Quantum Circuits for the CSIDH: Optimizing Quantum Evaluation of Isogenies

Bernstein, Daniel J.; Lange, Tanja; Martindale, Chloe; Panny, Lorenz

doi:10.1007/978-3-030-17656-3_15

Cited by 39 publications

(49 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Modular polynomials are rarely the most efficient option, although for some applications they do prove to be the best choice, e.g. [BLMP18,Appendix D].…”

Section: Walking On Isogeny Graphsmentioning

confidence: 99%

Hilbert modular polynomials

Martindale

2020

Journal of Number Theory

Self Cite

View full text Add to dashboard Cite

We present an algorithm to compute a higher dimensional analogue of modular polynomials. This higher dimensional analogue, the 'set of Hilbert modular polynomials', concerns cyclic isogenies of principally polarised abelian varieties with maximal real multiplication by a fixed totally real number field K0. We give a proof that this algorithm is correct, and provide practical improvements and an implementation for the 2-dimensional case with K0 = Q(√ 5). We also explain applications of this algorithm to point counting, walking on isogeny graphs, and computing class polynomials.

show abstract

“…Modular polynomials are rarely the most efficient option, although for some applications they do prove to be the best choice, e.g. [BLMP18,Appendix D].…”

Section: Walking On Isogeny Graphsmentioning

confidence: 99%

Hilbert modular polynomials

Martindale

2020

Journal of Number Theory

Self Cite

View full text Add to dashboard Cite

show abstract

“…The best known classical attacks, both for the F p and the F p 2 case, are in the square root of the graph size (respectively, O( 4 √ p) and O( √ p)). But key recovery is hard even for quantum computers: the best attack for the F p case is Kuperberg's algorithm for the Hidden Shift Problem [49,63,50,18,13,7,39,5], which finds φ in exp( log(p)) quantum operations; whereas in the F p 2 case quantum computers give a square-root speedup via Grover's algorithm at best [8]. Hence, both identification protocols have a security property similar to the quantum annoyance defined in Defintion 2: any forgery requires running a new instance of Shor's algorithm, while key recovery is infeasible on quantum computers.…”

Section: Attacksmentioning

confidence: 99%

Verifiable Delay Functions from Supersingular Isogenies and Pairings

Feo

Masson

Petit

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The constant-time implementation in [17] allows variance of the computational time of their implementation with randomness that does not relate to secret information. On the other hand, implementations which do not allow such variance are proposed by Bernstein, Lange, Martindale, and Panny [18] and Jalali, Azarderakhsh, Kermani, and Jao [19]. The implementation in [18] is for evaluating the performance of quantum attacks for CSIDH.…”

Section: Introductionmentioning

confidence: 99%

“…On the other hand, implementations which do not allow such variance are proposed by Bernstein, Lange, Martindale, and Panny [18] and Jalali, Azarderakhsh, Kermani, and Jao [19]. The implementation in [18] is for evaluating the performance of quantum attacks for CSIDH. It must not have branches in order to compute in superposition on quantum computers.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Constant-Time Algorithm of CSIDH Keeping Two Points

Onuki

Aikawa

Yamazaki

et al. 2020

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

Hiroshi ONUKI †a) , Yusuke AIKAWA † †b) , Tsutomu YAMAZAKI † † †c) , Nonmembers, and Tsuyoshi TAKAGI †d) , Member SUMMARY At ASIACRYPT 2018, Castryck, Lange, Martindale, Panny and Renes proposed CSIDH, which is a key-exchange protocol based on isogenies between elliptic curves, and a candidate for postquantum cryptography. However, the implementation by Castryck et al. is not constant-time. Specifically, a part of the secret key could be recovered by the side-channel attacks. Recently, Meyer, Campos, and Reith proposed a constant-time implementation of CSIDH by introducing dummy isogenies and taking secret exponents only from intervals of non-negative integers. Their non-negative intervals make the calculation cost of their implementation of CSIDH twice that of the worst case of the standard (variabletime) implementation of CSIDH. In this paper, we propose a more efficient constant-time algorithm that takes secret exponents from intervals symmetric with respect to the zero. For using these intervals, we need to keep two torsion points on an elliptic curve and calculation for these points. We evaluate the costs of our implementation and that of Meyer et al. in terms of the number of operations on a finite prime field. Our evaluation shows that our constant-time implementation of CSIDH reduces the calculation cost by 28% compared with the implementation by Mayer et al. We also implemented our algorithm by extending the implementation in C of Meyer et al. (originally from Castryck et al.). Then our implementation achieved 152 million clock cycles, which is about 29% faster than that of Meyer et al. and confirms the above reduction ratio in our cost evaluation.

show abstract

Quantum Circuits for the CSIDH: Optimizing Quantum Evaluation of Isogenies

Cited by 39 publications

References 48 publications

Hilbert modular polynomials

Hilbert modular polynomials

Verifiable Delay Functions from Supersingular Isogenies and Pairings

A Constant-Time Algorithm of CSIDH Keeping Two Points

Contact Info

Product

Resources

About