
AprèsSQI: Extra Fast Verification for SQIsign Using Extension-Field Signing

Conference paper, Advances in Cryptology – EUROCRYPT 2024 (EUROCRYPT 2024)

Abstract

We optimise the verification of the SQIsign signature scheme. By using field extensions in the signing procedure, we are able to significantly increase the amount of available rational 2-power torsion in verification, which achieves a significant speed-up. This, moreover, allows several other speed-ups on the level of curve arithmetic. We show that the synergy between these high-level and low-level improvements gives significant improvements, making verification 2.07 times faster, or up to 3.41 times when using size-speed trade-offs, compared to the state of the art, without majorly degrading the performance of signing.

Author list in alphabetical order; see https://www.ams.org/profession/leaders/CultureStatement04.pdf. This work has been supported by UK EPSRC grant EP/S022503/1 and by the German Federal Ministry of Education and Research (BMBF) under the project 6G-RIC (ID 16KISK033).

The full version of this paper is available at https://ia.cr/2023/1559.


Notes

  1. This section is only necessary for Sect. 2.3 and Sect. 3, as all other sections are concerned only with \(\textsf{SQIsign}\) verification, which will only use well-known isogeny terminology. In contrast, signing heavily relies on the arithmetic of quaternion algebras.

  2. Note that \(\mathcal {O}\) and \(\mathcal {O}'\) need not be distinct.

  3. \(I = N\mathcal {O}\mathcal {O}'\), where N is the smallest integer making I integral.

  4. Specifically, it only works for special, p-extremal orders. An example of such an order when \(p \equiv 3 \pmod {4}\) is \(\text {End}(E_0)\) where \(j(E_0) = 1728\).

  5. Additionally, \(\widehat{\varphi _{\text {chall}}} \,\circ \, \varphi _{\text {resp}} \) needs to be cyclic. Observe that otherwise, the soundness proof might return a scalar endomorphism.

  6. Alternatively, one can replace the connecting ideal with the shortest equivalent ideal, and translate it by embedding it in an isogeny between higher-dimensional abelian varieties, as shown in \(\textsf{SQIsignHD}\) [16].

  7. Further, this is not a valid response, since the composition with \(\widehat{\varphi _{\text {chall}}}\) is not cyclic.

  8. That is, the group \(\langle K \rangle \) is closed under the action of \(\textrm{Gal}(\bar{\mathbb {F}}_q/\mathbb {F}_q)\).

  9. It is the smallest field over which every isomorphism class of supersingular elliptic curves has a model.

  10. As standard, we denote multiplications by \(\textbf{M}\), squarings by \(\textbf{S}\), and additions by \(\textbf{a}\).

  11. A point P is said to be above a point R if \([k]P = R\) for some \(k \in \mathbb {N}\).

  12. In contrast to earlier versions, \(\mathsf {SQIsign~(NIST)}\) fixes \(f_0=f\). However, our analysis benefits from allowing \(f_0<f\).

  13. \(\mathsf {SQIsign~(NIST)}\) fixes the sequence \(x_k = 1+k\cdot i\) with \(i\in \mathbb {F}_{p^2}\) such that \(i^2=-1\) and picks the smallest k for which we find a suitable point.

  14. In particular, we compute \(R'=[2^{f-3}]K\) and \(R=[2]R'\), a 4-isogeny with kernel \(\langle R \rangle \), push \(R'\) through, and compute a 2-isogeny with kernel \(\langle R' \rangle \).

  15. –that is, the Q.

  16. Algorithmically, this is faster than a single scalar multiplication by \(2^{f - \lambda } \cdot \frac{p+1}{2^f}\).

  17. See https://blog.cloudflare.com/sizing-up-post-quantum-signatures/.

  18. Note that for equal failing rates the number of possible seeds for P can be chosen smaller than for Q, hence slightly decreasing the additional data sizes.

  19. For instance, work by Adj, Chi-Domínguez, and Rodríguez-Henríquez [1] gives the crossover point at \(\ell > 89\), although for isogenies defined over \(\mathbb {F}_p\).

References

  1. Adj, G., Chi-Domínguez, J.-J., Rodríguez-Henríquez, F.: Karatsuba-based square-root Vélu’s formulas applied to two isogeny-based protocols. J. Cryptogr. Eng. 13(1), 89–106 (2023). https://doi.org/10.1007/s13389-022-00293-y

  2. Auer, R., Top, J.: Legendre elliptic curves over finite fields. J. Number Theor. 95(2), 303–312 (2002). https://doi.org/10.1006/jnth.2001.2760

  3. Bajard, J.-C., Duquesne, S.: Montgomery-friendly primes and applications to cryptography. J. Cryptogr. Eng. 11(4), 399–415 (2021). https://doi.org/10.1007/s13389-021-00260-z

  4. Banegas, G., Gilchrist, V., Le Dévéhat, A., Smith, B.: Fast and Frobenius: rational isogeny evaluation over finite fields. In: Aly, A., Tibouchi, M. (eds.) LATINCRYPT 2023. LNCS, vol. 14168, pp. 129–148. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-44469-2_7

