On the Performance Analysis for CSIDH-Based Cryptosystems

Abstract

In this paper, we present the performance and security analysis for various commutative SIDH (CSIDH)-based algorithms. As CSIDH offers a smaller key size than SIDH and provides a relatively efficient signature scheme, numerous CSIDH-based key exchange algorithms have been proposed to optimize the CSIDH. In CSIDH, the private key is an ideal class in a class group, which can be represented by an integer vector. As the number of ideal classes represented by these vectors determines the security level of CSIDH, it is important to analyze whether the different vectors induce the same public key. In this regard, we generalize the existence of a collision for a base prime $p\equiv 7mod8$. Based on our result, we present a new interval for the private key to have a similar security level for the various CSIDH-based algorithms for a fair comparison of the performance. Deduced from the implementation result, we conclude that for a prime $p\equiv 7mod8$, CSIDH on the surface using the Montgomery curves is the most likely to be efficient. For a prime $p\equiv 3mod8$, CSIDH on the floor using the hybrid method with Onuki’s collision-free method is the most likely to be efficient and secure.

1. Introduction

Isogeny-based cryptography was first proposed by Couveignes in 1997 [1] and is constructed using the isogeny classes of ordinary elliptic curves defined over a finite field ${\mathbb{F}}_p$. The scheme proposed by Couveignes was later rediscovered by Rostovtsev and Stolbunov, which we now typically call as the CRS scheme. While the CRS scheme is attractive for having a small key size, the scheme was extremely inefficient and even suffered from the quantum sub-exponential algorithm proposed by Childs et al. [2]. The isogeny-based cryptosystem began to gain attention after the introduction of the SIDH key exchange by Jao, De Feo, and Plût in 2011 [3]. As SIDH is constructed using the isogenies between supersingular elliptic curves, the cryptosystem resists against the attack proposed in [2], as the endomorphism ring of supersingular curves is non-commutative while the attack in [2] exploits the commutativity of the endomorphism ring of an ordinary curve. Until now, the best known classical and quantum attacks against the underlying problem are both exponential. The Supersingular Isogeny Key Encapsulation (SIKE), based on SIDH, was submitted as one of the candidates to the NIST post-quantum cryptography standardization project [4]. Currently, SIKE is an alternative candidate in Round 3 of the NIST standardization project. However, one of the drawbacks of isogeny-based cryptography is that not only the algorithm is slower than any other post-quantum cryptography algorithms, but it is also hard to design various cryptographic primitives.

The CRS scheme was pointed out again by De Feo, Kieffer, and Smith in [5], and independently by Castryck et al. in [6]. As the CRS scheme offers efficient and safe public key validation, this makes it suitable to construct a non-interactive key exchange. In [5], they modernize the parameter selection of the CRS scheme for better performance and present an efficient way to compute the CRS group action. In [6], they propose CSIDH (commutative SIDH), which solves the parameter selection problem of the CRS scheme by restricting the use of supersingular elliptic curves over ${\mathbb{F}}_p$. The bottleneck in the performance of [5] is that it is hard to find an ordinary elliptic curve with many small Elkies primes ℓ, such that both the curve and its twist have an ${\mathbb{F}}_p$-rational ℓ-torsion point. By using the supersingular elliptic curve, every prime ℓ dividing the curve order is an Elkies prime. As a result, for a full key exchange at a 128-bit classical security level, CSIDH requires about 80 ms, which is 2000 times faster than De Feo, Kieffer, and Smith [5].

Currently, the performance of CSIDH is magnitude slower than SIDH-based algorithms. However, CSIDH provides a non-interactive key change and can efficiently validate the public key, which makes it possible to reuse a key without the need for confirmation. More importantly, CSIDH provides a practical isogeny-based signature scheme called CSI-FiSh [7]. Note that SIDH and CSIDH provide relatively efficient key-exchange schemes. However, constructing an isogeny-based digital signature scheme is much harder to achieve. The first SIDH-based digital signature scheme was by Yoo et al. in [8]. Not only was their scheme inefficient, but the size of the signature is larger than other post-quantum signature schemes. SeaSign, a CSIDH-based digital signature scheme proposed by De Feo and Galbraith, alleviated this problem, although several minutes are still required to sign a message [9]. Later, by computing the class group of an imaginary quadratic field having 154-digit discriminant, CSI-FiSh [7] offers a practical digital signature scheme which requires 390 ms to sign a message. For isogeny-based cryptography, this is a remarkable result, which shed a light that various cryptographic primitives can be constructed through elliptic curve isogenies. As speed is the main drawback of the practical use of CSIDH-based algorithms, many studies focus on developing an efficient algorithm or modifying an algorithm to increase the performance.

In CSIDH, as higher degree isogenies are used, computing the curve coefficient of the image curve is painstaking compared to the 3- and 4- isogenies used in SIDH-based systems. In [10], by exploiting the fact that conversion between Montgomery curves and Edwards curves are efficient, Meyer and Reith proposed a hybrid version of implementation for CSIDH. In [11], they proposed a method to use a 2-torsion point for recovering the coefficient of the image curve for Montgomery curves. In [12], they proposed optimized odd-degree isogeny formula by using the w-coordinate on Edwards curves. By adapting the formula in [12], faster Edwards-only CSIDH can be implemented. Additionally, there are studies that focus on both security and performance enhancement. In [13], Onuki and Takagi examined that there exist collisions related to an ideal class of order 3 in CSIDH. CSIDH uses the exponents $(e_1,e_2,\dots ,e_n)$ as a private key. The work of [13] means that $(e_1,e_2,\dots ,e_n)$ and $(e_1+3,e_2+3,\dots ,e_n+3)$ represent the same ideal class (same private key) so that the size of the private keyspace is reduced. To eliminate this collision, they present a new ideal representation that exploits an isogeny of degree 4. In [14], they proposed CSIDH on the surface, called CSURF, using supersingular elliptic curve with endomorphism ring $\mathbb{Z}[(1+\sqrt{-p})/2]$. The CSURF algorithm allows the use of 2-isogeny in CSIDH by choosing the prime p such that $p\equiv 7mod8$, unlike the original CSIDH execute on the floor, i.e., using endomorphism ring $\mathbb{Z}\left[\sqrt{-p}\right]$ with the base prime $p\equiv 3mod8$. As the computation of the large degree isogenies corresponds to the performance degradation of CSIDH, CSURF proposed a way to use 2-isogenies more and use a fewer number of large degree isogenies at the same security level. To summarize, all of this work focuses on optimizing the performance of CSIDH while enhancing the security level.

In this paper, we analyze the performance and security of the various CSIDH-based algorithms in order to find out what sort of prime p and which method is most efficient. The following list details the main contribution of this work.

