Efficient Isogeny Computations on Twisted Edwards Curves

The isogeny-based cryptosystem is the most recent category in the field of postquantum cryptography. However, it is widely studied due to short key sizes and compatibility with the current elliptic curve primitives. The main building blocks when implementing the isogeny-based cryptosystem are isogeny computations and point operations. From isogeny construction perspective, since the cryptosystem moves along the isogeny graph, isogeny formula cannot be optimized for specific coefficients of elliptic curves. Therefore, Montgomery curves are used in the literature, due to the efficient point operation on an arbitrary elliptic curve. In this paper, we propose formulas for computing 3 and 4 isogenies on twisted Edwards curves. Additionally, we further optimize our isogeny formulas on Edwards curves and compare the computational cost of Montgomery curves. We also present the implementation results of our isogeny computations and demonstrate that isogenies on Edwards curves are as efficient as those on Montgomery curves.


Introduction
The security of public key cryptosystems is mostly based on a number of theoretic problems such as the hardness of factoring large numbers or solving discrete logarithms over the finite field.However, due to Shor's algorithm, these problems can be solved in polynomial time by the quantum adversary, consequently threatening the security of current public key cryptosystems [1].Therefore, demands for quantum-secure cryptographic primitives are inevitable.
Postquantum cryptography (PQC) is alternative cryptographic primitives that are safe against the quantum adversary.Numerous studies have been made on PQC in order to substitute or interoperate with existing systems.The main categories of PQC are multivariate-based cryptography, codebased cryptography, lattice-based cryptography, hash-based digital signature, and isogeny-based cryptography.Although isogeny-based cryptography is the most recent field in PQC, it is considered as one of the prominent candidates due to its short key sizes and the reason that it can be implemented over currently used elliptic curve primitives.
The security of isogeny-based cryptography is based on the hardness of finding isogeny between given two elliptic curves.The first isogeny-based cryptosystems using ordinary elliptic curves were proposed by Couveignes and later by Stolbunov [2,3].The proposed scheme was extremely inefficient and even suffered from the quantum subexponential algorithm proposed by Childs et al. [4].In 2011, Jao and De Feo presented a new cryptosystem based on the difficulty of constructing isogenies between supersingular elliptic curves, which is still infeasible against the known quantum attacks [5].In 2016, Azarderakhsh et al. proposed a key compression method for supersingular isogeny key exchange, which was later improved by Costello et al. [6,7].Azarderakhsh et al. also implemented key exchange protocol on ARM-NEON and FPGA devices [8,9].Costello et al. proposed faster computation methods and library for supersingular isogeny key exchange [10].In 2017, isogeny-based digital signature schemes were proposed by Galbraith et al. and Yoo et al., which brought diversity in the isogeny-based cryptography [11,12].Additionally, after the National Institute of Standards and Technology (NIST) announced a standardization project for PQC, Supersingular Isogeny Key Encapsulation (SIKE) was submitted as one of the candidates [13].As stated above, extensive researches have been done in isogeny-based cryptography.

Security and Communication Networks
Since any curve in isogeny-based cryptosystem has group structure (Z/( ∓ 1)Z)) 2 , for prime , either the curve or its twist has a point of order four [5].As a result, it is isomorphic to a twisted Edwards curve and to a Montgomery curve [14].Moreover, as coefficients of the elliptic curves change randomly in the isogeny-based cryptosystem, Montgomery curves are used in the state-of-the-art implementations.This is due to the fact that Montgomery ladder reduces the cost of point operations on Montgomery curves compared with any other forms of elliptic curves.However, whether other forms of elliptic curves are efficient as Montgomery curves is still unclear.Costello et al. proposed explicit formulas for 3 and 4 isogenies and also remarked that there might exist savings to be gained in Supersingular Isogeny Diffie-Hellman (SIDH) twisted Edwards version [15].Meyer et al. proposed the hybrid SIDH scheme which exploits the fact that arithmetic in Edwards curves are efficient in certain cases [16].Their method uses Edwards curves for point operations and Montgomery curves for isogeny computation.Independent from isogeny-based cryptosystem, Moody and Shumow were the first to propose isogeny formula on elliptic curves other than Weierstrass form [17].They applied Vélu's formula on twisted Edwards curves and Huff curves.However, isogeny construction on these curves for cryptographic usage has not been done.
The aim of this work is to identify whether (twisted) Edwards curves are as efficient as Montgomery curves for isogeny-based cryptosystems.The following list details the main contributions of this work.
(i) We propose the optimized 3-and 4-isogeny formulas on twisted Edwards curves to be applied in the isogeny-based cryptography.Previous works on constructing isogenies on alternate curves are mostly for the theoretical foundations.To the best of our knowledge, we are the first to propose 4-isogeny formula on (twisted) Edwards curves, given an arbitrary subgroup.The details of our isogeny formulas on twisted Edwards curves are presented in Section 3.
(ii) We propose the optimized 3-and 4-isogeny formulas on Edwards curves.The proposed 3-and 4-isogeny formulas on Edwards curves require 6M+5S and 7M+ 5S, respectively, where M (resp., S) refers to field multiplication (resp., a field squaring).All of our formulas are given in terms of projective -coordinates, which can later combine with -coordinates only point operations on Edwards curves.The details of our isogeny formulas on Edwards curves are presented in Section 4.
(iii) We present the implementation results of our isogeny formulas and comprehensive analysis of their performance.We demonstrate that implementation results of isogenies on Edwards curves are similar to Montgomery curves.Therefore, the current isogeny-based cryptosystem can also work with Edwards curves.
This paper is organized as follows: A review of some special forms of elliptic curves is provided in Section 2. The description of isogeny of elliptic curves and Vélu's formula to compute isogeny is also presented in Section 2. Specifically, we introduce an existing application of Vélu's formula on Montgomery curves and twisted Edwards curves.In Section 3, we present our method to compute isogenies in twisted Edwards curves.Our optimized formulas for isogeny on Edwards curves and their implementations are given in Section 4. We draw our conclusions and future work in Section 5.

