Efficient Isogeny Computations on Twisted Edwards Curves

Kim, Suhri; Yoon, Kisoon; Kwon, Jihoon; Hong, Seokhie; Park, Young-Ho

doi:https://doi.org/10.1155/2018/5747642

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2018 | Article ID 5747642 | https://doi.org/10.1155/2018/5747642

Efficient Isogeny Computations on Twisted Edwards Curves

Suhri Kim,¹Kisoon Yoon,²Jihoon Kwon,¹Seokhie Hong,¹and Young-Ho Park³

Academic Editor: Mun-Kyu Lee

Received06 Apr 2018

Accepted26 Jun 2018

Published15 Jul 2018

Abstract

The isogeny-based cryptosystem is the most recent category in the field of postquantum cryptography. However, it is widely studied due to short key sizes and compatibility with the current elliptic curve primitives. The main building blocks when implementing the isogeny-based cryptosystem are isogeny computations and point operations. From isogeny construction perspective, since the cryptosystem moves along the isogeny graph, isogeny formula cannot be optimized for specific coefficients of elliptic curves. Therefore, Montgomery curves are used in the literature, due to the efficient point operation on an arbitrary elliptic curve. In this paper, we propose formulas for computing 3 and 4 isogenies on twisted Edwards curves. Additionally, we further optimize our isogeny formulas on Edwards curves and compare the computational cost of Montgomery curves. We also present the implementation results of our isogeny computations and demonstrate that isogenies on Edwards curves are as efficient as those on Montgomery curves.

1. Introduction

The security of public key cryptosystems is mostly based on a number of theoretic problems such as the hardness of factoring large numbers or solving discrete logarithms over the finite field. However, due to Shor’s algorithm, these problems can be solved in polynomial time by the quantum adversary, consequently threatening the security of current public key cryptosystems [1]. Therefore, demands for quantum-secure cryptographic primitives are inevitable.

Postquantum cryptography (PQC) is alternative cryptographic primitives that are safe against the quantum adversary. Numerous studies have been made on PQC in order to substitute or interoperate with existing systems. The main categories of PQC are multivariate-based cryptography, code-based cryptography, lattice-based cryptography, hash-based digital signature, and isogeny-based cryptography. Although isogeny-based cryptography is the most recent field in PQC, it is considered as one of the prominent candidates due to its short key sizes and the reason that it can be implemented over currently used elliptic curve primitives.

The security of isogeny-based cryptography is based on the hardness of finding isogeny between given two elliptic curves. The first isogeny-based cryptosystems using ordinary elliptic curves were proposed by Couveignes and later by Stolbunov [2, 3]. The proposed scheme was extremely inefficient and even suffered from the quantum subexponential algorithm proposed by Childs et al. [4]. In 2011, Jao and De Feo presented a new cryptosystem based on the difficulty of constructing isogenies between supersingular elliptic curves, which is still infeasible against the known quantum attacks [5]. In 2016, Azarderakhsh et al. proposed a key compression method for supersingular isogeny key exchange, which was later improved by Costello et al. [6, 7]. Azarderakhsh et al. also implemented key exchange protocol on ARM-NEON and FPGA devices [8, 9]. Costello et al. proposed faster computation methods and library for supersingular isogeny key exchange [10]. In 2017, isogeny-based digital signature schemes were proposed by Galbraith et al. and Yoo et al., which brought diversity in the isogeny-based cryptography [11, 12]. Additionally, after the National Institute of Standards and Technology (NIST) announced a standardization project for PQC, Supersingular Isogeny Key Encapsulation (SIKE) was submitted as one of the candidates [13]. As stated above, extensive researches have been done in isogeny-based cryptography.

