Abstract
Pairings are useful tools in isogeny-based cryptography and have been used in SIDH/SIKE and other protocols. As a general technique, pairings can be used to move problems about points on curves to elements in finite fields. However, until now, their applicability was limited to curves over fields with primes of a specific shape and pairings seemed too costly for the type of primes that are nowadays often used in isogeny-based cryptography. We remove this roadblock by optimizing pairings for highly-composite degrees such as those encountered in CSIDH and SQISign. This makes the general technique viable again: We apply our low-cost pairing to problems of general interest, such as supersingularity verification and finding full-torsion points, and show that we can outperform current methods, in some cases up to four times faster than the state-of-the-art. Furthermore, we analyze how pairings can be used to improve deterministic and dummy-free CSIDH. Finally, we provide a constant-time implementation (in Rust) that shows the practicality of these algorithms.
This work was done in large part while the author was on an internship at the Cryptographic Research Centre of the Technology Innovation Institute, Abu Dhabi, UAE. In particular, the author thanks Francisco Rodríguez-Henríquez and Michael Scott for their warm support and excellent advice on the performance of these pairings. A full version of this paper is available at https://eprint.iacr.org/2023/858.
Notes
- 1. pronounced “ell-kie”.
- 2.
- 3. We treat finding full-torsion points in Sect. 4.3.
- 4. To compute using Lucas exponentiation we use a constant-time laddering approach. Interesting future work would be to use (differential) addition chains to reduce costs.
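The Lucas exponentiation of note 4 is the standard trick (Scott and Barreto's "compressed pairings") for the hard part of a final exponentiation at embedding degree 2: once a pairing value f is raised to p-1 it has norm 1 in F_{p^2}, so its inverse is its conjugate and f^k + f^{-k} is the Lucas value V_k(t) of the F_p trace t = f + f^p. The remaining power (p+1)/n can then be computed on traces in F_p alone. The block below is an added illustration, not code from the paper or its Rust implementation: it assumes p ≡ 3 (mod 4) so that F_{p^2} = F_p[i]/(i^2+1), uses the toy CSIDH-shaped prime p = 419 = 4·3·5·7 - 1 and a constructed element g = 2 + i, and all function names are hypothetical.

```python
# Added example, not from the paper. Lucas-sequence exponentiation with a
# Montgomery-style ladder on (V_n, V_{n+1}), checked against plain F_{p^2}
# arithmetic. Assumptions (constructed): p = 3 mod 4, F_{p^2} = F_p[i]/(i^2+1),
# p = 419 is a toy CSIDH-shaped prime (4*3*5*7 - 1), far too small for real use.

def lucas_ladder(t: int, k: int, p: int) -> int:
    """Return V_k(t) mod p for V_0 = 2, V_1 = t, V_{n+1} = t*V_n - V_{n-1}.

    Every bit of k costs the same squaring and multiplication; the only
    k-dependent step is an arithmetic-mask conditional swap. Python integers
    are not constant-time, the pattern is what a fixed-width Rust/C version uses.
    """
    t %= p
    v0, v1 = 2 % p, t                      # invariant: (v0, v1) = (V_n, V_{n+1})
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        mask = -bit                        # 0 if bit == 0, all ones if bit == 1
        d = (v0 ^ v1) & mask               # swap so v0 holds V_{n+bit}
        v0, v1 = v0 ^ d, v1 ^ d
        # (V_m, V_{m+1}) -> (V_{2m}, V_{2m+1}): V_{2m} = V_m^2 - 2,
        # V_{2m+1} = V_m * V_{m+1} - V_1
        v0, v1 = (v0 * v0 - 2) % p, (v0 * v1 - t) % p
        d = (v0 ^ v1) & mask               # undo the swap
        v0, v1 = v0 ^ d, v1 ^ d
    return v0


def fp2_mul(a, b, p):
    """Multiply x1 + y1*i and x2 + y2*i in F_p[i]/(i^2 + 1)."""
    (x1, y1), (x2, y2) = a, b
    return ((x1 * x2 - y1 * y2) % p, (x1 * y2 + x2 * y1) % p)


def fp2_pow(a, e, p):
    """Reference square-and-multiply in F_{p^2} (not constant-time)."""
    r = (1, 0)
    for i in reversed(range(e.bit_length())):
        r = fp2_mul(r, r, p)
        if (e >> i) & 1:
            r = fp2_mul(r, a, p)
    return r


def fp2_norm(a, p):
    """a * a^p = x^2 + y^2, since Frobenius sends i to -i."""
    x, y = a
    return (x * x + y * y) % p


def fp2_trace(a, p):
    """a + a^p = 2x, an element of F_p."""
    return (2 * a[0]) % p


def to_norm_one(g, p):
    """g^(p-1) lies in mu_{p+1} (norm 1): the 'easy' part of a final
    exponentiation at embedding degree 2."""
    return fp2_pow(g, p - 1, p)


def lucas_matches_fp2(alpha, k, p):
    """True iff V_k(trace(alpha)) == trace(alpha^k) == alpha^k + alpha^{-k}.
    Requires alpha of norm 1 so that alpha^{-1} = alpha^p."""
    if fp2_norm(alpha, p) != 1:
        raise ValueError("alpha must have norm 1")
    return lucas_ladder(fp2_trace(alpha, p), k, p) == fp2_trace(fp2_pow(alpha, k, p), p)


def compressed_final_exp(f, n, p):
    """Trace of f^((p^2-1)/n) computed as V_{(p+1)/n}(trace(f^(p-1))):
    only one F_{p^2} exponentiation, then F_p arithmetic. Assumes n | p + 1."""
    if (p + 1) % n:
        raise ValueError("n must divide p + 1")
    return lucas_ladder(fp2_trace(to_norm_one(f, p), p), (p + 1) // n, p)


if __name__ == "__main__":
    p = 419
    alpha = to_norm_one((2, 1), p)         # constructed g = 2 + i, then g^(p-1)
    for k in (0, 1, 7, 60, p + 1):
        assert lucas_matches_fp2(alpha, k, p)
    print("trace of f^((p^2-1)/3):", compressed_final_exp((2, 1), 3, p))
```

Two caveats a practitioner should keep in mind. First, a trace only identifies an element of mu_{p+1} up to inversion (alpha and alpha^p share the polynomial X^2 - tX + 1), so comparing compressed pairing values is comparison up to inversion; for the membership and torsion checks the abstract mentions that is enough, for anything that needs the actual group element it is not. Second, the conditional-swap pattern is only constant-time on fixed-width limbs as in the paper's Rust code; Python big integers branch on operand size internally.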
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Reijnders, K. (2023). Effective Pairings in Isogeny-Based Cryptography. In: Aly, A., Tibouchi, M. (eds) Progress in Cryptology – LATINCRYPT 2023. LATINCRYPT 2023. Lecture Notes in Computer Science, vol 14168. Springer, Cham. https://doi.org/10.1007/978-3-031-44469-2_6
DOI: https://doi.org/10.1007/978-3-031-44469-2_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-44468-5
Online ISBN: 978-3-031-44469-2