Review of Chosen Isogeny-Based Cryptographic Schemes

: Public-key cryptography provides security for digital systems and communication. Traditional cryptographic solutions are constantly improved, e.g., to suppress brute-force attacks. However, Shor’s algorithm suited for quantum computers can break the bedrock of most currently used systems, i.e., the RSA problem and discrete logarithm problem. Post-quantum cryptography can withstand attacks carried out by quantum computers. Several families of post-quantum systems exist; one of them is isogeny-based cryptography. As a main contribution, in this paper, we provide a survey of chosen, fundamental isogeny-based schemes. The target audience of this review is researchers interested in practical aspects of this ﬁeld of cryptography; therefore the survey contains exemplary implementations. Our goal was not to develop an efﬁcient implementation, but to provide materials that make it easier to analyze isogeny-based cryptography.


Introduction
Without secure solutions offered by asymmetric cryptography, our digital lives and digital businesses would be much less advanced than today. Public-key cryptography nowadays is essentially indispensable and used in almost all devices connected to a network. Public-key algorithms are a foundation of, e.g., secure and private web browsing over Transport Layer Security (TLS), encrypted messaging with OpenPGP, or any online service such as e-government. It is critically important to maintain sufficient security levels; thus, a lot of attempts have been made. As computational power and cost-efficiency of computers improve over time, key sizes are increased to suppress brute-force attacks. However, there are threats to classical asymmetric cryptography security that cannot be held back by a simple key size increase.
Public-key (asymmetric) cryptography is a system that utilizes a pair of keys. One of the keys may be known to everyone (public key), while the other key must not be known to anyone else but the owner (private key). Asymmetric cryptography is based on mathematical problems known as one-way functions, i.e., a function which is easy to compute on any input, but it is hard to compute its input given a result. Usually, to generate such a key pair, the private key is chosen at random, then the public key is computed as the result of the selected one-way function with the private key as the input. The most popular asymmetric cryptography systems are based on two hard problems: the RSA problem and discrete logarithm problem (DLP).

Problem Statement
In 1994, a groundbreaking algorithm suited for quantum computers was presented. Shor's algorithm [1] is a polynomial-time quantum computer algorithm for integer factorization. It means that cryptosystems such as RSA [2] could be broken by constructing a sufficiently large quantum computer.
Shor's algorithm is composed of two parts. The first part may be implemented on a classical computer and is responsible for turning the factorization problem into the problem

Contribution
The goal of this article is to introduce to the reader chosen constructions based on supersingular isogeny Diffie-Hellman (SIDH) [10] and SIDH itself. Our intention is to familiarize the reader with fundamental schemes based on isogenies: supersingular isogeny Diffie-Hellman key exchange (SIDH) [10], isogeny-based digital signature (IBDS) [11], strong designated verifier signature (SDVS) [12], undeniable signatures [13], and supersingular isogeny oblivious transfer (SIOT) [14]. Moreover, our goal is to illustrate high-level algorithms with implementations. We assume that such detailed level will help the reader to fully understand isogeny nuances and allow us to design fresh schemes with new functionalities. In this article: • We discuss several fundamental solutions based on supersingular isogenies, provide summary of high-level mathematical aspects, constructions and algorithms. • Most of the source publications use similar notations but there are some differences. We provide unified notation that allows easier comprehension and comparison of the solutions. • We provide implementations of the chosen constructions in concise but clear code developed with easy to understand technologies. We discuss the solutions from the perspective of a programmer and comment the algorithms in more detail.
We note that implementations described in this article are not meant to assess the performance of the chosen schemes. Instead, we want to use code snippets as another tool (next to pseudocode) to describe the reviewed constructions. Pseudocode may not be clear enough in some cases, especially when complicated mathematical operations are involved. Instead, the reader can use our implementations to analyze the algorithms. The source codes can be executed and tweaked. We hope these implementations can be a helpful resource for every isogeny-based cryptography beginner or even for more experienced researchers. Some of the publications focused on isogeny-based cryptography provide low-level, fast implementations. These works are certainly a great feat; however, the implementations in C, C++, and assembly are much harder to comprehend. We also provide time measurements of our implementations. These results are only for illustrative purposes and allow us to compare the chosen schemes. We do not intend to improve current state-of-the-art isogeny computations methods.

Organization of the Article
The article is organised into following sections. Section 2 contains characterisation of supersingular elliptic curve isogeny, mathematical definitions, isogeny algebra, and definitions of hard problems which provide security for isogeny-based cryptography. It also describes technologies used in implementations and common building blocks for all implemented solutions. Security assumptions for isogeny-based cryptography are stated in Section 3. In Section 4, SIDH, IBDS, SDVS, undeniable signatures, and SIOT schemes are presented. For each of the constructions, first a high-level description of the solution and algorithms are given. Then, implementation of the scheme is shown together with general comments and mappings to specific algorithms. Generic constructions used in the chosen schemes are presented in Section 5 together with an example of vulnerable application. Section 6 contains measurements of execution times of implemented cryptographic schemes. Finally, Section 7 contains conclusions.

Supersingular Elliptic Curve Isogeny Cryptography
Supersingular elliptic curve isogeny cryptography is a family of schemes based on the properties of supersingular elliptic curves and supersingular isogeny graphs. Isogenybased schemes use the mathematics of supersingular elliptic curves to create a Diffie-Hellman-like key exchange. This means isogeny cryptography provides a straightforward quantum computing resistant replacement for widely used key exchange methods. Isogenybased schemes boast significantly smaller key sizes than most of the popular post-quantum alternatives. There are two distinct families of systems based on isogeny algebra: supersingular isogeny Diffie-Hellman (SIDH) [10] and commutative supersingular isogeny Diffie-Hellman (CSIDH) [15]. The only scheme of this type still in NIST Post-Quantum Cryptography Competition is Supersingular Isogeny Key Encapsulation (SIKE) [16] which is based on SIDH. Many more cryptographic schemes similar to SIDH were proposed in the literature. We will focus only on the SIDH family.
Apart from public-key cryptography based on isogenies, other isogeny-based cryptographic schemes have been proposed. A recent example is Oblivious Pseudorandom Functions from Isogenies [17].