Since any curve in isogeny-based cryptosystem has group structure , for prime , either the curve or its twist has a point of order four [5]. As a result, it is isomorphic to a twisted Edwards curve and to a Montgomery curve [14]. Moreover, as coefficients of the elliptic curves change randomly in the isogeny-based cryptosystem, Montgomery curves are used in the state-of-the-art implementations. This is due to the fact that Montgomery ladder reduces the cost of point operations on Montgomery curves compared with any other forms of elliptic curves. However, whether other forms of elliptic curves are efficient as Montgomery curves is still unclear. Costello et al. proposed explicit formulas for 3 and 4 isogenies and also remarked that there might exist savings to be gained in Supersingular Isogeny Diffie–Hellman (SIDH) twisted Edwards version [15]. Meyer et al. proposed the hybrid SIDH scheme which exploits the fact that arithmetic in Edwards curves are efficient in certain cases [16]. Their method uses Edwards curves for point operations and Montgomery curves for isogeny computation. Independent from isogeny-based cryptosystem, Moody and Shumow were the first to propose isogeny formula on elliptic curves other than Weierstrass form [17]. They applied Vélu’s formula on twisted Edwards curves and Huff curves. However, isogeny construction on these curves for cryptographic usage has not been done.

The aim of this work is to identify whether (twisted) Edwards curves are as efficient as Montgomery curves for isogeny-based cryptosystems. The following list details the main contributions of this work.(i)We propose the optimized 3- and 4-isogeny formulas on twisted Edwards curves to be applied in the isogeny-based cryptography. Previous works on constructing isogenies on alternate curves are mostly for the theoretical foundations. To the best of our knowledge, we are the first to propose 4-isogeny formula on (twisted) Edwards curves, given an arbitrary subgroup. The details of our isogeny formulas on twisted Edwards curves are presented in Section 3.(ii)We propose the optimized 3- and 4-isogeny formulas on Edwards curves. The proposed 3- and 4-isogeny formulas on Edwards curves require 6M+5S and 7M+5S, respectively, where M (resp., S) refers to field multiplication (resp., a field squaring). All of our formulas are given in terms of projective -coordinates, which can later combine with -coordinates only point operations on Edwards curves. The details of our isogeny formulas on Edwards curves are presented in Section 4.(iii)We present the implementation results of our isogeny formulas and comprehensive analysis of their performance. We demonstrate that implementation results of isogenies on Edwards curves are similar to Montgomery curves. Therefore, the current isogeny-based cryptosystem can also work with Edwards curves.

This paper is organized as follows: A review of some special forms of elliptic curves is provided in Section 2. The description of isogeny of elliptic curves and Vélu’s formula to compute isogeny is also presented in Section 2. Specifically, we introduce an existing application of Vélu’s formula on Montgomery curves and twisted Edwards curves. In Section 3, we present our method to compute isogenies in twisted Edwards curves. Our optimized formulas for isogeny on Edwards curves and their implementations are given in Section 4. We draw our conclusions and future work in Section 5.

2. Preliminaries

In this section, we introduce the definition of special forms of elliptic curves. There are various forms of elliptic curves, but we will focus on twisted Edwards curves and Montgomery curves in this paper. Next, an isogeny of elliptic curves and Vélu’s formulas are introduced. Due to the work of Vélu, isogeny can be constructed given a finite subgroup. We describe a previous method that applied Vélu’s formula on twisted Edwards curves and Montgomery curves [5, 17].

2.1. Models of Elliptic Curve

Let be a field with the characteristic not equal to 2 or 3. An elliptic curve defined over is a smooth, projective algebraic curve of genus 1 with a distinguished point. It is well known that the points of an elliptic curve form an additive group with the distinguished point as the identity element. From the Riemann–Roch theorem, every elliptic curve can be defined by a cubic polynomial equation in two variables. For example, an elliptic curve can be defined by a short Weierstrass equationor by a Montgomery equationThe -invariants of the above curves are defined as and , respectively.

Two algebraic curves are said to be birationally equivalent if their function fields are isomorphic to each other. The representative of a birational class is called a model. An elliptic curve expressed in Montgomery equation is called Montgomery model and Weierstrass model if it is expressed in Weierstrass equation. Two models play important roles in the implementation of elliptic curves for cryptographic usage. Note that has either three rational points of order two or a rational point of order four (possibly both) [19, 20].

Another important model is the Edwards model defined by the equationIn fact, is not an elliptic curve as it has singular points and at infinity. In Edwards curves, the point is the identity element, and the point has order two. The points and have order four. The condition that always has a rational point of order four restricts the use of elliptic curves in the Edwards model. To overcome this deficiency, Bernstein et al. proposed twisted Edwards curves which are defined by the equationfor distinct nonzero elements [14]. Clearly, is isomorphic to an Edwards curve over . Later in this paper we demonstrate that it is efficient to work with both projective coordinates and projective curve coefficients. Let where such that and . Then can be expressed as

The addition law on twisted Edwards curve is defined as follows, and doubling can be performed with exactly the same formula.

