Advertisement

How to Construct CSIDH on Edwards Curves

  • Tomoki MoriyaEmail author
  • Hiroshi Onuki
  • Tsuyoshi Takagi
Conference paper
  • 61 Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12006)

Abstract

CSIDH is an isogeny-based key exchange protocol proposed by Castryck, Lange, Martindale, Panny, and Renes in 2018. CSIDH is based on the ideal class group action on \(\mathbb {F}_p\)-isomorphism classes of Montgomery curves. In order to calculate the class group action, we need to take points defined over \(\mathbb {F}_{p^2}\). The original CSIDH algorithm requires a calculation over \(\mathbb {F}_p\) by representing points as x-coordinate over Montgomery curves. Meyer and Reith proposed a faster CSIDH algorithm in 2018 which calculates isogenies on Edwards curves by using a birational map between a Montgomery curve and an Edwards curve. There is a special coordinate on Edwards curves (the w-coordinate) to calculate group operations and isogenies. If we try to calculate the class group action on Edwards curves by using the w-coordinate in a similar way on Montgomery curves, we have to consider points defined over \(\mathbb {F}_{p^4}\). Therefore, it is not a trivial task to calculate the class group action on Edwards curves with w-coordinates over only \(\mathbb {F}_p\).

In this paper, we prove a number of theorems on the properties of Edwards curves. By using these theorems, we extend the CSIDH algorithm to that on Edwards curves with w-coordinates over \(\mathbb {F}_p\). This algorithm is as fast as (or a little bit faster than) the algorithm proposed by Meyer and Reith.

Keywords

Isogeny-based cryptography Montgomery curves Edwards curves CSIDH Post-quantum cryptography 

Notes

Acknowlegements

This work was supported by JST CREST Grant Number JPMJCR14D6, Japan.

References

  1. 1.
    Azarderakhsh, R., et al.: Supersingular isogeny key encapsulation. Submission to the NIST Post-Quantum Standardization Project (2017)Google Scholar
  2. 2.
    Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-68164-9_26CrossRefGoogle Scholar
  3. 3.
    Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-76900-2_3CrossRefGoogle Scholar
  4. 4.
    Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03332-3_15CrossRefGoogle Scholar
  5. 5.
    Cervantes-Vázquez, D., Chenu, M., Chi-Domínguez, J.-J., De Feo, L., Rodríguez-Henríquez, F., Smith, B.: Stronger and faster side-channel protections for CSIDH. In: Schwabe, P., Thériault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 173–193. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-30530-7_9CrossRefGoogle Scholar
  6. 6.
    Costello, C., Hisil, H.: A simple and compact algorithm for sidh with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 303–329. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9_11CrossRefGoogle Scholar
  7. 7.
    Costello, C., Smith, B.: Montgomery curves and their arithmetic: the case of large characteristic fields. IACR Cryptology ePrint Archive, 2017:212 (2017). https://ia.cr/2017/212
  8. 8.
    Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Designs Codes Cryptogr. 78, 425–440 (2016)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Edwards, H.: A normal form for elliptic curves. Bull. Am. Math. Soc. 44, 393–422 (2007)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Farashahi, R.R., Hosseini, S.G.: Differential addition on twisted edwards curves. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10343, pp. 366–378. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-59870-3_21CrossRefGoogle Scholar
  11. 11.
    Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-89255-7_20CrossRefGoogle Scholar
  12. 12.
    Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25405-5_2CrossRefzbMATHGoogle Scholar
  13. 13.
    Kim, S., Yoon, K., Park, Y.-H., Hong, S.: Optimized method for computing odd-degree isogenies on Edwards curves. IACR Cryptology ePrint Archive, 2019:110 (2019). https://ia.cr/2019/110. (to appear at ASIACRYPT 2019)
  14. 14.
    Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Meyer, M., Campos, F., Reith, S.: On lions and elligators: an efficient constant-time implementation of CSIDH. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 307–325. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-25510-7_17CrossRefGoogle Scholar
  16. 16.
    Meyer, M., Reith, S.: A faster way to the CSIDH. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 137–152. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-05378-9_8CrossRefGoogle Scholar
  17. 17.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986).  https://doi.org/10.1007/3-540-39799-X_31CrossRefGoogle Scholar
  18. 18.
    Montgomery, P.L.: Speeding the pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987)MathSciNetCrossRefGoogle Scholar
  19. 19.
    Moody, D., Shumow, D.: Analogues of Vélu’s formulas for isogenies on alternate models of elliptic curves. Math. Comput. 85, 1929–1951 (2016)CrossRefGoogle Scholar
  20. 20.
    Moriya, T., Onuki, H., Takagi, T.: How to construct CSIDH on Edwards curves. IACR Cryptology ePrint Archive, 2019:843 (2019). https://ia.cr/2019/843
  21. 21.
    National Institute of Standards and Technology. Post-quantum cryptography standardization, December 2016. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization
  22. 22.
    Onuki, H., Aikawa, Y., Yamazaki, T., Takagi, T.: (Short Paper) A faster constant-time algorithm of CSIDH keeping two points. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 23–33. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-26834-3_2CrossRefGoogle Scholar
  23. 23.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)Google Scholar
  25. 25.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41, 303–332 (1999)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Silverman, J.H.: The Arithmetic of Elliptic Curves, vol. 106. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-0-387-09494-6 CrossRefzbMATHGoogle Scholar
  27. 27.
    Vélu, J.: Isogénies entre courbes elliptiques. CR Acad. Sci. Paris Sér. A 305–347 (1971)Google Scholar
  28. 28.
    Waterhouse, W.C.: Abelian varieties over finite fields. In: Annales scientifiques de l’École Normale Supérieure, pp. 521–560 (1969)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Department of Mathematical InformaticsThe University of TokyoBunkyōJapan

Personalised recommendations