Batching CSIDH Group Actions using AVX-512

Commutative Supersingular Isogeny Diffie-Hellman (or CSIDH for short) is a recently proposed post-quantum key establishment scheme that belongs to the family of isogeny-based cryptosystems. The CSIDH protocol is based on the action of an ideal class group on a set of supersingular elliptic curves and comes with some very attractive features, e.g. the ability to serve as a “drop-in” replacement for the standard elliptic curve Diffie-Hellman protocol. Unfortunately, the execution time of CSIDH is prohibitively high for many real-world applications, mainly due to the enormous computational cost of the underlying group action. Consequently, there is a strong demand for optimizations that increase the efficiency of the class group action evaluation, which is not only important for CSIDH, but also for related cryptosystems like the signature schemes CSI-FiSh and SeaSign. In this paper, we explore how the AVX-512 vector extensions (incl. AVX-512F and AVX-512IFMA) can be utilized to optimize constant-time evaluation of the CSIDH-512 class group action with the goal of, respectively, maximizing throughput and minimizing latency. We introduce different approaches for batching group actions and computing them in SIMD fashion on modern Intel processors. In particular, we present a hybrid batching technique that, when combined with optimized (8 × 1)-way prime-field arithmetic, increases the throughput by a factor of 3.64 compared to a state-of-the-art (non-vectorized) x64 implementation. On the other hand, vectorization in a 2-way fashion aimed to reduce latency makes our AVX-512 implementation of the group action evaluation about 1.54 times faster than the state-of-the-art. To the best of our knowledge, this paper is the first to demonstrate the high potential of using vector instructions to increase the throughput (resp. decrease the latency) of constant-time CSIDH.

Bibliographic Details
Main Authors: Hao Cheng, Georgios Fotiadis, Johann Großschädl, Peter Y. A. Ryan, Peter B. Rønne
Affiliation: DCS and SnT, University of Luxembourg, Esch-sur-Alzette, Luxembourg
Format: Article
Language: English
Published: Ruhr-Universität Bochum, 2021-08-01
Series: Transactions on Cryptographic Hardware and Embedded Systems (ISSN 2569-2925), volume 2021, issue 4
DOI: 10.46586/tches.v2021.i4.618-649
Subjects: Post-Quantum Cryptography; Isogeny-Based Cryptography; CSIDH; AVX-512IFMA; Software Optimization; Constant-Time Implementation
Online Access: https://tches.iacr.org/index.php/TCHES/article/view/9077