Computing Isogenies Between Montgomery Curves Using the Action of (0, 0)
A recent paper by Costello and Hisil at Asiacrypt’17 presents efficient formulas for computing isogenies with odd-degree cyclic kernels on Montgomery curves. We provide a constructive proof of a generalization of this theorem which shows the connection between the shape of the isogeny and the simple action of the point \((0,0)\). This generalization removes the restriction of a cyclic kernel and allows for any separable isogeny whose kernel does not contain \((0,0)\). As a particular case, we provide efficient formulas for 2-isogenies between Montgomery curves and show that these formulas can be used in isogeny-based cryptosystems without expensive square root computations and without knowledge of a special point of order 8. We also consider elliptic curves in triangular form containing an explicit point of order 3.
KeywordsVélu’s formulas Montgomery form 2-isogenies SIDH Post-quantum cryptography
I would like to thank Craig Costello for valuable suggestions and feedback during the creation of this document, and Chloe Martindale for comments on a first version of the paper, in particular to improve the proof of Theorem 1. I thank the anonymous reviewers of PQCrypto 2018 for their constructive comments.
- [Acc99]Accredited Standards Committee X9. American National Standard X9.62-1999, Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA). Technical report, ANSI (1999)Google Scholar
- [CH17]Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. Cryptology ePrint Archive, Report 2017/504 (2017)Google Scholar
- [CLN16b]Costello, C., Longa, P., Naehrig, M.: SIDH Library (2016). http://research.microsoft.com/en-us/downloads/bd5fd4cd-61b6-458a-bd94-b1f406a3f33f/
- [Cou06]Couveignes, J.M.: Hard Homogeneous Spaces. IACR Cryptology ePrint Archive (2006)Google Scholar
- [KAK16]Koziel, B., Azarderakhsh, R., Mozaffari-Kermani, M.: Fast hardware architectures for supersingular isogeny diffie-hellman key exchange on FPGA. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 191–206. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49890-4_11CrossRefGoogle Scholar
- [RS06]Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive, 2006:145 (2006)Google Scholar
- [Sho94]Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, 1994 Proceedings, pp. 124–134. IEEE (1994)Google Scholar
- [ZJP+17]Zanon, G.H.M., Simplicio Jr., M.A., Pereira, G.C.C.F., Doliskani, J., Barreto, P.S.L.M.: Faster isogeny-based compressed key agreement. Cryptology ePrint Archive, Report 2017/1143 (2017). https://eprint.iacr.org/2017/1143