Efficient Commutative PQC Algorithms on Isogenies of Edwards Curves

1. Introduction

The announcement of the Post-Quantum Cryptography (PQC) Commutative Supersingular Isogeny Diffie-Hellman (CSIDH) algorithm [1], based on the original CRS scheme [2], was accompanied by the author’s statement that it has the smallest known key length of 512 bits with a security level of 128 bits. However, problems with vulnerability to side-channel attacks and fast performance were noted. To overcome the slowness of the implementation of the Couveignes-Rostovtsev-Stolbunov (CRS) scheme [3], the authors justified their choice of supersingular elliptic curves in Montgomery form instead of ordinary (non-supersingular) ones in [2], which speeds up the implementation by a factor of 2,000 [1].

A significant acceleration of CSIDH [1] implementation (20%) was achieved in [4] with Farashahi-Hosseini [5] calculations in projective coordinates (W:Z). The CSIDH model [4] uses the Edwards isogenies of complete curves technique [6] with computations of isogenic curve parameters using formulas [7].

In our articles [8,9,10,11,12,13,14,15] we disagreed with the ambiguous terminology of curves in Edwards form in the pioneering [6] and proposed a more correct classification of them into three non-isomorphic classes [8]. The present article has two aims. First, we give an overview of our most promising modifications of the CSIDH algorithm, which improve the efficiency of the algorithm. Along with this, here for the first time we obtain an integral lower bound estimate of the gain in the speed of computation of isogenic chains γ = 3 ∙ 2⁹ in the speed of computing isogenic chains due to all proposed modifications.

Section 2 gives the rationale for the choice of non-cyclic classes of quadratic and twisted supersingular Edwards curves defined as a pair of quadratic twists over a prime field $F_p$, where $p\equiv 7\mathrm{m}\mathrm{o}\mathrm{d}8$ [8,9,10,11]. Their advantages over the class of complete supersingular Edwards curves are the doubling of the set of all curves and, most importantly, the elimination of the laborious operation of inversion of the $d^{-1}$ parameter $d$ in the transition to quadratic twist. In this article, we obtain the first partial estimate of the gain ${\gamma }_1{\gamma }_2=2^5$ in the speed of computation in CSIDH on non-cyclic supersingular Edwards curves compared to complete supersingular Edwards curves.

In Section 3, based on the estimates obtained in [10] of the computational cost in projective coordinates $(W:Z)$ Farashahi-Hosseini [5] parameter $d$ of the isogenic curve and isogenic function $\varphi (x,y)$ we obtained an estimate of the gain in computational speed in CSIDH ${\gamma }_3=2.235$due to the refusal of the redundant calculation of the function $\varphi \left(x,y\right).$In Section 4, we consider the method of randomization of the CSIDH algorithm [12] and justify estimates of the speed gain of its implementation. We emphasize the existence of two isomorphic cryptosystems with parallel computation capability, which removes the threat of side-channel and doubles the performance of the algorithm. Here, the partial estimate of the speed gain of the algorithm is ${\gamma }_4{\gamma }_5{\gamma }_6=2^3.$Section 5 is devoted to the optimization of the distribution of isogeny degrees in CSIDH [14], which is not dense and has discontinuities in the table of prime numbers. It is shown that, while preserving the security parameters, it is possible to reduce the degree of the senior isogeny and obtain a linear estimate of the CSIDH acceleration by a factor of 1.5.

The original and fast key encapsulation algorithm Commutative Supersingular Isogeny Key Encapsulation (CSIKE) [13] and its model implementation are discussed in Section 6. Here a single public key of the recipient is used instead of two in CSIDH, which gives a security gain.

In Section 7, we consider aspects of the CRS model implementation of the Diffie-Hellman secret sharing scheme on 4-degree isogenies $\{\mathrm{3,5},\mathrm{7,37}\}$ of ordinary non-cyclic Edwards curves. An important advantage of these curves is the existence of 4-independent cryptosystems with the possibility of parallel computation and performance quadrupling (or doubling compared to CSIDH). Other interesting problems and modifications of cryptosystems are considered in [15].

2. Selection of Classes and Types of Edwards Curves

Depending on the quadratic properties of the parameters $a$ and $d$ we in [8] also propose a more correct classification of curves into three non-intersecting classes than in [6]:

A. Complete Edwards curves: $\chi \left(a\right)=1,\chi \left(d\right)=-1$;

B. Quadratic Edwards curves: $\chi \left(a\right)=\chi \left(d\right)=1$;

C. Twisted Edwards curves: $\chi \left(a\right)=\chi \left(d\right)=-1.$

The well-known implementation of the CSIDH algorithm [4] is based on complete Edwards curves A in the Farashahi-Hosseini $(W:Z)$ coordinate system, which accelerated its performance by 20% compared to Montgomery curves in the $(X:Z)$ coordinate system. We have justified and utilized non-cyclic curves of classes B and C as quadratic twist pairs in [9,10,11,12,13,14,15]. They have two important advantages over the complete Edwards curves A:

• Doubling the number of all curves in the algorithm over a single class A doubles the set of all isogenic curves of classes B and C with a corresponding gain in security. This can be exchanged for a gain in computational speed ${\gamma }_1=2$;
• For half of all computable isogenic curves with negative exponents $e_i$ given by the secret key $\Omega$ (see Section 4), no time-consuming inversion of the parameter d of the class A isogenic curve is required. The corresponding gain in speed ${\gamma }_2$in computational speed should be estimated.

Let us define curves B and C as a pair of quadratic twists at $p\equiv 7\mathrm{m}\mathrm{o}\mathrm{d}8$ by the equations:

$$E_{1,d}:x^2+y^2=1+d{x}^2{y}^2,a,d\in F_p^{*},a=1,\chi \left(d\right)=1,$$

(1)

$$E_{-1,-d}:x^2-y^2=1-d{x}^2{y}^2,a,d\in F_p^{*},a=-1,\chi \left(d\right)=1.$$

(2)

In the twisted curve (2), both parameters of the curve are multiplied by $(-1)$ and become non-square. The orders of all supersingular Edwards curves are equal to $\#E=p+1=8n,$ where for the CSIDH algorithm $n={\prod }_{i=1}^K{l}_i$, where $l_i$ are the degrees of prime odd isogenies (see Section 4). The maximum order of a point of a non-cyclic curve is $4n$, so it is sufficient to multiply any random point by four to obtain odd-order points.

It follows from (1) and (2) that the transition to quadratic twist for classes B and C is practically free, whereas within class A such a transition is achieved by inversion of the parameter $d$, which according to a known estimate [16] requires (10..50)$M$, where $M$ is the cost of multiplication in the group $F_p^{*}.$ Taking conditionally the complexity of the transition between curves (1) and (2) as $1M$, we obtain a conditional average estimate of the gain ${\gamma }_2\approx 2^5$ in computational speed compared to complete curves A. Since in the CSIDH algorithm the transition to quadratic twist is required for approximately half of the isogenic curves, we can use a conditional lower estimate of the gain ${\gamma }_2\approx 2^4.$By curve type here we mean supersingular curves with trace $t=0$ or ordinary curves with order $\#E=p+1-t$, where $t$ is the trace of the Frobenius equation, $t\ne 0$. Since the set of the former is $\sqrt{p}$ times wider than the set of supersingular curves, interesting unique applications of this type of Edwards curves are discussed in [15] and Section 7.

An important tool in analyzing isogenies is the J-invariant [6]

$$J(a,d)=\frac{16(a^2+d^2+14ad{)}^3}{ad(a-d{)}^4},ad(a-d)\ne 0.$$

(3)

This parameter distinguishes between isogenic (with different J-invariants) and isomorphic (with equal J-invariants) curves. Since the J-invariant retains its value for all isomorphic curves and quadratic twist pairs [17]$,$it is the same for a pair of quadratic and twisted supersingular Edwards curves ($a=\pm 1$), so we will use the invariant $J\left(d\right)$. It is useful both in finding supersingular curves and in constructing isogeny chain graphs. One of the properties of J-invariants $J\left(d\right)=J\left(d^{-1}\right)$.

