Fast and Frobenius: Rational Isogeny Evaluation over Finite Fields

TL;DR

This paper introduces optimized algorithms for evaluating elliptic curve isogenies over finite fields, significantly improving efficiency especially when the kernel point is defined over small extension fields, which benefits post-quantum cryptography.

Contribution

It presents new methods that enhance Vélu-style isogeny evaluation for small extension degrees and leverages Galois actions for further improvements.

Findings

Enhanced Vélu-style algorithms for k=1 using special addition chains.

Combined Galois action with isogeny evaluation for k>1.

Achieved faster isogeny computations in relevant cryptographic settings.

Abstract

Consider the problem of efficiently evaluating isogenies $\phi: E \to E/H$ of elliptic curves over a finite field $\mathbb{F}_q$, where the kernel $H = \langle G\rangle$ is a cyclic group of odd (prime) order: given $E$, $G$, and a point (or several points) $P$ on $E$, we want to compute $\phi(P)$. This problem is at the heart of efficient implementations of group-action- and isogeny-based post-quantum cryptosystems such as CSIDH. Algorithms based on V{\'e}lu's formulae give an efficient solution to this problem when the kernel generator $G$ is defined over $\mathbb{F}_q$. However, for general isogenies, $G$ is only defined over some extension $\mathbb{F}_{q^k}$, even though $\langle G\rangle$ as a whole (and thus $\phi$) is defined over the base field $\mathbb{F}_q$; and the performance of V{\'e}lu-style algorithms degrades rapidly as $k$ grows. In this article we revisit the isogeny-evaluation problem with a special focus on the case where $1 \le k \le 12$. We improve V{\'e}lu-style isogeny evaluation for many cases where $k = 1$ using special addition chains, and combine this with the action of Galois to give greater improvements when $k > 1$.