Computing supersingular endomorphism rings using inseparable endomorphisms

TL;DR

This paper introduces an efficient algorithm for computing inseparable endomorphisms of supersingular elliptic curves over finite fields, improving practical speed and enabling detailed structural analysis of endomorphism rings.

Contribution

The paper presents a novel algorithm that computes inseparable endomorphisms with optimal complexity, requiring only one path from the curve to a base field, and allows for provable computation of endomorphism ring suborders.

Findings

Algorithm runs in expected $O(p^{1/2}( ext{log } p)^2( ext{log log } p)^3)$ time

Produces endomorphisms with predictable discriminants for structural analysis

Enables computation of the entire endomorphism ring with polynomial overhead

Abstract

We give an algorithm for computing an inseparable endomorphism of a supersingular elliptic curve $E$ defined over $\mathbb F_{p^2}$, which, conditional on GRH, runs in expected $O(p^{1/2}(\log p)^2(\log\log p)^3)$ bit operations and requires $O((\log p)^2)$ storage. This matches the time and storage complexity of the best conditional algorithms for computing a nontrivial supersingular endomorphism, such as those of Eisentr\"{a}ger-Hallgren-Leonardi-Morrison-Park and Delfs-Galbraith. Unlike these prior algorithms, which require two paths from $E$ to a curve defined over $\mathbb F_p$, the algorithm we introduce only requires one; thus when combined with the algorithm of Corte-Real Santos-Costello-Shi, our algorithm will be faster in practice. Moreover, our algorithm produces endomorphisms with predictable discriminants, enabling us to prove properties about the orders they generate. With two calls to our algorithm, we can provably compute a Bass suborder of $\operatorname{End}(E)$. This result is then used in an algorithm for computing a basis for $\operatorname{End}(E)$ with the same time complexity, assuming GRH. We also argue that $\operatorname{End}(E)$ can be computed using $O(1)$ calls to our algorithm along with polynomial overhead, conditional on a heuristic assumption about the distribution of the discriminants of these endomorphisms. Conditional on GRH and this additional heuristic, this yields a $O(p^{1/2}(\log p)^2(\log\log p)^3)$ algorithm for computing $\operatorname{End}(E)$ requiring $O((\log p)^2)$ storage.