Efficiency of SIDH-based signatures (yes, SIDH)

1.1 Our contribution

In this note, we assess the compactness and efficiency that can be currently reached by digital signatures (and NIZKPs) based on the SIDH setting. In doing so, we restrict our attention to a digital signature built on a slightly weaker variant of Σ SECUER base . We talk about weaker variant because Σ SECUER base was designed to satisfy statistical honest-verifier zero-knowledge, which is not necessary for our case study. The variant we consider – denoted by Σ SEC – only achieves computational honest-verifier zero-knowledge, but it allows for shorter isogenies, therefore a better efficiency. There are three main reasons to work with Σ SEC instead of other SIDH-based Σ -protocols. First, a similar assessment focused on Σ wSIDH was recently conducted in [15]. Even more importantly, despite the similarities between Σ wSIDH and Σ SEC , the latter has a more lightweight design, leading to smaller transcripts and faster execution times. Last but not least, the optimisations we apply to ( t parallel executions of) Σ SEC are applicable also to Σ SECUER base and are relevant to any application of these Zero-Knowledge Proof systems. In fact, using the Fiat-Shamir transform to remove interactivity from a Σ -protocol has applications beyond digital signatures. For example, Σ SECUER base has been used to prove random generation of supersingular curves of unknown endomorphism rings in a distributed and trusted manner [14].

We conduct our analysis by applying some known signature-shortening techniques. By doing so, we can shorten the signatures produced by means of Σ SEC by approximately 69 % . For example, we obtain signatures of approximately 21 kB for the parameter set SIKEp434. In addition, we propose minor optimisations to compute many isogenies in parallel from the same starting curve.

One of the techniques we consider to shorten the signatures is the unbalanced challenge space technique, firstly proposed in the study by Beullens et al. [16] for a Σ -protocol obtained by running parallel executions of a base Σ -protocol with soundness error 1/2. In this work, however, we apply it to a base Σ -protocol with soundness error 2/3, which requires a non-trivial generalisation of the original proposal. In fact, to determine the number of parallel executions which are required in such case for an unbalanced challenge space, we deduce some combinatorial results. Our findings can be readily applied to every possible soundness error of the base Σ -protocol, and therefore are of independent interest.

Our assessment confirms that the problem of designing a practical isogeny-based signature scheme remains largely open. Nonetheless, the proposed optimisations can be applied to the distributed trusted-setup protocol [14, Sec. 5] built on top of Σ SECUER base to collaboratively produce a random supersingular elliptic curve whose endomorphism ring is hard to compute even for the involved parties. Determining the best techniques to design secure and efficient isogeny-based signatures, against which future protocols can be benchmarked, is still a quite new and very open problem.

1.2 Related work

The SIDH-based digital signature scheme proposed in the study by Galbraith et al. [5] produces signatures of approximately 12 kB when targeting 128 bits of classical security. For the same security target, the signature scheme in the study by Chi-DomAηnguez et al. [17] (deduced from a different SIDH-based Σ -protocol proposed in the study by Chi-DomAηnguez et al. [13, Sec. 6]) outputs signatures of approximately 61 kB. Both these signature schemes are no longer secure after the cryptanalytic attacks against SIDH. The analysis conducted in the study by Chi-Domínguez et al. [15] on a still-secure digital signature built on top of Σ wSIDH achieves signatures of size approximately 74 kB for the parameter set SIKEp 434 . Note that the protocol in the study by Galbraith et al. [5] and Σ wSIDH in the study by Chi-DomAηnguez et al. [13, Sec. 5] are 2-special sound. The protocols in the study by Chi-DomAηnguez et al. [13, Sec. 6] is instead 3-special sound.

