Connecting Kani's Lemma and path-finding in the Bruhat-Tits tree to compute supersingular endomorphism rings

TL;DR

This work provides a deterministic polynomial-time method to compute the endomorphism ring $\operatorname{End}(E)$ of a supersingular elliptic curve in characteristic $p$, given two noncommuting endomorphisms generating a suborder and a factorization of its reduced discriminant. The approach localizes at primes $q$, constructs $q$-maximal enlargements, and navigates from each local order to $\operatorname{End}(E)\otimes\mathbb{Z}_q$ via paths in the Bruhat–Tits tree, using higher-dimensional isogenies to realize divisibility steps. It builds on the local–global principle for quaternion orders, the division algorithm for endomorphisms, and finite-intersection results of maximal orders to test local containment efficiently, yielding a global End$(E)$ without restricting to Bass suborders. The method improves previous subexponential and heuristic approaches, provides a new deterministic alternative to probabilistic methods, and has implications for isogeny-based cryptography by enabling explicit endomorphism-ring computations from partial input data.

Abstract

We give a deterministic polynomial time algorithm to compute the endomorphism ring of a supersingular elliptic curve in characteristic p, provided that we are given two noncommuting endomorphisms and the factorization of the discriminant of the ring $\mathcal{O}_0$ they generate. At each prime $q$ for which $\mathcal{O}_0$ is not maximal, we compute the endomorphism ring locally by computing a q-maximal order containing it and, when $q \neq p$, recovering a path to $\text{End}(E) \otimes \mathbb{Z}_q$ in the Bruhat-Tits tree. We use techniques of higher-dimensional isogenies to navigate towards the local endomorphism ring. Our algorithm improves on a previous algorithm which requires a restricted input and runs in subexponential time under certain heuristics. Page and Wesolowski give a probabilistic polynomial time algorithm to compute the endomorphism ring on input of a single non-scalar endomorphism. Beyond using techniques of higher-dimensional isogenies to divide endomorphisms by a scalar, our methods are completely different.

Figures (5)

• Figure 1: The (truncated) Bruhat-Tits tree for $q=3$, with vertices labelled by the associated matrices. The root of the tree, labelled $I$, corresponds to $M_2(\mathbb{Z}_q)$. The vertex labelled with matrix $T$ corresponds to the order $T^{-1}M_2(\mathbb{Z}_q)T.$
• Figure 2: Constructing $\Lambda_1, \Lambda_2, \Lambda_3$ such that $\bigcap_{\Lambda \in N_{\ell}(P)}\Lambda = \Lambda_1 \cap \Lambda_2 \cap \Lambda_3.$
• Figure 3: Case 1 and Case 2 in the proof of Corollary \ref{['cor:Lambdatilde']}.
• Figure 4: The maximal orders containing $\bigcap_{\Lambda' \subset N_{1}(M_2(\mathbb{Z}_q))} \Lambda'$ when $q=3$.
• Figure 5: Algorithm \ref{['alg:path']} Step 2 with $q=2$ and $d(\Lambda_E, M_2(\mathbb{Z}_q))) = 3$. Black edges indicate the portion of the path determined with previous values of $k$.

Theorems & Definitions (93)

• Theorem 1.1
• Definition 2.1
• Definition 2.2
• Definition 2.3
• Definition 2.4
• Theorem 2.5
• Remark 2.6
• Proposition 2.7
• Remark 3.1
• Definition 3.2