Fast Arithmetic Modulo 2xpy± 1.

We give a systematic overview of techniques to compute arithmetic modulo 2 ^x p ^y ± 1 and propose improvements. This is useful for computations in the supersingular isogeny Diffie-Hellman (SIDH) key-exchange protocol which is one of the more recent contenders in the post-quantum public-key arena. One of the main computational bottlenecks in this cryptographic key-exchange protocol is computing modular arithmetic in a finite field defined by a prime of this special shape. Recent implementations already use this special prime shape to speed up the cryptographic implementations but it remains unclear if the choices made are optimal or if one can do better. Our overview shows that in the SIDH setting, where arithmetic over a quadratic extension field is required, the approaches based on Montgomery multiplication are to be preferred. Based on our results, we give selection criteria for such moduli and the outcome of our search reveals that there exist moduli which result in even faster implementations.