Efficient Commutative PQC Algorithms on Isogenies of Edwards Curves

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

Please find the comments in the attached file.

Comments for author File: Comments.pdf

Author Response

Comments 1: (1) There are several incorrect parts among this article. In Theorem 1, the inverse of a point Q = (x, y) on an Edwards curve should be −Q = (−x, y), but it was written as ±Qi = (α_i, ±β_i) in Line 141. In Lines 176 and 183, the authors consider that CSIDH512 possesses a 128-bit security level. However, it has been confirmed that CSIDH does not scale well as the parameters increase. The key size should be scaled to about 4096 bits to achieve the 128-    bit security level. Besides, the authors should cite the following papers ”Quantum Security Analysis of CSIDH”, ”He Gives C-Sieves on the CSIDH” and ”The SQALE of CSIDH: sublinear V´elu quantum-resistant isogeny action with low exponents”, which suggest that CSIDH should work with larger parameters to reach the required security level. We totally don’t understand why the authors ignore so many important references in this article.

Response 1: We use the modification of Edwards form equation [8] with replacement x, then −Q = (x, -y). The entry in Line 141 is correct. We did not explore the issues of quantum security but only provided a link to the pioneering work [1].

Comments 2: (2) Many references are missing in this article. For example, in Section 3 the authors describe the computation of odd-degree isogenies on Edwards curves. However, it seems that they neglect the square-root V´elu’s formulas (√´elu), which was first proposed by Bernstein et al. in the paper ”Faster computation of isogenies in large prime degree”. This work is obviously a milestone in speeding up the computation of isogenies. But the authors completely don’t cite this work and the improvements on it. Moriya et al. extended this approach to Edwards curves in ”How to Construct CSIDH on Edwards Curves”. The square-root V´elu’s formulas can reduce the complexity of isogeny computation from O(ℓ) to O(√ℓ), which is state-of-the-art when the degree ℓ is large. Consequently, the authors need to add these references. In Section 4, the author state the randomization of the CSIDH algorithm on non-cyclic Edwards curves. Nevertheless, they do not cite the paper ”How to Construct CSIDH on Edwards Curves” when presenting the algorithm of the class-group action on Edwards curves. As discussing the constant-time version of CSIDH, the author are required to cite ”CTIDH: faster constant-time CSIDH”.
Response 2: In the introduction, we significantly limited two objectives: (1) provide an overview of our results in works [8-15] on improving the efficiency of the PQC algorithm CSIDH and possible analogs and (2) obtain for the first time an integral estimate of the gain in performance of the CSIDH algorithm and similar ones due to the proposed modifications. Unfortunately, other problems were not considered. But this is a good remark that will help us in future work.

Comments 3: (3) A few typos in this article need to be corrected. I list the following errors as examples: In Line 78, ”we in [8]” should be ”in [8], we”.
Response 3: Agree. Changes applied.

Comments 4: (3) A few typos in this article need to be corrected. I list the following errors as examples: In Line 96, the blank space is required in ”p ≡7mod8”.
Response 4: Agree. Also added spaces in all other formulas with the "mod" operator.

Comments 5: (3) A few typos in this article need to be corrected. I list the following errors as examples: In Line 105, I guess ”(10..50M)” should be revised to ”10.5M”.
Response 5: In this case, the range of values ​​is indicated; more details can be found in [16].

Comments 6: (3) A few typos in this article need to be corrected. I list the following errors as examples: In Eq. (5), ”Q ∈ G” should be ”Q_i ∈ G”.
Response 6: Agree. Changes applied.

Reviewer 2 Report

Comments and Suggestions for Authors

This paper presents important and interesting work on modifications and modeling of post-quantum cryptography (PQC) algorithms, specifically the CSIDH algorithm on non-cyclic supersingular Edwards curves and the CRS scheme on ordinary non-cyclic Edwards curves. The authors provide lower bound estimates of computational speed gains for their modified algorithms compared to the original versions.