1.3 Roadmap

This article is organised as follows. In Section 2, we recall some cryptographic preliminaries and we provide a description of the Σ -protocol Σ SEC , which is a diminished version of Σ SECUER base from the study by Basso et al. [14, Sec. 4]. By applying the Fiat-Shamir transform [18] on Σ SEC , an SIDH-based signature scheme DS SEC is obtained. In Section 3, we apply some optimisation techniques to reduce the size of the signatures produced by DS SEC : commitment recoverability (Section 3.1), response compression (Section 3.2), and seed trees (Section 3.3). In Section 3.4, unbalanced challenge spaces are also taken into account. We conclude the section highlighting the overall gain in applying these optimisations with respect to the original scheme. In Section 4, we suggest two optimisations for the computation of several isogenies of the same degree from the same starting curve. They consists in a pre-computation of repeated initial steps (Section 4.1) and in the parallelisation of kernel generators computation (Section 4.2). Section 5 presents some closing remarks.

2.1 Supersingular elliptic curves, isogenies, and hardness assumptions

We refer the reader to [19,20] for a more detailed introduction to the topic.

Let q be a power of a prime p ≥ 5 , and let F q be a finite field with q elements. An isogeny φ : E ⟶ E ′ between two elliptic curves E and E ′ over F q , with points at infinity denoted by 0 E and 0 E ′ respectively, is a non-constant regular rational map mapping φ ( 0 E ) into 0 E ′ . Every isogeny φ can be written in its polynomial form ( F 1 ( x ) ∕ F 2 ( x ) , y G 1 ( x ) ∕ G 2 ( x ) ) , where F 1 , F 2 , G 1 , and G 2 are polynomials over the algebraic closure of F , F 1 is coprime with F 2 , and G 1 is coprime with G 2 . The isogeny φ is said to be defined over F q k if the coefficients of the above polynomials are contained in F q k ; in this case, we say that E , E ′ are isogenous over F q k . Tate’s theorem states that E , E ′ are isogenous over F q k if and only if # E ( F q k ) = # E ′ ( F q k ) .

An invertible isogeny is an isomorphism; in addition, if its domain and image coincide, it is an endomorphism. The set of all endomorphisms of an elliptic curve E together with the zero map form a ring under pointwise addition and composition, called the endomorphism ring of E and denoted by End ( E ) . If End ( E ) is not commutative, then E is said to be supersingular. Every supersingular elliptic curve defined over F p k for some k ∈ N is isomorphic to an elliptic curve defined over F p 2 . The degree deg ( φ ) of an isogeny φ is the maximum among { deg ( F 1 ) , deg ( F 2 ) } ; we say that φ is a d -isogeny. Two elliptic curves E and E ′ are d -isogenous if there exists an isogeny φ : E ⟶ E ′ of degree d . Given a power q of a prime p > 5 and a prime number ℓ ≠ p , we denote by G q ( ℓ ) the graph whose vertices are F q -isomorphism classes of supersingular elliptic curves over F q and whose edges are equivalence classes of ℓ -isogenies (two isogenies are in the same class if they have the same kernel). The composition of two isogenies of degrees d 1 and d 2 is an isogeny of degree d 1 d 2 .

The kernel of an isogeny is finite, and its size is equal to the degree of the isogeny itself if the isogeny is separable. Vice versa, if H is a finite subgroup of an elliptic curve E , then the elliptic curve E ∕ H and a separable isogeny ψ : E ⟶ E ′ of kernel ker ( ψ ) = H are unique (modulo isomorphism). Both E ∕ H and ψ can be computed with complexity O ( # H ) using Velu’s formulas. We say that φ is a cyclic isogeny when ker ( φ ) is a cyclic group. Given ℓ ∈ N , we denote by E [ ℓ ] the ℓ -torsion subgroup { P ∈ E ∣ [ ℓ ] P = 0 E } of E . When ℓ and p are relatively prime, E [ ℓ ] ≃ ( Z ∕ ℓ Z ) × ( Z ∕ ℓ Z ) .

2.2 Σ -protocols

Let X and Y be two sets whose sizes depend on a security parameter λ . Then ℛ ⊂ X × Y is a polynomially computable binary relation over X and Y if, for any ( x , w ) ∈ X × Y , whether ( x , w ) ∈ ℛ can be decided in time poly ( ∣ x ∣ ) . If ( x , w ) ∈ ℛ , we call w a witness for the statement x . The language corresponding to ℛ is ℒ ℛ = { x ∈ X ∣ ∃ w ∈ Y : ( x , w ) ∈ ℛ } .