Bernstein et al. showed the following cryptographically interesting relations on the above three models of elliptic curve [14].

Theorem 1. Let be an elliptic curve defined over a field with the characteristic not equal to 2. The group of rational points has an element of order 4 if and only if is birationally equivalent over to an Edwards curve.

Theorem 2. Let be a field with ; then every Montgomery curve over is birationally equivalent over to an Edwards curve.

As Theorem 2 is used to compute 4-isogeny formula in Edwards curves, we shall define with in the remainder of this paper, unless otherwise specified.

2.1.1. Relation between Twisted Edwards Curves and Montgomery Curves

In [14], Bernstein et al. proved that every twisted Edwards curve over is birationally equivalent over to a Montgomery curve. Since this relation is used later in this paper, we shall describe it briefly. Let and be nonzero elements in . Then every twisted Edwards curve is birationally equivalent to a Montgomery form viawhere and . The inverse of the map from to is defined as

The first coordinate in map (7) is computed by using only -coordinate and the second coordinate in map (8) uses only -coordinate. In projective coordinates, this map becomes remarkably simple [21]. A point on a Montgomery curve can be transformed to the corresponding Edwards -coordinates and vice versa:Therefore, the point conversion between these two curves costs only two additions.

2.2. Isogeny and Vélu’s Formulas

An isogeny between two elliptic curves and is a surjective group homomorphism with a finite kernel. Two elliptic curves and are said to be isogenous over if there exists an isogeny defined over . If the degree of the isogeny is equal to the order of the kernel of , then is called a separable isogeny. An isogeny of degree is called an -isogeny. Throughout this paper, an -isogeny is a separable isogeny, unless otherwise stated.

For every isogeny , there exists an isogeny such thatThe isogeny is called the dual isogeny of . By using this fact, the relation of isogeny is an equivalence relation. Moreover, and are isogenous over if and only if the group of the rational points and has the same cardinality. If is a separable isogeny of degree 1, then is an isomorphism. An isomorphism class of elliptic curves is uniquely represented by the -invariant. That is, two elliptic curves are isomorphic over if and only if they have the same -invariant. Moreover, the kernel of an isogeny is finite. Conversely, if a finite subgroup of an elliptic curve is given, then there exists an elliptic curve and a separable isogeny , with .

There are two methods to construct isogeny between elliptic curves. Vélu gave the explicit formulas to construct an isogeny with a given elliptic curve and a given finite subgroup as the kernel [22]. Later, Kohel proposed that isogeny can be computed from the kernel polynomial [23]. In this paper, we focus on Vélu’s method to construct isogenies. Vélu’s formulas are based on the transformationwhich is invariant under the translation by the points in the kernel . In order to compute rational functions given by Vélu, let be an elliptic curve with short Weierstrass form as in (1) for the simplicity. For a finite subgroup , partition into two sets, and , such that and if and only if . For each point , define the following equations:Then, the isogeny is given byThe order of the isogeny is equal to the order of the subgroup . The equation of the image curve is

2.2.1. Vélu’s Formulas on Montgomery Curves

In this section, we describe how even-degree isogenies are induced on Montgomery curves. This method was proposed by Jao and De Feo and later optimized by Costello et al. [5, 10]. The main processes for deriving 4-isogeny are illustrated in projective coordinates. For odd-degree isogenies, refer to [10].

Let be a Montgomery curve defined in (2). It has a point of order two and a point of order four , either defined over a quadratic extension, such that . The isogeny—which has degree 2 and maps to (0, 0)—is defined aswhere and for . The corresponding image curve is given as

Since the image curve is not in Montgomery form, computing square roots is unavoidable in order to transform back to Montgomery form. To overcome such problem, consider the isogeny with as a kernel, given bywhere , , and in the above equation. The equation of the image curve is given as in Montgomery form:Then, is an isogeny of degree four that maps to . However, this formula cannot be applied twice to obtain isogeny of degree . Instead, it would only induce multiplication by 4-isogeny when is computed twice. In order to apply 4-isogeny successively for -isogeny, must be combined with isomorphism of Montgomery curves that maps 4-torsion point to some specific coordinate. This is already apparent as we have computed with point of a specific form. Let be a point of order four in . Let and be the projective coordinates of and , respectively. The isomorphism defined below maps to and to point of the form .with the corresponding curve equation defined below.

