How to Construct CSIDH on Edwards Curves

Abstract

CSIDH is an isogeny-based key exchange protocol proposed by Castryck, Lange, Martindale, Panny, and Renes in 2018. CSIDH is based on the ideal class group action on \(\mathbb {F}_p\)-isomorphism classes of Montgomery curves. In order to calculate the class group action, we need to take points defined over \(\mathbb {F}_{p^2}\). The original CSIDH algorithm requires a calculation over \(\mathbb {F}_p\) by representing points as x-coordinate over Montgomery curves. Meyer and Reith proposed a faster CSIDH algorithm in 2018 which calculates isogenies on Edwards curves by using a birational map between a Montgomery curve and an Edwards curve. There is a special coordinate on Edwards curves (the w-coordinate) to calculate group operations and isogenies. If we try to calculate the class group action on Edwards curves by using the w-coordinate in a similar way on Montgomery curves, we have to consider points defined over \(\mathbb {F}_{p^4}\). Therefore, it is not a trivial task to calculate the class group action on Edwards curves with w-coordinates over only \(\mathbb {F}_p\).

In this paper, we prove a number of theorems on the properties of Edwards curves. By using these theorems, we extend the CSIDH algorithm to that on Edwards curves with w-coordinates over \(\mathbb {F}_p\). This algorithm is as fast as (or a little bit faster than) the algorithm proposed by Meyer and Reith.

Acknowlegements

This work was supported by JST CREST Grant Number JPMJCR14D6, Japan.

A Compute group operations and isogenies

Here, we explain how to compute group operations and isogenies on Montgomery curves and Edwards curves.

1.1 A.1 Montgomery curves

The doublings formula (1) can be computed as

$$ t_1\leftarrow X+Z,\quad t_2\leftarrow X-Z,\quad t_1\leftarrow t_1^2,\quad t_2 \leftarrow t_2^2,\quad s\leftarrow t_1-t_2,\quad t_2\leftarrow t_2\cdot (4C), $$

$$ X' \leftarrow t_1 \cdot t_2,\quad t_1 \leftarrow (A+2C)\cdot s,\quad t_1 \leftarrow t_1+t_2, \quad Z'\leftarrow s\cdot t_1. $$

If \(Z=1\), the doublings formula (1) can be computed as

$$ t_1\leftarrow X+1,\quad t_1\leftarrow t_1^2,\quad s \leftarrow 2\cdot X,\quad s \leftarrow 2\cdot s,\quad t_2 \leftarrow t_1-s,\quad t_2\leftarrow t_2\cdot (4C), $$

$$ X' \leftarrow t_1 \cdot t_2,\quad t_1 \leftarrow (A+2C)\cdot s,\quad t_1 \leftarrow t_1+t_2, \quad Z'\leftarrow s\cdot t_1. $$

The addition formula (2) can be computed as

$$ t_1\leftarrow X_1+Z_1,\quad s_1 \leftarrow X_2+Z_2,\quad t_2 \leftarrow X_1-Z_1,\quad s_2 \leftarrow X_2-Z_2,\quad t\leftarrow t_1\cdot s_2, $$

$$ s \leftarrow t_2\cdot s_1,\quad X_3\leftarrow t+s,\quad Z_3 \leftarrow t-s,\quad X_3\leftarrow X_3^2\cdot Z_0,\quad Z_3\leftarrow Z_3^2\cdot X_0. $$

The formula for calculating \(\phi (P)\) (3) can be computed as

$$ t_i\leftarrow X_i+Z_i,\quad s_i\leftarrow X_i-Z_i,\quad t_i\leftarrow t_i\cdot (X-Z),\quad s_i\leftarrow s_i\cdot (X+Z), $$

$$ X'\leftarrow \prod _{i=1}^s(t_i-s_i),\quad Z'\leftarrow \prod _{i=1}^s(t_i+s_i),\quad X'\leftarrow X\cdot (X')^2,\quad Z'\leftarrow Z\cdot (Z')^2. $$