The most significant contributions include:

1).      Choosing classes of non-cyclic Edwards curves connected as quadratic twist pairs instead of cyclic complete Edwards curves, providing a speedup of up to 2^5 times.

2).      A randomization method for the CSIDH algorithm as an alternative to "constant time CSIDH", eliminating side-channel attack threats.

3.      Demonstrating the existence of two independent cryptosystems in CSIDH and CSIKE with parallel computation capability, and four such cryptosystems for the CRS scheme.

4).      Providing integral lower bound estimates of performance gains, with the modified CSIDH algorithm achieving a 1.5 * 2^9 speedup, and the CRS scheme achieving a 3 * 2^9 speedup.

The paper presents novel and valuable modifications to important PQC algorithms. The authors provide thorough mathematical analysis and justification for their proposed changes. The potential performance gains are significant and could help address efficiency concerns with isogeny-based cryptography.

However, the paper would benefit from some revisions before publication:

1).      A "Related Work" section should be added to thoroughly describe the current state of research in this area and clearly identify the gap the authors are addressing. This would help contextualize the contributions.

2).      A dedicated "Results" section comparing the proposed modifications to known work would strengthen the paper. While comparisons are made throughout, a consolidated presentation of advantages would be valuable.

3).      The authors should more clearly articulate their specific contributions compared to prior work, including their own previous publications. A succinct statement of novel contributions would be helpful.

4).      The level of self-citation is unusually high and should be reduced, as it raises ethical concerns. The authors should ensure they are citing the most relevant external work.

With these revisions, I believe this paper makes important contributions to the field of isogeny-based post-quantum cryptography and should be accepted for publication. The proposed modifications to CSIDH and related algorithms have the potential to significantly improve their efficiency, which is crucial for practical adoption.

Author Response

Comments 1: A "Related Work" section should be added to thoroughly describe the current state of research in this area and clearly identify the gap the authors are addressing. This would help contextualize the contributions.
Response 1: We believe there is no need for such a section. After work [1], most authors of scientific articles studied the problem of countering side-channel attacks in different versions of “constant time CSIDH” [19,20,...].  They significantly slowed down the algorithm, and we did not deal with it. Our original modifications of CSIDH [10-15] solved the problem of accelerating the algorithm, and the implementation of the proposed idea of ​​parallel computing [13-15] generally removes the problem of side-channel attacks. Two objectives of this article are specified in the introduction: this is a review of our results and an integral assessment of the gain in computation speed when implementing our modifications of the algorithm.

Comments 2: A dedicated "Results" section comparing the proposed modifications to known work would strengthen the paper. While comparisons are made throughout, a consolidated presentation of advantages would be valuable.
Response 2: Everywhere the results of modifications are compared with the original work [1].

Comments 3: The authors should more clearly articulate their specific contributions compared to prior work, including their own previous publications. A succinct statement of novel contributions would be helpful.
Response 3: Agree. Changes applied.

Comments 4: The level of self-citation is unusually high and should be reduced, as it raises ethical concerns. The authors should ensure they are citing the most relevant external work.
Response 4: The number of citations to one’s work is because they present parts of the results that are summarized in this work. We have reduced the number of citations for our work.

Reviewer 3 Report

Comments and Suggestions for Authors

No Comment.

Comments on the Quality of English Language

Abstract

--------------------

There are a few abbreviations without full forms. It makes the abstract very confusing. These abbreviations are as follows.

PQC CSIDH (Post-Quantum Cryptography (PQC) Commutative Su-24 Persingular Isogeny Diffie-Hellman)

CSIKE (Commutative Supersingular Isogeny Key Encapsulation)

CRS (Couveignes-Rostovtsev-Stolbunov)

The first and the second ones have been mentioned in the introduction. Please move them to the abstract.

The last full form has never been mentioned in the paper.

 

 

The abstract is totally vague. I read it several times. But I could not manage to understand it. Please consider rewriting the abstract such that it clearly answers the following questions.

