Efficient Implementations of Square-root Vélu's Formulas

Abstract

In the implementation of isogeny-based cryptographic schemes, Vélu's formulas are essential for constructing and evaluating isogenies. Bernstein et al. proposed an approach known as √élu, which computes an ℓ-isogeny at a cost of $\tilde{O}\left(\sqrt{\ell }\right)$ finite field operations. This paper presents two improvements to enhance the efficiency of the implementation of √élu as follows: optimizing the index system required in √élu and speeding up the computations of the sums of products used in polynomial multiplications over a finite field $F_p$ with characteristic p. To optimize the index system, we modify it to enhance the utilization of x-coordinates and combine it with the technique of redundant representation, which can ultimately reduce the number of $F_p$-multiplications. The speedup of the sums of products is to employ two techniques: lazy reduction (abbreviated as LZYR) and generalized interleaved Montgomery multiplication (abbreviated as INTL). These techniques aim to minimize the underlying operations. We provide an optimized C and assembly implementation of √élu. For the computational cost (in terms of $F_p$-multiplications) of each isogeny involved in CTIDH2048 (resp. SQIsign), exploiting our modified index system (including the combination with redundant representation) obtains a saving up to 5.78% (resp. 5.39%) compared to the previous work. In terms of the performance (reported in CPU clock cycles) of isogeny computations in CTIDH512, applying our index system combined with INTL (resp. our index system combined with LZYR) offers an improvement up to 16.05% (resp. 10.96%) compared to the previous implementation. As for executing an isogeny group action in CTIDH512, our experimental results also demonstrate a reduction of 3.73% (resp. 1.83%) clock cycles by utilizing our index system combined with INTL (resp. our index system combined with LZYR).