Definitions and Isogeny Algebra
This section contains essential mathematical Definitions related to isogenies. Further details on the mathematical foundations of isogenies are presented in, e.g., [10,18]. We use the following notation: • Variables named n, d, e, , f represent integers, variables p, q are prime numbers. • Let φ be an isogeny.
• Let y 1 , . . . , y n R ← − Y denote each y i is sampled uniformly at random from the set Y. • Elliptic curves are named E, the j-invariant of the elliptic curve E is denoted as j(E). • P, Q denote generators of a torsion subgroup.
The group of points on an elliptic curve E over a finite field F q of cardinality q with a specified point O is denoted as E(F q ). The group contains a point at infinity and a set of points (x, y) that satisfy the short Weierstrass form: where a, b, x, y ∈ F q . The j-invariant of an elliptic curve given by the Weierstrass equation is given by the formula: j(E) = 1728 4a 3 4a 3 + 27b 2 . (2) Two elliptic curves E 1 and E 2 are isomorphic to each other if and only if they have the same j-invariant, i.e., j(E 1 ) = j(E 2 ).
Isogeny-based cryptography does not use elliptic curve's abelian group over point addition. Instead, it uses a map between curves called isogenies. An isogeny φ : E 1 → E 2 over F q is a non-constant rational map from E 1 to E 2 , which is a group homomorphism with a finite kernel. It follows that φ(O E 1 ) = O E 2 , where O denotes the identity element on an elliptic curve. An isogeny φ can be written as: where f 1 , f 2 , g 1 , g 2 are polynomials in variables x, y with coefficients in F q . The degree of φ is its degree as an algebraic map, deg(φ) = max{deg( f 1 ), deg( f 2 )}. If the isogeny is separable, the degree of the isogeny is equal to the cardinality of its kernel. In this work, only separable isogenies are considered. An isogeny of degree is referred to as an -isogeny. Two elliptic curves are -isogenous if there exists an -isogeny between them. Each -isogeny φ : E 1 → E 2 has a dual isogenyφ : where [ ] is the multiplication by map. Isogenyφ is also an -isogeny. For any natural we define -torsion group E[ ] as the kernel of the multiplication by map over the algebraic closureF q of F q , i.e., The endomorphism ring End(E) under the operations of point-wise addition and functional composition is defined as the set of all isogenies from E to itself, defined over the algebraic closureF q of F q . If dim(End(E)) = 4 then E is supersingular otherwise E is ordinary. Two isogenous curves are always both ordinary or both supersingular.
The kernel K of φ uniquely defines φ up to isomorphism so the codomain E 2 of the isogeny φ : E 1 → E 2 can be denoted as E 1 /K. Any generator of the kernel will produce a unique isogeny up to isomorphism.
An isogeny graph is a graph in which nodes are j-invariants (representing isomorphism classes of elliptic curves), and in which edges are isogenies between them. The isogeny graph is undirected since each isogeny has a dual isogeny. It is hard to find a path of a given length between two random nodes in the isogeny graph. This hardness is the basis of isogeny-based cryptosystems.

Implementation Outline
For each of the chosen implemented schemes we include listings of code, corresponding comments, and mappings to algorithms. For each scheme, an exemplary execution is presented with one-run time measurements for order of magnitude reference, these were run on a single core of Intel Core i7-9750H processor. The following implementations are designated to be proof-of-concept implementations that help to understand the ideas behind the constructions and do not represent industrial grade level of security. Their main goal is to allow easy, fast modifications and experiments; thus, they use interpreted programming language and prioritize readability over execution speed and security. The implementations are not hardened against, e.g., timing attacks.

Common Building Blocks
All of the chosen schemes are implemented similarly, each implementation uses Python in version 3.9.5 and SageMath version 9.3. The implemented schemes are SIDH-based; thus, common code related to parameters of SIDH is presented in this subsection. When not stated otherwise, implementations will use these shared parameters and functions.
For better performance, a different set of programming languages and libraries can be used. Microsoft's SIDH Library is a fast and portable library written in C that implements supersingular isogeny cryptographic schemes. Cloudflare provides SIDH library written in Go that ports portions of Microsoft's library. Those libraries make use of arithmetic written in assembly and allow us to compile the source code for a specific platform. Compared to SageMath, Microsoft's and Cloudflare's libraries are much better suited for a productionready implementation; however, implementations written in Python and SageMath are easier to understand and experiment with.

SIDH Public Parameters
Public parameters that are common for most of the schemes described in Section 4 are a prime p = e A A e B B · f ± 1, a field F p 2 , a supersingular elliptic curve E(F p 2 ), and P A , Q A , P B , Q B . This section contains listings with their definitions.
Comment (Listing 1): The above code creates a prime p = e A A e B B · f ± 1 using SIKEp434 [16] parameters, i.e., p = 2 216 3 137 − 1. Then, a finite field Fp is created together with its quadratic extension Fp2, i.e., F p 2 = F p (i) with i 2 + 1 = 0. Finally, a starting curve E over that quadratic extension is created, defined by y 2 = x 3 + x. Integer p must be prime and the starting elliptic curve must be supersingular, both these properties are tested in the assertions.
, respectively, are generated dynamically with functions defined above. Function get_rand_point_ord returns a random point of order order on an elliptic curve E by first selecting a random point and then decreasing its order to the target value. This approach succeeds with high probability on the first try. Function get_random_base finds two points, P and Q, that are independent of each other. For that, the Weil pairing is computed and its order must be equal to the order of points. Generators for Alice and Bob are computed in the following way.

Isogeny Computation
SageMath allows to compute an isogeny using a library function, but that approach is inefficient for large parameters.
Comment (Listing 4): A better approach to computing e -isogeny is to compute a composition of e individual -isogenies. The function isogeny_graph_walk computes an isogeny, which is defined by a point P, from a curve E to a curve E_prime. It can also move points P_oth and Q_oth through that isogeny. The loop in line 5 in the above listing computes e individual -isogenies. The function returns a tuple matching SIDH public key, i.e., the final curve E_prime and the images of other party's public basis points.