1) Exactly what have you modified and what have you modeled (the first sentence vaguely talks about modeling and modifications)?

2) What modifications have you made on PQC CSIDH?

3) "The most significant 11 results were obtained by choosing" --> The most significant among what?

4) "parallel computation, eliminating the threat of side-channel attacks" --> What is the relation between parallel computation and the elimination of side-channel threat?

5) What do you mean that there are four cryptosystems in CSIDH and CSIKE and two cryptosystems in CRS?

 

Section 6:

----------------

"In [13], we propose the original CSIKE" --> It is not common to refer to your previous works by  "we" because this reveals the names of the authors. I am not sure about the policies in this journal.

 

Section 9.

-------------------

"a lower estimate of the computational speed gain of the modified" --> This is introduced as one of your achievements in the abstract, while you are talking about it as "present and previous works [9-15] in this section. It is so confusing.

The reader cannot see Which results are your contributions and which results have been obtained in previous works.

Author Response

Comments 1: There are a few abbreviations without full forms. It makes the abstract very confusing. These abbreviations are as follows. PQC CSIDH (Post-Quantum Cryptography (PQC) Commutative Su-24 Persingular Isogeny Diffie-Hellman). CSIKE (Commutative Supersingular Isogeny Key Encapsulation). CRS (Couveignes-Rostovtsev-Stolbunov). The first and the second ones have been mentioned in the introduction. Please move them to the abstract. The last full form has never been mentioned in the paper.
Response 1: Agree. Changes applied. 

Comments 2: (Abstract 1) Exactly what have you modified and what have you modeled (the first sentence vaguely talks about modeling and modifications)?
Response 2: The abstract is of a general nature, so we do not indicate all the changes in detail. More detailed proposed improvements are given in the Introduction. 

Comments 3: (Abstract 2) What modifications have you made on PQC CSIDH?
Response 3: The CSIKE algorithm was proposed as a modification of CSIDH, replacing Alice’s secret key with a secret vector Ω_k, with which she computes a curve E_k=Θ_k*E_0 and the shared secret key d_k=k. Alice then encrypts it with Bob’s public key E_B. and computes the curve E_kB=Θ_k*E_B=Θ_k*Θ_В*E_0. Bob decapsulates his cipher using a multiplicative inverse function ¯(Θ_В ) (such that Θ_B*¯(Θ_В )=I, where I= [1,1,…,1]|_K), thereby restoring the curve E_k=Θ_k*E_0. As the key of encapsulation by both parties, we can take J-invariant of the curve E_k. 

Comments 4: (Abstract 3) "The most significant 11 results were obtained by choosing" --> The most significant among what?
Response 4: Non-cyclic connected as quadratic twist pairs showed better results than cyclic complete Edwards curves. 

Comments 5: (Abstract 4) "parallel computation, eliminating the threat of side-channel attacks" --> What is the relation between parallel computation and the elimination of side-channel threat?
Response 5: The CSIDH algorithm is constructed in such a way that the computation of isogenic chains according to functions Θ_(A,В)=[(l_1)^(e_1),(l_2)^(e_2),…,(l_K)^(e_K)] are performed in two stages: first the set is formed S with key exponents e_k of one sign, then, after zeroing of all e_k, of the other. At each stage, the kernels and parameters of exactly |e_k | of isogenic curves of isogenies of degrees l_k constructed on curves of the same class (E_d or E_(-1,-d)). This gives rise to the threat of a side-channel attack based on measuring the time of these computations, proportional to the length of the |e_k | and degree l_k of each chain [(l_k)^(e_k)]. In this regard, most articles on this topic [21,22] consider different variants of “constant time CSIDH” in which the secret exponents are e_k are built up to an upper bound m by fictitious chains of isogenies. Such protection is achieved by significant redundancy and slowing down the algorithm by half. 

