A Simple and Compact Algorithm for SIDH with Arbitrary Degree Isogenies

  • Craig CostelloEmail author
  • Huseyin Hisil
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10625)


We derive a new formula for computing arbitrary odd-degree isogenies between elliptic curves in Montgomery form. The formula lends itself to a simple and compact algorithm that can efficiently compute any low odd-degree isogenies inside the supersingular isogeny Diffie-Hellman (SIDH) key exchange protocol. Our implementation of this algorithm shows that, beyond the commonly used 3-isogenies, there is a moderate degradation in relative performance of \((2d+1)\)-isogenies as d grows, but that larger values of d can now be used in practical SIDH implementations.

We further show that the proposed algorithm can be used to both compute isogenies of curves and evaluate isogenies at points, unifying the two main types of functions needed for isogeny-based public-key cryptography. Together, these results open the door for practical SIDH on a much wider class of curves, and allow for simplified SIDH implementations that only need to call one general-purpose function inside the fundamental computation of the large degree secret isogenies.

As an additional contribution, we also give new explicit formulas for 3- and 4-isogenies, and show that these give immediate speedups when substituted into pre-existing SIDH libraries.


Post-quantum cryptography Isogeny-based cryptography SIDH Montgomery curves 



We are especially grateful to Steven Galbraith for his help in correcting the proof of Theorem 1. We thank Dustin Moody for his detailed comments on an earlier version of this paper, as well as Joppe Bos, Patrick Longa, Michael Naehrig and the anonymous reviewers for their useful comments.

Supplementary material


  1. 1.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - A new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343. USENIX Association (2016)Google Scholar
  2. 2.
    Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogeny-based cryptosystems. In: Emura, K., Hanaoka, G., Zhang, R. (eds.) Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, AsiaPKC@AsiaCCS, Xi’an, China, 30 May–03 June 2016, pp. 1–10. ACM (2016)Google Scholar
  3. 3.
    Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  4. 4.
    Bernstein, D.J., Buchmann, J., Dahmen, E.: Post-Quantum Cryptography. Springer Science & Business Media, Heidelberg (2009). CrossRefzbMATHGoogle Scholar
  5. 5.
    Bernstein, D.J., Chou, T., Schwabe, P.: McBits: Fast constant-time code-based cryptography. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 250–272. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  6. 6.
    Bos, J.W., Costello, C., Ducas, L., Mironov, I., Naehrig, M., Nikolaenko, V., Raghunathan, A., Stebila, D.: Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 1006–1018. ACM (2016)Google Scholar
  7. 7.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 553–570. IEEE Computer Society (2015)Google Scholar
  8. 8.
    Bos, J.W., Friedberger, S.: Fast arithmetic modulo 2\({}^{\text{x}}\) p\({}^{\text{ y }}\) \(\pm \) 1. In: Burgess, N., Bruguera, J.D., de Dinechin, F. (eds.) 24th IEEE Symposium on Computer Arithmetic, ARITH 2017, London, United Kingdom, 24–26 July 2017, pp. 148–155. IEEE Computer Society (2017)Google Scholar
  9. 9.
    Castryck, W., Galbraith, S., Farashahi, R.R.: Efficient arithmetic on elliptic curves using a mixed Edwards-Montgomery representation. Cryptology ePrint Archive, Report 2008/218 (2008).
  10. 10.
    Chou, T.: QcBits: Constant-time small-key code-based cryptography. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 280–300. Springer, Heidelberg (2016). Google Scholar
  11. 11.
    Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 679–706. Springer, Cham (2017). CrossRefGoogle Scholar
  12. 12.
    Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny diffie-hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  13. 13.
    Couveignes, J.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006).
  14. 14.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)MathSciNetzbMATHGoogle Scholar
  16. 16.
    Fluhrer, S.: Cryptanalysis of ring-LWE based key exchange with key share reuse. Cryptology ePrint Archive, Report 2016/085 (2016).
  17. 17.
    Fujisaki, E., Okamoto, T.: How to enhance the security of public-key encryption at minimum cost. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 53–68. Springer, Heidelberg (1999). CrossRefGoogle Scholar
  18. 18.
    Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, New York (2012)CrossRefzbMATHGoogle Scholar
  19. 19.
    Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  20. 20.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). CrossRefGoogle Scholar
  21. 21.
    Jao, D., Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  22. 22.
    Kirkwood, D., Lackey, B.C., McVey, J., Motley, M., Solinas, J.A., Tuller, D.: Failure is not an option: Standardization issues for post-quantum key agreement. Talk at NIST workshop on Cybersecurity in a Post-Quantum World, April 2015.
  23. 23.
    Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems -conversions for McEliece PKC -. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 19–35. Springer, Heidelberg (2001). CrossRefGoogle Scholar
  24. 24.
    Kocher, P.C.: Timing attacks on implementations of diffie-hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). Google Scholar
  25. 25.
    Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. PhD thesis, University of California, Berkeley (1996)Google Scholar
  26. 26.
    Koziel, B., Azarderakhsh, R., Kermani, M.M., Jao, D.: Post-quantum cryptography on FPGA based on isogenies on elliptic curves. IEEE Trans. Circuits Syst. 64(1), 86–99 (2017)CrossRefzbMATHGoogle Scholar
  27. 27.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43:1–43:35 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Coding Thv 4244, 114–116 (1978)Google Scholar
  29. 29.
    Misoczki, R., Tillich, J., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: New McEliece variants from moderate density parity-check codes. In: Proceedings of the 2013 IEEE International Symposium on Information Theory, Istanbul, Turkey, 7–12 July 2013, pp. 2069–2073. IEEE (2013)Google Scholar
  30. 30.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Moody, D., Shumow, D.: Analogues of Vélu’s formulas for isogenies on alternate models of elliptic curves. Math. Comput. 85(300), 1929–1951 (2016)CrossRefzbMATHGoogle Scholar
  32. 32.
    Mosca, M.: Cybersecurity in an ERA with quantum computers: will we be ready? Cryptology ePrint Archive, Report 2015/1075 (2015).
  33. 33.
    Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). Google Scholar
  34. 34.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (ed.) Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93. ACM (2005)Google Scholar
  35. 35.
    Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006).
  36. 36.
    Shor, P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: 1994 Proceedings and 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)Google Scholar
  37. 37.
    Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, 2nd edn. Springer, New York (2009). CrossRefzbMATHGoogle Scholar
  38. 38.
    Stebila, D., Mosca, M.: Post-quantum key exchange for the Internet and the open quantum safe project. Cryptology ePrint Archive, Report 2016/1017 (2016).
  39. 39.
    Stolbunov, A.: Cryptographic Schemes Based on Isogenies. PhD thesis, Norwegian University of Science and Technology (2012)Google Scholar
  40. 40.
    The National Institute of Standards and Technology (NIST). Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, December 2016Google Scholar
  41. 41.
    Vélu, J.: Isogénies entre courbes elliptiques. CR Acad. Sci. Paris Sér. AB 273, A238–A241 (1971)zbMATHGoogle Scholar
  42. 42.
    Washington, L.C.: Elliptic Curves: Number Theory and Cryptography. CRC Press, Boca Raton (2008)CrossRefzbMATHGoogle Scholar
  43. 43.
    Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A post-quantum digital signature scheme based on supersingular isogenies (2017). To appear in Financial Cryptography and Data Security

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. 1.Microsoft ResearchRedmondUSA
  2. 2.Yasar UniversityIzmirTurkey

Personalised recommendations