In [4]:
# Setup for binSIDH

import sys
import random
import time
import pandas as pd

from montgomery_xz import KummerLine
from montgomery_isogeny_original import KummerLineIsogenyComposite
from utilities import torsion_basis


N=1

proof.all(False)
random.seed(int(42))

lam = 128
ternary = False

for arg in sys.argv[1:]:
    if arg.lower() in ["--192"]:
        lam = 192
        break
    elif arg.lower() in ["--256"]:
        lam = 256
        break

for arg in sys.argv[1:]:
    if arg.lower() in ["--bin", "--binary"]:
        ternary = False
        break

params_binSIDH = [134, 192, 256]
params_terSIDH = [93, 128, 162]

if ternary:
    params = params_terSIDH
    keytypes = [[0, 1, 2], [0], [1], [2], [0, 1], [0, 2], [1, 2]]
else:
    params = params_binSIDH
    keytypes = [[1, 2], [1], [2]]

if lam == 128:
    t = params[0]
elif lam == 192:
    t = params[1]
elif lam == 256:
    t = params[2]
else:
    raise Exception("The security parameter needs to be 128, 192, or 256.")


def make_prime(p):
    '''
    Given a value `p`, finds a cofactor `f`
    such that p*f - 1 is prime.
    '''
    for i in range(1000):
        if (p*i - 1).is_prime():
            return p*i - 1, i

P = Primes()[:2*t:2]
Q = Primes()[1:2*t:2]


def compute_kernel_scalars(s, Alice=True):
    """ 
    Given a ternary secret `s`, returns scalars `B1` and `B2`
    such that the isogeny associated with `s` and orientation (P, Q)
    has kernel <[B1]*P + [B2]*Q>.
    The function also returns `order0` and `order1`, the orders
    of points [B1]*P and [B2]*Q, which is used in the isogeny computations.
    """
    B1 = 1
    B2 = 1
    order1 = 1
    order2 = 1

    t = len(s)

    if Alice:
        Prime = P
    else:
        Prime = Q
    
    for i, p in enumerate(Prime):
        if Alice and i == 0:
            p = 4

        if s[i] == 2:
            B2 *= p
            order1 *= p
        elif s[i] == 1:
            B1 *= p
            order2 *= p
        else:
            B1 *= p
            B2 *= p
    
    return B1, B2, order1, order2


##### Setup ############################

A = 2*prod(Primes()[:2*t:2]) # The 2* ensures that p \equiv 3 mod 4
B = prod(Primes()[1:2*t:2])

p, f = make_prime(A*B)


FF.<x> = GF(p)[]
F.<i> = GF(p^2, modulus=x^2+1) 
E0 = EllipticCurve(F, [0, 6, 0, 1, 0])
E0.set_order((p+1)**2) 

PA, QA = torsion_basis(E0, A)
PB, QB = torsion_basis(E0, B)

## Ensures that 2*PA != (0,0) and
## 2*QA != (0,0), which causes problems in
## computing isogenies with x-only arithmetic
if A//2 * PA == E0(0, 0):
    PA = PA + QA
elif A//2 * QA == E0(0, 0):
    QA = PA + QA 

assert A//2 * PA != E0(0, 0) and A//2 * QA != E0(0, 0)


E0 = KummerLine(E0)
xPA, xQA = E0(PA[0]), E0(QA[0])
xPB, xQB = E0(PB[0]), E0(QB[0])

In [5]:
# original functions
from montgomery_isogeny_original import KummerLineIsogenyComposite


def compute_kernel_scalars(s, Alice=True):
    """ 
    Given a ternary secret `s`, returns scalars `B1` and `B2`
    such that the isogeny associated with `s` and orientation (P, Q)
    has kernel <[B1]*P + [B2]*Q>.
    The function also returns `order0` and `order1`, the orders
    of points [B1]*P and [B2]*Q, which is used in the isogeny computations.
    """
    B1 = 1
    B2 = 1
    order1 = 1
    order2 = 1

    t = len(s)

    if Alice:
        Prime = P
    else:
        Prime = Q

    for i, p in enumerate(Prime):
        if Alice and i == 0:
            p = 4

        if s[i] == 2:
            B2 *= p
            order1 *= p
        elif s[i] == 1:
            B1 *= p
            order2 *= p
        else:
            B1 *= p
            B2 *= p

    return B1, B2, order1, order2


def keygen(A_points, B_points, keylist, Alice=True):
    # Extract Kummer points
    xP, xQ = A_points
    xR, xS = B_points

