Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Finding Orientations of Supersingular Elliptic Curves and Quaternion Orders

Sarah Arpin, James Clements, Pierrick Dartois, Jonathan Komada Eriksen, Péter Kutas, Benjamin Wesolowski

TL;DR

Orientations of supersingular curves by a fixed imaginary quadratic order $\mathfrak{O}$ encode endomorphisms; the paper analyzes the hardness of obtaining a full endomorphism ring by studying the $\mathfrak{O}$-Orienting Problem and its decisional variant. It proves reductions from search to decision when $\mathrm{disc}(\mathfrak{O})<p$ and provides explicit subexponential algorithms with complexity analyses, along with a polynomial-time special-discriminant case and a SageMath implementation. On the quaternion side, it develops embedding algorithms for a fixed $\mathfrak{O}$ into maximal quaternion orders in $B_{p,\infty}$, with heuristics showing practical efficiency up to $|\Delta_{\mathfrak{O}}|=O(p)$ and discussions of rerandomization for small discriminants. The results tie orienting problems to quaternionic embeddings and isogeny-graph frameworks, offering concrete algorithms, complexity bounds, and practical tools relevant to the security assumptions of isogeny-based cryptography.

Abstract

Orientations of supersingular elliptic curves encode the information of an endomorphism of the curve. Computing the full endomorphism ring is a known hard problem, so one might consider how hard it is to find one such orientation. We prove that access to an oracle which tells if an elliptic curve is $\mathfrak{O}$-orientable for a fixed imaginary quadratic order $\mathfrak{O}$ provides non-trivial information towards computing an endomorphism corresponding to the $\mathfrak{O}$-orientation. We provide explicit algorithms and in-depth complexity analysis. We also consider the question in terms of quaternion algebras. We provide algorithms which compute an embedding of a fixed imaginary quadratic order into a maximal order of the quaternion algebra ramified at $p$ and $\infty$. We provide code implementations in Sagemath which is efficient for finding embeddings of imaginary quadratic orders of discriminants up to $O(p)$, even for cryptographically sized $p$.

Finding Orientations of Supersingular Elliptic Curves and Quaternion Orders

TL;DR

Orientations of supersingular curves by a fixed imaginary quadratic order encode endomorphisms; the paper analyzes the hardness of obtaining a full endomorphism ring by studying the -Orienting Problem and its decisional variant. It proves reductions from search to decision when and provides explicit subexponential algorithms with complexity analyses, along with a polynomial-time special-discriminant case and a SageMath implementation. On the quaternion side, it develops embedding algorithms for a fixed into maximal quaternion orders in , with heuristics showing practical efficiency up to and discussions of rerandomization for small discriminants. The results tie orienting problems to quaternionic embeddings and isogeny-graph frameworks, offering concrete algorithms, complexity bounds, and practical tools relevant to the security assumptions of isogeny-based cryptography.

Abstract

Orientations of supersingular elliptic curves encode the information of an endomorphism of the curve. Computing the full endomorphism ring is a known hard problem, so one might consider how hard it is to find one such orientation. We prove that access to an oracle which tells if an elliptic curve is -orientable for a fixed imaginary quadratic order provides non-trivial information towards computing an endomorphism corresponding to the -orientation. We provide explicit algorithms and in-depth complexity analysis. We also consider the question in terms of quaternion algebras. We provide algorithms which compute an embedding of a fixed imaginary quadratic order into a maximal order of the quaternion algebra ramified at and . We provide code implementations in Sagemath which is efficient for finding embeddings of imaginary quadratic orders of discriminants up to , even for cryptographically sized .
Paper Structure (28 sections, 34 theorems, 97 equations, 9 algorithms)

This paper contains 28 sections, 34 theorems, 97 equations, 9 algorithms.

Table of Contents

  1. Introduction
  2. Our contributions
  3. Reduction from Search to Decision $\mathfrak{O}$-Orienting Problem
  4. Quaternion Order Embedding Problem
  5. Preliminaries
  6. Supersingular elliptic curves and quaternion algebras
  7. Orientations
  8. Computing modular polynomials and $j$-invariants
  9. Computing an $\ell$-isogeny between two $j$-invariants.
  10. Efficiently representing an isogeny of any degree with Kani's lemma
  11. Smoothness test and factorization with the ECM method
  12. Reduction of $\mathfrak{O}$-orienting problem for special discriminants
  13. Solving the $\mathfrak{O}$-orienting problem with a decision oracle
  14. Description of the algorithms
  15. Finding a smooth norm generator
  16. ...and 13 more sections

Key Result

Theorem 2.1

Fix a maximal order $M$ of the quaternion algebra $B_{p,\infty}$ ramified precisely at $p$ and $\infty$. There is a bijection between isomorphism classes of supersingular elliptic curves over $\overline{\mathbb{F}_p}$ and the left class set of the order $M$.

Theorems & Definitions (73)

  • Theorem 2.1: Deuring Deu41
  • Definition 2.2: Orientation
  • Definition 2.7
  • Definition 2.8: $d$-isogeny in higher dimension
  • Lemma 2.9: Kani
  • Lemma 2.10
  • proof
  • Lemma 2.11
  • proof
  • Proposition 2.12
  • ...and 63 more