Computing supersingular endomorphism rings using inseparable endomorphisms

Abstract

We give an algorithm for computing an inseparable endomorphism of a supersingular elliptic curve E defined over $F_{p^2}$, which, conditional on GRH, runs in expected $O\left(p^{1/2}{(\log p)}^2{(\log \log p)}^3\right)$ bit operations and requires $O\left({(\log p)}^2\right)$ storage. This matches the time and storage complexity of the best conditional algorithms for computing a nontrivial supersingular endomorphism, such as those of Eisenträger–Hallgren–Leonardi–Morrison–Park and Delfs–Galbraith. Unlike these prior algorithms, which require two paths from E to a curve defined over $F_p$, the algorithm we introduce only requires one; thus when combined with the algorithm of Corte-Real Santos–Costello–Shi, our algorithm will be faster in practice. Moreover, our algorithm produces endomorphisms with predictable discriminants, enabling us to prove properties about the orders they generate. With two calls to our algorithm, we can provably compute a Bass suborder of $\mathrm{End}\left(E\right)$. This result is then used in an algorithm for computing a basis for $\mathrm{End}\left(E\right)$ with the same time complexity, assuming GRH. We also argue that $\mathrm{End}\left(E\right)$ can be computed using $O\left(1\right)$ calls to our algorithm along with polynomial overhead, conditional on a heuristic assumption about the distribution of the discriminants of these endomorphisms. Conditional on GRH and this additional heuristic, this yields a $O\left(p^{1/2}{(\log p)}^2{(\log \log p)}^3\right)$ algorithm for computing $\mathrm{End}\left(E\right)$ requiring $O\left({(\log p)}^2\right)$ storage.