The formula for calculating \(E'\) (4) can be computed as

$$ c\leftarrow 2\cdot C,\quad a\leftarrow A+c, \quad d\leftarrow A-c, \quad a'\leftarrow \prod _{i=1}^s(X_i+Z_i), $$

$$ d'\leftarrow \prod _{i=1}^s(X_i-Z_i),\quad a'\leftarrow (a')^4, \quad d'\leftarrow (d')^4, \quad a'\leftarrow a^s\cdot a',\quad d'\leftarrow d^s \cdot d', $$

$$ \quad a'\leftarrow a \cdot (a')^2,\quad d'\leftarrow d \cdot (d')^2, \quad A'\leftarrow 2\cdot (a'+d'),\quad C'\leftarrow a'-d'. $$

1.2 A.2 Edwards curves

The doublings formula (6) can be computed as

$$ t_1\leftarrow Y^2,\quad t_2\leftarrow Z^2,\quad t_3\leftarrow C-D,\quad t_4 \leftarrow t_2-t_1,\quad t_1\leftarrow t_3\cdot t_1,\quad t_5\leftarrow C\cdot t_4, $$

$$ t_6 \leftarrow t_1+t_5, \quad t_6 \leftarrow t_4\cdot t_6,\quad t_1 \leftarrow t_1\cdot t_2, \quad Y'\leftarrow t_1-t_6, \quad Z'\leftarrow t_1+t_6. $$

If \(Z=1\), the doublings formula (6) can be computed as

$$ t_1\leftarrow Y^2,\quad t_3\leftarrow C-D,\quad t_4 \leftarrow 1-t_1,\quad t_1\leftarrow t_3\cdot t_1,\quad t_5\leftarrow C\cdot t_4, $$

$$ t_6 \leftarrow t_1+t_5, \quad t_6 \leftarrow t_4\cdot t_6, \quad Y'\leftarrow t_1-t_6, \quad Z'\leftarrow t_1+t_6. $$

The addition formula (7) can be computed as

$$ t_1\leftarrow Y_1\cdot Z_2,\quad t_2 \leftarrow Y_2 \cdot Z_1,\quad s_1 \leftarrow t_1+t_2,\quad s_2 \leftarrow t_1-t_2,\quad s_1 \leftarrow s_1^2,\quad s_2\leftarrow s_2^2, $$

$$ s_1 \leftarrow (Z_0-Y_0)\cdot s_1,\quad s_2\leftarrow (Z_0+Y_0)\cdot s_2, \quad Y_3 \leftarrow s_1-s_2,\quad Z_3 \leftarrow s_1+s_2. $$

The formula for calculating \(\phi (P)\) (8) can be computed as

$$ t_i\leftarrow Z\cdot Y_i,\quad t'_i\leftarrow Z_i\cdot Y,\quad s_1\leftarrow \prod _{i=1}^s(t_i+t'_i),\quad s_2\leftarrow \prod _{i=1}^s(t_i-t'_i),\quad s_1\leftarrow s_1^2, $$

$$ s_2\leftarrow s_2^2,\quad s_1 \leftarrow (Z+Y)\cdot s_1, \quad s_2 \leftarrow (Z-Y)\cdot s_2, \quad Y'\leftarrow s_1-s_2,\quad Z'\leftarrow s_1+s_2. $$

The formula for calculating \(E'\) (9) can be computed as

$$ D'\leftarrow \prod _{i=1}^sY_i,\quad C'\leftarrow \prod _{i=1}^sZ_i,\quad D'\leftarrow (D')^4, \quad C'\leftarrow (C')^4, $$

$$ D'\leftarrow D^s\cdot D',\quad C'\leftarrow C^s \cdot C',\quad D'\leftarrow D \cdot (D')^2,\quad C'\leftarrow C \cdot (C')^2. $$

The formulas (10, 11, 12) can be computed similarly as the formulas on Montgomery curves. The formula for calculating \(E'\) (13) can be computed as

$$ D'\leftarrow \prod _{i=1}^s(W_i+Z_i),\quad C'\leftarrow \prod _{i=1}^sZ_i,\quad D'\leftarrow (D')^4, \quad C'\leftarrow (C')^4, $$

$$ D'\leftarrow D^s\cdot D',\quad C'\leftarrow (2\cdot 2 \cdot 2 \cdot 2\cdot C)^s \cdot C',\quad D'\leftarrow D \cdot (D')^2,\quad C'\leftarrow C \cdot (C')^2. $$