    # Generate the secret data
    # to check biased secret key, sk starts with [1, 2, 0]
    sk = [1, 2, 0]
    sk += random.choices(keylist, k=t-3)
    B1, B2, order1, order2 = compute_kernel_scalars(sk, Alice=Alice)
    sk = (B1, B2, order1, order2)

    # Compute the isogeny kernels
    xK1 = xP * B1
    xK2 = xQ * B2

    # Compute the first isogeny
    phi1 = KummerLineIsogenyComposite(E0, xK1, order1)
    xK2 = phi1(xK2)

    # Evaluate action on aux data
    xR, xS = phi1(xR), phi1(xS)

    # Compute the second isogeny from the codomain of phi0
    E1 = phi1.codomain()
    phi2 = KummerLineIsogenyComposite(E1, xK2, order2)

    # Evaluate action on aux data
    xR, xS = phi2(xR), phi2(xS)

    # Generate the masking values
    modulus = B if Alice else A  # modulus is the order of torsion points
    mask = modulus
    while gcd(mask, modulus) != 1:
        mask = random.randint(0, modulus)
    mask_inv = 1/mask % modulus

    # Scale the torsion images
    xR = mask * xR
    xS = mask_inv * xS

    # Compute the public data
    E2 = phi2.codomain()
    pk = (E2, xR, xS)

    return sk, pk


def shared(sk, pk):
    # Parse the private/public keys
    B1, B2, order1, order2 = sk
    E, xR, xS = pk

    # Compute the isogeny kernels
    xK1 = xR * B1
    xK2 = xS * B2

    # Compute the first isogeny
    phi1 = KummerLineIsogenyComposite(E, xK1, order1)
    xK2 = phi1(xK2)

    # Compute the second isogeny from the codomain of phi0
    E = phi1.codomain()
    phi2 = KummerLineIsogenyComposite(E, xK2, order2)

    EAB = phi2.codomain()
    return EAB.j_invariant()

In [6]:
# implementation of original binSIDH

import matplotlib.pyplot as plt
import numpy as np
import seaborn as sns
import pandas as pd

from montgomery_isogeny_original import KummerLineIsogenyComposite

keygen_timings_binSIDH = []

for keylist in keytypes:
    tt = [0, 0, 0, 0]
    ttr = []

    for _ in range(N):
        t0 = time.process_time_ns()
        skA, pkA = keygen((xPA, xQA), (xPB, xQB), keylist, Alice=True)
        tt[0] += time.process_time_ns() - t0

        t0 = time.process_time_ns()
        skB, pkB = keygen((xPB, xQB), (xPA, xQA), keylist, Alice=False)
        tt[1] += time.process_time_ns() - t0

        # t0 = time.process_time_ns()
        # ssA = shared(skA, pkB)
        # tt[2] += time.process_time_ns() - t0

        # t0 = time.process_time_ns()
        # ssB = shared(skB, pkA)
        # tt[3] += time.process_time_ns() - t0

        # assert ssA == ssB

    tt = [float(t) / N / 10 ^ 6 for t in tt]

    print("Key type is : ", keylist)
    print(f"KeyGen_A took {(tt[0]):.1f} ms")
    print(f"KeyGen_B took {(tt[1]):.1f} ms")
    # print(f"shared_A took {(tt[2]):.1f} ms")
    # print(f"shared_B took {(tt[3]):.1f} ms")
    print("")
    keygen_timings_binSIDH.append((tt[0]+tt[1])/2)

pd.DataFrame(
    {'1,2': [keygen_timings_binSIDH[0]],
     '1': [keygen_timings_binSIDH[1]],
     '2': [keygen_timings_binSIDH[2]],
     },
    index=['timing']
)

