Cycles in the Supersingular ℓ-Isogeny Graph and Corresponding Endomorphisms

Abstract

We study the problem of generating the endomorphism ring of a supersingular elliptic curve by two cycles in ℓ-isogeny graphs. We prove a necessary and sufficient condition for the two endomorphisms corresponding to two cycles to be linearly independent, expanding on the work by Kohel in his thesis. We also give a criterion under which the ring generated by two cycles is not a maximal order. We give some examples in which we compute cycles which generate the full endomorphism ring. The most difficult part of these computations is the calculation of the trace of these cycles. We show that a generalization of Schoof’s algorithm can accomplish this computation efficiently.

Appendix A: Modified Schoof’s Algorithm for Traces of Arbitrary Endomorphisms

Let E be an elliptic curve over a finite field \(\mathbb {F}_q\) of characteristic p ≠ 2, 3. The Frobenius endomorphism \(\phi \in \operatorname {\mathrm {End}}_{\mathbb {F}_q}(E)\) takes any point \((x,y) \in E(\mathbb {F}_q)\) to (x ^q, y ^q); it satisfies the relation in \( \operatorname {\mathrm {End}}_{\mathbb {F}_q}(E)\), given by

$$\displaystyle \begin{aligned} \phi^2 - t\phi + q = 0. \end{aligned}$$

Here, t is called the trace of the Frobenius endomorphism, and it is related to the number of \(\mathbb {F}_q\)-points on E via the relation

$$\displaystyle \begin{aligned} \#E(\mathbb{F}_q) = q + 1 - t. \end{aligned}$$

Schoof’s algorithm [20] computes the trace of the Frobenius endomorphism in \(O(\log ^9q)\) elementary operations (bit operations). This algorithm has been improved in [23] to be completed in \(O(\log ^5q \log \log q)\) operations.

Let E be a supersingular elliptic curve defined over \(\mathbb {F}_{p^2}\). Here we outline a modification of Schoof’s algorithm that computes the trace of any endomorphism \(\alpha \in \operatorname {\mathrm {End}}_{\mathbb {F}_q}(E)\) that corresponds to a cycle in the ℓ-isogeny graph, where ℓ ≠ p is a prime. That is, we assume that we are given a cycle of length e in the ℓ-isogeny graph; this path can be represented as a chain of e isogenies of degree ℓ, ϕ _k : E _k → E _k+1 for k = 0, …, e − 1. Here E ₀, …, E _e are elliptic curves in short Weierstrass form, defined over \(\mathbb {F}_{p^2}\), and E ₀ = E _e. We assume the isogenies are specified by their rational maps. We remark that if this cycle is instead represented by a sequence of ℓ-isogenous elliptic curves, then one can compute a corresponding sequence of ℓ-isogenies in \(\tilde {O}(n^2)\) time by Theorem 2 of [3], where \(n=\max \{\lceil \log p \rceil , \ell , e\}.\) In the context we are interested in (where p is of cryptographic size, \(\ell =O(\log p)\), and we assume \(e = O(\log p)\)), we observe that finding a cycle in G(p, ℓ) could require time exponential in \(\log p\), so we may as well assume that we are given the isogenies.

More precisely then, we assume that the input to our algorithm is a cycle of isogenies, each given explicitly as in Proposition 4.1 of [3] which we record here.

Proposition A.1

Let E : y ² = x ³ + Ax + B be an elliptic curve. Then every (normalized) ℓ-isogeny ψ : E → E ^′ can be written as

$$\displaystyle \begin{aligned} \psi(x,y) = \left(\frac{N(x)}{D(x)},y\left(\frac{N(x)}{D(x)}\right)^{\prime}\right), \end{aligned}$$

where

$$\displaystyle \begin{aligned} D(x) = \prod_{P\in \ker \psi\setminus \{0\}} (x-x_P) \end{aligned}$$

and we define N(x) by the relation

$$\displaystyle \begin{aligned} \frac{N(x)}{D(x)} = \ell x - \sigma - (3x^2 +A)\frac{D^{\prime}(x)}{D(x)} - 2(x^3+Ax+B)\left(\frac{D^{\prime}(x)}{D(x)}\right)^{\prime}. \end{aligned}$$

Here, σ is the coefficient of x ^ℓ−1 in D(x), the sum of the abscissas of the nonzero points of the kernel of ψ.