Preliminaries
In this section, we introduce the definition of special forms of elliptic curves.There are various forms of elliptic curves, but we will focus on twisted Edwards curves and Montgomery curves in this paper.Next, an isogeny of elliptic curves and Vélu's formulas are introduced.Due to the work of Vélu, isogeny can be constructed given a finite subgroup.We describe a previous method that applied Vélu's formula on twisted Edwards curves and Montgomery curves [5,17].

Models of Elliptic Curve.
Let  be a field with the characteristic not equal to 2 or 3.An elliptic curve defined over  is a smooth, projective algebraic curve of genus 1 with a distinguished point.It is well known that the points of an elliptic curve form an additive group with the distinguished point as the identity element.From the Riemann-Roch theorem, every elliptic curve can be defined by a cubic polynomial equation in two variables.For example, an elliptic curve can be defined by a short Weierstrass equation  , :  2 =  3 +  + , or by a Montgomery equation The -invariants of the above curves are defined as ( , ) = 1728 ⋅ 4 3 /(4 Note that  , has either three rational points of order two or a rational point of order four (possibly both) [19,20].
Another important model is the Edwards model defined by the equation In fact,   is not an elliptic curve as it has singular points (1 : 0 : 0) and (0 : 1 : 0) at infinity.In Edwards curves, the point (0, 1) is the identity element, and the point (0, −1) has order two.The points (1, 0) and (−1, 0) have order four.The condition that   always has a rational point of order four restricts the use of elliptic curves in the Edwards model.To overcome this deficiency, Bernstein et al. proposed twisted Edwards curves which are defined by the equation for distinct nonzero elements ,  ∈  [14].Clearly,  , is isomorphic to an Edwards curve over (√).Later in this paper we demonstrate that it is efficient to work with both projective coordinates and projective curve coefficients.Let (, , ) ∈ P 2 () where  ∈  × such that  = / and  = /.Then  , can be expressed as The addition law on twisted Edwards curve is defined as follows, and doubling can be performed with exactly the same formula.
Bernstein et al. showed the following cryptographically interesting relations on the above three models of elliptic curve [14].

Theorem 1. Let 𝐸 be an elliptic curve defined over a field 𝐾 with the characteristic not equal to 2. The group of rational points 𝐸(𝐾) has an element of order 4 if and only if 𝐸 is birationally equivalent over 𝐾 to an Edwards curve.
Theorem 2. Let  be a field with # ≡ 3 (mod 4); then every Montgomery curve over  is birationally equivalent over  to an Edwards curve.
As Theorem 2 is used to compute 4-isogeny formula in Edwards curves, we shall define  with # ≡ 3 mod 4 in the remainder of this paper, unless otherwise specified.

Relation between Twisted Edwards Curves and Montgomery Curves.
In [14], Bernstein et al. proved that every twisted Edwards curve over  is birationally equivalent over  to a Montgomery curve.Since this relation is used later in this paper, we shall describe it briefly.Let  and  be nonzero elements in .Then every twisted Edwards curve  , is birationally equivalent to a Montgomery form  , via where  = 2( + )/( − ) and  = 4/( − ).The inverse of the map from  , to  , is defined as The first coordinate in map ( 7) is computed by using only -coordinate and the second coordinate in map (8) uses only -coordinate.In projective coordinates, this map becomes remarkably simple [21].A point (  :   ) on a Montgomery curve can be transformed to the corresponding Edwards coordinates (  :   ) and vice versa: Therefore, the point conversion between these two curves costs only two additions.

