With the advance of quantum computing, the public key cryptosystems in use today that rest on the factorization and discrete logarithm problems, such as RSA and ECC, will not be able to guarantee their security in the near future. This has led to the need for post-quantum cryptography (PQC) that remains secure even in quantum computing environments. The National Institute of Standards and Technology (NIST) opened the PQC standardization project, which is now in Round 2. Among the PQC categories, isogeny-based cryptography interests many researchers, as it offers smaller key sizes than any other PQC candidate. Isogeny-based cryptography rests on the difficulty of finding a specific isogeny between two elliptic curves defined over the same finite field. Despite its fairly small key size, isogeny-based cryptography has the disadvantage of being considerably slower than most of the PQC candidates.
Isogeny-based cryptography was first proposed by Couveignes in 2006 [1]. It is a non-interactive key exchange protocol that uses a set of -isomorphism classes of ordinary elliptic curves defined over . The endomorphism ring of these curves is given by the order in an imaginary quadratic field. The ideal class group acts freely and transitively on this set through isogeny operations. Couveignes designed a Diffie-Hellman style key exchange protocol using the commutativity of . This method was rediscovered by Rostovtsev and Stolbunov and is called the CRS-scheme. The underlying problem of the CRS-scheme can be classified as an abelian hidden-shift problem, and Childs et al. showed that there is a subexponential quantum attack with time complexity of ]. Considering that RSA is widely used even though it admits subexponential-time attacks on classical computers, this was not regarded as a serious problem. The biggest problem pointed out was the very slow execution time: a single key exchange took several minutes.
Isogeny-based cryptography attracted attention again after the rapid speed improvement by De Feo et al. [3]. They proposed a new key exchange protocol, called SIDH, using supersingular curves. Since the Childs-Jao-Soukharev attack exploits the commutativity of of an ordinary curve, it cannot be applied to SIDH, which uses supersingular curves whose full endomorphism rings are non-commutative. To date, the best known attacks against SIDH have exponential time complexity, even in quantum computing environments.
SIKE (Supersingular Isogeny Key Encapsulation), which is based on SIDH, is currently in Round 2 of the NIST PQC standardization [4]. On the other hand, for SIDH-based schemes the key validation problem could not be solved efficiently. To address this, SIKE applies a transformation similar to the Fujisaki–Okamoto transformation proposed in [5
In the CRS-scheme, efficient key validation is possible, so CCA-secure encryption can be achieved by the basic algorithm itself, without applying the FO-transformation. This allows for a non-interactive key exchange, a property that several of the previously proposed PQC algorithms do not provide efficiently. With this in mind, De Feo et al. proposed a method to efficiently perform the CRS-scheme on ordinary curves in [6]. However, because of the characteristics of ordinary curves, it remained difficult to select parameters satisfying the required condition. Independently, Castryck et al. proposed CSIDH (Commutative Supersingular Isogeny Diffie-Hellman), an algorithm that improves efficiency over conventional techniques by using supersingular curves defined over a prime field in the CRS-scheme [7]. By using supersingular curves, CSIDH solved the parameter selection problem of the ordinary-curve algorithm proposed by De Feo et al.
CSIDH uses the subring consisting of -rational endomorphisms instead of the full endomorphism ring; it uses the commutativity of and has the same protocol as the CRS-scheme. CSIDH-512 provides a key size of 64 bytes, which is smaller than SIKE at the same security level. Even when the subexponential-time attack is taken into account, the key size is expected to remain relatively smaller than that of SIKE. Recently, various papers related to CSIDH have been submitted to PQCrypto 2019 and Eurocrypt 2019, and research on digital signatures, efficient implementation techniques, attack techniques, and side-channel resistant implementations has been conducted [8
However, one disadvantage of CSIDH is that it executes more slowly than the state-of-the-art implementation of SIKE. On the other hand, since key validation can be performed efficiently, CSIDH provides a non-interactive key exchange, and it allows a smaller key size and a simpler algorithm design. In addition, considering that a more efficient digital signature scheme than one derived from SIDH can be obtained, CSIDH arguably has more potential for developing various cryptographic applications. Hence, various studies are actively being conducted to improve the speed of CSIDH [8
The original implementation of CSIDH in [7] uses Montgomery curves, as they were known to provide efficient isogeny computation. However, one drawback of Montgomery curves is that, for large-degree isogenies, the computational cost of recovering the coefficient of the image curve is higher than on Edwards curves. Because the CSIDH protocol uses large odd-degree isogenies, this is an obstacle to implementing CSIDH entirely on Montgomery curves.
In this paper, we apply an optimization technique proposed by Costello and Hisil to CSIDH in order to obtain the image curve coefficients during isogeny computations [12]. The main contributions of this work are as follows.
We present a new initial curve and a new prime of the form , enabling the use of the two-torsion method by Costello and Hisil [12]. In the parameter presented in the original CSIDH, -rational two-torsion points do not exist, except for , so this method cannot be used for recovering the coefficient of the image curve in CSIDH. Compared to Meyer's method [8], computing the coefficient of the image curve is the main bottleneck for a faster CSIDH implemented entirely on Montgomery curves. With our prime, -rational two-torsion points exist, so the coefficient can be computed efficiently.
We also prove that our algorithm assures a one-to-one correspondence between image curves and elliptic curve isomorphism classes. Given a Montgomery curve on the surface with curve coefficient A and base field prime p, we prove that the ideal-class group acts freely and transitively on the set ]. The details of our proof are given in Section 4.
We present the implementation results of our proposed method. The group action of our implementation is about 7.1% faster than the original CSIDH, and the entire key exchange is about 6.4% faster than the original CSIDH. Although the proposed CSIDH implementation is slower than [8], we stress that we provide the fastest performance using only Montgomery curves. Section 5 gives the details of our implementation and results.
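As an added illustration of the first contribution (this is example code, not the paper's implementation nor the Costello–Hisil algorithm itself), the following Python script works over a constructed toy prime of CSIDH shape, p = 4·3·5·7 − 1 = 419. A Montgomery curve y^2 = x^3 + Ax^2 + x always has the two-torsion point (0,0); its other two two-torsion points have x-coordinates that are the roots of x^2 + Ax + 1, so they are F_p-rational only when A^2 − 4 is a square in F_p. The script checks this condition, shows that the original CSIDH starting curve A = 0 has no rational two-torsion point other than (0,0) when p ≡ 3 (mod 4), and shows the algebraic relation that makes a rational two-torsion point useful: since the two non-zero roots multiply to 1, a single root α gives back A = −(α + 1/α). The toy prime, the curve coefficients and the point x-coordinates are constructed for the example; supersingularity and the isogeny computation itself are not modelled.

```python
# Added example: F_p-rational two-torsion points of a Montgomery curve and
# recovery of the coefficient A from one of them. Not code from the paper.
# Montgomery form: E_A : y^2 = x^3 + A*x^2 + x over F_p.
# Two-torsion points have y = 0, i.e. x = 0 or x a root of x^2 + A*x + 1.


def sqrt_mod(a, p):
    """Square root of a modulo p for p ≡ 3 (mod 4); None if a is a non-residue.
    CSIDH-shaped primes p = 4*l1*...*ln - 1 are always ≡ 3 (mod 4)."""
    assert p % 4 == 3, "this shortcut only works for p ≡ 3 (mod 4)"
    a %= p
    if a == 0:
        return 0
    r = pow(a, (p + 1) // 4, p)
    return r if (r * r) % p == a else None


def two_torsion_x(A, p):
    """Sorted x-coordinates of the F_p-rational two-torsion points of E_A.
    (0,0) is always rational; the other two exist iff A^2 - 4 is a square in F_p."""
    xs = [0]
    disc = (A * A - 4) % p          # discriminant of x^2 + A*x + 1
    r = sqrt_mod(disc, p)
    if r is not None:               # quadratic formula in F_p
        inv2 = pow(2, -1, p)
        for s in (r, -r):
            xs.append(((-A + s) * inv2) % p)
    return sorted(set(xs))


def coefficient_from_two_torsion(alpha, p):
    """Recover A from the x-coordinate alpha != 0 of a two-torsion point.
    alpha is a root of x^2 + A*x + 1 and the two roots multiply to 1,
    so the other root is 1/alpha and A = -(alpha + 1/alpha)."""
    assert alpha % p != 0, "(0,0) carries no information about A"
    return (-(alpha + pow(alpha, -1, p))) % p


def toy_csidh_prime(ells):
    """p = 4 * l1 * ... * ln - 1, the CSIDH prime shape (toy parameters, constructed)."""
    p = 4
    for l in ells:
        p *= l
    return p - 1


if __name__ == "__main__":
    p = toy_csidh_prime([3, 5, 7])          # 419, which is prime and ≡ 3 (mod 4)
    # Original CSIDH starting curve A = 0: x^2 + 1 has no root because -1 is a
    # non-residue for p ≡ 3 (mod 4), so only (0,0) is rational.
    print("A = 0 :", two_torsion_x(0, p))
    # Choose a curve on which (2,0) is a two-torsion point (constructed value).
    A = coefficient_from_two_torsion(2, p)
    print("A =", A, ":", two_torsion_x(A, p))
    # Every non-zero rational two-torsion point recovers the same A.
    for x in two_torsion_x(A, p):
        if x:
            assert coefficient_from_two_torsion(x, p) == A
```

The check in the main block mirrors the paper's parameter argument in miniature: with the starting curve of the original CSIDH there is nothing to recover A from, whereas on a curve whose full two-torsion is F_p-rational any of the two non-trivial points determines A with one inversion and one addition.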
This paper is organized as follows. In Section 2, we review the background on elliptic curves and the CSIDH key exchange. In Section 3, we introduce the various ways of computing odd-degree isogenies. In Section 4, we present a new parameter that makes the two-torsion point usable, together with our optimization methods. Section 5 describes the implementation in detail and compares costs and speed. We draw our conclusions and outline future work in Section 6.
In this paper, we proposed an optimized method for improving the performance of CSIDH and provided a new parameter for using it. We set the parameters so that the three two-torsion points on a Montgomery curve are all in . Therefore, by using a two-torsion point, we reduced the cost of computing the coefficient of the image curve of the odd-degree isogenies required in the group action. With our algorithm, the group action is about 7.1% faster and the entire key exchange about 6.4% faster than the original CSIDH.
As mentioned before, the method proposed in this paper is still slower than the Montgomery–Edwards hybrid method presented in [8]. However, we found that a Montgomery-only implementation is still competitive enough, as supported by various studies, like [16
To apply our method, the prime of the base field and the initial elliptic curve must be well chosen for the target security level. If a parameter that enables the two-torsion method is chosen, CSIDH can be optimized further by studying the application of 2-isogenies, as in [13