Abstract
Implementations of isogeny-based cryptography mainly use Montgomery curves, as they offer fast elliptic curve arithmetic and isogeny computation. However, although Montgomery curves have efficient 3- and 4-isogeny formulas, they become inefficient when recovering the coefficient of the image curve for large-degree isogenies. Because Commutative Supersingular Isogeny Diffie-Hellman (CSIDH) requires odd-degree isogenies up to at least 587, this inefficiency is the main bottleneck of using a Montgomery curve for CSIDH. In this paper, we present a new optimization method for faster CSIDH protocols entirely on Montgomery curves. To this end, we present a new parameter for CSIDH, for which the three rational two-torsion points exist. By using the proposed parameters, the CSIDH moves around the surface. The curve coefficient of the image curve can be recovered by a two-torsion point. We also proved that CSIDH using the proposed parameter guarantees a free and transitive group action. Additionally, we present implementation results using our method. We demonstrated that our method is 6.4% faster than the original CSIDH. Our work shows that considerably higher performance of CSIDH is achieved while only using Montgomery curves.
Original language | English |
---|---|
Article number | 20 |
Pages (from-to) | 1-13 |
Number of pages | 13 |
Journal | Cryptography |
Volume | 4 |
Issue number | 3 |
Publication status | Published - 2020 Sept |
Keywords
- Commutative Supersingular Isogeny Diffie-Hellman (CSIDH)
- Isogeny
- Montgomery curves
- Post-quantum cryptography
- Two-torsion points
ASJC Scopus subject areas
- Computational Theory and Mathematics
- Computer Networks and Communications
- Computer Science Applications
- Software
- Applied Mathematics