• We implement the CSIDH-based algorithms in the same environment for the exact performance comparison. More explicitly, we implement CSURF [13,14] in projective coordinates. The algorithm in [13] has not been previously implemented. For CSURF, the authors presented only Magma-based implementation. We implemented both of the algorithms in C for an exact comparison with CSIDH [6]. The projectivized formula for the building blocks for both of the algorithms is presented in Section 2.
• We generalize the existence of a collision for a base prime p such that $p\equiv 7mod8$. As CSIDH-based algorithms use ideal classes expressed by an integer vector as a private key, the number of ideal classes represented by these vectors determines the security level of CSIDH. Hence, analyzing whether different private key results in the same public key is important. The collisions for CSIDH and CSURF were examined in [13,15], respectively. We generalize this idea to the prime $p\equiv 7mod8$. Details of our proof are presented in Section 3.4
• We analyze the performance and the security of the three algorithms—CSIDH, CSURF, and Onuki’s CSIDH over the prime p with $p\equiv 3mod8$ and $p\equiv 7mod8$. Additionally, we present a new interval for the private key to have a similar security level for the various CSIDH-based algorithms. The details of our implementation are presented in Section 4. From the implementation result, we conclude that for a prime $p\equiv 7mod8$, CSIDH on the surface using the Montgomery curves is the most likely to be efficient. For a prime $p\equiv 3mod8$, CSIDH on the floor using the hybrid method with Onuki’s collision-free method is the most likely to be efficient and secure.

This paper is organized as follows. In Section 2, we introduce two types of elliptic curves, which will be used for the implementation. We also present the computational cost of the lower-level functions to construct CSIDH-based algorithms over these curves. In Section 3, we review the CSIDH algorithms and two of its variants. The implementation results are presented in Section 4, and we draw our conclusions and future work in Section 5.

2. Montgomery Curve and Tweaked Montgomery Curve

This section introduces two types of Montgomery elliptic curves, which will be used throughout the paper. Then, we analyze the computational cost of elliptic curve arithmetic and isogeny computation on both curves, which are the main building blocks for implementing CSIDH-based algorithms.

Let K be a field with the characteristic not equal to 2 or 3. The Montgomery curves over K are denoted by

$$M_{a,b}:b{y}^2=x^3+a{x}^2+x,$$

where $b(a^2-4)\ne 0$. We shall write $M_a$ when $b=1$ throughout the paper. Moreover, the tweaked Montgomery curves over K are denoted by

$$M_{a,b}^t:b{y}^2=x^3+a{x}^2-x,$$

where $b(a^2+4)\ne 0$. We shall write $M_a^t$ when $b=1$ in this paper. Similar to the arithmetic on $M_a$, the elliptic curve arithmetic on $M_a^t$ can also be constructed using only x-coordinate.

For the remainder of this section, we introduce the elliptic curve arithmetic and isogeny formulas and analyze the computational cost for each operation on both curves. As the projective curve coefficient and projective coordinate are used for implementing isogeny-based cryptography, we shall evaluate the computational cost on both curves in these circumstances. For the elliptic curve arithmetic, we mainly focus on differential addition and doubling formula. For isogeny computation, we consider odd-degree isogenies.

2.1. Elliptic Curve Arithmetic on $M_a$ and $M_a^t$

Let $P=(x_P,y_P)$ and $Q=(x_Q,y_Q)$ be a point on a Montgomery curve $M_a$ such that $x_P\ne x_Q$. Let $P-Q=(x_{P-Q},y_{P-Q})$ be given. Then the x coordinates of their sum $P+Q$ and the doubling of P, $x_{\left[2\right]P}$ can be computed as follows:

$$\begin{array}{cc}\hfill x_{P+Q}& ={(x_P{x}_Q-1)}^2/\left(x_{P-Q}{(x_P-x_Q)}^2\right)\hfill \\ \hfill x_{\left[2\right]P}& ={(x_P^2-1)}^2/\left(4x_P(x_P^2+a{x}_P+1)\right)\hfill \end{array}$$

For a tweaked Montgomery curve $M_a^t$, let $P=(x_P,y_P)$ and $Q=(x_Q,y_Q)$ be a point on $M_a^t$ such that $x_P\ne x_Q$. Let $P-Q=(x_{P-Q},y_{P-Q})$ be given. Then the x coordinates of their sum $P+Q$ and the doubling of P, $x_{\left[2\right]P}$ can be computed as follows [14]:

$$\begin{array}{cc}\hfill x_{P+Q}& ={(x_P{x}_Q+1)}^2/\left(x_{P-Q}{(x_P-x_Q)}^2\right)\hfill \\ \hfill x_{\left[2\right]P}& ={(x_P^2+1)}^2/\left(4x_P(x_P^2+a{x}_P-1)\right)\hfill \end{array}$$

At a glance, the computational costs of the differential addition and doubling on both curves are the same. However, when projective x-coordinate ($XZ$-coordinate) and projective curve coefficients are used, the computational costs are slightly different for both curves.

Now let $P=(X_P:Z_P)$ and $Q=(X_Q,Z_Q)$ be a point on a Montgomery curve $M_a$ such that $x_P=X_P/Z_P$ and $x_Q=X_Q/Z_Q$ for $x_P\ne x_Q$. Let $P-Q=(X_{P-Q}:Z_{P-Q})$ be the given difference of P and Q in projective coordinates such that $x_{P-Q}=X_{P-Q}/Z_{P-Q}$. Then the addition formula in projective coordinates can be decomposed as follows [16]:

$$\begin{array}{cc}\hfill X_{P+Q}& =Z_{P-Q}{(X_P{X}_Q-Z_P{Z}_Q)}^2=Z_{P-Q}{((X_P-Z_P)(X_Q+Z_Q)+(X_P+Z_P)(X_Q-Z_Q))}^2,\hfill \\ \hfill Z_{P+Q}& =X_{P-Q}{(X_P{Z}_Q-Z_P{X}_Q)}^2=X_{P-Q}{((X_P-Z_P)(X_Q+Z_Q)-(X_P+Z_P)(X_Q-Z_Q))}^2.\hfill \end{array}$$

The computational cost is 4M + 2S, where the M and S refers to a field multiplication and squaring, respectively. The doubling of P gives $\left[2\right]P=(X_{\left[2\right]P}:Z_{\left[2\right]P})$, where $X_{\left[2\right]P}$ and $Z_{\left[2\right]P}$ are defined as:

$$\begin{array}{cc}\hfill X_{\left[2\right]P}& =C{(X_P^2-Z_P^2)}^2,\hfill \\ \hfill Z_{\left[2\right]P}& =4X_P{Z}_P(C{X}_P^2+C{Z}_P^2+A{X}_P{Z}_P),\hfill \end{array}$$

where $a=A/C$. The computational cost is 4M + 2S.

