Constructing Cycles in Isogeny Graphs of Supersingular Elliptic Curves

Theorem 1

If an imaginary quadratic order ℤ[τ] is optimally embedded in 𝒪 ≅ End(E), then there are loops or cycles at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) for every n ∈ {0, . . . , ℓ} where L splits into two principal ideals in ℤ[τ].

Proof

We assume τ=-d where d is a positive integer, and the other case τ=1+-d2 can be proved similarly.

If ℤ[-d] is optimally embedded in End(E), then ℤ[ℓ-d] can be embedded in 𝒪_n where 𝒪_n is the endomorphism ring of E_n. Since L splits into two principal ideals in ℤ[-d] , we can write L = a² + db² with a, b ∈ ℤ.

If ℓ | b, then L can be written as L=αα¯ with α, α¯∈ℤ[ℓ-d] . In this case, there are at least 2 loops at j(E_n) for n = 0, . . . , ℓ in 𝒢L(𝔽¯p,ℓ+1) .

If ℓ ∤ b, then [a±b-d](E[ℓ])=E[ℓ] since deg([a±b-d])=L≠ℓ . In other words, [a±b-d] is a bijection on E[ℓ], so that [a±b-d] acts as a permutation on the set of subgroups {G_i}_i=0,...,ℓ. Considering the following two isogenies:

where ϕ^n is the dual isogeny of ϕ_n, we have Ψn,+(En[ℓ])=[a+b-d](Gn) (resp. Ψn,-(En[ℓ])=[a-b-d](Gn) ) is the kernel of some ϕ_n1 (resp. ϕ_n2). The isogenies ϕ_n1 ∘ Ψ_n,+ : E_n → E_n1 and ϕ_n2 ∘ Ψ_n,− : E_n → E_n2 factor through [ℓ] ∈ End(E_n) by Lemma 1, so there are two L-isogenies Ψ_n,+ : E_n → E_n1 and Ψ_n,− : E_n → E_n2 such that ϕ_n1 ∘ Ψ_n,+ = Ψ_n,+ ∘ [ℓ] and ϕ_n2 ∘Ψ_n,− = Ψ_n,− ∘ [ℓ]. Since ker(ψn,+)⊆ker([L])∩ker([ℓ(a+b-d)]) and gcd(deg([L]), deg([ℓ(a+b-d)]))=L , the kernel ideal of Ψ_n,+ is In,1=(L,ℓ(a+b-d)) . Similarly, the kernel ideal of Ψ_n,− is In,2=(L,ℓ(a-b-d)) .

If E_n1 is isomorphic to E_n, then I_n,1 is a principal left ideal of 𝒪_n and Ψ_n,+ is an endomorphism of E_n. Because I_n,2 is the conjugate ideal of I_n,1, I_n,2 is also principal and Ψ_n,− is an endomorphism of E_n. In this case, j(E_n2) = j(E_n1) = j(E_n) and we construct two loops at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) .

If E_n1 is not isomorphic to E_n and E_n1 is isomorphic to E_n2, then j(E_n1) = j(E_n2) and Ψ_n,+ and Ψ_n,− are two different L-isogenies since I_n,1 ≠ I_n,2. Therefore ψ^n,-∘ψn,+ and ψ^n,+∘ψn,- are two 2-cycles at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) . Furthermore, we have 𝒪_n1 = 𝒪_n2 and the right order of I_n,1 and I_n,2 is 𝒪_n1, so the right order of I_n1,1 and I_n1,2 is 𝒪_n. Since the corresponding isogenies of I_n1,1 and I_n1,2 are Ψ_n1,+ and Ψ_n1,−, we also construct two 2-cycles at j(E_n1) in 𝒢L(𝔽¯p,ℓ+1) .

