Abstract
We optimise the verification of the SQIsign signature scheme. By using field extensions in the signing procedure, we are able to significantly increase the amount of available rational 2-power torsion in verification, which achieves a significant speed-up. This, moreover, allows several other speed-ups on the level of curve arithmetic. We show that the synergy between these high-level and low-level improvements gives significant improvements, making verification 2.07 times faster, or up to 3.41 times when using size-speed trade-offs, compared to the state of the art, without majorly degrading the performance of signing.
Author list in alphabetical order; see https://www.ams.org/profession/leaders/CultureStatement04.pdf. This work has been supported by UK EPSRC grant EP/S022503/1 and by the German Federal Ministry of Education and Research (BMBF) under the project 6G-RIC (ID 16KISK033).
The full version of this paper is available at https://ia.cr/2023/1559.
Notes
- 1.
- 2. Note that \(\mathcal{O}\) and \(\mathcal{O}'\) need not be distinct.
- 3. \(I = N\mathcal{O}\mathcal{O}'\), where \(N\) is the smallest integer making \(I\) integral.
- 4. Specifically, it only works for special, \(p\)-extremal orders. An example of such an order when \(p \equiv 3 \pmod{4}\) is \(\text{End}(E_0)\) where \(j(E_0) = 1728\).
- 5. Additionally, \(\widehat{\varphi_{\text{chall}}} \circ \varphi_{\text{resp}}\) needs to be cyclic. Observe that otherwise, the soundness proof might return a scalar endomorphism.
- 6. Alternatively, one can replace the connecting ideal with the shortest equivalent ideal, and translate it by embedding it in an isogeny between higher-dimensional abelian varieties, as shown in \(\textsf{SQIsignHD}\) [16].
- 7. Further, this is not a valid response, since the composition with \(\widehat{\varphi_{\text{chall}}}\) is not cyclic.
- 8. That is, the group \(\langle K \rangle\) is closed under the action of \(\textrm{Gal}(\bar{\mathbb{F}}_q/\mathbb{F}_q)\).
- 9. It is the smallest field over which every isomorphism class of supersingular elliptic curves has a model.
- 10. As standard, we denote multiplications by \(\textbf{M}\), squarings by \(\textbf{S}\), and additions by \(\textbf{a}\).
- 11. A point \(P\) is said to be above a point \(R\) if \([k]P = R\) for some \(k \in \mathbb{N}\).
- 12. In contrast to earlier versions, \(\mathsf{SQIsign~(NIST)}\) fixes \(f_0 = f\). However, our analysis benefits from allowing \(f_0 < f\).
- 13. \(\mathsf{SQIsign~(NIST)}\) fixes the sequence \(x_k = 1 + k \cdot i\) with \(i \in \mathbb{F}_{p^2}\) such that \(i^2 = -1\) and picks the smallest \(k\) for which we find a suitable point.
- 14. In particular, we compute \(R' = [2^{f-3}]K\) and \(R = [2]R'\), a 4-isogeny with kernel \(\langle R \rangle\), push \(R'\) through, and compute a 2-isogeny with kernel \(\langle R' \rangle\).
- 15. – that is, the \(Q\).
- 16. Algorithmically, this is faster than a single scalar multiplication by \(2^{f-\lambda} \cdot \frac{p+1}{2^f}\).
- 17.
- 18. Note that for equal failing rates the number of possible seeds for \(P\) can be chosen smaller than for \(Q\), hence slightly decreasing the additional data sizes.
- 19. For instance, work by Adj, Chi-Domínguez, and Rodríguez-Henríquez [1] gives the crossover point at \(\ell > 89\), although for isogenies defined over \(\mathbb{F}_p\).
