Copyright 2011-2016 Luca De Feo http://defeo.lu/.

This software implements the cryptosystem described in

D. Jao and L. De Feo, Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Post-Quantum Cryptography, Nov 2011, Taipei, Taiwan. Springer, LNCS 7071, pp. 19-34, 2011.

L. De Feo, D. Jao and J. Plût, Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Journal of Mathematical Cryptology, 8(3), pp. 209-247. De Gruyter, 2014.

WARNING: This code is obsolete. For a modern treatment, please see the official code for the NIST candidate SIKE, and the additional implementations referenced here.

Just clone or download this repo.

You will need a recent version of Sage and a C compiler. This version has been tested with Sage 6.10 and gcc 5.2.1.

In a Sage shell type

sage: load('pqcrypto11.sage')

Some predefined key sizes are stored in a string-indexed dictionary called 'parameters'. Read pqcrypto11.sage to find them out.

Public data for a cryptosystem are generated via a call to ss_isogeny_gen. For example, to obtain parameters relative to a 40-bit prime, type

sage: set_verbose(1)
sage: pdata = ss_isogeny_gen(**parameters['2-3-40'])

The key exchange is performed by ss_isogeny_exchange. Type

sage: ss_isogeny_exchange(*pdata)
sage: set_verbose(0)

The function ss_isogeny runs both previous functions in one. The previous sequence of commands is equivalent to

sage: ss_isogeny('2-3-40', verbose=1)

Additional parameters can be passed to these functions, read pqcrypto11.sage.

NOTE: The file gfp2.c can be compiled as a standalone program with

gcc -lgmp gfp2.c

Then it can be run to gather estimates on the running times of doublings, triplings, 2 and 3-isogeny evaluations. These data can be used to tune up (via the dictionary "weights" in pqcrypto11.sage) the key exchange algorithm.

Many thanks to those who have helped in testing and fixing this software.

• David Jao,
• Jérôme Plût,
• Erik Nellessen.
• Adarsh Saraf,
• Srinath,
• Miha Marolt @miham