For the considered classes of supersingular Edwards curves the substitution $d\to d^{-1}$ gives an isomorphism, and for complete Edwards curves a quadratic twist.

3. Computation of Odd-Degree Isogenies on Edwards Curves and Complexity Estimation

Isogenies of an elliptic curve $E\left(K\right)$ over the field $K$ into a curve $E^{\text{'}}\left(K\right)$ is a homomorphism $\varphi :E\left(\bar{K}\right)\to \hspace{0.33em}{E}^{\text{'}}\left(\bar{K}\right)$given by rational functions. This means that there exists a rational function [17]

$$\varphi \left(x,y\right)=\left(\frac{p\left(x\right)}{q\left(x\right)},y\frac{f\left(x\right)}{g\left(x\right)}\right)=\left(x^{\text{'}},y^{\text{'}}\right),$$

(4)

mapping the points of the curve $E$ to the points of the curve $E^{\text{'}}$, and for all $P,Q\in E\left(K\right)$ $\varphi \left(P+Q\right)=\varphi \left(P\right)+\varphi \left(Q\right)$. The isogeny degree is the maximum of the degrees $l=\mathrm{deg}\varphi (x,y)=\max \{\mathrm{deg}p\left(x\right),\mathrm{deg}q\left(x\right)\}$and its kernel $\ker \varphi =G$ is the subgroup $G\subseteq E$ whose points are mapped by the function $\varphi (x,y)$ into a neutral element $O$ of the group $E^{\text{'}}$. The degree of the separable isogeny is equal to the ordering $l$ of its kernel. The isogeny compresses the set of points of the curve E в $l$ times ($l$ curve points $E$ are mapped to a single point on the curve $E^{\text{'}}$).

The computation of isogenies of Edwards curves of classes A and B of odd powers is performed according to Theorem 2 [7]. In [9] we generalized it to curves of class C in the following theorem.

Theorem 1.Let $G=\left\{\right(\mathrm{1,0}),\pm Q_1,\pm Q_2,\dots ,\pm Q_s\}$ is a subgroup of odd order of $l=2s+1$ points of $\pm Q_i=({\alpha }_i,\pm {\beta }_i)$ curve $E_d$ over the field $F_p$.

Let’s determine

$$\varphi \left(P\right)=\left(x^{\text{'}},y^{\text{'}}\right)=\left(\prod _{Q\in G}\frac{x_{P+Q_i}}{x_{Q_i}}\frac{x_{P-Q_i}}{x_{-Q_i}},\hspace{0.33em}\prod _{Q\in G}\frac{y_{P+Q_i}}{x_{Q_i}}\frac{y_{P-Q_i}}{x_{-Q_i}}\hspace{0.33em}\right).$$

(5)

Then $\varphi (x,y)$ there is l-isogeny with the kernel G from the curve $E_{a,d}$ into a curve $E_{a^{\text{'}},d^{\text{'}}}^{\text{'}}$ with parameters $a^{\text{'}}=a^l{d}^{\text{'}}=A^8{d}^l$, where $A=\prod _{i=1}^s{\alpha }_i$, and the mapping function

$$\varphi (x,y)=\left(\frac{x}{A^2}\prod _{i=1}^s\frac{({\alpha }_{i}x{)}^2-a^2({\beta }_{i}y{)}^2}{1-(d{\alpha }_i{\beta }_{i}xy{)}^2},\frac{y}{A^2}\prod _{i=1}^s\frac{({\alpha }_{i}y{)}^2-({\beta }_{i}x{)}^2}{1-(d{\alpha }_i{\beta }_{i}xy{)}^2}\right)$$

(6)

or

$$\varphi (x,y)=\left(\frac{x}{A^2}\prod _{i=1}^s\frac{x^2-a{{\beta }_i}^2}{1-d{\beta }_i{x}^2},-\frac{y}{A^2}\prod _{i=1}^s\frac{x^2-{a_i}^2}{a-d{\alpha }_i{x}^2}\right).$$

(7)

Proof of Theorem 1. Its proof is given in [9]. It is important to note that the isogenic function (7) includes the parameter $a$, which is absent in the original Theorem 2 [7]. □

The parameters of the isogenic curve according to Theorem 2 [7] are calculated by the formulas

$$a^{\text{'}}=a^l{d}^{\text{'}}=A^8{d}^l,A={\prod }_{i=1}^s{\alpha }_i$$

(8)

.

The task of this section is a comparative evaluation of the complexity of computing the isogenic function $\varphi (x,y)$ and the parameter $d^{\text{'}}$ of the isogenic curve $E_{a^{\text{'}},d^{\text{'}}}^{\text{'}}$. This will allow us to estimate the gain in computational speed in the CSIDH algorithm when giving up the computation of the function $\varphi (x,y)$ (justified in Section 4).

The fastest results today for curve isogenies in Edwards form are obtained in projective coordinates $(W:Z)$ with the introduction of a generalized Farashahi-Hosseini variable $w=d{x}^2{y}^2$ [5]. For isogenies of degree $l$ are calculated $s=(l-1)/2$ points $Q_i=({\alpha }_i,{\beta }_i)$ of the isogeny kernel together with the coordinates $w_i=d{\alpha }_i^2{\beta }_i^2$, then according to Theorem 2 [4]

$$w\left(\varphi \right)=w\prod _{i=1}^s\frac{w-w_i}{1-w{w}_i}.$$

(9)

Let $M$ complexity of multiplication in the field $F_p$, $S$ is the complexity of squaring, and let us use the results of [4]. Taking into account the complexity of calculating the coordinates of the kernel points, the complexity of calculating the function $\varphi (x,y)$ is equal to

$$C_{\varphi }=s\left(8M+2S\right)+S-2M.$$

(10)

The cost of calculating the parameter $d^{\text{'}}$ of the isogenic curve $E^{\text{'}}$, respectively,

$$C_d=s\left(6M+2S\right)+5S-4M.$$

(11)

Let’s take the known estimate $S=\frac{2}{3}M$ [6]. Then we have

$$C_{\varphi }=\frac{28}{3}sM-\frac{4}{3}M,C_d=\frac{22}{3}sM-\frac{2}{3}M.$$

(12)

The gain in computing speed without taking into account $C_{\varphi }$ equals

$${\gamma }_3=\frac{C_d+C_{\varphi }}{C_d}=1+\frac{C_{\varphi }}{C_d}=1+\frac{14s-2}{11s-1}.$$

(13)

For $l$ at the maximum $s\approx 300$ and minimum $s=1$ this gain is equal to 2.27 and 2.20, respectively. On average, we obtain ${\gamma }_3=2.235.$ Thus, the acceleration of the CSIDH algorithm when refusing the redundant calculation of the function $\varphi (x,y)$ is estimated by the coefficient ${\gamma }_3=2.235.$

4. Randomization of the CSIDH Algorithm on Non-Cyclic Edwards Curves

The PQC CSIDH algorithm is proposed by the authors [1] to solve the classical Diffie-Hellman key exchange problem. Isogenic curve mapping $E$ of order $\#E$ over a prime field $F_p$ into a curve $E^{\text{'}}$ is defined as the class-group action and is commutative. Compared to the known original CRS scheme (Couveignes [18] and Rostovtsev et al. [2]) on ordinary curves, the use of isogenies of supersingular curves allowed us to speed up the algorithm and obtain the smallest known key size (512 bits with a security level of 128 bits in [1]).