Key type is :  [1, 2]
KeyGen_A took 9592.7 ms
KeyGen_B took 9619.3 ms

Key type is :  [1]
KeyGen_A took 11862.5 ms
KeyGen_B took 11959.6 ms

Key type is :  [2]
KeyGen_A took 12896.5 ms
KeyGen_B took 13134.2 ms



Unnamed: 0,"1,2",1,2
timing,9605.9825,11911.0325,13015.3695


In [7]:
# Setup for terSIDH

import sys
import random
import time
import pandas as pd

from montgomery_xz import KummerLine
from montgomery_isogeny_original import KummerLineIsogenyComposite
from utilities import torsion_basis


proof.all(False)
random.seed(int(42))

lam = 128
ternary = True

for arg in sys.argv[1:]:
    if arg.lower() in ["--192"]:
        lam = 192
        break
    elif arg.lower() in ["--256"]:
        lam = 256
        break

for arg in sys.argv[1:]:
    if arg.lower() in ["--bin", "--binary"]:
        ternary = False
        break

params_binSIDH = [134, 192, 256]
params_terSIDH = [93, 128, 162]

if ternary:
    params = params_terSIDH
    keytypes = [[0, 1, 2], [0], [1], [2], [0, 1], [0, 2], [1, 2]]
else:
    params = params_binSIDH
    keytypes = [[1, 2], [1], [2]]

if lam == 128:
    t = params[0]
elif lam == 192:
    t = params[1]
elif lam == 256:
    t = params[2]
else:
    raise Exception("The security parameter needs to be 128, 192, or 256.")


def make_prime(p):
    '''
    Given a value `p`, finds a cofactor `f`
    such that p*f - 1 is prime.
    '''
    for i in range(1000):
        if (p*i - 1).is_prime():
            return p*i - 1, i

P = Primes()[:2*t:2]
Q = Primes()[1:2*t:2]


def compute_kernel_scalars(s, Alice=True):
    """ 
    Given a ternary secret `s`, returns scalars `B1` and `B2`
    such that the isogeny associated with `s` and orientation (P, Q)
    has kernel <[B1]*P + [B2]*Q>.
    The function also returns `order0` and `order1`, the orders
    of points [B1]*P and [B2]*Q, which is used in the isogeny computations.
    """
    B1 = 1
    B2 = 1
    order1 = 1
    order2 = 1

    t = len(s)

    if Alice:
        Prime = P
    else:
        Prime = Q
    
    for i, p in enumerate(Prime):
        if Alice and i == 0:
            p = 4

        if s[i] == 2:
            B2 *= p
            order1 *= p
        elif s[i] == 1:
            B1 *= p
            order2 *= p
        else:
            B1 *= p
            B2 *= p
    
    return B1, B2, order1, order2


##### Setup ############################

A = 2*prod(Primes()[:2*t:2]) # The 2* ensures that p \equiv 3 mod 4
B = prod(Primes()[1:2*t:2])

p, f = make_prime(A*B)


FF.<x> = GF(p)[]
F.<i> = GF(p^2, modulus=x^2+1) 
E0 = EllipticCurve(F, [0, 6, 0, 1, 0])
E0.set_order((p+1)**2) 

PA, QA = torsion_basis(E0, A)
PB, QB = torsion_basis(E0, B)

## Ensures that 2*PA != (0,0) and
## 2*QA != (0,0), which causes problems in
## computing isogenies with x-only arithmetic
if A//2 * PA == E0(0, 0):
    PA = PA + QA
elif A//2 * QA == E0(0, 0):
    QA = PA + QA 

assert A//2 * PA != E0(0, 0) and A//2 * QA != E0(0, 0)


E0 = KummerLine(E0)
xPA, xQA = E0(PA[0]), E0(QA[0])
xPB, xQB = E0(PB[0]), E0(QB[0])

In [8]:
# temporary functions
from montgomery_isogeny_original import KummerLineIsogenyComposite


def compute_kernel_scalars_temp2(s, Alice=True):
    """ 
    Given a ternary secret `s`, returns scalars `B0` and `B1`
    such that the isogeny associated with `s` and orientation (P, Q)
    has kernel <[B0]*P + [B1]*Q>.
    The function also returns `order0` and `order1`, the orders
    of points [B0]*P and [B1]*Q, which is used in the isogeny computations.
    """
    B0 = 1
    B1 = 1
    B2 = 1
    order0 = 1
    order1 = 1
    order2 = 1
    primes = 1

    t = len(s)

    if Alice:
        Primes = P
    else:
        Primes = Q

    for i, p in enumerate(Primes):
        if Alice and i == 0:
            p = 4

        primes *= p
        if s[i] == 2:
            B1 *= p
            order0 *= p
            B2 *= p
        elif s[i] == 1:
            B0 *= p
            order1 *= p
            B2 *= p
        else:
            B0 *= p
            B1 *= p
            order2 *= p

    return B0, B1, B2, order0, order1, order2, primes


def keygen_temp2(A_points, B_points, keylist, Alice=True):
    