Security of the Chosen Schemes
In this article, we do not repeat security proofs of the schemes we survey. We advise the readers interested in detailed security analysis of the schemes to refer to the corresponding original publications for security analysis and proofs.
The security of SIDH, IBDS, SDVS, undeniable signatures, and SIOT is provable and has been proven by reduction in which an adversary breaking each of the schemes could be used to break assumptions for isogeny-based cryptography. The following problems (from [10]) are believed to be intractable even for quantum computers and are the basis of security of isogeny-based cryptosystems.
Definition 1 (Decisional Supersingular Isogeny (DSSI) problem). Let E, E A be supersingular curves defined over F p 2 . Decide whether E A is e A A -isogenous to E.
Definition 2 (Computational Supersingular Isogeny (CSSI) problem). Let φ A : E → E A be an isogeny whose kernel is S A , where S A is a random point with order Definition 3 (Supersingular Computational Diffie-Hellman (SSCDH) problem). Let φ A : E → E A be an isogeny whose kernel is S A , where S A is a random point with order e A A , let φ B : E → E B be an isogeny whose kernel is S B , where S B is a random point with order e B B . Given the curves E A , E B and the points φ Definition 4 (Supersingular Decision Diffie-Hellman (SSDDH) problem). Given a tuple sampled with probability 1/2 from one of the following two distributions, determine from which distribution the tuple is sampled: • E 1 is chosen randomly among curves of the same cardinality as E, and φ : On top of that, the undeniable signatures from [13] also use modified assumptions related to supersingular isogenies. Additionally, the schemes based on SIDH include security proofs of modifications and extensions that provide new functionalities.
The security of the chosen isogeny-based schemes is based on the problem of searching for an isogeny between elliptic curves having all information that a passive adversary could gather listening to the protocols' executions. To break these cryptosystems, one needs to find the secret isogeny between the starting elliptic curve E and the elliptic curve in the public key, e.g., E A . The adversary knows not only the preimage and image curves of the secret isogeny but also the public parameters, i.e., basis points and their images in public keys. One of the main assumption in the chosen schemes is that the additional information does not give any advantage to a passive adversary in solving the problem of computing the isogeny. This assumption remains valid; no known passive attacks use auxiliary points.
The authors of [19] show that an active adversary can reconstruct the secret if parties reuse their secret keys for many protocol executions. A malicious party can send to an honest party a public key with a modified auxiliary point and learn the secret key bit by bit. Currently, there is no known method for an honest party to check if the other public key is malicious. It is required that all parties use ephemeral secret keys or that a generic transformation is used, which allows one party to reuse their secret. SIKE applies such a transformation to SIDH.
The following approaches can be used for finding the secret isogeny.
• Brute-force attack: finding a path from the starting curve E until reaching the curve in the public key, e.g., E A . In brute-force attacks the number of isogeny computations is estimated to be linear to the size of the isogeny graph. It is not the best method for solving the isogeny problem because it does not take advantage of the fact that the secret isogeny has fixed and known degree. The task is in fact easier than a general problem of finding a path among all nodes. The parties take only e A or e B steps in an isogeny graph walk which is much shorter than the diameter of the graph. • Meet in the middle: to depict the method let us use SIDH as an example, and fix p = 2 216 3 137 − 1. We are searching for Alice's secret isogeny φ A : E → E A of degree 2 216 . Instead of trying to find one path, two walks of 108 steps are performed starting from both E and E A . At some point, these walks meet in the middle, and with high probability, these connected two paths form the walk that Alice took. To implement this attack one builds a table of all 2 108 -isogenous elliptic curves to E A . Then, each 2 108 -isogeny is computed from E until a match is found in the The authors of [20] argue that the generic meet in the middle algorithm also is not the best attack. They provide an nalysis showing that the van Oorschot-Wiener golden collision search is the best attack for finding the secret isogeny.
The hypothesis that these classical approaches cannot be improved using quantum computers is based on the following reasoning shown in [21]. To compute a walk of e isogenies it is necessary to compute each isogeny successively. These computations cannot be parallelized because in each step the j-invariant changes. It also applies to quantum computers. Indeed, the author of [22] compares the best classical and quantum attacks and shows that "quantum computers don't really help".

Chosen Schemes
This article reviews by far the most popular isogeny-based protocol, i.e., SIDH. SIDH attracted almost the entire focus of isogeny-based cryptography in recent years. We also review a family of schemes based on SIDH. The main principle that determined which protocol is included in the review was the similarity to SIDH, e.g., in the form of public keys, and the flow of exchanged messages. In each of the reviewed protocols, it is clear how they build on top of SIDH. For this reason, e.g., commutative SIDH (CSIDH) was not included in the review since it differs greatly from SIDH, i.e., there are no auxiliary points exchanged, and it is possible to verify if the other party's key was generated honestly.
Since IBDS, SDVS, undeniable signatures, and SIOT are very much based on SIDH, we shall start the review with that scheme. It is the least complicated and we use it to also show how isogeny operations work in general.

Construction and Algorithms
The Diffie-Hellman key exchange [23] is one of the earliest, practical, cryptographic key exchange protocols. It is also the first publicly known work that proposed the idea of a private key and a corresponding public key. In the traditional Diffie-Hellman, exponents commute to produce a shared secret g ab = (g a ) b = (g b ) a where g is a generator of a multiplicative group G of prime order q such that discrete logarithm problem and computational Diffie-Hellman problem hold, and a, b are private keys of two parties. An efficient algorithm to solve the DLP would make DH key exchange insecure; thus, quantum-secure alternatives are needed.
The scheme that started an increased interest in isogeny based cryptography is supersingular isogeny Diffie-Hellman (SIDH) protocol [10] due to Jao and De Feo. More isogeny systems are based on SIDH so the initial setting is very often the same. SIDH works in the quadratic extensions of large prime fields F p , typically F p 2 = F p (i) with i 2 + 1 = 0; thus, elements can be represented as a + bi where a, b ∈ F p . SIDH takes primes of the form Then, she computes her secret isogeny φ A : E → E A , where E A = E/ S A . This can be done as a composition of e A isogenies of degree A (taking e A steps defined by S A in A -isogeny graph). Alice's public key is the image curve E A and the images of Bob's public basis points: Bob creates his private key by choosing sk B ∈ {0, 1, . . . , e B B − 1} and computing Then, he computes his secret isogeny φ B : This can be done as a composition of e B isogenies of degree B (taking e B steps defined by S B in B -isogeny graph). Bob's public key is the image curve E B and the images of Alice's public basis points: Alice, having her secret integer sk A and Bob's public key, computes the secret subgroup Computations carried out by Alice and Bob are an isogeny graph walk. Both parties start from the initial curve E, then Alice and Bob use their secret values and move to E A with φ A and E B with φ B , respectively. After exchanging their public keys, they can continue their walks. Alice starts from E B and moves to E AB with φ A , Bob proceeds mutatis mutandis and arrives in E BA . Both parties end up in the same node of the isogeny graph so they can use j(E AB ) = j(E BA ) as their shared secret value. The isogeny graph walk of Alice and Bob is shown in Figure 1. A short description of SIDH is given in Table 1.

Remark 1.
Both parties need to include images of each other's basis points through their secret isogenies. A composition of isogenies φ A and φ B does not make sense because of domain and codomain mismatch. Alice needs to start the second part of shared key computations from E B , and Bob needs to start from E A . This problem is solved by moving each other's basis points through the secret isogeny during key generation. In the end, they arrive at the same j-invariant. Except for that one difference, SIDH and classical DH share many common properties, like: both parties compute shared value, having a public key it is infeasible to compute the corresponding secret key, and knowing the secret key it is easy to compute the shared value.

Remark 2.
Since SIDH and classical DH are so similar it seems natural we should be able to construct a lot of isogeny-based schemes based on SIDH just like in classical cryptography. DH is a foundation for many more constructions with a broad set of functionalities and security properties. However, this is not the case in isogeny-based cryptography. In classical cryptography we can use two operations, namely: exponentiation and addition of exponents. So far there is no second operation in isogeny-based cryptography. It seems to be the main difficulty in developing new isogeny-based schemes.

