Isogeny-based cryptography, such as commutative supersingular isogeny Diffie-Hellman (CSIDH), has been shown to be a promising candidate for post-quantum cryptography. However, its speed has remained unremarkable. This study focuses on computing odd-degree isogenies between Montgomery curves, which is the dominant computation in CSIDH. Our proposed technique, the “2-ADD-Skip method”, reduces the number of points that must be computed during isogeny computation. A novel algorithm for isogeny computation is also proposed to make efficient use of the 2-ADD-Skip method. With the optimized parameter, our proposed algorithm reduces computational cost by approximately 12% compared with the algorithm proposed by Meyer and Reith. Further, individual experiments for each isogeny degree ℓ show that the proposed algorithm is the fastest for 19≤ℓ≤373 among previous studies focusing on isogeny computation, including the Õ(√ℓ) algorithm proposed by Bernstein et al. The experimental results also show that the proposed algorithm is the fastest on CSIDH-512. For CSIDH-1024, the proposed algorithm is faster than the algorithm by Meyer and Reith, although it is slower than the algorithm by Bernstein et al.
Kenta KODERA
Osaka University
Chen-Mou CHENG
Kanazawa University
Atsuko MIYAJI
Osaka University, the Japan Advanced Institute of Science and Technology
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Kenta KODERA, Chen-Mou CHENG, Atsuko MIYAJI, "Efficient Algorithm to Compute Odd-Degree Isogenies Between Montgomery Curves for CSIDH" in IEICE TRANSACTIONS on Fundamentals,
vol. E104-A, no. 9, pp. 1245-1254, September 2021, doi: 10.1587/transfun.2020DMP0024.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.2020DMP0024/_p
@ARTICLE{e104-a_9_1245,
author={Kenta KODERA and Chen-Mou CHENG and Atsuko MIYAJI},
journal={IEICE TRANSACTIONS on Fundamentals},
title={Efficient Algorithm to Compute Odd-Degree Isogenies Between Montgomery Curves for CSIDH},
year={2021},
volume={E104-A},
number={9},
pages={1245-1254},
keywords={},
doi={10.1587/transfun.2020DMP0024},
ISSN={1745-1337},
month={September},}
TY - JOUR
TI - Efficient Algorithm to Compute Odd-Degree Isogenies Between Montgomery Curves for CSIDH
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 1245
EP - 1254
AU - Kenta KODERA
AU - Chen-Mou CHENG
AU - Atsuko MIYAJI
PY - 2021
DO - 10.1587/transfun.2020DMP0024
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E104-A
IS - 9
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - September 2021
ER -