Combining with , we are able to compute 4-isogeny successively.

2.2.2. Vélu’s Formulas on Twisted Edwards Curves

As denoted in the previous section, there exist birational maps from Edwards curves to Weierstrass curves. Let be the transformation from a twisted Edwards curve to a Weierstrass curve and be isogeny from to another curve . Let be the transformation from a Weierstrass curve back to a twisted Edwards curve. The intuitive approach toward computing the isogeny between twisted Edwards curves is to combine these maps. However, the transformation from Weierstrass curves to twisted Edwards curves is complicated if the corresponding Weierstrass curve is not of the form below.Moreover, one needs to compute square roots in order to transform back to twisted Edwards form. To solve this issue, Moody and Shumow proposed compact formulas for odd-degree isogenies on twisted Edwards curves [17]. The isogeny of order on twisted Edwards curves can be computed by using the following theorem.

Theorem 3. Suppose is a subgroup of the twisted Edwards curve with odd order and points . Then a normalized -isogeny from to , where and , with , , is given by

The idea of the above formula comes from the fact that the mapis invariant under the translation by an element in . Note that this idea does not apply for even-degree isogenies since either the abscissa or the ordinate of every 2-torsion point vanishes.

3. The Proposed Isogeny Computations on Twisted Edwards Curves

In this section, we propose optimized formulas for 3-isogeny and 4-isogeny on twisted Edwards curves, which are commonly used degrees in the isogeny-based cryptosystem. For 3-isogeny, we use Moody and Shumow’s result as a base formula and optimize it by using projective coordinates, projective curve coefficients, and division polynomial [17]. For even-degree isogeny computation, we exploit the efficiency of computing a birational map between twisted Edwards curves and Montgomery curves. The 4-isogeny formula on twisted Edwards curves can be obtained by composing the birational map and isogeny on Montgomery curves.

3.1. 3 Isogenies on Twisted Edwards Curves

Let be a 3-torsion point on twisted Edwards curve defined in (4). Let be the 3-isogeny with kernel that maps to the twisted Edwards curve , where . Then, by using the formula proposed by Moody and Shumow [17], is given bywith the curve parameters and such thatFrom the curve equation, and can be expressed as and , respectively. By substituting and , the -coordinate in equation (24) is given byTo prevent inversions when computing isogeny and curve coefficients, we utilize projective coordinates and projective curve coefficients. Let be the projective representation of such that and . Let be the additional input and be its corresponding image. By substituting the projective coordinates in (26) and simplifying the equation, we can obtain

Since is a root of the 3-division polynomial , we can express . Then, we have

In summary, from the additional input , projective version of (26) gives

Now, let and be the curve coefficients of the image curve. Substituting and in (25) represented in projective coordinates, we have

To avoid inversions, projective versions of (30) arewhere and for and .

3.2. 4 Isogenies on Twisted Edwards Curves

Computing 4 isogenies is more complicated than odd-degree isogenies in twisted Edwards curves. There exist roughly two approaches for computing 4 isogenies in twisted Edwards curves. The first method is to transform twisted Edwards curve to corresponding Weierstrass form and apply Vélu’s formula. However, transforming back to twisted Edwards form from Weierstrass form is complicated as square root computations might be required in some cases. The other approach is to use the birational relation between twisted Edwards curves and Montgomery curves. As the transformation between twisted Edwards curves and Montgomery curves costs only two additions, we can compute 4-isogeny on a Montgomery curve and transform back to a twisted Edwards curve. However, when applying the 4-isogeny formula on Montgomery curves proposed by Jao and De Feo, the isomorphism that maps 4-torsion point to a specific point must be combined to compute 4-isogeny consecutively [5]. Therefore, after transforming a twisted Edwards curve into a Montgomery curve, the isomorphism must be combined with 4-isogeny.

