Computing endomorphism rings of supersingular elliptic curves is an important
problem in computational number theory, and it is also closely connected to the
security of some of the recently proposed isogenybased cryptosystems. We give a new
algorithm for computing the endomorphism ring of a supersingular elliptic curve
$E$ defined over
${\mathbb{\mathbb{F}}}_{{p}^{2}}$ that runs, under certain
heuristics, in time
$O\left({\left(logp\right)}^{2}{p}^{1\u22152}\right)$.
The algorithm works by first finding two cycles of a certain form in the supersingular
$\ell $isogeny graph
$G\left(p,\ell \right)$, generating an order
$\Lambda \subseteq $End$\left(E\right)$.
Then all maximal orders containing
$\Lambda $
are computed, extending work of Voight (2013). The final step is to
determine which of these maximal orders is the endomorphism ring. As
part of the cyclefinding algorithm, we give a lower bound on the set of all
$j$invariants
$j$ that are
adjacent to
${j}^{p}$
in
$G\left(p,\ell \right)$,
answering a question of Arpin et al. (2019).
We also give a polynomialtime reduction from computing
End$\left(E\right)$ to pathfinding
in the
$\ell $isogeny
graph which is simpler in several ways than previous ones. We show that this reduction
leads to another algorithm for computing endomorphism rings which runs in time
$\xd5\left({p}^{1\u22152}\right)$. This
allows us to break the second preimage resistance of a hash function in the family
constructed by Charles, Goren and Lauter.
