Fast and Frobenius: Rational Isogeny Evaluation over Finite Fields
share
Consider the problem of efficiently evaluating isogenies Ļ: E ā E/H of elliptic curves over a finite field š½_q, where the kernel H = āØ Gā© is a cyclic group of odd (prime) order: given E, G, and a point (or several points) P on E, we want to compute Ļ(P). This problem is at the heart of efficient implementations of group-action- and isogeny-based post-quantum cryptosystems such as CSIDH. Algorithms based on VĆ©lu's formulae give an efficient solution to this problem when the kernel generator G is defined over š½_q. However, for general isogenies, G is only defined over some extension š½_q^k, even though āØ Gā© as a whole (and thus Ļ) is defined over the base field š½_q; and the performance of VĆ©lu-style algorithms degrades rapidly as k grows. In this article we revisit the isogeny-evaluation problem with a special focus on the case where 1 ā¤ k ā¤ 12. We improve VĆ©lu-style isogeny evaluation for many cases where k = 1 using special addition chains, and combine this with the action of Galois to give greater improvements when k > 1.
READ FULL TEXT
