Karatsuba-based square-root Vélu’s formulas applied to two isogeny-based protocols

Abstract

At a combined computational cost of about \(6{\ell }\) field operations, Vélu’s formulas are used to construct and evaluate degree-\(\ell \) isogenies in the vast majority of isogeny-based cryptographic schemes. By adapting to Vélu’s formulas a baby-step giant-step approach, Bernstein, De Feo, Leroux, and Smith presented a procedure that can compute isogeny operations at a reduced cost of just \({\tilde{O}}(\sqrt{\ell })\) field operations. In this paper, we present a concrete computational analysis of these novel procedures along with several algorithmic tricks that helped us to further decrease its computational cost. We also report an optimized Python3-code implementation of several instantiations of two isogeny-based key-exchange protocols, namely, CSIDH and B-SIDH. Our software library uses a combination of the modified Vélu’s formulas and an adaptation of the optimal strategies commonly used in the SIDH/SIKE protocols to produce significant speedups. Compared to a traditional Vélu constant-time implementation of CSIDH, our experimental results report a saving of 5.357%, 13.68% and 25.938% base field operations for CSIDH-512, CSIDH-1024, and CSIDH-1792, respectively. Additionally, we present the first optimized implementation of B-SIDH ever reported in the open literature.

Appendix

1.1 Algorithms

1.2 Schönage-FFT vs Karatsuba

Karatsuba multiplication is a well-known and complete tool for multiplying polynomials of degree n over a commutative ring at the subquadratic cost of \(O(n^{\log _2 3})\). However, an asymtotically faster family of algorithms based on the fast Fourier transform (FFT) exists. In this section, we consider Schönage’s algorithm [33] blended with the FFT multiplication, as described in [4], and give an accurate estimate of the running time of this algorithm in order to make practical comparatives with Karatsuba multiplication.

Let A be a commutative ring where 2 in invertible. For \(n > 1\) a power of 2, c a square in A and \(\zeta \in A\) a square root of \(-1\), let f, g be two polynomials in \(A[x]/(x^n + c)\). To multiply f and g, one can split the problem into two smaller ones by reducing f, g to \(f_-, g_- \in A[x]/(x^{n/2} - \zeta c^{1/2})\) and to \(f_+, g_+ \in A[x]/(x^{n/2} + \zeta c^{1/2})\)g. Then, the products \(f_-g_-\), \(f_+g_+\) are computed, and subsequently embedded into \(A[x]/(x^n + c)\) wherein \((f_-g_- + f_+g_+)\) and \((f_-g_- - f_+g_+)\) are calculated to finally recover 2fg.

Note that when c is an nth root in A, which in addition contains an nth root of \(-1\), then the above procedure can be applied recursively to compute the product nfg at a cost of k multiplications in A and \(\frac{3}{2} n\log _2(n)\) easy multiplications in A by constants. This is essentially the FFT multiplication.

Suppose now that A does not contain an nth root of \(-1\), with \(n = 2^s > 8\), then Schönage’s method can be employed to multiply \(f = \sum _{0\le i< n} f_i\) and \(g = \sum _{0\le i< n} g_i\) in \(A[x]/(x^n + 1)\). First, define \(n_1 = 2^{s_1}\), with \(s_1 = \lfloor s/2\rfloor \), \(B = A[x]/(x^{n_1} + 1)\), and consider the ring \(B[y]/(y^{2n/n_1} + 1)\). The goal here is to reduce the computation of fg into one multiplication in \(B[y]/(y^{2n/n_1} + 1)\). Note that \(x^{n_1^2/2n}\) is a \((2n/n_1)\)th root of \(-1\) in B, and hence the FFT can be used to multiply polynomials in \(B[y]/(y^{2n/n_1} + 1)\). We start by sending f, g to \(F, G \in A[x,y]/(y^{2n/n_1} + 1)\), respectively, where

$$\begin{aligned} F&= \sum _{0 \le j< \frac{2n}{n_1}}\;\sum _{0 \le i< \frac{n_1}{2}} f_{i+\frac{n}{2}j} x^iy^j \text{ and } \\ G&= \sum _{0 \le j< \frac{2n}{n_1}}\;\sum _{0 \le i < \frac{n_1}{2}} g_{i+\frac{n}{2}j} x^iy^j, \end{aligned}$$