Proof

This is Proposition 4.1 of [3]. □

By Corollary 2.5, if E is defined over \(\mathbb {F}_{p^2}\) we can take these isogenies to be defined over an extension of degree at most degree 6 of \(\mathbb {F}_{p^2}\). If \(\ell =O(\log p)\) and the path has length \(e=O(\log p)\), which are the parameters that are most interesting, we will show that the trace of this endomorphism can be computed in \(\tilde {O}(\log ^7 p)\) time by using a modified version of Schoof’s algorithm, where we use \(f(n)=\tilde {O}(g(n))\) to mean that there exists k such that \(f(n)=O(g(n)\log ^kn)\).

The naïve computation of the composition of the e isogenies via Vélu’s formula yields a formula for the ℓ ^e-isogeny that requires at least O(ℓ ^e) elementary operations; in order to cut down on the number of elementary operations required to compute the explicit formula for the isogeny, we note that the explicit isogeny formula is simpler on the set of m-torsion points for any m, by taking the quotient modulo the division polynomials. Thus, ℓ ^e-isogenies on E[m] can be computed much more quickly, and this is sufficient information to which one can apply Schoof’s idea. We remark that the algorithm will correctly compute the trace of an endomorphism of an ordinary curve \(E/\mathbb {F}_q\), but unlike in the supersingular case and without further assumptions on the cycle, not all of the isogenies are defined over \(\mathbb {F}_q\) (or an extension of \(\mathbb {F}_q\) of bounded degree).

1.1 A.1. Complexity of Computing Endomorphisms on m-Torsion

Let f _k(X) denote the k-th division polynomial of E. It is the polynomial whose roots are the x-coordinates of the nonzero elements of the k-torsion subgroup of E. When k is coprime to p, the degree of f _k is (k ² − 1)∕2. The division polynomials can be defined recursively and the complexity of computing them is analyzed in [23].

Let M(n) denote the number of elementary operations required to multiply two n-bit integers. If we choose to multiply two n-bit integers via long multiplication, then M(n) = O(n ²); if we multiply two numbers using the Fast Fourier Transform (FFT), then \(M(n) = O(n \log n \log \log n)\).

Proposition A.2

Given a natural number m > 1, the division polynomials f ₁, …, f _m can be computed in \(O(m M(m^2\log q))\) time.

Proof

Using the recursive relations defining the division polynomials, f _k can be computed in \(O(M(k^2\log q))\) time by using a double-and-add method. Thus f ₁, …, f _m can be computed in \(O(mM(m^2\log q))\) time; see [23, Section 5.1]. □

We continue to work over \(\mathbb {F}_{q}\); typically we will work over an extension of \(\mathbb {F}_{p^2}\) of degree at most 6.

Given an ℓ-isogeny ψ : E → E′ as well as a prime m ≠ 2, p, we are interested in the explicit formula for the induced isogeny on the m-torsion points ψ _m : E[m] → E′[m]. If E is defined by the equation y ² = x ³ + ax + b, and f _m(x) is the m-th division polynomial for E, then \(E[m] = \operatorname {\mathrm {Spec}} \mathbb {F}_q[x,y]/I\), where I = 〈f _m(x), y ² − (x ³ + ax + b)〉. Thus we may reduce the coordinates of the explicit formula for the isogeny ψ given by (x, y)↦(X(x, y), Y (x, y)) modulo the ideal I, and the resulting map ψ _m agrees with ψ on E[m]. Let \(d= \max {m, \ell }\).

Proposition A.3

Keeping the notation of the discussion in the above paragraph, deg ψ _m = O(d), and ψ _m can be computed in \(O(M(d^2\log q)\log d)\) elementary operations.