Comments 6: (Abstract 5) What do you mean that there are four cryptosystems in CSIDH and CSIKE and two cryptosystems in CRS?
Response 6: Vice versa: for there are two cryptosystems in CSIDH and CSIKE and four cryptosystems in CRS. Dealing with the modeling and modification problems of CSIDH, we constructed a prime 4-isogenous model of the CRS scheme with degrees {3,5,7,37} with our modifications [17]. Since the set of ordinary elliptic curves is approximately √p times wider than the set of supersingular curves, we should expect that their advantages would be discovered as well. Indeed, such advantages turned out to be the growth of the number of degrees of isogenies at a given or close modulus of the p field, and the presence of four parallel independent cryptosystems instead of two in CSIDH, which doubles the speed of the CRS scheme algorithm comparably to CSIDH. 

Comments 7: (Section 6) "In [13], we propose the original CSIKE" --> It is not common to refer to your previous works by  "we" because this reveals the names of the authors. I am not sure about the policies in this journal.
Response 7: Agree. Changes applied. 

Comments 8: (Section 9) "a lower estimate of the computational speed gain of the modified" --> This is introduced as one of your achievements in the abstract, while you are talking about it as "present and previous works [9-15] in this section. It is so confusing. The reader cannot see Which results are your contributions and which results have been obtained in previous works.
Response 8: Agree. The results obtained have been clarified.

Reviewer 4 Report

Comments and Suggestions for Authors

1. Summary:

- Clearly explain the goals and implementation methods of the proposed research and its contribution to the results.

- Full names of abbreviations must be provided.

- What does the following mean to the readers? "For the CRS scheme, there are four such cryptosystems. Integral lower bound estimates of the performance gain of the modified CSIDH algorithm are obtained at 1.5 ∙ 29, and for the CRS scheme are 3 ∙ 29."

 

2. Introduction:

- Surrounding research on PQC and quantum cryptography is very lacking. Additional related research and investigation and explanation of the latest trends should be added.

- Minimize the explanation of each section.

- The contribution and novelty of the proposed article must be presented before the section description.

 

3. Body:

- It must be clear whether the proposed study is a survey article or a research article, and it seems difficult for readers to follow and understand the scattered content.

- Authors should make it clearer what kind of help the article is intended to provide to readers.

- There are many typos and the use of notations that are not specified, so corrections are required.

 

4. Conclusion:

- The conclusion mentions already well-known facts. The conclusion should present the results of the authors' research and the meaning of the results, and include information on limitations and ways to overcome them.

Comments on the Quality of English Language

Moderate editing of English language required

Author Response

Comments 1: (1) Summary: Clearly explain the goals and implementation methods of the proposed research and its contribution to the results.
Response 1: A summary of the goals and objectives of the article is given in the introduction.

Comments 2: (1) Summary: Full names of abbreviations must be provided.
Response 2:  Agree. Changes applied.

Comments 3: (1) Summary: What does the following mean to the readers? "For the CRS scheme, there are four such cryptosystems. Integral lower bound estimates of the performance gain of the modified CSIDH algorithm are obtained at 1.5 ∙ 29, and for the CRS scheme are 3 ∙ 29."
Response 3: There were errors when formatting the article: instead of 1.5 ∙ 29 you should write 1.5 ∙ 2^⁹, and instead of 3 ∙ 29 you should write 3 ∙ 2^⁹. These are the values ​​of the integral gains in the computation speed of the modified CSIDH (CSIKE) algorithms for supersingular curves and for the CRS scheme, respectively (about 750 and 1500).

Comments 4: (2) Introduction: Surrounding research on PQC and quantum cryptography is very lacking. Additional related research and investigation and explanation of the latest trends should be added.
Response 4: Added description of current standards for PQC.

Comments 5: (2) Introduction: Minimize the explanation of each section.
Response 5: Agree. Changes applied.

Comments 6: (2) Introduction: The contribution and novelty of the proposed article must be presented before the section description.
Response 6: Agree. Changes applied.