are such that \(\phi (F) = f\) and \(\phi (G) = g\), the map \(\phi : A[x,y]/(y^{2n/n_1} + 1) \rightarrow A[x]/(x^n + 1)\) being the A[x]-algebra morphism that sends y to \(x^{n_1}\). Thus, since F and G have \(x\text{-degree } < n_1/2\), their product is computed in \(B[y]/(y^{2n/n_1} + 1)\), and then passed through \(\phi \) to recover \((2n/n_1)fg\).

To estimate the cost of this computation, notice that transforming f, g to F, G and \((2n/n_1)FG\) to \((2n/n_1)fg\) requires no multiplications in A. Moreover, when computing \((2n/n_1)FG\) in \(B[y]/(y^{2n/n_1}+1)\) using the FFT, the multiplications by constants can be ignored since these will be just multiplications by powers of x in B. Therefore, the cost of multiplying polynomials in \(A[x]/(x^n + 1)\) boils down to the 2n/m multiplications in B arising from the FFT application. Now, since \(B = A[x]/(x^{n_1} + 1)\), the above strategy can be applied recursively until reaching multiplications in \(A[x]/(x^{8} + 1)\), where more conventional methods can be used. Hence, the total cost of multiplying two polynomials in \(A[x]/(x^{n} + 1)\) will be

$$\begin{aligned} C(n) = \frac{2n}{n_1} \times \frac{2n_1}{n_2} \times \cdots \times \frac{2n_{k-1}}{n_k} \times C_8 = 2^k \frac{n}{n_k} C_8, \end{aligned}$$

where \(n_i = 2^{s_i}\), with \(s_i = \lfloor s_{i-1}/2\rfloor \) for \(i \in \{2, \ldots , k\}\), k is such that \(n_k = 8\), and \(C_8\) is the cost of multiplying two polynomials in \(A[x]/(x^{8} + 1)\). An easy analysis then shows that \(k=\lceil \log _2 (s-1) \rceil - 1 = \lceil \log _2 (\log _2(n)-1) \rceil - 1\). Thus, we have

$$\begin{aligned} C(n) = \frac{C_8}{16} e_n n (\log _2(n)-1), \end{aligned}$$

where \(\log _2(e_n) = \lceil \log _2 (\log _2(n)-1) \rceil - \log _2 (\log _2(n)-1)\). Notice that \(1\le e_n < 2\).

Finally, to compute the product of degree-n polynomials \(f,g \in A[x]\) (\(n \ge 4\)), we define \(N = 2^{\lfloor \log _2(n) \rfloor + 2}\) and compute fg in \(A[x]/(x^{N} + 1)\) at a cost of

$$\begin{aligned} Cost(n) = \frac{C_8}{4} E_n n (\lfloor \log _2(n) \rfloor + 1), \end{aligned}$$

where \(\log _2(E_n) = \lfloor \log _2(n)\rfloor - \log _2(n) + \lceil \log _2(\lfloor \log _2(n)\rfloor + 1)\rceil - \log _2(\lfloor \log _2(n)\rfloor + 1)\). Notice that \(\frac{1}{2}< E_n < 2\).

In order to illustrate the performance of Schönage-FFT polynomial multiplication, Fig. 4 compares it with the cost of Karatsuba-style method. Anyhow, we did not focus on improving Schönage-FFT method and our experiments are centered on asymtoptic costs. Whichever the case, it looks that Karatsuba-style polynomial multiplication is the more suitable approach to be used in the new √élu formulas for both as CSIDH and B-SIDH implementations.