On the other hand, for a tweaked Montgomery curve, let $P=(X_P:Z_P)$ and $Q=(X_Q,Z_Q)$ be a point on $M_a^t$ such that $x_P=X_P/Z_P$ and $x_Q=X_Q/Z_Q$ for $x_P\ne x_Q$. Let $P-Q=(X_{P-Q}:Z_{P-Q})$ be the given difference of P and Q in projective coordinates such that $x_{P-Q}=X_{P-Q}/Z_{P-Q}$. Then the sum $P+Q$ in projective coordinates can be computed as follows:

$$\begin{array}{c}\hfill X_{P+Q}=Z_{P-Q}{(X_P{X}_Q+Z_P{Z}_Q)}^2,\\ \hfill Z_{P+Q}=X_{P-Q}{(X_P{Z}_Q-Z_P{X}_Q)}^2,\end{array}$$

and the concrete computation process is presented as below:

$$\begin{array}{c}\hfill t_0=X_P·X_Q,t_1=Z_P·Z_Q,t_2=t_0+t_1,t_3=t_2^2,X_{P+Q}=t_3·Z_{P-Q},\\ \hfill t_0=X_P·Z_Q,t_1=Z_P·X_Q,t_2=t_0-t_1,t_3=t_2^2,Z_{P+Q}=t_3·X_{P-Q}.\end{array}$$

In this case, the techniques used to compute the differential addition on a curve $M_a$ cannot be used, so that the computational cost of the addition formula in the tweaked Montgomery curves is 6M + 2S. The doubling of P gives $\left[2\right]P=(X_{\left[2\right]P}:Z_{\left[2\right]P})$, where $X_{\left[2\right]P}$ and $Z_{\left[2\right]P}$ are defined as:

$$\begin{array}{cc}\hfill X_{\left[2\right]P}& =C{(X_P^2+Z_P^2)}^2,\hfill \\ \hfill Z_{\left[2\right]P}& =4X_P{Z}_P(C{X}_P^2-C{Z}_P^2+A{X}_P{Z}_P),\hfill \end{array}$$

where $a=A/C$. Moreover, the concrete computation process is presented as below:

$$\begin{array}{c}\hfill t_0=X_P^2,t_1=Z_P^2,t_2=t_0+t_1,t_3=t_2^2,X_{\left[2\right]P}=C·t_3,t_2=t_0-t_1,t_3=X_P·Z_P,\\ \hfill t_0=C·t_2,t_1=A·t_3,t_2=t_0+t_1,t_0=t_2·t_3,t_1=t_0+t_0,Z_{\left[2\right]P}=t_1+t_1.\end{array}$$

The computational cost of the doubling formula in the tweaked Montgomery curves is 5M + 3S.

2.2. Odd-Degree Isogeny Formulas on $M_a$ and $M_a^t$

In [16], Costello and Hisil proposed a formula for computing an arbitrary odd-degree isogenies on the Montgomery curves. Let $P=(x_1,y_1)$ be a point on a Montgomery curve $M_a$, having order $\ell =2d+1$ and let $(x_i,y_i)=\left[i\right]P$. Then ℓ-isogeny $\varphi$ from $M_a$ to $M_{a^{\prime }}=M_a/\langle P\rangle$ is given by:

$$\begin{array}{c}\hfill \varphi :(x,y)\to (f\left(x\right),y·f^{\prime }\left(x\right))\end{array}$$

where

$$\begin{array}{c}\hfill f\left(x\right)=x·\prod _{i=1}^d{\left(\frac{x{x}_i-1}{x-x_i}\right)}^2\end{array}$$

In the above equation, $f^{\prime }\left(x\right)$ is derivative of $f\left(x\right)$ and $a^{\prime }=(6\tilde{\sigma }-6\sigma +a){\pi }^2$ for $\sigma ={\sum }_{i=1}^d{x}_i$, $\tilde{\sigma }={\sum }_{i=1}^{d}1/x_i$, and $\pi ={\prod }_{i=1}^d{x}_i$.

Now, in projective $XZ$-coordinate, let $\left[i\right]P=P_i=(X_i:Z_i)$, where $x_i=X_i/Z_i$ and $P_1=P$. Then the evaluation of an isogeny refers to the computation of the image point of $\varphi$. Let $Q=(X:Z)$ be another point on $M_a$ and $\varphi \left(Q\right)=(X^{\prime }:Z^{\prime })$. Then $X^{\prime }$ and $Z^{\prime }$ are as follows:

$$\begin{array}{cc}\hfill & X^{\prime }=X{\left(\prod _{i=1}^d[(X-Z)(X_i+Z_i)+(X+Z)(X_i-Z_i)]\right)}^2,\hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill & Z^{\prime }=Z{\left(\prod _{i=1}^d[(X-Z)(X_i+Z_i)-(X+Z)(X_i-Z_i)]\right)}^2.\hfill \end{array}$$

(2)

The computational cost of this formula is $\left(4d\right)$M + 2S. For the coefficient of the image curve $a^{\prime }$, Castryck et al. present a formula in projective coordinate in [6], which is as follows:

$$\begin{array}{c}\hfill a^{\prime }=\pi (a-3\sigma ),\end{array}$$

where $\pi ={\prod }_{i=1}^{\ell -1}\frac{X_i}{Z_i}\mathrm{and}\sigma ={\sum }_{i=1}^{\ell -1}(\frac{X_i}{Z_i}-\frac{Z_i}{X_i})$. Which can be computed in $(6d-2)$M + 3S.

For the isogeny evaluation and computing the curve coefficient of the image curve of a tweaked Montgomery curve $M_a^t$ presented in [14], $f\left(x\right)$ is now defined as:

$$\begin{array}{c}\hfill f\left(x\right)=x·\prod _{i=1}^d{\left(\frac{x{x}_i+1}{x-x_i}\right)}^2\end{array}$$

Let P be a point on $M_a^t$, having order $\ell =2d+1$. In projective coordinate, let $\left[i\right]P=P_i=(X_i:Z_i)$, where $x_i=X_i/Z_i$ and $P_1=P$. Let $\varphi$ be an ℓ-isogeny from $M_a^t$ to $M_{a^{\prime }}^t=M_a^t/\langle P\rangle$. Let $Q=(X:Z)$ be another point on $M_a^t$ and let $\varphi \left(Q\right)=(X^{\prime }:Z^{\prime })$. Then $X^{\prime }$ and $Z^{\prime }$ are as follows:

$$\begin{array}{cc}\hfill & X^{\prime }=X{\left(\prod _{i=1}^d(X{X}_i+Z{Z}_i)\right)}^2,\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill & Z^{\prime }=Z{\left(\prod _{i=1}^d(X{Z}_i-Z{X}_i)\right)}^2.\hfill \end{array}$$

(4)

Similar to the case for computing the differential addition, note that for (3) and (4), the optimized computation methods like (1) and (2) do not exist. So, the computational cost of odd-degree isogeny point evaluation on the tweaked Montgomery curve is $\left(6d\right)$M + 2S. Formula in [14] for computing the coefficient of the image curve $a^{\prime }$, is similar to the formula for Montgomery curve which is

$$\begin{array}{c}\hfill a^{\prime }=\pi (a-3\sigma ),\end{array}$$

where $\pi ={\prod }_{i=1}^{\ell -1}\frac{X_i}{Z_i}\mathrm{and}\sigma ={\sum }_{i=1}^{\ell -1}(\frac{X_i}{Z_i}+\frac{Z_i}{X_i})$. This can be computed in $(6d-2)$M + 3S.