In summary, the composition we used is as follows:where and are birational maps and is an isogeny obtained using Vélu’s formulas.

Let be a 4-torsion point on twisted Edwards curve , represented in projective coordinate. The birational map that maps twisted Edwards curve to Montgomery curve sends as follows:where

Let be the corresponding 4-torsion point on . The evaluation of 4-isogeny on with kernel is defined as in [10].Note that this formula is already combined with the isomorphism so that additional transform is not necessary. Finally, the birational map , which maps the Montgomery curve back to the twisted Edwards curve , is defined as follows:

The curve coefficients and of the image curve are given by

Combining the three maps , , and yields 4-isogeny from to . The equation below is the evaluation of the 4-isogeny by computing , given the additional point on .Simplifying the above equations by substituting and , we have

We now describe the evaluation of the curve coefficients of the image curve. For the 4-torsion point on the twisted Edwards curve , birational map is used to transform into the Montgomery form . The curve coefficients, as well as the image of and , are as given below.Here , , , and in the above equation. Next, the isomorphism sends to a point of the form and to . The coefficients of the corresponding image curve are

Then, by combining the isogeny , coefficients of the image curve are given below.

Finally, by applying the birational map to transform back to the twisted Edwards curve, we obtain the coefficients of the 4-isogeny twisted Edwards curve. Let be the image curve. Then we have

Since is a root of the 4-division polynomial of a Montgomery curve , we can express in terms of and . Simplifying the above equation with expression in terms of and , we have

4. The Proposed Isogeny Computations on Edwards Curves

In this section, we present 3- and 4-isogeny formulas on Edwards curves. Recall that 2-isogeny on twisted Edwards curves requires square root computation when transforming back to twisted Edwards curves [17]. Hence, we assumed twisted Edwards curves to have a 4-torsion point by restricting the order of the field. However, every elliptic curve having a 4-torsion point is birationally equivalent to Edwards curves [14]. Therefore, twisted Edwards curves having a 4-torsion point are in fact Edwards curves, with the curve coefficient . Since the number of curve coefficients is reduced, the proposed isogeny formulas can further be optimized.

4.1. 3 Isogenies on Edwards Curves

Let be a 3-torsion point on Edwards curve , where . Let be a 3-isogeny generated by a kernel , so that . Since (29) is independent of the curve coefficients, 3-isogeny formula on Edwards curve is identical to 3-isogeny on twisted Edwards curves. The curve coefficient of the isogenous curve isTherefore, in projective coordinates,

4.2. 4 Isogenies on Edwards Curves

Similar to the case for computing 3-isogeny on Edwards curves, only the formula for computing image curve coefficient is changed when computing 4-isogeny on Edwards curves. By setting and starting from (34), we haveTo conclude, note that all of our formulas are given in terms of projective -coordinates. Since point operations such as doubling and tripling on Edwards curves can be performed by -coordinates, our formulas are well-adjusted to the isogeny-based cryptosystem.

4.3. Algorithms for Computing Isogenies on Edwards Curves

This section presents an efficient way to compute three and four isogenies on Edwards curves. In order to evaluate 3-isogeny efficiently, consider the difference between and coordinates. Let and , where and are defined as in (29). Then, and are given by

Therefore, and can be obtained alternatively by computing and . To compute the coefficients of the image curve, (48) can be rewritten as

Hence, when values , and are computed, and can be computed with two field multiplications. Algorithm 1 shows an efficient way to compute 3-isogeny and its corresponding curve coefficients. The total cost for Algorithm 1 is 6M+5S.

Require: 3-torsion point and a curve point on
Ensure: Image point on and curve coefficients of the image curve where
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29: return

Next, to compute 4-isogeny formula on Edwards curves, let and , where and are defined as in (39). Then and can be written as

Therefore, and can be obtained alternatively by computing and . Also, note that in (49) equals to

The coefficients of the image curve can be computed more efficiently using the above equation. The algorithm for computing 4-isogeny and its corresponding curve coefficients is described in Algorithm 2. The total cost for Algorithm 2 is 7M+5S.

