Fast and Frobenius: Rational Isogeny Evaluation over Finite Fields

Abstract

Consider the problem of efficiently evaluating isogenies φ: E E/H of elliptic curves over a finite field Fq, where the kernel H = G is a cyclic group of odd (prime) order: given E, G, and a point (or several points) P on E, we want to compute φ(P). This problem is at the heart of efficient implementations of group-action- and isogeny-based post-quantum cryptosystems such as CSIDH. Algorithms based on V\'elu's formulae give an efficient solution to this problem when the kernel generator G is defined over Fq. However, for general isogenies, G is only defined over some extension Fqk, even though G as a whole (and thus φ) is defined over the base field Fq; and the performance of V\'elu-style algorithms degrades rapidly as k grows. In this article we revisit the isogeny-evaluation problem with a special focus on the case where 1 k 12. We improve V\'elu-style isogeny evaluation for many cases where k = 1 using special addition chains, and combine this with the action of Galois to give greater improvements when k > 1.