Fig. 4

Comparison between the Schönage-FFT and Karatsuba style polynomial multiplications. The x-axis corresponds with the degree of both polynomials to be multiplied, while y-axis shows the expected cost required in the polynomial multiplication method. In particular, the karatsuba and Schönage-FFT costs are taken as \(n^{\log _2(3)}\) and \(\frac{27}{8} n (\lfloor \log _2(n) \rfloor + 1)\), respectively. Schönage-FFT method assumes that \(E_n = 1/2\), and karatsuba multiplication is required in its base case, which implies \(C_8 = 27\)

1.3 Cost of computing resultants via remainder trees

In this section we focused on the computational cost associated to a resultant computation via remainder trees. Resultants are required by the √élu procedures xISOG and xEVAL.

Formally, each one of the two resultants required by 2 and 3, corresponds to the computation of \(\texttt {Res}_Z(f(Z), g(Z))\) such that \(f, g\in {\mathbb {F}}_q[Z]\), \(\deg f = b' \approx b\) and \( \deg g = 2b\). Our goal in this appendix is that of deriving the cost of the resultant computation in terms of b. For the sake of simplicity, let us assume \(\deg f = b\).

It is important to highlight that the modular polynomial reduction required at each node in the remainder tree, can be performed via reciprocal computations (for more details see [4, p. 27,  Sect. 17]). For example, the modular polynomial reduction \(g \bmod f\) requires two degree-b polynomial multiplications modulo \(x^b\), one constant multiplication by a degree-b polynomial, and the reciprocal computation modulo \(x^b\) (that is, \(1/f \bmod x^b\)). In turn, the cost of a reciprocal computation modulo \(x^b\) can be estimated by the expenses associated to two degree-(b/2) polynomial multiplications modulo \(x^{b/2}\), one constant multiplication by a degree-(b/2) polynomial, and another reciprocal, but this time modulo \(x^{(b/2)}\). The above implies that a reciprocal modulo \(x^b\) should be computed recursively. Its associated running time complexity equation is given as,

$$\begin{aligned} T(b) = T\left( \frac{b}{2}\right) + 2t\left( \frac{b}{2}\right) + \frac{b}{2}, \end{aligned}$$

where t(b) denotes the polynomial multiplication cost of two degree-b polynomials modulo \(x^b\). Now, assuming that a Karatsuba polynomial multiplication is used, it follows that

$$\begin{aligned} T(b)&\approx T\left( \frac{b}{2}\right) + 2{\left( \frac{b}{2}\right) }^{\log _2(3)} + \frac{b}{2} \\&= T\left( \frac{b}{2}\right) + \frac{2}{3}b^{\log _2(3)} + \frac{b}{2} \\&= \sum _{i=0}^{\log _2(b)} \left( \frac{2}{3}{\left( \frac{b}{2^i}\right) }^{\log _2(3)} + \frac{b}{2^{i+1}} \right) \\&= \left( \frac{2}{3}b^{\log _2(3)}\right) \sum _{i=0}^{\log _2(b)} \frac{1}{3^i} + \left( \frac{b}{2}\right) \sum _{i=0}^{\log _2(b)} \frac{1}{2^i} \\&= \left( 1 - \frac{1}{3^{\log _2(b) + 1}}\right) b^{\log _2(3)} + \left( 1 - \frac{1}{2^{\log _2(b) + 1}}\right) b\\&= \left( 1 - \frac{1}{3b^{\log _2(3)}}\right) b^{\log _2(3)} + \left( 1 - \frac{1}{2b}\right) b\\&= b^{\log _2(3)} + b - \frac{5}{6}\;. \end{aligned}$$

Hence, the polynomial reduction \(g \bmod f\) is expected to have a running time of \(\left( b^{\log _2(3)} + b - \frac{5}{6}\right) \) field multiplications.

Now, the remainder tree of f and g is constructed going from its root all the way to its leaves. To do this, at the i-th level of the remainder tree \(2^i\) modular reductions of the form \(g \bmod f\) such that \(\deg f \approx \frac{b}{2^i}\) and \(\deg g \approx 2 \deg f,\) must be performed. Their combined cost is given as,

$$\begin{aligned} R(b,i)&= 2^{i} \left( {\left( \frac{b}{2^i}\right) }^{\log _2(3)} + \frac{b}{2^i} - \frac{5}{6}\right) \\&= b^{\log _2(3)} {\left( \frac{2}{3}\right) }^i + b - \left( \frac{5}{6}\right) 2^i\;. \end{aligned}$$