Require: 4-torsion point and curve point on
Ensure: Image point on and curve coefficients of the image curve where
1: //
2: //
3: //
4: //
5: //
6: //
7: //
8: //
9: //
10: //
11: //
12: //
13: //
14: //
15: //
16: //
17: //
18: //
19: //
20: //
21: //
22: //
23: //
24: //
25: return

4.4. Implementation Results

To evaluate the performance of the proposed formulas, the algorithms are implemented in C language. We used the isogeny formula implemented in SIDH library version 3.0 for isogenies on Montgomery curves. Moreover, to make an exact comparison with isogenies on Montgomery curves, the field operations implemented in SIDH library were used for both curves. The field operations in SIDH library are written in x64 assembly [18]. As a result, the difference in performance lies purely in the computation of isogenies. All cycle counts were obtained on one core of an Intel Core i7-6700 (Skylake) at 3.40 GHz, running Ubuntu 16.04 LTS. For compilation, we used GNU GCC version 5.4.0.

In this section, the field is fixed as , where is prime, and . For the prime , we used 503-bit prime and 751-bit prime , presented in [13, 18]. The base field operations were tested in order to visualize the ratio between field operations. To this end, each field operation was repeated times for each prime field. Table 1 summarizes the average cycle counts of field operations over .

As in Table 1, 1S equals approximately 0.8M, for both 503-bit prime and 751-bit prime. Based on the above result, Table 2 shows the computational cost and corresponding cycle counts of 3 and 4 isogenies, when using Montgomery curves and Edwards curves. For each isogeny computation, we report the average cycles of times. Note that the number of field multiplications and squarings are same for 3-isogeny. Therefore, to better represent the results, we also counted field additions and subtractions. In Table 2, a (resp., s) refers to field addition (resp., subtraction).

Note that the base field operations in [18] run in constant time to protect against timing attacks [24]; field additions cost more cycles than field subtractions. Therefore, 3-isogeny on Edwards curves are slightly faster than on Montgomery curves. Overall, because the proposed algorithms used field subtractions more than field additions, the performance gap between Montgomery curves and Edwards curves is small.

5. Conclusion and Future Work

In this paper, we proposed 3- and 4-isogeny formulas on twisted Edwards curves that can be applied in isogeny-based cryptography. For 3-isogeny, we optimized Moody and Shumow’s formula by applying projective coordinates, projective curve coefficients, and division polynomials [17]. For even-degree isogeny, we combined bilinear map between twisted Edwards curves and Montgomery curves and isogeny on Montgomery curves. We further optimized our isogeny formulas by working on with Edwards curves. The computational costs for 3 and 4 isogenies on Edward curves are 6M+5S and 7M+5S, respectively. We also implemented our formulas and demonstrated that isogenies on Edwards curves are as efficient as isogenies on Montgomery curves. For the future work, we plan to implement our isogeny formulas on isogeny-based cryptosystem and measure its performance. Additionally, we plan to consider isogeny formulas on other forms of elliptic curves and report the best isogeny degree for isogeny-based cryptography.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (no. NRF-2017R1A2B4011599).