A Σ -protocol for a polynomially-computable binary relation ℛ is a public-coin three-move interactive protocol between a prover and a verifier. Informally, a prover can demonstrate knowledge of a valid witness for a certain statement without revealing any information about the witness itself. Below, we define a relaxed version of sigma protocols where the special-soundness extractor only extracts a witness for a slightly larger relation ℛ ˜ , with ℛ ⊆ ℛ ˜ . Furthermore, the definition is given in the random oracle model, i.e. prover and verifier have access to a random oracle O . We may occasionally omit the superscript O when the meaning is clear from the context.

We require the following properties of a Σ -protocol:

• Correctness: All honestly generated transcripts must be valid. Formally, it is required that

  Pr V 2 O ( x , com , ch , resp ) = 1 ( x , w ) ← KeyGen O ( 1 λ ) com ← P 1 O ( x , w ) , ch ← V 1 O ( com ) , resp ← P 2 O ( x , com , w , ch ) = 1 .

• Relaxed κ -special soundness: There exists a polynomial-time extraction algorithm Ex such that, given any κ valid transcripts ( x , com , ch 1 , resp 1 ) , … , ( x , com , ch κ , resp κ ) relative to the same statement x ∈ ℒ ℛ , with the same commitment com and κ distinct challenges ch 1 , … , ch κ , outputs w such that ( x , w ) ∈ ℛ ˜ (note that Ex is only required to recover a witness in ℛ ˜ ⊇ ℛ ).

• Statistical and computational honest-verifier zero-knowledge (HVZK): Within this definition, we allow the adversary, the prover, and the simulator to make queries to a common random oracle O . We say the Σ -protocol is statistically HVZK if there exists a probabilistic polynomial-time (PPT) simulator algorithm Sim O such that, for any ( x , w ) ∈ ℛ , any honestly chosen ch ∈ ChSet and any computationally unbounded adversary A that makes at most a polynomial number of queries to O , we have

  Pr A O ( com , ch , resp ) = 1 com ← P 1 O ( x , w ) ; resp ← P 2 O ( x , com , w , ch ) − Pr [ A O ( com , ch , resp ) = 1 ∣ ( com , resp ) ← Sim O ( x , ch ) ] = negl ( λ ) .

  If the aforementioned relation holds only for computationally bounded adversaries, the protocol is said to be computationally HVZK.

2.3 Digital signatures

Below we recall the definition of digital signature schemes, correctness, and unforgeability.

2.4 The Σ SEC protocol

In this section, we describe the Σ -protocol Σ SEC , a weaker variant of Σ SECUER base from the study by Basso et al. [14, Section 4] (see Remark 2 for the differences between the two protocols).

For every possible value of the security parameter λ , p will denote a prime of the form p = ℓ 1 e 1 ℓ 2 e 2 f ± 1 (where ℓ 1 , ℓ 2 are small primes such that ℓ 1 e 1 ≈ ℓ 2 e 2 and f ∈ N is a small cofactor), E 0 is a fixed supersingular elliptic curve over F p 2 such that # E 0 ( F p 2 ) = ( ℓ 1 e 1 ℓ 2 e 2 f ) 2 (when considering SIKE parameters, we will take E 0 : y 2 = x 3 + 6 x 2 + x ), and { P 1 , Q 1 } and { P 2 , Q 2 } basis for E 0 [ ℓ 1 e 1 ] and E 0 [ ℓ 2 e 2 ] , respectively. Then, the tuple pp = ( p , ℓ 1 , ℓ 2 , e 1 , e 2 , f , E 0 , P 1 , Q 1 , P 2 , Q 2 ) forms the public parameter for the protocol.