Furthermore, the cost of the remainder tree construction can be done with about \(R(b) = \sum _{i=0}^{\log _2(b)} R(b,i)\) field multiplications. In particular,

$$\begin{aligned} R(b)&= b^{\log _2(3)} \sum _{i=0}^{\log _2(b)}{\left( \frac{2}{3}\right) }^i + b(\log _2(b)+1) - \frac{5}{6}\sum _{i=0}^{\log _2(b)}2^i\\&= 3b^{\log _2(3)}\left( 1 - {\left( \frac{2}{3}\right) }^{\log _2(b)+1}\right) + b(\log _2(b)+1)\\&\quad - \frac{5}{6}\left( 2^{\log _2(b)+1} - 1\right) \\&= 3b^{\log _2(3)}\left( 1 - \frac{2b}{3b^{\log _2(3)}}\right) + b(\log _2(b)+1)\\&\quad - \frac{5}{6}\left( 2b - 1\right) \\&= 3b^{\log _2(3)} - 2b + b\log _2(b) + b - \frac{5}{3}b + \frac{5}{6}\\&= 3b^{\log _2(3)} + b\log _2(b) - \frac{8}{3}b + \frac{5}{6}\;. \end{aligned}$$

Finally, once the remainder tree has been constructed, the next step is to multiply all its leaves, which has an extra cost of b field multiplications, and produces that the Resultant \(\texttt {Res}_Z(f(Z), g(Z))\) computation requires a total of

$$\begin{aligned} \left( 3b^{\log _2(3)} + b\log _2(b) - \frac{5}{3}b + \frac{5}{6} \right) \text{ field } \text{ multiplications }. \end{aligned}$$

Now, the polynomial \(h_I(X)\), which splits into b linear polynomials, is computed via product trees at a cost of

$$\begin{aligned} T(b)&\approx 2T\left( \frac{b}{2}\right) + {\left( \frac{b}{2}\right) }^{\log _2(3)}\\&= \sum _{i=0}^{\log _2(b)}2^i{\left( \frac{b}{2^{i+1}}\right) }^{\log _2(3)} = \frac{b^{\log _2(3)}}{3}\sum _{i=0}^{\log _2(b)}{\left( \frac{2}{3}\right) }^i\\&= \left( 1 - {\left( \frac{2}{3}\right) }^{\log _2(b) + 1}\right) b^{\log _2(3)}\\&= \left( 1 - \frac{2b}{3b^{\log _2(3)}}\right) b^{\log _2(3)} = \left( b^{\log _2(3)} - \frac{2}{3}b\right) \end{aligned}$$

multiplications, while \(E_{i,J}\) (the product of b quadratic polynomials), requires about

$$\begin{aligned} T(b)&\approx 2T\left( \frac{b}{2}\right) + b^{\log _2(3)} = \sum _{i=0}^{\log _2(b)}2^i{\left( \frac{b}{2^{i}}\right) }^{\log _2(3)}\\&= b^{\log _2(3)}\sum _{i=0}^{\log _2(b)}{\left( \frac{2}{3}\right) }^i = \left( 3b^{\log _2(3)} - 2b\right) \;. \end{aligned}$$

1.4 B-SIDH primes

For all primes here we have that \(M| (p + 1)\) and \(N| (p - 1)\).

Example 2. of [13, Sect. 5.2] (B-SIDHp253):

$$\begin{aligned} p&= \texttt {0x1935BECE108DC6C0AAD0712181BB1A414}\\&\quad \quad \texttt {E6A8AAA6B510FC29826190FE7EDA80F}, \\ M&= {4}^{2} \cdot {3} \cdot {7}^{16} \cdot {17}^{9} \cdot {31}^{8} \cdot {311} \cdot {571} \cdot {1321} \cdot {5119} \cdot {6011} \cdot \\&\quad \quad {14207} \cdot {28477} \cdot {76667},\\ N&= {11}^{18} \cdot {19} \cdot {23}^{13} \cdot {47} \cdot {79} \cdot {83} \cdot {89} \cdot {151} \cdot {3347} \cdot {17449} \cdot \\&\quad \quad {33461} \cdot {51193}. \end{aligned}$$

