Explicit Representation of the Endomorphism Rings of Supersingular Elliptic Curves


Ken McMurdy

August 20, 2014

Abstract

It is well known from the work of Deuring that the endomorphism ring of any supersingular elliptic curve for a fixed prime $p$ is isomorphic to a maximal order in the quaternion algebra $\mathbb{Q}_{p,\infty}$. This defines a correspondence between supersingular elliptic curves and maximal orders that is practically one-to-one, and various algorithms related to this correspondence have been developed. In this paper we develop an algorithm for explicitly describing not only the correspondence but also the actual embeddings of $\operatorname{End} E$ into $\mathbb{Q}_{p,\infty}$ for all $E$. The key idea is to represent one particular endomorphism ring, and then generate all others by applying 2-isogenies and a twisting operator of Waterhouse.

1 Introduction

The relationship between endomorphism rings of supersingular elliptic curves for a fixed prime $p$ and maximal orders in the quaternion algebra $\mathbb{Q}_{p,\infty}$ is, in principle, well understood from the work of Deuring in [D1] and [D2]. The background information which is necessary for this paper may be summarized as follows. First, the endomorphism ring of any supersingular elliptic curve for a fixed prime $p$ is isomorphic to a maximal order in the quaternion algebra $\mathbb{Q}_{p,\infty}$. Moreover, with respect to this isomorphism, dual isogenies correspond to conjugates, and the degree of an endomorphism corresponds to the reduced norm of the corresponding element in the quaternion algebra. (See [S1, V.3].) Second, the resulting correspondence between supersingular elliptic curves and maximal orders is practically one-to-one, in the following sense. Every maximal order within $\mathbb{Q}_{p,\infty}$ is isomorphic to the endomorphism ring of some supersingular elliptic curve, and two supersingular elliptic curves have isomorphic endomorphism rings if and only if their $j$-invariants (which must lie in $\mathbb{F}_{p^2}$) are Galois conjugates. Finally, the number of supersingular elliptic curves for a fixed prime $p$ is given by $\lfloor p/12 \rfloor + \epsilon$, where $\epsilon = 0, 1$ or $2$ depending on the class of $p \bmod 12$. The $j$-invariants of these curves can easily be computed using the Hasse polynomial. (See [S1, V.4].)

While Deuring was able to demonstrate the existence and describe various properties of the correspondence, his work unfortunately did not provide an efficient method for making the correspondence explicit. With the advent of computer algebra packages, this has become much more of a practical concern, and several people have worked on developing related algorithms. In reality, a distinction should be made between four closely-related but inequivalent algorithmic problems.

(1) For a fixed $E$, explicitly describe $\mathcal{O} \subset \mathbb{Q}_{p,\infty}$ for which $\operatorname{End} E \cong \mathcal{O}$.

(2) Do (1) for all supersingular elliptic curves $E/\mathbb{F}_{p^2}$.

(3) For a fixed $E$, explicitly describe $\mathcal{O} \subset \mathbb{Q}_{p,\infty}$ and an isomorphism $\iota : \mathcal{O} \to \operatorname{End} E$.

(4) Do (3) for all supersingular elliptic curves $E/\mathbb{F}_{p^2}$.

Problems (1) and (2) can be approached using algebraic invariants. For example, one can generate a complete set of non-isomorphic maximal orders[1], as well as explicit models for all of the supersingular curves. Then the matching can be done by comparing representation numbers, i.e., the numbers of elements of each possible reduced norm/degree. This is the approach that was taken in [LM] and [Ce]. Recent work of Chevyrev and Galbraith provides an improvement to this approach ([CG, 5.2]). In order to do Problem (3), one can simply search for endomorphisms of $E$, by applying isogenies of increasing degree, until sufficiently many are found as to generate a unique order of discriminant $p$ inside $\mathbb{Q}_{p,\infty}$. In this paper we develop an algorithm for Problem (4) that is not based on either of the two approaches mentioned above. To be precise, the algorithm produces explicit representations for all $\operatorname{End} E$, by which we mean a $\mathbb{Z}$-basis $r_1, r_2, r_3, r_4$ for some maximal order $R \subset \mathbb{Q}_{p,\infty}$, and explicit formulas for endomorphisms $\iota(r_i)$ which define an isomorphism $\iota_E : R \to \operatorname{End} E$. The first step is to determine an explicit representation for the endomorphism ring of one particularly convenient supersingular elliptic curve, depending on the class of $p \bmod 12$. This is explained in Section 3. We then obtain all other supersingular curves by applying a sequence of explicit 2-isogenies.[2] Finally, for each 2-isogeny $\phi : A \to B$, we are able to inductively derive an explicit representation for $\operatorname{End} B$ by twisting the given explicit representation for $\operatorname{End} A$, using results of Waterhouse. In particular, given an existing isomorphism $\iota_A : R \to \operatorname{End} A$, we show in Section 4 how to determine a maximal order $S \subset \mathbb{Q}_{p,\infty}$ such that an isomorphism $\iota_B : S \to \operatorname{End} B$ exists, by computing the right order of the left kernel ideal of $R$ associated to $\phi$ (as in [Wa, Prop. 3.9]). The isomorphism $\iota_B$ can then be made explicit using the construction of [Wa, 3.1], in which for each $\alpha \in S$ we have
$$\iota_B(\alpha) = \tfrac{1}{2}\, \phi \circ \iota_A(\alpha) \circ \hat\phi.$$

[1] This essentially reduces to a class group calculation for some maximal $\mathcal{O} \subset \mathbb{Q}_{p,\infty}$. See [Pi, Prop. 1.21, Prop. 5.2] and Step 3 of [Pi, 3].

[2] The fact that this can be done is a consequence of [Ri, Lemma 3.17].

A complete explanation of this step is provided in Section 5, along with a summary of the results of the full algorithm for the specific example of $p = 31$.

Remark 1.1. Throughout the paper, explicit computations are included in order to illustrate how the various results may be concretely implemented. These computations were done using the SAGE computational software package [Sa], and all supporting SAGE code is available on the author's website.

2 A Suite of Isogeny Functions

Implementation of our algorithm relies upon several small results involving isogenies between elliptic curves, which we develop in this section. We assume that $p > 2$, which enables us to represent every elliptic curve $E$ (up to isomorphism) by a Weierstrass equation of the form
$$y^2 = W(x) = x^3 + ax^2 + bx + c.$$
Moreover, suppose that $E_1$ and $E_2$ are respectively given by the Weierstrass equations $y^2 = W_1(x)$ and $y^2 = W_2(x)$. Then every isogeny $\phi : E_1 \to E_2$ can be written as $\phi(x, y) = (f(x), g(x)y)$, where $W_2(f(x)) = g(x)^2 W_1(x)$. So, just as each elliptic curve can be represented as a (monic, cubic) Weierstrass polynomial $W(x)$, an isogeny can then be represented as a pair of rational functions $[f(x), g(x)]$ satisfying the above compatibility relation. Once isogenies are represented in this manner, it is straightforward to use the addition and duplication rules on $E_2$ to implement addition and duplication rules for isogenies from $E_1$ to $E_2$. When $E_1 = E_2 = E$, this specializes to addition and duplication inside $\operatorname{End} E$. In the usual manner, binary expansion can then be combined with addition and duplication to efficiently implement scalar multiplication of $\operatorname{End} E$ by $\mathbb{Z}$. Finally, composition of isogenies, and hence ring multiplication inside $\operatorname{End} E$, can be implemented as follows. Suppose that $\phi : E_1 \to E_2$ and $\tau : E_2 \to E_3$ are represented by $[f_1(x), g_1(x)]$ and $[f_2(x), g_2(x)]$ respectively. Then it is easy to show that $\tau \circ \phi$ is given by the pair $[f_2(f_1(x)),\ g_2(f_1(x))\, g_1(x)]$. Thus it is straightforward, although clearly necessary, to begin by fully implementing arithmetic inside $\operatorname{End} E$ as above.

2.1 Explicit Representations of 2-Isogenies

Now suppose that $E/\mathbb{F}_{p^n}$ is given by $y^2 = x^3 + ax^2 + bx + c = (x - \alpha_1)(x - \alpha_2)(x - \alpha_3)$. Let $C \subset E$ be the subgroup of order 2 given by $C = \langle (\alpha_1, 0) \rangle$. The goal of this subsection is to develop a simple method for explicitly representing the canonical isogeny $\phi : E \to E/C$ and its dual isogeny $\hat\phi : E/C \to E$. Both are essential to our algorithm, and hence several good examples appear as part of the complete algorithm example given in Section 5.1. We begin by describing Weierstrass parameters on the quotient curve. Note that for any point $P$ on $E$, we let $\bar P$ denote the image of $P$ on $E/C$.

Proposition 2.1. Let $\phi : E \to E/C$ be the canonical quotient map. Then there is a function $t \in L(2(\infty))$ on $E/C$ with
$$\phi^* t = \frac{(x - \alpha_2)(x - \alpha_3)}{x - \alpha_1}.$$

Proof. For $i = 1, 2, 3$, let $P_i = (\alpha_i, 0)$. Then $\bar P_2$ is a point of order 2 on $E/C$, as $P_2$ has order 2 and is not in the kernel of $\phi$. Thus, there is a function $s$ on $E/C$ with divisor $2(\bar P_2) - 2(\infty)$. Moreover, since $P_3 = P_1 + P_2$, we have $\operatorname{div}(\phi^* s) = 2(P_2) + 2(P_3) - 2(P_1) - 2(\infty)$. By comparing divisors on $E$, we see that $\phi^* s = M\, \frac{(x - \alpha_2)(x - \alpha_3)}{x - \alpha_1}$ for some nonzero constant $M$. Therefore we may take $t = M^{-1} s$.

Proposition 2.2. Let $Q_1$ and $Q_2$ be two points of $E$ satisfying $[2]Q_i = P_1$ and $Q_2 \neq \pm Q_1$. Let $\beta_i = \phi^* t(Q_i)$. Then $E/C$ has the following Weierstrass equation.
$$z^2 = t(t - \beta_1)(t - \beta_2) \qquad (1)$$

Proof. We have already seen that $t$ is a function in $L(2(\infty))$ that vanishes twice at $\bar P_2$ (a point of order 2). So it follows that $E/C$ has an equation of this form, and that $\beta_1$ and $\beta_2$ are the values of $t$ at the other two distinct points of order 2. By construction, these points must be $\bar Q_1$ and $\bar Q_2$. To see this, note that $[2]Q_1 = P_1 \Rightarrow Q_1 + Q_1 + P_1 = P_1 + P_1 = 0$. Therefore the condition that $Q_2 \neq \pm Q_1$ is equivalent to the condition that $Q_2 \neq Q_1,\, Q_1 + P_1$, i.e. that $\bar Q_1 \neq \bar Q_2$.

Remark 2.1. In practice, it is easy to find $Q_1$ and $Q_2$, using the duplication formula on $E$ as follows:
$$x([2]Q) = \frac{x^4 - 2bx^2 - 8cx + b^2 - 4ac}{4(x^3 + ax^2 + bx + c)} = \alpha_1.$$
This equation must have precisely two roots, $x_1 := x(Q_1)$ and $x_2 := x(Q_2)$, which can be substituted into the formula for $\phi^* t$ to find $\beta_1$ and $\beta_2$.

Proposition 2.3. The function $z$ in Proposition 2.2 can be chosen so that
$$\phi^* z = \frac{(x - x_1)(x - x_2)}{(x - \alpha_1)^2}\, y.$$

Proof. On $E/C$, the divisor of $z$ must be $(\bar P_2) + (\bar Q_1) + (\bar Q_2) - 3(\infty)$. So, pulling back to a function on $E$, we must have $\operatorname{div}(\phi^* z) = (P_2) + (P_3) + (Q_1) + (-Q_1) + (Q_2) + (-Q_2) - 3(P_1) - 3(\infty)$. But we also know the following divisors on $E$.
$$\operatorname{div}(y) = (P_1) + (P_2) + (P_3) - 3(\infty)$$
$$\operatorname{div}(x - x_i) = (Q_i) + (-Q_i) - 2(\infty) \qquad (i = 1, 2)$$
So by comparing divisors, it follows that $\phi^* z = M\, \frac{(x - x_1)(x - x_2)}{(x - \alpha_1)^2}\, y$ for some nonzero constant $M$. If we substitute this expression for $z$ and the expression for $t$ into Equation 1, we obtain an equation in $x$ and $y$. Then, replacing $y^2$ with $x^3 + ax^2 + bx + c$, we obtain a polynomial in $x$ with leading coefficient $M^2 - 1$. So $M$ can only be $\pm 1$ (either is an option).

Remark 2.2. The formula for explicitly representing $\phi : E \to E/C$ that was developed above is essentially the same as the one developed in [Ve], although with a more modern presentation. A similar formula for representing more general separable isogenies of prime degree was also developed in [LM] and [Ve]. For our purposes, the following statement will suffice.

Proposition 2.4. Let $l$ be an odd prime. Suppose that $E/\mathbb{F}_{p^n}$ is an elliptic curve given by $y^2 = x(x - \alpha_1)(x - \alpha_2)$, and $C \subset E$ is a cyclic subgroup of order $l$ generated by $P$. Set $P_i = [i]P$ and $Q_i = (0, 0) + P_i$, for $1 \le i \le l - 1$.

(i) There is a function $t \in L(2(\infty))$ on $E/C$ with
$$\phi^* t = x \prod_{i=1}^{l-1} \frac{x - x(Q_i)}{x - x(P_i)} = x \prod_{i=1}^{(l-1)/2} \left( \frac{x - x(Q_i)}{x - x(P_i)} \right)^2.$$

(ii) $E/C$ has the Weierstrass equation $z^2 = t(t - t_1)(t - t_2)$, where $t_1 = \phi^* t(\alpha_1, 0)$ and $t_2 = \phi^* t(\alpha_2, 0)$.

Now that we have an explicit representation of $\phi : E \to E/C$ (returning to the 2-isogeny case), we want to determine the formula for the dual isogeny $\hat\phi : E/C \to E$ in terms of these same parameters. Given the fact that $\operatorname{div}(\phi^* t) = (P_2) + (P_3) - 2(\infty)$, it is clear that the kernel of $\hat\phi$ must be $\langle (0, 0) \rangle$ (so that the kernel of the composition will be precisely $E[2]$). This might lead one to conjecture that we simply apply the above reasoning a second time. In other words, we would take
$$X = \frac{(t - \beta_1)(t - \beta_2)}{t} \qquad \text{and} \qquad Y = \frac{(t - t_1)(t - t_2)}{t^2}\, z,$$
where $t_1$ and $t_2$ are the two distinct values of $t$ at the points $R$ defined by $[2]R = (0, 0)$. While these functions do define legitimate Weierstrass parameters on $E$ (or, more precisely, on $E/E[2]$), they do not correspond to the original $x$ and $y$. However, they need only be composed with a simple linear map, as we show in the following proposition.

Proposition 2.5. $\hat\phi : E/C \to E$ is given by $\hat\phi(t, z) = \left( \tfrac{1}{4} X + \alpha_1,\ \tfrac{1}{8} Y \right)$.

Proof. Given the fact that $X$ and $Y$ have only a double pole and triple pole at the infinite point of $E/E[2]$, respectively, we must have $x = m_0 X + b_0$ and $y = c_0 Y + f(x)$ for constants $m_0$, $b_0$ and $c_0$, and some linear function $f$. (Here, we are abusing notation slightly, since $x$ and $y$ are really $[2]^* x$ and $[2]^* y$.) Moreover, it is immediate that $f(x) = 0$, since the Weierstrass equation for $E$ in $X$ and $Y$ has no $Y$ or $XY$ terms. To compute $b_0$, we evaluate both sides of the equation $x = m_0 X + b_0$ at the point $Q_1$, which satisfied $[2]Q_1 = P_1$. Since $t(Q_1) = \beta_1$, we have $X(Q_1) = 0$. On the other hand, $[2]^* x(Q_1) = x([2]Q_1) = x(P_1) = \alpha_1$. So $b_0 = \alpha_1$. To compute $m_0$ and $c_0$, we observe that both $X$ and $Y/y$ are a ratio of monic polynomials in $x$. On the other hand, by the well known duplication formula, we have
$$[2](x, y) = \left( \frac{x^4 - 2bx^2 - 8cx + b^2 - 4ac}{4(x^3 + ax^2 + bx + c)},\ \frac{x^6 + \cdots - (b^3 - 4abc + 8c^2)}{8(x^3 + ax^2 + bx + c)^2}\, y \right).$$
So we must have $m_0 = 1/4$ and $c_0 = 1/8$.

Remark 2.3. Recall that $t_1$ and $t_2$ are the two distinct $t$ coordinates of the points $R$ satisfying $[2]R = (0, 0)$ on $E/C$. By the Weierstrass equation for $E/C$ and the duplication formula, this amounts to solving the equation
$$t^4 - 2\beta_1\beta_2\, t^2 + \beta_1^2 \beta_2^2 = (t^2 - \beta_1\beta_2)^2 = 0.$$
Thus, the expression for $Y$ may be simplified to:
$$Y = \frac{t^2 - \beta_1\beta_2}{t^2}\, z.$$

2.2 Division by $l$ Inside $\operatorname{End} E$

In order to apply the twisting operator of Waterhouse, we must be able to divide by 2 inside the endomorphism ring of an elliptic curve. More generally, in this subsection we develop a formula for $l^{-1}\phi$ whenever $\phi : E_1 \to E_2$ is a separable isogeny that is known to be a multiple of $l$ for some prime $l \neq p$. While the $l = 2$ case is necessary in all cases for the twisting operator, the case for more general $l$ will also be necessary in some cases for establishing an initial explicit representation (which is discussed in Section 3). First we fix notation. Assume that $E_1$ and $E_2$ are elliptic curves given by Weierstrass equations as follows.
$$E_1 : y^2 = W_1(x) = x^3 + ax^2 + bx + c$$
$$E_2 : z^2 = W_2(t) = t^3 + a't^2 + b't + c'$$

Let $[l]^1_{E_1}$ and $[l]^2_{E_1}$ be the two rational functions that are determined by the multiplication by $l$ map on $E_1$.
$$[l]^* x = [l]^1_{E_1}(x), \qquad [l]^* y = [l]^2_{E_1}(x)\, y$$
Similarly, define $[l]^1_{E_2}$ and $[l]^2_{E_2}$ via multiplication by $l$ on $E_2$. When $l \neq 2$, we let $\psi_{E_1,l}(x)$ be the $l$-th torsion polynomial for $E_1$, i.e., the degree $(l^2 - 1)/2$ monic polynomial in $x$ whose roots are the distinct $x$ coordinates of the nontrivial points of $E_1[l]$ (similarly for $\psi_{E_2,l}(t)$).

Definition 2.4. Suppose that $P(x) = (x - r_1) \cdots (x - r_n)$ is a polynomial whose roots $r_i$ lie in some field $K$. Let $T$ be a rational function over $K$ that is holomorphic at each $r_i$. Then we define
$$P(x) \circ T = (x - T(r_1)) \cdots (x - T(r_n)).$$

Proposition 2.6. Suppose that $\phi : E_1 \to E_2$ is a separable isogeny, and that $(l\phi)(x, y) = (F(x), G(x)y)$. Write $F(x)$ in lowest terms, as either
$$F(x) = c_F\, \frac{P(x)}{W_1(x)\, Q(x)} \quad (l = 2) \qquad \text{or} \qquad F(x) = c_F\, \frac{P(x)}{\psi_{E_1,l}(x)^2\, Q(x)} \quad (l \neq 2),$$
for monic polynomials $P(x)$ and $Q(x)$. Set
$$p(x) = P(x) \circ [l]^1_{E_1}, \qquad q(x) = Q(x) \circ [l]^1_{E_1}.$$
Then $p = p_0^{\,l^2}$ and $q = q_0^{\,l^2}$, for monic polynomials $p_0$ and $q_0$. Moreover, we have $\phi(x, y) = (f(x), g(x)y)$, where
$$f(x) = c_F\, l^2\, \frac{p_0(x)}{q_0(x)} \qquad \text{and} \qquad g(x) = \frac{G(x)}{[l]^2_{E_2}(f(x))}.$$

Proof. First note that $F(x)$ can indeed always be written in this form. This follows from the fact that $E_1[l] \subset \ker(l\phi)$, and so $\operatorname{ord}_P F(x) = \operatorname{ord}_P t = -2$ for each point $P \in E_1[l]$. Moreover, since the poles of $[l]^1_{E_1}(x)$ are precisely the roots of $W_1(x)$ ($l = 2$) or $\psi_{E_1,l}(x)$ ($l \neq 2$), and hence $[l]^1_{E_1}$ is holomorphic at the roots of $P(x)$ and $Q(x)$, the definitions of $p(x)$ and $q(x)$ are valid. Now, define $f(x)$ and $g(x)$ by $\phi(x, y) = (f(x), g(x)y)$. We want to show that the divisor of $f(x)$, as a function on $E_1$, is precisely $l^{-2}[\operatorname{div}(p(x)) - \operatorname{div}(q(x))]$. First we observe that $f(x) = \phi^* t$, while $F(x)$ can be viewed as $(\phi \circ [l])^* t$. So, as rational functions on $E_1$, we have $F(x) = [l]^* f(x)$. Therefore, we have:
$$\operatorname{div}(P(x)) - \operatorname{div}(Q(x)) - \operatorname{div}(W_1(x)) = \operatorname{div}([l]^* f(x)) = [l]^* \operatorname{div}(f(x)) \quad (l = 2)$$
$$\operatorname{div}(P(x)) - \operatorname{div}(Q(x)) - 2\operatorname{div}(\psi_{E_1,l}(x)) = \operatorname{div}([l]^* f(x)) = [l]^* \operatorname{div}(f(x)) \quad (l \neq 2).$$
Now observe that $[l]_* \operatorname{div}(x - r) = \operatorname{div}(x - [l]^1_{E_1}(r))$ whenever $W_1(r) \neq 0$ ($l = 2$) or $\psi_{E_1,l}(r) \neq 0$ ($l \neq 2$), and $0$ otherwise. Thus, in either case, if we apply $[l]_*$ to the above equation and use the fact that $[l]_* [l]^* = l^2$, we obtain $\operatorname{div}(p(x)) - \operatorname{div}(q(x)) = l^2 \operatorname{div}(f(x))$. It follows that $p(x)/q(x)$ is an $l^2$ power. But $p(x)$ and $q(x)$ have no roots in common. So we must indeed have $p = p_0^{\,l^2}$ and $q = q_0^{\,l^2}$, for monic polynomials $p_0$ and $q_0$, and then $f(x) = k\, \frac{p_0(x)}{q_0(x)}$ for some constant $k$. Viewing $F(x)$ again as $[l]^1_{E_1}(f(x))$, and using the fact that $[l]^1_{E_1}(x) \sim l^{-2} x$ at $\infty$, we see that $l^{-2} k$ must equal $c_F$. Now that we have $f(x)$, $g(x)$ follows easily. This time, it is more convenient to view $l\phi$ as $[l] \circ \phi$, which gives us
$$G(x)\, y = ([l] \circ \phi)^* z = \phi^*\big([l]^2_{E_2}(t)\, z\big) = [l]^2_{E_2}(f(x))\, g(x)\, y.$$

Example 2.5. Take $E_1$ and $E_2$ to be the following elliptic curves over $\mathbb{F}_{43}$.
$$E_1 : y^2 = x^3 - 14x^2 - 6x + 17, \qquad E_2 : z^2 = t^3 + 17t^2 + 16t$$
Then we have a degree 5 map $\phi : E_1 \to E_2$ given by
$$\phi(x, y) = \left( \frac{(x - 2)(x - 12)^2(x - 19)^2}{(x - 37)^2(x - 40)^2},\ \frac{x^6 - 16x^5 + 20x^4 - 14x^3 - 2x^2 + 10x + 1}{(x - 37)^3(x - 40)^3}\, y \right).$$
The two duplication rules are given by
$$[2](x, y) = \left( \frac{x^4 + 12x^2 + 36x + 42}{4(x^3 - 14x^2 - 6x + 17)},\ \frac{x^6 + 15x^5 + 13x^4 + 39x^3 + 5x^2 + 36x + 4}{8(x^3 - 14x^2 - 6x + 17)^2}\, y \right)$$
$$[2](t, z) = \left( \frac{t^4 + 11t^2 + 41}{4(t^3 + 17t^2 + 16t)},\ \frac{t^6 + 34t^5 + 37t^4 + 10t^2 + 25t + 32}{8(t^3 + 17t^2 + 16t)^2}\, z \right)$$
We find that $2\phi = (F(x), G(x)y)$, where
$$F(x) = \frac{x^2(x + 4)^2(x + 9)^2(x + 13)^2(x + 16)^2(x + 21)^2(x - 21)^2(x - 18)^2(x - 15)^2(x - 8)^2}{4(x - 19)^2(x - 12)^2(x - 9)^2(x - 1)^2(x + 3)^2(x + 6)^2(x + 11)^2(x + 14)^2(x - 2)(x + 12)(x + 19)}.$$
The construction from the proposition yields
$$p(x) = (x - 2)^4(x - 12)^8(x - 19)^8, \qquad q(x) = (x + 3)^8(x + 6)^8.$$
Therefore, since $c_F = \tfrac{1}{4}$, the proposition takes us right back to the original function $f(x)$. We leave it as an exercise to verify that $G(x)/[2]^2_{E_2}(f(x)) = g(x)$.

It is important to note here, for the sake of complexity, that one can apply the previous proposition without first finding the roots of $P(x)$ and $Q(x)$. For example, $p(x) = P(x) \circ [l]^1_{E_1}$ (resp., $q(x) = Q(x) \circ [l]^1_{E_1}$) can be computed in the following way. Observe that the degree $l^2$ extension of function fields over $K(x)$ generated by the equation $[l]^1_{E_1}(X) = x$ is Galois. Indeed, the conjugates of $X$ in this extension, say $\alpha_i(X)$, can be easily computed by taking the $x$-coordinates of the points $(X, Y) + (x_i, y_i)$, where $(x_i, y_i)$ ranges over the distinct points of $E_1[l]$ (including $\infty$). It is straightforward to show[3] with elementary Galois theory that
$$P(x) \circ [l]^1_{E_1} = \epsilon\, N(P(X)) = \epsilon\, P(\alpha_1(X)) \cdots P(\alpha_{l^2}(X)), \qquad \epsilon \in K.$$
Once the right hand side has been computed as a rational function in the indeterminate $X$, the coefficients of $P(x) \circ [l]^1_{E_1}$ (as a polynomial in $x$) can be computed by recursively (1) evaluating at a root $\xi$ of $[l]^1_{E_1}(x)$, (2) subtracting off the result, and (3) dividing by $[l]^1_{E_1}(x)$. This works because $x = 0$ when $X = \xi$, and so we are essentially recovering the coefficients of $p(x) = a_n x^n + \cdots + a_1 x + a_0$ by recursively evaluating at $x = 0$, subtracting the result, and dividing by $x$. The $\epsilon$ is irrelevant for our application, since we know we are looking for a monic polynomial.

Example 2.6. Consider the elliptic curve $E_1$ from Example 2.5. To illustrate the method described above, we choose as our original polynomial
$$P(x) = (x + 4)(x - 8)(x + 9)(x - 15) = x^4 + 33x^3 + 29x^2 + x + 20,$$
and compute the polynomial $p(x) = P(x) \circ [2]^1_{E_1}$. Adding the generic point $(X, Y)$ to each of the 2-torsion points of $E_1$ with the explicit group law, we obtain the following four conjugates of $X$.
$$\{\alpha_1(X), \alpha_2(X), \alpha_3(X), \alpha_4(X)\} = \left\{ X,\ \frac{2X - 11}{X - 2},\ \frac{-12X + 16}{X + 12},\ \frac{-19X + 1}{X + 19} \right\}$$
Now we compute the norm of $P(X)$.
$$P(\alpha_1(X)) \cdots P(\alpha_4(X)) = \frac{-18X^{16} - 17X^{15} + \cdots + 11X^2 - 19X}{X^{12} - 13X^{11} + \cdots + 6X + 15}$$
This must be a scalar multiple of $p(x)$. In order to deduce $p(x)$, we choose a root $\xi$ of $[2]^1_{E_1}(x)$ (which will lie in the quadratic extension of $\mathbb{F}_{43}$) and apply the recursive algorithm described above. For example, we may take $\xi = 20 + 12\sqrt{2}$. After dividing the resulting polynomial by the leading coefficient, we have
$$p(x) = x^4 + 8x^3 + 12x^2 + 39x + 9 = (x - 2)^2(x - 12)(x - 19).$$
By applying $[2]^1_{E_1}$ to each of the four original roots, we see that this is correct.

[3] As we were unable to find a suitable reference for this general principle, a brief write-up has been included in Appendix A.
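The isogeny arithmetic of Section 2 (the pair representation $[f, g]$, the compatibility relation $W_2(f) = g^2 W_1$, the duplication formula and the composition rule) carried out on the curves of Example 2.5, as an added example that is not code from the paper or from the author's SAGE package. It is plain Python with its own polynomial arithmetic over $\mathbb{F}_{43}$; every function name (trim, compose, duplication, check_example, ...) is this example's own, and the expanded $y$-numerator of the doubling formula is derived from the group law rather than copied from the paper, which abbreviates it.

```python
# Added example, not the paper's code: the isogeny representation of Section 2
# for the curves of Example 2.5 over F_43. It checks W2(f(x)) = g(x)^2 W1(x) for
# the degree-5 map phi, reproduces the printed duplication rule on E1 from the
# general doubling formula of Section 2.1, and uses the composition rule
# tau∘phi = [f2(f1(x)), g2(f1(x)) g1(x)] to build 2phi as phi∘[2] and as [2]∘phi.
# Polynomials are coefficient lists, lowest degree first, reduced mod P.
P = 43  # the prime of Example 2.5

def trim(a):  # reduce mod P and drop high zero coefficients (canonical form)
    a = [c % P for c in a]
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def padd(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def ppow(a, e):
    out = [1]
    for _ in range(e):
        out = pmul(out, a)
    return out

def from_roots(roots, mults):  # prod (x - r)^m, the factored form the paper prints
    out = [1]
    for r, m in zip(roots, mults):
        out = pmul(out, ppow([-r, 1], m))
    return out

def peval(a, x):
    v = 0
    for c in reversed(a):
        v = (v * x + c) % P
    return v

def rmul(r, s):  # rational functions are (numerator, denominator) pairs
    return (pmul(r[0], s[0]), pmul(r[1], s[1]))

def poly_at_rational(w, r):  # w(N/D) = sum_i w_i N^i D^(deg w - i) / D^(deg w)
    n, d = r
    deg = len(w) - 1
    num = [0]
    for i, c in enumerate(w):
        num = padd(num, pmul(pmul(ppow(n, i), ppow(d, deg - i)), [c]))
    return (num, ppow(d, deg))

def rcompose(r, s):  # r(s(x)) for rational functions r = N/D and s
    n1, d1 = poly_at_rational(r[0], s)
    n2, d2 = poly_at_rational(r[1], s)
    return (pmul(n1, d2), pmul(d1, n2))

def requal(r, s):  # equality of rational functions by cross-multiplication
    return pmul(r[0], s[1]) == pmul(s[0], r[1])

def reval(r, x):  # value at x in F_P (inverse by Fermat)
    return peval(r[0], x) * pow(peval(r[1], x), P - 2, P) % P

def is_isogeny(W1, W2, phi):  # compatibility relation W2(f(x)) == g(x)^2 W1(x)
    f, g = phi
    return requal(poly_at_rational(W2, f), rmul(rmul(g, g), (W1, [1])))

def compose(tau, phi):  # tau∘phi = [f2(f1(x)), g2(f1(x)) g1(x)]
    (f1, g1), (f2, g2) = phi, tau
    return (rcompose(f2, f1), rmul(rcompose(g2, f1), g1))

def duplication(a, b, c):  # [2] on y^2 = x^3 + a x^2 + b x + c as (x-part, y-part / y)
    # Section 2.1's duplication formula; the y-numerator is written out in full here.
    W = [c, b, a, 1]
    fx = (trim([b * b - 4 * a * c, -8 * c, -2 * b, 0, 1]), pmul(W, [4]))
    gy = (trim([-(b ** 3 - 4 * a * b * c + 8 * c * c), 8 * a * a * c - 2 * a * b * b - 4 * b * c,
                20 * a * c - 5 * b * b, 20 * c, 5 * b, 2 * a, 1]), pmul(pmul(W, W), [8]))
    return (fx, gy)

# Example 2.5 data over F_43: W1, W2, the degree-5 isogeny phi = [f, g]: E1 -> E2, printed [2] on E1.
W1, W2 = trim([17, -6, -14, 1]), trim([0, 16, 17, 1])
PHI = ((from_roots([2, 12, 19], [1, 2, 2]), from_roots([37, 40], [2, 2])),
       (trim([1, 10, -2, -14, 20, -16, 1]), from_roots([37, 40], [3, 3])))
DOUBLE_E1 = ((trim([42, 36, 12, 0, 1]), pmul(W1, [4])),
             (trim([4, 36, 5, 39, 13, 15, 1]), pmul(pmul(W1, W1), [8])))

def check_example():
    d1 = duplication(-14, -6, 17)   # [2] on E1 from the general formula
    d2 = duplication(17, 16, 0)     # [2] on E2
    two_phi = compose(PHI, d1)      # phi∘[2]_{E1}
    two_phi_alt = compose(d2, PHI)  # [2]_{E2}∘phi; must agree with two_phi
    return {
        "phi_is_isogeny": is_isogeny(W1, W2, PHI),
        "duplication_matches_paper": requal(d1[0], DOUBLE_E1[0]) and requal(d1[1], DOUBLE_E1[1]),
        "double_is_endomorphism": is_isogeny(W1, W1, d1),
        "two_phi_is_isogeny": is_isogeny(W1, W2, two_phi),
        "composition_commutes": requal(two_phi[0], two_phi_alt[0]) and requal(two_phi[1], two_phi_alt[1]),
        "F_vanishes_at_0": reval(two_phi[0], 0) == 0,  # x = 0 is a listed root of F(x)'s numerator
    }
```

Every entry of check_example() is True; the denominator roots 37 and 40 of f are the x-coordinates of the four non-trivial kernel points of phi, so evaluating there is the one place reval must not be used.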

3 Canonical Choice for Initial Explicit Representation

The first step in our algorithm is to explicitly represent the endomorphism ring of some initial supersingular elliptic curve. When $p$ is congruent to 5, 7, or 11 mod 12, this is fairly straightforward, since we may use the very special $j = 0$ and $j = 1728$ curves. Their endomorphism rings are particularly easy to identify because of their additional automorphisms. The situation is a little more complicated when $p \equiv 1 \bmod 12$. However, we may still choose a somewhat canonical curve, and explicitly represent its endomorphism ring, in what should heuristically be a power of $\log p$ complexity. For convenience, we assume for this section that $p \ge 5$.

3.1 Case 1: $p \equiv 3 \pmod 4$

The case of $p \equiv 3 \bmod 4$ is the easiest case to handle, as we are then able to use the supersingular curve $A$ with $j$-invariant 1728 as our starting point.
$$A : y^2 = x^3 - x$$
From [Pi, Prop. 5.1, 5.2], we may take $\mathbb{Q}_{p,\infty} = A(-1, -p)$, the quaternion algebra given by $\mathbb{Q}[i, j, k]$, where $i^2 = -1$, $j^2 = -p$ and $ij = k = -ji$. Moreover, there is a maximal order $R \subset \mathbb{Q}_{p,\infty}$ with $\mathbb{Z}$-basis:
$$C_R = \langle r_1, r_2, r_3, r_4 \rangle = \left\langle \tfrac{1}{2}(1 + j),\ \tfrac{1}{2}(i + k),\ j,\ k \right\rangle.$$

Proposition 3.1. There is an isomorphism $\iota_A : \mathbb{Q}_{p,\infty} \to \operatorname{End} A \otimes \mathbb{Q}$ such that $R = \iota_A^{-1}(\operatorname{End} A)$. The isomorphism can be chosen so that $j$ corresponds to the Frobenius endomorphism, and $i$ corresponds to the isomorphism
$$\iota_A(i) : (x, y) \mapsto (-x, \alpha y), \qquad \alpha \in \mathbb{F}_{p^2},\ \alpha^2 = -1.$$

Proof. Because $R$ is a maximal order in $\mathbb{Q}_{p,\infty}$, there must exist an isomorphism $\iota_A : \mathbb{Q}_{p,\infty} \to \operatorname{End} A \otimes \mathbb{Q}$ with $R = \iota_A^{-1}(\operatorname{End} A)$, for some supersingular elliptic curve $A$. Then, since $i^4 = 1$, that elliptic curve would necessarily have an extra automorphism of order 4. This implies that $A$ is the $j = 1728$ curve by [S1, III, Cor. 10.2]. However, it wouldn't immediately follow that $\iota_A$ satisfies the given properties. To show this, we simply determine all of the elements of reduced norm 1 and $p$ in $\mathbb{Q}_{p,\infty}$ to be $\{\pm 1, \pm i\}$ and $\{\pm j, \pm k\}$, respectively. Hence $\iota_A^{-1}$ must take the given automorphism to $\pm i$, and Frobenius to $\pm j$ or $\pm k$. Finally we note that $\mathbb{Q}_{p,\infty}$ itself has (ring) automorphisms that switch any two signs of $\{i, j, k\}$, as well as the automorphism that takes $(i, j, k)$ to $(-i, k, j)$. So by composing $\iota_A$ with some automorphism of $\mathbb{Q}_{p,\infty}$ it can be brought into the given form.

Note that we may combine Proposition 3.1 with Proposition 2.6 to obtain explicit formulas for each $\iota_A(r_i)$. In other words, the two propositions combine to give us an explicit representation of $\operatorname{End} A$ in the sense of Section 1. We illustrate this with the following example.

Example 3.1. For $p = 31$, we begin by setting $\iota_A(r_3) = \iota_A(j)$ equal to the Frobenius endomorphism.
$$\iota_A(j) : (x, y) \mapsto \left( x^{31}, y^{31} \right) = \left( x^{31}, (x^3 - x)^{15} y \right)$$
Next we compute $\iota_A(1 + j)$ with the addition law on $A$, and then use Proposition 2.6 to compute $\iota_A(r_1) : (x, y) \mapsto (f(x), g(x)y)$, where
$$f(x) = \frac{4x^8 + 13x^7 + 21x^6 + 11x^5 + 22x^4 + 4x^3 + 4x^2 + 6x + 16}{x^7 + 11x^6 + 19x^5 + 30x^4 + x^3 + 9x^2 + 14x + 16}$$
$$g(x) = \frac{8x^{11} + 12x^{10} + 22x^9 + 29x^8 + 28x^7 + 14x^6 + 26x^5 + 9x^3 + 16x^2 + 9x + 29}{x^{11} + 17x^{10} + 20x^9 + 14x^8 + 22x^7 + 17x^6 + 21x^5 + 3x^4 + 22x^3 + 25x^2 + 23x + 2}.$$
For the remaining basis vectors, we then have
$$\iota_A(r_2) = \iota_A(i) \circ \iota_A(r_1) : (x, y) \mapsto (-f(x), \alpha g(x) y)$$
$$\iota_A(r_4) = \iota_A(i) \circ \iota_A(r_3) : (x, y) \mapsto \left( -x^{31}, \alpha (x^3 - x)^{15} y \right).$$
Thus, we have a complete explicit representation of the endomorphism ring of $A$ (which is the $j = 1728$ supersingular elliptic curve).

3.2 Case 2: $p \equiv 5 \pmod 6$

The case of $p \equiv 5 \pmod 6$ can be handled in a very similar manner, using the supersingular curve $A$ with $j(A) = 0$.
$$A : y^2 = x^3 - 1$$
A quick calculation of discriminants shows that we may represent $\mathbb{Q}_{p,\infty}$ as the quaternion algebra $\mathbb{Q}[i, j, k]$, where $i^2 = -3$, $j^2 = -p$ and $ij = k = -ji$. Moreover, there is a maximal order $R$ inside $\mathbb{Q}_{p,\infty}$ with the following $\mathbb{Z}$-basis.
$$C_R = \langle r_1, r_2, r_3, r_4 \rangle = \left\langle 1,\ \tfrac{1}{2}(-1 + i),\ j,\ \tfrac{1}{6}(3 + i + 3j + k) \right\rangle$$

Proposition 3.2. There is an isomorphism $\iota_A : \mathbb{Q}_{p,\infty} \to \operatorname{End} A \otimes \mathbb{Q}$ such that $R = \iota_A^{-1}(\operatorname{End} A)$. The isomorphism can be chosen so that $j$ corresponds to the Frobenius endomorphism, and $\tfrac{1}{2}(-1 + i)$ corresponds to the isomorphism
$$\iota_A\!\left( \tfrac{1}{2}(-1 + i) \right) : (x, y) \mapsto (\omega x, y), \qquad \omega \in \mathbb{F}_{p^2},\ \omega^2 + \omega + 1 = 0.$$

Proof. Just as in the proof of Proposition 3.1, it follows immediately that there is an isomorphism $\iota_A : \mathbb{Q}_{p,\infty} \to \operatorname{End} A \otimes \mathbb{Q}$ with $R = \iota_A^{-1}(\operatorname{End} A)$, where $A$ is the $j = 0$ curve given above. The explicit automorphism given above can only correspond to $-\tfrac{1}{2} \pm \tfrac{1}{2} i$, and Frobenius can only correspond to $\pm j$ or $\pm \tfrac{1}{2} j \pm \tfrac{1}{2} k$. Once again we have automorphisms of $\mathbb{Q}_{p,\infty}$ that change any two signs of $i$, $j$ and $k$. We also have the inner automorphism by $\tfrac{1}{2}(1 + i)$, under which $j$ has the following orbit.
$$j \mapsto -\tfrac{1}{2} j - \tfrac{1}{2} k \mapsto -\tfrac{1}{2} j + \tfrac{1}{2} k$$
By composing $\iota_A$ with these two types of automorphisms, as needed, it can be brought into the form that is claimed in the statement of the proposition.

Once again, we note that Proposition 3.2 can be combined with Proposition 2.6 to explicitly represent the endomorphism ring of A in this case. In particular, r 1, r 2 and r 3 can be represented immediately, which provides an explicit representation of 3r 4. So the only nontrivial step is a division by 3 inside of End A. This is illustrated in the following example. Example 3.2. In the case of p = 17, Proposition 3.2 immediately gives us the following. ι A (r 3 ) = ι A (j) : (x, y) ( x 17, (x 3 1) 8 y ) ι A (r 2 ) = ι A ( 1 2 ( 1 + i)) : (x, y) (ωx, y) ι A (r 2 j) = ι A ( 1 2 ( j + k)) : (x, y) ( ωx 17, (x 3 1) 8 y ) So, by applying the group law on the curve, we can quickly compute ι A (3r 4 ) = ι A (2 + r 2 + 2j + r 2 j). Then we simply divide this by 3 using Proposition 2.6 to obtain ι A (r 4 ) : (x, y) (f(x), g(x)y), where f(x) and g(x) are as follows. f(x) = ω(14x6 + 12x 5 + 10x 4 + 12x 3 + 6x 2 + 3x + 15) x 5 + 13x 4 + 8x 3 + 10x 2 + 10x + 9 g(x) = (11ω + 4)(x8 + 2x 7 + 6x 6 + 3x 5 + 10x 4 + 4x 3 + 3x 2 + 7x + 2) x 8 + 2x 7 + 6x 6 + 9x 5 + 5x 4 + 6x 3 + x 2 + 10x + 11 Thus we have an explicit representation of End A, where A/F 17 is the j = 0 elliptic curve. 3.3 Case 3: p 1 (mod 12) This is the most difficult case, because we aren t able to choose one particular global CM curve that will reduce to a supersingular curve in every case. On the quaternion side, we begin by choosing the smallest auxiliary prime q such that q 3 mod 4 and q is a quadratic non-residue mod p. Then we may represent Q p, as Q[i, j, k] where i 2 = q, j 2 = p and ij = k = ji. This is a restatement of [Pi, Prop. 5.1] when p 1 mod 8, and follows with a little more work when p 5 mod 8. At least heuristically, one should have q = O(log p) (by Dirichlet and Prime Number Theorem). For example, the first several values of minimal choice of q are as follows. 
p   13   37   61   73   97  109  157  181  193  229
q    7   19    7    7    7   11    7    7   11    7

It is actually simpler in this case not to write down a basis for a particular maximal order in $\mathbf{Q}_{p,\infty}$. Rather, it will suffice for now to consider the order $R$ with the following basis.
$$ 1,\quad \tfrac12(1+i),\quad j,\quad \tfrac12(j+k) $$
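The choice of $q$ is a short computation, and the table can be checked mechanically. The following is an added example (not code from the paper) that reproduces it with Euler's criterion; it assumes only $p \equiv 1 \pmod 4$, so that $(q/p) = (-q/p)$ and a non-residue $q$ makes $p$ inert in $\mathbf{Q}(\sqrt{-q})$. The function names are this example's own.

```python
# Added example (not from the paper): the auxiliary prime q of Section 3.3.
# For p ≡ 1 (mod 4) we have (q/p) = (-q/p), so a non-residue q ≡ 3 (mod 4) makes
# p inert in Q(sqrt(-q)) and (-q, -p | Q) ramified exactly at p and infinity.


def is_prime(n):
    """Trial division; q is O(log p) heuristically, so nothing faster is needed here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_nonresidue(q, p):
    """Euler's criterion: q^((p-1)/2) ≡ -1 (mod p) iff q is a quadratic non-residue mod p."""
    return pow(q, (p - 1) // 2, p) == p - 1


def auxiliary_prime(p):
    """Smallest prime q ≡ 3 (mod 4) that is a quadratic non-residue modulo p (p ≡ 1 mod 4)."""
    assert p % 4 == 1, "Section 3.3 only needs this for p ≡ 1 (mod 12)"
    q = 3
    while not (is_prime(q) and is_nonresidue(q, p)):
        q += 4                      # stay in the residue class 3 mod 4
    return q


def auxiliary_prime_table(primes):
    """Rows of the table above as {p: q}, e.g. {13: 7, 37: 19} for the first two columns."""
    return {p: auxiliary_prime(p) for p in primes}
```

`auxiliary_prime_table([13, 37, 61, 73, 97, 109, 157, 181, 193, 229])` returns exactly the second row of the table.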

While $R$ is not maximal, it is very nearly so, as it has discriminant $pq$. This enables us to build up to a maximal order in a small number of steps. To construct a suitable supersingular elliptic curve, we essentially reduce an appropriate global curve with CM by $\mathbf{Z}\bigl[\tfrac{1+\sqrt{-q}}{2}\bigr]$. More precisely, we compute ideal class group representatives for the quadratic field $\mathbf{Q}(\sqrt{-q})$, and evaluate the corresponding values of $j(\tau)$ to sufficient precision (over $\mathbf{C}$) to identify the monic polynomial $T_q(j)$ over $\mathbf{Z}$ which has these algebraic integers as roots. The roots of $T_q(j)$ are necessarily the $j$-invariants of all distinct elliptic curves $E/\overline{\mathbf{Q}}$ with $\operatorname{End} E = \mathbf{Z}\bigl[\tfrac{1+\sqrt{-q}}{2}\bigr]$ ([S2, II, Prop. 1.2, 4.3]). For example, for $q = 7$, $11$ and $19$, we simply get $j = -3375$, $-32768$ and $-884736$, respectively. For $q = 23$, the class group has 3 elements, and the corresponding three $j$-invariants are the roots of the following cubic polynomial.
$$ j^3 + 3491750\, j^2 - 5151296875\, j + 12771880859375 $$
Now, let $K$ be the splitting field of $T_q(j)$, and let $j_0 \in \mathbf{F}_p$ be any root of $T_q(j)$. Then $j_0$ determines an elliptic curve $A/\mathbf{F}_p$ that lifts (via some prime $\pi$ lying over $p$) to one of these global CM curves $E/K$, which in turn forces $A$ to be supersingular. We formalize this situation, and relate $\operatorname{End} A$ with $R$ from above, in the following proposition.

Proposition 3.3. Suppose $j_0 \in \mathbf{F}_p$ is a root of $T_q(j)$ (notation as above). Let $A/\mathbf{F}_p$ be the corresponding elliptic curve. Then $A$ is supersingular. Moreover, there exists an isomorphism $\iota_A : \mathbf{Q}_{p,\infty} \to \operatorname{End} A \otimes \mathbf{Q}$ such that $R \subseteq \tilde R := \iota_A^{-1}(\operatorname{End} A)$ and $\iota_A(j)$ is the Frobenius endomorphism.

Proof. Let $E/K$ be the lifting of $A$ to a curve with CM by $\mathbf{Z}\bigl[\tfrac{1+\sqrt{-q}}{2}\bigr]$. Since $j(E)$ reduces to $j_0 \in \mathbf{F}_p$, we may assume without loss of generality that $E$ is given by a Weierstrass equation of the form $y^2 = W(x)$ over some subfield $K_0 \subseteq K$ whose residue field at $\pi$ is $\mathbf{F}_p$. With respect to this model let $\psi(x,y)$ be either of the two endomorphisms of $E$ satisfying $(2\psi - 1)^2 = -q$ (defined over some $L/K$, with a prime $\pi_L$ lying over $\pi$).
Suppose that $I := 2\psi - 1$ is given by $I(x,y) = (f(x), g(x)y)$. Since $\{\pm I\}$ is defined over $K_0$, so is $f(x)$. Now we reduce, and observe that $\bar I^2 = -q$ in $\operatorname{End} A$. Since $\bigl(\tfrac{q}{p}\bigr) = -1$ (equivalently $\bigl(\tfrac{-q}{p}\bigr) = -1$, as $p \equiv 1 \pmod 4$), this implies that $A/\mathbf{F}_p$ is supersingular and the ($p$-power) Frobenius endomorphism $\sigma$ satisfies $\sigma^2 = -p$. Finally, since the reduction of $f(x)$ is defined over $\mathbf{F}_p$, it follows that $\bar I \sigma = -\sigma \bar I$. Hence we have an isomorphism $\iota_A : \mathbf{Q}_{p,\infty} \to \operatorname{End} A \otimes \mathbf{Q}$ defined by $\iota_A(j) = \sigma$ and $\iota_A(i) = \bar I$. Clearly, $\tilde R := \iota_A^{-1}(\operatorname{End} A)$ contains $R$, since $\iota_A^{-1}(\bar\psi) = \tfrac{1+i}{2}$.

In order to implement the theorem in practice, there is no need to work with a global CM curve. Once $j_0 \in \mathbf{F}_p$ and a corresponding model for $A/\mathbf{F}_p$ are chosen, the next step is to find $\bar\psi \in \operatorname{End} A$ such that $\bar I^2 = -q$, where $\bar I = 2\bar\psi - 1$. It is actually not necessary for $\bar\psi$ to lift to characteristic zero. However, it is necessary for the first coordinate function of $\bar I$ to be defined over $\mathbf{F}_p$. Proposition 3.3 guarantees the existence of such a $\bar\psi$. Hence, we may simply enumerate and apply all isogenies of degree $\tfrac{1+q}{4}$ (using Proposition 2.3) until an endomorphism with these properties is found.

At this point, $\iota_A$ has been determined but only made explicit on the nonmaximal order $R$. Since $\tilde R$ and $R$ have discriminants $p$ and $pq$ respectively, however, it follows that $\tilde R := \iota_A^{-1}(\operatorname{End} A)$ will be spanned as a $\mathbf{Z}$-module by the given basis for $R$ along with some element $r \in \tilde R$ of the form
$$ r = \frac1q\Bigl[a + b\Bigl(\frac{1+i}{2}\Bigr) + cj + d\Bigl(\frac{j+k}{2}\Bigr)\Bigr], \qquad a, b, c, d \in \mathbf{Z}. $$
Closure under multiplication in $\tilde R$ implies that $2a + b \equiv 0$, $2c + d \equiv 0$ and $b \equiv dl \pmod q$, where $l^2 \equiv -p \pmod q$. By taking linear combinations, we may assume without loss of generality that $c = -1$. Thus, $r$ may be taken to be
$$ \frac1q\Bigl[-l + 2l\Bigl(\frac{1+i}{2}\Bigr) - j + 2\Bigl(\frac{j+k}{2}\Bigr)\Bigr] = \frac{k + li}{q} $$
for one of the two values of $l$, and for a basis for $\tilde R$ we may take
$$ 1,\quad \tfrac12(1+i),\quad \tfrac12(j+k),\quad \tfrac1q(k + li). $$
Note that the correct choice of $l$ can be determined by evaluating both options for $k + li$ on $A[q]$. Then $\iota_A(r)$ can be explicitly represented by dividing $\iota_A(k + li)$ by $q$ using Proposition 2.6.

Example 3.3. For the prime $p = 13$, the minimal auxiliary prime is $q = 7$. This leads us to the associated supersingular elliptic curve $A/\mathbf{F}_{13}$ with $j = 5$, which by [S1, Prop. 1.4(c)] and some algebraic manipulations has the following Weierstrass equation.
$$ y^2 = x^3 - 3x^2 - 6x + 2 = (x + 6)(x^2 + 4x + 9) $$
Next we must find $\bar\psi$ such that $\bar I := 2\bar\psi - 1$ has the desired properties. We can do this by simply enumerating and performing all isogenies $\bar\psi$ of degree $(1+q)/4 = 2$, and computing $(2\bar\psi - 1)^2$ for each one that turns out to be an endomorphism (as in Section 2.1). Choosing $\alpha \in \mathbf{F}_{13^2}$ with $\alpha^2 - \alpha + 2 = 0$, we find
$$ \bar\psi(x,y) = \left( \frac{(3\alpha + 3)x^2 + (\alpha + 3)x + 9\alpha + 7}{x + \alpha + 8},\ \frac{(5\alpha + 11)x^2 + 8\alpha x + 12\alpha + 4}{x^2 + (2\alpha + 3)x + 4\alpha + 10}\, y \right). $$
This example illustrates that the first coordinate function of $\bar\psi$ need not be defined over $\mathbf{F}_p$.
Indeed, the first coordinate function of $\bar I$, for this choice of $\bar\psi$, turns out to be
$$ \frac{x^7 + 11x^6 + 3x^5 + 12x^4 + 10x^3 + 9x^2 + 6x + 11}{6x^6 + 10x^5 + 6x^4 + 12x^3 + 5x^2}. $$
The fact that this is defined over $\mathbf{F}_p$ is what guarantees that $\bar I \sigma = -\sigma \bar I$. So now we have
$$ \iota_A\bigl(\tfrac12(1+i)\bigr) = \bar\psi, \qquad \iota_A(j) = \sigma = \bigl(x^{13},\ (x^3 - 3x^2 - 6x + 2)^6 y\bigr), \qquad \iota_A\bigl(\tfrac12(j+k)\bigr) = \bar\psi\sigma. $$
All that remains is to determine for which value of $l$ we have $r := \tfrac1q(k + li) \in \tilde R$. In this case we have $l = \pm 1$, and only $\iota_A(k - i)$ vanishes on all of $A[7]$. So the explicit representation of $\operatorname{End} A$ is completed by dividing $\iota_A(k - i)$ by $q = 7$ using Proposition 2.6 to obtain the following.
$$ \iota_A\Bigl(\frac{k - i}{7}\Bigr) = \left( \frac{6x^2 + 5x + 5}{x + 6},\ \frac{(12\alpha + 7)(x^2 + 12x + 2)}{x^2 + 12x + 10}\, y \right) $$

4 Translation of Maximal Orders Inside $\mathbf{Q}_{p,\infty}$

The goal of this section is to develop all the parts of our algorithm that take place inside of $\mathbf{Q}_{p,\infty}$, i.e., on the quaternion algebra side. In particular, we assume that $A/\mathbf{F}_{p^2}$ is a fixed supersingular elliptic curve, given by a Weierstrass equation, and that we have already explicitly represented the endomorphism ring of $A$ as a maximal order inside $\mathbf{Q}_{p,\infty}$. Recalling the definition from Section 1, this means that we have an isomorphism $\iota_A : \mathbf{Q}_{p,\infty} \to \operatorname{End} A \otimes \mathbf{Q}$, which is given explicitly by two pieces of data. First, we have a $\mathbf{Z}$-basis, $C_R = \langle r_1, r_2, r_3, r_4 \rangle$, for the maximal order $R := \iota_A^{-1}(\operatorname{End} A)$. Then we have an explicit formula for each $\iota_A(r_i)$ in terms of the Weierstrass parameters on $A$.

Now suppose that $\varphi : A \to B$ is a degree two isogeny with kernel $H \subseteq A$ and dual isogeny $\hat\varphi$. From [Wa, 3.1], there is an isomorphism $\iota_B : \mathbf{Q}_{p,\infty} \to \operatorname{End} B \otimes \mathbf{Q}$, given by
$$ \iota_B(\alpha) = \tfrac12\, \varphi\, \iota_A(\alpha)\, \hat\varphi. \tag{2} $$
This does not immediately provide an explicit representation of $\operatorname{End} B$, however, unless we also have a $\mathbf{Z}$-basis for $S = \iota_B^{-1}(\operatorname{End} B)$. Our solution is to follow the well-known construction of $S$ as the right order of the left kernel ideal associated to $\varphi$ (as developed in [Wa, 3]). In the special case where $\varphi$ has degree 2, we show that this calculation can be reformulated in terms of relatively simple linear algebra over $\mathbf{Z}$ and $\mathbf{Z}/4\mathbf{Z}$.

Proposition 4.1. Suppose that $r \in R$ satisfies $(\ker \iota_A(r)) \cap A[2] = H$. Let $I = \langle 2, r \rangle$ (the left ideal of $R$ with these generators). Then $S$ is equal to the right order of $I$ (in $\mathbf{Q}_{p,\infty}$).

Proof. As in [Wa, 3], we let $H(I) = \bigcap_{\rho \in I} \ker \iota_A(\rho)$.
Since $1 \in R$ and hence $2, r \in I$, it is immediate from the condition on $r$ that $H(I) = H$. Note that $I$ is a kernel ideal, as are all left ideals of $R$, by [Wa, Thm 3.15, Thm 4.2.1]. Therefore the statement follows from [Wa, Prop 3.9].

The condition on $r$ clearly depends only on its class in $R/2R$. Hence, to find such an $r$, it suffices to check one representative from each of the 15 nonzero classes of $R/2R \cong (\mathbf{Z}/2\mathbf{Z})^4$. Moreover, it is easy to see that such an $r$ must always exist in the case that interests us. Indeed, suppose that every endomorphism of $A$ that factors through $\varphi$ also factors through $[2]$. Then $s \mapsto \tfrac12\, \hat\varphi\, s\, \varphi$ defines an injection of $\operatorname{End} B$ into $\operatorname{End} A$. But then the two rings must be isomorphic, since $\operatorname{End} B$ is a maximal order. This can only happen when $A$ and $B$ have Galois conjugate $j$-invariants, and so their endomorphism rings were isomorphic a priori (see the proof of [Wa, Thm 4.5], for example). Thus, the case does not concern us.

Once $r \in R$ is chosen so that $I = \langle 2, r \rangle$, it is easy to generate a $\mathbf{Z}$-basis for $I$. Note that taking $C_R$ coordinates defines an isomorphism of $\mathbf{Z}$-modules $[\ ]_{C_R} : R \to \mathbf{Z}^4$. So we may determine a $\mathbf{Z}$-basis for $I$ by choosing a basis for the submodule of $\mathbf{Z}^4$ generated by the following elements.
$$ \{[2r_1]_{C_R},\ [2r_2]_{C_R},\ [2r_3]_{C_R},\ [2r_4]_{C_R},\ [r_1 r]_{C_R},\ [r_2 r]_{C_R},\ [r_3 r]_{C_R},\ [r_4 r]_{C_R}\} \tag{3} $$
Pulling back the resulting basis via $[\ ]_{C_R}^{-1}$, we arrive at a $\mathbf{Z}$-basis for $I$ that we denote by $C_I = \langle i_1, i_2, i_3, i_4 \rangle$. Let $[\ ]_{C_I}$ be the associated coordinate map.

Proposition 4.2. There is a linear map, $\tau : (\mathbf{Z}/4\mathbf{Z})^4 \to M_{4\times 4}(\mathbf{Z}/4\mathbf{Z})$, that is induced via $C_I$ and $C_R$ coordinates from
$$ \hat\tau : R \to \operatorname{Hom}_{\mathbf{Z}}(I, I), \qquad \hat\tau(r)(x) = 2xr \quad (x \in I). $$
Let $C \subseteq R$ be any finite set of vectors whose $C_R$ coordinates generate $\ker(\tau)$. Then $\tfrac12 C \cup 2C_R$ is a generating set for $S$.

Proof. The fact that $\hat\tau$ is well-defined follows from the fact that $2R \subseteq I$. We can obviously follow $\hat\tau$ with an isomorphism via $C_I$ coordinates of $\operatorname{Hom}_{\mathbf{Z}}(I, I)$ onto $M_{4\times 4}(\mathbf{Z})$. Then apply the canonical surjection onto $M_{4\times 4}(\mathbf{Z}/4\mathbf{Z})$. By linearity, $4R$ is in the kernel of the composition. So $\tau$ ultimately follows from the isomorphism via $C_R$ coordinates of $R/4R$ with $(\mathbf{Z}/4\mathbf{Z})^4$.

First we show that $\tfrac12 C \cup 2C_R \subseteq S$. Since $2C_R \subseteq 2R \subseteq I$, it is immediate that $2C_R \subseteq S$.
So suppose now that $r \in \tfrac12 C$. Then the image of $2r$ in $R/4R \cong (\mathbf{Z}/4\mathbf{Z})^4$ is in the kernel of $\tau$. Equivalently, we have $\hat\tau(2r)(x) \in 4I$ for all $x \in I$. Applying the definitions of $\hat\tau$ and $\tau$, this implies that $4xr \in 4I$ for all $x \in I$, and since $I$ is a torsion free $\mathbf{Z}$-module, $xr \in I$ for all $x \in I$. Thus, $r$ is in $S$ (the right order of $I$).

Conversely, choose any $s \in S$. Then $xs \in I$ for all $x \in I$, by definition. In particular, since $2 \in I$, it follows that $2s \in R$. Therefore, we may apply $\hat\tau$ and see that $\hat\tau(2s)(x) = 4xs \in 4I$ for all $x \in I$. This means that the reduction of $[2s]_{C_R}$ is in the kernel of $\tau$. So $2s \in R/4R$ must be congruent to a linear combination of the vectors in $C$. Hence, $2s$ must be a linear combination of vectors in $C \cup 4C_R$.

4.1 Example

Let $A$ be the $j = 1728$ elliptic curve over $\mathbf{F}_{31}$, given by the equation $y^2 = x^3 - x$ (so $j(A) = 1728 \equiv 23 \pmod{31}$). In Example 3.1, we found an explicit representation of $\operatorname{End} A$. In particular, we showed that $\operatorname{End} A$ was isomorphic to the maximal order in $\mathbf{Q}_{31,\infty}$ with the following basis.
$$ \tfrac12(1+j),\quad \tfrac12(i+k),\quad j,\quad k $$
We also gave explicit formulas for the endomorphisms corresponding to each of those basis vectors. So now suppose we want to apply the degree 2 isogeny whose kernel is generated by the point $(1, 0)$, and use Waterhouse's twisting formula (Equation 2) to explicitly represent the endomorphism ring of the resulting quotient curve.

We begin by applying Proposition 4.1, choosing $r = r_1 + r_3 = \tfrac12 + \tfrac32 j$. (It is easy to check that this $r$ satisfies the hypotheses.) By the proposition, $S = \iota_B^{-1}(\operatorname{End} B)$ will be isomorphic to the right order of $I = \langle 2, r \rangle$. After computing the $C_R$ coordinates of the eight generators of $I$ given in (3), and row reducing the corresponding $8 \times 4$ matrix over $\mathbf{Z}$, we arrive at the following $\mathbf{Z}$-basis for $I$.
$$ [i_1]_{C_R} = [1, 0, 1, 0],\ i_1 = \tfrac12 + \tfrac32 j; \qquad [i_2]_{C_R} = [0, 1, 0, 1],\ i_2 = \tfrac12 i + \tfrac32 k; $$
$$ [i_3]_{C_R} = [0, 0, 2, 0],\ i_3 = 2j; \qquad [i_4]_{C_R} = [0, 0, 0, 2],\ i_4 = 2k. $$
Next we compute a basis for the right order of $I$, by applying Proposition 4.2. For the purpose of illustration, we list here the values of $\hat\tau(r_i)$, given as elements of $M_{4\times 4}(\mathbf{Z})$ via $C_I$ coordinates (the $n$-th column is $[2 i_n r_m]_{C_I}$).
$$ \hat\tau(r_1) = \begin{pmatrix} -92 & 0 & -124 & 0 \\ 0 & -92 & 0 & -124 \\ 70 & 0 & 94 & 0 \\ 0 & 70 & 0 & 94 \end{pmatrix}, \qquad \hat\tau(r_2) = \begin{pmatrix} 0 & -94 & 0 & -124 \\ 94 & 0 & 124 & 0 \\ 0 & 71 & 0 & 94 \\ -71 & 0 & -94 & 0 \end{pmatrix}, $$
$$ \hat\tau(r_3) = \begin{pmatrix} -186 & 0 & -248 & 0 \\ 0 & -186 & 0 & -248 \\ 140 & 0 & 186 & 0 \\ 0 & 140 & 0 & 186 \end{pmatrix}, \qquad \hat\tau(r_4) = \begin{pmatrix} 0 & -186 & 0 & -248 \\ 186 & 0 & 248 & 0 \\ 0 & 139 & 0 & 186 \\ -139 & 0 & -186 & 0 \end{pmatrix}. $$
Straightforward linear algebra (footnote 4) shows that we may take $C = \langle 2r_1, 2r_3, r_2 - r_4 \rangle$. Therefore, by Proposition 4.2, the right order of $I$ must be generated by the following set of vectors: $\{r_1, r_3, \tfrac12(r_2 - r_4), 2r_1, 2r_2, 2r_3, 2r_4\}$. Doubling the $C_R$ coordinates of these vectors and row reducing over $\mathbf{Z}$, we arrive at the following basis for $S$, the right order of $I$.
$$ C_S = \langle s_1, s_2, s_3, s_4 \rangle = \Bigl\langle 1,\ 2i,\ \tfrac12 + \tfrac12 j,\ \tfrac14 i - \tfrac14 k \Bigr\rangle $$

Footnote 4: For example, one could compute the Smith normal form of the corresponding $16 \times 4$ matrix over $\mathbf{Z}/4\mathbf{Z}$.
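This example can be checked mechanically. The following is an added example (not the paper's own code) that implements the generating set (3) of Proposition 4.1 and the right-order computation of Proposition 4.2 in plain Python with exact rational arithmetic. Quaternions are 4-tuples of coordinates with respect to $1, i, j, k$ in a general $(-q, -p \mid \mathbf{Q})$, and the function names (`left_ideal`, `right_order`, `zbasis`, `disc_sq`) are this example's own. Rather than solving for $\ker\tau$ over $\mathbf{Z}/4\mathbf{Z}$, it uses the observation behind the proof of Proposition 4.2 directly: since $2 \in I$, $S \subseteq \tfrac12 R$, and whether $t/2 \in S$ depends only on $t$ modulo $4R$, so the 256 classes of $R/4R$ are simply enumerated. Because it is written for general $q$, the discriminant check also applies to the orders $R$ and $\tilde R$ of Section 3.3.

```python
# Added example (not from the paper): the quaternion-side steps of Section 4 for
# B = (-q, -p | Q), i^2 = -q, j^2 = -p, k = ij = -ji.  A quaternion is a 4-tuple
# (a, b, c, d) = a + b*i + c*j + d*k of Fractions; a lattice is a list of four of them.
from fractions import Fraction as Fr
from itertools import product
from math import gcd

def qmul(x, y, q, p):
    """Product in (-q, -p | Q); with al = i^2, be = j^2: k^2 = -al*be, ik = al*j, jk = -be*i."""
    (a1, b1, c1, d1), (a2, b2, c2, d2) = x, y
    al, be = -q, -p
    return (a1*a2 + al*b1*b2 + be*c1*c2 - al*be*d1*d2,
            a1*b2 + b1*a2 - be*c1*d2 + be*d1*c2,
            a1*c2 + c1*a2 + al*b1*d2 - al*d1*b2,
            a1*d2 + d1*a2 + b1*c2 - c1*b2)

def qconj(x):
    return (x[0], -x[1], -x[2], -x[3])

def coords(basis, x):
    """Rational coordinates of x in the Q-basis `basis` (Gauss-Jordan elimination)."""
    m = [[Fr(basis[c][r]) for c in range(4)] + [Fr(x[r])] for r in range(4)]
    for c in range(4):
        piv = next(r for r in range(c, 4) if m[r][c] != 0)
        m[c], m[piv] = m[piv], m[c]
        m[c] = [v / m[c][c] for v in m[c]]
        for r in range(4):
            if r != c and m[r][c] != 0:
                m[r] = [u - m[r][c] * v for u, v in zip(m[r], m[c])]
    return [m[r][4] for r in range(4)]

def in_lattice(basis, x):
    return all(v.denominator == 1 for v in coords(basis, x))

def same_lattice(a, b):
    return all(in_lattice(b, x) for x in a) and all(in_lattice(a, x) for x in b)

def det(m):
    m, d = [[Fr(v) for v in row] for row in m], Fr(1)
    for c in range(4):
        piv = next((r for r in range(c, 4) if m[r][c] != 0), None)
        if piv is None:
            return Fr(0)
        if piv != c:
            m[c], m[piv], d = m[piv], m[c], -d
        d *= m[c][c]
        for r in range(c + 1, 4):
            m[r] = [u - m[r][c] / m[c][c] * v for u, v in zip(m[r], m[c])]
    return d

def lattice_index(sub, sup):
    """[sup : sub] for full-rank lattices sub ⊆ sup."""
    return abs(det([coords(sup, x) for x in sub]))

def zbasis(gens):
    """Z-basis of the lattice spanned by `gens`: clear denominators, echelonize by integer
    row operations (a Euclidean sweep down each column), then rescale."""
    den = 1
    for v in (v for g in gens for v in g):
        den = den * Fr(v).denominator // gcd(den, Fr(v).denominator)
    rows, basis = [[int(Fr(v) * den) for v in g] for g in gens], []
    for c in range(4):
        rows = [r for r in rows if any(r)]
        while len([r for r in rows if r[c]]) > 1:
            nz = [r for r in rows if r[c]]
            piv = min(nz, key=lambda r: abs(r[c]))
            for r in nz:
                if r is not piv:
                    f = r[c] // piv[c]
                    for t in range(4):
                        r[t] -= f * piv[t]
        nz = [r for r in rows if r[c]]
        if nz:
            basis.append(nz[0])
            rows.remove(nz[0])
    return [tuple(Fr(v, den) for v in b) for b in basis]

def left_ideal(R, r, q, p):
    """I = <2, r> = R*2 + R*r, spanned by the generators (3): 2 r_m and r_m r."""
    return zbasis([tuple(2 * v for v in e) for e in R] + [qmul(e, r, q, p) for e in R])

def right_order(R, I, q, p):
    """Right order S of the left R-ideal I, assuming 2 ∈ I.  Then 2S ⊆ I ⊆ R, so S ⊆ R/2, and
    for t ∈ R the test I*(t/2) ⊆ I depends only on t mod 4R: enumerate the 256 classes."""
    two_I = [tuple(2 * v for v in x) for x in I]
    gens = [tuple(2 * v for v in e) for e in R]             # 2R ⊆ S, as I*2R ⊆ 2R ⊆ I
    for cs in product(range(4), repeat=4):
        t = tuple(sum(c * Fr(e[n]) for c, e in zip(cs, R)) for n in range(4))
        if all(in_lattice(two_I, qmul(x, t, q, p)) for x in I):
            gens.append(tuple(v / 2 for v in t))
    return zbasis(gens)

def disc_sq(O, q, p):
    """det(trd(e_m conj(e_n))) = (reduced discriminant)^2; equals p^2 iff O is maximal."""
    return abs(det([[2 * qmul(e, qconj(f), q, p)[0] for f in O] for e in O]))

def example_4_1():
    """Example 4.1: p = 31, q = 1, R = <(1+j)/2, (i+k)/2, j, k>, r = r1 + r3 = 1/2 + (3/2)j.
    Returns R, a Z-basis of I = <2, r> and a Z-basis of its right order S."""
    q, p, h = 1, 31, Fr(1, 2)
    R = [(h, 0, h, 0), (0, h, 0, h), (0, 0, 1, 0), (0, 0, 0, 1)]
    I = left_ideal(R, (h, 0, 3 * h, 0), q, p)
    return R, I, right_order(R, I, q, p)
```

`example_4_1()` returns $R$, a basis of $I$ spanning the same lattice as $\langle i_1, \dots, i_4 \rangle$ above, and a basis of $S$ spanning the same lattice as $C_S$; `disc_sq(S, 1, 31)` returns $31^2$, confirming that $S$ is maximal, while `in_lattice(S, (0, 1, 0, 0))` is false, so $i \notin S$. Applying `left_ideal` and `right_order` again to $S$ and $s = s_3 + s_4$ performs the next node of the tree in exactly the same way, which is how the algorithm of Section 5 proceeds.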

5 The Complete Algorithm

Now that the tools have all been developed, we are able to describe the complete algorithm for obtaining explicit representations (as defined in Section 1) for the endomorphism rings of all supersingular elliptic curves for a given prime $p$. The first step is to use the Hasse polynomial to compute all of the supersingular $j$-invariants, which lie in $\mathbf{F}_{p^2}$, and then allocate space for all of the endomorphism rings (indexed by those $j$ values). Next, according to the class of $p$ mod 12, use the methods of Section 3 to determine an explicit representation for the endomorphism ring of one of the supersingular curves. Specifically, we use the $j = 1728$ curve and Proposition 3.1 if $p \equiv 7 \pmod{12}$ or $p \equiv 11 \pmod{12}$. We use the $j = 0$ curve and Proposition 3.2 if $p \equiv 5 \pmod{12}$. When $p \equiv 1 \pmod{12}$, we work a little harder and apply Proposition 3.3.

The next step is roughly to begin with that first curve and apply 2-isogenies until all of the others have been attained. After the very first step, this will generate a binary tree, since it is never advantageous to follow an isogeny with its dual. (Note that the dual isogeny always has kernel $\langle (0,0) \rangle$ with our construction.) Every time the quotient curve has a $j$-invariant that is a repeat, or the Galois conjugate of a repeat (over $\mathbf{F}_{p^2}$), we terminate that path. In all other cases, the given useful 2-isogeny will be used at the next step to generate a new endomorphism ring. For clarification of this step, we include below the binary trees that are generated for $p = 79$ and $p = 83$. In both cases, we begin with the $j = 1728$ curve, and represent $\mathbf{F}_{p^2}$ as $\mathbf{F}_p[\alpha]$, where $\alpha^2 = -1$.

[Figure: binary trees of 2-isogenies for $p = 79$ and $p = 83$; not reproduced. The $j$-invariants appearing in the $p = 79$ tree are $69$ (the root, $1728 \bmod 79$), $15$, $21$, $64$, $17$, $48\alpha + 72$ and $31\alpha + 72$; those in the $p = 83$ tree are $68$ (the root, $1728 \bmod 83$), $67$, $66\alpha + 38$, $17\alpha + 38$, $17$, $50$, $0$ and $28$.]

Once the tree has been generated, we work our way down from top to bottom, using each useful 2-isogeny to generate a new explicit representation.
By induction, at each such step we will have a curve $A$, a basis $\langle r_1, r_2, r_3, r_4 \rangle$ for the maximal order $R = \iota_A^{-1}(\operatorname{End} A) \subseteq \mathbf{Q}_{p,\infty}$, and explicit formulas for the $\iota_A(r_i)$ in terms of the Weierstrass parameters on $A$. We will also have an order two subgroup $H \subseteq A$, a Weierstrass equation for $B = A/H$, and an explicit formula for the 2-isogeny $\varphi : A \to B$. Following the comments after Proposition 4.1, we first choose $r \in R$ such that $(\ker \iota_A(r)) \cap A[2] = H$. Then, using the methods of Section 4, we determine a basis $\langle s_1, s_2, s_3, s_4 \rangle$ for the maximal order $S = \iota_B^{-1}(\operatorname{End} B)$.

At this point, all that must be done is to twist endomorphisms of $A$ with the formula of Waterhouse, to obtain explicit formulas for the $\iota_B(s_i)$. More specifically, since $2S \subseteq R$, we use elementary linear algebra to write $2s_i$ for each $i$ as a linear combination (over $\mathbf{Z}$) of the $r_i$. Then, by simple addition, subtraction, and multiplication by integers inside of $\operatorname{End} A$, we are able to determine an explicit formula for $\iota_A(2s_i)$.
$$ \iota_A(2s_i) = \iota_A(a_1 r_1 + a_2 r_2 + a_3 r_3 + a_4 r_4) = a_1 \iota_A(r_1) + a_2 \iota_A(r_2) + a_3 \iota_A(r_3) + a_4 \iota_A(r_4), \qquad a_i \in \mathbf{Z} $$
Finally, using Proposition 2.6 (twice if necessary) and Waterhouse, we determine an explicit formula for $\iota_B(s_i)$.
$$ \iota_B(s_i) = \tfrac12\, \varphi\, \iota_A(s_i)\, \hat\varphi = \tfrac14\, \varphi\, \iota_A(2s_i)\, \hat\varphi $$
There is one slight caveat, which is that Proposition 2.6, as stated, only applies to separable isogenies. One solution would be to strengthen the proposition. On the other hand, one could easily compute the norm of $s_i$ inside $\mathbf{Q}_{p,\infty}$ first. If it is prime to $p$, the above method works. Otherwise, determine the explicit formula for $\iota_A(2s_i + 2)$ inside $\operatorname{End} A$ and then compute $\iota_B(s_i)$ as follows.
$$ \iota_B(s_i) = \iota_B(s_i + 1) - [1]_B = \tfrac14\, \varphi\, \iota_A(2s_i + 2)\, \hat\varphi - [1]_B $$
Each time we have completed this step, we store the resulting explicit representation of $\operatorname{End} B$ in the record indexed by $j(B)$, and if necessary store its Galois conjugate in the record indexed by the conjugate of $j(B)$. Then we essentially hit the reset button, before moving on to the next useful isogeny. After $O(p)$ of these twisting steps, we have explicit representations for all of the supersingular endomorphism rings.

5.1 One Complete Example

To apply the algorithm with $p = 31$, we begin by using the Hasse polynomial to compute the supersingular $j$-invariants: $j = 2$, $j = 4$ and $j = 23$. Now, because we are in the $p \equiv 3 \pmod 4$ case, we take our initial curve $A$ to have Weierstrass equation $y^2 = x^3 - x$, and $j$-invariant $1728 \equiv 23 \pmod{31}$.
With this as our starting point, we then want to systematically apply all possible 2-isogenies, abandoning a path whenever there is a repeated or Galois conjugate $j$-invariant, until all three supersingular $j$-invariants have been obtained. This results in the following steps.

Step 1: ($j(A) = 23$) Roots of $x^3 - x$ are $0$, $1$ and $-1$.

Step 1a: Apply the 2-isogeny with kernel $\langle (0,0) \rangle$. Quotient has $j = 23$. Since this $j$ value is a repeat, terminate this path.

Step 1b: Apply the 2-isogeny with kernel $\langle (1,0) \rangle$. Quotient has $j = 2$. The Weierstrass equation, isogeny, and dual isogeny are as follows.
$$ y^2 = x^3 + 25x^2 + x $$
$$ \varphi_A : (x,y) \mapsto \left( \frac{x^2 + x}{x + 30},\ \frac{x^2 + 29x + 30}{x^2 + 29x + 1}\, y \right), \qquad \hat\varphi_A : (x,y) \mapsto \left( \frac{8x^2 + 15x + 8}{x},\ \frac{4x^2 + 27}{x^2}\, y \right) $$

Step 1c: Apply the 2-isogeny with kernel $\langle (-1,0) \rangle$. Quotient has $j = 2$ again. So terminate this path.

Step 2: ($j(B) = 2$) Nonzero roots of $x^3 + 25x^2 + x$ are $18$ and $19$.

Step 2a: Apply the 2-isogeny with kernel $\langle (18,0) \rangle$. Quotient has $j = 4$. The Weierstrass equation, isogeny, and dual isogeny are as follows.
$$ y^2 = x^3 + 28x^2 + 20x $$
$$ \varphi_B : (x,y) \mapsto \left( \frac{x^2 + 12x}{x + 13},\ \frac{x^2 + 26x + 1}{x^2 + 26x + 14}\, y \right), \qquad \hat\varphi_B : (x,y) \mapsto \left( \frac{8x^2 + 25x + 5}{x},\ \frac{4x^2 + 13}{x^2}\, y \right) $$

Step 2b: Apply the 2-isogeny with kernel $\langle (19,0) \rangle$. Quotient has $j = 2$ again. So terminate this path. (Or observe that all $j$-invariants have been attained.)

Now that the 2-isogeny tree has been generated, we begin to twist endomorphism rings. For each isogeny, we first generate a basis for the new maximal order inside $\mathbf{Q}_{31,\infty}$ with the methods of Section 4. Then we determine the explicit formulas for the corresponding endomorphisms using the formula of Waterhouse (Equation 2).

For the isogeny from the $j = 23$ curve ($A$) to the $j = 2$ curve ($B$), the first step was already done in the example of Section 4.1. In particular, we found that the maximal order $S = \iota_B^{-1}(\operatorname{End} B)$ has basis
$$ C_S = \langle s_1, s_2, s_3, s_4 \rangle = \Bigl\langle 1,\ 2i,\ \tfrac12 + \tfrac12 j,\ \tfrac14 i - \tfrac14 k \Bigr\rangle. $$
The first basis vector will clearly correspond to the identity endomorphism, although the official algorithm would arrive at this by twisting $\iota_A(2r_1 - r_3)$ with $\varphi_A$ and $\hat\varphi_A$, and then dividing by 2 inside $\operatorname{End} B$ with Proposition 2.6. Similarly, the second basis vector will correspond to $\varphi_A\, \iota_A(i)\, \hat\varphi_A$, although in reality the algorithm would twist $2i$ before dividing by 2 inside $\operatorname{End} B$. This results in a degree 4 endomorphism, $\iota_B(s_2) = (f_{B,2}(x), g_{B,2}(x)y)$.
$$ f_{B,2}(x) = \frac{2x^4 + 15x^3 + 28x^2 + 15x + 2}{23x^3 + 15x^2 + 23x} $$
$$ g_{B,2}(x) = \frac{\alpha(8x^5 + 24x^4 + 8x^3 + 23x^2 + 7x + 23)}{2x^5 + 6x^4 + 6x^3 + 2x^2} $$

Since $s_3 = r_1$, we compute $\iota_B(s_3) = (f_{B,3}(x), g_{B,3}(x)y)$ by composing $\iota_A(r_1)$ with $\varphi_A$ and $\hat\varphi_A$, and dividing by 2 in $\operatorname{End} B$.
$$ f_{B,3}(x) = \frac{4x^8 + 26x^7 + x^6 + 14x^5 + 12x^4 + 14x^3 + x^2 + 26x + 4}{x^7 + 8x^6 + 24x^5 + 3x^4 + 24x^3 + 8x^2 + x} $$
$$ g_{B,3}(x) = \frac{16x^{11} + 6x^{10} + x^9 + 6x^8 + x^7 + 21x^6 + 10x^5 + 30x^4 + 25x^3 + 30x^2 + 25x + 15}{2x^{11} + 24x^{10} + 27x^9 + 16x^8 + x^7 + x^6 + 16x^5 + 27x^4 + 24x^3 + 2x^2} $$
Finally, we note that $s_4 = \tfrac12(r_2 - r_4)$. So to obtain $\iota_B(s_4) = (f_{B,4}(x), g_{B,4}(x)y)$ we compose $\iota_A(r_2 - r_4)$ with $\varphi_A$ and $\hat\varphi_A$, and then divide by 4 (i.e., apply Proposition 2.6 twice). This results in the following explicit functions.
$$ f_{B,4}(x) = \frac{15x^2 + 28x + 11}{x + 12}, \qquad g_{B,4}(x) = \frac{\alpha(23x^2 + 25x + 23)}{27x^2 + 28x + 13} $$
It is important to realize that at this point the twisting process begins from scratch, as if one had pushed the reset button. We currently have an explicit representation of $\operatorname{End} B$, i.e., a basis for the maximal order $S = \iota_B^{-1}(\operatorname{End} B)$, and explicit formulas for the corresponding endomorphisms of $B$. We have a degree two isogeny $\varphi_B : B \to C$, and its dual. Once again, we want to use the method of Section 4 to determine a basis for the maximal order $T = \iota_C^{-1}(\operatorname{End} C)$, and then use Waterhouse to find explicit formulas for the corresponding endomorphisms of $C$.

A quick check shows that the kernel ideal is $I = \langle 2, s \rangle$, where $s = s_3 + s_4$. A $\mathbf{Z}$-basis for the ideal is given by
$$ \tfrac12 + \tfrac32 j - 2k,\quad \tfrac14 i + j + \tfrac74 k,\quad 2j,\quad 4k. $$
Applying Proposition 4.2, we find that the right order of this ideal, which is really $T = \iota_C^{-1}(\operatorname{End} C)$, has the following $\mathbf{Z}$-basis.
$$ C_T = \langle t_1, t_2, t_3, t_4 \rangle = \Bigl\langle 1,\ j,\ \tfrac12 - \tfrac58 i - \tfrac38 k,\ \tfrac12 - \tfrac14 i + \tfrac12 j + \tfrac14 k \Bigr\rangle $$
The first basis vector corresponds to the identity endomorphism, although again this would be computed by twisting $\iota_B(1) = \iota_B(s_1)$ and dividing by 2 inside $\operatorname{End} C$. The second vector corresponds to the Frobenius endomorphism.
$$ \iota_C(j) = \bigl( x^{31},\ (x^3 + 28x^2 + 20x)^{15} y \bigr) $$
However, the reduced norm of this vector is divisible by 31. So $\iota_C(j)$ would actually be computed by twisting $\iota_B(1 + j) = \iota_B(2s_3)$, dividing by 2 in $\operatorname{End} C$, and subtracting $[1]_C$. For the third basis vector we twist $\iota_B(s_1 - s_2 + 3s_4)$ and divide by 4 inside $\operatorname{End} C$. This results in a degree 5 endomorphism, $\iota_C(t_3) = (f_{C,3}(x), g_{C,3}(x)y)$, where $f_{C,3}(x)$ is equal to
$$ \frac{(7\alpha + 24)x^5 + (25\alpha + 23)x^4 + (12\alpha + 2)x^3 + (12\alpha + 19)x^2 + 4x + 17\alpha + 5}{x^4 + (21\alpha + 30)x^3 + (9\alpha + 16)x^2 + (19\alpha + 19)x + 4\alpha + 28}. $$

We have $g_{C,3}(x) = p(x)/q(x)$ where
$$ p(x) = (12\alpha + 13)x^6 + (4\alpha + 21)x^5 + (11\alpha + 19)x^4 + (25\alpha + 19)x^3 + (3\alpha + 16)x^2 + (2\alpha + 24)x + 12\alpha + 17, $$
$$ q(x) = (26\alpha + 3)x^6 + (9\alpha + 29)x^5 + (24\alpha + 23)x^4 + (28\alpha + 8)x^3 + (8\alpha + 6)x^2 + (27\alpha + 1)x + 18\alpha + 19. $$
For the fourth and final vector, we twist $\iota_B(s_3 - s_4)$ and divide by 2 inside $\operatorname{End} C$ to obtain a degree 10 endomorphism $\iota_C(t_4) = (f_{C,4}(x), g_{C,4}(x)y)$. Below we list the numerator and denominator of $f_{C,4}(x)$, followed by the numerator and denominator of $g_{C,4}(x)$.
$$ (10\alpha + 23)x^{10} + (26\alpha + 8)x^9 + (21\alpha + 4)x^8 + (28\alpha + 25)x^7 + (2\alpha + 8)x^6 + (30\alpha + 5)x^5 + (29\alpha + 16)x^4 + (23\alpha + 19)x^3 + (18\alpha + 21)x^2 + 16x $$
$$ x^9 + (7\alpha + 3)x^8 + (17\alpha + 10)x^7 + (23\alpha + 2)x^6 + (13\alpha + 28)x^5 + (7\alpha + 28)x^4 + (7\alpha + 14)x^3 + (12\alpha + 20)x^2 + (27\alpha + 25)x + 5\alpha + 27 $$
$$ (20\alpha + 29)x^{14} + (9\alpha + 30)x^{13} + (24\alpha + 22)x^{12} + (26\alpha + 10)x^{11} + (18\alpha + 16)x^{10} + (15\alpha + 8)x^9 + (13\alpha + 28)x^8 + (6\alpha + 26)x^7 + 18x^6 + (29\alpha + 16)x^5 + (9\alpha + 26)x^4 + (\alpha + 10)x^3 + (18\alpha + 15)x^2 + (5\alpha + 7)x + 15\alpha + 16 $$
$$ 15x^{14} + (30\alpha + 2)x^{13} + (25\alpha + 21)x^{12} + (4\alpha + 2)x^{11} + (7\alpha + 28)x^{10} + (19\alpha + 27)x^9 + (17\alpha + 4)x^8 + (21\alpha + 30)x^7 + (23\alpha + 13)x^6 + (28\alpha + 20)x^5 + (10\alpha + 7)x^4 + (2\alpha + 23)x^3 + (14\alpha + 4)x^2 + (5\alpha + 5)x + 12\alpha + 26 $$
Thus we have an explicit representation of $\operatorname{End} C$, i.e., a $\mathbf{Z}$-basis for the maximal order $T = \iota_C^{-1}(\operatorname{End} C)$, and explicit formulas for the corresponding endomorphisms.

6 Concluding Remarks

There are two remaining practical matters regarding our algorithm upon which we would like to comment briefly, namely complexity and field of definition. The latter is much easier to address for the following reason. It is straightforward to show that if two elliptic curves over $\mathbf{F}_{p^2}$ are 2-isogenous, the isogeny can be defined over $\mathbf{F}_{p^{24}}$. In addition, it is an $O(\log p)$ step to determine an explicit isomorphism between two elliptic curves over $\mathbf{F}_{p^2}$ with the same $j$-invariant.
Hence, at the time when the tree of 2-isogenies is generated, models for all curves and isogenies could be chosen over $\mathbf{F}_{p^{24}}$. Thus, the field of definition for the entire calculation could be taken to be the compositum of the field of definition for the endomorphism ring of the initial curve and $\mathbf{F}_{p^{24}}$.