If E_n, E_n1 and E_n2 are not isomorphic, we denote the target elliptic curve of Ψ_n1,+ by E_n3. We have that E_n3 is not isomorphic to E_n or E_n1, otherwise there exists a contradiction with the above two cases. If E_n3 is isomorphic to E_n2, then Ψ_n2,+ ∘ Ψ_n1,+ ∘ Ψ_n,+ is a cycle through j(E_n), j(E_n1) and j(E_n2) in 𝒢L(𝔽¯p,ℓ+1) . If E_n3 is not isomorphic to E_n2, we denote the target elliptic curves of Ψ_n3,+ by E_n4. We have that E_n4 is not isomorphic to E_n1 or E_n3, Moreover, we claim that E_n4 is not isomorphic to E_n. If E_n4 is isomorphic to E_n, then the dual of Ψ_n3,+ is Ψ_n,− which is the dual of Ψ_n2,+. This means that E_n3 is isomorphic to E_n2, so we get a contradiction. If E_n4 is isomorphic to E_n2, then we construct a cycle through j(E_n), j(E_n1), j(E_n3) and j(E_n2) in 𝒢L(𝔽¯p,ℓ+1) . The following process is similar. Since there are at most ℓ + 1 vertices, we construct cycles at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) .

Remark 3.1

If ℤ[-d] can be embedded in the endomorphism ring of E_n, then I_n,1 and I_n,2 are principal and there exist two loops at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) .

Example 1

Let p = 3461 and ℓ = 5. Since (-73461)=-1 , j(-7)=2553≡3185mod3461 is a supersingular j-invariant in 𝔽_p. Let 𝔽_p² = 𝔽_p(β) where β² + β + 1 = 0 in 𝔽_p². The solutions of Φ₅(X, 3185) are j₀ = 819, j₁ = 2402, j₂ = 2591β + 1415, j₃ = 1039β + 2586, j₄ = 870β + 2285 and j₅ = 2422β + 1547 in 𝔽_p². By computing modular polynomials [19], we get the subgraph 𝒢L(𝔽¯p,ℓ+1) which consists of these 6 vertices.

For L = 11 = 2² + 7 · 1², we have the following graph 𝒢11(𝔽¯3461,6) .

For L = 23 = 4² + 7 · 1², we have the following graph 𝒢23(𝔽¯3461,6) .

Next, we will discuss the usefulness of Theorem 1 in CGL hash function and the imaginary quadratic order O which can be embedded in 𝒪 ≅ End(E). The following example implies that we can find cycles in supersingular isogeny graphs by Theorem 1.

Example 2

Let p = 12601 ≡ 6 mod 11, we have that j(1+-112)=-323≡5035 is a supersingular j-invariant in 𝔽_p. Moreover 4825 is a root of H₋₄₄(x) in 𝔽_p and j₀ = 5035, j₁ = 7022β + 1350 and j₂ = 5579β + 1350 are the vertices next to 4825 in 𝒢2(𝔽¯p) where β² + 11 = 0 in 𝔽_p². We have the following subgraph of 𝒢47(𝔽¯p) which consists of j₀, j₁ and j₂.

Charles, Goren and Lauter proved in [3] that if 𝒢2(𝔽¯p) has no 2-cycles then p ≡ 1 mod 840. In this example, we construct 2-cycles in 𝒢47(𝔽¯p) for p = 12601 ≡ 1 mod 840.

Theorem 2

Suppose j(E) ≠ 0, 1728. Assume that ℤ[τ] and ℤ[ℓτ] are optimally embedded in 𝒪 and 𝒪_n respectively where E and E_n are ℓ-isogenous. If p > ℓ²LD and ℓ does not split in ℤ[τ], then there exist two m-cycles at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) where L splits into two principal ideals in ℤ[τ].

Proof

Since j(E) ≠ 0, 1728, we have ℤ[τ] ≠ ℤ[i], ℤ[1+-32] and the unit group of ℤ[τ] is {±1}. If τ=-d and write L=(a+b-d)(a-b-d) , then m is the smallest positive integer such that (a+b-d)m=x+y-d with ℓ | y.

If ℓ | b, then m = 1 and we construct two loops at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) . We assume ℓ ∤ b in the following.

We claim that E_n is not isomorphic to E_n1 or E_n2. If E_n is isomorphic to E_n1, then the right order of In,1=(L,ℓ(a+b-d)) is 𝒪_n and I_n,1 is principal. There exists an element α ∈ 𝒪_n such that Nrd(α) = L. We are under the assumption that ℤ[ℓτ] is optimally embedded in 𝒪_n and ℓ ∤ b, so α ∉ ℤ[ℓτ]. The absolute value D^′ of the discriminant of ℤ[α] satisfies D^′ ≤ 4Nrd(α) = 4L. By Theorem 2 in [11], we have 4p < 4ℓ²DL since two different imaginary orders ℤ[ℓτ] and ℤ[α] can be embedded in 𝒪_n. If p > ℓ²LD, then such α does not exist and I_n,1 is not principal.

