Sitemap

We show that Montgomery ladders compute pairings as a by-product, and explain how a small adjustment to the ladder results in simple and efficient algorithms for the Weil and Tate pairing on elliptic curves using cubical arithmetic. We demonstrate the efficiency of the resulting cubical pairings in several applications from isogeny-based cryptography. Cubical pairings are simpler and more performant than pairings computed using Miller’s algorithm: we get a speed-up of over 40 per cent for use-cases in SQIsign, and a speed-up of about 7 per cent for use-cases in CSIDH. While these results arise from a deep connection to biextensions and cubical arithmetic, in this article we keep things as concrete (and digestible) as possible. We provide a concise and complete introduction to cubical arithmetic as an appendix.

Published in IACR Communications In Cryptology, Volume 2, no. 2, 2025

SageMath implementation of pairings on genus-2 Jacobians using cubical arithmetic on theta coordinates

Arithmetic on abelian varieties via the use of algebraic theta functions. Algorithms describing the group law, $(2,\dots,2)$-isogenies, pairings. Application of these algorithms on SQIsign2D verification.

Pairings are an important tool in elliptic curve- and isogeny-based cryptography. We show pairing computations can be practical even over generic elliptic curves and field characteristics without optimized parameters, via an approach proposed by Robert (2024). Using cubical arithmetic on an elliptic curve, resulting from a small adjustment to standard projective x-only point arithmetic, pairing information comes as a direct by-product of Montgomery ladders. Cubical pairings are simpler and more performant than state-of-the-art pairings computed using Miller’s algorithm, in the case of generic base fields and curves. We observe speedups in use-cases in isogeny based cryptography (around 1.7x in SQIsign, 1.075x in CSIDH) and we discuss the practicality of the new approach when applied to other contexts.

Discussion of eprint 2025/672, with focus on the relevant aspects to pairing-based cryptography.

Pairings are an important tool in elliptic curve- and isogeny-based cryptography. We show pairing computations can be practical even over generic elliptic curves and field characteristics without optimized parameters, via an approach proposed by Robert (2024). Using cubical arithmetic on an elliptic curve, resulting from a small adjustment to standard projective x-only point arithmetic, pairing information comes as a direct by-product of Montgomery ladders. Cubical pairings are simpler and more performant than state-of-the-art pairings computed using Miller’s algorithm, in the case of generic base fields and curves. We observe speedups in use-cases in isogeny based cryptography (around 1.7x in SQIsign, 1.075x in CSIDH) and we discuss the practicality of the new approach when applied to other contexts.

The course Analysis für Informatik is an undergraduate (3rd semester) course in the Computer Science bachelor’s degree at TUM, led by Nina Gantert and Quirin Vogel. I hold weekly tutorials, helping the students solve exercises related to the course.

Bachelor's degree course - tutorials, Technical University of Munich, Winter semester 2024

The course Coding Theory is a course offered in the master’s degrees of Mathematics and of Computer Science TUM (Munich), led by Violetta Weger. I hold weekly tutorials, helping the students solve exercises related to the course.

Master's degree course - tutorials, Technical University of Munich, Summer semester 2025

The course Cryptography and Cryptanalysis is a course offered in the master’s degrees of Mathematics and of Computer Science TUM (Munich), led by Lorenz Panny. In this course, the students have to solve weekly CTF-style cryptanalysis challenges. I hold weekly tutorials, presenting the challenges and helping the students solve them.

Master degree course - tutorials, Technical University of Munich, Summer semester 2025