On the Performance Analysis for CSIDH-Based Cryptosystems

Abstract: In this paper, we present the performance and security analysis for various commutative SIDH (CSIDH)-based algorithms. As CSIDH offers a smaller key size than SIDH and provides a relatively efficient signature scheme, numerous CSIDH-based key exchange algorithms have been proposed to optimize the CSIDH. In CSIDH, the private key is an ideal class in a class group, which can be represented by an integer vector. As the number of ideal classes represented by these vectors determines the security level of CSIDH, it is important to analyze whether different vectors induce the same public key. In this regard, we generalize the existence of a collision for a base prime p ≡ 7 mod 8. Based on our result, we present a new interval for the private key to have a similar security level for the various CSIDH-based algorithms for a fair comparison of the performance. Deduced from the implementation result, we conclude that for a prime p ≡ 7 mod 8, CSIDH on the surface using the Montgomery curves is the most likely to be efficient. For a prime p ≡ 3 mod 8, CSIDH on the floor using the hybrid method with Onuki's collision-free method is the most likely to be efficient and secure.


Introduction
Isogeny-based cryptography was first proposed by Couveignes in 1997 [1] and is constructed from the isogeny classes of ordinary elliptic curves defined over a finite field $\mathbb{F}_p$. The scheme proposed by Couveignes was later rediscovered by Rostovtsev and Stolbunov and is now commonly called the CRS scheme. While the CRS scheme is attractive for its small key size, it was extremely inefficient and moreover suffered from the quantum sub-exponential algorithm proposed by Childs et al. [2]. Isogeny-based cryptography began to gain attention after the introduction of the SIDH key exchange by Jao, De Feo, and Plût in 2011 [3]. As SIDH is constructed from isogenies between supersingular elliptic curves, it resists the attack of [2]: that attack exploits the commutativity of the endomorphism ring of an ordinary curve, whereas the endomorphism ring of a supersingular curve is non-commutative. At the time of writing, the best known classical and quantum attacks against the underlying problem are both exponential. Supersingular Isogeny Key Encapsulation (SIKE), based on SIDH, was submitted as a candidate to the NIST post-quantum cryptography standardization project [4] and is currently an alternate candidate in Round 3. Subsequently, in 2022, SIDH and SIKE were broken by the Castryck–Decru key-recovery attack, which exploits the torsion-point images included in SIDH public keys; CSIDH-based schemes publish no such images and are not affected by that attack. However, one drawback of isogeny-based cryptography is that not only are the algorithms slower than other post-quantum algorithms, but it is also hard to design various cryptographic primitives from them.

Since the computation of large-degree isogenies accounts for the performance degradation of CSIDH, CSURF proposed a way to use more 2-isogenies and fewer large-degree isogenies at the same security level. To summarize, all of this work focuses on optimizing the performance of CSIDH while enhancing the security level.
In this paper, we analyze the performance and security of various CSIDH-based algorithms in order to find out which form of prime p and which method is most efficient. The main contributions of this work are as follows.
• We implement the CSIDH-based algorithms in the same environment for an exact performance comparison. More explicitly, we implement the algorithms of [13] (Onuki's CSIDH) and [14] (CSURF) in projective coordinates. The algorithm in [13] had not been implemented before, and for CSURF the authors provided only a Magma implementation. We implemented both in C for an exact comparison with CSIDH [6]. The projectivized formulas for the building blocks of both algorithms are presented in Section 2.
• We generalize the existence of a collision to base primes p with p ≡ 7 mod 8. As CSIDH-based algorithms use ideal classes expressed by integer vectors as private keys, the number of ideal classes represented by these vectors determines the security level of CSIDH. Hence, it is important to analyze whether different private keys result in the same public key. The collisions for CSIDH and CSURF were examined in [13] and [15], respectively; we generalize this idea to primes p ≡ 7 mod 8. Details of our proof are presented in Section 3.4.
• We analyze the performance and security of the three algorithms (CSIDH, CSURF, and Onuki's CSIDH) over primes p with p ≡ 3 mod 8 and p ≡ 7 mod 8. Additionally, we present a new interval for the private key so that the various CSIDH-based algorithms reach a similar security level. The details of our implementation are presented in Section 4. From the implementation results, we conclude that for a prime p ≡ 7 mod 8, CSIDH on the surface using Montgomery curves is the most likely to be efficient, and for a prime p ≡ 3 mod 8, CSIDH on the floor using the hybrid method with Onuki's collision-free method is the most likely to be efficient and secure.
This paper is organized as follows. In Section 2, we introduce the two types of elliptic curves used for the implementation and present the computational cost of the lower-level functions from which CSIDH-based algorithms are built on these curves. In Section 3, we review the CSIDH algorithm and two of its variants. The implementation results are presented in Section 4, and we draw our conclusions and discuss future work in Section 5.

Montgomery Curve and Tweaked Montgomery Curve
This section introduces two types of Montgomery elliptic curves, which will be used throughout the paper. Then, we analyze the computational cost of elliptic curve arithmetic and isogeny computation on both curves, which are the main building blocks for implementing CSIDH-based algorithms.
Let $K$ be a field of characteristic not equal to 2 or 3. The Montgomery curves over $K$ are denoted by $M_{a,b}$, where $b(a^2 - 4) \neq 0$; we write $M_a$ when $b = 1$ throughout the paper. Moreover, the tweaked Montgomery curves over $K$ are denoted by $M^t_{a,b}$, where $b(a^2 + 4) \neq 0$; we write $M^t_a$ when $b = 1$. As on $M_a$, the elliptic curve arithmetic on $M^t_a$ can be carried out using only the $x$-coordinate. In the remainder of this section, we introduce the elliptic curve arithmetic and isogeny formulas and analyze the computational cost of each operation on both curves. Since projective curve coefficients and projective coordinates are used when implementing isogeny-based cryptography, we evaluate the computational cost on both curves under these conditions. For the elliptic curve arithmetic, we focus on the differential addition and doubling formulas; for isogeny computation, we consider odd-degree isogenies.

Elliptic Curve Arithmetic on $M_a$ and $M^t_a$
Let $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ be points on a Montgomery curve $M_a$ with $x_P \neq x_Q$, and let $P - Q = (x_{P-Q}, y_{P-Q})$ be given. Then the $x$-coordinates of the sum $P + Q$ and of the doubling $[2]P$, $x_{[2]P}$, can be computed as follows:

For a tweaked Montgomery curve $M^t_a$, let $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ be points on $M^t_a$ with $x_P \neq x_Q$, and let $P - Q = (x_{P-Q}, y_{P-Q})$ be given. Then the $x$-coordinates of $P + Q$ and $[2]P$ can be computed as follows [14]:

At a glance, the computational costs of differential addition and doubling are the same on both curves. However, when the projective $x$-coordinate ($XZ$-coordinates) and projective curve coefficients are used, the costs differ slightly. Let $P = (X_P : Z_P)$ and $Q = (X_Q : Z_Q)$ be points on $M_a$ with $x_P = X_P/Z_P$, $x_Q = X_Q/Z_Q$ and $x_P \neq x_Q$, and let $P - Q = (X_{P-Q} : Z_{P-Q})$ be the given difference of $P$ and $Q$ in projective coordinates, with $x_{P-Q} = X_{P-Q}/Z_{P-Q}$. Then the addition formula in projective coordinates can be decomposed as follows [16]:

The computational cost is 4M + 2S, where M and S denote a field multiplication and a field squaring, respectively. The doubling of $P$ gives $[2]P = (X_{[2]P} : Z_{[2]P})$, where $X_{[2]P}$ and $Z_{[2]P}$ are defined as follows, with $a = A/C$:

The computational cost is again 4M + 2S. For a tweaked Montgomery curve, let $P = (X_P : Z_P)$ and $Q = (X_Q : Z_Q)$ be points on $M^t_a$ with $x_P = X_P/Z_P$, $x_Q = X_Q/Z_Q$ and $x_P \neq x_Q$, and let $P - Q = (X_{P-Q} : Z_{P-Q})$ be the given difference in projective coordinates, with $x_{P-Q} = X_{P-Q}/Z_{P-Q}$.
Then the sum $P + Q$ in projective coordinates can be computed as follows, and the concrete computation sequence is given below:

In this case, the trick used for the differential addition on $M_a$ (computing $(X_P - Z_P)(X_Q + Z_Q)$ and $(X_P + Z_P)(X_Q - Z_Q)$ and taking their sum and difference) is not available, so the addition formula on the tweaked Montgomery curve costs 6M + 2S. The doubling of $P$ gives $[2]P = (X_{[2]P} : Z_{[2]P})$, where $X_{[2]P}$ and $Z_{[2]P}$ are defined as follows, with $a = A/C$, and the concrete computation sequence is given below:

The computational cost of the doubling formula on the tweaked Montgomery curve is 5M + 3S.

Odd-Degree Isogeny Formulas on $M_a$ and $M^t_a$
In [16], Costello and Hisil proposed a formula for computing arbitrary odd-degree isogenies on Montgomery curves. Let $P = (x_1, y_1)$ be a point of order $\ell = 2d + 1$ on a Montgomery curve $M_a$, let $[i]P = (x_i, y_i)$, and let $\varphi : M_a \to M_{a'} = M_a/\langle P \rangle$ be the $\ell$-isogeny with kernel $\langle P \rangle$, whose action on $x$-coordinates is denoted by $f(x)$. The evaluation of the isogeny refers to computing the image point under $\varphi$. Let $Q = (X : Z)$ be another point on $M_a$ and $\varphi(Q) = (X' : Z')$. Then $X'$ and $Z'$ are as follows:

The computational cost of this formula is $(4d)$M + 2S. For the coefficient $a'$ of the image curve, Castryck et al. present a formula in projective coordinates in [6], which is as follows:

For the isogeny evaluation and the computation of the image curve coefficient on a tweaked Montgomery curve $M^t_a$, presented in [14], $f(x)$ is now defined as:

Let $P$ be a point on $M^t_a$ of order $\ell = 2d + 1$. In projective coordinates, let $[i]P = P_i = (X_i : Z_i)$, where $x_i = X_i/Z_i$ and $P_1 = P$. Let $\varphi$ be an $\ell$-isogeny from $M^t_a$ to $M^t_{a'} = M^t_a/\langle P \rangle$. Let $Q = (X : Z)$ be another point on $M^t_a$ and $\varphi(Q) = (X' : Z')$. Then $X'$ and $Z'$ are as follows:

As for the differential addition, note that for (5) and (6) optimized computation methods like (3) and (4) do not exist. So, the computational cost of the odd-degree isogeny point evaluation on the tweaked Montgomery curve is $(6d)$M + 2S. The formula in [14] for computing the image curve coefficient $a'$ is similar to the Montgomery-curve formula and is as follows:

It can be computed in $(6d - 2)$M + 3S. Table 1 summarizes the computational cost of the elliptic curve arithmetic and isogeny operations on Montgomery and tweaked Montgomery curves. In Table 1, DBLADD refers to differential addition combined with doubling and DBL to doubling; $\ell$-isogeny eval. denotes the evaluation of an $\ell$-isogeny, and $\ell$-isogeny coeff. the computation of the image curve coefficient for an $\ell$-isogeny.

Table 1. Computational cost of the building blocks on Montgomery curves and tweaked Montgomery curves (costs as stated in the text above; M = field multiplication, S = field squaring, $\ell = 2d + 1$).
Operation | Montgomery curves | Tweaked Montgomery curves
Differential addition (the addition part of DBLADD) | 4M + 2S | 6M + 2S
DBL | 4M + 2S | 5M + 3S
$\ell$-isogeny eval. | (4d)M + 2S | (6d)M + 2S
$\ell$-isogeny coeff. | formula of [6] (cost not stated in the text) | (6d − 2)M + 3S
Remark 1. In [10], Meyer and Reith proposed a hybrid version of CSIDH that uses Edwards curves to recover the coefficient of the image curve. Using the efficient birational equivalence between Montgomery and Edwards curves, the image curve coefficient is obtained with the Edwards isogeny formula and then converted back to a Montgomery coefficient. The computational cost is $(2d)$M + 6S + $2w(\ell)$, where $w(\ell)$ is the cost of an $\ell$-th power in $\mathbb{F}_p$ [13].

CSIDH-Based Schemes
In this section, we introduce the CSIDH key exchange and the two main CSIDH-based variants whose performance and security we compare: CSURF [14] and the collision-free CSIDH proposed by Onuki and Takagi [13]. As CSIDH achieved a noticeable improvement by instantiating the CRS scheme with supersingular elliptic curves, various methods have since been proposed to optimize its performance and improve its security. The former category includes CSURF, which exploits efficient horizontal 2-isogenies for a speed-up; the latter includes the method of Onuki and Takagi, who analyzed the existence of collisions in the private key space and provided a method to eliminate them. Before going into the details of the algorithms, we present three primes, $p_1$, $p_2$, and $p_3$, which will be used throughout the paper.
First, we use the primes $p_1$ and $p_2$ presented below, chosen so that the sizes of the base fields match for a fair comparison.
In [14], Castryck and Decru used the prime $p_3$, defined below, for CSURF. In this paper, we use $p_3$ only to explain the CSURF algorithm; it is not used for the implementation, since it is larger than $p_1$.

CSIDH
CSIDH is an isogeny-based Diffie–Hellman protocol proposed by Castryck et al. [6] using supersingular curves defined over $\mathbb{F}_p$ and a commutative group action. The prime $p$ of the base field is of the form $p = 4\prod_{i=1}^{n} \ell_i - 1$, where the $\ell_i$ are small odd primes. For the order $\mathcal{O} = \mathrm{End}_{\mathbb{F}_p}(E)$, it is well known that the class group $\mathrm{cl}(\mathcal{O})$ acts freely and transitively on the set of $\mathbb{F}_p$-isomorphism classes of supersingular curves with $\mathbb{F}_p$-endomorphism ring $\mathcal{O}$; the action of an ideal class $[\mathfrak{a}] \in \mathrm{cl}(\mathcal{O})$ on $E$ is written $[\mathfrak{a}]E$. Since $E$ is supersingular with $\#E(\mathbb{F}_p) = p + 1 = 4 \ell_1 \cdots \ell_n$, there is an $\mathbb{F}_p$-rational subgroup of order $\ell_i$ for each $i$. Moreover, let $\pi = \sqrt{-p}$ be the $\mathbb{F}_p$-Frobenius endomorphism of $E$. Since $p \equiv -1 \bmod \ell_i$ for each prime $\ell_i$, it is well known that $\ell_i\mathcal{O}$ splits into the two prime ideals $\mathfrak{l}_i = (\ell_i, \pi - 1)$ and $\mathfrak{l}_i^{-1} = (\ell_i, \pi + 1)$. Using Vélu's formulas, we compute $[\mathfrak{l}_i]E$ through the isogeny $\varphi_{\mathfrak{l}_i}$ whose kernel is generated by a point of order $\ell_i$ lying in the kernel of $\pi - 1$, and compute $[\mathfrak{l}$
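As an added example (not code from the paper or from the CSIDH reference implementation), the following Python script implements the building blocks of Section 2 and the class group action just described: the projective x-only differential addition and doubling on $M_a$ and on $M^t_a$ (the operation counts 4M + 2S / 6M + 2S for addition and 4M + 2S / 5M + 3S for doubling are visible in the code), the Costello–Hisil odd-degree isogeny evaluation, and a CSIDH action that consumes $e_i > 0$ with kernel points in $\ker(\pi - 1)$ and $e_i < 0$ with kernel points in $\ker(\pi + 1)$, i.e. points on the quadratic twist. Assumptions made here: the curve equations are the standard ones, $M_a : y^2 = x^3 + ax^2 + x$ and $M^t_a : y^2 = x^3 + ax^2 - x$; the image curve coefficient uses the Costello–Hisil affine closed form rather than the projective formula of [6] that the paper quotes; the primes are constructed toy values $p = 4 \cdot 3 \cdot 5 \cdot 7 - 1 = 419$ and $p = 8 \cdot 3 \cdot 5 \cdot 7 - 1 = 839$; and point sampling sweeps $x$ deterministically instead of at random, so nothing here is constant-time or of cryptographic size.

```python
# Added example, not code from the paper or the CSIDH reference implementation: projective x-only
# arithmetic on M_a : y^2 = x^3 + a x^2 + x and on the tweaked curve M^t_a : y^2 = x^3 + a x^2 - x,
# Costello-Hisil odd-degree isogenies on M_a, and the CSIDH class group action, over the toy primes
# p = 4*3*5*7 - 1 = 419 (p = 3 mod 8, start curve y^2 = x^3 + x) and p = 8*3*5*7 - 1 = 839
# (p = 7 mod 8, y^2 = x^3 - x). Points are (X : Z), Z = 0 is the point at infinity, a = A/C.
import math

def inv(x, p):
    return pow(x % p, p - 2, p)

def xadd_mont(P, Q, D, p):            # x(P+Q) from x(P), x(Q), x(P-Q) on M_a: 4M + 2S
    (XP, ZP), (XQ, ZQ), (XD, ZD) = P, Q, D
    u = (XP - ZP) * (XQ + ZQ) % p
    v = (XP + ZP) * (XQ - ZQ) % p
    return ZD * pow(u + v, 2, p) % p, XD * pow(u - v, 2, p) % p

def xdbl_mont(P, A, C, p):            # x([2]P) on M_a with projective coefficient (A : C): 4M + 2S
    X, Z = P
    t1, t2 = pow(X + Z, 2, p), pow(X - Z, 2, p)
    t3 = (t1 - t2) % p                # = 4XZ
    return 4 * C * t1 * t2 % p, t3 * (4 * C * t2 + (A + 2 * C) * t3) % p

def xadd_tw(P, Q, D, p):              # tweaked curve: the (X-Z)(X+Z) trick is unavailable, 6M + 2S
    (XP, ZP), (XQ, ZQ), (XD, ZD) = P, Q, D
    s = (XP * XQ + ZP * ZQ) % p
    d = (XP * ZQ - XQ * ZP) % p
    return ZD * s * s % p, XD * d * d % p

def xdbl_tw(P, A, C, p):              # tweaked curve doubling with (A : C): 5M + 3S
    X, Z = P
    XX, ZZ, XZ = X * X % p, Z * Z % p, X * Z % p
    return C * pow(XX + ZZ, 2, p) % p, 4 * XZ * (C * XX + A * XZ - C * ZZ) % p

def ladder(k, P, xadd, xdbl, A, C, p):
    """Montgomery ladder for x([k]P); R1 - R0 = P throughout, so P is the difference fed to xadd."""
    R0, R1 = (1, 0), P
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = xadd(R0, R1, P, p), xdbl(R1, A, C, p)
        else:
            R1, R0 = xadd(R0, R1, P, p), xdbl(R0, A, C, p)
    return R0

def normalize(R, p):                  # affine x, or None for the point at infinity
    return None if R[1] % p == 0 else R[0] * inv(R[1], p) % p

def group_order_check(p, a, b, xadd, xdbl):
    """Supersingular over F_p with p = 3 mod 4 means #E(F_p) = p + 1: expect [p+1]P = O and
    [p+2]P = P for the first x >= 2 with x^3 + a x^2 + b x a nonzero square."""
    x = next(x for x in range(2, p) if pow((x**3 + a * x * x + b * x) % p, (p - 1) // 2, p) == 1)
    return (normalize(ladder(p + 1, (x, 1), xadd, xdbl, a, 1, p), p) is None
            and normalize(ladder(p + 2, (x, 1), xadd, xdbl, a, 1, p), p) == x)

def kernel_points(P, ell, A, C, p):   # x([i]P) for i = 1..(ell-1)/2 via differential additions
    pts = [P, xdbl_mont(P, A, C, p)]
    for _ in range(2, (ell - 1) // 2):
        pts.append(xadd_mont(pts[-1], P, pts[-2], p))
    return pts[:(ell - 1) // 2]

def iso_eval(Q, ker, p):              # Costello-Hisil evaluation of the odd-degree isogeny at Q
    X, Z = Q
    u = v = 1
    for Xi, Zi in ker:
        s, t = (X - Z) * (Xi + Zi) % p, (X + Z) * (Xi - Zi) % p
        u, v = u * (s + t) % p, v * (s - t) % p
    return X * u * u % p, Z * v * v % p

def iso_coeff(a, ker, p):
    """Image coefficient, Costello-Hisil affine form a' = (6*sum(1/x_i) - 6*sum(x_i) + a)*(prod x_i)^2;
    the projective variant of [6] that the paper quotes is not reproduced here."""
    xs = [normalize(K, p) for K in ker]
    return (6 * sum(inv(x, p) for x in xs) - 6 * sum(xs) + a) * pow(math.prod(xs), 2, p) % p

def csidh_action(a, e, ells, p):
    """[l_1^e_1 ... l_n^e_n] M_a for p = 4*prod(ells) - 1 (Algorithm 2 of [6]): the Legendre symbol of
    x^3 + a x^2 + x says whether (x, y) is on M_a (ker(pi - 1), e_i > 0) or on its twist (ker(pi + 1), e_i < 0)."""
    e, x = list(e), 1
    while any(e):
        x = x + 1 if x < p - 1 else 2                     # deterministic sweep instead of random x
        rhs = (x**3 + a * x * x + x) % p
        if rhs == 0:
            continue
        s = 1 if pow(rhs, (p - 1) // 2, p) == 1 else -1
        S = [i for i, ei in enumerate(e) if ei * s > 0]
        if not S:
            continue
        k = math.prod(ells[i] for i in S)
        Q = ladder((p + 1) // k, (x, 1), xadd_mont, xdbl_mont, a, 1, p)
        for i in S:
            R = ladder(k // ells[i], Q, xadd_mont, xdbl_mont, a, 1, p)
            k //= ells[i]
            if R[1] % p == 0:                             # no ell_i-part in this sample
                continue
            ker = kernel_points(R, ells[i], a, 1, p)      # R has prime order ell_i
            a, Q = iso_coeff(a, ker, p), iso_eval(Q, ker, p)
            e[i] -= s
    return a

if __name__ == "__main__":
    print(group_order_check(419, 0, 1, xadd_mont, xdbl_mont), group_order_check(839, 0, -1, xadd_tw, xdbl_tw))
    a1 = csidh_action(0, [1, -2, 1], [3, 5, 7], 419)
    print(a1, csidh_action(a1, [-1, 2, -1], [3, 5, 7], 419))   # second value is 0 again
```

Running the script prints the two group-order checks (both True) and a round trip: applying $[\mathfrak{l}_3 \mathfrak{l}_5^{-2} \mathfrak{l}_7]$ to $a = 0$ and then its inverse returns $a = 0$. Because the action is commutative, applying two exponent vectors in either order must give the same coefficient, which is the functional check that exercises every formula at once; comparing coefficients is sound here because, for $p \equiv 3 \bmod 8$, the Montgomery coefficient identifies the $\mathbb{F}_p$-isomorphism class (as noted in the CSURF section below).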

Onuki's CSIDH
In [13], Onuki and Takagi proposed a new interval for the secret exponents and a new method for computing the coefficient of the image curve using 4-torsion points for the CSIDH protocol. In CSIDH, the ideal classes used as private keys are represented by vectors with integer coefficients. As the number of ideal classes represented by these vectors determines the security level of CSIDH, it is important to examine the correspondence between ideal classes and vectors. They proved that the vector $(1, \ldots, 1)$ corresponds to an ideal class of order 3, which means that the secret exponents $(e_1, e_2, \ldots, e_n)$ and $(e_1 + 3, e_2 + 3, \ldots, e_n + 3)$ represent the same ideal class. Since CSIDH-512 selects each secret exponent $e_i$ from the range $[-5, 5]$, collisions of the form $(e_1 + 3, e_2 + 3, \ldots, e_n + 3)$ exist. Thus, Onuki and Takagi used the ideal $\mathfrak{l}_0 = (4, \pi - 1)$ instead of the ideal $\mathfrak{l}_n = (\ell_n, \pi - 1)$. Therefore, a secret exponent in [13] has the form $(e_0, e_1, \ldots, e_{n-1})$, and the class group action is $[\mathfrak{a}]E := [\mathfrak{l}_0^{e_0} \mathfrak{l}_1^{e_1} \cdots \mathfrak{l}_{n-1}^{e_{n-1}}]E$, where $e_0 \in [-1, 1]$ and $e_i \in [-m, m]$ for $1 \le i \le n - 1$. They also proposed a new formula for computing the actions of the ideal classes represented by $(1, \ldots, 1)$ and $(-1, \ldots, -1)$ using degree-4 isogenies. Let $P_-$ and $P_+$ be the points of $M_a$ with $x$-coordinate $-1$ and $1$, respectively. Then, for the 4-isogenies $\varphi : M_a \to M_{a'}$ used in this algorithm with $\ker \varphi = \langle P_- \rangle$ resp. $\ker \varphi = \langle P_+ \rangle$, $a'$ is computed as

The former case is used when $e_0 = 1$ and the latter when $e_0 = -1$. The sets $S^+_{p,1}$, $S^+_{p,2}$ and $S_{p,\mathcal{O}}$ used below are defined as follows:

Note that $a \pm 2$ are both squares in $\mathbb{F}_p$ if $a \in S^+_{p,2}$, and $a \pm 2$ are not both squares in $\mathbb{F}_p$ if $a \in S^+_{p,1}$, by Theorem 2 in [11]. Assume that we apply the former 4-isogeny. Since $a' = \frac{2a - 12}{a + 2}$, we have
$$a' + 2 = \frac{4(a - 2)}{a + 2} \quad\text{and}\quad a' - 2 = \frac{-16}{a + 2}.$$
If $a \in S^+_{p,1}$, then $a' \pm 2$ are both squares in $\mathbb{F}_p$, so that $a' \in S^+_{p,2}$. If $a \in S^+_{p,2}$, then $a' + 2$ is a square and $a' - 2$ is not a square in $\mathbb{F}_p$, so that $a' \in S_{p,\mathcal{O}}$; that is, the image curve $M_{a'}$ is on the floor. Similarly, the latter 4-isogeny does not preserve the $(\ell, \pi - 1)$ action class either.

We summarize the result of Proposition 1 in Table 2. Moreover, Onuki and Takagi presented a new formula for computing the coefficient of the image curve using 4-torsion points. For a $(2d + 1)$-isogeny $\varphi : M_a \to M_{a'}$ with $\ker \varphi = \langle P \rangle$, $a'$ is computed as below, where $[i]P = (X_i : Z_i)$, $a = A/C$, and $a' = A'/C'$:

The computational cost of this formula is $(5d - 1)$M + 2S.
The collision-free CSIDH proposed by Onuki and Takagi offers little extra security over the original CSIDH. For the implementation of Onuki's algorithm, we use the prime $p_1$ with $n = 74$ and $m = 5$, as the parameters are not explicitly described in [13]. This setting gives $3 \cdot 11^{73} \approx 2^{254.123}$ distinct exponents.

CSURF
Since the CSIDH protocol uses a prime of the form $p \equiv 3 \bmod 8$, the Montgomery curves $M_a(\mathbb{F}_p)$ have no $\mathbb{F}_p$-rational 2-torsion point other than $(0, 0)$. Using only odd-degree isogenies, without 2-isogenies, makes the computation of the class group action less efficient. To overcome this, Castryck and Decru presented a new hard homogeneous space using tweaked Montgomery curves in [14]. The CSURF protocol uses a prime of the form $p \equiv 7 \bmod 8$ and tweaked Montgomery curves $M^t_a/\mathbb{F}_p$. Then the $\mathbb{F}_p$-endomorphism ring of $M^t_a/\mathbb{F}_p$ is isomorphic to $\mathbb{Z}[(1 + \sqrt{-p})/2]$, and every curve in this setting has three $\mathbb{F}_p$-rational 2-torsion points. Hence, CSURF can exploit horizontal 2-isogenies, corresponding to the ideal $\mathfrak{l}_0$ of norm 2, to help compute the class group action. For a supersingular Montgomery curve $M_a$, the Montgomery coefficient $a$ and the $\mathbb{F}_p$-isomorphism class of $M_a$ are in one-to-one correspondence when the base prime is of the form $p \equiv 3 \bmod 8$. Likewise, for a supersingular tweaked Montgomery curve $M^t_a$, the tweaked Montgomery coefficient $a$ and the $\mathbb{F}_p$-isomorphism class of $M^t_a$ are in one-to-one correspondence when the base prime is of the form $p \equiv 7 \bmod 8$. This is summarized in Table 3. Thus, Castryck and Decru obtain a well-defined free and transitive group action. Finally, they use a secret exponent $(e_0, e_1, \ldots, e_n)$ to compute the class group action $[\mathfrak{a}]M^t_a := [\mathfrak{l}_0^{e_0} \mathfrak{l}_1^{e_1} \cdots \mathfrak{l}_n^{e_n}]M^t_a$.

Collisions for CSIDH-Based Algorithms
In this subsection, we examine the correspondence between ideal classes and vectors for the CSIDH-based algorithms. As noted in [6,13,14], the private keys in CSIDH-based algorithms are ideal classes in the class group $\mathrm{cl}(\mathcal{O})$. By design, these ideals can be expected to have the form $\prod_{i=1}^{n} \mathfrak{l}_i^{e_i}$ for small $e_i$, so selecting an ideal class corresponds to selecting an integer vector $(e_1, \ldots, e_n)$. Therefore, for an exact security evaluation, it is important to analyze whether two different integer vectors $(e_1, \ldots, e_n)$ and $(e'_1, \ldots, e'_n)$ represent the same ideal class. In CSIDH-based schemes, the collisions differ depending on the prime of the base field and on the $\mathbb{F}_p$-endomorphism ring $\mathrm{End}_p(E)$ of the elliptic curve $E$. As we use two different primes $p_1$ and $p_2$ for our implementation, we examine the collisions over these prime fields. We first state the main theorem of [13] and the following corollary.
CSIDH-512 uses $p_1$ as the base prime, where $p_1 \equiv 3 \bmod 8$. Hence, the collisions pointed out in [13] exist for the original parameters of CSIDH-512. Similarly, in [15] Fan et al. proved that collisions of the form $(e_0 + 1, e_1 + 2, e_2 + 1, \ldots, e_{74} + 1)$ also exist for the CSURF prime $p_3$. Now, we generalize the idea of [15] to primes $p \equiv 7 \bmod 8$ of a certain form.
Since collisions in the secret exponents reduce the size of the private key space, we must either avoid the collisions or accept the risk and count the number of distinct public keys. Theorem 3 gives the number of ideal classes that a secret exponent can represent, assuming that a collision exists.

Theorem 3. Assume that a secret exponent $(e_0, e_1, \ldots, e_n)$ has a collision, so that it represents the same ideal class as $(e_0 + c_0, e_1 + c_1, \ldots, e_n + c_n)$, where $e_i \in [-m_i, m_i]$ and $c_i \in \mathbb{Z}$. Then there are $\prod_{i=0}^{n} (2m_i + 1 - c_i)$ collisions. Therefore the order of the private key space generated by $\mathfrak{l}_0^{e_0} \mathfrak{l}_1^{e_1} \cdots \mathfrak{l}_n^{e_n}$ is at most $\prod_{i=0}^{n} (2m_i + 1) - \prod_{i=0}^{n} (2m_i + 1 - c_i)$.

Proof. If every exponent $e_i$ is greater than or equal to $c_i - m_i$, then the secret exponents $(e_0, e_1, \ldots, e_n)$ and $(e_0 - c_0, e_1 - c_1, \ldots, e_n - c_n)$ represent the same ideal class. So, there are $\prod_{i=0}^{n} (2m_i + 1 - c_i)$ such exponents.

To avoid this type of collision, there are two options: dropping one isogeny degree, or adding supplementary factors to the prime of the base field. The former is used in [13,15] and has the advantage of avoiding the computation of some large odd-degree isogenies; however, the interval of the secret exponents must then be adjusted to guarantee the security of the protocol. The latter is to let the exponent $r_i$ of $\ell_i$ in $p$ be larger than $2m_i$ for at least one $i$; in this case, we must choose a prime having such factors. The advantage of this method is that, by enlarging the base field, the CSIDH protocol can be expected to gain a certain level of resistance against the sub-exponential quantum attacks [2,17,18].
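As an added example (not from the paper), the following Python code carries out the count of Theorem 3, reproduces the keyspace sizes quoted in Section 4 from the intervals and collision vectors stated there, and checks the counting argument by brute force on a toy box. The CSURF intervals and offsets are read off the page's product $275 \cdot 9^{28} \cdot 11^{45} - 273 \cdot 6 \cdot 8^{27} \cdot 9 \cdot 10^{44}$ (275 = 2·137 + 1, 9 = 2·4 + 1, 11 = 2·5 + 1, and the subtracted factors give the offsets); which odd prime carries which offset is an assumption made here, and the product does not depend on it.

```python
# Added example, not code from the paper: the keyspace count of Theorem 3 and the security
# figures of Section 4. Exponents e_i are drawn from [-m_i, m_i]; if the vectors e and e + c
# always give the same ideal class, every vector with e - c still inside the box duplicates a
# smaller one, so prod(2*m_i + 1 - |c_i|) vectors are shadowed and
# prod(2*m_i + 1) - prod(2*m_i + 1 - |c_i|) distinct classes remain (assuming, as the paper
# does, that this is the only relation).
import itertools
import math

def keyspace(m, c=None):
    """Return (vectors in the box, shadowed vectors, distinct classes) for intervals m and
    collision offsets c; c = None means no known collision."""
    total = math.prod(2 * mi + 1 for mi in m)
    if c is None or not any(c):
        return total, 0, total
    if len(c) != len(m):
        raise ValueError("one collision offset per exponent")
    shadowed = math.prod(max(2 * mi + 1 - abs(ci), 0) for mi, ci in zip(m, c))
    return total, shadowed, total - shadowed

def log2_security(m, c=None):
    """log2 of the distinct keyspace, the brute-force exponent the paper tabulates."""
    return math.log2(keyspace(m, c)[2])

def brute_force_classes(m, c):
    """Enumerate every vector in the box, slide each one down by c while it stays inside the
    box, and count the minimal representatives. Toy boxes only (cost is the box size)."""
    if not any(c):
        return keyspace(m)[0]
    reps = set()
    for e in itertools.product(*[range(-mi, mi + 1) for mi in m]):
        while all(-mi <= ei - ci <= mi for ei, ci, mi in zip(e, c, m)):
            e = tuple(ei - ci for ei, ci in zip(e, c))
        reps.add(e)
    return len(reps)

# Parameter sets constructed from the text of Section 4 (not copied from the paper's tables):
# CSIDH-512 over p_1: 74 odd primes, e_i in [-5, 5], Onuki-Takagi collision (3, ..., 3).
CSIDH_P1 = ([5] * 74, [3] * 74)
# CSIDH over p_2: 73 odd primes, same interval and collision.
CSIDH_P2 = ([5] * 73, [3] * 73)
# Onuki's CSIDH over p_1: e_0 in [-1, 1] for l_0 = (4, pi - 1), e_i in [-5, 5] for 73 primes, no collision.
ONUKI_P1 = ([1] + [5] * 73, None)
# CSURF over p_2: intervals from 275 * 9^28 * 11^45 (m_0 = 137, 28 primes with m = 4, 45 with m = 5),
# offsets from 273 * 6 * 8^27 * 9 * 10^44 (2, then 3 and 27 ones, then 2 and 44 ones). Which prime
# carries which offset is an assumption here; the count does not depend on it.
CSURF_P2 = ([137] + [4] * 28 + [5] * 45, [2] + [3] + [1] * 27 + [2] + [1] * 44)

if __name__ == "__main__":
    for name, (m, c) in [("CSIDH p1", CSIDH_P1), ("CSIDH p2", CSIDH_P2),
                         ("Onuki p1", ONUKI_P1), ("CSURF p2", CSURF_P2)]:
        print(f"{name}: 2^{log2_security(m, c):.3f}")
    print("toy box check:", brute_force_classes([2, 2, 2], [1, 1, 1]), keyspace([2, 2, 2], [1, 1, 1])[2])
```

The brute-force count walks each vector down along $-c$ until it leaves the box, so each chain $e, e + c, e + 2c, \ldots$ is counted exactly once; for CSIDH-512 the formula gives $11^{74} - 8^{74}$, matching the figure in Section 4. Note that the Onuki keyspace $3 \cdot 11^{73}$ is slightly smaller than the collision-adjusted CSIDH-512 keyspace, which is why the paper calls the security gain small.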

Implementation and Security Analysis
In this section, we provide the implementation results and security analysis for the algorithms presented in the previous sections. First, we measure the performance of each algorithm using its original parameters; for the algorithms on the surface, however, we choose $p_2$ as the base field prime so that the cost of the field arithmetic matches that of $p_1$ as closely as possible. Then, we present the performance after modifying the private key interval of each algorithm so that the security levels match.
All of the algorithms in this paper are implemented in C language to evaluate the performance of each algorithm. To this end, we use the field arithmetic implemented in [6]. Moreover, wall-clock times and clock cycles are obtained on one core of an Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, running Ubuntu 18.04.1 LTS. For compilation, we used GNU GCC version 7.5.0 with compile option -O3 using the benchmark provided by [6]. All results are averaged over 500,000 rounds.
Note that the prime $p_1$ and the initial curve $y^2 = x^3 + x$ are used for implementing the original CSIDH and Onuki's CSIDH, and the prime $p_2$ and the initial curve $y^2 = x^3 - x$ are used for implementing CSURF. When implementing CSIDH over $p_2$, a rational 2-torsion point exists, so the 2-torsion method of [11,16] is used. Therefore, for CSIDH over $p_2$, the curve $y^2 = x^3 + ax^2 + x$ is used as the initial curve, where the coefficient $a$ of the initial curve is the one presented in [11]. We also implement Meyer's hybrid method for a fair comparison; its prime and base curve follow the CSIDH setting. Table 4 shows the implementation results for each scheme, using the intervals provided in the original papers. For Onuki's CSIDH, as [13] does not specify the intervals of the secret exponents, we set the intervals ourselves according to the security level. The security column in Table 4 takes into account the collisions discussed in Section 3.4. For CSIDH over $p_1$ and $p_2$, this equals $11^{74} - 8^{74} \approx 2^{255.998}$ and $11^{73} - 8^{73} \approx 2^{252.539}$, respectively. For CSURF over $p_2$, this equals $275 \cdot 9^{28} \cdot 11^{45} - 273 \cdot 6 \cdot 8^{27} \cdot 9 \cdot 10^{44} \approx 2^{252.535}$. As CSURF is only applicable on the surface of supersingular curves, there is no result using $p_1$. Similarly, Onuki's method cannot be applied directly on the surface using $p_2$, so there is no result for that prime: the 4-isogenies presented in [13] do not preserve the $(\ell, \pi - 1)$ action class of the Montgomery curves on the surface, as proved in Proposition 1.
Lastly, we provide the performance of the CSIDH-based algorithms after modifying the intervals of the secret exponents to reach a similar security level. As in [6,13,14], we heuristically assume that these exponents represent the elements of the class group quasi-uniformly. The intervals are modified so that the first three isogenies, of degree 3, 5 and 7, are performed at most four times each, in line with the idea in [14]. We deliberately keep the exponents of the first three primes small: a random point has a nontrivial $\ell$-torsion component with probability $1 - 1/\ell$, so kernel points of small degree are the hardest to sample.

Remark 2.
We do not apply other optimization techniques such as SIMBA [19], new addition chains for scalar multiplication [20], or the Velusqrt algorithm [21], because we intend to compare the basic algorithms as directly as possible. Except for the Velusqrt algorithm, which would apply to the original CSIDH and Onuki's method, these techniques are applicable to all of the algorithms in this paper.
As Tables 4 and 5 show, CSIDH using $p_2$ is faster than CSIDH using $p_1$. Although this speed gap matters little in itself, because the hybrid method surpasses both, we conclude that the applicability of 2-isogenies makes CSIDH on the surface more attractive: computing a 2-isogeny as in CSURF [14] does not require sampling a 2-torsion point. On the other hand, CSURF is slower than the other algorithms, since the tweaked Montgomery curves have less efficient elliptic curve arithmetic (DBLADD) and isogeny evaluation than Montgomery curves in projective coordinates. Thus, judging from the implementations of CSIDH and CSURF, CSIDH on the surface can be executed more efficiently by using a prime of the form $p \equiv 7 \bmod 8$ together with Montgomery curves rather than tweaked Montgomery curves. When a prime $p \equiv 3 \bmod 8$ is used, CSIDH can be implemented efficiently on the floor by exploiting the hybrid method proposed in [10]. Moreover, it is recommended to use Onuki's collision-free method, since an attack exploiting the collisions could potentially exist.

Conclusions
In this paper, we provide a performance and security analysis of various CSIDH-based algorithms. First, we implement the CSIDH-based algorithms presented in [6,13,14] in C for a fair comparison between them. By projectivizing the arithmetic formulas of the tweaked Montgomery curve, we conclude that, as of now, using this curve is inefficient compared to using Montgomery curves.
Moreover, we analyze the security against brute-force attacks on the private key by generalizing the possible collisions for CSIDH executed on the surface. In this regard, we present a new interval for the private key that gives those algorithms a similar security level, which lets us compare the performance of the three algorithms fairly and offer optimization scenarios for each choice of parameters.
From the implementation results, we conclude that for a prime $p \equiv 7 \bmod 8$, CSIDH on the surface using Montgomery curves is the most likely to be efficient, and for a prime $p \equiv 3 \bmod 8$, CSIDH on the floor using the hybrid method together with Onuki's collision-free method is the most likely to be efficient and secure.
For future work, we plan to study potential attacks against CSIDH-based algorithms using the collisions presented in this paper. Additionally, we plan to implement an optimized algorithm for each form of base prime and to provide clearer standards for parameter selection by applying the various optimization methods in [19–21].