  5. Bernstein, D.J., De Feo, L., Leroux, A., Smith, B.: Faster computation of isogenies of large prime degree. In: Open Book Series, vol. 4, no. 1, pp. 39–55 (2020)

  6. Biasse, J.-F., Jao, D., Sankar, A.: A quantum algorithm for computing isogenies between supersingular elliptic curves. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 428–442. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_25

  7. Bruno, G., et al.: Cryptographic smooth neighbors. Cryptology ePrint Archive, Paper 2022/1439 (2022). https://eprint.iacr.org/2022/1439

  8. Chavez-Saab, J., et al.: SQIsign: algorithm specifications and supporting documentation (2023). National Institute of Standards and Technology. https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/sqisign-spec-web.pdf

  9. Chi-Domínguez, J.-J., Rodríguez-Henríquez, F.: Optimal strategies for CSIDH. Adv. Math. Commun. 16(2), 383–411 (2022)

  10. Corte-Real Santos, M., Eriksen, J.K., Meyer, M., Reijnders, K.: AprèsSQI: extra fast verification for SQIsign using extension-field signing. Cryptology ePrint Archive, Paper 2023/1559 (2023). https://eprint.iacr.org/2023/1559

  11. Costello, C.: B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 440–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_15

  12. Costello, C.: Computing supersingular isogenies on Kummer surfaces. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 428–456. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_16

  13. Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 303–329. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_11

  14. Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 679–706. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_24

  15. Costello, C., Meyer, M., Naehrig, M.: Sieving for twin smooth integers with solutions to the Prouhet-Tarry-Escott problem. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 272–301. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_10

  16. Dartois, P., Leroux, A., Robert, D., Wesolowski, B.: SQISignHD: new dimensions in cryptography. Cryptology ePrint Archive, Paper 2023/436 (2023). https://eprint.iacr.org/2023/436

  17. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015

  18. De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part I. LNCS, vol. 12491, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3

  19. De Feo, L., Leroux, A., Longa, P., Wesolowski, B.: New algorithms for the Deuring correspondence. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14008, pp. 659–690. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30589-4_23

  20. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F} _p\). Des. Codes Crypt. 78, 425–440 (2016)

  21. Eriksen, J.K., Panny, L., Sotáková, J., Veroni, M.: Deuring for the people: supersingular elliptic curves with prescribed endomorphism ring in general characteristic. Cryptology ePrint Archive, Paper 2023/106 (2023). https://eprint.iacr.org/2023/106

  22. Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions

  23. Johnson, D., Menezes, A., Vanstone, S.A.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Sec. 1(1), 36–63 (2001). https://doi.org/10.1007/s102070100002

  24. Josefsson, S., Liusvaara, I.: Edwards-curve digital signature algorithm (EdDSA). RFC 8032, pp. 1–60 (2017). https://doi.org/10.17487/RFC8032

  25. Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014)

  26. Lin, K., Wang, W., Xu, Z., Zhao, C.-A.: A faster software implementation of SQISign. Cryptology ePrint Archive, Paper 2023/753 (2023). https://eprint.iacr.org/2023/753

  27. Meyer, M., Reith, S.: A faster way to the CSIDH. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 137–152. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_8

  28. Page, A., Wesolowski, B.: The supersingular endomorphism ring and one endomorphism problems are equivalent. arXiv:2309.10432 (2023). https://doi.org/10.48550/arXiv.2309.10432

  29. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999)

  30. Shoup, V.: Efficient computation of minimal polynomials in algebraic extensions of finite fields. In: Proceedings of the 1999 International Symposium on Symbolic and Algebraic Computation, pp. 53–58 (1999)

  31. Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-1-4757-1920-8

  32. National Institute of Standards and Technology (NIST): Call for Additional Digital Signature Schemes for the Post-Quantum Cryptography Standardization Process (2022). https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/call-for-proposals-dig-sig-sept-2022.pdf

  33. Tsukazaki, K.: Explicit isogenies of elliptic curves. Ph.D. thesis, University of Warwick (2013)

  34. Vélu, J.: Isogénies entre courbes elliptiques. Comptes-Rendus de l’Académie des Sciences 273, 238–241 (1971)

  35. Voight, J.: Quaternion Algebras. GTM, vol. 288. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-56694-4

  36. Wesolowski, B.: The supersingular isogeny path and endomorphism ring problems are equivalent. In: 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 1100–1111. IEEE (2022)


Acknowledgement

We thank Craig Costello for helpful suggestions and comments on an earlier version of this work. We thank the anonymous Eurocrypt 2024 reviewers for their constructive feedback.

Author information

Corresponding author: Maria Corte-Real Santos.


Copyright information

© 2024 International Association for Cryptologic Research

About this paper


Cite this paper

Corte-Real Santos, M., Eriksen, J.K., Meyer, M., Reijnders, K. (2024). AprèsSQI: Extra Fast Verification for SQIsign Using Extension-Field Signing. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14651. Springer, Cham. https://doi.org/10.1007/978-3-031-58716-0_3


  • DOI: https://doi.org/10.1007/978-3-031-58716-0_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-58715-3

  • Online ISBN: 978-3-031-58716-0
