The supersingular endomorphism ring problem given one endomorphism

TL;DR

This paper presents a new classical and quantum algorithm for computing the endomorphism ring of supersingular elliptic curves given one endomorphism, improving complexity and removing heuristic assumptions.

Contribution

It introduces a polynomial-time solution to the Primitivisation problem and efficient computation of smooth ideal actions, advancing isogeny-based cryptography.

Findings

Classical time complexity about disc(Z[α])^{1/4}

Quantum subexponential time complexity under GRH

Polynomial-time algorithms for Primitivisation and smooth ideal actions

Abstract

Given a supersingular elliptic curve E and a non-scalar endomorphism $\alpha$ of E, we prove that the endomorphism ring of E can be computed in classical time about disc(Z[$\alpha$])^1/4 , and in quantum subexponential time, assuming the generalised Riemann hypothesis. Previous results either had higher complexities, or relied on heuristic assumptions. Along the way, we prove that the Primitivisation problem can be solved in polynomial time (a problem previously believed to be hard), and we prove that the action of smooth ideals on oriented elliptic curves can be computed in polynomial time (previous results of this form required the ideal to be powersmooth, i.e., not divisible by any large prime power). Following the attacks on SIDH, isogenies in high dimension are a central ingredient of our results.