Key Compression for Isogeny-Based Cryptosystems

Abstract

We present a method for key compression in quantum-resistant isogeny-based cryptosystems, which reduces storage and transmission costs of per-party public information by a factor of two, with no effect on the security level of the scheme. We achieve this reduction by compressing both the representation of an elliptic curve, and torsion points on said curve. Compression of the elliptic curve is achieved by associating each j-invariant to a canonical choice of elliptic curve, and the torsion points will be represented as linear combinations with respect to a canonical choice of basis for this subgroup. This method of compressing public information can be applied to numerous isogeny-based protocols, such as key exchange, zero-knowledge identification, and public-key encryption. The details of utilizing compression for each of these cryptosystems is explained. We provide implementation results showing the computational cost of key compression and decompression at various security levels. Our results show that isogeny-based cryptosystems achieve the smallest possible key sizes among all existing families of post-quantum cryptosystems at practical security levels.