    # Extract Kummer points
    xP, xQ = A_points
    xR, xS = B_points

    # Generate the secret data
    sk = [1, 2, 0]
    sk += random.choices(keylist, k=t-3)
    B0, B1, B2, order0, order1, order2, primes = compute_kernel_scalars_temp2(sk, Alice=Alice)
    sk = (B0, B1, B2, order0, order1, order2, primes)

    # Compute the isogeny kernels
    xK0 = xP
    xK1 = xQ
    xK2 = xQ

    # Compute the isogeny
    phi = KummerLineIsogenyComposite(E0, B0, xK0, order0, B1, xK1, order1, B2, xK2, order2, primes)
    xR, xS = phi(xR), phi(xS)

    # Generate the masking values
    modulus = B if Alice else A  # modulus is the order of torsion points
    mask = modulus
    while gcd(mask, modulus) != 1:
        mask = random.randint(0, modulus)
    mask_inv = 1/mask % modulus

    # Scale the torsion images
    xR = mask * xR
    xS = mask_inv * xS

    # Compute the public data
    E = phi.codomain()
    pk = (E, xR, xS)

    return sk, pk


def shared_temp2(sk, pk):
    # Parse the private/public keys
    B0, B1, B2, order0, order1, order2, primes = sk
    E, xR, xS = pk

    # Compute the isogeny kernels
    xK0 = xR
    xK1 = xS
    xK2 = xR

    # Compute the first isogeny
    phi2 = KummerLineIsogenyComposite(
        E, B0, xK0, order0, B1, xK1, order1, B2, xK2, order2, primes)

    EAB = phi2.codomain()
    
    return EAB.j_invariant()
    

In [9]:
# implementation of temp2 terSIDH
from montgomery_isogeny_temp2 import KummerLineIsogenyComposite

keygen_timings_temp = []


for keylist in keytypes:

    tt = [0, 0, 0, 0]

    for _ in range(N):
        t0 = time.process_time_ns()
        skA, pkA = keygen_temp2((xPA, xQA), (xPB, xQB), keylist, Alice=True)
        tt[0] += time.process_time_ns() - t0

        t0 = time.process_time_ns()
        skB, pkB = keygen_temp2((xPB, xQB), (xPA, xQA), keylist, Alice=False)
        tt[1] += time.process_time_ns() - t0

        # t0 = time.process_time_ns()
        # ssA = shared_temp(skA, pkB)
        # tt[2] += time.process_time_ns() - t0

        # t0 = time.process_time_ns()
        # ssB = shared_temp(skB, pkA)
        # tt[3] += time.process_time_ns() - t0

        # assert ssA == ssB

    tt = [float(t) / N / 10 ^ 6 for t in tt]

    print("Key type is : ", keylist)
    print(f"KeyGen_A took {(tt[0]):.1f} ms")
    print(f"KeyGen_B took {(tt[1]):.1f} ms")
    print("")
    keygen_timings_temp.append((tt[0]+tt[1])/2)

pd.DataFrame(
    {'original': [keygen_timings_temp[0]],
     '0': [keygen_timings_temp[1]],
     '1': [keygen_timings_temp[2]],
     '2': [keygen_timings_temp[3]],
     '0,1': [keygen_timings_temp[4]],
     '0,2': [keygen_timings_temp[5]],
     '1,2': [keygen_timings_temp[6]]},
    index=['timing']
)