Summarizing the section,

Table 1. Computational costs of lower-level functions on Montgomery and tweaked Montgomery curves.

	Montgomery Curves	Tweaked Montgomery Curves
DBLADD	8M + 4S	11M + 5S
DBL	4M + 2S	5M + 3S
ℓ-isogeny eval.	$\left(4d\right)$M + 2S	$\left(6d\right)$M + 2S
ℓ-isogeny coeff.	$(6d-2)$M + 3S	$(6d-2)$M + 3S

presents the computational cost of the elliptic curve arithmetic and isogeny operations on Montgomery and tweaked Montgomery curves. In Table 1, DBLADD refers to the differential addition with doubling, and DBL refers to the doubling. ℓ-isogeny eval. denotes the evaluation of an ℓ-isogeny, and ℓ-isogeny coeff. denotes the computation of the coefficient of the image curve for an ℓ-isogeny.

Remark 1.

In [10], Meyer and Reith proposed a hybrid version of CSIDH, which exploits Edwards curves for recovering the coefficient of the image curve. By using the efficiency of the birational equivalence between Montgomery and Edwards curves, the coefficient of the image curve is obtained using the Edwards isogeny formula. The obtained Edwards curve coefficient is then transformed into the Montgomery coefficient. The computational cost is $\left(2d\right)$M + 6S + 2$w(\ell )$, where $w(\ell )$ is the cost of the ℓ-th power on ${\mathbb{F}}_p$ [13].

3. CSIDH-Based Schemes

In this section, we introduce the CSIDH key exchange and two main CSIDH-based algorithms—CSURF [14] and collision-free CSIDH proposed by Onuki and Takagi [13]—to compare the performance and security. As CSIDH made a noticeable improvement by exploiting supersingular elliptic curves to instantiate the CRS scheme, various methods began to propose in order to optimize the performance and improve the security. The former is the CSURF, which proposes a way to exploit efficient horizontal 2-isogenies for a speed-up, and the later is the method by Onuki and Takagi, where they analyzed the existence of a collision in the private keyspace and provided a method to eliminate such collisions. Before going into the details of the algorithms, we present three primes, $p_1$, $p_2$, and $p_3$, which will be used throughout the paper.

First, we use the primes $p_1$ and $p_2$ presented as below, in order to match the size of the base field for a fair comparison.

$$\begin{array}{cc}\hfill p_1& =4·\underset{73\mathrm{first}\mathrm{odd}\mathrm{primes}}{(3·\dots ·373)}·587-1\approx 2^{510.668},\hfill \\ \hfill p_2& =4·2^2·3^2·11·\underset{73\mathrm{first}\mathrm{odd}\mathrm{primes}}{(3·\dots ·373)}-1\approx 2^{510.100}.\hfill \end{array}$$

The first prime $p_1\equiv 3mod8$, presented in [6], will be used to compare the original CSIDH and Onuki’s CSIDH. The second prime $p_2\equiv 7mod8$, presented in [11], will be used to compare the original CSIDH and CSURF.

On the other hand, in [14], Castryck and Decru used the prime $p_3$ defined as below for CSURF. In this paper, we use $p_3$ to explain the CSURF algorithm, but $p_3$ will not be used for the implementation as the size of the prime is larger than $p_1$.

$$\begin{gathered} \begin{array}{c}\hfill p_3=4·2·3·\underset{74\text{consecutive primes}, \\ \mathrm{skip}347\mathrm{and}359}{(3·\dots ·389)}-1\approx 2^{512.880}.\end{array} \end{gathered}$$

3.1. CSIDH

CSIDH is an isogeny-based Diffie-Hellman protocol proposed by Castryck et al. [6] using supersingular curves defined over ${\mathbb{F}}_p$ and commutative group action. The prime p of the base field is of the form $p=4{\prod }_{i=1}^n{\ell }_i-1$, where ${\ell }_i$’s are odd primes. For an order $\mathcal{O}={\mathrm{End}}_{{\mathbb{F}}_p}\left(E\right)$, it is well-known that the class group $\mathrm{cl}\left(\mathcal{O}\right)$ acts freely and transitively on $\mathcal{E}\ell {\ell }_p\left(\mathcal{O}\right)$, where $\mathcal{E}\ell {\ell }_p\left(\mathcal{O}\right)$ is the set of elliptic curves E defined over ${\mathbb{F}}_p$ with ${\mathrm{End}}_{{\mathbb{F}}_p}\left(E\right)=\mathcal{O}$. This group action is represented by $\left[\mathfrak{a}\right]E$, where $E\in \mathcal{E}\ell {\ell }_p\left(\mathcal{O}\right)$ and an ideal class $\left[\mathfrak{a}\right]\in \mathrm{cl}\left(\mathcal{O}\right)$. Since E is a supersingular curve with $\#E\left({\mathbb{F}}_p\right)=p+1=4·{\ell }_1\cdots {\ell }_n$, for each i, there is ${\mathbb{F}}_p$-rational subgroup of order ${\ell }_i$. Moreover, let $\pi =\sqrt{-p}$ be the ${\mathbb{F}}_p$-Frobenius endomorphism of E. Then, since $p=-1mod{\ell }_i$, for a prime ${\ell }_i$, it is well-known that ${\ell }_i\mathcal{O}$ splits into two prime ideals ${\mathfrak{l}}_i=({\ell }_i,\pi -1)$ and ${\mathfrak{l}}_i^{-1}=({\ell }_i,\pi +1)$. Using Velu’s formula, we compute $\left[{\mathfrak{l}}_i\right]E$ through the isogeny ${\varphi }_{{\mathfrak{l}}_i}$ with the kernel generated by a point of order ${\ell }_i$, which lies in the kernel of $\pi -1$ and compute $\left[{\mathfrak{l}}_i^{-1}\right]E$ through the isogeny ${\varphi }_{{\mathfrak{l}}_i^{-1}}$ with the kernel generated by a point of order ${\ell }_i$, which lies in the kernel of $\pi +1$.

Assume that Alice and Bob execute a key exchange. Alice and Bob randomly select each secret key $\left[\mathfrak{a}\right]$ and $\left[\mathfrak{b}\right]$ in $\mathrm{cl}\left(\mathcal{O}\right)$, respectively. Next, Alice sends $E_A=\left[\mathfrak{a}\right]E$ to Bob, Bob sends $E_B=\left[\mathfrak{b}\right]E$ to Alice. Upon the receipt of $E_B$ from Bob, Alice computes $\left[\mathfrak{a}\right]E_B$ and obtains $E_{AB}=\left[\mathfrak{a}\right]E_B$. Similarly, Bob obtains $E_{BA}=\left[\mathfrak{b}\right]E_A$. Then $E_{AB}=E_{BA}$ is the shared secret between Alice and Bob.

