• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.6
• /
• pp.1137-1148
• /
• 2021

The main obstacle for implementing CSIDH-based cryptography is that it requires generating a kernel of a small prime order to compute the group action using Velu's formula. As this is a quite painstaking process for small torsion points, a new approach called radical isogeny is recently proposed to compute chains of isogenies from a coefficient of an elliptic curve. This paper presents an optimized implementation of radical isogenies and analyzes its ideal use in CSIDH-based cryptography. We tailor the formula for transforming Montgomery curves and Tate normal form and further optimized the radical 2- and 3- isogeny formula and a projective version of radical 5- and 7- isogeny. For CSIDH-512, using radical isogeny of degree up to 7 is 15.3% faster than standard constant-time CSIDH. For CSIDH-4096, using only radical 2-isogeny is the optimal choice.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.2
• /
• pp.243-252
• /
• 2023

As an efficient key recovery attack on SIDH/SIKE was proposed, CSIDH is drawing attention again. CSIDH is an isogeny-based key exchange algorithm that is safe against known attacks to date, and provide efficient NIKE by modernizing CRS scheme. In this paper, we firstly present the optimized implementation of CSIDH-512 on ARM Cortex-M7. We use three-level hybrid Montgomery reduction and present the results of our implementation, limitations, and future research directions. This is a CSIDH implementation in 32-bit embedded devices that has not been previously presented, and it is expected that the results of this paper will be available to implement CSIDH and derived cryptographic algorithms in various embedded environments in the future.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.3
• /
• pp.497-508
• /
• 2021

In this paper, we focus on optimizing the performance of CSURF, which uses the tweaked Montgomery curves. The projective version of elliptic curve arithmetic is slower on tweaked Montgomery curves than on Montgomery curves, so that CSURF is slower than the hybrid version of CSIDH. However, as the square-root Velu formula uses less number of ellitpic curve arithmetic than the standard Velu formula, there is room for optimization We optimize the square-root Velu formula and 2-isogeny formula on tweaked Montgomery curves. Our CSURFis 14% faster than the standard CSURF, and 10.8% slower than the CSIDH using the square-root Velu formula. The constant-time CSURF is 6.8% slower than constant-time CSIDH. Compared to the previous implementations, this is a remarkable result.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.2
• /
• pp.167-177
• /
• 2024

This paper proposes optimization techniques for SeaSign, an isogeny-based digital signature algorithm. SeaSign combines class group actions of CSIDH with the Fiat-Shamir with abort. While CSIDH-based algorithms have regained attention due to polynomial time attacks for SIDH-based algorithms, SeaSiogn has not undergone significat optimization because of its inefficiency. In this paper, an efficient signing method for SeaSign is proposed. The proposed signing method is simple yet powerful, achived by repositioning the rejection sampling within the algorithm. Additionally, this paper presnts parameters that can provide optimal performance for the proposed algorithm. As a result, by using the original parameters of SeaSign, the proposed method is three times faster than the original SeaSign. Additonally, combining the newly suggested parameters with the signing method proposed in this paper yields a performance that is 290 times faster than the original SeaSign and 7.47 times faster than the method proposed by Decru et al.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.4
• /
• pp.591-599
• /
• 2023

Due to the recent attack by Castryck-Decru, the private key of SIDH can be recovered in polynomial time so several methods have been proposed to prevent the attack. Among them, M-SIDH proposed by Fouotsa et al, counteracts the attack by masking the torsion point information during the key exchange. In this paper, we implement M-SIDH and evaluate its performance. To the best of our knowledge, this is the first implementation of M-SIDH in C language. Toward that end, we propose a method to select parameters for M-SIDH instantiation and propose a 1024-bit prime for implementation. We implemented the square-root Velu formula over the extension field for further optimization. As a result, 1129 ms is required for a key exchange in the case of MSIDH-1024, providing the classic 64-bit security level.