Let the curve $E$ of order $\#E$ contain points of small odd orders $l_k,k=\mathrm{1,2},\dots ,K.$ Then there exists an isogenic curve $E^{\text{'}}$of the same order $\#E$ as a mapping of degree $l_k:E\to E^{\text{'}}=\left[l_k\right]*E$. Repetition of this operation $e_k$ times is denoted as $\left[{l_k}^{e_k}\right]*E$. The values of the exponents of the isogenies $e_k\in Z$ determine the length of the chain of isogenies of degree $l_k$. In [1] the interval of exponent values is adopted $[-m\le e_k\le m]$, $m=5$, $K=74$, which provides a security level of 128 bits during attacks on a quantum computer. Negative values of the exponent $e_i$ mean transition to the supersingular curve of quadratic twist.

Non-interactive key exchange using the Diffie-Hellman scheme involves steps [1]:

• Parameter selection. For small prime odd $l_k$ is calculated $n=\prod _{k=1}^K{l}_k$ where the value $K$ is determined by the security level, a suitable field modulus $p=2^m{\prod }_{k=1}^K{l}_k-1,m\ge 3$, and the starting elliptic curve $E_0$ are chosen;
• Public key computation. Alice uses her secret key ${\Omega }_A=(e_1,e_2,\dots ,e_K)$ constructs an isogenic mapping ${\Theta }_A=[{l_1}^{e_1},{l_2}^{e_2},\dots ,{l_K}^{e_K}]$ and computes the isogenic curve $E_A={\Theta }_A*E_0$ as her public key. Bob, based on the secret key ${\Omega }_B$ and function ${\Theta }_{В}$ performs the same computation and obtains his public key $E_B={\Theta }_B*E_0$ These curves are defined by their parameters with exact isomorphism;
• Key exchange. The protocol here is similar to Step 2 with a change $E_0\to E_B$ for Alice and $E_0\to E_A$ for Bob. Knowing Bob’s public key, Alice calculates $E_{BA}={\Theta }_A*E_B={\Theta }_A{\Theta }_B*E_0$. Bob’s similar action gives the result $E_{AB}={\Theta }_B*E_A={\Theta }_B{\Theta }_A*E_0$, coinciding with the first one due to the commutativity of the group operation. As a shared secret we take J-invariant of the curve $E_{AВ}\left(E_{ВА}\right).$

Below we give a modification of Alice’s computation algorithm according to Section 3 [1] using isogenies of quadratic and twisted supersingular Edwards curves.

Algorithm 1. Evaluation of the class-group action on quadratic and twisted supersingular Edwards curves.

Input: $d_A\in E_A,\chi \left(d\right)=1$ and a list of integers ${\Omega }_A=(e_1,e_2,\dots ,e_K)$.

Output: $d_B$ such that $[{l_1}^{e_1},{l_2}^{e_2},\dots ,{l_K}^{e_K}]\mathrm{*}{E}_A=E_B$, where $E_{A,B}:x^2+a{y}^2=1+a{d}_{A,B}{x}^2{y}^2$.

 1. WHILE some$e_i\ne 0$ DO

  2. Sample a random $x\in F_p$;

  3. Set $a\leftarrow 1$, $E_A:x^2+y^2=1+d_A{x}^2{y}^2$ IF $\frac{1-x^2}{1-d{y}^2}$ is a square in $F_p$;

  4. ELSE $a\leftarrow -1$, $E_A:\hspace{0.33em}{x}^2-y^2=1-d_A{x}^2{y}^2$;

  5. Let $S=\left\{i\right|a{e}_i>0\}$. IF $G=\varnothing$ then start over to Line 2 while $a\leftarrow -a$;

  6. Let $n={\prod }_{i\in S}{l}_i$ and compute $R\leftarrow \frac{p+1}{2n}P,P\leftarrow P(x,y)$;

  7. FOR each $i\in S$ DO

   8. Compute $Q\leftarrow \frac{k}{l_i}R$;

   9. IF $Q\ne \left(\mathrm{1,0}\right)$ compute an isogeny $\varphi :E_A\to E_B$ with $\ker \varphi =Q$;

   10. Set $d_A\leftarrow d_B$, $R\leftarrow \varphi \left(R\right)$, $e_i\leftarrow e_i-a$;

   11. Skip $i$ in $S$ and $n\leftarrow \frac{n}{l_i}$ IF $e_i=0$;

 12. RETURN $d_{\mathrm{А}}$. □

Compared to Algorithm 2 in [1], Algorithm 1 adapted to quadratic and twisted supersingular Edwards curves, makes modifications that are discussed in [11]. In this section, we present an analysis of the speed gains of the randomized algorithm [12] compared to the algorithm [1].

The CSIDH algorithm [1] is constructed in such a way that the computation of isogenic chains according to functions ${\Theta }_{A,В}=[{l_1}^{e_1},{l_2}^{e_2},\dots ,{l_K}^{e_K}]$ are performed in two stages: first the set is formed $S$ with key exponents $e_k$ of one sign, then, after zeroing of all $e_k$, of the other. At each stage, the kernels and parameters of exactly $\left|e_k\right|$ of isogenic curves of isogenies of degrees $l_k$ constructed on curves of the same class ($E_d$ or $E_{-1,-d}$). This gives rise to the threat of a side-channel attack based on measuring the time of these computations, proportional to the length of the $\left|e_k\right|$ and degree $l_k$ of each chain $\left[{l_k}^{e_k}\right]$. In this regard, most articles on this topic [19,20] consider different variants of “constant time CSIDH” in which the secret exponents are $e_k$ are built up to an upper bound $m$ by fictitious chains of isogenies. Such protection is achieved by significant redundancy and slowing down the algorithm by half.

We propose in [12] another method for solving the problem is the randomization of the path of isogenic chains. The idea is that any random coordinate of the $x$ of an elliptic curve always generates a random point $P=(x,y)$ of one of the two curves of a pair of quadratic twist pair (1) or (2). Then instead of trying (unsuccessfully with probability ½) to find a point of a curve of a given class and succeeding with probability 1, we determine the class of curve (in our case it is the curve $E_d$ (1) or $E_{-1,-d}$ (2), one of which the point belongs to $P=(x,y)$). Then we calculate the first isogenic curve in this class $E^{\left(1\right)}=\left[l_k\right]*E^{\left(0\right)}$ isogeny degree $l_k$ corresponding to the sign of the exponent $e_k$. The selection $l_k$ is randomized, and the value $\left|e_k\right|$ is decreased by one. In the next step with a new value of the parameter $d^{\left(1\right)}$ the random point $P=(x,y)$ of one of the curves $E_d$ or $E_{-1,-d}$, the isogeny kernel of the randomly chosen degree is determined $l_k$ and the parameter $d^{\left(2\right)}$ of the chain. The process continues until all $e_k=0$. The corresponding randomized CSIDH Algorithm 2 is given below.

Algorithm 2.Randomized evaluation of the class-group action on quadratic and twisted supersingular Edwards curves.

Input: $d_A\in E_A,\chi \left(d\right)=1$ and a list of integers ${\Omega }_A=(e_1,e_2,\dots ,e_K)$.

Output: $d_B$ such that $[{l_1}^{e_1},{l_2}^{e_2},\dots ,{l_K}^{e_K}]*E_A=E_B$, where $E_{A,B}:x^2+y^2=1+d_{A,B}{x}^2{y}^2$.

