Fast and Frobenius: Rational Isogeny Evaluation over Finite Fields

Consider the problem of efficiently evaluating isogenies phi : E -> E/H of elliptic curves over a finite field F-q, where the kernel H = < G > is a cyclic group of odd (prime) order: given E, G, and a point (or several points) P on E, we want to compute phi(P). This problem is at the heart of efficient implementations of group-action- and isogeny-based post-quantum cryptosystems such as CSIDH. Algorithms based on Velu's formulae give an efficient solution when the kernel generator G is defined over F-q, but for general isogenies G is only defined over some extension F-qk, even though < G > as a whole (and thus phi) is defined over the base field F-q; and the performance of Velu-style algorithms degrades rapidly as k grows. In this article we revisit isogeny evaluation with a special focus on the case where 1 <= k <= 12. We improve Velu-style evaluation for many cases where k = 1 using special addition chains, and combine this with the action of Galois to give greater improvements when k > 1.