On Collisions Related to an Ideal Class of Order 3 in CSIDH

Abstract

CSIDH is an isogeny-based key exchange, which is a candidate for post quantum cryptography. It uses the action of an ideal class group on \(\mathbb {F}_{p}\)-isomorphism classes of supersingular elliptic curves. In CSIDH, the ideal classes are represented by vectors with integer coefficients. The number of ideal classes represented by these vectors determines the security level of CSIDH. Therefore, it is important to investigate the correspondence between the vectors and the ideal classes. Heuristics show that integer vectors in a certain range represent “almost” uniformly all of the ideal classes. However, the precise correspondence between the integer vectors and the ideal classes is still unclear. In this paper, we investigate the correspondence between the ideal classes and the integer vectors and show that the vector \((1, \dots , 1)\) corresponds to an ideal class of order 3. Consequently, the integer vectors in CSIDH have collisions related to this ideal class. Here, we use the word “collision” in the sense of distinct vectors belonging to the same ideal class, i.e., distinct secret keys that correspond to the same public key in CSIDH. We further propose a new ideal representation in CSIDH that does not include these collisions and give formulae for efficiently computing the action of the new representation.

Appendix A Odd-degree Isogenies Using 4-Torsion Points

We give new formulae for computing odd-degree isogenies between Montgomery curves by calculating the images of \(P_+\) and \(P_-\). We denote the degree of the isogeny we compute by \(\ell = 2d + 1\) as in Theorem 6.

Theorem 8

We use the same notation as in Theorem 6 and assume \(B = 1\). Further, we assume that the group \(\langle P \rangle \) is stable under the action of the p-th power Frobenius endomorphism. Then, there exists \(A' \in \mathbb {F}_{p}\) such that \(E_{A'} = E_{A} / \langle P \rangle \). Furthermore, \(A'\) satisfies the equations

$$\begin{aligned} A' + 2 = (A + 2) \left( \left( 1 + 2\sum _{i=1}^{d}\frac{x_i + 1}{x_i - 1} \right) \prod _{i=1}^{d}x_i\right) ^2,\end{aligned}$$

(39)

$$\begin{aligned} A' - 2 = (A - 2) \left( \left( 1 + 2\sum _{i=1}^{d}\frac{x_i - 1}{x_i + 1} \right) \prod _{i=1}^{d}x_i\right) ^2. \end{aligned}$$

(40)

Proof

Let \(b = \prod _{i=1}^d x_i\). Then we have \(b \in \mathbb {F}_{p}\), because the group \(\langle P \rangle \) is stable under the action of the p-th power Frobenius map. Theorem 6 says that the isogeny with kernel \(\langle P \rangle \) is given by

$$\begin{aligned} E_A \rightarrow E_{A', b^2},\quad (x,y) \mapsto (f(x), yf'(x)), \end{aligned}$$

(41)

where \(A'\) is defined in Theorem 6. We have \(E_{A', b^2} = E_{A'}\) because \(E_{A', b^2} \rightarrow E_{A'},\ (x, y) \mapsto (x, by)\) is a \(\mathbb {F}_{p}\)-isomorphism. This proves the first assertion.

Let \(P_+, P_- \in E_A\) be the same as in Lemma 1. We denote the y-coordinate of \(P_+\) by \(y_+\). Note that \(y_+^2 = A + 2\). The image of \(P_+\) under the isogeny \(E_A \rightarrow E_{A'}\) is \((1, by_+f'(1))\). One can easily check that

$$\begin{aligned} f'(1) = 1 + 2\sum _{i=1}^{d}\frac{x_i + 1}{x_i - 1}. \end{aligned}$$

(42)

Substituting \((1, by_+f'(1))\) into the equation of \(E_{A'}\) yields Eq. (39). By considering the image of \(P_-\), we obtain Eq. (40). \(\square \)

As with the other formulae for isogenies between Montgomery curves [7, 8, 10, 20, 26], our formulae can avoid inversions by using a projective coordinate of A. For \(x \in \mathbb {F}_{p}\), we call a pair \(X, Z \in \mathbb {F}_{p}\) such that \(x = X/Z\) a projective coordinate of x and denote it by (X : Z). The following corollary gives a projectivized variant of Eq. (40) in the above theorem. Note that a projectivized variant of Eq. (39) can be obtained in the same way.

Corollary 3

We use the same notation as in Theorem 8. Let (a : c) be a projective coordinate of A and \((X_i:Z_i)\) a projective coordinate of \(x_i\). We define

$$\begin{aligned} c'= & {} c(\prod _{i=1}^{d}S_i \prod _{i=1}^{d}Z_i)^2),\end{aligned}$$

(43)

$$\begin{aligned} a'= & {} (a - 2c)((\prod _{i=1}^{d}S_i + 2\sum _{i=0}^{d}D_i\prod _{j\ne i}S_j)\prod _{i=1}^{d}X_i)^2 + 2c', \end{aligned}$$

(44)

where \(S_i = X_i + Z_i,\ D_i = X_i - Z_i\). Then \((a':c')\) is a projective coordinate of \(A'\).

Proof

This follows immediately from equation (40). \(\square \)

By Corollary 2, we obtain an algorithm (Algorithm 1) for computing the coefficient of the codomain of an odd-degree isogeny. We assume that the elements \(X_i, Z_i, S_i\) and \(D_i\) are precomputed. These elements are used in the computation of the image of a point under an isogeny. In CSIDH, one needs to compute not only the coefficient of the codomain of an isogeny, but also the image of a point under that isogeny. Therefore, it is natural to separate the computation of these elements from that of an isogeny.

The cost of Algorithm 1 is

$$\begin{aligned} (5d - 1)\mathbf{M} + 2\mathbf{S} + (d + 5)\mathbf{a}, \end{aligned}$$

(45)

where \(\mathbf{M}\), \(\mathbf{S}\), and \(\mathbf{a}\) mean multiplication, squaring, and addition or subtraction on the field \(\mathbb {F}_{p}\), respectively.

On the other hand, the costs of the similar algorithms in the previous studies are as follows. Castryck et al. [4] used the formula from Costello and Hisil [7] and Renes [26]. The cost is

$$\begin{aligned} (6d - 2)\mathbf{M} + 3\mathbf{S} + 4\mathbf{a}. \end{aligned}$$

(46)

Meyer and Reith [20] proposed an algorithm that exploits the correspondence between Montgomery curves and twisted Edwards curves. The cost is

$$\begin{aligned} 2d\mathbf{M} + 6\mathbf{S} + 6\mathbf{a} + 2w(\ell ), \end{aligned}$$

(47)

where \(w(\ell )\) is the cost of the \(\ell \)-th power on \(\mathbb {F}_{p}\). If we use the binary algorithm for exponentiation, we obtain \(w(\ell ) = (h - 1)\mathbf{M} + (t - 1)\mathbf{S}\), where h and t are the Hamming weight and the bit length of \(\ell \), respectively.

For comparing the above costs, we assume that \(\mathbf{S} = 0.8\,\mathbf{M}\) and \(\mathbf{a} = 0.05\,\mathbf{M}\) as in [20]. We conclude that Algorithm 1 is the fastest if \(\ell \le 7\) and the algorithm in [20] is the fastest if \(\ell > 7\). Table 1 shows the costs of these algorithms for small degrees.

Table 1. Costs of odd-degree isogeny computations