Isogeny and
The isogeny φ is called the dual isogeny of .By using this fact, the relation of isogeny is an equivalence relation.There are two methods to construct isogeny between elliptic curves.Vélu gave the explicit formulas to construct an isogeny with a given elliptic curve and a given finite subgroup as the kernel [22].Later, Kohel proposed that isogeny  can be computed from the kernel polynomial [23].In this paper, we focus on Vélu's method to construct isogenies.Vélu's formulas are based on the transformation which is invariant under the translation by the points in the kernel .In order to compute rational functions given by Vélu, let  be an elliptic curve with short Weierstrass form as in (1) for the simplicity.For a finite subgroup , partition  \ {} into two sets,  + and  − , such that  \ {} =  + ∪  − and  ∈  + if and only if − ∈  − .For each point  ∈ , define the following equations: Then, the isogeny  is given by ) . ( The order of the isogeny is equal to the order of the subgroup .The equation of the image curve is

Vélu's Formulas on Montgomery Curves.
In this section, we describe how even-degree isogenies are induced on Montgomery curves.This method was proposed by Jao and De Feo and later optimized by Costello et al. [5,10].The main processes for deriving 4-isogeny are illustrated in projective coordinates.For odd-degree isogenies, refer to [10].

Vélu's Formulas on Twisted Edwards Curves.
As denoted in the previous section, there exist birational maps from Edwards curves to Weierstrass curves.Let  be the transformation from a twisted Edwards curve to a Weierstrass curve  and  be isogeny from  to another curve   .Let  −1 be the transformation from a Weierstrass curve   back to a twisted Edwards curve.The intuitive approach toward computing the isogeny between twisted Edwards curves is to combine these maps.However, the transformation from Weierstrass curves to twisted Edwards curves is complicated if the corresponding Weierstrass curve is not of the form below.
Moreover, one needs to compute square roots in order to transform back to twisted Edwards form.To solve this issue, Moody and Shumow proposed compact formulas for odddegree isogenies on twisted Edwards curves [17].The isogeny of order ℓ = 2 + 1 on twisted Edwards curves can be computed by using the following theorem.
The idea of the above formula comes from the fact that the map is invariant under the translation by an element in .Note that this idea does not apply for even-degree isogenies since either the abscissa or the ordinate of every 2-torsion point vanishes.

The Proposed Isogeny Computations on Twisted Edwards Curves
In this section, we propose optimized formulas for 3-isogeny and 4-isogeny on twisted Edwards curves, which are commonly used degrees in the isogeny-based cryptosystem.For 3-isogeny, we use Moody and Shumow's result as a base formula and optimize it by using projective coordinates, projective curve coefficients, and division polynomial [17].For even-degree isogeny computation, we exploit the efficiency of computing a birational map between twisted Edwards curves and Montgomery curves.The 4-isogeny formula on twisted Edwards curves can be obtained by composing the birational map and isogeny on Montgomery curves.

4 Isogenies on Twisted Edwards Curves. Computing 4
isogenies is more complicated than odd-degree isogenies in twisted Edwards curves.There exist roughly two approaches for computing 4 isogenies in twisted Edwards curves.The first method is to transform twisted Edwards curve to corresponding Weierstrass form and apply Vélu's formula.However, transforming back to twisted Edwards form from Weierstrass form is complicated as square root computations might be required in some cases.The other approach is to use the birational relation between twisted Edwards curves and Montgomery curves.As the transformation between twisted Edwards curves and Montgomery curves costs only two additions, we can compute 4-isogeny on a Montgomery curve and transform back to a twisted Edwards curve.However, when applying the 4-isogeny formula on Montgomery curves proposed by Jao and De Feo, the isomorphism  that maps 4torsion point to a specific point must be combined to compute 4-isogeny consecutively [5].Therefore, after transforming a twisted Edwards curve into a Montgomery curve, the isomorphism must be combined with 4-isogeny.In summary, the composition we used is as follows: where  and   −1 are birational maps and  1 is an isogeny obtained using Vélu's formulas.Let  = ( 4 :  4 :  4 ) be a 4-torsion point on twisted Edwards curve  , , represented in projective coordinate.The birational map  that maps twisted Edwards curve  , to Montgomery curve  , sends  as follows: where Let   = (  :   ) be the corresponding 4-torsion point on  , .The evaluation of 4-isogeny  =  1 ∘  on  , with kernel ⟨  ⟩ is defined as in [10].
Note that this formula is already combined with the isomorphism  so that additional transform is not necessary.Finally, the birational map   −1 , which maps the Montgomery curve back to the twisted Edwards curve    ,  , is defined as follows: The curve coefficients   and   of the image curve    ,  are given by Combining the three maps , , and   −1 yields 4-isogeny from  , to    ,  .The equation below is the evaluation of the 4-isogeny by computing (  :   ), given the additional point ( : ) on  , .
=  (2     −  ( Then, by combining the isogeny  1 , coefficients of the image curve are given below.
Finally, by applying the birational map to transform back to the twisted Edwards curve, we obtain the coefficients of the 4-isogeny twisted Edwards curve.Let    ,  =  , /⟨⟩ be the image curve.Then we have Since   /  is a root of the 4-division polynomial  4 =  4 + 2 (46)