 1. Let $S_0=\left\{k\right|e_k>0\}$, $S_1=\left\{k\right|e_k<0\}$, $n_0={\prod }_{k\in S_0}{l}_k$, $n_1={\prod }_{k\in S_1}{l}_k$;

 2. WHILE some $e_k\ne 0$ DO

  3. Sample a random $x\in F_p$;

  4. Set $a\leftarrow 1$, $s\leftarrow 0$, $E_A:x^2+y^2=1+d_A{x}^2{y}^2$ IF $\chi \left(\frac{x^2-1}{d{x}^2-1}\right)=1$;

  5. ELSE $a\leftarrow -1$, $s\leftarrow 1$, $E_A:x^2-y^2=1-d_A{x}^2{y}^2$;

  6. Compute $y$-coordinate of the point $P=(x,y)\in E_A$;

  7. Compute $R\leftarrow \frac{p+1}{2n_s}P$;

  8. Sample a random $l_k|k\in S_s$;

  9. Compute $Q\leftarrow \frac{n_s}{l_k}R$;

  10. IF $Q\ne \left(\mathrm{1,0}\right)$ compute kernel $G$ of $l_k$-isogeny $\varphi :E_A\to E_B$;

  11. ELSE start over to Line 3;

  12. Compute $d_B$ of curve $E_B$, $d_A\leftarrow d_B$, $e_k\leftarrow e_k-s$;

  13. Skip $k$ to $V_s$ and set $n_s\leftarrow \frac{n_s}{l_k}$ IF $e_k=0$;

 14. RETURN $d_{\mathrm{А}}$. □

Here instead of one set $S$ in Algorithm 1 two sets $S_0$ and $S_1$ are formed, in which the numbers of isogeny degrees corresponding to the key positions are recorded ${\Omega }_A$ with positive and negative exponents $e_k,$ respectively. At any random choice of $x$ is coordinate we obtain a random point $P=(x,y)$, belonging to the curve (1) or (2). Its multiplication by four in Step 7 gives a point of $R$ of odd order. The scalar multiplication in Step 9 calculates the point of the $Q$ of the isogeny kernel, then the coordinates of all points of the kernel $G.$are calculated. Finally, in Step 12, according to (8), we calculate the parameter $d\text{'}$ of the isogenic curve $E^{\text{'}}.$

Note that in classical CSIDH there is already a guaranteed level of protection against the type of side channel attack described above. It is determined by the sign of the secret exponent$e_k$of the key. Since each component of $\left[l_k\right]$ function $\Theta$ computation time $\left[{l_k}^{+1}\right]$ and $\left[{l_k}^{-1}\right]$ is the same, the probability of the analyst’s success even in the conditions of error-free values of $l_k$ is equal to $2^{-K}=2^{-74}$ (for the data of [1]). For the average length of $\frac{m+1}{2}=3$ chain of isogenies of each degree $l_k$ the total length of the chain of isogenies of the function is $\Theta =3\bullet 74=222$ steps. Let $p_1$ be the probability of error-free determination of degree $l_k$ by the analyst at one step of the randomized CSIDH protocol, then its probability of success can be estimated by the value $2^{-74}{p_1}^{222},p_1<1$. For example, at $p_1=\frac{1}{2}$ the analyst’s probability of success is $2^{-296}$, and at $p_1=\frac{3}{4}$ this probability is close to the value $2^{-165}$ that is well below the safety level $2^{-128}$. Various modifications of the proposed randomization method are possible with insertions of single dummy exponents into the sample components of the $\left[l_k\right]$ functions $\Theta$ that will not introduce redundancy into the calculations. Note that one mistake of an analyst destroys all his labor-intensive work.

Algorithm 2 does not include the computation of the isogenic function $\varphi (x,y)$, which gives an estimate of the speed gain of Algorithm 2 ${\gamma }_3=2.235.$ The following gain ${\gamma }_4=2$ randomization method provides that instead of choosing one of the curves (1) or (2) with probability ½ in Algorithm 2, any choice is good. There is also an approximate gain ${\gamma }_5=2$ compared to “constant time CSIDH” in which close to half of the isogenies are fictitious, which is not the case in Algorithm 2.

Finally, we’ll justify the gain ${\gamma }_6=2$ due to parallel computations in two cryptosystems with isomorphic curves. This article is described for the first time. The idea is that in classes B and C for any Edwards curve (1) and (2) with parameter $d$ there exists an isomorphic curve with parameter $d^{-1}$. Fixing the starting curve $E_0$, we construct chains of isogenies of all degrees of the first cryptosystem with the secret key ${\Omega }_1$. The second cryptosystem with the secret key ${\Omega }_2$ can be easily constructed on the set of all curves isomorphic to the first one. For this purpose, another starting curve is chosen by inverting the parameter $d$ of any curve of the first cryptosystem. These two sets of curves do not intersect, and it is possible to solve two problems simultaneously instead of one, which doubles the computational performance. In addition, parallel computing removes the threat of side-channel attacks altogether and makes the “constant time CSIDH” redundancy meaningless.

Reducing for simplicity the estimate ${\gamma }_3$ and taking ${\gamma }_3=2$, we obtain from the results of this section a partial estimate of the computational speed gain of the CSIDH algorithm ${\gamma }_3{\gamma }_4{\gamma }_5{\gamma }_6=2^4$. Thus, the final lower speedup estimate of the CSIDH algorithm modified in [9,10,11,12,13,14,15] is no less than ${\prod }_{k=1}^6{\gamma }_k\ge 2^9$. In the following sections, we consider further modifications of CSIDH and their performance evaluations.

5. Optimization of Isogeny Degree Set in CSIDH

In this section, we optimize the distribution of isogeny degrees ${\{l}_k\}$ in [14] and evaluate the gains ${\gamma }_7$ of this optimization in comparison with the CSIDH model [1].

We found that 74 degrees $l_k$ isogenies in [1] with the value of $l_{\mathrm{m}\mathrm{a}\mathrm{x}}=587$ runs only a fraction of all minimal prime numbers from 3 to $587,$the total number of which is 106. In other words, 32 values of prime numbers are not included in the list of degrees $l_k$ in the model [1], which means discontinuities (gaps) in the set of ${\{l}_k\}$. With an average cost of each degree of 8 bits, a rough estimate of the cost of the removed degrees is $32·8=256$ bits. These losses are unnecessary and generate a slowdown of the algorithm at excessively high degrees of isogenies.

We set a task to analyze possible distributions of sets of prime numbers of the set $L={{\{l}_k\}}^K$ with size $K$ and to find variants of optimization (compaction) of this distribution. According to the table of prime numbers up to 587, the complete set $L={{\{l}_k\}}^N=\{\mathrm{3,5},7,\dots ,587\}$ contains $N=106$ all prime numbers.

Let’s call the set of prime numbers ordered in ascending order ${{\{l}_k\}}^K$ is optimal if at known $l_{\mathrm{m}\mathrm{i}\mathrm{n}}=l_m$ and $K$ product ${\prod }_{k=m}^{K+m-1}{l}_k=\mathrm{m}\mathrm{a}\mathrm{x}.$ It follows from the definition that the optimal set of prime numbers is dense (without skips) with elements ${\{l_m,l}_{m+1},\dots ,l_{K+m-1}\}L$. It is constructed as a segment of length $K$ of ordered prime numbers. Removing at least one number (except the extreme numbers) from the middle of the segment gives a non-optimal set ${{\{l}_k\}}^K\notin L.$ Removal of one of the extreme numbers $l_m,l_{max}$ of the segment gives two different optimal sets of size $K-1$. Any subset (segment of length $K)$ of the complete set $L$ is an optimal set. A non-optimal set contains skips that violate the condition ${\prod }_{k=m}^{K+m-1}{l}_k=\mathrm{m}\mathrm{a}\mathrm{x}.$

The complete set ${{L=\{l}_k\}}^{106}={\{\mathrm{3,5},7,\dots ,587\}}^{106}$ is optimal by definition. Removing 32 numbers from it gives a set ${{\{l}_k\}}^{K=74}$ that is far from optimal. This set ${\{l}_k\}$ in [1]. We associate the notion of optimality exclusively with the maximization of the product of elements of the set.