As an element of the ideal-class group cl$\left(\mathcal{O}\right)$ is expected to be of the form ${\prod }_{i=1}^n{\mathfrak{l}}_i^{e_i}$ $({\mathfrak{l}}_i=({\ell }_i,\pi -1))$ by Cohen–Lenstra heuristics, the private key $\left[\mathfrak{a}\right]$ and $\left[\mathfrak{b}\right]$ is represented as the integer vectors $(e_1,e_2,\cdots ,e_n)\in {\mathbb{Z}}^n$, each of $e_i$ sampled randomly from a range $[-m,m]$. Thus a group action $\left[\mathfrak{a}\right]E$ can be computed by applying ${\ell }_i$-isogeny operation $e_i$ times for $\mathfrak{a}={\prod }_{i=1}^n{\mathfrak{l}}_i^{e_i}\in \mathrm{cl}\left(\mathcal{O}\right)$. If $e_i>0$, ${\ell }_i$-isogeny is applied with the kernel generated by a point in $E\left({\mathbb{F}}_p\right)$ of order ${\ell }_i$. If $e_i<0$, ${\ell }_i$-isogeny is applied with the kernel generated by a point in $E({\mathbb{F}}_{p^2}\backslash {\mathbb{F}}_p)$ of order ${\ell }_i$.

The CSIDH-512 offers an 128-bit classical security and uses the prime $p_1$. The secret exponent of CSIDH-512 is of the form $(e_1,e_2,\cdots ,e_{74})$, where $e_i\in [-5,5]$. Thus, they expect that there are ${11}^{74}\approx 2^{255.998}$ distinct exponents.

3.2. Onuki’s CSIDH

In [13], Onuki and Takagi proposed a new interval of the secret exponent and a new method for computing the coefficient of the image curve using 4-torsion points for CSIDH protocol. In CSIDH, the ideal classes, which are used as a private key, are represented by vectors with integer coefficients. As the number of ideal classes represented by these vectors determines the security level of CSIDH, it is important to examine the correspondence between the ideal classes and the vectors. They proved that the vector $(1,\dots ,1)$ corresponds to an ideal class of order 3. This means that a secret exponent $(e_1,e_2,\cdots ,e_n)$ and $(e_1+3,e_2+3,\cdots ,e_n+3)$ represents the same ideal class. Since CSIDH-512 selects a secret exponent $(e_1,e_2,\cdots ,e_n)$ from a range $[-5,5]$, there exists the collision of the form $(e_1+3,e_2+3,\cdots ,e_n+3)$. Thus, Onuki and Takagi used the ideal ${\mathfrak{l}}_0=(4,\pi -1)$ instead of using the ideal ${\mathfrak{l}}_n=({\ell }_n,\pi -1)$. Therefore, a secret exponent proposed in [13] is of the form $(e_0,e_1,\cdots ,e_{n-1})$ to compute class group action $\left[\mathfrak{a}\right]E[{\mathfrak{l}}_0^{e_0}{\mathfrak{l}}_1^{e_1}\cdots {\mathfrak{l}}_{n-1}^{e_{n-1}}]E$, where $e_0\in [-1,1]$ and $e_i\in [-m,m]$ for $1\le i\le n-1$. They also proposed a new formula for computing the actions of the ideal classes represented by $(1,\dots ,1)$ and $(-1,\dots ,-1)$ by using degree 4 isogenies. Let $P_{-}$ and $P_{+}$ be a point of $M_a$ of x-coordinate -1 and 1, respectively. Then, for 4-isogenies $\varphi :M_a\to M_{a^{\prime }}$ used in this algorithm with $ker\varphi =\langle P_{-}\rangle$$\left(\mathrm{resp}.ker\varphi =\langle P_{+}\rangle \right)$, $a^{\prime }$ is computed as

$$\begin{array}{c}\hfill a^{\prime }=\frac{2a-12}{a+2}\left(\mathrm{resp}.a^{\prime }=\frac{-2a-12}{a-2}\right).\end{array}$$

(5)

The former case is computed if $e_0=1$, and the later case is computed when $e_0=-1$. Applicability of these 4-isogenies is argued in below proposition, where $En{d}_p\left(M_a\right)\cong \mathbb{Z}[(1+\sqrt{-p})/2]$.

Proposition 1.

Let p be a prime of the form $p\equiv 7mod8$ and $M_a:y^2=x^3+a{x}^2+x$ be a Montgomery curve with the endomorphism ring $En{d}_p\left(M_a\right)\cong {\mathcal{O}}_K$. Then, the 4-isogenies $\varphi :M_a\to M_{a^{\prime }}$ presented in (5)

$$\begin{array}{c}\hfill \left(i\right)a^{\prime }=\frac{2a-12}{a+2}\mathit{and}\left(ii\right)a^{\prime }=\frac{-2a-12}{a-2}\end{array}$$

do not preserve the same $(\ell ,\pi -1)$ action class.

Proof. 

First, the set $S_{p,{\mathcal{O}}_K}^{+}=\left\{a\right|En{d}_p\left(M_a\right)\cong {\mathcal{O}}_K\}$ splits into two partitions, denoted $S_{p,1}^{+}$ and $S_{p,2}^{+}$ respectively. These sets are defined as below,

$$\begin{array}{c}\hfill S_{p,1}^{+}=\{a\in S_{p,{\mathcal{O}}_K}^{+}|(0,0)\notin 2M_a\left({\mathbb{F}}_p\right)\},\\ \hfill S_{p,2}^{+}=\{a\in S_{p,{\mathcal{O}}_K}^{+}|(0,0)\in 2M_a\left({\mathbb{F}}_p\right)\}.\end{array}$$

Note that $a\pm 2$ are both square in ${\mathbb{F}}_p$ if $a\in S_{p,2}^{+}$, and $a\pm 2$ are not both square in ${\mathbb{F}}_p$ if $a\in S_{p,1}^{+}$ by Theorem 2 in [11]. Assume that we apply above former 4-isogeny. Since $a^{\prime }=(2a-12)/(a+2)$,

$$\begin{array}{c}\hfill a^{\prime }+2=\frac{4(a-2)}{a+2}\mathrm{and}{a}^{\prime }-2=\frac{-16}{a+2}.\end{array}$$

If $a\in S_{p,1}^{+}$, then $a^{\prime }\pm 2$ are both square in ${\mathbb{F}}_p$, so that $a^{\prime }\in S_{p,2}^{+}$. If $a\in S_{p,2}^{+}$, then $a^{\prime }+2$ is square and $a^{\prime }-2$ is not square in ${\mathbb{F}}_p$, so that $a^{\prime }\in S_{p,\mathcal{O}}$. That is, the image curve $M_{a^{\prime }}$ is on the floor. Similarly, the case of later 4-isogeny does not preserve the same $(\ell ,\pi -1)$ action class.  □

We summarize the result of Proposition 1 in

Table 2. The results of 4-isogenies in [13] on the surface.