The Σ -protocol Σ SEC consists of five oracle-calling algorithms ( Gen , P = ( P 1 , P 2 ) , V = ( V 1 , V 2 ) ) , where:

• ( E 1 , φ ) ← Gen ( 1 λ ) : On input a security parameter, the key-generation algorithm uniformly samples s from Z ∕ ℓ 1 e 1 Z and computes the cyclic isogeny φ : E 0 ⟶ E 1 ≔ E 0 ∕ ⟨ P 1 + [ s ] Q 1 ⟩ having ⟨ P 1 + [ s ] Q 1 ⟩ as kernel. It returns the statement-witness pair ( E 1 , φ ) .

• com ← P 1 ( E 1 , φ ) : Given a statement E 1 and a corresponding witness φ , the prover uniformly samples r from Z ∕ ℓ 2 e 2 Z and computes the point R = P 2 + [ r ] Q 2 – whose order is ℓ 2 e 2 – and the elliptic curves E 2 = E 0 ∕ ⟨ R ⟩ and E 3 = E 1 ∕ ⟨ φ ( R ) ⟩ . Then, it uniformly samples b 2 , b 3 from { 0 , 1 } λ and commits to E 2 and E 3 computing com 1 ← O ( Com ∣ ∣ E 2 ∣ ∣ b 2 ) and com 2 ← O ( Com ∣ ∣ E 3 ∣ ∣ b 3 ) via the random oracle O . The output is com = ( com 1 , com 2 ) .

• { − 1 , 0 , 1 } ← V 1 ( com ) : On input a commitment com , V 1 outputs a random challenge ch ∈ { − 1 , 0 , 1 } .

• resp ← P 2 ( E 1 , φ , com , ch ) : On input a statement E 1 , a corresponding witness φ , a commitment com = ( com 1 , com 2 ) and a challenge ch ∈ { − 1 , 0 , 1 } , it outputs a response resp defined as follows. If ch = − 1 , then resp = ( E 2 , r , b 2 ) ; if ch = 1 , then resp = ( E 3 , φ ( R ) , b 3 ) ; if ch = 0 , then resp = ( E 2 , ψ ( Ker ( φ ) ) , E 3 , b 2 , b 3 ) , where ψ is the isogeny from E 0 having ⟨ R ⟩ as kernel.

• 1 ∕ 0 ← V 2 ( E 1 , com , ch , resp ) : It takes as input a statement E 1 , a commitment com = ( com 1 , com 2 ) , a challenge ch ∈ { − 1 , 0 , 1 } , and a response resp . Depending on ch , the algorithm performs a check. In particular, if ch = − 1 then resp = ( E , r , b ) and the algorithm checks whether the isogeny from E 0 with kernel equal to ⟨ P 2 + [ r ] Q 2 ⟩ goes to E and whether com 1 = O ( Com ∣ ∣ E ∣ ∣ b ) . If ch = 1 , then resp = ( E , T , b ) and the algorithm checks whether the point T is in E 1 , the order of T is ℓ 2 e 2 , the isogeny from E 1 with kernel ⟨ T ⟩ goes to E and com 2 = O ( Com ∣ ∣ E ∣ ∣ b ) . Finally, if ch = 0 , then resp = ( E , T , E ˜ , b , b ˜ ) and the algorithm checks whether the point T is in E , the order of T is ℓ 1 e 1 , the isogeny from E with kernel ⟨ T ⟩ goes to E ˜ , com 1 = O ( Com ∣ ∣ E ∣ ∣ b ) , and com 2 = O ( Com ∣ ∣ E ˜ ∣ ∣ b ˜ ) . If the check is successful, then it outputs 1, and 0 otherwise.

Let X be the set of supersingular elliptic curves E 1 over F p 2 having the same number of rational points of E 0 , and Y be the set of all separable isogenies with domain E 0 . Define the relation

and the relaxed relation

It is not difficult to see that the Σ -protocol Σ SEC described earlier is correct and has relaxed 3-special soundness for the relations ℛ SEC and ℛ ˜ SEC . Furthermore, under the assumption that the following problem is hard, we prove in Proposition 1 that Σ SEC is computationally HVZK.

