Abstract
The implementation of isogeny-based cryptography mainly use Montgomery curves, as they offer fast elliptic curve arithmetic and isogeny computation. However, although Montgomery curves have efficient 3- and 4-isogeny formula, it becomes inefficient when recovering the coefficient of the image curve for large degree isogenies. Because the Commutative Supersingular Isogeny Diffie-Hellman (CSIDH) requires odd-degree isogenies up to at least 587, this inefficiency is the main bottleneck of using a Montgomery curve for CSIDH. In this paper, we present a new optimization method for faster CSIDH protocols entirely on Montgomery curves. To this end, we present a new parameter for CSIDH, in which the three rational two-torsion points exist. By using the proposed parameters, the CSIDH moves around the surface. The curve coefficient of the image curve can be recovered by a two-torsion point. We also proved that the CSIDH while using the proposed parameter guarantees a free and transitive group action. Additionally, we present the implementation result using our method. We demonstrated that our method is 6.4% faster than the original CSIDH. Our works show that quite higher performance of CSIDH is achieved while only using Montgomery curves.
Highlights
With the evolution of a quantum computing environment, currently used public key cryptosystems based on factorization and discrete logarithm problems, such as RSA and ECC, will not be able to guarantee their security in the near future
The isogeny-based cryptography is based on the difficulty of finding a specific isogeny between two elliptic curves defined on the same finite field
Because Montgomery curve arithmetic can only be constructed with the x-coordinate, XZ-coordinate system is mainly used for implementing isogeny-based cryptography
Summary
With the evolution of a quantum computing environment, currently used public key cryptosystems based on factorization and discrete logarithm problems, such as RSA and ECC, will not be able to guarantee their security in the near future. The isogeny-based cryptography was first proposed by Couveignes in 2006 [1] This is a non-interactive key exchange protocol, which uses a set of Fq -isomorphism classes of ordinary elliptic curves that are defined on Fq. The endomorphism ring between these curves is given by the order O in an imaginary quadratic field. This allows for a non-interactive key exchange, where several of the previously proposed PQC algorithms do not efficiently provide this property With this in mind, De Feo et al proposed a method to efficiently perform CRS-schemes on ordinary curves in [6]. The original implementation of CSIDH in [7] uses Montgomery curves, as they were known to provide efficient isogeny computation.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