Key type is :  [0, 1, 2]
KeyGen_A took 3918.4 ms
KeyGen_B took 3910.2 ms

Key type is :  [0]
KeyGen_A took 3830.3 ms
KeyGen_B took 3997.4 ms

Key type is :  [1]
KeyGen_A took 4003.6 ms
KeyGen_B took 3991.4 ms

Key type is :  [2]
KeyGen_A took 3948.9 ms
KeyGen_B took 3947.8 ms

Key type is :  [0, 1]
KeyGen_A took 3876.0 ms
KeyGen_B took 3903.1 ms

Key type is :  [0, 2]
KeyGen_A took 3960.1 ms
KeyGen_B took 3981.0 ms

Key type is :  [1, 2]
KeyGen_A took 3910.9 ms
KeyGen_B took 3938.8 ms



Unnamed: 0,original,0,1,2,"0,1","0,2","1,2"
timing,3914.284,3913.819,3997.494,3948.3305,3889.5755,3970.5395,3924.883


In [10]:
# temporary2 functions
from montgomery_isogeny_temp3 import KummerLineIsogenyComposite


def keygen_temp3(A_points, B_points, keylist, Alice=True):
    # Extract Kummer points
    xP, xQ = A_points
    xR, xS = B_points
    xT = xQ # dummy point
    
    # Generate the secret data
    # to check biased secret key, sk starts with [1, 2, 0]
    sk = [1, 2, 0]
    sk += random.choices(keylist, k=t-3)
    random.shuffle(sk)

    # Compute isogeny kernel
    if Alice:
        Prime = P        
        primes = A
        modulus = B
    else:
        Prime = Q        
        primes = B
        modulus = A

    order1 = 1
    order2 = 1
    order0 = 1
    
    # t0 = time.process_time_ns()
    for i, p in enumerate(Prime):
        if Alice and i == 0:
            p = 4

        if sk[i] == 2:
            xQ *= p
            order1 *= p
            xT *= p
        elif sk[i] == 1:
            xP *= p
            order2 *= p
            xT *= p
        else:
            xP *= p
            xQ *= p
            order0 *= p

    xPa, xQa = xP.curve_point(), xQ.curve_point()
    xK0 = E0((xPa + xQa)[0])
    print(xK0)

    orders = order1 * order2
    
    # Compute the isogeny
    phi = KummerLineIsogenyComposite(E0, xK0, orders, xT, primes)
    xR, xS = phi(xR), phi(xS)

    # Generate the masking values
    # modulus is the order of torsion points
    mask = modulus
    while gcd(mask, modulus) != 1:
        mask = random.randint(0, modulus)
    mask_inv = 1/mask % modulus

    # Scale the torsion images
    xR = mask * xR
    xS = mask_inv * xS

    # Compute the public data
    E = phi.codomain()
    pk = (E, xR, xS)
    
    return sk, pk

def shared_temp3(sk, pk, Alice=True):
    # Parse the private/public keys
    E, xR, xS = pk
    xT = xS # dummy point

    # Compute isogeny kernel
    if Alice:
        Prime = P        
        primes = A
        modulus = B
    else:
        Prime = Q        
        primes = B
        modulus = A

    order1 = 1
    order2 = 1
    order0 = 1
    
    for i, p in enumerate(Prime):
        if Alice and i == 0:
            p = 4

        if sk[i] == 2:
            xS *= p
            order1 *= p
            xT *= p
        elif sk[i] == 1:
            xR *= p
            order2 *= p
            xT *= p
        else:
            xR *= p
            xS *= p
            order0 *= p

    xRa, xSa = xR.curve_point(), xS.curve_point()
    xK = E((xRa + xSa)[0])

    orders = order1 * order2

    # Compute the first isogeny
    phi2 = KummerLineIsogenyComposite(E, xK, orders, xT, primes)

    EAB = phi2.codomain()

    return EAB.j_invariant()