References

P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM Review, vol. 41, no. 2, pp. 303–332, 1999.
View at: Publisher Site | Google Scholar | MathSciNet
J. M. Couveignes, “Hard homogeneous spaces,” IACR Cryptology ePrint Archive, vol. 291, 2006.
View at: Google Scholar
A. Stolbunov, “Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves,” Advances in Mathematics of Communications, vol. 4, no. 2, pp. 215–235, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
A. Childs, D. Jao, and V. Soukharev, “Constructing elliptic curve isogenies in quantum subexponential time,” Journal of Mathematical Cryptology, vol. 8, no. 1, pp. 1–29, 2014.
View at: Publisher Site | Google Scholar | MathSciNet
D. Jao and L. De Feo, “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies,” in Post-quantum cryptography, vol. 7071 of Lecture Notes in Comput. Sci., pp. 19–34, Springer, Heidelberg, 2011.
View at: Publisher Site | Google Scholar | MathSciNet
R. Azarderakhsh, D. Jao, K. Kalach, B. Koziel, and C. Leonardi, “Key compression for isogeny-based cryptosystems,” in Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, pp. 1–10.
View at: Google Scholar
C. Costello, D. Jao, P. Longa, M. Naehrig, J. Renes, and D. Urbanik, “Efficient compression of sidh public keys,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 679–706, Springer, 2017.
View at: Google Scholar | MathSciNet
R. Azarderakhsh, B. Koziel, and S. H. F. Langroudi, “Fpga-sidh: High-performance implementation of supersingular isogeny diffie-hellman key-exchange protocol on fpga,” IACR Cryptology ePrint Archive, vol. 672, 2016.
View at: Google Scholar
B. Koziel, A. Jalali, R. Azarderakhsh, D. Jao, and M. Mozaffari-Kermani, “Neon-sidh: efficient implementation of supersingular isogeny diffie-hellman key exchange protocol on arm,” in International Conference on Cryptology and Network Security, pp. 88–103, Springer, 2016.
View at: Google Scholar
C. Costello, P. Longa, and M. Naehrig, “Efficient algorithms for supersingular isogeny diffie-hellman,” in Annual Cryptology Conference, pp. 572–601, Springer, 2016.
View at: Google Scholar
S. D. Galbraith, C. Petit, and J. Silva, “Identification protocols and signature schemes based on supersingular isogeny problems,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 3–33, Springer, 2017.
View at: Google Scholar | MathSciNet
Y. Yoo, R. Azarderakhsh, A. Jalali, D. Jao, and V. Soukharev, “A post-quantum digital signature scheme based on supersingular isogenies,” in Financial cryptography and data security, vol. 10322 of Lecture Notes in Comput. Sci., pp. 163–181, Springer, Cham, 2017.
View at: Publisher Site | Google Scholar | MathSciNet
R. Azarderakhsh, M. Campagna, C. Costello et al., “Supersingular isogeny key encapsulation. submission to the nist post-quantum standardization project,” 2017.
View at: Google Scholar
D. Bernstein, P. Birkner, M. Joye, T. Lange, and C. Peters, “Twisted Edwards curves,” in International Conference on Cryptology in Africa, vol. 5023, pp. 389–405, Springer, 2008.
View at: Google Scholar
C. Costello and H. Hisil, “A simple and compact algorithm for sidh with arbitrary degree isogenies,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 303–329, Springer, 2017.
View at: Google Scholar | MathSciNet
M. Meyer, S. Reith, and F. Campos, On hybrid sidh schemes using edwards and montgomery curve arithmetic,.
D. Moody and D. Shumow, “Analogues of Vélu's formulas for isogenies on alternate models of elliptic curves,” Mathematics of Computation, vol. 85, no. 300, pp. 1929–1951, 2016.
View at: Publisher Site | Google Scholar | MathSciNet
C. Costello, P. Longa, and M. Naehrig, “Sidh library,” 2016.
View at: Google Scholar
K. Okeya, H. Kurumatani, and K. Sakurai, “Elliptic curves with the Montgomery-form and their cryptographic applications,” in Public key cryptography (MELbourne, 2000), vol. 1751 of Lecture Notes in Comput. Sci., pp. 238–257, Springer, Berlin, 2000.
View at: Publisher Site | Google Scholar | MathSciNet
I. E. Shparlinski and A. V. Sutherland, “On the distribution of Atkin and Elkies primes for reductions of elliptic curves on average,” LMS Journal of Computation and Mathematics, vol. 18, no. 01, pp. 308–322, 2015.
View at: Publisher Site | Google Scholar
R. R. Farashahi, I. E. Shparlinski, and J. F. Voloch, “On hashing into elliptic curves,” Journal of Mathematical Cryptology, vol. 3, no. 4, 2009.
View at: Publisher Site | Google Scholar
J. Vélu, “Isogénies entre courbes elliptiques,” Comptes Rendus Mathematique Academie des Sciences, Paris, vol. 273, pp. 238–241, 1971.
View at: Google Scholar | MathSciNet
D. R. Kohel, Endomorphism rings of elliptic curves over finite fields [Ph.D. Thesis], University of California, Berkeley, Calif, USA, 1996.
View at: MathSciNet
P. C. Kocher, “Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems,” in Annual International Cryptology Conference, pp. 104–113, Springer, 1996.
View at: Google Scholar

Copyright

Copyright © 2018 Suhri Kim et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

2056

Downloads

1258

Citations