Abstract
The optimization of the main key compression bottlenecks of the supersingular isogeny key encapsulation mechanism (SIKE) has been a target of research in the last few years. Significant improvements were introduced in the recent works of Costello et al. (EUROCRYPT’2017) and Zanon et al. (PQCrypto’2018; IEEE ToC’2018). The combination of the techniques in Zanon et al. (PQCrypto’2018; IEEE ToC’2018) reduced the running time of binary torsion basis generation in decompression by a factor of 29 compared to previous work. Even so, generating such a basis still takes almost a million cycles on an Intel Core i5-6267U (Skylake). In this paper, we continue the work of Zanon et al. (IEEE ToC’2018) and introduce a technique that reduces the cost of binary torsion basis generation by a factor of \(\log p\) in the number of underlying field multiplications. Our experimental results show that a basis can be generated in about 1300 cycles, an improvement by a factor of more than 600. Although this result eliminates one of the key compression bottlenecks, many other bottlenecks remain. In addition, we give further improvements for ternary torsion basis generation with significant impact on the related decompression procedure. Finally, we introduce a new trade-off between ciphertext size on one side and decapsulation speed and storage on the other, which yields decapsulation that is 1.7 times faster.
Notes
Note that \(u_0 = \sqrt{u} \in {\mathbb {F}}_{p^2} \backslash {\mathbb {F}}_p\) as defined in the original work.
We omit the subscripts for \(\phi \), P, and Q for the sake of simplicity. Note also that the entangled basis generators \(S_1, S_2\) are not cofactor-reduced and extra multiplications by \(3^{e_3}\) appear in Eq. 8.
We assume the tripling algorithm proposed in [18].
This estimation is given by [7].
We assume a cost of \(2\mathbf{S} {}\) to compute a 2-isogeny from [16].
References
Azarderakhsh, R., Campagna, M., Costello, C., De Feo, L., Hess, B., Jalali, A., Jao, D., Koziel, B., LaMacchia, B., Longa, P., Naehrig, M., Pereira, G., Renes, J., Soukharev, V., Urbanik, D.: Supersingular isogeny key encapsulation. Submission to the 2nd Round of the NIST Post-Quantum Standardization project (2019)
Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogeny-based cryptosystems. In: Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, pp. 1–10. ACM (2016)
Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 967–980. ACM (2013)
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology - ASIACRYPT 2018, pp. 395–427. Springer, Cham (2018)
Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009). https://doi.org/10.1007/s00145-007-9002-x
Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Advances in Cryptology—EUROCRYPT 2017, no. 10210 in Lecture Notes in Computer Science, pp. 679–706. Springer, Paris, France (2017)
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
Faz-Hernández, A., López, J., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie–Hellman key exchange protocol. IEEE Trans. Comput. (2017)
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013). https://doi.org/10.1007/s00145-011-9114-1
Galbraith, S.D., Petit, C., Shani, B., Ti, Y.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) Advances in Cryptology—ASIACRYPT 2016, pp. 63–91. Springer, Berlin (2016)
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Post-quantum cryptography, Lecture Notes in Comput. Sci., vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Post-Quantum Cryptography—PQCrypto 2011, no. 7071 in Lecture Notes in Computer Science, pp. 19–34. Springer, Taipei, Taiwan (2011)
Kirkwood, D., Lackey, B., McVey, J., Motley, M., Solinas, J., Tuller, D.: Failure is not an option: Standardization issues for post-quantum key agreement. https://csrc.nist.gov/groups/ST/post-quantum-2015/presentations/session7-motley-mark.pdf (2015)
Naehrig, M., Renes, J.: Dual isogenies and their application to public-key compression for isogeny-based cryptography. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 243–272. Springer (2019)
NIST: Post-quantum cryptography. https://www.nist.gov/pqcrypto/ (2019)
Renes, J.: Computing isogenies between Montgomery curves using the action of (0, 0). In: International Conference on Post-Quantum Cryptography, pp. 229–247. Springer (2018)
SIKE: Supersingular isogeny key encapsulation (2017). https://sike.org
Zanon, G., Simplicio Jr., M., Pereira, G., Doliskani, J., Barreto, P.: Faster isogeny-based compressed key agreement. In: International Workshop on Post-Quantum Cryptography, pp. 248–268. Springer (2018)
Zanon, G., Simplicio Jr., M., Pereira, G., Doliskani, J., Barreto, P.: Faster key compression for isogeny-based cryptosystems. IEEE Trans. Comput. 68, 688–701 (2018)
This work is supported in part by NSERC, CryptoWorks21, Canada First Research Excellence Fund, Public Works and Government Services Canada, and the Royal Bank of Canada.
Appendices
Additional performance experiments
To illustrate our techniques for SIKE primes that were not covered in previous compression works, we give extra benchmarks in Table 4.
Auxiliary algorithms
This appendix lists the key algorithms from the SIKE specification that were used in this work.
Cite this article
Pereira, G., Doliskani, J. & Jao, D. x-only point addition formula and faster compressed SIKE. J Cryptogr Eng 11, 57–69 (2021). https://doi.org/10.1007/s13389-020-00245-4