	$\left(\mathit{i}\right)$	$\left(\mathit{ii}\right)$
$S_{p,1}^{+}$	$S_{p,2}^{+}$	$S_{p,\mathcal{O}}$
$S_{p,2}^{+}$	$S_{p,\mathcal{O}}$	$S_{p,1}^{+}$

.

Moreover, Onuki and Takagi presented a new formula for computing the image coefficient of the image curve using 4-torsion points. For a $(2d+1)$-isogeny $\varphi :M_a\to M_{a^{\prime }}$ with $ker\varphi =\langle P\rangle$, $a^{\prime }$ is computed as below,

$$\begin{array}{cc}\hfill C^{\prime }& =C{\left(\prod _{i=1}^d(X_i+Z_i)\prod _{i=1}^d{Z}_i\right)}^2,\hfill \\ \hfill A^{\prime }& =(A-2C){\left((\prod _{i=1}^d(X_i+Z_i)+2\sum _{i=1}^d(X_i-Z_i)\prod _{j\ne i}(X_i+Z_i))\prod _{i=1}^d{X}_i\right)}^2+2C^{\prime }\hfill \end{array}$$

where $\left[i\right]P=(X_i:Z_i)$, $a=A/C$, and $a^{\prime }=A^{\prime }/C^{\prime }$. The computational cost of this formula is $(5d-1)$M + 2S.

This collision-free CSIDH proposed by Onuki and Takagi offers little extra security to the original CSIDH. For the implementation of Onuki’s algorithm, we use the prime $p_1$ with $n=74$ and $m=5$, as the parameters are not explicitly described in [13]. This setting gives $3·{11}^{73}\approx 2^{254.123}$ distinct exponents.

3.3. CSURF

Since CSIDH protocol used a prime of the form $p\equiv 3mod8$, the Montgomery curves $M_a\left({\mathbb{F}}_p\right)$ has no ${\mathbb{F}}_p$-rational 2-torsion point except for $(0,0)$. Using only odd-degree isogenies without 2-isogenies resulted in the inefficiency of computing the class group action. To overcome this problem, Castryck and Decru presented a new hard homogeneous space using tweaked Montgomery curves in [14]. The CSURF protocol uses a prime of the form $p\equiv 7mod8$ and the tweaked Montgomery curves $M_a^t/{\mathbb{F}}_p$. Thus, the ${\mathbb{F}}_p$-endomorphism ring of $M_a^t/{\mathbb{F}}_p$ is isomorphic to $\mathbb{Z}[(1+\sqrt{-p})/2]$ and every curve in this setting has three ${\mathbb{F}}_p$-rational 2-torsion points. Hence, CSURF can now exploit horizontal 2-isogenies with the ideal ${\mathfrak{l}}_0=(2,\frac{\sqrt{-p}-1}{2})$ to help compute the class group action. For a supersingular Montgomery curve $M_a$, the Montgomery coefficient a and ${\mathbb{F}}_p$-isomorphism class of $M_a$ are one-to-one correspondence when the base prime p is of the form $p\equiv 3mod8$. Likewise, for a supersingular tweaked Montgomery curve $M_a^t$, the tweaked Montgomery coefficient a and ${\mathbb{F}}_p$-isomorphism class of $M_a^t$ are also one-to-one correspondence when the base prime p is of the form $p\equiv 7mod8$. This is summarized in

Table 3. ([14]) The ratio of the number of Montgomery± coefficients to the number of ${\mathbb{F}}_p$-isomorphism classes of supersingular elliptic curves.

		$\left(\right|{\mathit{S}}_{\mathit{p},\mathcal{O}}^{+}|:|\mathcal{E}\mathit{\ell }{\mathit{\ell }}_{\mathit{p}}\left(\mathcal{O}\right)\left|\right)$	$\left(\right|{\mathit{S}}_{\mathit{p},\mathcal{O}}^{-}|:|\mathcal{E}\mathit{\ell }{\mathit{\ell }}_{\mathit{p}}\left(\mathcal{O}\right)\left|\right)$
$p\equiv 3mod8$	$\mathcal{O}=\mathbb{Z}\left[\frac{1+\sqrt{-p}}{2}\right]$	0	(3:1)
	$\mathcal{O}=\mathbb{Z}\left[\sqrt{-p}\right]$	(1:1)	0
$p\equiv 7mod8$	$\mathcal{O}=\mathbb{Z}\left[\frac{1+\sqrt{-p}}{2}\right]$	(2:1)	(1:1)
	$\mathcal{O}=\mathbb{Z}\left[\sqrt{-p}\right]$	(1:1)	0

. Thus, Castryck and Decru can construct well-defined free and transitive group action. Finally, they used a secret exponent $(e_0,e_1,\cdots ,e_n)$ to compute class group action $\left[\mathfrak{a}\right]M_a^t[{\mathfrak{l}}_0^{e_0}{\mathfrak{l}}_1^{e_1}\cdots {\mathfrak{l}}_n^{e_n}]M_a^t$.

In [14], Castryck and Decru used the prime $p_3$, which have 74 odd primes. For a secret exponent, they used $(e_0,e_1,\cdots ,e_{74})\in [-137,137]\times {[-4,4]}^3\times {[-5,5]}^{46}\times {[-4,4]}^{25}$ with the class group action $[{\mathfrak{l}}_0^{e_0}{\mathfrak{l}}_1^{e_1}\cdots {\mathfrak{l}}_{74}^{e_{74}}]E$, where ${\mathfrak{l}}_0=(2,\frac{\sqrt{-p_3}-1}{2})$. This leads to about $275·9^{28}·{11}^{46}\approx 2^{255.995}$ distinct exponents.

3.4. Collisions for CSIDH-Based Algorithms

In this subsection, we examine the correspondence between the ideal classes and the vectors for the CSIDH-based algorithms. As denoted in [6,13,14], the private keys in CSIDH-based algorithms are ideal classes in the class group $\mathrm{cl}\left(\mathcal{O}\right)$. Due to the design choices, this ideals can be expected to have the form ${\prod }_{i=1}^n{\mathfrak{l}}_i^{e_i}$, for small $e_i$. Hence, selecting an ideal classes corresponds to selecting an integer vector $(e_1,\dots ,e_n)$. Therefore, for an exact security evaluation, analyzing whether two different integer vectors $(e_1,\dots ,e_n)$ and $(e_1^{\prime },\dots ,e_n^{\prime })$ represent the same ideal class is important. In CSIDH-based schemes, there are different collisions depending on the prime of the base field and the ${\mathbb{F}}_p$-endomorphism ring $En{d}_p\left(E\right)$ of the elliptic curve E. As we use two different types of prime $p_1$ and $p_2$ for our implementation, we examine the collision in this prime field. We first state the main theorem in [13] and the following corollary.

Theorem 1

([13]). Let $p\equiv 3mod8$ and $En{d}_p\left(E\right)=\mathcal{O}$. Then, the ideal class $\{{\mathfrak{l}}_1^{r_1}\cdots {\mathfrak{l}}_n^{r_n}\}$ has order 3 in $\mathrm{cl}\left(\mathcal{O}\right)$.

