
x-only point addition formula and faster compressed SIKE

  • Regular Paper
Journal of Cryptographic Engineering

Abstract

The optimization of the main key compression bottlenecks of the supersingular isogeny key encapsulation mechanism (SIKE) has been a target of research in the last few years. Significant improvements were introduced in the recent works of Costello et al. (EUROCRYPT’2017) and Zanon et al. (PQCrypto’2018; IEEE ToC’2018). The combination of the techniques in Zanon et al. (PQCrypto’2018; IEEE ToC’2018) reduced the running time of binary torsion basis generation in decompression by a factor of 29 compared to previous work. On the other hand, generating such a basis still takes almost a million cycles on an Intel Core i5-6267U Skylake. In this paper, we continue the work of Zanon et al. (IEEE ToC’2018) and introduce a technique that drops the complexity of binary torsion basis generation by a factor of \(\log p\) in the number of underlying field multiplications. In particular, our experimental results show that a basis can be generated in about 1300 cycles, an improvement by a factor of more than 600. Although this result eliminates one of the key compression bottlenecks, many other bottlenecks remain. In addition, we give further improvements for ternary torsion basis generation with significant impact on the related decompression procedure. Moreover, a new trade-off between ciphertext size on one side and decapsulation speed and storage on the other is introduced, achieving 1.7 times faster decapsulation.


Notes

  1. This formula was dubbed entangled addition due to the fact that one of the basis generators is intrinsically related to the other, following the nomenclature introduced in [18]. This formula was independently discovered in [14].

  2. Note that \(u_0 = \sqrt{u} \in {\mathbb {F}}_{p^2} \backslash {\mathbb {F}}_p\) as defined in the original work.

  3. We omit the subscripts for \(\phi \), P, and Q for the sake of simplicity. Note also that the entangled basis generators \(S_1, S_2\) are not cofactor-reduced and extra multiplications by \(3^{e_3}\) appear in Eq. 8.

  4. We assume the tripling algorithm proposed in [18].

  5. This estimation is given by [7].

  6. We assume a cost of \(2\mathbf{S}\) to compute a 2-isogeny from [16].

References

  1. Azarderakhsh, R., Campagna, M., Costello, C., De Feo, L., Hess, B., Jalali, A., Jao, D., Koziel, B., LaMacchia, B., Longa, P., Naehrig, M., Pereira, G., Renes, J., Soukharev, V., Urbanik, D.: Supersingular isogeny key encapsulation. Submission to the 2nd Round of the NIST Post-Quantum Standardization project (2019)

  2. Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogeny-based cryptosystems. In: Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, pp. 1–10. ACM (2016)

  3. Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 967–980. ACM (2013)

  4. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology - ASIACRYPT 2018, pp. 395–427. Springer, Cham (2018)


  5. Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009). https://doi.org/10.1007/s00145-007-9002-x


  6. Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Advances in Cryptology—EUROCRYPT 2017, no. 10210 in Lecture Notes in Computer Science, pp. 679–706. Springer, Paris, France (2017)

  7. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)


  8. Faz-Hernández, A., López, J., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie-Hellman key exchange protocol. IEEE Trans. Comput. (2017)

  9. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013). https://doi.org/10.1007/s00145-011-9114-1


  10. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) Advances in Cryptology—ASIACRYPT 2016, pp. 63–91. Springer, Berlin (2016)


  11. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Post-Quantum Cryptography, Lecture Notes in Computer Science, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  12. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Post-Quantum Cryptography—PQCrypto 2011, no. 7071 in Lecture Notes in Computer Science, pp. 19–34. Springer, Taipei, Taiwan (2011)

  13. Kirkwood, D., Lackey, B., McVey, J., Motley, M., Solinas, J., Tuller, D.: Failure is not an option: Standardization issues for post-quantum key agreement. https://csrc.nist.gov/groups/ST/post-quantum-2015/presentations/session7-motley-mark.pdf (2015)

  14. Naehrig, M., Renes, J.: Dual isogenies and their application to public-key compression for isogeny-based cryptography. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 243–272. Springer (2019)

  15. NIST: Post-quantum cryptography. https://www.nist.gov/pqcrypto/ (2019)

  16. Renes, J.: Computing isogenies between Montgomery curves using the action of (0, 0). In: International Conference on Post-Quantum Cryptography, pp. 229–247. Springer (2018)

  17. SIKE: Supersingular isogeny key encapsulation (2017). https://sike.org

  18. Zanon, G., Simplicio Jr., M., Pereira, G., Doliskani, J., Barreto, P.: Faster isogeny-based compressed key agreement. In: International Workshop on Post-Quantum Cryptography, pp. 248–268. Springer (2018)

  19. Zanon, G., Simplicio Jr., M., Pereira, G., Doliskani, J., Barreto, P.: Faster key compression for isogeny-based cryptosystems. IEEE Trans. Comput. 68, 688–701 (2018)


Author information


Corresponding author

Correspondence to Geovandro Pereira.


This work is supported in part by NSERC, CryptoWorks21, Canada First Research Excellence Fund, Public Works and Government Services Canada, and the Royal Bank of Canada.

Appendices

Additional performance experiments

In order to illustrate our techniques for different SIKE primes that are not present in the previous compression works, we give extra benchmarks in Table 4.

Table 4 Benchmark for \(2^{e_2}\)-torsion basis generation in cycles on an Intel Core i5-6267U Skylake clocked at 2.9 GHz (GCC compiler with -O3 flag, and \(\mathbf{s}=\mathbf{m}\) in this implementation)

Auxiliary algorithms

This appendix lists some key algorithms from the SIKE specification that were used in this work.

(Algorithm listings, figures n–q, are not reproduced in this extract.)


Cite this article

Pereira, G., Doliskani, J. & Jao, D. x-only point addition formula and faster compressed SIKE. J Cryptogr Eng 11, 57–69 (2021). https://doi.org/10.1007/s13389-020-00245-4

  • DOI: https://doi.org/10.1007/s13389-020-00245-4