Key Compression for Isogeny-Based Cryptosystems

Abstract: We present a method for key compression in quantum-resistant isogeny-based cryptosystems, which reduces storage and transmission costs of per-party public information by a factor of two, with no effect on the security level of the scheme. We achieve this reduction by compressing both the representation of an elliptic curve, and torsion points on said curve. Compression of the elliptic curve is achieved by associating each j-invariant to a canonical choice of elliptic curve, and the torsion points will be repre… Show more

“…Azarderakhsh et al [2] introduced two techniques for compressing parameters in isogenybased cryptosystems. However their implementation was quite slow compared to the runtime of the isogeny computations.…”

“…The first technique of [2] is simple: we can represent an elliptic curve E : y 2 = x 3 +ax+b by its j-invariant j(E) ∈ F p 2 instead of the two parameters a, b ∈ F p 2 , cutting storage requirements by a half.…”

“…The idea of [2] is as follows: just as we can represent a random full-order torsion point by their coefficients with respect to the public basis, we can represent each public torsion basis point in terms of their coefficients with respect to some other fixed basis. The new basis need not be published as a public parameter, as long as all parties are able to generate the same basis independently by a deterministic algorithm.…”

“…Techniques for compressing public keys of isogeny-based cryptosystems (which were already quite small) were proposed in [2] and optimized in [9].…”

A Post-quantum Digital Signature Scheme Based on Supersingular Isogenies

“…Azarderakhsh et al [2] introduced two techniques for compressing parameters in isogenybased cryptosystems. However their implementation was quite slow compared to the runtime of the isogeny computations.…”

“…The first technique of [2] is simple: we can represent an elliptic curve E : y 2 = x 3 +ax+b by its j-invariant j(E) ∈ F p 2 instead of the two parameters a, b ∈ F p 2 , cutting storage requirements by a half.…”

“…The idea of [2] is as follows: just as we can represent a random full-order torsion point by their coefficients with respect to the public basis, we can represent each public torsion basis point in terms of their coefficients with respect to some other fixed basis. The new basis need not be published as a public parameter, as long as all parties are able to generate the same basis independently by a deterministic algorithm.…”

“…Techniques for compressing public keys of isogeny-based cryptosystems (which were already quite small) were proposed in [2] and optimized in [9].…”

A Post-quantum Digital Signature Scheme Based on Supersingular Isogenies

“…In 2011, Jao and De Feo presented a new cryptosystem based on the difficulty of constructing isogenies between supersingular elliptic curves, which is still infeasible against the known quantum attacks [5]. In 2016, Azarderakhsh et al proposed a key compression method for supersingular isogeny key exchange, which was later improved by Costello et al [6,7]. Azarderakhsh et al also implemented key exchange protocol on ARM-NEON and FPGA devices [8,9].…”

Efficient Isogeny Computations on Twisted Edwards Curves

Computing Supersingular Isogenies on Kummer Surfaces