Computing isogenies between supersingular elliptic curves over \({\mathbb {F}}_p\)

Abstract

Let \(p>3\) be a prime and let \(E\), \(E'\) be supersingular elliptic curves over \({\mathbb {F}}_p\). We want to construct an isogeny \(\phi :E\rightarrow E'\). The currently fastest algorithm for finding isogenies between supersingular elliptic curves solves this problem in the full supersingular isogeny graph over \({\mathbb {F}}_{p^2}\). It takes an expected \(\tilde{\mathcal {O}}(p^{1/2})\) bit operations, and also \(\tilde{\mathcal {O}}(p^{1/2})\) space, by performing a “meet-in-the-middle” breadth-first search in the isogeny graph. In this paper we consider the structure of the isogeny graph of supersingular elliptic curves over \({\mathbb {F}}_p\). We give an algorithm to construct isogenies between supersingular curves over \({\mathbb {F}}_p\) that works in \(\tilde{\mathcal {O}}(p^{1/4})\) bit operations. We then discuss how this algorithm can be used to obtain an improved algorithm for the general supersingular isogeny problem.

Appendix: Example graphs

We present a few small examples of the irregular structure of the full supersingular isogeny graph \(X(\bar{{\mathbb {F}}}_p, \ell )\). After that we display, for the same examples, the graphs \(X({\mathbb {F}}_{p}, \ell )\) which have a much more regular structure. For the examples we use the primes \(p = 83, 101\) and \(103\), one for each of the different cases that occur. To demonstrate the two occurring structures we build the graphs for isogeny degrees \(\ell =2\) and the smallest prime \(\ell >2\) in each case for that isogenies exist.

Note that for \(j(E) = 0\) resp. \(j(E) \equiv 1728 \pmod p\) there are three resp. two non-equivalent isogenies mapping from \(E\) to another curve \(E'\). but their dual isogenies are all equivalent. This is due to the fact that \(\#\mathrm{Aut }(E) =6\) resp. \(\#\mathrm{Aut }(E) = 4\) in these cases. If \(\phi :E\rightarrow E'\) is an isogeny and \(\rho \in \mathrm{Aut }(E)\), then \(\phi \circ \rho \) may not be equivalent (i.e., have the same kernel) as \(\psi \), whereas the dual of \(\phi \circ \rho \) is \(\hat{\rho }\circ \hat{\phi }\), so this is equivalent to the dual of \(\phi \). We denote these multiple isogenies in the graph using a single arrow together with an integer to indicate the multiplicity.

1.1 An example for \(p\equiv 1 \pmod 4\)

If we take \(p=101\), we expect \(\lfloor \tfrac{101}{12} \rfloor +1 = 9\) supersingular \(j\)-invariants in \({\mathbb {F}}_{p^2}\). In the next figure we show how they are connected using \(2\)-isogenies. The nodes labeled \(\alpha \) and \(\bar{\alpha }\) represent \(j\)-invariants in \({\mathbb {F}}_{p^2}\setminus {\mathbb {F}}_p\) where \(\bar{\alpha }\) is the conjugate of \(\alpha \). The graph can be easily computed with help of modular polynomials (Fig. 1).

Fig. 1

Supersingular isogeny graph \(X(\bar{{\mathbb {F}}}_{101}, 2)\)

In \(X({\mathbb {F}}_p, \ell )\) we will have \(h(-4p) = 14\) nodes which are supersingular elliptic curves over \({\mathbb {F}}_p\) with endomorphism ring \({\mathbb {Z}}[\sqrt{-101}]\). There will be only one outgoing \(2\)-isogeny from each curve, so naturally the graph can not be connected. It can be seen in Fig. 2.

Fig. 2

\({\mathbb {F}}_p\)-rational supersingular isogeny graph \(X({\mathbb {F}}_{101}, 2)\)

It is notable that in this graph there are fewer connecting isogenies than in the full graph before. For example, in the first graph we have two isogenies going from the node \(64\) to the node \(3\) and two ones back, which are all missing in the new graph. This is due to the fact that those isogenies are not defined over \({\mathbb {F}}_p\), so they are not computed as edges in \(X({\mathbb {F}}_p, 2)\). Likewise the two loops from \(59\) to itself are isogenies over \({\mathbb {F}}_{p^2}\) that are dual to each other, whereas the loop at \(21\) is a \({\mathbb {F}}_p\)-rational isogeny that is its own dual.

