Batching CSIDH Group Actions using AVX-512

Commutative Supersingular Isogeny Diffie-Hellman (or CSIDH for short) is a recently-proposed post-quantum key establishment scheme that belongs to the family of isogeny-based cryptosystems. The CSIDH protocol is based on the action of an ideal class group on a set of supersingular elliptic curves and comes with some very attractive features, e.g. the ability to serve as a “drop-in” replacement for the standard elliptic curve Diffie-Hellman protocol. Unfortunately, the execution time of CSIDH is prohibitively high for many real-world applications, mainly due to the enormous computational cost of the underlying group action. Consequently, there is a strong demand for optimizations that increase the efficiency of the class group action evaluation, which is not only important for CSIDH, but also for related cryptosystems like the signature schemes CSI-FiSh and SeaSign. In this paper, we explore how the AVX-512 vector extensions (incl. AVX-512F and AVX-512IFMA) can be utilized to optimize constant-time evaluation of the CSIDH-512 class group action with the goal of, respectively, maximizing throughput and minimizing latency. We introduce different approaches for batching group actions and computing them in SIMD fashion on modern Intel processors. In particular, we present a hybrid batching technique that, when combined with optimized (8 × 1)-way prime-field arithmetic, increases the throughput by a factor of 3.64 compared to a state-of-the-art (non-vectorized) x64 implementation. On the other hand, vectorization in a 2-way fashion aimed to reduce latency makes our AVX-512 implementation of the group action evaluation about 1.54 times faster than the state-of-the-art. To the best of our knowledge, this paper is the first to demonstrate the high potential of using vector instructions to increase the throughput (resp. decrease the latency) of constant-time CSIDH.

Construction of metrics on the set of elliptic curves over a finite field

We consider metrics on the set of elliptic curves in short Weierstrass form over a finite field of characteristic greater than three. The metrics have been first found by Mishra and Gupta (2008). Vetro (2011) constructs other metrics which are independent on the choice of a generator of the multiplicative group of the underlying finite field, whereas the metrics found by Mishra and Gupta, are dependent on the choice of a generator of the multiplicative group of the underlying finite field. Hakuta (2015, 2018) constructs metrics on the set of non-supersingular elliptic curves in shortWeierstrass form over a finite field of characteristic two and three, respectively. The aim of this paper is to point out that the metric found by Mishra and Gupta is in fact not a metric. We also construct new metrics which are slightly modified versions of the metric found by Mishra and Gupta.

Constructing Cycles in Isogeny Graphs of Supersingular Elliptic Curves

Loops and cycles play an important role in computing endomorphism rings of supersingular elliptic curves and related cryptosystems. For a supersingular elliptic curve E defined over 𝔽 p 2 , if an imaginary quadratic order O can be embedded in End(E) and a prime L splits into two principal ideals in O, we construct loops or cycles in the supersingular L-isogeny graph at the vertices which are next to j(E) in the supersingular ℓ-isogeny graph where ℓ is a prime different from L. Next, we discuss the lengths of these cycles especially for j(E) = 1728 and 0. Finally, we also determine an upper bound on primes p for which there are unexpected 2-cycles if ℓ doesn’t split in O.

Algebraic approaches for solving isogeny problems of prime power degrees

Recently, supersingular isogeny cryptosystems have received attention as a candidate of post-quantum cryptography (PQC). Their security relies on the hardness of solving isogeny problems over supersingular elliptic curves. The meet-in-the-middle approach seems the most practical to solve isogeny problems with classical computers. In this paper, we propose two algebraic approaches for isogeny problems of prime power degrees. Our strategy is to reduce isogeny problems to a system of algebraic equations, and to solve it by Gröbner basis computation. The first one uses modular polynomials, and the second one uses kernel polynomials of isogenies. We report running times for solving isogeny problems of 3-power degrees on supersingular elliptic curves over 𝔽p2 with 503-bit prime p, extracted from the NIST PQC candidate SIKE. Our experiments show that our first approach is faster than the meet-in-the-middle approach for isogeny degrees up to 310.

The existence of supersingular curves of genus 4 in arbitrary characteristic

We prove that there exists a supersingular nonsingular curve of genus 4 in arbitrary characteristic $$p>0$$ p > 0 . For $$p>3$$ p > 3 we shall prove that the desingularization of a certain fiber product over $$\mathbf{P }^1$$ P 1 of two supersingular elliptic curves is supersingular.

Orienting supersingular isogeny graphs

We introduce a category of 𝓞-oriented supersingular elliptic curves and derive properties of the associated oriented and nonoriented ℓ-isogeny supersingular isogeny graphs. As an application we introduce an oriented supersingular isogeny Diffie-Hellman protocol (OSIDH), analogous to the supersingular isogeny Diffie-Hellman (SIDH) protocol and generalizing the commutative supersingular isogeny Diffie-Hellman (CSIDH) protocol.