Implementation
SIDH is an interactive protocol between two parties, namely Alice and Bob. They both execute similar operations but using different parameters. Each party is implemented as an object of class Entity; however, objects representing Alice and Bob are created with different sets of parameters.
Comment (Listing 5): In the above listing, the object constructor __init__ corresponds to the key generation algorithm in Table 1. In line 9, a secret key sk is generated. In line 10, a generator S of a secret isogeny kernel is created. In the end, a call to isogeny_graph_walk with the secret key and other party's basis points produce the public key. A shared secret value is computed in the gen_shared_key method, which implements secret generation algorithm in Table 1. In line 20, a new generator S of a secret isogeny kernel is created. That generator is a point on the other party's public key curve. With that value, it is possible to compute the next isogeny in an isogeny graph. The target curves of both parties are in the same node of the graph; thus, its j-invariant is returned as a secret.
Comment (Listing 6): The above listing shows an example code that executes SIDH. First, an Entity A is created for Alice, then an Entity B for Bob. Alice can generate her shared value with Bob by passing object B as an argument to the gen_shared_key method in line 10. Bob computes his shared key with Alice in line 13 by passing object A as an argument to the gen_shared_key method. Both Alice and Bob must compute the same value, that condition is asserted in line 16.

.1. Construction and Algorithms
The scheme published in [11] by Yoo, Azarderakhsh, Jalali, Jao, and Soukharev is the first general-purpose digital signature scheme secure against quantum adversaries based on supersingular elliptic curve isogenies. The scheme uses Unruh's construction [25] of non-interactive zero-knowledge (NIZK) proofs applied to an interactive zero-knowledge proof presented in the same paper as SIDH [10]. This is similar to applying the Fiat-Shamir transform to an interactive zero-knowledge proof to build a secure signature scheme in classical cryptography. The Fiat-Shamir transform is only known to be secure against classical adversaries, as [26,27] show this construction is not secure against quantum computers. The Unruh's construction is secure against quantum adversaries.
The public parameters of the isogeny-based digital signature (IBDS) are similar to the parameters of SIDH with one difference: only generators P B and Q B must be known publicly. IBDS simulates interactions in a sigma protocol using hashes. Parties run the protocol 2λ times, where λ is the security parameter and the challenge domain is {0, 1}. Let G, H be quantum random oracles, G has the same domain and range, while H outputs 2λ bits for challenges. A classical random oracle is modeled as a random hash function O : {0, 1} * → {0, 1} * , it is possible to learn a value O(x) by querying the classical state x. A quantum(-accessible) random oracle can be evaluated in superposition by submitting a quantum state. An attacker can query a random oracle with a superposition of many states, and the oracle must be evaluated at all points in the superposition. Unlike in Fiat-Shamir transform, H will not be evaluated only on the commitments. The parameters for the hash function also include hashes from G of the responses to each possible challenge for each commitment. The signature consists of the commitments, all possible challenges, hashed responses, and responses to the challenges given by H. The verifier gets the same challenge bits from H and verifies the responses in each round. The scheme consists of three algorithms: KeyGen, Sign, and Verify.
To implement KeyGen algorithm, shown in Algorithm 1, it suffices to use an implementation of Alice's key generation procedure from the SIDH protocol.
To generate keys, sample a random point S of order e A A , compute the isogeny φ : E → E/ S and calculate images of public points P B and Q B . Sampling S can be implemented as S = P A + sk Q A for some sk ∈ Z/ e A A Z. The public key is composed of the target curve E/ S and public generators P B , The signing procedure uses Unruh's construction and emulates the execution of an interactive zero-knowledge proof of knowledge.
For each of 2λ rounds of the sigma protocol, a signer chooses a random point R of order e B B (this corresponds to Bob's key generation from SIDH) and continues with all computations in the sigma protocol. Then, the signer hashes all the responses. In the last step, data from all rounds is hashed with the message m to obtain the challenge bits J 1 || . . . ||J 2λ . All of the operations until the very last hash function call can be precomputed in parallel even before the message is known.
Each round of the signing procedure is an independent isogeny graph walk. Figure 2 shows a walk computed in one round of the simulation. The upper part in the isogeny graph is fixed during signing, i.e., the starting point E, the private isogeny φ, and a part of the signer's public key E/ S . The lower part of the figure is random and changes in each round. This simulates the interactions of Alice with different parties. Figure 2. Isogeny graph walk in one round of the signing algorithm.
The signature verification corresponds to the verification of data (commitments, challenges, and responses) in each round of the simulated sigma protocol.
First, a verifier computes the same hash value J 1 || · · · ||J 2λ and checks each ZKP round based on data in the signature. The verification starts with checking the challenge bit for this round, then the hash value for the response selected by the challenge bit is verified. Depending on the challenge bit, properties of the corresponding response are tested. If all checks succeed, then the signature is correct.

Implementation
Before implementations of algorithms are given, it is important to define schemespecific functions used in those algorithms. Both functions are based on a SHA3-256 hash function output. In case of function G, the result is just a SHA3-256 output. This does not influence a proof-of-concept implementation, although random oracle G has the same domain and range according to the scheme. That property of G is used only in the proof that this construction is secure in the quantum oracle model. The proof exploits the fact that the random oracle G is indistinguishable from a random permutation, and replaces G with an efficiently invertible function, which is unnoticeable by any quantum PPT adversary. That modification allows the hashes to be inverted to obtain the hidden responses in the adversary's forged proof. Function H returns an array of integers in {0, 1} of length len, i.e., 2λ. These values correspond to the challenge bits J 1 || . . . ||J 2λ . Usage of SHA3-256 in function H sets the limit of security parameter to λ = 128. The exact definitions of functions G and H can be easily modified to achieve higher security levels.

Comment
Comment (Listing 9): Helper functions used in the verification procedure are also defined. Function generates_kernel checks if a point P generates a kernel of the e -isogeny from E1 to E2 by checking if E2 is the same node as E1/ P in an isogeny graph. Despite the fact that SageMath provides a method to calculate a point's order, it is too expensive to use it in the testing if the point is of the correct order. Instead, function has_order is defined to test if a point P has order e by checking if e multiplications by scalar l bring the point to a point at infinity. return True return False A signer role is implemented similarly to the class Entity from Listing 5, a secret and a public keys are generated with exactly the same code. A scheme specific method gen_shared_key is replaced with a sign method.
Comment (Listing 11): The verification Algorithm 3 is implemented in a form of a standalone function as the verification procedure is universal. The verification of a signature sigma for a message m, allegedly signed by a signer signer, starts with unpacking the signature in line 4. With those values, together with the signer's public key, challenge bits J are computed in line 6. The loop in line 8 tests each round of simulation embedded into the signature. Depending on a challenge bit, the response is verified against the correct hash value in line 9. Then, the commitment and the response are unpacked. Next, the properties of each element are tested with helper functions. In case all the checks succeed, the signature is accepted as valid.  Algorithm 3: Verify(pk, m, σ)