Let’s divide $L$ into subsets $Lh={{\{l}_k\}}^{K_h},h=1,\dots ,6$ which includes prime numbers in the hundreds of numbers with numbers $h$. For the first hundred, for example, we have the subset $L1=\{\mathrm{3,5},7,\dots ,97{\}}^{K_1},$where $K_1=24.$ For all six subsets $Lh$ these numbers $K_h$ are given in the second row of Table 1.

Each degree $l_k$ in binary form has a $\mathrm{l}\mathrm{o}\mathrm{g}{(l}_k)$ bit. For all products of numbers $l_k$ in subsets $Lh$ we calculate the bit length $B_h=\sum _{l_k\in Lh}\mathrm{l}\mathrm{o}\mathrm{g}{(l}_k)$ of the degrees of isogenies. The values $B_h$ are given in the third row of Table 1. These results allow us to draw interesting conclusions. First, the sum of all bits of the third row $\sum _{h=0}^6{B}_h=792.772=793$ bits, defining the product of all 106 prime numbers $\{3,\dots ,587\}$, has a redundancy of 283 bits compared to the minimum lower threshold of 510 bits ($4n>2^{512}$) [1] security requirements. Second, prime numbers in the 5th and 6th hundreds ($L5$ and $L6$) can be removed, since $\sum _{h=1}^4{B}_h=533.855=534$bits, which satisfies with a margin of 24 bits the requirement $4n>2^{512}$. Ignoring the last two columns of Table 1, we obtain 77 values of the elements of the optimal set of ${{\{l}_k\}}^{K=77}=\{3,\dots ,397\}$ of prime numbers. Further, we propose to remove the 3 lowest degrees in the first hundred $\{\mathrm{3,5},7\}$ and construct the optimal set of isogeny degrees $Lopt={\{\mathrm{11,13},\dots ,397\}}^{74}$ of the same size 74 as in [1]. This preserves the length $K=74$ of the secret key. Given the equality $\log \left(3*5*7\right)=6.714$, the product n of all $l_k$ of the optimal set $Lopt$ is evaluated by a binary number of length 528 bits. Adding 2 bits, we obtain the estimate $\mathrm{l}\mathrm{o}\mathrm{g}p=530$ bit. For the distribution $Lopt$ we can adjust Table 1: in column $h=1$ of the table we should put the values of $K_1=21,B_1=113.081$and the last two columns of the table should be deleted. Then $\sum _{h=1}^4{K}_h=74,\sum _{h=1}^4{B}_h=527.141=528$ bits, $\mathrm{l}\mathrm{o}\mathrm{g}p=530$ bit. Such an optimal distribution of degrees ${\{l}_k\}$ isogenies ensures that the minimal security threshold of 512 bits of the algorithm is exceeded by 18 bits.

Note that the reserve of 18 bits can be used up by removing the two maximum isogeny degrees 397 and 389 for a total cost of 18 bits and taking $l_{\mathrm{m}\mathrm{a}\mathrm{x}}=383.$ However, this requires reducing the length $K\leftarrow K-2$ of the secret key by two.

The main advantage of the set of isogeny degrees proposed here $Lopt$ over the one used in [1] is a significant (by a factor of 1.5) decrease of $l_{\mathrm{m}\mathrm{a}\mathrm{x}}=587$ up to $l_{\mathrm{m}\mathrm{a}\mathrm{x}}=397$ with an optimal distribution of prime numbers. The real gain requires experimental estimation of the complexity of CSIIDH implementation at such a radical reduction of the value of $l_{\mathrm{m}\mathrm{a}\mathrm{x}}.$

So, a linear estimate of the gain in computational speed due to the optimization of the isogeny degree distribution is equal to ${\gamma }_7=1.5$. Together with the total gain of the previous sections, we obtain a speedup of the CSIIDH algorithm by a factor of $1.5*2^9\cong 770$ times.

6. CSIKE Algorithm

The classical non-interactive Diffie-Hellman algorithm is based on the use of two public keys. The same problem of generating a shared secret can be solved in a protocol with one transmission session and one recipient’s public key, which is more secure. To do this, Alice generates a shared secret, encrypts it with Bob’s public key, and sends him the encrypted key. On receipt, Bob decrypts it with his secret key. This protocol is called key encapsulation. It involves the steps [21]:

• Secret key generation$k$. Alice uses a random number sensor to find the secret encapsulation vector ${\Omega }_k=(e_1,e_2,\dots ,e_K)$, constructs the class function of the class group action ${\Theta }_k=[{l_1}^{e_1},{l_2}^{e_2},\dots ,{l_K}^{e_K}]$ and computes an isogenic curve $E_k={\Theta }_k*E_0$, whose parameter $d_k$ is taken as the secret key $d_k=k$.
• Key encapsulation. It’s Alice’s procedure for encrypting the key $k$ with Bob’s public key $E_B$. To do this, Alice computes an isogenic curve ${\Theta }_k*E_B=E_{kB}$. The parameter $d_{kB}$ of this curve is sent to Bob.
• Key decapsulation. Bob’s decryption of the curve $E_{kB}$ with his secret key ${\Omega }_B$ is reduced to his computation of an isogenic curve $\overline{{\Theta }_B}*E_{kB}=E_k$where the mapping $\overline{{\Theta }_B}$ is constructed by inversion of all signs of the exponents of Bob’s secret key ${\Omega }_B\to \left(-{\Omega }_B\right)$.

In [13], we propose the original CSIKE algorithm as a modification of CSIDH, replacing Alice’s secret key with a secret vector ${\Omega }_k$, with which she computes a curve $E_k={\Theta }_k*E_0$ and the shared secret key $d_k=k$. Alice then encrypts it with Bob’s public key $E_B$. and computes the curve $E_{kB}={\Theta }_k*E_B={\Theta }_k*{\Theta }_{В}*E_0$. Bob decapsulates his cipher using a multiplicative inverse function $\overline{{\Theta }_{В}}$ (such that ${\Theta }_B*\overline{{\Theta }_{В}}=\mathbf{I}$, where $\mathbf{I}={\left.[\mathrm{1,1},\dots ,1]\right|}_K$), thereby restoring the curve $E_k={\Theta }_k*E_0$. As the key of encapsulation by both parties, we can take J-invariant of the curve $E_k$.

We consider a simple model of the implementation of the CSIKE algorithm on quadratic and twisted supersingular Edwards curves that form pairs of quadratic twist curves with order $p+1$. Such curves exist only at $p\equiv -1\mathrm{mod}8$ and have order $\#E=\#E^t=p+1=cn(n-odd),c\equiv 0\mathrm{mod}8.$ Let such a pair of curves contain kernels of order 3, 5, and 7. At the value $n=105$ of the minimal prime $p=8n-1=839$, then the order of these curves $\#E=8n=840$. The parameter $d$ of the whole family of 418 quadratic Edwards curves can be taken as squares $d=r^2\mathrm{mod}p,r=2,\dots ,419.$ Of these, 66 pairs of quadratic and twisted supersingular Edwards curves are found with parameters $a=\pm 1$ and $\chi \left(ad\right)=1.$ Table 2 summarizes the values of the parameter $d$ for pairs of quadratic $E_d$ and twisted $E_{-1,-d}$ supersingular Edwards curves. They are written as squares $d=r^2\mathrm{mod}p,r=2,\dots ,419$ in ascending order $r$. In this example, the relative proportion of supersingular Edwards curves is close to 16%. Note that for each curve in Table 2, there is at least one isomorphic curve with a parameter $d^{-1}$ and the same J-invariant (2).