In [11]:
# implementation of temp3 terSIDH


keygen_timings_temp3 = []

for keylist in keytypes:    
    tt = [0, 0, 0, 0]
    ttr = []
    
    for _ in range(N):
        t0 = time.process_time_ns()
        skA, pkA = keygen_temp3((xPA, xQA), (xPB, xQB), keylist, Alice=True)
        tt[0] += time.process_time_ns() - t0
    
        t0 = time.process_time_ns()
        skB, pkB = keygen_temp3((xPB, xQB), (xPA, xQA), keylist, Alice=False)
        tt[1] += time.process_time_ns() - t0
    
        t0 = time.process_time_ns()
        ssA = shared_temp3(skA, pkB, Alice=True)
        tt[2] += time.process_time_ns() - t0
    
        t0 = time.process_time_ns()
        ssB = shared_temp3(skB, pkA, Alice=False)
        tt[3] += time.process_time_ns() - t0
    
        assert ssA == ssB
    
    tt = [float(t) / N / 10^6 for t in tt]

    print("Key type is : ", keylist)
    print(f"KeyGen_A took {((tt[0]+tt[1])/2):.1f} ms")
    print(f"KeyGen_B took {(tt[1]):.1f} ms")
    print(f"shared_A took {(tt[2]):.1f} ms")
    print(f"shared_B took {(tt[3]):.1f} ms")
    print("")
    keygen_timings_temp3.append((tt[0]+tt[1])/2)

pd.DataFrame(
    {'original' : [keygen_timings_temp3[0]],
     '0' : [keygen_timings_temp3[1]],
     '1' : [keygen_timings_temp3[2]],
     '2' : [keygen_timings_temp3[3]],
     '0,1' : [keygen_timings_temp3[4]],
     '0,2' : [keygen_timings_temp3[5]],
     '1,2' : [keygen_timings_temp3[6]]},
     index = ['timing']
)

Kummer Point [32378278399211269542438073460680230403809708121949787875711566885190109808817100877081731136168106266069680190667345919041927462298597978737655950483258821391220601289541376089374504324689191421965829305462469378575938016913951818346183353079378042401896803075094741997293785958346424854927397291493756272869897366262616842608678378837149443748604683297724509776535954952072257183455468561982870605374252673042365572145880404029609451613935841354064528208178203123813078136*i + 30774706278281075686588321527003539863526611454263584041775817449634247298439503195363961790650804616322591628870978807258310163840239550134517021355848280165660609124910372844780657249828157636423015022147372572492727096019805702254338124592088260122916018120145612695232401304074566613923545284201043042579246262084560995915597261038716919477146111206801697877833789895554133979531408296434040377784599914480585321357457972622731956715277813918350901171734997730134355616 : 1] on Kummer line of the Montgom

Unnamed: 0,original,0,1,2,"0,1","0,2","1,2"
timing,3338.968,3362.7975,3321.1505,3296.502,3306.334,3339.146,3351.501


In [12]:
# time table
empty = '-'
col = ['original', '0', '1', '2', '0,1', '0,2', '1,2']
ind = ['이전 terSIDH', '최신 terSIDH']
con = [[keygen_timings_temp[0], keygen_timings_temp[1], keygen_timings_temp[2],
        keygen_timings_temp[3], keygen_timings_temp[4], keygen_timings_temp[5],
        keygen_timings_temp[6]],
      [keygen_timings_temp3[0], keygen_timings_temp3[1], keygen_timings_temp3[2],
        keygen_timings_temp3[3], keygen_timings_temp3[4], keygen_timings_temp3[5],
        keygen_timings_temp3[6]]]

df = pd.DataFrame(con, columns=col, index=ind)
df

Unnamed: 0,original,0,1,2,"0,1","0,2","1,2"
이전 terSIDH,3914.284,3913.819,3997.494,3948.3305,3889.5755,3970.5395,3924.883
최신 terSIDH,3338.968,3362.7975,3321.1505,3296.502,3306.334,3339.146,3351.501


In [19]:
# reverse fucntion
from montgomery_isogeny_reverse import KummerLineIsogenyComposite

N = 10

def keygen_reverse(A_points, B_points, keylist, Alice=True):
    # Extract Kummer points
    xP, xQ = A_points
    xR, xS = B_points

    # Generate the secret data
    # to check biased secret key, sk starts with [1, 2, 0]
    sk = [1, 2, 0]
    sk += random.choices(keylist, k=t-3)
    B1, B2, order1, order2 = compute_kernel_scalars(sk, Alice=Alice)
    sk = (B1, B2, order1, order2)

