学术文献库

Computing endomorphism rings of supersingular elliptic curves is an important problem in computational number theory, and it is also closely connected to the security of some of the recently proposed isogeny-based cryptosystems. In this paper we give a new algorithm for computing the endomorphism ring of a supersingular elliptic curve $E$ that runs, under certain heuristics, in time $O((\log p)^2p^{1/2})$. The algorithm works by first finding two cycles of a certain form in the supersingular $\ell$-isogeny graph $G(p,\ell)$, generating an order $Λ\subseteq \operatorname{End}(E)$. Then all maximal orders containing $Λ$ are computed, extending work of Voight. The final step is to determine which of these maximal orders is the endomorphism ring. As part of the cycle finding algorithm, we give a lower bound on the set of all $j$-invariants $j$ that are adjacent to $j^p$ in $G(p,\ell)$, answering a question in arXiv:1909.07779.