The SEA algorithm for endomorphisms of supersingular elliptic curves

Abstract

For a prime p\,>\,3 and a supersingular elliptic curve E defined over Fp2 with j(E)\0,1728\, consider an endomorphism α of E represented as a composition of L isogenies of degree at most d. We prove that the trace of α may be computed in O(n4( n)2 + dLn3) bit operations, where n\,=\,(p), using a generalization of the SEA algorithm for computing the trace of the Frobenius endomorphism of an ordinary elliptic curve. When L∈ O( p) and d∈ O(1), this complexity matches the heuristic complexity of the SEA algorithm. Our theorem is unconditional, unlike the complexity analysis of the SEA algorithm, since the kernel of an arbitrary isogeny of a supersingular elliptic curve is defined over an extension of constant degree, independent of p. We also provide practical speedups, including a fast algorithm to compute the trace of α modulo p.