For higher isogeny degrees the number of outgoing isogenies from each vertex grows, so the graph becomes more complicated to draw. For this example we can take \(\ell =3\) since \(\left( \tfrac{-p}{3}\right) = 1\) (Fig. 3).

Fig. 3

Supersingular isogeny graph \(X(\bar{{\mathbb {F}}}_{101}, 3)\)

Despite the complicated picture of the full graph, the graph over \({\mathbb {F}}_p\) becomes just a big circle. In particular, it is already fully connected. This is because the ideal class group of \({\mathbb {Q}}( \sqrt{-101})\) is generated by a prime ideal of norm \(3\) (Fig. 4).

Fig. 4

Rational supersingular isogeny graph \(X({\mathbb {F}}_{101}, 3)\)

Again you can see how the isogenies from the full graph that are defined over \({\mathbb {F}}_{p^2}\) vanish in the rational graph, and the single loops become isogenies from an elliptic curve to its quadratic twist. This latter fact can be shown in general.

1.2 An example for \(p\equiv 3 \pmod 8\)

For this case we take \(p=83\), so the full graph will have \(\lfloor \frac{83}{12}\rfloor + 2 = 8\) vertices. Again we have two \(j\)-invariants \(\alpha , \bar{\alpha } \in {\mathbb {F}}_{p^2}\setminus {\mathbb {F}}_p\). The full \(2\)-isogeny graph is given in Fig. 5.

Fig. 5

Supersingular isogeny graph \(X(\bar{{\mathbb {F}}}_{83}, 2)\)

In the graph over \({\mathbb {F}}_p\) we get \(h(-p) = 3\) supersingular elliptic curves on the surface and \(h(-4p)=9\) ones on the floor. In the next figure we can see how \(2\)-isogenies connect floor and surface as explained in case (2)(b) of Theorem 2.7 (Fig. 6).

Fig. 6

Rational supersingular isogeny graph \(X({\mathbb {F}}_{83}, 2)\)

If we repeat the procedure for \(\ell =3\), the full graph looks like Fig. 7.

Fig. 7

Supersingular isogeny graph \(X(\bar{{\mathbb {F}}}_{83}, 3)\)

And in the graph over \({\mathbb {F}}_p\) we get two isogeny circles, one on the floor and one on the surface (Fig. 8).

Fig. 8

Rational supersingular isogeny graph \(X({\mathbb {F}}_{83},3)\)

1.3 An example for \(p\equiv 7 \pmod 8\)

Our example here is \(p=103\) where we have \(h(-p) = 5\) supersingular elliptic curves on the surface and also \(h(-4p) = 5\) ones on the floor. In this case we have four nodes in \({\mathbb {F}}_{p^2}\setminus {\mathbb {F}}_p\) (Fig. 9).

Fig. 9

Supersingular isogeny graph \(X(\bar{{\mathbb {F}}}_{103}, 2)\)

The \(2\)-isogeny graph over \({\mathbb {F}}_p\) in this case is already connected. Again a volcano structure can be observed where every supersingular elliptic curve on the floor has exactly one isogeny up starting at it (Fig. 10).

Fig. 10

Rational supersingular isogeny graph \(X({\mathbb {F}}_{103}, 2)\)

The smallest prime \(\ell >2\) with \(\left( \tfrac{-103}{\ell }\right) = 1\) is \(\ell =7\). In the full graph every vertex has eight outgoing isogenies so it is not nice to draw. The subgraph of \(X(\bar{{\mathbb {F}}}_{103},7)\) only consisting of \(j\)-invariants in \({\mathbb {F}}_{103}\) is presented in Fig. 11, so it can be compared to \(X({\mathbb {F}}_{103},7)\).

Fig. 11

Subgraph of supersingular isogeny graph \(X(\bar{{\mathbb {F}}}_{103}, 7)\)

Again we get two isogeny cycles such that floor and surface each are fully connected when we draw the graph \(X({\mathbb {F}}_{103}, 7)\). This is because the ideal class group is cyclic and generated by a prime ideal of norm \(7\) (Fig. 12).

Fig. 12

Rational supersingular isogeny graph \(X({\mathbb {F}}_{103},7)\)