Proof. 

See ([13], Theorem 3).  □

Corollary 1

([13]). In the CSIDH protocol, the secret exponents

$$\begin{array}{c}\hfill (e_1,e_2,\cdots ,e_n)and(e_1+3r_1,e_2+3r_2,\cdots ,e_n+3r_n)\end{array}$$

represent the same ideal class.

CSIDH-512 use $p_1$ as the base prime, where $p_1\equiv 3mod8$. Hence, the collisions pointed out in [13] exists for the original parameters of CSIDH-512. Similarly, in [15] Fan et al. proved that there also exist collisions of the form $(e_0+1,e_1+2,e_2+1,\cdots ,e_{74}+1)$ for the CSURF prime $p_3$. Now, we generalize the idea of [15] to a prime $p\equiv 7mod8$ of a certain form.

Let p be a prime of base field of the form $p=4·2^{r_0}{\ell }_1^{r_1}\cdots {\ell }_n^{r_n}-1$, with $p\equiv 7mod8$. Let $\pi =\sqrt{-p}$, $K=\mathbb{Q}\left(\pi \right)$, $\mathcal{O}=\mathbb{Z}\left[\pi \right]$, and ${\mathcal{O}}_K=\mathbb{Z}\left[\frac{1+\pi }{2}\right]$. Theorem 2 generalizes the theorem in [15] to the prime p, where $p\equiv 7mod8$.

Theorem 2.

Let $p\equiv 7mod8$ and $En{d}_p\left(E\right)={\mathcal{O}}_K$. Then the secret exponents

$$\begin{array}{c}\hfill (e_0,e_1,\cdots ,e_n)and(e_0+r_0,e_1+r_1,\cdots ,e_n+r_n)\end{array}$$

represent the same ideal class, where ${\mathfrak{l}}_0=(2,\frac{\pi -1}{2})$.

Proof. 

Since ${\mathfrak{l}}_i=({\ell }_i,\pi -1)=({\ell }_i,\frac{\pi -1}{2})$ in $\mathrm{cl}\left({\mathcal{O}}_K\right)$, the followings are hold.

$$\begin{array}{cc}\hfill {\mathfrak{l}}_0^{r_0}{\mathfrak{l}}_1^{r_1}\cdots {\mathfrak{l}}_n^{r_n}& ={(2,\frac{\pi -1}{2})}^{r_0}·{({\ell }_1,\frac{\pi -1}{2})}^{r_1}\cdots {({\ell }_n,\frac{\pi -1}{2})}^{r_n}\hfill \\ \hfill & =(2^{r_0}{\ell }_1^{r_1}\cdots {\ell }_n^{r_n},\frac{\pi -1}{2})\hfill \\ \hfill & =(\frac{p+1}{4},\frac{\pi -1}{2})=\left(\frac{\pi -1}{2}\right),\hfill \end{array}$$

Thus, $[{\mathfrak{l}}_0^{e_0}{\mathfrak{l}}_1^{e_1}\cdots {\mathfrak{l}}_n^{e_n}]E=[{\mathfrak{l}}_0^{e_0+r_0}{\mathfrak{l}}_1^{e_1+r_1}\cdots {\mathfrak{l}}_n^{e_n+r_n}]E$.  □

Corollary 2.

When the prime $p_2$ is used on the surface, the secret exponents

$$\begin{array}{c}\hfill (e_0,e_1,\cdots ,e_{73})and(e_0+2,e_1+3,e_2+1,e_3+1,e_4+2,e_5+1,\cdots ,e_{73}+1)\end{array}$$

represent the same ideal class.

Since collisions in a secret exponent reduce the size of the private keyspace, we must either avoid the collisions or endure the risk for collisions by counting the number of possible public keys. Theorem 3 deals with the number of ideal classes that a secret exponent can represent, assuming that a collision exists.

Theorem 3.

Assume that a secret exponent $(e_0,e_1,\cdots ,e_n)$ has the collision so that it represent the same ideal class as $(e_0+c_0,e_1+c_1,\cdots ,e_n+c_n)$, where $e_i\in [-m_i,m_i]$, and $c_i\in \mathbb{Z}$. Then, there are ${\prod }_{i=0}^n(2m_i+1-c_i)$ collisions. Therefore the order of the private key space $\left\{[{\mathfrak{l}}_0^{e_0}{\mathfrak{l}}_1^{e_1}\cdots {\mathfrak{l}}_n^{e_n}]E\mid e_i\in [-m_i,m_i]\right\}$ is ${\prod }_{i=0}^n(2m_i+1)-{\prod }_{i=0}^n(2m_i+1-c_i)$.

Proof. 

If every exponent $e_i$ is equal to or greater than $c_i-m_i$, then the secret exponent $(e_0,e_1,\cdots ,e_n)$ and $(e_0-c_0,e_1-c_1,\cdots ,e_n-c_n)$ represent the same ideal class. So, there are ${\prod }_{i=0}^n(m_i-(c_i-m_i)+1)={\prod }_{i=0}^n(2m_i+1-c_i)$ collisions and we must contain $e_i$ smaller than $c_i-m_i$ for at least one $i\in [0,n]$. Thus, $\left|\left\{[{\mathfrak{l}}_0^{e_0}{\mathfrak{l}}_1^{e_1}\cdots {\mathfrak{l}}_n^{e_n}]E\mid e_i\in [-m_i,m_i]\right\}\right|={\prod }_{i=0}^n(2m_i+1)-{\prod }_{i=0}^n(2m_i+1-c_i)$.  □

To avoid this type of collision, we can consider two options – dropping some degree of an isogeny or adding supplementary factors to the prime of the base field. The former method is used in [13,15] and has the advantage of avoiding computation of some large odd-degree isogenies. However, the interval adjustment of a secret exponent is inevitable to guarantee the security of the protocol. The latter method is to let exponent $r_i$ of ${\ell }_i$ in p for at least one i to be bigger than $2m_i$. In this case, we must choose the prime having those factors. The advantage of this method is that we can expect that CSIDH protocols to have a certain level of the resistance for subexponential quantum attack [2,17,18] by expanding the size of the base field.

4. Implementation and Security Analysis

In this section, we provide the implementation results and security analysis for the algorithms presented in previous chapters. First, we measure the performance of each algorithm using the initial parameters. However, for implementing the algorithms on the surface, we choose $p_2$ as the prime of the base field to match the cost of the field arithmetic with $p_1$, as much as possible. Then, we present the performance result by modifying the interval of the private key of each algorithm in order to match the security level.

All of the algorithms in this paper are implemented in C language to evaluate the performance of each algorithm. To this end, we use the field arithmetic implemented in [6]. Moreover, wall-clock times and clock cycles are obtained on one core of an Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, running Ubuntu 18.04.1 LTS. For compilation, we used GNU GCC version 7.5.0 with compile option -O3 using the benchmark provided by [6]. All results are averaged over 500,000 rounds.