. Construction and Algorithms
The scheme proposed in [12] by Sun, Tian, and Wang is the first strong designated verifier signature scheme that may be secure against a quantum computer. The scheme combines two ideas, the first one is a method of constructing an SDVS based on Diffie-Hellman key exchange, and the second concept used in the proposed construction is SIDH instead of classical key exchange. The public parameters and assumptions of the SDVS scheme are almost the same as in SIDH. Let p = e A A e B B · f ± 1, E(F p 2 ), P A , Q A , P B , Q B be defined exactly as in SIDH. Let H : {0, 1} * → {0, 1} k be a secure hash function, where k is a security parameter.
The key generation Algorithm 4 executes similarly to the SIDH key generation. A signer follows the computations of Alice while a verifier computes as Bob.
The signing algorithm is based on the secret generation steps of Alice from SIDH in Table 1 and introduces operations based on a value shared between a signer and a designated verifier.
To sign a message m for a designated verifier, a signer follows SIDH secret generation and obtains a j-invariant j AB of the final node in an isogeny graph walk of the signer with the designated verifier's public key. The designation part of the signature creation is achieved through the use of the designated verifier's public key in the computations. The signature is created as σ = H(m||j AB ), where || denotes bits concatenation.
In this SDVS scheme, the signature is an HMAC of a message with a shared secret as the key, and the key is established in the execution of SIDH protocol. Both a signer and a designated verifier follow computations of Alice and Bob, respectively, and calculate the shared j-invariant. This value is then concatenated with a message, and the final bits are hashed.
The verification algorithm is also based on the secret generation steps from SIDH but follows computations of Bob in Table 1.
A signature σ for a message m can be verified by a designated verifier as follows: using the verifier's secret key and the signer's public key compute an isogeny graph walk similarly to Bob's computations in SIDH, compute a j-invariant j BA of the final curve, then σ = H(m||j BA ). The signature is correct if and only if σ = σ . The designated verifier can simulate a correct signature for m by outputting σ as the signature.

Implementation
The SDVS scheme is a simple extension of SIDH key exchange; thus, its implementation is heavily based on the SIDH implementation from Section 4.1.

. Construction and Algorithms
The scheme presented in [13] by Jao, and Soukharev is an example of isogeny-based undeniable signature. It is related to SIDH in assumptions and basic principles but introduces more changes than previously described schemes. Let p be a prime of the form , let H : {0, 1} * → Z. In general, the scheme is designed to use points in P A , Q A for keys, points in P M , Q M are associated with messages, and points in P C , Q C are linked to commitments.
A signer creates a key pair (Algorithm 7) following the steps of Alice's key generation in SIDH key exchange. Instead of using Bob's basis points, {P C , Q C } are moved through the secret isogeny.
To sign a message m (Algorithm 8), a signer computes a final node in an isogeny graph walk similarly to an isogeny graph in SIDH. The difference is that instead of Bob's side, values are based on a hash value over the message. The signature consists of E AM and auxiliary points φ M,AM (φ M (P C )), φ M,AM (φ M (Q C )). Isogeny graph walk of signing procedure is shown in Figure 3.

Algorithm 7: KeyGen()
The signature verification is done in an interactive confirmation of E AM . Isogenies used to produce E AM must not be revealed; thus, this curve will be blinded with a third step in an isogeny graph walk. A signer computes commitment as in Algorithm 9.

Algorithm 9: Confirmation-commitment(S
A verifier chooses at random b R ← − {0, 1}. If b = 0, the signer returns resp = ker(φ C ), if b = 1, the signer returns resp = ker(φ C,AC ) and the verifier can continue with verification shown in Algorithm 10. The isogeny graph walk computed during confirmation protocol is shown in Figure 4. The disavowal protocol is executed when a signer wants to prove that a falsified signature (E F , F P , F Q ) for a message m is invalid. Here, E F , F P , F Q correspond to E AM and auxiliary points φ M,AM (φ M (P C )), φ M,AM (φ M (Q C )), respectively. The signer shows that E F is an invalid signature without revealing correct E AM . Elliptic curve E AM must not be disclosed because it is a part of a valid signature over m that the signer does not intend to sign. This can be achieved by blinding E AM once again to obtain E AMC . Additional information allows the verifier to compute E FC and then verify that E FC = E AMC . The disavowal protocol begins similarly to confirmation protocol, i.e., the signer sends E C , E AC , E MC , E AMC , ker(φ C,MC ) as the commitment, more detailed steps are provided in Algorithm 9.
A verifier chooses at random b R ← − {0, 1}. If b = 0, the signer returns resp = ker(φ C ), if b = 1, the signer returns resp = ker(φ C,AC ) and the verifier checks all properties as given in Algorithm 11. Disavowal-verification(comm, b, resp, m, σ) if b = 0 then compute φ C compute φ M,MC using knowledge of ker(φ M ) compute φ A,AC using the signer's public key compute φ F : The isogeny graph walk computed during disavowal protocol is shown in Figure 5.

Implementation
The undeniable signature scheme needs the most changes among all schemes described in this work. The implementation of the scheme differs in many aspects compared to SIDH, including public parameters. In the implementation, isogenies are called explicitly only in the isogeny_graph_walk function. The rest of the code operates on elliptic curves, their j-invariants, and points on elliptic curves. This is because the schemes use e -isogenies, while such isogeny never exists in a running program. An e -isogeny is always computed as a composition of e individualisogenies. However, the undeniable signatures scheme needs to move a varying number of points through e -isogenies; thus, the isogeny_graph_walk function accepts a list of points.
All computations of a signer are grouped as methods of class Signer.
Comment (Listing 21): Object constructor __init__ creates a private key of a signer and computes a corresponding public key in the gen_pub_key method as a triple of the secret isogeny's target curve and images of P C , Q C . The sign method implements Algorithm 8. A secret integer for a message m together with a generator SM are computed in lines 15 and 16. The generator is used to calculate an elliptic curve EM in line 17 and images of basis points. Then, the basis points connected with commitments are moved from the elliptic curve EM to EAM. These points and the elliptic curve EAM together are returned as a signature.
Both confirmation and disavowal protocols use commitments of the same form. The get_commitment_conf methods is used during confirmation protocol. Before a signer proceeds with its execution, a signature in question is checked. In case a signer concludes this is not a legitimate signature, an exception is raised in line 27 and no commitment is sent. When a signer decides to participate in the confirmation protocol, a commitment is returned according to the scheme. Algorithm 9 is implemented in the get_commitment_disavow method. In line 34, a random value is generated. Then, elliptic curves EC, EMC, EAC, and EAMC are computed. All auxiliary points that are needed are also moved through the corresponding isogenies. In line 43, responses are saved for later use. Curves EC, EMC, EAC, EAMC, and kernel ker(φ C,MC ) are returned as a commitment.
The get_response method simply returns a correct response saved before, depending on a challenge bit b.
The confirmation and disavowal protocols are implemented as methods of the class Verifier. However, both methods could be plain functions as the scheme does not authenticate a verifier. The above listing presents the confirmation protocol.
Comment (Listing 22): The confirmation method takes a message m, a signature signature, and a signer Signer as parameters. The verifier asks the signer to execute the confirmation protocol with a call to the get_commitment_conf method in line 4 with the message and the signature. In case the signer throws an exception, the execution is aborted. This corresponds to a situation in which the signer claims the signature is forged. In that scenario, both parties could engage in the disavowal protocol covered below. Otherwise, a commitment is returned and stored in comm. In lines 8 and 9, the verifier coins at random a challenge bit b and asks for a response resp. Starting from line 12, Algorithm 10 is implemented. Depending on the challenge bit b, the correct response is unpacked. Then, codomains of isogenies are computed according to the algorithm. Both loops in lines 24 and 41 verify recomputed elliptic curves against the commitment. In line 29, the kernel from the commitment is also verified. The disavowal protocol is implemented in the disavowal method defined below.
Comment (Listing 23): The disavowal method also takes a message m, a signature signature, and a signer Signer as parameters. The verifier asks the signer to execute the disavowal protocol with a call to the get_commitment_disavow method in line 3 with the message and the signature. This time no exception is expected at that point. In lines 4 and 5, the verifier coins at random a challenge bit b and asks for a response resp. Starting from line 8, Algorithm 11 is implemented. The verification in disavowal protocol executes somewhat similarly, i.e., in one case a different elliptic curve is computed and the verification is extended. In line 18, the elliptic curve E FC (see Figure 5) is computed, then it is verified against E AMC in line 31. The else clause in line 33, similarly to the confirmation protocol, checks that the right face of the cube commutes, i.e., the commitment is correct. Comment (Listing 24): The above listing shows an example code executing the undeniable signatures scheme. In the first line, the security parameter lamb (or λ) that controls the number of rounds is set to 128. In lines 5 and 6, two signers S1 and S2 are created. The while loop in 7 ensures these two signers have different public keys. It is forced by the usage of such small parameters in the implementation. A verifier V is created in line 9, and both signers sign the same message m in lines 13 and 14. In line 17, the confirmation protocol is used with a valid message-signature-signer combination. The confirmation method calls from lines 18 and 19 test the cases where a signer is presented with a modified message and someone's else signature, respectively. In line 25, the disavowal method is called with a correct message-signature-signer combination. Lines 26 and 27 execute disavowal protocol for a modified message and different signature cases, respectively. Comment (Listing 25): This listing presents the output of the above program. It shows that the correct signature was successfully confirmed while an altered message and somebody's else signature were detected. The signer refused to proceed with the execution and threw exceptions. The signer was unable to prove that they did not sign a previously signed message. However, disavowal succeeded for an altered message and an invalid signature.