The Proposed Isogeny Computations on Edwards Curves
In this section, we present 3-and 4-isogeny formulas on Edwards curves.Recall that 2-isogeny on twisted Edwards curves requires square root computation when transforming back to twisted Edwards curves [17].Hence, we assumed twisted Edwards curves to have a 4-torsion point by restricting the order of the field.However, every elliptic curve having a 4-torsion point is birationally equivalent to Edwards curves [14].Therefore, twisted Edwards curves having a 4-torsion point are in fact Edwards curves, with the curve coefficient  = 1.Since the number of curve coefficients is reduced, the proposed isogeny formulas can further be optimized.
Therefore, in projective coordinates,

4 Isogenies on Edwards
Curves.Similar to the case for computing 3-isogeny on Edwards curves, only the formula for computing image curve coefficient is changed when computing 4-isogeny on Edwards curves.By setting  = 1 and starting from (34), we have To conclude, note that all of our formulas are given in terms of projective -coordinates.Since point operations such as doubling and tripling on Edwards curves can be performed by -coordinates, our formulas are well-adjusted to the isogeny-based cryptosystem.

Algorithms for Computing Isogenies on Edwards Curves.
This section presents an efficient way to compute three and four isogenies on Edwards curves.In order to evaluate 3isogeny efficiently, consider the difference between  and

Implementation Results.
To evaluate the performance of the proposed formulas, the algorithms are implemented in C language.We used the isogeny formula implemented in SIDH library version 3.0 for isogenies on Montgomery curves.Moreover, to make an exact comparison with isogenies on Montgomery curves, the field operations implemented in SIDH library were used for both curves.The field operations in SIDH library are written in x64 assembly [18].As a result, the difference in performance lies purely in the computation of isogenies.All cycle counts were obtained on one core of an Intel Core i7-6700 (Skylake) at 3.40 GHz, running Ubuntu 16.04 LTS.For compilation, we used GNU GCC version 5.4.0.
In this section, the field  is fixed as  = F  2 , where  is prime, and F  2 = F  2 []/( 2 + 1).For the prime , we used 503-bit prime  503 = 2 250 ⋅ 3 159 − 1 and 751-bit prime  751 = 2 372 ⋅ 3 239 − 1, presented in [13,18].The base field operations were tested in order to visualize the ratio between field operations.To this end, each field operation was repeated 10 8 times for each prime field.Table 1 summarizes the average cycle counts of field operations over F  2 .
As in Table 1, 1S equals approximately 0.8M, for both 503-bit prime and 751-bit prime.Based on the above result, Table 2 shows the computational cost and corresponding cycle counts of 3 and 4 isogenies, when using Montgomery curves and Edwards curves.For each isogeny computation, we report the average cycles of 10 8 times.Note that the number of field multiplications and squarings are same for 3-isogeny.Therefore, to better represent the results, we also counted field additions and subtractions.In Table 2, a (resp., s) refers to field addition (resp., subtraction).
Note that the base field operations in [18] run in constant time to protect against timing attacks [24]; field additions cost more cycles than field subtractions.Therefore, 3-isogeny on Edwards curves are slightly faster than on Montgomery curves.Overall, because the proposed algorithms used field subtractions more than field additions, the performance gap between Montgomery curves and Edwards curves is small.

Conclusion and Future Work
In this paper, we proposed 3-and 4-isogeny formulas on twisted Edwards curves that can be applied in isogenybased cryptography.For 3-isogeny, we optimized Moody and Shumow's formula by applying projective coordinates, projective curve coefficients, and division polynomials [17].For even-degree isogeny, we combined bilinear map between twisted Edwards curves and Montgomery curves and isogeny on Montgomery curves.We further optimized our isogeny formulas by working on with Edwards curves.The computational costs for 3 and 4 isogenies on Edward curves are 6M+5S and 7M+5S, respectively.We also implemented our formulas and demonstrated that isogenies on Edwards curves are as efficient as isogenies on Montgomery curves.For the future work, we plan to implement our isogeny formulas on
Vélu'sFormulas.An isogeny between two elliptic curves  1 and  2 is a surjective group homomorphism with a finite kernel.Two elliptic curves  1 and  2 are said to be isogenous over  if there exists an isogeny  :  1 →  2 defined over .If the degree of the isogeny  is equal to the order of the kernel of , then  is called a separable isogeny.