The SEA algorithm for endomorphisms of supersingular elliptic curves
Travis Morrison, Lorenz Panny, Jana Sotáková, Michael Wills
TL;DR
This work extends the SEA framework to compute the trace of a general endomorphism $\alpha$ on a supersingular elliptic curve $E/\mathbb{F}_{p^2}$, where $\alpha$ factors as a composition of $L$ isogenies of degree at most $d$. By exploiting that every odd prime is Elkies for such $E$ (and that isogeny kernels are defined over constant-degree extensions), the authors achieve a unconditional complexity bound of $O(n^4(\log n)^2 + dLn^3)$ bit operations with $n=\lceil \log p \rceil$, and show that this matches the SEA heuristic in the regime $L=O(n)$, $d=O(1)$. They develop arithmetic in restricted endomorphism spaces $\Hom(E,E)_h$, enabling efficient modular computations, and provide a fast trace computation modulo $p$ as a practical speedup. The paper also discusses practical timings and situates these techniques in relation to Dewaghe’s extensions of Elkies’ method to Atkin primes, suggesting potential broader applicability of Elkies-based accelerations in endomorphism computations.
Abstract
For a prime $p{\,>\,}3$ and a supersingular elliptic curve $E$ defined over $\mathbb{F}_{p^2}$ with ${j(E)\notin\{0,1728\}}$, consider an endomorphism $α$ of $E$ represented as a composition of $L$ isogenies of degree at most $d$. We prove that the trace of $α$ may be computed in $O(n^4(\log n)^2 + dLn^3)$ bit operations, where $n{\,=\,}\log(p)$, using a generalization of the SEA algorithm for computing the trace of the Frobenius endomorphism of an ordinary elliptic curve. When $L\in O(\log p)$ and $d\in O(1)$, this complexity matches the heuristic complexity of the SEA algorithm. Our theorem is unconditional, unlike the complexity analysis of the SEA algorithm, since the kernel of an arbitrary isogeny of a supersingular elliptic curve is defined over an extension of constant degree, independent of $p$. We also provide practical speedups, including a fast algorithm to compute the trace of $α$ modulo $p$.