. Construction and Algorithms
The scheme due to Barreto, Oliveira, and Benits proposed in [14] is Oblivious Transfer (OT) protocol based on supersingular isogenies. This construction is a combination of the OT scheme of Chou and Orlandi [28], and SIDH. Once again, the public parameters of SIOT are based on SIDH. In OT scheme the sender (Alice) has two messages x 0 , x 1 and wants to send one of them to the receiver (Bob). Bob can choose which message he will receive and will never learn the other message. The choice of Bob is unknown to Alice. Let M be a set of all messages with binary strings of fixed length and (x 0 , x 1 ) ∈ M. Let C be a set of all ciphertexts with binary strings of fixed length and (c 1 , c 2 ) ∈ C. Alice and Bob agree to use a symmetric encryption scheme Enc(j, x) taking a shared key j and a message x to encrypt. The shared key j is a j-invariant of a shared supersingular elliptic curve.
The scheme needs a secure coin-flipping subprotocol so Alice and Bob can agree on an ephemeral, uniformly random bit string w. That part of the scheme is not covered in this article, the authors of SIOT suggest to use, e.g., Wagner's bit commitment protocol [29]. Alice and Bob also need to agree on a deterministic algorithm that maps w into a pair of points U, V ∈ E B [ e A A ]. The key generation algorithm for Alice executes just like in SIDH. However, Bob on top of SIDH computations will also modify his key depending on his choice b of the message to receive.
Alice, upon receiving Bob's public key, is able to generate the same points U, V. Now Alice needs to encrypt her two messages. To do so securely, she first computes two keys (j-invariants) by taking isogeny graph walks.
Bob can follow SIDH steps to compute the elliptic curve shared with Alice-but only the one that corresponds to his choice b.

Implementation
Although SIOT is heavily based on SIDH, it introduces a lot of modifications in the middle of computations. On top of that, computations of Alice and Bob are not symmetrical. Those properties make it difficult to reuse previous implementations for SIOT. Most of helper functions (e.g., isogeny walk) and global parameters of SIDH can be reused. The following listing presents new and modified helper functions for SIOT.

Comment (Listing 26):
The get_key function is a wrapper for the SHA3-256 hash function that returns 16 byte long keys for any input j. The get_u_v function is used by Alice and Bob to obtain the shared points U, V. Both parties hash the bit string w to compute the coefficients α and β. Bob computes U = αG B + βH B and V = − α β V. The coefficients α, β are computed as SHA3-256 hashes of w with appended bitstring alpha in line 10 and beta in line 14, respectively. Alice can use exactly the same computations to obtain the correct points. She will useĜ B andĤ B instead of G B and H B . It will work in both possible values of blinded public key of Bob. After obtaining coefficients, U is computed in line 15, and V in line 18. Note that α, β ∈ Z/ e A A Z, and inversion of β is also calculated modulo e A A . The following listing contains the modified definition of SIDH's Entity class which will be a base class for Alice and Bob.
Comment (Listing 27): The only difference between SIDH and SIOT in the definition of class Entity is that the method gen_shared_key takes an elliptic curve and two points instead of the other party's object. It is because Bob works on the public key of Alice, but Alice works on the blinded public key of Bob. self.sk = random.randrange(self.l ** self.e) 10 self.S = self.P + self.sk * self.Q # assert self.l ** self.e == self.S.order() self.pk = self.gen_pub_key(get_other(self.name)) The class Alice inherits from the Entity class and is a container for computations of Alice. In this case an object representing Alice is initiated with a given bitstring w. In practice, Alice and Bob would use a secure coin-flipping protocol to agree on a uniformly random bit string. We did not implement it as it is not relevant to isogenies. In line 5, Alice creates two random messages x. Those messages are encrypted according to Algorithm 12 in the produce_response function that takes the blinded public key of Bob pk_hat_B. She computes two j-invariants in line 12 and encrypts the ith message in line 15. The key used for encryption is derived from the corresponding j-invariant in line 13.
Comment (Listing 29): The class Bob inherits from the Entity class and is a container for computations of Bob. Since the focus is on isogeny-based cryptography, Bob is given the same w just like Alice. In line 5, Bob chooses the message b and in lines 7-10 blinds his public key according to Algorithm 13. The function get_result is used to decrypt the chosen message according to Algorithm 14. The shared j-invariant is computed in line 14, which is then used to derive the correct AES key in line 15. The bth message is decrypted in line 16.
return ((pk A , sk A ), (pk B , sk B )) Algorithm 14: Decrypt(sk B , c 0 , c 1 , pk A ) Comment (Listing 30): The listing shows an example code that executes SIOT. First, a bitstring w is created. Note that in practice Alice and Bob would use a secure coin-flipping protocol to compute that value. Then, objects for Alice A and Bob B are created. In line 13, the method produce_response of Alice is used to compute ciphertexts c. The blinded key of Bob pk_hat is used as the input. The get_result method of Bob with public key of Alice is used in line 16 to decrypt the chosen message xb. Bob must obtain the same value as the one in possession of Alice. The assertion in line 19 checks that condition.