As the protocol Σ SEC has a soundness error ε = 2 ∕ 3 , it is necessary to repeat its execution in parallel t times to obtain a negligible soundness error. It is customary to set t as the minimum positive integer such that ε t < 2 − λ . Therefore, we obtain

The Σ -protocol that results from repeating Σ SEC in parallel t -times, which will be denoted by Σ SEC t in the following, is depicted in Figure 1.

Figure 1

Algorithms in Σ SEC t . Given a supersingular elliptic curve E , IsogenyFromKernel ( E , ⋅ ) denotes an algorithm which, on input a subgroup S ⊂ E , computes an isogeny from E with kernel S . Moreover, E [ ℓ e ] max denotes the points of order ℓ e in E [ ℓ e ] , when ℓ is prime and e ∈ N .

Assuming a supersingular elliptic curve over F p 2 is identified by a single element of F p 2 , the average size (in bits) of a transcript of Σ SEC t (excluding the statement) is approximated by

where the terms indicate commitment , challenge, and response sizes (the terms within brackets correspond to the sizes of the responses to challenge − 1 , 1, and 0).

Within an execution of Σ SEC t , the prover computes 2 t elliptic-curve scalar multiplications, 2 t isogenies and 2 t commitments to produce the commitment. In addition, to produce the response, the prover evaluates an ℓ 1 e 1 -isogeny (on a point of order ℓ 2 e 2 ) t ∕ 3 times, and an ℓ 2 e 2 -isogeny (on a point of order ℓ 1 e 1 ) t ∕ 3 times, on average.

When Σ SEC t is turned into the digital signature scheme DS SEC via the Fiat-Shamir transform, the security of DS SEC is guaranteed by the hardness of the relation ℛ ˜ SEC , as the problem of finding an isogeny between two given isogenous elliptic curves is still believed to be hard (and it has not been affected by the recent cryptanalytic attacks on SIDH ). A signature produced by DS SEC is just a transcript of Σ SEC t without the statement and the challenge (as the latter can be easily recovered, being it the digest of a hash function on the message m to sign and the commitment com ). Consequently, the signature size is slightly smaller than the size of a transcript (without the statement) of Σ SEC t , and the computational cost to sign is that undergone by the prover in an execution of Σ SEC t , plus one hash-function evaluation. Therefore, the efficiency analysis presented above applies almost directly to DS SEC (see the last column of Table 1 for the signature sizes of DS SEC for different SIDH/SIKE parameters).

3.1 Challenge and commitment recoverability

A Σ -protocol ( Gen , P = ( P 1 , P 2 ) , V = ( V 1 , V 2 ) ) is said to be commitment-recoverable if, with overwhelming probability over the random choice of a pair ( x , w ) ← Gen ( 1 λ ) , for any ch ∈ ChSet and resp ∈ ResSet , there exists a unique commitment com ∈ ComSet that makes ( x , com , ch , resp ) a valid transcript, and such a commitment can be publicly computed by means of an algorithm taking ( x , ch , resp ) as input. This property allows for shorter signatures by omitting com from them, and letting the verifier re-compute it. Its correctness is then checked by means of the challenge ch .

The original version of the Σ -protocol Σ SEC t , described in Figure 1, does not satisfy commitment recoverability (e.g., the response resp i when ch i = − 1 does not allow to recover com i , 2 ). However, we can modify ( Σ SEC and) Σ SEC t in such a way that the new protocol(s) are commitment recoverable.

The modification of Σ SEC t which we suggest^[2] is detailed in Figure 2. In particular, P 1 remains unchanged, while the algorithm P 2 outputs the response resp i = ( r i , b 2 , i , com i , 2 ) when ch i = − 1 ; the response resp i = ( φ ( P 2 + [ r i ] Q 2 ) , b 3 , i , com i , 1 ) when ch i = 1 ; and the response resp i = ( E 2 , i , ψ i ( Ker ( φ ) ) , b 2 , i , b 3 , i ) when ch i = 0 , where ψ i is the isogeny with kernel ⟨ P 2 + [ r i ] Q 2 ⟩ from E 0 . The verifier then re-computes part of the commitment, and checks whether it corresponds to that received by P 1 .

