that larger values of \(d\) can now be used in practical SIDH implementations.