Error-Prone Applications
The last 10 years have seen a rapid development of isogeny-based cryptography. Many new constructions and protocols are based on the SIDH key exchange from 2011. The increased interest in cryptographic systems based on isogenies was caused, among others, by similarities of SIDH to classical cryptography key exchange. New solutions are searched for in order to bring more functionalities from classical cryptography to post-quantum. Some techniques can be used: Unruh's construction, SDVS from HMAC, and PAKE using encryption. However, usage of such generic methods does not make automatically the resulting scheme secure. New construction can be vulnerable, PAKE scheme from Section 5.2 is an example. Even though the scheme is based on secure SIDH protocol and correct construction from Section 5.1 it is vulnerable. The attack [30] on that scheme is presented in Section 5.3.
All of the schemes described in Section 4, except SIDH, are based on the SIDH key exchange. The chosen schemes show specific constructions, that can turn a key exchange protocol into different types of cryptographic primitives. Some of these constructions are described in this section. Most of them are similar to constructions used in classical cryptography or present the same, generic approach.

Generic Constructions
Unruh's construction: As the Fiat-Shamir transform might not be secure against quantum computers, it would be very practical to have an analogous construction that is proven to be quantum-safe. The scheme described in Section 4.2 uses a quantum-resistant alternative to the Fiat-Shamir transform, known as Unruh's construction. Since the scheme is closely linked to that concept, its more detailed description is also provided in Section 4.2.
Unruh's construction transforms an interactive zero-knowledge proof system into a non-interactive one. It follows that Unruh's construction can be used to build signature schemes similarly to classical cryptography, i.e., based on previous constructions. It is a crucial property of cryptography as it is easier to build new schemes and analyze their security if some well-studied building blocks are reused.
Unruh's construction applies to any interactive zero-knowledge proof system, not only isogeny-based ones. Thus, it is a very important building block of all post-quantum cryptography.
SDVS from HMAC: In the literature, several classical strong designated verifier signature schemes based on HMAC have been proposed, e.g., [31][32][33]. The general construction used in the verification algorithm of message-signature pair (m, σ) uses the verification equation like: where H is some public and secure hash function, and k is a key. The key k can be computed as where values x are secret keys, and y are corresponding public keys of parties A and B. Any key exchange protocol can be used to compute a key for HMAC, including more advanced variants such as a pairing-based key exchange. An isogeny-based example of an SDVS scheme is described in Section 4.3.
It is sometimes argued, e.g., [34], that this construction is not a signature scheme. Most of the SDVS schemes do not have the undeniability property. Such SDVS schemes are more like a message authentication code rather than a digital signature, and that could be problematic. PAKE using encryption: In classical cryptography, the Diffie-Hellman key exchange can be tweaked in many straightforward ways to construct PAKE schemes, e.g., EKE [35], SPEKE [36], PAK [37]. Encrypted Key Exchange (EKE) is general construction, that can add mutual authentication on top of any existing key exchange protocol. At least one party encrypts an ephemeral public key using a password, and only then sends it to a second party. The second party first decrypts the message with the same password, then continues with computation of a shared key according to the underlying protocol.
EKE-like encryption is a popular method of constructing PAKEs. This approach is used in EAP-EKE [38], and there is an isogeny-based SIDH-EKE scheme.

Construction and Algorithms
The first password-authenticated key agreement methods are Encrypted Key Exchange (EKE) methods [35]. The scheme is based on the Diffie-Hellman key exchange and introduces one modification. Instead of exchanging public keys in a clear form, the messages are encrypted with a shared password. The scheme SIDH-EKE due to Terada, and Yoneyama presented in [39] is a straightforward construction based on SIDH instead of classical DH.
All parameters of SIDH-EKE are defined as in SIDH. Let (Enc, Dec) be a symmetric key encryption scheme where Enc is an encryption algorithm and Dec is a decryption algorithm. Alice and Bob have a password pw.
In SIDH-EKE, public keys are generated as in SIDH but the keys are never published in a clear form. Alice and Bob both encrypt their keys with symmetric cipher and a password known only to them.
After exchanging the ciphertexts, Alice and Bob can decrypt each other's public keys with the same password. That way they achieve mutual authentication. Having public keys in a clear form, they can proceed with computations just like in the secret generation of SIDH.

Implementation
The SIDH-EKE scheme is a simple extension of the SIDH scheme; thus, both implementations are quite similar. The implementation uses AES for public-key encryption and defines a function to transform a short password into a usable AES key.
Comment (Listing 32): The get_key function is a wrapper for the SHA3-256 hash function that returns 16 byte long keys for any input pw. Parties Alice and Bob are implemented as objects of a modified class Entity.

Attack on SIDH-Eke
Although EKE scheme is secure in a classical setting and EAP-EKE is successfully used in practice, the isogeny-based straightforward construction SIDH-EKE from Section 5.2 is susceptible to man-in-the-middle and offline dictionary attacks. The following attack was presented in [30].
For the SIDH-EKE scheme to be secure, public keys must be indistinguishable from random bitstrings. This property is necessary to fulfill the offline dictionary attack resistance security requirement of PAKE. However, in practice, public keys of SIDH are distinguishable from random bitstrings; thus, it is possible to construct an oracle that can determine if a password guess was correct.
A passive eavesdropper Eve can observe SIDH-EKE execution between Alice and Bob. After key generation Algorithm 15 finishes, Alice and Bob exchange encrypted public keys pk A = Enc pw (E A , φ A (P B ), φ A (Q B )), and pk B = Enc pw (E B , φ B (P A ), φ B (Q A )). Eve can perform an offline dictionary attack on Alice's public key as shown in Algorithm 17, analogous approach can be applied for public key of Bob.
In SIDH, a public key is a structured data set, a triple of the form (E, φ(P), φ(Q)), where E is a supersingular elliptic curve, and φ(P), φ(Q) are basis points. The authors of SIDH-EKE claim the scheme prevents offline dictionary attacks because the attacker cannot determine if a password guess is valid or not. That is because the encryption scheme is modeled as an ideal cipher. However, it is simple to check if the decryption of a public key yields valid values. Eve can observe Alice sending her public key pk A , and then try to guess a password pw . For each password, Eve decrypts the key Dec pw (pk A ), parses the values (E A , φ A (P B ) , φ A (Q B ) ) and checks all properties according to Algorithm 17. For a random password, the probability that even some of these criteria are met is extremely low, so if all checks succeed, pw is a correct guess with high probability.
Algorithm 17: SIDH offline dictionary attack observe pk A guess pw and decrypt ( The same reasoning applies to optimized practical implementations of SIDH and SIKE. Even when the public parameters are compressed, e.g., sending the x-coordinates φ A (P B ), φ A (Q B ), and φ A (Q B − P B ) instead of directly sending the elliptic curve, enough information is sent to recover E A , φ A (P B ), and φ A (Q B ). Thus, the offline dictionary attack is still applicable.
The original EKE scheme is based on discrete logarithm; thus, unencrypted public keys are just very large numbers. A decryption of a public key with a random password would produce a bitstring that can be interpreted as a number, so it could be a valid public key. As a result, a password oracle similar to SIDH-EKE does not exist. An elliptic curve discrete logarithm variant of EKE would be also vulnerable to offline dictionary attacks.
Another isogeny-based PAKE is presented in [40]. The protocol does not use encryption of public keys, instead, auxiliary points are obfuscated with a reversible algebraic operation.
Remark 3. Some of isogeny-based schemes use exactly the same or very similar, generic constructions known in classical cryptography to achieve new security properties from other types of cryptographic primitives. Analogies between SIDH and DH may suggest that some constructions should be secure against attacks against quantum computers. However, cryptography is tricky and it is not always true. Some mistakes may render isogeny-based schemes vulnerable even against classical computers. SIDH-EKE is an example and a valuable lesson.

