Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography

Abstract

Isogeny based post-quantum cryptography is one of the most recent addition to the family of quantum resistant cryptosystems. In this paper we propose an efficient modular multiplication algorithm for primes of the form \(p=2\cdot {2^a}3^b-1\) with b even, typically used in such cryptosystem. Our modular multiplication algorithm exploits the special structure present in such primes. We compare the efficiency of our technique with Barrett reduction and Montgomery multiplication. Our C implementation shows that our algorithm is approximately 3 times faster than the normal Barrett reduction.

Acknowlegments

A. Karmakar and S. Sinha Roy were supported by Erasmus Mundus PhD Scholarship. This work was supported in part by the Research Council KU Leuven: C16/15/058. In addition, this work was supported in part by iMinds, the Flemish Government, FWO G.0550.12N, G.00130.13N and FWO G.0876.14N, by the Hercules Foundation AKUL/11/19, and by the European Commission through the Horizon 2020 research and innovation programme under contract No. H2020-ICT-2014-644371 WITDOM, and H2020-ICT-2014-644209 HEAT, and H2020-ICT-2014-645622 PQCRYPTO.

We would also like to thank Carl Bootland for his help in proof checking the manuscript.

Appendices

A An Example

In this section we provide a small example of the method described in the paper.

Let \(a=22\),and \(b=16\) so that the prime is \(p=2\cdot 2^a\cdot 3^b-1=361102068154367\), \(n=2^a\cdot 3^b=180551034077184\), \(\sqrt{n}=13436928\)

\(A=128965951662196\ =0*n\ +\ 9597874*\sqrt{n}\ +\ 971124\), and

\(B=230338429880123\ =1*n\ +\ 3705266*\sqrt{n}\ +\ 334009\)

After executing the first stage of the multiplication algorithm, we reached \(A\times B = C=C_1n+C_2\sqrt{n}+C_3\) with \(C_1=0,\ C_2= 68262390904455,\ C_3=50417786320088 \). We have to reduce \(C_2\) and \(C_3\) further by dividing them using \(\sqrt{n}\). Using our Barrett division algorithm we found \(C_3=3752181*\sqrt{n}+ 380120\), we set the remainder 380120 to \(C_3\) and add the quotient with \(C_2\). We again divide \(C_2\) with \(\sqrt{n}\)

\(C_2=68262390904455+3752181= 68262394656636\)

\(C_2=5080208*\sqrt{n}+ 5535612\), we set the remainder to \(C_2\) and add the quotient with \(C_1\) to get \(C_1=5080208\).

As \(C_1\pmod {2}=0\), we add \(C_1/2=2540104\) to \(C_3\) to get \(C_3=380120+2540104=2920224\).

Here \(C_3\) is smaller than \(\sqrt{n}\) and there is no overflow. So we stop our algorithm here. Finally, we get the result as \(C=0*n+5535612*\sqrt{n}+2920224=74381622800160\), which is indeed \(A\times B\pmod {p}\).

B Application in Isogeny Based Post-quantum Key Exchange Protocol

The isogeny based post-quantum protocol, described in Sect. 3 works by computing and applying isogenies over supersingular elliptic curve groups. These operations are fundamentally field arithmetic operations over the field \(\mathbb {F}_{p^2}\), where the curve is defined.

Here we want to mention that modular addition and subtraction is also easy in our representation. Let’s say we want to add two numbers \(A, B\in \mathbb {F}_p\) to get the sum \(C=(a_1+b_1)\cdot {n}+(a_2+b_2)\cdot \sqrt{n}+(a_3+b_3)=C_1\cdot {n}+ C_2\cdot {\sqrt{n}+c_3}\) for convenience we have assumed \(n=2^a3^b\). Here again, similar to multiplication algorithm, \(C_1, C_2\) and \(C_3\) may not be consistent with our representation as given in Eq. (1). To make C consistent with our representation we follow steps 23 to 36 of Algorithm 4. But here we do not have to use the division Algorithm 3, only a subtraction by \(2^{a/2}3^{b/2}\) will suffice. For subtraction we first negate a number \(B\in \mathbb {F}_p\) as \(-B=p-b=(1-b_1)\cdot {n}+(\sqrt{n}-1-b_1)\cdot {\sqrt{n}+(\sqrt{n}-1-b_3)}\) followed by an addition.

To apply our method to the isogeny based key exchange algorithm as mentioned in Sect. 3.1, we changed the representation of the public parameters in the beginning of the algorithm and executed the algorithm. In the last step we changed the representation back to the original form and matched both Alice and Bob’s j-invariant.

To further test the correctness of the algorithm we ran an instance of the unmodified algorithm with same parameter set and numbers m and n. We verified that both executions produce identical results.

C List of Primes

In this section we list values for a and b for security level of around 256 bit and 512 bit. We found these values by a simple brute-force search using a C implementation. As mentioned before the prime is \(p=2\cdot {2^a3^b}+k\), with the value of \(\log _2(3^b)\) close to a. The primality has been tested using GMP [21] and PARI/GP [22]. Also we should mention that this list is not exhaustive (Tables 2 and 3).

Table 2. Table for primes with around 256 bit PQ security

Table 3. Table for primes with around 512 bit PQ security