For primes p ≡ 3 mod 4, we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ring Z[(1 + √−p)/2], amounts to just a few sign switches in the underlying arithmetic. If p ≡ 7 mod 8 then horizontal 2-isogenies can be used to help compute the class group action. The formulas we derive for these 2-isogenies are very efficient (they basically amount to a single exponentiation in F_p) and allow for a noticeable speed-up, e.g., our resulting CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This improvement is completely orthogonal to all previous speed-ups, constant-time measures and construction of cryptographic primitives that have appeared in the literature so far. At the same time, moving to the surface gets rid of the redundant factor Z_3 of the acting ideal-class group, which is present in the case of CSIDH and offers no extra security.
This paper introduces a new approach to computing isogenies called "radical isogenies" and a corresponding method to compute chains of N-isogenies that is very efficient for small N. The method is fully deterministic and completely avoids generating N-torsion points. It is based on explicit formulae for the coordinates of an N-torsion point P on the codomain of a cyclic N-isogeny ϕ : E → E , such that composing ϕ with E → E / P yields a cyclic N^2-isogeny. These formulae are simple algebraic expressions in the coefficients of E, the coordinates of a generator P of ker ϕ, and an Nth root ᴺ√ρ, where the radicand ρ itself is given by an easily computable algebraic expression in the coefficients of E and the coordinates of P. The formulae can be iterated and are particularly useful when computing chains of N-isogenies over a finite field F_q with gcd(q − 1, N) = 1, where taking an Nth root is a simple exponentiation. Compared to the state-of-the-art, our method results in an order of magnitude speed-up for N ≤ 13; for larger N, the advantage disappears due to the increasing complexity of the formulae. When applied to CSIDH, we obtain a speed-up of about 19% over the implementation by Bernstein, De Feo, Leroux and Smith for the CSURF-512 parameters.
In 2018 Takashima proposed a version of Charles, Goren and Lauter’s hash function using Richelot isogenies, starting from a genus-2 curve that allows for all subsequent arithmetic to be performed over a quadratic finite field 𝔽_{p^2}. In 2019 Flynn and Ti pointed out that Takashima’s hash function is insecure due to the existence of small isogeny cycles. We revisit the construction and show that it can be repaired by imposing a simple restriction, which moreover clarifies the security analysis. The runtime of the resulting hash function is dominated by the extraction of 3 square roots for every block of 3 bits of the message, as compared to one square root per bit in the elliptic curve case; however in our setting the extractions can be parallelized and are done in a finite field whose bit size is reduced by a factor 3. Along the way we argue that the full supersingular isogeny graph is the wrong context in which to study higher-dimensional analogues of Charles, Goren and Lauter’s hash function, and advocate the use of the superspecial subgraph, which is the natural framework in which to view Takashima’s 𝔽_{p^2}-friendly starting curve.
We argue that for all integers N ≥ 2 and g ≥ 1 there exist “multiradical” isogeny formulae, that can be iteratively applied to compute (N^k, …, N^k)-isogenies between principally polarized g-dimensional abelian varieties, for any value of k ≥ 2. The formulae are complete: each iteration involves the extraction of g(g+1)/2 different Nth roots, whence the epithet multiradical, and by varying which roots are chosen one computes all N^{g(g+1)/2} extensions to an (N^k, …, N^k)-isogeny of the incoming (N^{k-1}, …, N^{k-1})-isogeny. Our group-theoretic argumentation is heuristic, but it is supported by concrete formulae for several prominent families. As our main application, we illustrate the use of multiradical isogenies by implementing a hash function from (3,3)-isogenies between Jacobians of superspecial genus-2 curves, showing that it outperforms its (2,2)-counterpart by an asymptotic factor ≈ 9 in terms of speed.