For the first quadratic curve $E_d^{\left(0\right)}=E_{144}$ from Table 2, we can construct 3-, 5-, and 7-isogenies and find the parameters $d^{\left(i\right)}$ of a chain of isogenic curves $E_d^{\left(i\right)},i=\mathrm{0,1},2,\dots ,Т$ such that $d^{\left(T\right)}=d^{\left(0\right)}$. Period $T$ of the chain of isogenies divides the number $66=2·3·11$ of all supersingular Edwards curves. The calculations of the parameters of $d^{\left(i\right)}$ chains of respectively 3-, 5-, and 7-isogenies quadratic supersingular Edwards curves are useful only for illustrating the properties of chains of isogenies of quadratic twist pair curves and we omit them in this article. We only note that the period of the 3-isogeny $T_3=33,$ and the other two $T_5=T_7=11.$ The fragments of isogenic chains of quadratic supersingular Edwards curves in the tables are read from left to right, for twisted ones—from right to left. At each step $i$ isogeny of degree $l=2s+1$ coordinates ${\alpha }_1,\dots ,{\alpha }_s,s=(l-1)/2$ points of the kernel, after which the parameter of the $d^{(i+1)}$ of the isogenic curve $E_d^{(i+1)}$ according to (8) is calculated. Calculation of the isogenic function $\varphi (x,y)$, according to Algorithm 1 of Section 5 is not necessary.

Example 5.1. Suppose Alice has generated a secret vector ${\Omega }_k=(7,-\mathrm{5,8}),$ which by isogenic mapping ${\Theta }_k=[3^7,5^{-5},7^8]$ at the first stage transforms it into a shared secret key $k$ i.e., calculates the curve $E_k={\Theta }_k*E_0$.

Then at the second stage, she encrypts this key with Bob’s public key. $d_B.$ Let Bob’s secret ${\Omega }_B=(-\mathrm{8,6},-5)$, respectively, its function of the class-group action ${\Theta }_B=[3^{-8},5^6,7^{-5}].$ Let us perform their key computations $k,d_B.$ As the starting curve of the chain of isogenies, we take the curve $E_d^{\left(0\right)}=E_{144}$. Then $E_k=E_0*{\Theta }_k$, $E_B=E_0*{\Theta }_B$.

To simplify the record in the algorithm for calculating the isogenic curve $E_k=E_0*{\Theta }_k$ we will use only the parameters $d^{\left(i\right)}$ which completely defines the curves $E_d^{\left(i\right)}(e_k>0)$ and $E_{-1,-d}^{\left(i\right)}(e_k<0)$ as pairs of quadratic twists. In the parameter chain $d^{\left(i\right)}$ below we write in parentheses the degree of isogeny, above the arrow the number of steps with the exponent sign $e_k.$ For example, according to the function ${\Theta }_k=[3^7,5^{-5},7^8]$ and the curve $E_d^{\left(0\right)}=E_{144}$ without resorting to the randomization method (see Section 4), Alice computes a chain of

$$\frac{d_0=144}{\left(7\right)}\stackrel{\hspace{1em}8\hspace{1em}}{\to }\frac{258}{\left(5\right)}\stackrel{\hspace{1em}-5\hspace{1em}}{\to }\frac{112}{\left(3\right)}\stackrel{\hspace{1em}7\hspace{1em}}{\to }286=k.$$

(14)

So, the shared secret key $k=286$. Similarly, Bob calculates his public key based on the curve$E_{144}$ and a function ${\Theta }_B=[3^{-8},5^6,7^{-5}]$

$$\frac{d_0=144}{\left(5\right)}\stackrel{\hspace{1em}6\hspace{1em}}{\to }\frac{788}{\left(7\right)}\stackrel{\hspace{1em}-5\hspace{1em}}{\to }\frac{258}{\left(3\right)}\stackrel{\hspace{1em}-8\hspace{1em}}{\to }514=d_B.$$

(15)

So Bob’s public key $d_{В}=514$. Then, in the second encapsulation step, Alice encrypts Bob’s public key with the secret key $k=286$ and calculates $E_{Bk}=E_B*{\Theta }_k$.

$$\frac{d_B=514}{\left(3\right)}\stackrel{\hspace{1em}7\hspace{1em}}{\to }\frac{683}{\left(5\right)}\stackrel{\hspace{1em}-5\hspace{1em}}{\to }\frac{38}{\left(7\right)}\stackrel{\hspace{1em}8\hspace{1em}}{\to }259\Rightarrow d_{Bk}=259.$$

(16)

Finally, in the third step of decapsulation, Bob from the curve $d_{Bk}=259$ removes his secret key using the inverse function $\overline{{\Theta }_B}=[3^8,5^{-6},7^5]$

$$\frac{d_0=259}{\left(7\right)}\stackrel{\hspace{1em}5\hspace{1em}}{\to }\frac{578}{\left(5\right)}\stackrel{\hspace{1em}-6\hspace{1em}}{\to }\frac{38}{\left(3\right)}\stackrel{\hspace{1em}8\hspace{1em}}{\to }286\hspace{0.33em}\Rightarrow d_k=286.$$

(17)

He ends up with a shared secret key $k=286$ calculated for him by Alice. To avoid ambiguity when obtaining isomorphic curves, J-invariant (3) is taken as the encapsulation key by both parties $J\left(d_k\right)=525$ curve $E_{286}$.

The above example gives a concise illustration of the CSIKE algorithm. Its efficiency increases significantly after using the randomization method (see Section 4). For example, Alice’s computation of the encapsulation key $k.$ based on the secret vector ${\Omega }_{\kappa }=(7,-\mathrm{5,8})$ can be realized by a pseudo-random chain of isogenic curves in 20 steps

$$\begin{gathered} \frac{d_0=144}{\left(3\right)}\stackrel{\hspace{1em}2\hspace{1em}}{\to }\frac{405}{\left(5\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{15}{\left(7\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{488}{\left(5\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{43}{\left(7\right)}\stackrel{\hspace{1em}2\hspace{1em}}{\to }\frac{508}{\left(5\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{289}{\left(3\right)}\stackrel{\hspace{1em}2\hspace{1em}}{\to }\frac{43}{\left(7\right)}\stackrel{\hspace{1em}3\hspace{1em}}{\to } \\ \stackrel{\hspace{1em}3\hspace{1em}}{\to }\frac{405}{\left(5\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{15}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{243}{\left(5\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{293}{\left(7\right)}\stackrel{\hspace{1em}3\hspace{1em}}{\to }\frac{636}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }286\Rightarrow d_k=k=286. \end{gathered}$$

(18)

This result is, understandably, the same as the first result above. In Table 2, exactly half of the parameters $d$ are marked with asterisks. These 33 values are included in the period $T=33$ 3-isogeny and form a set of parameters $d^{*}$ of the first cryptosystem with the starting curve $E_{144}$ (or any other curve of this set $d^{*}$). In our example, all isogenic curves belong to this set. The parameters not labeled in Table 2 form the set of 33-parameter $d^{-1}$ isomorphic curves, on which we can build a second cryptosystem independent of the first one with the possibility of parallel computation. For example, from the starting curve with $d^{*}=144$ parameter inversion we come to an isomorphic curve $E_{705}$ of the second cryptosystem (see Table 2). Further, by specifying different secrets ${\Omega }_{k1}$ and ${\Omega }_{k2}$ in the two cryptosystems, we can double the key length ($512\to 1024$ bit in CSIDH). Parallel computation, moreover, makes a side-channel attack hopeless. Note also that this possibility arises when only classes of non-cyclic Edwards curves (1) and (2) are used. □

We can conclude that the CSIKE algorithm and modifications of the CSIDH algorithm proposed in our works [13] on quadratic and twisted supersingular Edwards curves provide an efficient and secure alternative to various variants of “Constant time CSIDH” [19,20] with lower estimates in computational speed up to $1.5·2^9$. Computation of odd degree isogenies in coordinates $(W:Z)$ [4], allows us to realize the fastest computations to date in the construction of PQC protocols CSIDH, CSIKE, and similar. Examples of such implementation for simple models of CSIDH and CSIKE algorithms are given in [9,10,11,12,13,14,15]. The possibility of refusing to compute the isogenic function $\varphi \left(R\right)$ of a random point $R$, which more than doubles the speedup of the algorithm, is justified. The above results cast doubt on the assertion of the author of [22] about the insufficient efficiency of the CSIDH algorithm. The largest computational costs in the algorithms are associated with scalar multiplications of random points, the costs of which require rather experimental evaluation.

