Computing Isogenies Between Montgomery Curves Using the Action of (0, 0)

  • Joost Renes
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)


A recent paper by Costello and Hisil at Asiacrypt’17 presents efficient formulas for computing isogenies with odd-degree cyclic kernels on Montgomery curves. We provide a constructive proof of a generalization of this theorem which shows the connection between the shape of the isogeny and the simple action of the point \((0,0)\). This generalization removes the restriction of a cyclic kernel and allows for any separable isogeny whose kernel does not contain \((0,0)\). As a particular case, we provide efficient formulas for 2-isogenies between Montgomery curves and show that these formulas can be used in isogeny-based cryptosystems without expensive square root computations and without knowledge of a special point of order 8. We also consider elliptic curves in triangular form containing an explicit point of order 3.


Keywords: Vélu’s formulas, Montgomery form, 2-isogenies, SIDH, Post-quantum cryptography



I would like to thank Craig Costello for valuable suggestions and feedback during the creation of this document, and Chloe Martindale for comments on a first version of the paper, in particular to improve the proof of Theorem 1. I thank the anonymous reviewers of PQCrypto 2018 for their constructive comments.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Digital Security Group, Radboud University, Nijmegen, The Netherlands
