E cient Scalar Multiplication by Isogeny Decompositions

On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication by ` map [`] has degree `, therefore the complexity to directly evaluate [`](P ) is O(`). For a small prime ` (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curves admits an isogeny φ of degree ` then the costs of computing φ(P ) should in contrast be O(`) eld operations. Since we then have a product expression [`] = φ̂φ, the existence of an `-isogeny φ on an elliptic curve yields a theoretical improvement from O(`) to O(`) eld operations for the evaluation of [`](P ) by naïve application of the de ning polynomials. In this work we investigate actual improvements for small ` of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [`] = φ̂φ, and provide explicit examples of such a family of curves with simple decomposition for [3]. Finally we derive a new tripling algorithm to nd complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation to non-adjacent forms for `-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.