Example 3. of [13, Sect. 5.2] (B-SIDHp255):

$$\begin{aligned} p&= \texttt {0x76042798BBFB78AEBD02490BD2635DEC}\\&\quad \quad \texttt {131ABFFFFFFFFFFFFFFFFFFFFFFFFFFF} \\ M&= {4}^{55} \cdot {5} \cdot {7}^{2} \cdot {67} \cdot {223} \cdot {4229} \cdot {9787} \cdot {13399} \cdot {21521} \cdot \\&\quad \quad {32257} \cdot {47353},\\ N&= {3}^{34} \cdot {11} \cdot {17} \cdot {19}^{2} \cdot {29} \cdot {37} \cdot {53}^{2} \cdot {97} \cdot {107} \cdot {109} \cdot {131} \cdot \\&\quad \quad {137} \cdot {197} \cdot {199} \cdot {227} \cdot {251} \cdot {5519} \cdot {9091} \cdot {33997} \cdot \\&\quad \quad {38201}. \end{aligned}$$

Example 5. of [13, Sect. 5.3] (B-SIDHp247):

$$\begin{aligned} p&= \texttt {0x46B27D6FAE96ED4A639E045B7D2C3CA33}\\&\quad \quad \texttt {F476892ADAFF87B9B6EAE5EE1FFFF} \\ M&= {\big ({4}^{2} \cdot {5}^{2} \cdot {7} \cdot {23} \cdot {79} \cdot {107} \cdot {307} \cdot {2129}\big )}^{4} \cdot {7901}^{2}, \\ N&= {3} \cdot {11} \cdot {17} \cdot {241} \cdot {349} \cdot {421} \cdot {613} \cdot {983} \cdot {1327} \cdot {1667} \cdot \\&\quad \quad {2969} \cdot {3769} \,\cdot {4481} \cdot {4649} \cdot {4801} \cdot {4877} \cdot {5527} \cdot \\&\quad \quad {6673} \cdot {7103} \cdot {7537} \cdot {7621}. \end{aligned}$$

Example 6. of [13, Sect. 5.3] (B-SIDHp237):

$$\begin{aligned} p&= \texttt {0x1B40F93CE52A207249237A4FF37425A798}\\&\quad \quad \texttt {E914A74949FA343E8EA487FFFF} \\ M&= {4}^{3} \cdot {\big ({4} \cdot {3}^{4} \cdot {17} \cdot {19} \cdot {31} \cdot {37} \cdot {53}^{2}\big )}^{6}, \\ N&= {7} \cdot {13} \cdot {43} \cdot {73} \cdot {103} \cdot {269} \cdot {439} \cdot {881} \cdot {883} \cdot {1321} \cdot \\&\quad \quad {5479} \cdot {9181} \,\cdot {12541} \cdot {15803} \cdot {20161} \cdot {24043} \cdot {34843} \cdot \\&\quad \quad {48437} \cdot {62753} \cdot {72577}. \end{aligned}$$

Lucky proposal of [5, appendix A] (B-SIDHp257):

$$\begin{aligned} p&= \texttt {0x1E409D8D53CF3BEB65B5F41FB53B25E}\\&\quad \quad \texttt {BEAF37761CD8BA996684150A40FFFFFFFF}\\ M&= {4}^{16} \cdot {5}^{21} \cdot {7} \cdot {11} \cdot {163} \cdot {1181} \cdot {2389} \cdot {5233} \cdot {8353} \cdot \\&\quad \quad {10139} \cdot {11939} \,\cdot {22003} \cdot {25391} \cdot {41843}, \\ \text { and} \\ N&= {3}^{56} \cdot {31} \cdot {43} \cdot {59} \cdot {271} \cdot {311} \cdot {353} \cdot {461} \cdot {593} \cdot {607} \cdot \\&\quad \quad {647} \cdot {691} \cdot {743} \,\cdot {769} \cdot {877} \cdot {1549}. \end{aligned}$$