Extended supersingular isogeny Diffie-Hellman key exchange protocol: Revenge of the SIDH

The supersingular isogeny Diffie-Hellman key exchange protocol (SIDH) was introduced by Jao and De Feo in 2011. SIDH operates on supersingular elliptic curves defined over Fp2, where p is a large prime number of the form p=4eA3eB-1 and e(A) and e(B) are positive integers such that 4eA approximate to 3eB. A variant of the SIDH protocol, dubbed extended SIDH (eSIDH), is presented. The eSIDH makes use of primes of the form p=4eAlBeBlCeCf-1. Here l(B) and l(C) are two small prime numbers; f is a cofactor; and e(A), e(B), and e(C) are positive integers such that 4eA approximate to lBeBlCeC. It is shown that for many relevant instantiations of the SIDH protocol, this new family of primes enjoys faster field arithmetic than the one associated with traditional SIDH primes. Furthermore, its richer opportunities for parallelism yield a noticeable speed-up factor when implemented on multicore platforms. A supersingular isogeny key encapsulation (SIKE) instantiation using the prime eSIDH-p765 yields an acceleration factor of 1.06, 1.15 and 1.14 over a SIKE instantiation with the prime SIKE-p757 when implemented on k = {1, 2, 3}-core processors. To the authors' knowledge, this work reports the first multicore implementation of SIDH and SIKE.