7. CRS Encryption Scheme on Isogenies of Ordinary Non-Cyclic Edwards Curves

The presentation of Castryck et al. [1] of the PQC CSIDH algorithm cites the CRS scheme as the first proposed scheme on isogenies of ordinary elliptic curves [2]. Its remarkable properties are the commutativity of isogenic transitions, flexibility, and simplicity due to the use of prime field arithmetic $F_p$. The CSIDH algorithm already uses the technology of supersingular elliptic curves, which is justified by the relatively faster implementation of the algorithms. For example, it is noted that CRS encryption is prohibitively slow and can take several minutes at a security level of 128 bits [1].

In [15], we attempted to find reasons for the slowness of the CRS scheme compared to CSIDH and found only immeasurable redundancy in the choice of cryptosystem parameters [2,3]. Then, dealing with the modeling and modification problems of CSIDH, we constructed a prime 4-isogenous model of the CRS scheme with degrees $\{\mathrm{3,5},\mathrm{7,37}\}$ with our modifications [15]. Since the set of ordinary elliptic curves is approximately $\sqrt{p}$ times wider than the set of supersingular curves, we should expect that their advantages would be discovered as well. Indeed, such advantages turned out to be the growth of the number of degrees of isogenies at a given or close modulus of the $p$ field, and the presence of four parallel independent cryptosystems instead of two in CSIDH, which doubles the speed of the CRS scheme algorithm comparably to CSIDH.

In this survey article, we only consider aspects related to the encryption model and omit the multifunctionality of the scheme described in the original article [15].

The order of an elliptic curve $E$ over a prime field $F_p$ is defined as $\#E=p+1-t$, where $t$ is the trace of the Frobenius endomorphism equation $\left|t\right|\le 2\sqrt{p}$. For a curve of quadratic twist $E^t$ this order ${\#E}^t=p+1+t$ is symmetric concerning the mean value $p+1.$For the supersingular curve $t=0$ and the orders of both curves $p+1$ coincide and the sets of isogeny degrees are the same, but the signs of the exponents of the degrees are reversed, as in CSIDH. In the case of ordinary curves, the orders of the quadratic twist pairs differ by $2t$, then there exist different degrees of isogenies on curves of two classes related as quadratic twist pairs with different orders. This is the main specificity of ordinary curves. The exponents of the degrees of isogenies of these two curves, as in CSIDH, have opposite signs. The alternation of the degrees of isogenies according to the randomization method is random, and the simplicity of the transitions of the chain of isogenies from one class of non-cyclic Edwards curves (1) and (2) to another is achieved by the fact that their parameters are additively inverse: $\left(a,d\right)\leftrightarrow \left(-a,-d\right)$ (see Section 2).

By analogy with CSIDH, it is not difficult to form general parameters of CRS—similar cryptosystem on isogenies of ordinary Edwards curves of order $\#E\equiv 0\mathrm{m}\mathrm{o}\mathrm{d}8$ over a field with modulus $p\equiv 7\mathrm{m}\mathrm{o}\mathrm{d}8$. Let $n_0={\prod }_{k=1}^K{l}_k$ and $N=8n_0$ is the order of a quadratic supersingular Edwards curve over a field with modulus $p_0=N-1.$ Setting the values of the Frobenius trace $t=\pm 8m,m=\mathrm{1,2},3,\dots$ we determine the sum $p_0\pm 8m=p$, equal to a prime number $p.$Then over the field $F_p$ there exists a quadratic ordinary Edwards curve (1) of order ${\#E}_d=8n_0$ and a twisted curve (2) of order $\#E_{-1,-d}{=N\pm 16m=8n}_1.$

For example, for the set of degrees of isogenies {$l_k\}=\left\{\mathrm{3,5},7\right\},n_0=105,N=840,p_0=839$, then at $m=3$ we obtain a prime number $p=839+24=863.$Thus the orders of the curves of the pair of quadratic twists are ${\#E}_d=840=8·3·5·7$ and ${\#E}_{-1,-d}=N+48=888=8·3·37$, $n_1=111=3·37.$Other variants of calculating the ordinary Edwards curve parameters are given in [15]. Thus, we have four degrees of isogenies ${\{l}_k\}=\left\{\mathrm{3,5},\mathrm{7,37}\right\},$the first three of which are factors of order 840 of the quadratic curve (1), and degrees 3 and 37 share order 888 of the twisted curve (2) over the field $F_{863}$ and the trace of the Frobenius endomorphism equation $t=-24.$ For the first curve (1), the signs of the exponents of the isogenies are $e_k>0,$ and for the curve (2) $e_k<0$. Here degree 3 is bidirectional (admits both signs), and degrees 5 and 7 ($e_k>0$) and 37 ($e_k<0$) are unidirectional.

With a relatively small field modulus $p=863$ it is not difficult to find the estimated $\sqrt{p}$ parameters $d$ of all curves (1) with order 840. Since they are squares, a complete search modulo $p$ of all $c=\mathrm{2,3},\dots ,431,$ and $d=c^2$ yields the set of all 62 values of the parameters d of the ordinary Edwards curves (1) and (2) given in Table 3. All curves together, respectively, are 124. Here the number of parameters is even since for each curve there exists an isomorphic curve with parameter $d\leftrightarrow d^{-1}$ and the same J-invariant (3). For example, ${169}^{-1}=623$, $J\left(169\right)=J\left(623\right)=826$. Then there are 31 non-isomorphic curves (1), the same number of curves (2). Isogenies of all degrees have a prime period $\pi =31.$

All parameter values of Table 3 can be found by computing chains of any degree isogeny $\left\{\mathrm{3,5},\mathrm{7,37}\right\}$ in period $\pi =31$. For example, let us compute the chain of 3-isogenies of the quadratic curve (1) in the same way as in [10] for CSIDH on supersingular curves of order 840 over the field $F_{839}$. Choosing the first curve in Table 3 as the starting curve, we obtain for the curve (1)

$$\begin{gathered} \frac{d^{\left(0\right)}=169}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{503}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{318}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{652}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{181}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{551}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{326}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{161}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{618}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{436}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{302}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to } \\ \stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{186}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{665}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{400}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{43}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{858}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{835}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{210}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{705}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{311}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{27}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{728}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to } \\ \stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{616}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{840}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{472}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{283}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{444}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{113}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{673}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{852}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{253}{\left(3\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{169=d^{\left(31\right)}}{\left(3\right)}. \end{gathered}$$

(19)

The number above Arrow 1 denotes one step of the 3-isogeny chain of the quadratic ordinary Edwards curve (1) with exponent $e_k>0$. Under the value of the parameter $d^{\left(i\right)}$ in parentheses, we write the degree of isogeny.

For the curved curve (2) with $e_k<0$ there also exists a 3-isogeny of the same period $\pi =$31

$$\begin{gathered} \frac{d^{\left(0\right)}=169}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{253}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{852}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{673}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{113}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{444}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{283}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{472}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{840}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to } \\ \stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{616}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{728}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{27}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{311}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{705}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{210}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{835}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{858}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{43}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to } \\ \stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{400}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{665}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{186}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{302}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{436}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{618}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{161}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{326}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to } \\ \stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{551}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{181}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{652}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{318}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{503}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{169=d^{\left(31\right)}}{\left(3\right)}, \end{gathered}$$

(20)

having a reverse order of alternation of isogenic curves (the last chain and (19) are read in reverse order). The number above the arrow (–1) means one step of the isogenic curve (1) with negative parameters. Do not forget that the pair of twist curves $E_d$ and $E_{-1,-d}$ here are orders of 840 and 888, respectively. For any other degree of isogeny, we can construct similar (19) and (20) chains of isogenic curves of period $\pi =31$ with the same set of parameters $d^{\left(i\right)}$, but with different orders of alternation. In Table 3, these 31 parameters $d$are marked with asterisks. This is the set of parameters $d$ of the first cryptosystem. Inverting each parameter $d^{*}$ we get unlabeled 31 parameters $d$ of the second cryptosystem. As in Section 6 when describing CSIKE (CSIDH), here we also have two isomorphic cryptosystems with the possibility of parallel computation.

