Cryptology ePrint Archive: Report 2019/1121

Further Optimizations of CSIDH: A Systematic Approach to Efficient Strategies, Permutations, and Bound Vectors

Aaron Hutchinson and Jason LeGrow and Brian Koziel and Reza Azarderakhsh

Abstract: CSIDH is a recent post-quantum key establishment protocol based on constructing isogenies between supersingular elliptic curves. Several recent works give constant-time implementations of CSIDH along with some optimizations of the ideal class group action evaluation algorithm, including the SIMBA technique of Meyer et al. and the "two-point method" of Onuki et al. A recent work of Cervantes-Vazquez et al. details a number of improvements to the works of Meyer et al. and Onuki et al. Several of these optimizations---in particular, the choice of ordering of the primes, the choice of SIMBA partition and strategies, and the choice of bound vector which defines the secret keyspace---have been made in an ad hoc fashion, and so while they yield performance improvements it has not been clear whether these choices could be improved upon, or how to do so. In this work we present a framework for improving these optimizations using (respectively) linear programming, dynamic programming, and convex programming techniques. Our framework is applicable to any CSIDH security level, to all currently-proposed paradigms for computing the class group action, and to any choice of model for the underlying curves. Using our framework we find improved parameter sets for the two major methods of computing the group action: in the case of the implementation of Meyer et al. we obtain a 12.77% speedup without applying the further optimizations proposed by Cervantes-Vazquez et al., while for that of Cervantes-Vazquez et al. under the two-point method we obtain a speedup of 5.06%, giving the fastest constant-time implementation of CSIDH to date.

Category / Keywords: public-key cryptography / Post-quantum cryptography, isogeny-based cryptography, key establishment, CSIDH

Original Publication (with minor differences): 18th International Conference on Applied Cryptography and Network Security

Date: received 30 Sep 2019, last revised 4 Aug 2020

Contact author: jlegrow at uwaterloo ca,a5hutchinson@uwaterloo ca,bkoziel2017@fau edu,razarderakhsh@fau edu

Available format(s): PDF | BibTeX Citation

Note: The cycle counts in Table 2 have been corrected. Previously, tests were accidentally ran with Turbo Boost enabled. They have been reran and the cycle counts and speedups updated. New speedup values are within 0.3% of the originally reported values.

Version: 20200804:160809 (All versions of this report)

Short URL: ia.cr/2019/1121


[ Cryptology ePrint archive ]