Fast and Frobenius: Rational Isogeny Evaluation over Finite Fields
share
Consider the problem of efficiently evaluating isogenies ϕ: E → E/H of elliptic curves over a finite field 𝔽_q, where the kernel H = ⟨ G⟩ is a cyclic group of odd (prime) order: given E, G, and a point (or several points) P on E, we want to compute ϕ(P). This problem is at the heart of efficient implementations of group-action- and isogeny-based post-quantum cryptosystems such as CSIDH. Algorithms based on Vélu's formulae give an efficient solution to this problem when the kernel generator G is defined over 𝔽_q. However, for general isogenies, G is only defined over some extension 𝔽_q^k, even though ⟨ G⟩ as a whole (and thus ϕ) is defined over the base field 𝔽_q; and the performance of Vélu-style algorithms degrades rapidly as k grows. In this article we revisit the isogeny-evaluation problem with a special focus on the case where 1 ≤ k ≤ 12. We improve Vélu-style isogeny evaluation for many cases where k = 1 using special addition chains, and combine this with the action of Galois to give greater improvements when k > 1.
READ FULL TEXT