Estimation of the computational cost of the CSIDH algorithm on supersingular twisted and quadratic Edwards curves

The properties of twisted and quadratic supersingular Edwards curves that form pairs of quadratic torsion with order p+1  over a prime field Fp are considered. A modification of the CSIDH algorithm based on the isogenies of these curves instead of the traditional arithmetic of curves in the Montgomery form is presented. The parameters of these two classes of supersingular Edwards curves for p=239 are calculated and tabulated. An example of the isogenies of these curves in the implementation of the CSIDH algorithm as a non-interactive secret sharing scheme based on the secret and public keys of Alice and Bob is given. It is shown that the sequences of parameters ±d(i) of isogeny chains for quadratic and twisted supersingular Edwards curves, respectively, have a reverse nature on the period of the sequence. A recurrent algorithm for calculating the coordinates of points that form the kernels of isogenies of odd degrees is proposed, and its implementation in various coordinate systems is considered. A comparative analysis of the cost of calculating the parameter d´ of the isogenic curve E´ using the Farashakhi-Hosseini (W : Z) - coordinates and classical projective coordinates (X : Y : Z) is given. It is noted that all calculations in the CSIDH algorithm necessary to calculate the shared secret dAB are reduced only to the calculation of the isogenic curve E´ parameter d´ and are performed by field operations and the scalar multiplication of the point. The controversial issue of refusal to calculate the isogenic function ϕ(R) of a curve point R in the CSIDH algorithm is discussed.