References
Adj, G., Chi-Domínguez, J.-J., Rodríguez-Henríquez, F.: Karatsuba-based square-root Vélu's formulas applied to two isogeny-based protocols. J. Cryptogr. Eng. 13(1), 89–106 (2023). https://doi.org/10.1007/s13389-022-00293-y
Auer, R., Top, J.: Legendre elliptic curves over finite fields. J. Number Theor. 95(2), 303–312 (2002). https://doi.org/10.1006/jnth.2001.2760
Bajard, J.-C., Duquesne, S.: Montgomery-friendly primes and applications to cryptography. J. Cryptogr. Eng. 11(4), 399–415 (2021). https://doi.org/10.1007/s13389-021-00260-z
Banegas, G., Gilchrist, V., Le Dévéhat, A., Smith, B.: Fast and Frobenius: rational isogeny evaluation over finite fields. In: Aly, A., Tibouchi, M. (eds.) LATINCRYPT 2023. LNCS, vol. 14168, pp. 129–148. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-44469-2_7
Bernstein, D.J., De Feo, L., Leroux, A., Smith, B.: Faster computation of isogenies of large prime degree. In: Open Book Series, vol. 4, no. 1, pp. 39–55 (2020)
Biasse, J.-F., Jao, D., Sankar, A.: A quantum algorithm for computing isogenies between supersingular elliptic curves. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 428–442. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_25
Bruno, G., et al.: Cryptographic smooth neighbors. Cryptology ePrint Archive, Paper 2022/1439 (2022). https://eprint.iacr.org/2022/1439
Chavez-Saab, J., et al.: SQIsign: algorithm specifications and supporting documentation (2023). National Institute of Standards and Technology. https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/sqisign-spec-web.pdf
Chi-Domínguez, J.-J., Rodríguez-Henríquez, F.: Optimal strategies for CSIDH. Adv. Math. Commun. 16(2), 383–411 (2022)
Corte-Real Santos, M., Eriksen, J.K., Meyer, M., Reijnders, K.: AprèsSQI: extra fast verification for SQIsign using extension-field signing. Cryptology ePrint Archive, Paper 2023/1559 (2023). https://eprint.iacr.org/2023/1559
Costello, C.: B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 440–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_15
Costello, C.: Computing supersingular isogenies on Kummer surfaces. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 428–456. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_16
Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 303–329. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_11
Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 679–706. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_24
Costello, C., Meyer, M., Naehrig, M.: Sieving for twin smooth integers with solutions to the Prouhet-Tarry-Escott problem. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 272–301. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_10
Dartois, P., Leroux, A., Robert, D., Wesolowski, B.: SQIsignHD: new dimensions in cryptography. Cryptology ePrint Archive, Paper 2023/436 (2023). https://eprint.iacr.org/2023/436
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015
De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part I. LNCS, vol. 12491, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3
De Feo, L., Leroux, A., Longa, P., Wesolowski, B.: New algorithms for the Deuring correspondence. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14008, pp. 659–690. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30589-4_23
Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Crypt. 78, 425–440 (2016)
Eriksen, J.K., Panny, L., Sotáková, J., Veroni, M.: Deuring for the people: supersingular elliptic curves with prescribed endomorphism ring in general characteristic. Cryptology ePrint Archive, Paper 2023/106 (2023). https://eprint.iacr.org/2023/106
Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions
Johnson, D., Menezes, A., Vanstone, S.A.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Sec. 1(1), 36–63 (2001). https://doi.org/10.1007/s102070100002
Josefsson, S., Liusvaara, I.: Edwards-curve digital signature algorithm (EdDSA). RFC 8032 (2017). https://doi.org/10.17487/RFC8032
Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell\)-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014)
Lin, K., Wang, W., Xu, Z., Zhao, C.-A.: A faster software implementation of SQISign. Cryptology ePrint Archive, Paper 2023/753 (2023). https://eprint.iacr.org/2023/753
Meyer, M., Reith, S.: A faster way to the CSIDH. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 137–152. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_8
Page, A., Wesolowski, B.: The supersingular endomorphism ring and one endomorphism problems are equivalent. arXiv:2309.10432 (2023). https://doi.org/10.48550/arXiv.2309.10432
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999)
Shoup, V.: Efficient computation of minimal polynomials in algebraic extensions of finite fields. In: Proceedings of the 1999 International Symposium on Symbolic and Algebraic Computation, pp. 53–58 (1999)
Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-1-4757-1920-8
National Institute of Standards and Technology (NIST): Call for additional digital signature schemes for the post-quantum cryptography standardization process (2022). https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/call-for-proposals-dig-sig-sept-2022.pdf
Tsukazaki, K.: Explicit isogenies of elliptic curves. Ph.D. thesis, University of Warwick (2013)
Vélu, J.: Isogénies entre courbes elliptiques. Comptes-Rendus de l'Académie des Sciences 273, 238–241 (1971)
Voight, J.: Quaternion Algebras. GTM, vol. 288. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-56694-4
Wesolowski, B.: The supersingular isogeny path and endomorphism ring problems are equivalent. In: 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 1100–1111. IEEE (2022)
Acknowledgement
We thank Craig Costello for helpful suggestions and comments on an earlier version of this work. We thank the anonymous Eurocrypt 2024 reviewers for their constructive feedback.
Copyright information
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Corte-Real Santos, M., Eriksen, J.K., Meyer, M., Reijnders, K. (2024). AprèsSQI: Extra Fast Verification for SQIsign Using Extension-Field Signing. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14651. Springer, Cham. https://doi.org/10.1007/978-3-031-58716-0_3
DOI: https://doi.org/10.1007/978-3-031-58716-0_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58715-3
Online ISBN: 978-3-031-58716-0