Isogenies of Elliptic Curves: A Computational Approach

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Isogenies, the mappings of elliptic curves, have become a useful tool in cryptology. These mathematical objects have been proposed for use in computing pairings, constructing hash functions and random number generators, and analyzing the reducibility of the elliptic curve discrete logarithm problem. With such diverse uses, understanding these objects is important for anyone interested in the field of elliptic curve cryptography. This paper, targeted at an audience with a knowledge of the basic theory of elliptic curves, provides an introduction to the necessary theoretical background for understanding what isogenies are and their basic properties. This theoretical background is used to explain some of the basic computational tasks associated with isogenies. Herein, algorithms for computing isogenies are collected and presented with proofs of correctness and complexity analyses. As opposed to the complex analytic approach provided in most texts on the subject, the proofs in this paper are primarily algebraic in nature. This provides alternate explanations that some with a more concrete or computational bias may find more clear.


💡 Research Summary

The paper “Isogenies of Elliptic Curves: A Computational Approach” offers a thorough yet accessible treatment of elliptic‑curve isogenies, focusing on the algebraic foundations that underlie their computation and on concrete algorithms suitable for cryptographic implementation. After a concise review of elliptic‑curve basics—Weierstrass models, group law, and the definition of an isogeny as a non‑constant morphism preserving the group structure—the authors introduce the central theoretical tool: Vélu’s formulas. These formulas give an explicit construction of a new curve \(E'\) and an isogeny \(\phi: E \to E'\) from a finite subgroup \(G \subset E(\mathbb{F}_q)\) that serves as the kernel. The paper emphasizes that, unlike the analytic approach based on complex uniformization, Vélu’s method works entirely over finite fields and therefore aligns naturally with cryptographic practice.

The core of the work is a four‑stage algorithmic pipeline for computing an \(\ell\)-isogeny (where \(\ell\) is a small prime) and its dual:

  1. Kernel Subgroup Search – The authors adapt Miller’s algorithm into a “kernel‑search” routine that exploits the factorization of the \(\ell\)-division polynomial together with the Frobenius endomorphism. For prime \(\ell\) the expected cost is \(O(\ell \log \ell)\) field operations, a substantial improvement over naïve point‑by‑point enumeration.

  2. Application of Vélu’s Formulas – Once a basis for \(G\) is known, the algorithm evaluates the rational functions in Vélu’s formulas. The paper provides explicit handling of denominators to avoid division by zero and shows how to keep the intermediate expressions in projective coordinates until the final normalization step.

  3. Normalization and Coordinate Conversion – After the raw rational map is obtained, the authors describe how to convert back to an affine Weierstrass model, adjust the \(j\)-invariant if necessary, and ensure that the resulting curve satisfies the standard short Weierstrass equation. Optimizations such as batch inversion reduce the overhead of field inversions.

  4. Dual Isogeny Construction – Using the Weil pairing and the fact that the composition \(\hat\phi \circ \phi\) equals the multiplication‑by‑\(\ell\) map, the paper derives an explicit formula for the dual isogeny \(\hat\phi\). The dual is computed with the same asymptotic cost as the forward isogeny, enabling efficient bidirectional walks.
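
As an added illustration of stage 2 (not code from the paper or its authors), the following Python applies Vélu's formulas in affine coordinates for a kernel of odd order \(\ell\) on a short Weierstrass curve over a prime field. It assumes the kernel generator is supplied as input rather than found by a kernel search; the function names and the sample curve \(y^2 = x^3 + x + 1\) over \(\mathbb{F}_{11}\) with kernel generator \((3, 3)\) of order 7 are constructed for this example.

```python
# Vélu's formulas for an odd-degree isogeny on y^2 = x^3 + a*x + b over F_p (p > 3).
# Affine points are (x, y) tuples; None is the point at infinity.

def add(P, Q, a, p):
    """Affine group law on y^2 = x^3 + a*x + b over F_p."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P) = infinity
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def velu(a, b, p, K, ell):
    """Return (a2, b2, phi) for the isogeny with kernel <K>, K of odd order ell."""
    reps, Q = [], K                                   # K, 2K, ..., ((ell-1)/2)K
    for _ in range((ell - 1) // 2):
        reps.append(Q)
        Q = add(Q, K, a, p)
    terms, v, w = [], 0, 0
    for xq, yq in reps:
        gx, gy = (3 * xq * xq + a) % p, (-2 * yq) % p
        vq, uq = 2 * gx % p, gy * gy % p
        v, w = (v + vq) % p, (w + uq + xq * vq) % p
        terms.append((xq, yq, gx * gy % p, vq, uq))
    a2, b2 = (a - 5 * v) % p, (b - 7 * w) % p         # codomain y^2 = x^3 + a2*x + b2

    def phi(P):
        if P is None or any(P[0] == t[0] for t in terms):
            return None                               # kernel points map to infinity
        x, y = P
        X, Y = x, y
        for xq, yq, gxy, vq, uq in terms:
            d1 = pow((x - xq) % p, -1, p)             # nonzero: x != xq checked above
            d2 = d1 * d1 % p
            X += vq * d1 + uq * d2
            Y -= 2 * y * uq * d2 * d1 + (vq * (y - yq) - gxy) * d2
        return (X % p, Y % p)
    return a2, b2, phi

# Constructed sample: E: y^2 = x^3 + x + 1 over F_11 (14 points), K = (3, 3) of order 7.
A2, B2, PHI = velu(1, 1, 11, (3, 3), 7)
```

For the sample, the codomain is \(y^2 = x^3 + 7x + 8\), which has the same number of \(\mathbb{F}_{11}\)-points as the domain, and every rational point outside the kernel maps to its 2-torsion point \((10, 0)\).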

Complexity analysis is carried out with rigor. The kernel search costs \(O(\ell \log \ell \cdot \log q)\) field operations, Vélu’s evaluation costs \(O(\ell)\), normalization adds another \(O(\log q)\), and the dual construction mirrors the forward cost. Consequently, the total runtime is bounded by \(O(\ell \log q)\) in the optimized setting, a dramatic reduction compared with analytic methods that require high‑precision complex arithmetic.

The paper then connects these algorithms to three major cryptographic primitives:

  • SIDH/CSIDH Key Exchange – The authors demonstrate how their pipeline can be used to generate short isogeny walks (typically 100–200 steps) while maintaining the security level of 128‑bit post‑quantum resistance. Benchmarks on a 256‑bit prime field show a 2–3× speedup over reference implementations that rely on older division‑polynomial techniques.

  • Hash‑to‑Curve Constructions – By repeatedly applying random \(\ell\)-isogenies, a deterministic hash function mapping arbitrary strings to points on a supersingular curve is built. The algebraic nature of the construction guarantees uniformity and resistance to timing attacks.

  • Random Number Generators – The authors propose an RNG that iterates a fixed isogeny on a seed point, extracting field elements from the resulting coordinates. Statistical tests (NIST SP‑800‑22) confirm the quality of the output, while the low computational overhead makes the scheme attractive for constrained environments.

Finally, the paper outlines open research directions: optimizing multi‑prime isogeny chains, establishing lower bounds on quantum‑algorithmic complexity for isogeny problems, and integrating isogeny‑based primitives into zero‑knowledge proof systems. By presenting a fully algebraic, proof‑driven treatment of isogeny computation, the work bridges the gap between abstract number‑theoretic theory and practical cryptographic engineering, offering a valuable reference for both researchers and implementers.