Computational Complexity and Benchmarks
This section contains time measurements of the implementations. The previous sections show only executions of the scheme as a whole together with time measurements from one run. Averaged time measurement in seconds of many runs of each of the algorithms from Section 4 is also provided. When applicable, different schemes are also compared. Tests were run on a single core of Intel Core i7-9750H processor. Table 2 contains measurements of running times of the key generation and secret generation algorithms. The benchmark was run using SIKEp434 [16] parameters, i.e., p = 2 216 3 137 − 1.  Table 2 it is possible to draw two conclusions.

Supersingular Isogeny Diffie-Hellman Key Exchange (SIDH)
• Bob can generate his key and a shared secret faster than Alice. It follows from the choice of parameters, Alice has to compute 216 isogenies of degree 2, while Bob computes 137 isogenies of degree 3. For different parameters from SIKE specification, Bob always needs to compute a smaller number of isogenies than Alice. • Although Alice always computes 216 isogenies of degree 2, and Bob computes 137 isogenies of degree 3, for both parties secret value generation is faster than a key generation. The difference between the key and shared value generation algorithms is that during secret value generation no auxiliary points need to be moved, thus allowing shorter running times.

Isogeny-Based Digital Signature (Ibds)
Table 3 contains measurements of running times of the key generation, signing, and verification algorithms. The benchmark was run using SIKEp434 [16] parameters, i.e., p = 2 216 3 137 − 1, and the security parameter λ = 8.  Table 3 shows results matching Table 2. The running time of the IBDS key generation algorithm is similar to the running time of key generation of Alice in SIDH. It is expected since those algorithms perform the same computations. The running time of the signing algorithm also matches the expected time, i.e., it is about 2λ times longer than SIDH Bob's key and secret generation. The running time of the verification algorithm matches the expected time of 2λ · 1.5 times longer than SIDH Bob's secret generation. The 1.5 cofactor is a result of the fact that depending on the challenge bit, 2 or 1 values of the response are validated in each of the 2λ rounds. Table 4 contains measurements of running times of the key generation, signing, and verification algorithms. The benchmark was run using SIKEp434 [16] parameters, i.e., p = 2 216 3 137 − 1. The SDVS scheme is heavily based on the SIDH key exchange. The running times of the key generation algorithm for a signer and a verifier are similar to the times of SIDH Alice and Bob, respectively. The time needed for signing matches the time of Alice's secret generation, while verification takes as much as Bob's secret generation. All of these results are expected. Table 5 contains measurements of running times of the key generation, signing, confirmation, and disavowal algorithms. The benchmark was run using toy-size parameters, i.e., p = 3 3 2 4 5 2 − 1, and the security parameter λ = 128. In the case of the undeniable signatures implementation, it is difficult to compare the results to the previous implementations. The scheme differs the most from the other schemes and the implementation uses a different set of parameters. Comparing orders of magnitude of running times of the key generation algorithms across all implementations it is expected that running times of the confirmation and disavowal protocols will increase at least a few hundred times if parameters matching SIKEp434 are used. The difference between times of the confirmation and disavowal protocols in Table 5 is caused by the fact that in each round of the confirmation protocol a signer checks the validity of a signature before a commitment is returned. The time needed for the confirmation protocol can be reduced to time close to the running time of disavowal protocol if each of the λ rounds is not treated as a completely independent execution, i.e., a signer would check a signature only once and then return λ commitments. Table 6 presents running times of algorithms executed in SIOT. The benchmark was run using SIKEp434 [16] parameters, i.e., p = 2 216 3 137 − 1. Times measured during the key generation algorithm execution are very similar to the times of corresponding values in Table 2. Both parties in SIOT need to execute additional steps on top of SIDH computations. Alice chooses two random messages while Bob chooses bit b and performs some point computations on an elliptic curve. However, all of those new steps are inexpensive when compared to computational cost of isogeny computations.

Supersingular Isogeny Oblivious Transfer (SIOT)
The time needed for decryption of the message chosen by Bob matches the time of Bob's secret generation in SIDH. It is expected since the only additional step in SIOT is the decryption of the message with the shared secret as the key. Alice needs about twice as much time for encryption as Alice needs to compute shared secret in SIDH. That correlation follows from the fact that in SIOT Alice has to compute two different keys-one for each of the messages.

Conclusions
The goal of this article was a review of the state-of-the-art functionalities provided by existing isogeny-based cryptosystems. The schemes include key exchange protocol, oblivious transfer, and several types of digital signatures. For each of the schemes, similarities between them and analogies to classical cryptography were highlighted. The research covers a detailed description of chosen isogeny-based schemes. Software solutions for isogeny-based cryptography were briefly discussed and the chosen schemes were implemented. The goal of implementations was not maximum performance but clarity of code that could help to understand the schemes and isogeny-based cryptography in general. Common blocks of the implementations can be used for fast prototyping of new cryptosystems. In the end, time benchmarks were provided for comparison.
From the conducted research and implementation work, the following conclusions can be drawn.

•
The properties of SIDH imply it can be a natural candidate to replace commonly used Diffie-Hellman and elliptic curve Diffie-Hellman key exchange. • Analogies between SIDH and DH caused rapid development of isogeny-based cryptosystems using constructions analogous to classical cryptography. • SIDH key can be used for symmetric encryption schemes, similarities of SIDH and DH allow building ElGamal-like public key encryption. • Isogeny-based cryptography needs a more cautious approach, PAKE that is badly designed in an obvious way is a valuable lesson. • Most of the post-quantum isogeny signatures are far from being practical; however, some more practical signatures exist, e.g., CSI-FiSh [41].