If m = 2, then [a±b-d]2(Gn)=Gn . Since j(E_n) ≠ j(E_n1), Ψ_n1,+ ∘ Ψ_n,+ : E_n → E_n1 → E_n is a 2-cycle at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) . In this case, ψn,-=ψ^n1,+ and j(E_n1) = j(E_n2).

If m > 2, then [a+b-d]m(Gn)=[x+y-d](Gn)=Gn and j(E_n1) ≠ j(E_n2). The composition of the following 3m isogenies

factors through [ℓ^m].

As in the proof of Theorem 1, the isogenies E_n → E → E → E_n1 factor through [ℓ] ∈ End(E_n) and we get an L-isogeny Ψ_n,+ : E_n → E_n1. By repeating the process, we get a cycle E_n → E_n1 → . . . → E_n in the L-isogeny graph. We want to prove that the cycle E_n → E_n1 → . . . → E_n is simple, which means that every vertex in this cycle appears only once. Rewrite the isogenies as following:

First, we claim that different G_n’s generate non-isomorphic elliptic curves, so the isogeny E_n → E_n1 → . . . can return to E_n if and only if there exists a positive integer k such that [a+b-d]k(Gn)=Gn .

Let I_s and I_t be the kernel ideals of ϕ_s : E → E_s and ϕ_t : E → E_t with s, t ∈ {0, 1, . . . , ℓ}. We recall that E_s and E_t are isomorphic if and only if there exists an element μ∈Bp,∞* such that I_sµ = I_t with Nrd(µ) = 1 and µ ≠ ±1. Moreover, ℓ ∈ I_s, so ℓµ ∈ I_t ⊆ 𝒪. If ℓ does not split in ℤ[τ], then there exists an element β ∈ 𝒪 with Nrd(β) = ℓ² but β ∉ ℤ[τ]. Then ℤ[β] is an imaginary quadratic order which can be embedded in 𝒪, and the absolute value D^′′ of the discriminant of ℤ[β] satisfies D^′′ ≤ 4Nrd(β) = 4ℓ². By Theorem 2 in [11], we have 4p < 4ℓ²D since ℤ[τ] and ℤ[β] are embedded in 𝒪. If p > ℓ²LD > ℓ²D, then such µ does not exist and E_s is not isomorphic to E_t. Moreover, we have proved that different G_n’s generate non-isomorphic elliptic curves.

Next, we prove [s+t-d](Gn)=Gn if and only if ℓ|t for s, t ∈ ℤ, so m is the smallest positive integer such that [a+b-d]m(Gn)=Gn . If ℓ | t, then [s+t-d](Gn)=Gn . On the contrary, if [s+t-d](Gn)=Gn , then [s+t-d]P∈Gn for any P ∈ G_n. We have [t-d]P∈Gn for any P ∈ G_n, then ℓ | t and [t-d]P=∞ . If not, we have [-d]P∈Gn and [a+b-d](Gn)⊆Gn which is a contradiction.

We have proved that the cycle E_n → E_n1 → . . . → E_n is an m-cycle. Moreover, since [a-b-d]m=x-y-d , there is another m-cycle at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) .

If τ=1+-d2 , the proof is similar.

Remark 4.1

Assume ℓ splits in ℤ[τ], we can discuss whether I_s and I_t are in the same class as in [13] if we know the endomorphism ring of E. In general, if p > ℓ²LD and ℓ splits in ℤ[τ], we can construct two cycles with lengths m at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) without backtracking but they may not be simple.

Example 3

Because j₀, . . . , j₅ are different in Example 1, the conclusion of Theorem 2 also holds even if p = 3461 < 5² × 28L. Since the class number of ℤ[-7] is one, by Deuring’s reducing and lifting theorems, ℤ[5-7] is optimally embedded in 𝒪_n ≅ End(E(j_n)) for n = 0, . . . , 5. For 11=(2+-7)(2--7) , we compute m = 3, so there exist 3-cycles at j_n in 𝒢11(𝔽¯p,ℓ+1) by Theorem 2. For L = 23 = 4² + 7 · 1², we compute m = 6, so there exist 6-cycles at j_n in 𝒢23(𝔽¯p,ℓ+1) by Theorem 2.