    # Compute the isogeny kernels
    xK1 = xP * B1
    xK2 = xQ * B2

    # Compute the first isogeny
    phi1 = KummerLineIsogenyComposite(E0, xK1, order1)
    xK2 = phi1(xK2)

    # Evaluate action on aux data
    xR, xS = phi1(xR), phi1(xS)

    # Compute the second isogeny from the codomain of phi0
    E1 = phi1.codomain()
    phi2 = KummerLineIsogenyComposite(E1, xK2, order2)

    # Evaluate action on aux data
    xR, xS = phi2(xR), phi2(xS)

    # Generate the masking values
    modulus = B if Alice else A  # modulus is the order of torsion points
    mask = modulus
    while gcd(mask, modulus) != 1:
        mask = random.randint(0, modulus)
    mask_inv = 1/mask % modulus

    # Scale the torsion images
    xR = mask * xR
    xS = mask_inv * xS

    # Compute the public data
    E2 = phi2.codomain()
    pk = (E2, xR, xS)

    return sk, pk


def shared_reverse(sk, pk):
    # Parse the private/public keys
    B1, B2, order1, order2 = sk
    E, xR, xS = pk

    # Compute the isogeny kernels
    xK1 = xR * B1
    xK2 = xS * B2

    # Compute the first isogeny
    phi1 = KummerLineIsogenyComposite(E, xK1, order1)
    xK2 = phi1(xK2)

    # Compute the second isogeny from the codomain of phi0
    E = phi1.codomain()
    phi2 = KummerLineIsogenyComposite(E, xK2, order2)

    EAB = phi2.codomain()
    return EAB.j_invariant()

In [20]:
# implementation of reverse terSIDH
from montgomery_isogeny_reverse import KummerLineIsogenyComposite

keygen_timings_reverse = []

keytypes_temp = [[0,1,2]]

for keylist in keytypes_temp:
    tt = [0, 0, 0, 0]
    ttr = []

    for _ in range(N):
        t0 = time.process_time_ns()
        skA, pkA = keygen_reverse((xPA, xQA), (xPB, xQB), keylist, Alice=True)
        tt[0] += time.process_time_ns() - t0

        t0 = time.process_time_ns()
        skB, pkB = keygen_reverse((xPB, xQB), (xPA, xQA), keylist, Alice=False)
        tt[1] += time.process_time_ns() - t0

        # t0 = time.process_time_ns()
        # ssA = shared_temp(skA, pkB)
        # tt[2] += time.process_time_ns() - t0

        # t0 = time.process_time_ns()
        # ssB = shared_temp(skB, pkA)
        # tt[3] += time.process_time_ns() - t0

        # assert ssA == ssB

    tt = [float(t) / N / 10 ^ 6 for t in tt]

    print("Key type is : ", keylist)
    print(f"KeyGen_A took {((tt[0]+tt[1])/2):.1f} ms")
    # print(f"KeyGen_B took {(tt[1]):.1f} ms")
    # print(f"shared_A took {(tt[2]):.1f} ms")
    # print(f"shared_B took {(tt[3]):.1f} ms")
    print("")
    keygen_timings_reverse.append((tt[0]+tt[1])/2)

pd.DataFrame(
    {'original': [keygen_timings_reverse[0]]},
    index=['timing']
)

Key type is :  [0, 1, 2]
KeyGen_A took 1681.4 ms
KeyGen_B took 1707.6 ms



Unnamed: 0,original
timing,1681.402


In [21]:
# random fucntion
from montgomery_isogeny_random import KummerLineIsogenyComposite

def keygen_random(A_points, B_points, keylist, Alice=True):
    # Extract Kummer points
    xP, xQ = A_points
    xR, xS = B_points

    # Generate the secret data
    # to check biased secret key, sk starts with [1, 2, 0]
    sk = [1, 2, 0]
    sk += random.choices(keylist, k=t-3)
    B1, B2, order1, order2 = compute_kernel_scalars(sk, Alice=Alice)
    sk = (B1, B2, order1, order2)

    # Compute the isogeny kernels
    xK1 = xP * B1
    xK2 = xQ * B2

    # Compute the first isogeny
    phi1 = KummerLineIsogenyComposite(E0, xK1, order1)
    xK2 = phi1(xK2)

    # Evaluate action on aux data
    xR, xS = phi1(xR), phi1(xS)

    # Compute the second isogeny from the codomain of phi0
    E1 = phi1.codomain()
    phi2 = KummerLineIsogenyComposite(E1, xK2, order2)

