We present new candidates for quantum-resistant public-key
cryptosystems based on the conjectured difficulty of finding isogenies
between supersingular elliptic curves. The main technical idea in our
scheme is that we transmit the images of torsion bases under the isogeny
in order to allow the parties to construct a shared commutative square
despite the non-commutativity of the endomorphism ring.
We give a precise formulation of the necessary computational assumptions
along with a discussion of their validity, and prove the
security of our
protocols under these assumptions. In addition, we present implementation
results showing that our protocols are multiple orders of magnitude faster
than previous isogeny-based cryptosystems over ordinary curves.
This paper is an extended version of
[Lecture Notes in Comput. Sci. 7071, Springer (2011), 19–34].
We add a new zero-knowledge identification scheme and detailed security proofs for
the protocols. We also present a new, asymptotically faster, algorithm
for key generation, a thorough study of its optimization, and new