Comments 7: (3) Body: It must be clear whether the proposed study is a survey article or a research article, and it seems difficult for readers to follow and understand the scattered content.
Response 7: In the introduction, we significantly limited two objectives: (1) provide an overview of our results in works [8-15] on improving the efficiency of the PQC algorithm CSIDH and possible analogs and (2) obtain for the first time an integral estimate of the gain in performance of the CSIDH algorithm and similar ones due to the proposed modifications. Unfortunately, other problems were not considered. But this is a good remark that will help us in future work.

Comments 8: (3) Body: Authors should make it clearer what kind of help the article is intended to provide to readers.
Response 8: Readers of scientific articles are specialists. They use useful results for their modeling tasks

Comments 9: (3) Body: There are many typos and the use of notations that are not specified, so corrections are required.
Response 9: Agree. Changes applied.

Comments 10: (4) Conclusion: The conclusion mentions already well-known facts. The conclusion should present the results of the author's research and the meaning of the results, and include information on limitations and ways to overcome them.
Response 10: Agree. Added limitations and possible use in cryptographic standards.

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

In the revised version of the manuscript, the author did not respond substantively to the reviewer's previous comments, but only corrected some typos found by the reviewer.

The authors seem confident in their research work. However, in my opinion, the authors still lack the citation, analysis, and comparison between those similar results from other key literatures, and their results may therefore be difficult to generate very much academic value in the field of isogeny-based cryptography.

Author Response

Comments 1: In the revised version of the manuscript, the author did not respond substantively to the reviewer's previous comments, but only corrected some typos found by the reviewer.
Response 1: We are grateful to you for finding shortcomings in our work.

Comments 2: The authors seem confident in their research work.
Response 2: We just tried to present the final results of our work.

Comments 3: However, in my opinion, the authors still lack the citation, analysis, and comparison between similar results from other key literature, and their results may therefore be difficult to generate very much academic value in the field of isogeny-based cryptography.
Response 3: The results obtained during the study have a new character for non-cyclic curves (two types), therefore they can be compared only with the full Edwards curves (first proposed in 2007). According to the comparison results, the gain was about 1,500 times in terms of work speed, which is shown in this work. In this submission, we have tried to summarize the main results of a series of experiments with non-cyclic curves. A more detailed criticism can be found in [Bessalov, 2022] (Bessalov, A. On correctness of conditions for the CSIDH algorithm implementation on Edwards curves. Radiotekhnika 2022, 208, 16–27. https://doi.org/10.30837/rt.2022.1.208.02), which points out shortcomings in the implementation in [Moriya et al., 2020] (Moriya, T., Onuki, H., Takagi, T. How to construct CSIDH on Edwards curves. In Cryptographers’ Track at the RSA Conference–CT-RSA 2020, pages 512–537. Springer, 2020. https://doi.org/10.1007/978-3-030-40186-3_22). This criticism is beyond the scope of this submission, so we only provide general references to sources on the topic in the Introduction.

Reviewer 3 Report

Comments and Suggestions for Authors

Thank you for addressing my comments.

Author Response

Comments 1: Thank you for addressing my comments.
Response 1: Thank you for your time and sensible comments.

Reviewer 4 Report

Comments and Suggestions for Authors

The proposed article appears to have been heavily revised based on reviewer comments. The paper can be published after minor formatting errors and English editing.

Comments on the Quality of English Language

Minor editing of English language required

Author Response

Comments 1: The proposed article appears to have been heavily revised based on reviewer comments. The paper can be published after minor formatting errors and English editing.
Response 1: We asked a native speaker to proofread the text and incorporated his comments.

Round 3

Reviewer 1 Report

Comments and Suggestions for Authors

After reading the author's revisions and their candid responses, I read the article again and I would like to say that the authors have indeed demonstrated a solid piece of research work about isogeny-based cryptography, although I still think that its academic value is not particularly large. The article is a little bit innovative, and it could provide some reference for related research works in this field. Thus, I think we may consider accepting this article now.