Note that the prime $p_1$ and the initial curve $y^2=x^3+x$ are used for implementing the original CSIDH and Onuki’s CSIDH, and the prime $p_2$ and the initial curve $y^2=x^3-x$ are used for implementing CSURF. When implementing CSIDH over $p_2$, as a rational 2-torsion point exist, the 2-torsion method in [11,16] is used for the implementation. Therefore, for CSIDH over $p_2$, the curve $y^2=x^3+a{x}^2+x$ is used as the initial curve, where a of the initial curve is presented in [11]. We also implement Meyer’s hybrid method for a fair comparison. The prime and the base curve for implementing Meyer’s hybrid method follows the setting of CSIDH.

Table 4. Wall-clock time and clock cycles of group action of CSIDH-based algorithms (original).

	CSIDH [6]	Onuki’s [13]	Hybrid [10]	CSURF [14]
$p_1$	32.39 ms	30.77 ms	28.68 ms	-
	110,401,470 cc	104,866,008 cc	97,752,709 cc	-
$p_2$	29.62 ms	-	28.01 ms	39.38 ms
	100,945,178 cc	-	95,480,448 cc	134,216,582 cc
Interval	${[-5,5]}^{74}$/${[-5,5]}^{73}$	$[-1,1]\times {[-5,5]}^{73}$	${[-5,5]}^{74}$/${[-5,5]}^{73}$	$[-137,137]\times {[-4,4]}^3\times {[-5,5]}^{45}\times {[-4,4]}^{25}$
Security	255.998/252.536	254.123	255.998/252.536	252.535

shows the implementation results for each scheme, using the intervals provided in the original papers. For Onuki’s CSIDH, as [13] does not specified the intervals of the secret exponents, we arbitrarily set the intervals according the the security level. The security in Table 4 is the result of considering the collisions mentioned in Section 3.4. For CSIDH over $p_1$ and $p_2$, this equals to ${11}^{74}-8^{74}\approx 2^{255.998}$ and ${11}^{73}-8^{73}\approx 2^{252.536}$, respectively. For CSURF over $p_2$, this equals to $275·9^{28}·{11}^{45}-273·6·8^{27}·9·{10}^{44}\approx 2^{252.535}$.

As CSURF is an algorithm only applicable on the surface of supersingular curves, the result using $p_1$ does not exist. Similarly, Onuki’s method cannot be applied directly on the surface using $p_2$, so that the result using this prime does not exist. This is because 4-isogenies presented in [13] do not preserve the same $(\ell ,\pi -1)$ action class of the Montgomery curves used on the surface, as proved in the Proposition 1.

Lastly, we provide the performance of CSIDH-based algorithms by modifying the intervals of the secret exponents for a similar security level. As in [6,13,14], we heuristically expect that these exponents represent the elements of the class group quasi-uniformly. Note that the intervals are modified in a way so that the first three 3-, 5-, and 7-isogenies are performed up to four times, as in line with the idea in [14]. We manage to select the exponent of the first three primes small since probability of selecting a random small torsion point is lower than selecting a random large torsion point.

Remark 2.

We do not apply other technical optimization methods like SIMBA [19], new addition chains for a scalar multiplication [20], and Velusqrt algorithm [21]. This is because we intend to present the comparison results of primitive algorithms as possible. Except for applying Velusqrt to the original CSIDH and the Onuki’s method, those techniques are applicable for all of the algorithms in this paper.

As denote in Table 4 and

Table 5. Wall-clock time, clock cycles, and security considering collisions with modifying intervals.

	CSIDH [6]	Onuki’s [13]	Hybrid [10]	CSURF [14]
$p_1$	31.79 ms	30.43 ms	28.38 ms	-
	108,355,188 cc	103,712,678 cc	96,735,839 cc	-
$p_2$	30.57 ms	-	28.74 ms	40.81 ms
	104,177,392 cc	-	97,963,451 cc	139,102,772 cc
Interval	${[-4,4]}^3\times {[-6,6]}^{41}\times {[-5,5]}^{10}\times {[-4,4]}^{19}$/ ${[-4,4]}^3\times {[-6,6]}^{46}\times {[-5,5]}^{12}\times {[-4,4]}^{11}$	$[-1,1]\times {[-4,4]}^3\times {[-6,6]}^{38}\times {[-5,5]}^{10}\times {[-4,4]}^{22}$	${[-4,4]}^3\times {[-6,6]}^{41}\times {[-5,5]}^{10}\times {[-4,4]}^{19}$/${[-4,4]}^3\times {[-6,6]}^{46}\times {[-5,5]}^{12}\times {[-4,4]}^{11}$	$[-137,137]\times {[-4,4]}^3\times {[-6,6]}^{29}\times {[-5,5]}^{15}\times {[-4,4]}^{25}$
Security	256.051/256.112	256.044	256.051/256.112	256.065

, CSIDH using $p_2$ is faster than CSIDH using $p_1$. While this speed gap is meaningless because the hybrid method surpasses both algorithms, we conclude that the potential derived from the applicability of 2-isogenies makes CSIDH on the surface more attractive as computing 2-isogeny in CSURF [14] does not require sampling of a 2-torsion point. On the other hand, CSURF is slower than other algorithms, since the tweaked Montgomery curves have inefficient elliptic curve arithmetic – DBLADD and isogeny evaluation – compared to the Montgomery curves in projective coordinates. Thus, deducing from the implementation of CSIDH and CSURF, instead of using tweaked Montgomery curves, CSIDH on the surface can be executed more efficiently by using a prime of the form $p\equiv 7mod8$ and the Montgomery curves. When prime $p\equiv 3mod8$ is used, then we can implement CSIDH efficiently on the floor by exploiting the hybrid method proposed in [10]. Moreover, it is recommended to use Onuki’s collision-free method, since an attack on the collision can potentially exist.

5. Conclusions

In this paper, we provide the performance and security analysis for the various CSIDH-based algorithms. First, we implement the CSIDH-based algorithms presented in [6,13,14] in C for a fair comparison between those algorithms. By projectivizing the arithmetic formula in the tweaked Montgomery curve, we conclude that using this curve is inefficient compared to using the Montgomery curves, as of now.

Moreover, we analyze the security against brute-force attack on the private key by generalizing the possible collisions in CSIDH executed on the surface. In this regard, we present a new interval for the private key to have a similar security level for those algorithms. Thus, we can compare fairly the performances of three algorithms and offer optimization scenarios for using each parameter.

From the implementation result, we conclude that for a prime $p\equiv 7mod8$, then CSIDH on the surface using the Montgomery curves is the most likely to be efficient. For a prime $p\equiv 3mod8$ CSIDH on the floor, using the hybrid method Onuki’s collision-free method is the most likely to be efficient and secure.

For future work, we plan to study a potential attack against CSIDH-based algorithms with the collisions presented in this paper. Additionally, we plan to implement an optimized algorithm for each form of base primes and to provide more obvious standards for parameter selection by applying the various optimization methods as in [19,20,21].