Proof

First we observe that by Proposition A.1, the rational functions which define ψ have degree O(ℓ). Next, reduce modulo f _m(x), so that the degree of the resulting expression is bounded by deg f _m = O(m ²). Then by [23, Lemma 9, p. 315], it takes \(O(M(d^2\log q)\log d)\) elementary operations to compute the reduction of the isogeny formula modulo f _m. □

1.2 A.2. Computing the Trace on m-Torsion Points

To compute the trace of an endomorphism \(\psi \in \operatorname {\mathrm {End}}(E)\), where ψ appears as a cycle of length e in the supersingular ℓ-isogeny graph in characteristic p, we will compute \( \operatorname {\mathrm {tr}}(\psi ) \pmod {m}\) for several primes m and then recover the trace using the Chinese Remainder Theorem, as in Schoof’s algorithm.

The endomorphism ψ satisfies the equation \(x^2- \operatorname {\mathrm {tr}}(\psi )x+ \operatorname {\mathrm {norm}}(\psi )\). There is a simple relationship between \( \operatorname {\mathrm {tr}}(\psi )\) and \( \operatorname {\mathrm {norm}}(\psi )\):

Lemma A.4

Let \(\psi \in \operatorname {\mathrm {End}}(E)\). Then \(| \operatorname {\mathrm {tr}}(\psi )| \leq 2 \operatorname {\mathrm {norm}}(\psi )\).

Proof

If ψ is multiplication by some integer, then its characteristic polynomial is x ² ± 2nx + n ², with \(n \in \mathbb {N}\). Then \(| \operatorname {\mathrm {tr}}(\psi )| = 2n\), \( \operatorname {\mathrm {norm}}(\psi ) =n^2\), and the statement of the lemma holds.

If ψ is not multiplication by an integer, then \(\mathbb {Z}[\psi ]\) is an order in the ring of integers \(\mathcal {O}_K\) for some quadratic imaginary number field K. Hence we can fix an embedding \(\iota : \mathbb {Z}[\psi ] \hookrightarrow \mathcal {O}_K\). Since ι(ψ) is imaginary, its characteristic polynomial \(x^2 - \operatorname {\mathrm {tr}}(\psi )x + \operatorname {\mathrm {norm}}(\psi )\) must have discriminant < 0, so \(| \operatorname {\mathrm {tr}}(\psi )| \leq 2\sqrt { \operatorname {\mathrm {norm}}(\psi )}\). □

As in Schoof’s algorithm, we begin by looking for a bound L such that

$$\displaystyle \begin{aligned} N:=\prod_{\substack{m\leq L \mbox{ prime } \\ m\neq 2,p}} m > 2\operatorname{\mathrm{norm}}(\psi) = 2\ell^e, \end{aligned} $$

(A.2.1)

where the last equality follows from the fact that the cycle corresponding to ψ in the isogeny graph has length e, so \( \operatorname {\mathrm {norm}}(\psi )=\ell ^e\). By the prime number theorem, we can take \(L=O(\log p)\) and there are \(O(\log p / \log \log p)\) many primes less than L.

Let m be a prime. Any \(\psi \in \operatorname {\mathrm {End}}(E)\) induces an endomorphism \(\psi _m \in \operatorname {\mathrm {End}}(E[m])\); if ψ _m has characteristic polynomial x ² − t _mx + n _m, then \(t_m \equiv \operatorname {\mathrm {tr}}(\psi ) \pmod {m}\). After computing t (mod m) for each m < L, we can compute t (mod N) using the Chinese Remainder Theorem. The bound in Lemma A.4 then lets us compute the value of \( \operatorname {\mathrm {tr}}(\psi )\). Now, fix one such prime m.

1.2.1 A.2.1. Computation of \( \operatorname {\mathrm {tr}}(\psi _m)\)

Let \(t_m \equiv \operatorname {\mathrm {tr}}(\psi ) \bmod m\). Then the relation \(\psi _{m}^{2}-t_{m}\psi _{m} + n_{m} = 0\) holds in \( \operatorname {\mathrm {End}}(E[m]):= \operatorname {\mathrm {End}}(E)/(m)\). Here, \(n_m \equiv \operatorname {\mathrm {norm}}(\psi _m) = \ell ^e \bmod m\), with 0 ≤ n _m < m.