A remarkable property of ordinary curves in comparison with supersingular curves is the existence of two more isomorphic cryptosystems. The idea is prime: we can swap the orders of the quadratic (1) and twisted (2) ordinary Edwards curves. The corresponding cryptosystem will be called dual.

Let the orders of the curves (1) and (2) over the field $F_{863}$ ${\#E}_d=888$, ${\#E}_{-1,-d}=840.$ For a dual cryptosystem, we can compute an array of parameter values $d$ instead of the brute-force method for Table 3. Let us find just one curve (1) with an order ${\#E}_d=888$ and parameter $d=6.$ Let us compute a 37-isogeny chain like (19) with a starting value $d=6$, and its values marked with an asterisk are entered in the first three rows of Table 4. In the same sequence, in the next three rows of the array, we will write the inverted values of the $d^{-1}$ of the isomorphic curves (not marked with an asterisk). The upper and lower parts of Table 4 form equal-sized sets of the parameters of the $d$ of two isomorphic dual cryptosystems.

So, using an ordinary instead of supersingular Edwards curve, we get four independent cryptosystems instead of two, which in parallel computing provides a 4-fold gain in cryptosystem performance compared to classical CSIDH. Parallel computation must make it impossible to realize side channel attack and redundancy in “constant time CSIDH” meaningless. Redundant cryptosystems can be used both for the 4-fold increase of key length in encapsulation algorithms and for simplification of the algorithm (reducing the number of isogeny degrees at fixed key length).

Let us consider an example of the implementation of the Diffie-Hellman secret-sharing algorithm on the first cryptosystem with 31 parameters $d^{*}$ from Table 4. In our model with isogenies of degrees $\{\mathrm{3,5},\mathrm{7,37}\}$, to equalize the selection probabilities of the quadratic twist pair curves, we assume all degrees are unidirectional, then in the secret keys of degrees $\left\{\mathrm{5,7}\right\}$ we attribute the quadratic curve $\left(e_k>0\right)$ and degrees ${\left\{\mathrm{3,37}\right\}}^t$ to the twisted curve ${(e}_k<0).$ Let’s take Alice’s secret keys ${\Omega }_A=\left(-\mathrm{2,5},1,-4\right)$ and Bob’s ${\Omega }_B=\left(-\mathrm{1,3},3,-5\right)$ Let’s compute for 12 randomly chosen isogeny steps for each of their public keys.

Alice’s public key with randomly chosen curves and degrees is defined as

$$\frac{d^{\left(0\right)}=169}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{840}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{616}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{43}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{326}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{852}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }673=d^{\left(6\right)},$$

(21)

$$\begin{gathered} \frac{d^{\left(6\right)}=673}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{472}{\left(7\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{551}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{503}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{472}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{27}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }835=d^{\left(12\right)}\Rightarrow \\ \Rightarrow d_A=835. \end{gathered}$$

(22)

Bob’s similar calculations give

$$\frac{d^{\left(0\right)}=169}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{253}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{616}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{43}{\left(7\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{444}{\left(7\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{161}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }253=d^{\left(6\right)},$$

(23)

$$\begin{gathered} \frac{d^{\left(6\right)}=253}{\left(7\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{186}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{161}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{652}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{253}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{444}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }616=d^{\left(12\right)}\Rightarrow \\ \Rightarrow d_B=616. \end{gathered}$$

(24)

As a result, the two parties have public keys $d_A=835$ and $d_B=616$. Next, Alice uses her secret key to compute ${\Omega }_A=\left(-\mathrm{2,5},1,-4\right)$ curve $E_{BA}$

$$\frac{d^{\left(0\right)}=616}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{728}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{27}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{665}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{181}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{113}{\left(5\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }311=d^{\left(6\right)},$$

(25)

$$\begin{gathered} \frac{d^{\left(6\right)}=311}{\left(5\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{186}{\left(7\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{840}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{311}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{858}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{186}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }161=d^{\left(12\right)}\Rightarrow \\ \Rightarrow d_{BA}=161. \end{gathered}$$

(26)

Bob’s symmetric calculus

$$\frac{d^{\left(0\right)}=835}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{618}{\left(3\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{161}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{253}{\left(5\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{616}{\left(7\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{652}{\left(7\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }858=d^{\left(6\right)},$$

(27)

$$\begin{gathered} \frac{d^{\left(6\right)}=858}{\left(7\right)}\stackrel{\hspace{1em}1\hspace{1em}}{\to }\frac{113}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{840}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{311}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{858}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }\frac{186}{\left(37\right)}\stackrel{\hspace{1em}-1\hspace{1em}}{\to }{d}^{\left(12\right)}\Rightarrow \\ \Rightarrow d_{AB}=161 \end{gathered}$$

(28)

give the same result due to the commutativity of isogenies $d_{AB}=d_{BA}=161,$which defines the quadratic curve $E_{161}$ of the shared secret. As noted above, this value is unique (for a given starting curve). It is not required here in the shared secret $k=161$ to go to the J-invariant. Similar calculations with other starting curves and keys can be performed in parallel in other 3-independent cryptosystems to solve different problems.

9. Discussion

Let us summarize the main and composite results of the present and previous [9,10,11,12,13,14,15] works:

• The results obtain a lower estimate of the computational speed gain of the modified CSIDH algorithm on non-cyclic supersingular Edwards curves by a $\gamma =1.5·2^9$ times;
• The transition from the class of complete Edwards curves to the classes of quadratic and twisted Edwards curves double the set of curves and does not require inversion of the parameter $d$ of the Edwards curves, which is evaluated by a partial gain estimate of a $2^5$ times;
• The method of randomization of the CSIDH algorithm and avoiding the computation of the isogenic function $\varphi (x,y)$ in the projective coordinates $(W:Z)$ of Farashahi-Hosseini speeds up the algorithm more than $2^3$ times;
• Optimizing the isogeneity degrees of the CSIDH algorithm reduces the maximum isogeneity degree with a linear estimate of the algorithm speedup by a factor of 1.5;
• For every non-cyclic Edwards curve, there exists an isomorphic Edwards curve with an inverted parameter, which gives rise to the existence of two independent cryptosystems with parallel computation capability. This doubles the performance of the CSIDH algorithm and eliminates the threat of side-channel attacks. The CSIKE scheme also allows doubling the length of the secret key to 1024 bits;
• An original CSIKE key encapsulation scheme with one public key instead of two in CSIDH is proposed and modeled, which provides improved security of the algorithm;
• A model of Diffie-Hellman secret sharing on isogenies of degrees $\{\mathrm{3,5},\mathrm{7,37}\}$ of non-cyclic Edwards curves is constructed for the CRS scheme of ordinary curves. It is shown that instead of two isomorphic cryptosystems in the CSIDH algorithm, the transition to a set of ordinary Edwards curves gives rise to four independent cryptosystems with parallel computation capability. This can double the above estimate of the computational speed gain up to $\gamma =3·2^9.$

Although in [22] it is stated that a drawback of CSIDH is that it is still considered to be inefficient when compared to other algorithms, taking into account the optimization data of the algorithm, it can be assumed that the algorithm can be used on an equal basis with other PQC algorithms.