Abstract

Computing endomorphism rings of supersingular elliptic curves is an important problem in computational number theory, and it is also closely connected to the security of some of the recently proposed isogeny-based cryptosystems. We give a new algorithm for computing the endomorphism ring of a supersingular elliptic curve $E$ defined over ${\mathbb{𝔽}}_{p^2}$ that runs, under certain heuristics, in time $O\left({\left(logp\right)}^2{p}^{1∕2}\right)$. The algorithm works by first finding two cycles of a certain form in the supersingular $\ell$-isogeny graph $G\left(p,\ell \right)$, generating an order $\Lambda \subseteq$End$\left(E\right)$. Then all maximal orders containing $\Lambda$ are computed, extending work of Voight (2013). The final step is to determine which of these maximal orders is the endomorphism ring. As part of the cycle-finding algorithm, we give a lower bound on the set of all $j$-invariants $j$ that are adjacent to $j^p$ in $G\left(p,\ell \right)$, answering a question of Arpin et al. (2019).

We also give a polynomial-time reduction from computing End$\left(E\right)$ to path-finding in the $\ell$-isogeny graph which is simpler in several ways than previous ones. We show that this reduction leads to another algorithm for computing endomorphism rings which runs in time $Õ\left(p^{1∕2}\right)$. This allows us to break the second preimage resistance of a hash function in the family constructed by Charles, Goren and Lauter.

Keywords

Mathematical Subject Classification 2010

Milestones

Authors