Furthermore, one has an explicit formula for ψ _m : E[m] → E[m] by reducing the explicit coordinates for ψ modulo the ideal I (using the notation in the discussion before Proposition A.3), with deg ψ _m = O(m ²). Using the addition formulas for E, we can compute the explicit formula for \(\psi _m^2 + n_m\), and reduce it to modulo I. The main modification to Schoof’s algorithm, as it is described in [23, 5.1], is to replace the Frobenius endomorphism on E[m] with ψ _m. Having computed \(\psi _m^2+n_m\) and ψ _m, for τ with 0 ≤ τ ≤ m − 1 we compute τψ _m until

$$\displaystyle \begin{aligned} \psi_m^2+n_m = \tau \psi_m \end{aligned}$$

in \( \operatorname {\mathrm {End}}(E[m])\). Then τ = t _m. Having computed t _m for sufficiently many primes, we recover \( \operatorname {\mathrm {tr}} \psi \) using the Chinese Remainder Theorem.

1.2.2 A.2.2. Complexity Analysis for Computing the Trace

Proposition A.5

Let \(E/\mathbb {F}_q\) be a supersingular elliptic curve. Let ψ be an isogeny of E of degree ℓ ^e, specified as a chain ϕ ₁, …, ϕ _e of ℓ-isogenies, whose explicit formulas are given. The explicit formula for ψ _m can be computed in \(O(edM(d\log q)\log d)\) time, where \(d \in \max \{\ell , m^2\}\).

Proof

The expression for ψ _m can be computed by computing (ϕ _k)_m for k = 1, …, e, composing the rational maps, and reducing modulo I at each step. The calculation of f ∘ g mod  h, where \(f, g, h\in \mathbb {F}_q[x]\) are polynomials of degree at most d, takes \(O(dM(d\log q))\) elementary operations using the naïve approach. Thus, computing e of these compositions, reducing modulo f _m at each step, takes \(O(edM(d\log q) \log q)\) time. □

We now wish to compute the trace of an endomorphism of E corresponding to a cycle in G(p, ℓ). Since the diameter of G(p, ℓ) is \(O(\log p)\), we are interested in computing the trace of a cycle of length \(e=O(\log p)\) in G(p, ℓ). We are also interested in the case where ℓ is a small prime, so we will take \(\ell =O(\log p)\). The resulting generalization of Schoof’s algorithm runs in time polynomial in \(\log p\).

Theorem A.6

Let p > 3 be a prime and let ψ be an endomorphism of a supersingular elliptic curve \(E/\mathbb {F}_{p^2}\) given as a chain of ℓ-isogenies,

$$\displaystyle \begin{aligned} \psi = \phi_e\circ \cdots \circ \phi_1, \end{aligned}$$

where each ϕ _k is specified by its rational functions and is defined over \(\mathbb {F}_q\). We can take \(\mathbb {F}_q\) to be an extension of \(\mathbb {F}_{p^2}\) of degree at most 6. Let \(n= \lceil \log p\rceil \)and assume e, ℓ = O(n). Then the modified version of Schoof’s algorithm computes \( \operatorname {\mathrm {tr}} \psi \) in \(\tilde {O}(n^7)\) time.

Proof

We follow the steps in our modification of Schoof’s algorithm. Since \( \operatorname {\mathrm {norm}} \psi = \ell ^e\), we first choose a bound \(L = O(\log \ell ^e)\).

We can compute ψ _m in time \(\tilde {O}(n^6)\) time by Proposition A.5. For a prime m < L, we compute \( \operatorname {\mathrm {tr}} \psi _m\), the trace of the induced isogeny ψ _m on E[m], by reducing by the m-division polynomial f _m whenever possible.

Having computed ψ _m and \(\psi _m^2\), with the same argument as in the proof of Theorem 10 of [23], we can compute t _m in \(O((m+\log q)(M(m^2\log q)))\) time. This is because once ψ _m and \(\psi _m^2\) are computed, the algorithm proceeds the same way as Schoof’s original algorithm. We must repeat this \(L=O(\log p) = O( n )\) times.

Once we compute \( \operatorname {\mathrm {tr}} \psi _m\) for each prime m ≠ p less than L, we compute \( \operatorname {\mathrm {tr}} \psi \) using the Chinese Remainder Theorem. This step is dominated by the previous computations. Thus we have a total run time of \(\tilde {O}(n^7)\). □