1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
# PEGASIS
## Examples
This code is compatible with `sage 10.5`.
The general API is as follows
```python
from pegasis import PEGASIS
EGA = PEGASIS(500) # 1000 | 1500 | 2000 | 4000
a = EGA.sample_ideal()
Ea = EGA.action(EGA.E_start, a)
```
### Key Exchange
Run (and check) a CSIDH key exchange
```python
from pegasis import PEGASIS
lvl = 500 # 1000 | 1500 ...
# Two distinct instances: there is no shared stateful information
Alice = PEGASIS(lvl)
Bob = PEGASIS(lvl)
assert Alice.E_start == Bob.E_start
alice_seckey = Alice.sample_ideal()
alice_pubkey = Alice.action(Alice.E_start, alice_seckey)
bob_seckey = Bob.sample_ideal()
bob_pubkey = Bob.action(Bob.E_start, bob_seckey)
alice_shared_secret = Alice.action(bob_pubkey, alice_seckey)
bob_shared_secret = Bob.action(alice_pubkey, bob_seckey)
assert alice_shared_secret == bob_shared_secret
```
### Timings
Timings contained in the paper may be verified by running
```bash
$ python -O time_pegasis.py [-p {500,1000,1500,2000,4000}] [--nruns <num>] [--precompute | --no-precompute]
```
- `-p` set the underlying prime size
- `--nruns` set how many runs to execute
- `--precompute`, pass this option to precompute strategies for 4D isogeny
computations before beginning
**The `-O` switch must be passed to python, else expensive assertions will
affect timings**
Defaults to `-p 500 --nrun 5 --no-precompute`
### Testing
To test whether the library computes key exchanges correctly, run
`test_key_exchange.py`. It performs the key exchange example above in an
infinite loop and prints some crude timing information whilst doing so.
(For development) To test whether the action is computing the same outputs every
time, use `test_consistency.py`. It allows you to generate test vectors as
follows
```bash
$ python -O test_consistency.py --generate 10 --save /tmp/test_vectors.txt
```
then after some changes have been made, you can execute
```bash
$ python -O test_consistency.py --verify /tmp/test_vectors.txt
```
We have supplied test vectors in the repository `test_vectors.txt`.
## Additional information
- The code is a proof of concept, and as such contains various unnecessary
assertions that may slow down the computation; to ignore them, use the
`-O` flag (e.g. `sage --python -O script.py`)
- additional information may be printed by adding the following snippet at the
beginning of the code:
```python
import logging
logging.getLogger("pegasis").setLevel(logging.INFO) #or logging.DEBUG
logging.getLogger("lcsidh").setLevel(logging.INFO)
```
## Project structure
- `Theta_dim4`: code for computing with 4D isogenies imported as a submodule from <https://github.com/Pierrick-Dartois/Theta_dim4>
- `pegasis.py`: contains `PEGASIS`, the main class running the algorithm
- `coin.py`: utilities to solve the norm equation with u and v sums of squares
- `const_precomp.py`: precomputed constants for trial division
- `elkies.py`: Elkies algorithm for computing rational isogenies
- `ideal.py`: code for handling fractional ideals
- `lcsidh.py`: solve the norm equation for a given ideal
- `xonly.py`: code for x-only arithmetic on Montgomery curves
- `uv_params.py`: contains the parameters for solving the norm equation
("finding uv")
- `test_vectors.txt`: contains test vectors for verification
## License
See [LICENSE](LICENSE)
Copyright 2025
Pierrick Dartois, Jonathan Komada Eriksen, Tako Boris Fouotsa, Arthur Herlédan
Le Merdy, Riccardo Invernizzi, Damien Robert, Ryan Rueger, Frederik Vercauteren,
Benjamin Wesolowski
Third party code is used in this library:
- `Theta_dim4`; Apache 2.0: "Copyright (c) 2025 Pierrick Dartois"
|
