Abstract
In this paper, we present a performance and security analysis of various commutative SIDH (CSIDH)-based algorithms. As CSIDH offers a smaller key size than SIDH and provides a relatively efficient signature scheme, numerous CSIDH-based key exchange algorithms have been proposed to optimize CSIDH. In CSIDH, the private key is an ideal class in a class group, which can be represented by an integer vector. As the number of ideal classes represented by these vectors determines the security level of CSIDH, it is important to analyze whether different vectors induce the same public key. In this regard, we generalize the existence of a collision for a base prime p ≡ 7 mod 8. Based on our result, we present a new interval for the private key that gives the various CSIDH-based algorithms a similar security level, for a fair comparison of their performance. From the implementation results, we conclude that for a prime p ≡ 7 mod 8, CSIDH on the surface using the Montgomery curves is the most likely to be efficient. For a prime p ≡ 3 mod 8, CSIDH on the floor using the hybrid method with Onuki's collision-free method is the most likely to be efficient and secure.
Highlights
Isogeny-based cryptography was first proposed by Couveignes in 1997 [1] and is constructed using the isogeny classes of ordinary elliptic curves defined over a finite field F_p
As commutative SIDH (CSIDH)-based algorithms use ideal classes expressed by an integer vector as a private key, the number of ideal classes represented by these vectors determines the security level of CSIDH
We present a new interval for the private key to have a similar security level for the various
Summary
Isogeny-based cryptography was first proposed by Couveignes in 1997 [1] and is constructed using the isogeny classes of ordinary elliptic curves defined over a finite field F_p. In [6], the authors propose CSIDH (commutative SIDH), which solves the parameter selection problem of the CRS scheme by restricting the use of supersingular elliptic curves over F_p. We analyze the performance and security of the various CSIDH-based algorithms in order to find out which kind of prime p and which method are most efficient. As CSIDH-based algorithms use ideal classes expressed by an integer vector as a private key, the number of ideal classes represented by these vectors determines the security level of CSIDH. We conclude that for a prime p ≡ 7 mod 8, CSIDH on the surface using the Montgomery curves is the most likely to be efficient. We present the computational cost of the lower-level functions to construct CSIDH-based algorithms over these curves.