Computing supersingular endomorphism rings using inseparable endomorphisms

Jenny Fuselier, Annamaria Iezzi, Mark Kozek, Travis Morrison, Changningphaabi Namoijam

TL;DR

This work introduces an efficient, GRH-assisted method to compute endomorphism data for supersingular elliptic curves by producing inseparable endomorphisms (inseparable reflections). By carefully controlling the arithmetic of the generated quaternionic orders, two such endomorphisms yield a Bass suborder of $\operatorname{End}(E)$, and, with subexponential overhead, $\operatorname{End}(E)$ itself via existing maximal-order enumeration frameworks. The approach improves practical performance by requiring only one path to $\mathbb F_p$-rational curves, and it provides provable (under GRH) time bounds of $O(p^{1/2}(\log p)^2(\log\log p)^3)$ bit operations with polylog storage. A heuristic, storage-efficient variant targets generating $\mathbb Z+P$ first and then $\operatorname{End}(E)$, supported by experimental evidence that the number of inseparable reflections needed is a small constant. Altogether, the paper advances both the theoretical understanding and practical computation of supersingular endomorphism rings through inseparable endomorphisms and Bass-order techniques.

Abstract

We give an algorithm for computing an inseparable endomorphism of a supersingular elliptic curve $E$ defined over $\mathbb F_{p^2}$, which, conditional on GRH, runs in expected $O(p^{1/2}(\log p)^2(\log\log p)^3)$ bit operations and requires $O((\log p)^2)$ storage. This matches the time and storage complexity of the best conditional algorithms for computing a nontrivial supersingular endomorphism, such as those of Eisenträger-Hallgren-Leonardi-Morrison-Park and Delfs-Galbraith. Unlike these prior algorithms, which require two paths from $E$ to a curve defined over $\mathbb F_p$, the algorithm we introduce only requires one; thus when combined with the algorithm of Corte-Real Santos-Costello-Shi, our algorithm will be faster in practice. Moreover, our algorithm produces endomorphisms with predictable discriminants, enabling us to prove properties about the orders they generate. With two calls to our algorithm, we can provably compute a Bass suborder of $\operatorname{End}(E)$. This result is then used in an algorithm for computing a basis for $\operatorname{End}(E)$ with the same time complexity, assuming GRH. We also argue that $\operatorname{End}(E)$ can be computed using $O(1)$ calls to our algorithm along with polynomial overhead, conditional on a heuristic assumption about the distribution of the discriminants of these endomorphisms. Conditional on GRH and this additional heuristic, this yields a $O(p^{1/2}(\log p)^2(\log\log p)^3)$ algorithm for computing $\operatorname{End}(E)$ requiring $O((\log p)^2)$ storage.

Paper Structure

This paper contains 33 sections, 24 theorems, 85 equations, 2 figures, 3 algorithms.

Key Result

Theorem 1

On input a supersingular elliptic curve $E$ defined over $\mathbb{F}_{p^2}$, Algorithm alg:bass computes a basis of a Bass suborder of $\mathop{\mathrm{End}}\nolimits(E)$. Assuming the Generalized Riemann Hypothesis, the algorithm terminates in an expected $O(p^{1/2}(\log p)^2(\log\log p)^3)$ number

Figures (2)

  • Figure 1: Collected data for testing Heuristic \ref{heuristic:coprime}. Orange bars represent the experimental probability that $\gcd\left(\mathop{\mathrm{disc}}\nolimits\left(\frac{\alpha_1\alpha_2}{p}\right),\mathop{\mathrm{disc}}\nolimits\left(\frac{\alpha_3\alpha_4}{p}\right)\right)=1$, blue bars represent the experimental probability that $1,\alpha_1,\alpha_2,\alpha_3,\alpha_4$ generate $\mathbb Z+P$, where $\alpha_i$ are inseparable reflections of a supersingular elliptic curve. Averages of the two frequencies are plotted as well.
  • Figure 2: Collected data for testing heuristic in Remark \ref{rmk:secondheuristic}. Orange bars represent the experimental probability that $\gcd\left(\mathop{\mathrm{disc}}\nolimits\left(D_1,D_2\right)\right)=4p^2$, blue bars represent the experimental probability that $1,\alpha_{11},\alpha_{12},\alpha_{21},\alpha_{22}$ generate $\mathbb{Z}+P$ where $\alpha_{ij}$ are random elements of $\mathbb{Z}+P$ in a random maximal order in $B_{p,\infty}$ and $D_i$ is the discriminant of $\rho_i \coloneqq(\mathop{\mathrm{Trd}}\nolimits\alpha_{i2})\alpha_{i1}+(\mathop{\mathrm{Trd}}\nolimits\alpha_{i1})\alpha_{i2}-2\alpha_{i1}\alpha_{i2}$. Averages of the two frequencies are plotted as well.

Theorems & Definitions (58)

  • Theorem: Theorem \ref{thm:makebass}
  • Theorem: Theorem \ref{thm:EndE}
  • Proposition 3.1
  • proof
  • Remark 3.2
  • Remark 3.3
  • Lemma 3.4
  • proof
  • Definition 3.5
  • Proposition 3.6
  • ...and 48 more