Lemma 2

Suppose ℓ > 3.

(1) If p ≡ 3 mod 4 and p > 4ℓ², there are 12(ℓ-(-1ℓ)) vertices adjacent to 1728 in 𝒢ℓ(𝔽¯p) , each connecting 1728 with 2 edges.

(2) If p ≡ 2 mod 3 and p > 3ℓ², there are 13(ℓ-(ℓ3)) vertices adjacent to 0 in 𝒢ℓ(𝔽¯p) , each connecting 0 with 3 edges.

Theorem 3

Let ℓ be an odd prime and j1,…,j12(ℓ-(-1ℓ)) be the vertices adjacent to 1728 in 𝒢ℓ(𝔽¯p) . If p ≡ 3 mod 4 and p > 4ℓ²L, then there exist two m-cycles at every j_n in 𝒢L(𝔽¯p) for L ≡ 1 mod 4.

Proof

Suppose ℓ > 3. If p ≡ 3 mod 4 and p > 4ℓ²L, then ℤ[ℓi] is optimally embedded in End(E(j_n)) and I_n,1 and I_n,2 are not principal for every n∈{1,…,12(ℓ-(-1ℓ))} . If L = (a + bi)(a − bi), then m is the smallest positive integer such that (a + bi)^m = x + yi with ℓ | y or ℓ | x. Let Gn′=[i](Gn) , then Gn′ is the kernel of ϕ_n ∘ [i] : E(1728) → E(1728) → E(j_n). ϕ^n and ϕ^n∘[i] are the two ℓ-isogenies between E(1728) and E(j_n). For s, t ∈ ℤ, we have that [s + ti](G_n) = G_n (resp. Gn′ ) if and only if ℓ | t (resp. ℓ | s). As in the proof of Theorem 2, there exist two m-cycles at j_n in the supersingular isogeny graphs 𝒢L(𝔽¯p) .

For ℓ = 3, we have Φ₃(X, 1728) = (X² − 153542016X − 1790957481984)². If p ≡ 3 mod 4 and p > 31, then there are two vertices j₁ and j₂ adjacent to 1728 in 𝒢ℓ(𝔽¯p) , each connecting 1728 with 2 edges. For L = a² + b², if 3 | a or 3 | b, there are two loops at j₁ and j₂ in 𝒢L(𝔽¯p) . If 3 ∤ ab, we have 3 | (a² − b²). There are two 2-cycles at j₁ and j₂ in 𝒢L(𝔽¯p) .

Remark 4.2

For ℓ = 2, we have Φ₂(X, 1728) = (X − 1728)(X − 66³)². If p ≡ 3 mod 4 and p > 11, then 66³ is a supersingular j-invariant which is different from 1728. ℤ[2i] is optimally embedded in 𝒪(66³). For L = a² + b², there are at least two loops at 66³ in 𝒢L(𝔽¯p) .

Theorem 4

Let ℓ be an odd prime and j1,…,j13(ℓ-(ℓ3)) be the vertices adjacent to 0 in 𝒢ℓ(𝔽¯p) . If p ≡ 2 mod 3 and p > 3ℓ²L, then there exist two m-cycles at every j_n in 𝒢L(𝔽¯p) for L ≡ 1 mod 3.

Proof

For ℓ > 3, the proof is similar to that of Theorem 3.

For ℓ = 3, we have Φ₃(X, 0) = X(X − 12288000)³. If p ≡ 2 mod 3 and p > 23, we have −12288000 is a supersingular j-invariant which is different from 0. ℤ[3ɛ] is optimally embedded in 𝒪(−12288000). For L ≡ 1 mod 3, there are at least two loops at −12288000 in 𝒢L(𝔽¯p) .

Remark 4.3

For ℓ = 2, we have Φ₂(X, 0) = (X − 54000)³. If p ≡ 2 mod 3 and p > 11, then 54000 is a supersingular j-invariant which is different from 0. It is easy to show that ℤ[-3] is optimally embedded in 𝒪(54000). For L ≡ 1 mod 3, there are at least two loops at 54000 in 𝒢L(𝔽¯p) .