Figure 2

Modified Σ SEC t protocol which enjoys commitment recoverability. The blue text marks the differences with the original scheme depicted in Figure 1.

The expected sizes (in bits) of the elements in a transcript of the modified Σ SEC t protocol (excluding the statement) are approximated by

(the terms within the brackets corresponds to the size of the responses to challenge − 1 , 1, and 0, respectively).

In Table 2, we lists the approximated sizes (in bits) of commitments, challenges, and responses for the four SIKE parameter sets.

Thanks to commitment recoverability, when the modified Σ -protocol is turned into a digital signature, the commitment com does not need to be part of the corresponding signature. In principle, the challenge ch should now be part of the signature, as it necessary to recover the commitment com . However, the modified Σ SEC t protocol is also challenge-recoverable, and then ch can be excluded from the signature. We recall that a Σ -protocol is challenge-recoverable if the challenge ch in a transcript ( x , com , ch , resp ) can be reconstructed from resp . This is the case for both Σ SEC t and its modification, since the type of each resp i in resp uniquely determines the corresponding challenge bit ch i in ch . Thus, one can simply omit the challenge from a transcript and let it be deduced from the response. Consequently, both challenge and commitment can be reconstructed by the verifier. Therefore, the signature sizes for different SIDH/SIKE parameters are equal to the response sizes in Table 2. Moreover, we note that the computational effort made by the prover in the modified Σ SEC t protocol is exactly the same as in the original Σ SEC t protocol.

3.2 Compressed responses

In Σ SEC t , when ch i = 1 the prover responds with the point φ ( P 2 + [ r i ] Q 2 ) generating the kernel of the commitment isogeny ψ i ′ : E 1 ⟶ E 3 , i . Being P 2 and Q 2 over F p 2 by construction, this requires the transmission of 2 ⋅ log p + 1 bits.

Following the algorithmic improvements proposed in the studies by Costello et al. and Azarderakhsh et al. [21,22], we can deterministically compute a torsion basis { P ′ , Q ′ } of E 1 [ ℓ 2 e 2 ] for any statement/public key E 1 . Then, the response can be set as the result ( α i , β i ) of a double discrete logarithm, with α i , β i such that [ α i ] P ′ + [ β i ] Q ′ = φ ( P 2 + [ r i ] Q 2 ) . Since φ ( P 2 + [ r i ] Q 2 ) is of order ℓ 2 e 2 , one of the two coefficients α i , β i must be invertible modulo ℓ 2 e 2 ; if it is α i , we let ι i ≔ 1 and γ i ≔ α i − 1 β i , otherwise we let γ i ≔ 1 and ι i ≔ β i − 1 α i . The response can then be set as ( ι i , γ i ), and the kernel generator computed as [ ι i ] P ′ + [ γ i ] Q ′ .

With this method, the size of the response is therefore reduced to ⌈ log ( ℓ 2 e 2 ) ⌉ + 1 bits, at the cost of computing a deterministic torsion basis both by signer and verifier, and determining a double discrete logarithm only on the signer’s side. Note that the basis P ′ , Q ′ can be computed once for all by adding it to the statement/public key E 1 . The new public key would look exactly like an old SIDH public key, with the crucial difference that the basis is computed independently of the secret isogeny φ , preventing the applicability of the attacks on SIDH to this context. Moreover, the following pre-computation would allow us to use the method of compressed responses at no additional computation cost. The prover needs to determine φ ( P 2 ) and φ ( Q 2 ) , and then compute their respective components α , β and γ , ω in the basis { P ′ , Q ′ } . Then, to compute a response, the prover would only need to calculate one multiplications and two sums in Z ∕ ℓ 2 e 2 Z , since φ ( P 2 + [ r i ] Q 2 ) = [ α + γ ] P ′ + [ r i ⋅ ( β + ω ) Q ′ ] .