    # Evaluate action on aux data
    xR, xS = phi2(xR), phi2(xS)

    # Generate the masking values
    modulus = B if Alice else A  # modulus is the order of torsion points
    mask = modulus
    while gcd(mask, modulus) != 1:
        mask = random.randint(0, modulus)
    mask_inv = 1/mask % modulus

    # Scale the torsion images
    xR = mask * xR
    xS = mask_inv * xS

    # Compute the public data
    E2 = phi2.codomain()
    pk = (E2, xR, xS)

    return sk, pk


def shared_random(sk, pk):
    # Parse the private/public keys
    B1, B2, order1, order2 = sk
    E, xR, xS = pk

    # Compute the isogeny kernels
    xK1 = xR * B1
    xK2 = xS * B2

    # Compute the first isogeny
    phi1 = KummerLineIsogenyComposite(E, xK1, order1)
    xK2 = phi1(xK2)

    # Compute the second isogeny from the codomain of phi0
    E = phi1.codomain()
    phi2 = KummerLineIsogenyComposite(E, xK2, order2)

    EAB = phi2.codomain()
    return EAB.j_invariant()

In [22]:
# implementation of random terSIDH
from montgomery_isogeny_random import KummerLineIsogenyComposite

keygen_timings_random = []

keytypes_temp = [[0,1,2]]

for keylist in keytypes_temp:
    tt = [0, 0, 0, 0]
    ttr = []

    for _ in range(N):
        t0 = time.process_time_ns()
        skA, pkA = keygen_random((xPA, xQA), (xPB, xQB), keylist, Alice=True)
        tt[0] += time.process_time_ns() - t0

        t0 = time.process_time_ns()
        skB, pkB = keygen_random((xPB, xQB), (xPA, xQA), keylist, Alice=False)
        tt[1] += time.process_time_ns() - t0

        # t0 = time.process_time_ns()
        # ssA = shared_temp(skA, pkB)
        # tt[2] += time.process_time_ns() - t0

        # t0 = time.process_time_ns()
        # ssB = shared_temp(skB, pkA)
        # tt[3] += time.process_time_ns() - t0

        # assert ssA == ssB

    tt = [float(t) / N / 10 ^ 6 for t in tt]

    print("Key type is : ", keylist)
    print(f"KeyGen_A took {((tt[0]+tt[1])/2):.1f} ms")
    # print(f"KeyGen_B took {(tt[1]):.1f} ms")
    # print(f"shared_A took {(tt[2]):.1f} ms")
    # print(f"shared_B took {(tt[3]):.1f} ms")
    print("")
    keygen_timings_random.append((tt[0]+tt[1])/2)

pd.DataFrame(
    {'original': [keygen_timings_random[0]]},
    index=['timing']
)

Key type is :  [0, 1, 2]
KeyGen_A took 1693.1 ms
KeyGen_B took 1706.1 ms



Unnamed: 0,original
timing,1693.14715


In [23]:
# time table
empty = '-'
col = ['original', '0', '1', '2', '0,1', '0,2', '1,2']
ind = ['original terSIDH', 'temp terSIDH']
con = [[keygen_timings_temp3[0], keygen_timings_temp3[1], keygen_timings_temp3[2], 
        keygen_timings_temp3[3], keygen_timings_temp3[4], keygen_timings_temp3[5], 
        keygen_timings_temp3[6]],
       [keygen_timings_temp[0], keygen_timings_temp[1], keygen_timings_temp[2],
        keygen_timings_temp[3], keygen_timings_temp[4], keygen_timings_temp[5],
        keygen_timings_temp[6]]]

df = pd.DataFrame(con, columns=col, index=ind)
df

Unnamed: 0,original,0,1,2,"0,1","0,2","1,2"
original terSIDH,3338.968,3362.7975,3321.1505,3296.502,3306.334,3339.146,3351.501
temp terSIDH,3914.284,3913.819,3997.494,3948.3305,3889.5755,3970.5395,3924.883


In [24]:
print("random : ", keygen_timings_reverse[0])
print("reverse : ", keygen_timings_random[0])

random :  1681.402
reverse :  1693.14715