Example 4

Let us return to Example 1. For τ=-7 and ℓ = 5, we know that 5 is inert in ℤ[-7] and h′h=6 . We have m = 3 or 6 if L = 11 or 23. Furthermore, when L = 179 or 53, we have m = 1 or 2 respectively.

Corollary 5.1

Suppose that ℤ[τ] and ℤ[ℓτ] are optimally embedded in End(E) and End(E_n) respectively and p > ℓ²LD where D is the absolute value of the discriminant of ℤ[τ].

(1)Suppose p ≡ 3 mod 4. If τ = i and ℓ > 2, then there exist 2-cycles at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) if L = a² + b² with ℓ | (a² − b²) and ℓ ∤ a.

(2)Suppose p ≡ 2 mod 3. If τ = ɛ and ℓ > 3, then there exist 2-cycles at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) if L = a² + 3b² with ℓ ∤ a, ℓ ∤ b, ℓ ∤ (a + b) and ℓ | (a² − b²) (or ℓ | (b² + 2ab), or ℓ | (a² + 2ab)).

(3)If τ ≠ ℤ[i], ℤ[ɛ] and ℓ > 2, then there exist 2-cycles at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) if L = (a + bτ)(a − bτ) with ℓ | a and ℓ ∤ b.

(4)If τ=-d≠i and ℓ = 2, then there exist 2-cycles at j(E_n) in 𝒢L(𝔽¯p,ℓ+1) if L=(a+b-d)(a-b-d) with 2 ∤ b.

Theorem 5

Suppose that ℓ is ramified or inert in ℤ[τ] and L satisfies the condition in Corollary 5.1. If p > Dℓ²L, then there are only two L-isogenies from E_n to En′ .

Proof

If there is another L-isogeny from E_n to En′ , the corresponding kernel ideal J must belong to X_L and I_n,1 = Jµ, where μ∈Bp,∞* with Nrd(µ) = 1. Since L ∈ J, we have Lµ ∈ I_n,1 and µ ∈ L⁻¹I_n,1. There exist x, y ∈ 𝒪_n such that μ=L-1(xL+yℓ(a+bτ))=L-1(x(a+bτ¯)+ℓy)(a+bτ) , and α=x(a+bτ¯)+ℓy with Nrd(α) = L. We have ℓα ∈ 𝒪 since ℓx, ℓy and a+bτ¯ are in 𝒪.

If ℓα ∈ ℤ[τ], then α ∈ ℓ⁻¹ℤ[τ]. Since ℓ is ramified or inert in ℤ[τ], the set of elements with norm ℓ² in ℤ[τ] is {ɛℓ : ɛ ∈ ℤ[τ]^*}. For simplicity, we can assume α = a + bτ or a+bτ¯ . If α=a+bτ¯ , then µ = 1 and J = I_n,1. If α = a + bτ, then μ=a+bτa+bτ¯ and J = I_n,2. If ℓα is not in ℤ[τ], by Theorem 2 in [11], we have 4p ≤ 4DNrd(ℓα) = 4Dℓ²L since ℤ[τ] and ℤ[ℓα] are embedded in 𝒪. We assume p > Dℓ²L, so such α does not exist. This proves the theorem.

Example 5

If p ≡ 3 mod 4 and ℓ = 2, then j(2i) = 66³ is a supersingular j-invariant in 𝔽_p and 2 is ramified in ℤ[2i]. For L = 13 = (3 + 2i)(3 − 2i) and p = 827, j₁ = 774β + 169, j₂ = 53β + 169 and j₃ = 1728 are the vertices adjacent to 66³ in 𝒢2(𝔽¯p) where β² + 1 = 0. There exist three 13-isogenies from j₁ to j₂. In fact, p = 827 is the largest prime satisfying p ≡ 3 mod 4 and p < 16 × 2² × 13 = 832.

If (-7p)=-1 and ℓ = 3, then j(1+-72)=-153 is a supersingular j-invariant in 𝔽_p and 3 is inert in ℤ[1+-72] . For L=37=(3+2-7)(3-2-7) and p = 2309, j₁ = 860β + 1506 and j₂ = 1449β + 1506 are two vertices adjacent to −15³ in 𝒢3(𝔽¯p) where β² + β + 1 = 0. There exist three 37-isogenies from j₁ to j₂. In fact, p = 2309 is the largest prime satisfying (-7p)=-1 and p < 7 × 3² × 37 = 2331.