Orienteering with One Endomorphism

In supersingular isogeny-based cryptography, the path-finding problem reduces to the endomorphism ring problem. Can path-finding be reduced to knowing just one endomorphism? It is known that a small degree endomorphism enables polynomial-time path-finding and endomorphism ring computation (in: Love and Boneh, ANTS XIV-Proceedings of the Fourteenth Algorithmic Number Theory Symposium, volume 4 of Open Book Ser. Math. Sci. Publ., Berkeley, 2020). An endomorphism gives an explicit orientation of a supersingular elliptic curve. In this paper, we use the volcano structure of the oriented supersingular isogeny graph to take ascending/descending/horizontal steps on the graph and deduce path-finding algorithms to an initial curve. Each altitude of the volcano corresponds to a unique quadratic order, called the primitive order. We introduce a new hard problem of computing the primitive order given an arbitrary endomorphism on the curve, and we also provide a sub-exponential quantum algorithm for solving it. In concurrent work (in: Wesolowski, Advances in cryptology-EUROCRYPT 2022, volume 13277 of Lecture Notes in Computer Science. Springer, Cham, 2022), it was shown that the endomorphism ring problem in the presence of one endomorphism with known primitive order reduces to a vectorization problem, implying path-finding algorithms. Our path-finding algorithms are more general in the sense that we don’t assume the knowledge of the primitive order associated with the endomorphism.


Introduction
The security of isogeny-based cryptosystems depends upon a constellation of hard problems. Central are the path-finding problem introduced in [10] (to find a path between two specified elliptic curves in a supersingular -isogeny graph), and the endomorphism ring problem (to compute the endomorphism ring of a supersingular elliptic curve). Only exponential algorithms are known for general path-finding, in the absence of information beyond the j-invariants you wish to navigate between. However, if the endomorphism rings are known, the KLPT algorithm allows for polynomial-time path-finding [34]. In fact, it is known that the path-finding and endomorphism ring problems are equivalent [25,58]. These are the central problems in isogeny-based cryptography, despite the recent complete break of SIDH/SIKE [7] and [39]. The hardness of these problems is in no way affected by the attack, and they form the basis of the CGL hash function [10], CSIDH [8], and OSIDH [15], among others.
A natural question to ask is whether knowledge of a single explicit endomorphism (which generates only a rank 2 subring of the rank 4 endomorphism ring) can be used for path-finding. Answering this question is the goal of this paper: we give explicit algorithms transforming knowledge of one endomorphism into a wayfinding tool that can detect ascending, descending and horizontal directions with regards to the corresponding orientation, and use this to walk to j = 1728.
By explicit endomorphism, we mean one given in some form in which its action on the curve is computable, and its minimal polynomial is known (but note that, given an endomorphism, both its norm and trace are in many cases computable; see Section 2.2). For example, such an endomorphism may be given as a rational map, or a composition chain of rational maps, and these are the two cases we focus on in this paper. The data of such an endomorphism is equivalent to the data of an orientation of a supersingular elliptic curve E, namely a map ι : K → Q ⊗ Z End(E), where K is the imaginary quadratic field generated by a root of the minimal polynomial of the endomorphism.
The study of orientations provides some structure to the supersingular isogeny graph, which has recently been exploited [15,20,42]. In particular, the -isogeny graph of oriented supersingular elliptic curves over F p has a volcano structure familiar from the ordinary case: each connected component consists of a single cycle, called a rim, of vertices connected by horizontal edges, and descending edges connecting the rim to the non-rim vertices at lower altitudes of the volcano. Non-rim vertices only have ascending/descending edges. This graph maps onto the supersingular -isogeny graph over F p . Our approach is to use the orientation provided by a given explicit endomorphism to discern ascending, descending and horizontal directions with regards to the volcano. This provides a sort of tool for 'orienteering'. (The sport of orienteering involves finding one's way to checkpoints across varied terrain using only map and compass.) The core result of our paper is an algorithm that finds an -isogeny path from a given supersingular elliptic curve E to an initial curve E init , given a single explicit endomorphism of E. We take E init to be the curve with j-invariant j = 1728, but other choices are possible (see Section 6.3). The overall plan is as follows. First, climb the oriented volcano from E, oriented by the given endomorphism, to the volcano rim (using the given endomorphism as our 'orienteering tool'). Then, by orienting the curve j = 1728 with the same field, we can climb to the rim from there also. Finally, we attempt to meet by circling the rim.
This approach is limited by our ability to traverse a potentially large segment of the rim, or to hit the same rim in a large cordillera of volcanoes, whose size is generally equal to the class number of the corresponding quadratic order. If we simply walk the rim, then, classically, the runtime depends linearly on this class number. Using a quantum computer to solve the vectorization problem (see Section 9.1) yields a subexponential algorithm.
1.1. Main theorems.
We rely on a number of heuristic assumptions:
(i) The Generalized Riemann Hypothesis (hereafter referred to as GRH).
(ii) Powersmoothness in a quadratic sequence or form is as for random integers (a powersmooth analogue of the heuristic assumption underlying the quadratic sieve; see Heuristics 5.10 and 9.3).
(iii) The orientations of a fixed j-invariant are distributed reasonably across all suitable volcanoes (Heuristic 3.7).
(iv) This distribution is independent of a certain integer factorization (Heuristic 6.7).
(v) The aforementioned integer factorization is prime with the same probability as a random integer (Heuristic 6.4; this heuristic is similar to those used in [24] and [34]).
We state our main results here; their proofs can be found in Section 11.1. We use the notation L_x(y) = exp(O((log x)^y (log log x)^(1−y))). Our first theorem gives a classical algorithm for -isogeny path-finding that is subexponential in log p times a certain class number, for a wide range of input endomorphisms.
Let ∆ be the -fundamental part of the discriminant ∆ of an endomorphism θ of a supersingular curve E (obtained by removing the largest even power of ). Let h ∆ be the class number of the quadratic order of discriminant ∆ . Note that ∆ can be significantly smaller than ∆.
Theorem 1.1. Assume |∆ | ≤ p^2 . Under the heuristic assumptions given above, there is a classical algorithm (given explicitly in Section 11; see also Algorithm 8.1) that, given an endomorphism θ of sufficiently large degree d which can be efficiently evaluated on points, finds an -isogeny path of length O(log p + h ∆ ) from E to the curve with j = 1728 in runtime h ∆ L d (1/2) poly(log p).
The term 'sufficiently large' as applied to the degree d asks that L d (1/2) ≥ poly(log p). The term 'efficiently' means that the endomorphism can be evaluated on points P ∈ E(F p k ) in time polynomial in log d, in k and in log p. An example of such an endomorphism is an endomorphism given as a chain of isogenies of small degree, but we can also accommodate less efficient endomorphism representations. The full formal statement given in Theorem 11.1 tracks the cost of this evaluation in the final runtime: it is assumed that the endomorphism θ can be evaluated on points P ∈ E(F p k ) in time denoted T θ (k, p), and the algorithm runtime, more precisely, is T θ (L d (1/2), p) + h ∆ L d (1/2) poly(log p). The algorithm comes in two phases: the first phase is to represent the given endomorphism as an isogeny chain in runtime T θ (L d (1/2), p) depending on the representation of θ; the second phase walks the isogeny graph using this representation and always has runtime h ∆ L d (1/2) poly(log p). Phase one is included to allow for an abstract notion of an input endomorphism (see Section 5.1).
Any θ of degree d which is represented in terms of rational maps has T θ (k, p) = poly(d, k, log p), hence the final runtime would be poly(d log p) + h ∆ L d (1/2) poly(log p). But θ could be represented as a composition chain of isogenies in such a way that T θ (k, p) is polynomial in log d. In this case, the final runtime would be h ∆ L d (1/2) poly(log p). The factor L d (1/2) in the runtime arises from the need, during the algorithm, to sieve for endomorphisms of powersmooth degree amongst translates θ + [d], d ∈ Z.
The algorithm can perform significantly better in some special cases, such as when the endomorphism is presented in an efficient way (in which case the first phase may be skipped), the curve is already at a rim (in which case the sieving is avoided), or the class number h ∆ is small (in which case the walk is short), etc. Specifically, modifications of the algorithm lead to special cases:
(1) If the input endomorphism is rationally represented in polynomial space, or the class number is polynomial in log p (with some conditions on ), the algorithm becomes polynomial in log p (Theorem 11.3). The cryptographic weaknesses in these cases are already known by other methods [38].
(2) If is inert in the field Q( √ ∆), the runtime improves for endomorphisms in suitable form to L d (1/2) + h ∆ poly(log p), and the path length is improved to O(log p) (Proposition 8.1).
(3) If, in addition to (2), ∆ = ∆, then the runtime improves further to h ∆ poly(log p) (Proposition 8.1).
(4) If the degree of the endomorphism has B(p)-powersmooth factorization and its discriminant is coprime to , then the runtime improves to h ∆ poly(B(p) log p) (Theorem 11.5).
(5) If degree and discriminant have suitable factorizations, then the runtime can improve to poly(log p) even for non-small endomorphisms (Theorem 11.4). Such endomorphisms exist on all supersingular elliptic curves.
Our second theorem gives a quantum algorithm for finding a smooth isogeny to an initial curve that runs in subexponential time in log |∆|, and polynomial in log p.
Theorem 1.2. Under the heuristic assumptions given above, there is a quantum algorithm (given explicitly in Section 11; see also Algorithm 10.1) which, given an endomorphism θ of degree d and discriminant ∆ satisfying d |∆| ≤ p^2 and which can be efficiently evaluated on points, will return an L |∆| (1/2)-smooth isogeny of norm O( |∆|) from E to the curve of j = 1728, and runs in time subexponential in log |∆| and polynomial in log p.
In both theorems, one may use other suitable initial curves besides j = 1728; see Section 6.3.

1.2. A new hard problem.
Each altitude of an oriented volcano corresponds to a unique order in K, called the primitive order for the oriented curves at that altitude. The orders get smaller as the altitude gets lower, decreasing in index by at each step. Given an elliptic curve E oriented by an endomorphism θ, the knowledge of the primitive order O with respect to (E, θ) plays a vital role in the algorithms: our classical algorithm computes a suborder of O whose relative index in O is coprime to in order to walk horizontally more efficiently; our quantum algorithm requires the full knowledge of O in order to solve the O-vectorization problem.
The primitive order O doesn't come for free; this is Problem 1.3. To the best of our knowledge, this paper is the first work that introduces this problem as a hard problem and provides a quantum algorithm (Proposition 9.8) for solving it in quantum sub-exponential time.
The importance of Problem 1.3 comes from the increasing interest in orientations on elliptic curves. Given an arbitrary supersingular elliptic curve E, the best known way to define an orientation on E is to perform random walks on the supersingular isogeny graph until a cycle on E is found, whereby an endomorphism on E is obtained by composing the edges along the cycle. In order to take advantage of the associated orientation, it is important to be able to answer Problem 1.3. This most general setting for obtaining orientations on E is the setting our paper works with.
Classically, however, solving Problem 1.3 as discussed in Section 9.2 takes time polynomial in the largest prime power factor of f , where f is the conductor of Z[θ]. Luckily, with our classical path-finding algorithm (Theorem 11.1), we are able to circumvent the issue by computing a specific smaller order instead, which can be done in polynomial time. This is also what makes our path-finding algorithms more general compared to the algorithms in a related paper [57] (see Section 1.4).
1.3. Other algorithms presented.
Some of the explicit building blocks of the results above may have independent applications. In particular, we provide algorithms for the following tasks, among others:
(1) Section 4 provides methods for detecting ascending, descending and horizontal directions in general.
(2) Remark 4.9 explains how to adapt the algorithms of this paper to an endomorphism given as an approximate element of the Tate module (i.e. given by its action on -torsion).
(3) Section 5.3 presents a technique for obtaining a prime-power powersmooth isogeny chain endomorphism from the same quadratic order as a given endomorphism (Algorithm 5.3).
(4) Section 6 discusses an algorithm which computes an orientation of the elliptic curve of j-invariant 1728 (or other suitable curves; see Section 6.3) by an -power multiple of a given discriminant (Algorithm 6.1). In other words, given a quadratic order O, it finds j = 1728 somewhere in the cordillera of an order containing O. In fact, it finds arbitrarily many such orientations, moving gradually further 'down' the volcanoes. This algorithm runs in heuristic polynomial time when the discriminant is coprime to p and less than p^2 in absolute value.
(5) 4]; our approach includes a novel method to evaluate isogenies on oriented curves), and for determining the quadratic order for which a given orientation is primitive (Proposition 9.8). We provide runtime analyses of these algorithms in terms of the degree and presentation of the given orientation and the prime p.
(7) Given the input of an elliptic curve with orientation, Section 10 provides a quantum algorithm (Algorithm 10.1) for finding a smooth isogeny to j = 1728. In Proposition 10.1, we analyze the runtime of this algorithm in terms of the degree and presentation of the given orientation and the prime p.
(8) Section 12 contains an efficient algorithm for dividing an isogeny by [ ] (Algorithm 12.2), originally outlined by McMurdy. We make McMurdy's approach explicit for an arbitrary small prime (he only made explicit the case = 2, which is more straightforward).
1.4. Related work.
The question of the security of one endomorphism has recently been 'in the air,' for example, with the uber isogeny assumption of [22] (see Remark 9.2). Knowledge of a small explicit endomorphism is known to be a weakness [37,38]. The work in this paper was done concurrently with [57], which also provides path-finding algorithms in the setting of oriented curves. However, the two papers are very different in nature. The work in [57] covers a web of reductions between a wide variety of hard problems related to orientations using quaternion algebras, which are of interest both in theory and applications. The path-finding algorithms are not stated as results in [57] but rather implied by several reductions combined with algorithms for solving the vectorization problem for oriented curves classically and quantumly. Our paper, by contrast, focuses on the path-finding problem. Our method is very explicit and works with isogenies and endomorphisms directly. We discuss the practical representations of isogenies and endomorphisms, provide complete algorithms, detailed runtime analysis and concrete numerical examples.
The most important advantage of our path-finding algorithms over those given by [57] is that we deal with orientations in greater generality. In both papers, an orientation is identified with an endomorphism. As discussed in Section 1.2, our input is an arbitrary endomorphism θ, and it is a hard problem (Problem 1.3) to find the primitive order with respect to (E, θ). However, the input endomorphism θ in [57] is one such that the order Z[θ] is already the primitive order. Such an endomorphism is unlikely to be found for an arbitrary supersingular elliptic curve.
With due consideration of the added constraints on input for the algorithm in [57], we can more accurately compare runtimes. Let ∆, ∆ and h ∆ be as in Section 1.1. Classically, the runtime of the algorithm in [57] is linear in (h ∆ )^(1/2) whereas the runtime of our algorithm is linear in h ∆ . Quantumly, both algorithms run in subexponential time. If we consider the same input endomorphism in [57] as in this work, then the runtime for solving Problem 1.3 should be added to the runtime of [57]. As discussed in Section 9.2, solving Problem 1.3 takes time polynomial in the biggest prime power factor of the conductor of Z[θ] classically and subexponential time quantumly.
Lastly, the paper [57] assumes the stronger hypothesis that the discriminant of the input endomorphism has a known factorization. We do not assume this. The work [57] is not heuristic beyond a dependence on GRH and the solution to the vectorization problem ([57, Proposition 4]), whereas we rely on a number of heuristic assumptions as given in Section 1.1. Our classical algorithm directly produces a path whose length depends on the class number (since it traverses a volcano rim), whereas a reduction to the vectorization problem as in the algorithms implied in [57] and our quantum algorithm produces a path of poly(log p) length.
Other related work includes [9,20]. In [2], the authors of the present article show that appropriately defined closed walks of the isogeny graph are in bijection with the rims of oriented isogeny volcanoes, giving a class number sum for their number.
1.5. Other contributions.
We give careful runtime analyses for various tasks related to endomorphisms represented as rational functions or as composition chains of isogenies, including evaluation, translation, division-by-[ ], and Waterhouse transfer. Additionally, we provide a review and some modest extensions to the theory of orientations as described in [15,42]; see Section 3, in particular Section 3.3.
In a follow-up paper [2], we establish a theoretical bijection between volcano rims and cycles in the isogeny graph, and address some of the aforementioned heuristics for oriented supersingular -isogeny graphs used in this paper.
Throughout the paper we demonstrate our algorithms with a running example first introduced in Example 3.2. The examples are given in more detail in SageMath [51] worksheets with accompanying PDF details, available on GitHub [3].
1.6. Outline.
In Section 2, we set some notations and conventions and also state a few runtime lemmata. In Section 3, we introduce the main object of study, namely oriented -isogeny graphs and their properties, including some heuristic behaviour. In Section 4, the relationship between an endomorphism and an orientation is explained, and we also introduce a few new definitions that aid in navigating the oriented -isogeny graph. In Section 5, we discuss the representation of endomorphisms, along with the basic functionalities for these representations required for later algorithms. We then compute orientations for the supersingular elliptic curve of j-invariant 1728 in Section 6. In Sections 7 and 8, we present algorithms for walking on an oriented -isogeny graph and for classical path-finding to j = 1728 and give detailed runtime analyses and examples for illustration. We then provide quantum algorithms to solve the oriented vectorization and the primitive orientation problems in Section 9 and a quantum algorithm for finding a smooth isogeny to j = 1728 in Section 10. In Section 11, we discuss the proofs of our main theorems as well as some special cases. Lastly, we leave to Section 12 the technical explanation of McMurdy's division-by- algorithm and provide its runtime analysis. Throughout the paper, to aid in reading, important assumptions will be rendered in bold.
1.7. Acknowledgements.
We would like to thank Catalina Camacho-Navarro, Elena Fuchs, Steven Galbraith, David Kohel, Péter Kutas, and Christophe Petit for helpful discussion. We especially thank Benjamin Wesolowski, who took the time to share highly valuable suggestions on an earlier draft, particularly some important corrections concerning Proposition 9.4. We would also like to thank the conference Women in Numbers 5 for the opportunity to form this research group.

Background
2.1. Notations and conventions.
Throughout the paper, let p be a cryptographically sized prime (upon which runtimes will depend), and let be a small prime (whose size will be assumed O(1) for runtimes). In particular, = p. We will assume both p and are defined once throughout the paper (so, for example, they will not be repeated as an input to every algorithm); the only exception being Sections 9 and 10.
Every elliptic curve considered in the paper is assumed to be a supersingular curve over F p . All such curves can be defined over F p 2 . Every isogeny and endomorphism is assumed to have domains and codomains which are curves of this type. We use the notation End(E) for the endomorphism ring of the elliptic curve E over F p , and End 0 (E) := Q ⊗ Z End(E) for the endomorphism algebra of E. We use the notation O E for the identity element of an elliptic curve E, and j(E) for the j-invariant. We use the variables ϕ and ψ to denote isogenies, while θ is generally reserved for endomorphisms. The dual isogeny to an isogeny ϕ is denoted by ϕ. Let E (p) denote the curve obtained by the action of Frobenius on E (acting on the Weierstrass coefficients). Let π p : E → E (p) denote the Frobenius isogeny, given by π p (x, y) = (x p , y p ). Note that Frobenius is an endomorphism if E is defined over F p . Frobenius also acts on any isogeny ϕ : E → E (acting on its coefficients) to give ϕ (p) : E (p) → (E ) (p) of the same degree. Unless otherwise specified (such as Frobenius), isogenies will be assumed to be separable throughout the paper (many of the algorithms herein would not apply to inseparable endomorphisms or isogenies).
There is only one fixed supersingular -isogeny graph under consideration at any time, which we denote simply by G. Namely, this is the graph whose vertices are F p -isomorphism classes of supersingular elliptic curves (which we will often refer to simply by their j-invariants), and whose directed edges are -isogenies (when there are no extra automorphisms, we can identify dual pairs to create an undirected graph).
We consider imaginary quadratic fields K = Q( √ ∆), where ∆ < 0 is a fundamental discriminant. Then the ring of integers has the form if ∆ ≡ 0 (mod 4).
Since we sometimes have multiple quadratic orders under consideration, we use the notation (α, β) O for the ideal generated by α and β in O. The (possibly non-maximal) orders O of K are parameterized by a positive integer called the conductor.
If f , then we say that both O and its discriminant are -fundamental. Given a discriminant ∆, its -fundamental part is the maximal -fundamental discriminant dividing ∆.
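The quantities that Theorem 1.1 and this section hang on (fundamental discriminant, conductor, the -fundamental part ∆ of a discriminant, and the class number h ∆ ) can all be computed directly from an endomorphism's discriminant. The following is an added example, not code from the paper or its SageMath worksheets; the discriminants it runs on are constructed, and the class number is obtained by counting primitive reduced binary quadratic forms.

```python
# Added example (not from the paper): quadratic-order bookkeeping for a
# discriminant Delta and a small prime ell.  We compute the fundamental
# discriminant Delta_K and conductor f (Delta = f^2 * Delta_K), the
# ell-fundamental part Delta' (conductor stripped of every factor of ell,
# i.e. the largest even power of ell divided out of Delta), and the class
# number h_{Delta'} by counting primitive reduced forms.
from math import gcd, isqrt


def factor_trial(n):
    """Prime factorisation of a positive integer by trial division
    (adequate for the small constructed discriminants used here)."""
    factors = {}
    q = 2
    while q * q <= n:
        while n % q == 0:
            factors[q] = factors.get(q, 0) + 1
            n //= q
        q += 1 if q == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def fundamental_and_conductor(delta):
    """Return (Delta_K, f) with delta = f^2 * Delta_K and Delta_K fundamental."""
    if delta >= 0 or delta % 4 not in (0, 1):
        raise ValueError("not a negative quadratic discriminant")
    d = -1  # squarefree kernel of delta, sign included
    for q, e in factor_trial(-delta).items():
        if e % 2:
            d *= q
    delta_k = d if d % 4 == 1 else 4 * d
    f = isqrt(delta // delta_k)
    assert f * f * delta_k == delta
    return delta_k, f


def ell_fundamental_part(delta, ell):
    """Delta' = Delta_K * f'^2 where f' is the conductor with all factors of
    ell removed, so ell does not divide the conductor of the order of
    discriminant Delta' (the order is ell-fundamental)."""
    delta_k, f = fundamental_and_conductor(delta)
    while f % ell == 0:
        f //= ell
    return delta_k * f * f


def class_number(delta):
    """h_delta: number of primitive reduced forms (a, b, c) with
    b^2 - 4ac = delta, |b| <= a <= c, and b >= 0 when |b| = a or a = c."""
    count = 0
    for a in range(1, isqrt(-delta // 3) + 1):
        for b in range(-a, a + 1):
            if (b - delta) % 2:          # b must have the parity of delta
                continue
            num = b * b - delta
            if num % (4 * a):
                continue
            c = num // (4 * a)
            if c < a or gcd(gcd(a, abs(b)), c) != 1:
                continue
            if b < 0 and (a == -b or a == c):
                continue                 # same class as the form with b > 0
            count += 1
    return count


if __name__ == "__main__":
    # Constructed sample: Delta = -1200 = 20^2 * (-3); its 2-fundamental part
    # is -75 (conductor 5) and its 5-fundamental part is -48 (conductor 4).
    for ell in (2, 5):
        dp = ell_fundamental_part(-1200, ell)
        print(f"ell={ell}: Delta'={dp}, h={class_number(dp)}")
```

For a discriminant such as −3·2^40 the 2-fundamental part collapses to −3 with class number 1, which is the "∆ can be significantly smaller than ∆" remark of Section 1.1 in numbers.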
Write B p,∞ for the rational quaternion algebra ramified at p and ∞. Every quadratic field K is assumed to embed in the quaternion algebra B p,∞ , i.e. to be an imaginary quadratic field in which p does not split [53, Proposition 14.6.7(v)]; the only exception is in the discussion of Heuristic 6.4. Every quadratic order O is assumed to generate such a field K, and to have discriminant not divisible by p. Every quadratic discriminant is assumed to be the discriminant of such a quadratic order O, and we write ∆ O . We denote by O K the maximal order of the quadratic field K and reserve ∆ K for the discriminant of O K .
Complex conjugation (which is also the action of Gal(K/Q)) is denoted by an overline: α → α. We use the notation Cl(O) and h O for the class group and class number, respectively, of a quadratic order O.
The reduced norm and trace of B p,∞ coincide with the norm and trace of an element when it is considered as a quadratic algebraic number; when we discuss norm and trace it is always this we refer to.
For runtime analyses we use big O notation, including soft O for absorbing log factors. The notation M(n) will indicate the runtime of field operations (addition, multiplication, inversion) in a finite field of cardinality n; here, we note that M(n^k) = O(M(n)) when k is constant. In the later portions of the paper we are mainly concerned with the distinction between polynomial, subexponential and exponential algorithms. We write runtime as poly(x) if there exists a polynomial f so the runtime is O(f(x)). When we are concerned only with whether runtime is polynomial, we will suppress the notation M, by assuming that M(n) = poly(log n). For subexponential runtimes, we use notation L_x(y) = exp(O((log x)^y (log log x)^(1−y))).
For general background on isogeny-based cryptography and supersingular isogeny graphs, we will assume the reader is familiar with a resource such as [25, Section 2] or [21].
2.2. Runtime lemmata.
In this section, we recall some basic runtimes for isogenies and torsion points, etc. The first lemma is standard. Corollary 2.5]). Let ϕ : E → E be an isogeny between two supersingular elliptic curves, both defined over F p 2 . Then ϕ is defined over F p 12 . If neither of j(E) or j(E ) are 0 or 1728, then ϕ is defined over Proof. This can be proved by adapting the second paragraph of the proof of Lemma 5 in [28]. In particular, the limiting runtime is the call to the equal-degree factorization algorithm of [55], which takes time O(N^4 (log p) M(p^(N^2))). See also [4, Lemma 6.9].
In practice, this can be done much faster in some cases, e.g. when N is large and t is small.
Lemma 2.4. Consider an isogeny ϕ : E → E of degree d, and a point P ∈ E(F p t ), where 12 | t. Then computing ϕ(P ) takes time O(d M(p^t)). In particular, if P ∈ E[N ], then the time taken is O(d M(p^lcm(12,N^2))).
Proof. Write ϕ as a rational map ϕ(x, y) = (ϕ 1 (x), ϕ 2 (x)y); here the denominators and numerators of ϕ 1 (x) and ϕ 2 (x) are polynomials in x of degree at most 3d. By Lemma 2.2, we can assume that their coefficients are in F p 12 ⊆ F p t . To compute ϕ(P ), we apply Horner's algorithm [33, p. 467], which requires O(d) operations in the field. Assume that P is an N-torsion point on E. Then t can be chosen such that t ≤ lcm(t, N^2) by Lemma 2.3.
In the case that ϕ = [n] for some integer n, it is more efficient to use a standard double-and-add approach, which will also take polynomial time in the degree. By Lemma 2.2, the isogeny created via Vélu's formulas has coefficients in the field F p 12 .
Lemma 2.6. Let ϕ : E → E and ψ : E → E be isogenies represented as rational maps, of respective degrees d and d , where E, E , E , ϕ and ψ are defined over some finite field F. Then computing the composition ψ • ϕ : E → E as a rational map takes time O(dd M(#F)).
Proof. As usual, write ϕ = ( u(x)/v(x) , (s(x)/t(x)) y ) where u(x), v(x), s(x), t(x) Obtaining ψ • ϕ requires computing four compositions of the form f ( u(x)/v(x) ) where f ∈ {u , v , s , t } has degree O(d ). Writing f (x) = Σ_{i=0}^{n} f_i x^i with n = O(d ), we have The computation of F (u(x), v(x)) is dominated by computing the powers of u(x) and v(x), which can be accomplished in time O(dd M(#F)) using fast polynomial multiplication [29]. An alternative way to compute F (u(x), v(x)) that is slightly faster but has asymptotically the same runtime is via the Horner-like recursion where it is easy to see that F 0 (x) = F (u(x), v(x)).
Lemma 2.7. Let E be an elliptic curve defined over some finite field F, θ ∈ End(E) an endomorphism represented as a rational map, and N an integer. Then computing the endomorphism θ + [N ] ∈ End(E) as a rational map takes time O(max{deg θ, N^2} M(#F)).
Proof. By [48, Exercise 3.7, pp. 105f.], we have where )/4y and ψ n is the n-th division polynomial on E. The required division polynomials have degree O(N^2) and can be computed in O(log(N )) steps using the recursive formulas Using the point addition formulas on E and fast polynomial multiplication techniques [29], the rational map θ + [N ] can be computed using O(max{deg θ, N^2}) operations in F.
Throughout the paper, we will assume that all endomorphisms are provided with a trace and norm (which is the same as the degree) that carries through computations; see Section 5.1. If the trace is not provided, then it can be computed using [57, Lemma 1], [25, Lemma 4], [4, Theorem 3.6].

Oriented isogeny graphs
In this section, we recall and strengthen basic results about oriented isogeny graphs, mainly based on work of Colò-Kohel [15] and Onuki [42], and provide some minor new extensions of the general theory.
3.1. Orientations.
Fixing a curve E, we have End 0 (E) ∼ = B p,∞ . The field K embeds into B p,∞ if and only if p does not split in K. There may be many distinct such embeddings. We define a K-orientation of E to be an embedding ι : K → End 0 (E). If O is an order of K, then an O-orientation is a K-orientation such that ι(O) ⊆ End(E). We say that a K-orientation ι is a primitive O-orientation if ι(O) = End(E) ∩ ι(K). It will often be expedient to have a local notion of primitivity: for a prime , we say that a K-orientation ι is an -primitive O-orientation if it is an O-orientation and the index [End(E) ∩ ι(K) : ι(O)] is coprime to . In particular, a primitive O-orientation is exactly one which is -primitive for all primes .
3.2. Oriented isogeny graphs.
Fixing a quadratic field K, we define the graph G K of K-oriented supersingular curves over F p . This is the graph whose vertices are K-isomorphism classes of pairs (E, ι) and for which an edge joins (E, ι) and (E , ι ) for each K-oriented isogeny (defined over F p ) of degree between these oriented curves.
Therefore the edges may be taken to be undirected by pairing isogenies with their duals, when the vertices involved are not j = 0 or 1728. Also, isogenies are taken up to equivalence, meaning we quotient by the same isomorphisms as for the vertices; see [42, Definition 4.1]. The graph G K has (out-)degree + 1 at every vertex. (Note that our graph differs slightly from the definition in [42, Section 4], where only the images of curves over a number field with complex multiplication are included; we discuss this distinction in the next section.) This graph was first studied in [15].
Every K-orientation is a primitive O-orientation for a unique order O := ι(K) ∩ End(E). Therefore, the set of vertices of G K is stratified by the order O by which a vertex is primitively oriented.

Definition 3.1. Let SS pr O denote the set of isomorphism classes of K-oriented supersingular elliptic curves for which the orientation is a primitive O-orientation.
This set is non-empty if and only if p is not split in K and does not divide the conductor of O [42, Proposition 3.2]. As mentioned in Section 2.1, we make those assumptions throughout the paper.
Let ϕ : (E, ι) → (E , ι ) be a K-oriented -isogeny. Suppose that ι is a primitive O-orientation and ι is a primitive O -orientation. There are exactly three possible cases:
Example 3.2 (Introducing our running example). To illustrate the algorithms in this paper, we consider supersingular elliptic curves defined over F p for p = 179. As p ≡ 3 (mod 4), the curve E : y^2 = x^3 − x with j(E) = 1728 is supersingular. This curve is well-known to have extra automorphisms, and its endomorphism ring is generated by the endomorphisms [1], [i], [1]+πp 2 On the right hand side is the supersingular 2-isogeny graph over F p 2 . Here j 1 = 64i + 5, j 2 = 99i + 107, j 3 = 5i + 109, where i denotes a root of −1 in F p 2 . Since the oriented graph is undirected while the supersingular isogeny graph is directed, we have undirected edges in the left graph and directed edges in the right graph. Note that the green 5-cycle represents the rim of the volcano.
A different choice of ϕ a with the same kernel gives an isomorphic oriented curve [42, Section 3.3], so this is well-defined on the oriented -isogeny graph G K . The action of Cl(O) is free, but not necessarily transitive; it may have as many as two orbits [42, Proposition 3.3]. In particular, # SS pr O ∈ {h O , 2h O }. Consider the effect of the Frobenius isogeny on an oriented curve, namely π p • (E, ι) = (E (p) , ι (p) ) where ι (p) := (π p ) * (ι). For any isogeny ϕ, we have gives an isomorphism End(E) ∼ = End(E (p) ), we see that π p is horizontal, so this gives an action on SS pr O for any O by the two-element group {1, π p } = π p . In fact, it is an action on the graph G K , not just the vertices, i.e. it preserves adjacency. Onuki shows that when there are two orbits of the action of Cl(O) on SS pr O , then the second orbit can be reached from the first by the action of Frobenius [42, Proposition 3.3]. In [2], a complete classification of when there are two (instead of one) orbit is given.
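The right-hand graph of Example 3.2 (the supersingular 2-isogeny graph over F p 2 for p = 179) can be rebuilt from the classical modular polynomial Φ 2 (X, Y): the vertices are supersingular j-invariants and the three roots of Φ 2 (j, Y), counted with multiplicity, are the 2-isogenous neighbours of j. The code below is an added example, not the paper's code or its SageMath worksheets; it assumes the standard integer coefficients of Φ 2 , represents F p 2 = F p (i) with i^2 = −1, and finds roots by exhaustive search, which is affordable only at this toy size.

```python
# Added example (not from the paper): the supersingular 2-isogeny graph over
# F_{p^2} for the running example p = 179, built from Phi_2(X, Y).
# Field elements are pairs (a, b) meaning a + b*i with i^2 = -1 (p = 3 mod 4).
P = 179


def fadd(x, y):
    return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)


def fmul(x, y):
    return ((x[0] * y[0] - x[1] * y[1]) % P, (x[0] * y[1] + x[1] * y[0]) % P)


def fscale(n, x):
    """Multiply a field element by an ordinary integer n."""
    return ((n * x[0]) % P, (n * x[1]) % P)


def phi2_in_y(j):
    """Coefficients c0..c3 (low to high) of Phi_2(j, Y) over F_{p^2}, where
    Phi_2(X,Y) = X^3 + Y^3 - X^2Y^2 + 1488(X^2Y + XY^2) - 162000(X^2 + Y^2)
                 + 40773375 XY + 8748000000 (X + Y) - 157464000000000."""
    j2 = fmul(j, j)
    j3 = fmul(j2, j)
    c3 = (1, 0)
    c2 = fadd(fadd(fscale(-1, j2), fscale(1488, j)), (-162000 % P, 0))
    c1 = fadd(fadd(fscale(1488, j2), fscale(40773375, j)), (8748000000 % P, 0))
    c0 = fadd(fadd(fadd(j3, fscale(-162000, j2)), fscale(8748000000, j)),
              (-157464000000000 % P, 0))
    return [c0, c1, c2, c3]


def evaluate(coeffs, y):
    """Horner evaluation of a polynomial with F_{p^2} coefficients."""
    acc = (0, 0)
    for c in reversed(coeffs):
        acc = fadd(fmul(acc, y), c)
    return acc


def divide_by_linear(coeffs, r):
    """Synthetic division of a monic polynomial by (Y - r); r must be a root."""
    n = len(coeffs) - 1
    quot = [(0, 0)] * n
    quot[n - 1] = coeffs[n]
    for k in range(n - 1, 0, -1):
        quot[k - 1] = fadd(coeffs[k], fmul(r, quot[k]))
    return quot


def roots_with_multiplicity(coeffs):
    """All roots in F_{p^2}, repeated according to multiplicity (exhaustive
    search over the p^2 = 32041 field elements)."""
    found = []
    for a in range(P):
        for b in range(P):
            y = (a, b)
            while len(coeffs) > 1 and evaluate(coeffs, y) == (0, 0):
                found.append(y)
                coeffs = divide_by_linear(coeffs, y)
            if len(coeffs) == 1:
                return found
    return found


def two_isogeny_graph(start):
    """Walk the 2-isogeny graph from j = start; returns a dict mapping each
    j-invariant to its list of neighbouring j-invariants (with multiplicity).
    Every supersingular j lies in F_{p^2} and the graph is connected, so the
    walk visits all supersingular j-invariants."""
    adj = {}
    queue = [start]
    while queue:
        j = queue.pop()
        if j in adj:
            continue
        adj[j] = roots_with_multiplicity(phi2_in_y(j))
        queue.extend(n for n in adj[j] if n not in adj)
    return adj


J1728 = (1728 % P, 0)   # j = 1728, the initial curve of the paper
J1 = (5, 64)            # 64i + 5 from Example 3.2
J2 = (107, 99)          # 99i + 107
J3 = (109, 5)           # 5i + 109

if __name__ == "__main__":
    g = two_isogeny_graph(J1728)
    print(len(g), "supersingular j-invariants; neighbours of 1728:", g[J1728])
```

Over Q one has Φ 2 (1728, Y) = (Y − 1728)(Y − 287496)^2, so reduced mod 179 the vertex j = 1728 sees itself once and j = 287496 mod 179 = 22 twice; the three j-invariants j 1 , j 2 , j 3 of Example 3.2 appear among the 16 vertices.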
For our algorithms, we will sometimes need to compute the action of O on SS pr O without actually knowing O. We can define and use an action of a suborder O ⊆ O as a proxy. To accomplish this, define, for [a ] ∈ Cl(O ), that a • (E, ι) := ∩ θ∈ι(a ) ker(θ). Observe that there is a homomorphism ρ : Cl(O ) → Cl(O). Using the previous proposition, this gives a group action of Cl(O ) on SS pr O . The following proposition states that these two definitions agree. Although it implements the action of O, using the kernel intersection formula does not require knowledge of O.

Proposition 3.3. Let O ⊆ O with relative index f . Let a be an ideal of O which has norm coprime to f . Suppose that E has a K-orientation ι which is O-primitive. Let ϕ a be defined as the isogeny with kernel ∩ θ∈ι(a ) ker(θ). Let a := a O be the extension of a to O. Then a • (E, ι) = ϕ a (E, ι).
3.4. Volcano structure. Any component of the oriented -isogeny graph G K has a volcano structure (see Figure 1), which is made precise by the following statement. (This behaviour is similar to the ordinary -isogeny graph, except here volcanoes have no floor; they descend forever.) Here we remind the reader that p = throughout the paper.

(1) There are no ascending edges from (E, ι).
(3) The remaining edges from (E, ι) are descending.

If divides the conductor of O, then the following hold.

When O has unit group {±1}, i.e. except for the Gaussian and Eisenstein integers, the out-degree of (E, ι) is + 1. For the out-degree in these special cases, see [2, Proposition 2.11].
Proposition 3.4 implies that each connected component of the oriented -isogeny graph G K is a volcano, containing a rim comprised of the vertices with no ascending edges. Each vertex on a rim is the root of a tree that radiates infinitely downward and in which each node other than the root generically has one parent and children. The vertices at altitude r are precisely those pairs (E, ι) for which ι is a primitive O-orientation such that the conductor of O has -adic valuation r. Specifically, the vertices at the rims are exactly those for which O is -fundamental. For any fixed -fundamental order O, we define the O-cordillera to be the subgraph of G K comprised of only those volcanoes whose rims are pairs (E, ι) with ι a primitive O-orientation. The vertices at the rims of the O-cordillera are exactly SS pr O .

The action of an ideal class [a] ∈ Cl(O) gives a permutation on SS pr O , which we can visualize as a directed graph. This consists of cycles, all of which are the same size, given by the order of [a] in Cl(O). Applying this to a prime ideal l of O lying above , the rims of the O-cordillera are exactly these cycles. All these rims have the same size dividing h O , and each of them is either a single vertex, a single or double edge or a cycle. If is inert, they are each singletons. If is ramified, they are each of size 2 with one connecting edge (the isogeny and its dual are identified). If splits into two classes of order 2, we obtain a rim of size two with two connecting edges. Otherwise, the rims are non-trivial cycles in the oriented -isogeny graph, of size equal to the order of [l] ∈ Cl(O). We summarize the discussion as follows.

Proof. Fix a volcano V ⊂ G K . Choose a vertex (E, ι) ∈ V. The image E under the quotient map lies on G. Since both V and G are regular of degree + 1 at every vertex, the image of V must be all of G.
As a corollary, every j-invariant occurs on every volcano infinitely many times. Given p, a result of Kaneko [31, Theorem 2'] implies that the multiple occurrences of a given j-invariant cannot occur too quickly as one descends the oriented -isogeny volcano. In fact, there is at most one occurrence in the range |∆| < p (here ∆ is the discriminant at a certain altitude in the volcano).
3.6. Graph statistics and heuristics. In the -isogeny graph G, two vertices are at distance d if the shortest path between them in the graph consists of d edges. The distance between two arbitrary vertices is known to be at most 2 log p [43, Theorem 1]. In fact, for most pairs of vertices, the distance between them is at most (1 + ) log p (see [45, Theorem 1.5] for a precise statement).
We will use the following heuristic to justify the runtimes in the paper. One expects the number of occurrences of a j-invariant in a volcano to be governed by the number of trees emanating from the rim of the volcano. The heuristic in essence asserts a uniform behaviour within any cordillera. Specifically, the proportion of occurrences of any j-invariant in any individual volcano of a cordillera approaches the overall proportion of trees (or equivalently, of edges descending from a rim). A more precise statement is given in Heuristic 3.7. In a follow-up paper [2], we discuss this and some related heuristics in more detail.

Heuristic 3.7. Let O be an -fundamental quadratic order. Consider the finite union SS O of O -cordilleras in the oriented supersingular -isogeny graph for all O ⊇ O. Let d(v) denote the distance of a vertex v to the rim of its volcano. Let j(v) denote its j-invariant. Define:
• R V , the number of edges descending from the rim of the volcano V ∈ SS O ;
• R SS O , the sum of the number of edges descending from all rims in SS O .
Then for any j-invariant j 0 and any volcano V ∈ SS O , the ratio Briefly, one expects this because sufficiently long random walks from any rim vertex will visit all vertices with a uniform distribution [28, Theorem 1]. This observation suffices to prove the case where the rims are singletons; other cases should behave similarly.
The following lemma is useful for runtime analyses of our main algorithms (Propositions 8.1 and 10.1). It states that the sum of the class numbers of all the orders containing O (approximately the cardinality of the union of the sets SS pr O involved in SS O in Heuristic 3.7) is only marginally bigger than just the class number h O (approximately the size of the largest SS pr O in the union).
Lemma 3.8. Let O be an imaginary quadratic order of conductor f in some quadratic field K with class number h O , and put (2) where the sum ranges over all the quadratic orders O containing O and h O denotes the class number of O . Then

Then f divides f . By [18, Corollary 7.28], we have where w, w ∈ {2, 4, 6} are the sizes of the unit groups of O and O , respectively. Thus, where ϕ(•) denotes Euler's phi function. It follows that By [1, Exercise 3.9 (a)], we have for all integers n ≥ 3, where σ(•) is the sum of divisors function. From Robin's Theorem [44], we obtain σ(n)/n < c log log n for all n ≥ 3 and some constant c. Therefore, and hence

Navigating the K-oriented -isogeny graph
In this section, we will show how to transform a given endomorphism of a supersingular elliptic curve into a suitable orientation, and then use it to navigate the oriented -isogeny graph.
4.1. Conjugate orientations and orientations from endomorphisms. Motivated by our computational goals, we replace the abstract data of an orientation with the more computational data of an endomorphism. Given an element θ ∈ End(E) along with its minimal polynomial m θ (x), we can infer a unique Z[θ]-orientation only up to conjugation. Namely, if α is a quadratic irrational root of m θ (x), then we define ι θ (α) = θ and extend to a ring homomorphism. The conjugate orientation is defined by ι θ (α) = θ, or equivalently, by ι θ (α) = θ. An example in [42, Section 3.1] demonstrates a pair of Gal(K/Q)-conjugate K-oriented curves which are not isomorphic. In other words, given ϕ ∈ End(E), one may be in either of two locations in the oriented -isogeny graph: (E, ι) or (E, ι). However, locally at least, navigating from either location looks the same, in the sense of ascending/descending/horizontal edges and j-invariants.
-isogeny, and the type (ascending, descending, or horizontal) is the same.
Proof. The map is clearly a bijection on vertices. Observe that the dual of ϕ From this, it follows that the map is a graph isomorphism. The observation about type follows from the fact that SS pr O is taken back to itself.
As consequences of this lemma, for two vertices (E, ι) and (E, ι), we have the following:
(1) the j-invariant is the same at both vertices;
(2) both vertices are at the same altitude in the volcano;
(3) if the vertices are not at a rim, the ascending isogeny from either vertex is the same;
(4) if the vertices are at the rim, the pair of horizontal isogenies from either vertex is the same;
(5) if we apply any fixed sequence of -isogenies from both vertices, the sequence of j-invariants appearing on the resulting paths is the same.
For these reasons, it will not, in practice, be necessary for us to know which of two conjugate orientations we are dealing with. Therefore, we do not make any choice between the two. In the remainder of the paper, we will not dwell on this distinction and will work with endomorphisms instead of orientations.

Remark 4.2. It is a natural question to ask when a subset of the four oriented curves (E, ι), (E (p) , ι (p) ), (E, ι) and (E (p) , ι (p) ) coincide. This question may have importance to a more detailed runtime analysis than we present in this paper, for example. It is considered in [2].

4.2. -primitivity, -suitability, and direction finding. Having associated an endomorphism to an orientation, we can now define the following.

Definition 4.3. Let θ ∈ End(E) be an endomorphism and α the corresponding quadratic element (up to conjugation). Then θ (as well as α) is called -primitive if the associated orientations ι θ : α → θ and ι θ : α → θ are -primitive Z[α]-orientations. Moreover, θ (as well as α) is called N -suitable, for an integer N , if α is of the form f ω + kN where k is some integer, f is the conductor of Z[α], and f ω is the generator of Z[α] as described in the conventions of Section 2.1.
The purpose of this definition is made clear by the following lemma.
In our algorithms, we sometimes choose an optimal T in the sense of the following definition.

Definition 4.6. If α + T has the smallest possible non-negative trace amongst all N -suitable translates of α, we say that α + T is a minimal N -suitable translate.
Knowing just one suitable endomorphism θ on an elliptic curve E, we can determine the type (ascending, descending or horizontal) of isogenies originating at (E, ι θ ).

Proposition 4.7. Suppose ψ : E → E is an -isogeny and θ ∈ End(E) is an -suitable -primitive endomorphism. Then, with regards to the orientation ι θ induced by θ,

Proof. Let ι θ be the orientation on E associated to θ. Let ι be the induced orientation on E by ι θ via ψ. Let O, O ⊆ K be two orders such that ι θ is O-primitive and ι is O -primitive. The three cases in the proposition correspond to the cases when O O , O = O and O O , respectively. Therefore, ψ is ascending, horizontal and descending correspondingly.
The previous proposition demonstrates that it is enough to check the action of ψ • θ • ψ on E[ ] to determine whether ψ is ascending, horizontal or descending. However, we can also write down the ascending or horizontal endomorphisms directly by analysing the eigenspaces of θ on E[ ], as follows. Note that a version of this for Frobenius is used in CSIDH [8]. Consider the oriented curve (E, ι θ ).
(2b) λ 1 = λ 2 = 0, then there is a unique eigenspace Q and that gives rise to a horizontal isogeny ψ Q ; the rest ψ P 's are descending.
denote the minimal polynomial of α over Q, then f (x) (mod ) is the characteristic polynomial of the action of θ on E[ ]. From this one can show that Case (2a) appears if and only if α is divisible by as an algebraic integer. Since α is -suitable, this is equivalent to O being non-maximal at . Therefore we divide the proof into two cases. In both cases, the statements on the number of descending isogenies follow from the volcano structure as described in Proposition 3.4.
Case I: O is not maximal at . The eigenspace corresponding to 0 is one-dimensional, as otherwise it would violate the fact that α is -primitive; denote the eigenspace by Q . Then Q = E[l] where l := (α, ) O is a non-invertible ideal in O. According to [42, Proposition 3.5], the corresponding isogeny ψ Q is ascending.
Case II: O is maximal at .
• Case (1) is equivalent to being inert in K; in this case there are only descending isogenies.
• Case (2b) is equivalent to ramifying in K. In this case, the eigenspace is again one-dimensional; we denote it by According to [42, Proposition 3.5], the corresponding isogeny ψ Q is horizontal.
• Case (2c) is equivalent to splitting in K. In this case, there are two distinct F -eigenvalues and two eigenspaces They give rise to two horizontal isogenies.
Remark 4.9. Observe from the proposition that in order to detect which outgoing -isogeny at an oriented curve (E, θ) is ascending or horizontal, we only need to know how θ acts on E[ ]. Indeed, we can formalize as follows. Let T (E) have basis We determine a basis P , Q for the codomain T (φ a (E)) as follows: take any P satisfying [ ]P = φ a (P − [a]Q) and take Q = φ a (Q), in the case a = ∞. In the case a = ∞, we take P = φ ∞ (P ) and take Q to be any point satisfying [ ]Q = φ ∞ (Q). With the setup as described above, for any -isogeny φ : E → E , we have that φ = φ a for some a ∈ {0, 1, . . ., − 1, ∞}. Furthermore, for any endomorphism θ ∈ End(E), with respect to bases P , Q and P , Q as described above, φ a θ φ a ∈ End(E ) has -adic matrix representation depending upon whether a = ∞ or a = ∞ respectively. Furthermore, as a consequence of Proposition 4.8,
(1) Suppose (E, θ) is not at the rim in the oriented isogeny graph. Then, the ascending isogeny is given by φ a for a ≡ α/β (mod ) (where a = ∞ if β ≡ 0 (mod )).
(2) Suppose instead that (E, θ) is at the rim. Then, the two horizontal isogenies are given by the two values of a satisfying βa 2 − (α − δ)a − γ ≡ 0 (mod ), if such exist (if β ≡ 0 (mod ), the solutions are a = ∞ and a ≡ γ/(δ − α) (mod )).
These observations show that one can navigate in the oriented graph, perform a Waterhouse transfer (see the next section), divide by , and translate by integers, all using the matrix representation. In fact, the algorithms presented in this paper for finding a path to j = 1728 can be adapted (using the observations just mentioned) to work for an endomorphism given as an approximate element of T (E). Note that one loses precision every time one divides by , so that one's precision limits the number of steps one can take.
A situation where one may be provided with such an endomorphism is the situation of the cryptographic SIDH problem (the subject of recent attacks [7,39]), where an unknown isogeny ϕ : E → E init to a starting curve gives rise to various endomorphisms ϕθϕ for θ ∈ End(E init ) whose action on certain torsion groups is known.

Representing orientations and endomorphisms
In this section, we will introduce several ways to represent isogenies and endomorphisms and then provide functionality for each type of representation.

5.1. Representations and functionality. We remind the reader that throughout the paper, isogenies and endomorphisms will be assumed separable unless otherwise stated (see Section 2.1). In this section, we discuss two types of representations of an endomorphism. The first is the most basic.

Definition 5.1. A rationally represented isogeny is an isogeny given by a rational map. A rationally represented endomorphism is an endomorphism which is rationally represented as an isogeny.
We may also represent endomorphisms of large degree (e.g. not polynomial in log p) by writing them as a chain of isogenies of manageable degree.

Definition 5.2. An isogeny chain isogeny ϕ : E 0 → E k is an isogeny which is given in the form of a sequence of rationally represented isogenies (ϕ i :

Recall that an integer is called B-smooth (or B-friable) if its largest prime factor is at most B. It is called B-powersmooth (or B-ultrafriable) if its largest prime power factor is at most B. In order to handle isogeny chain endomorphisms, we will generally refactor them, meaning we will replace the chain with another chain representing the same endomorphism, but whose component isogenies have coprime prime power degrees. Moreover, we also fix a powersmooth bound B for the prime power degrees. In Section 5.3.4, we explain our choice of B for the best algorithm runtime.

Definition 5.3. An isogeny chain whose component isogenies have coprime prime power degrees is called a prime-power isogeny chain. Moreover, it is called a B-powersmooth prime-power isogeny chain if its component isogenies have coprime prime power degrees at most B.
For isogenies represented in any manner, we will need the following functionality: (1) Evaluation at -torsion: Given θ ∈ End(E), and 3) and again separable. (See Lemma 2.7 for rational representations and Algorithm 5.3 for isogeny chains.) Note that for powersmooth prime power isogeny chains, by computing an -suitable translation, we always mean that we compute a translate that is a B-powersmooth prime power isogeny chain unless otherwise specified. This is exactly what Algorithm 5.3 does. (See Lemma 2.6 for rational representations and Algorithm 5.1 for isogeny chains.) The terminology is based on [56]. We have endeavoured to write the paper in a modular fashion, so that these two types of representations (or another unforeseen type of representation, as long as it provides these functionalities) can be used at will. In particular, we write our algorithms (Sections 7.1 onwards) in terms of these functionalities (writing for example θ ← θ/[ ] for division by , to be implemented according to the endomorphism representation chosen).
Although isogeny chain endomorphisms may have large degree, we assume that for any type of endomorphism representation, the overall degree, trace and discriminant are polynomially bounded in p.
As discussed in Section 2.2, it can be rather involved to compute the trace of an endomorphism. However, the manipulations we perform in our algorithms transform the trace predictably. Therefore, it is to our advantage to attach the trace data to all endomorphisms under consideration and update it as needed. For either rationally represented or isogeny chain endomorphisms, our data type will be the following.

Definition 5.4. A traced endomorphism is a tuple of data (E, θ, t, n) where θ ∈ End(E) is either rationally represented or an isogeny chain, and t and n are the reduced trace and norm (degree) of θ, respectively.

5.2. Functionality for rationally represented endomorphisms. In the case of a rationally represented endomorphism, we can evaluate at -torsion directly (Lemma 2.4). We can translate by an integer by adding the rational maps under the group law (Lemma 2.7). We can Waterhouse transfer by composing the maps (Lemma 2.6). However, division by requires a dedicated algorithm. In Section 12, we describe the algorithm of McMurdy [41] for exactly this purpose, and analyse its runtime in greater detail. For the completeness of this section, we record here that the runtime of dividing an isogeny ϕ : E → E of supersingular elliptic curves defined over F p 2 (Algorithm 12.2) is O(deg 2 (ϕ)M(p)).

5.3. Functionality for isogeny chain endomorphisms. An isogeny chain representation of an endomorphism can be more space efficient than its rational representation, and more efficient to compute with. Computing the Waterhouse transfer of an isogeny chain endomorphism is essentially trivial: include the transfer isogenies in the chain. To evaluate at -torsion, we evaluate the sequence of maps one-by-one (Lemma 2.4); the runtime depends polynomially on the largest degree of their component isogenies.
In this section, we give algorithms for the more onerous tasks of division-by- and translation by integers. Their runtimes will depend polynomially on the largest prime power appearing in the degree of the endomorphism, which must therefore be kept small for efficiency. To address this problem, which arises when translating to something -suitable, we use a search step to find a translate of powersmooth degree.
In order to keep the largest prime power in the degree below a certain bound, we will be interested in B-powersmooth prime power isogeny chains. In the last subsection of this section, we balance the runtime considerations by choosing a subexponential powersmoothness bound B for the degree of an isogeny chain endomorphism. Thus, working with a general such endomorphism is a subexponential endeavour.
Although our concern is with endomorphisms, both Algorithm 5.1 and Algorithm 5.2 work for isogenies in general.

5.3.1. Refactoring an isogeny chain. If an endomorphism is not in the prime power isogeny chain form, we can refactor it. To achieve this, one factors the degree, then builds the new chain from scratch kernel-by-kernel, as described in Algorithm 5.1. In fact, any endomorphism that can be evaluated at arbitrary points on the curve can be converted to an isogeny chain representation using this algorithm.
Remark 5.5. In principle, it is possible to refactor into degrees that are primes as opposed to prime powers. However, this doesn't circumvent the need for powersmoothness (in practice, it would provide some savings, e.g. in Vélu's formulas, but it wouldn't avoid the overall polynomial dependence on the powersmoothness bound). During refactoring, for any prime power factor q k of the degree, the endomorphism needs to be evaluated on the q k -torsion, which should therefore be defined over a field of manageable size. See [10, Section 5.2.1] for a nice discussion of this issue in another context.

Algorithm 5.1: Refactoring an isogeny chain
Input: A traced endomorphism (E, θ, t, n) in any form in which it can be evaluated (such as rationally represented or a translation of an isogeny chain), of degree coprime to p.
Output: The same traced endomorphism (E, θ, t, n) ∈ End(E) in prime-power isogeny chain form.
To write the factorization of n is at worst O(B log 2 B) in time (by trial division), but O(log n) in space. For each prime power factor (so at most log n times), we must do each of the following:
(i) Compute a basis for the torsion subgroup in time and space O(B 2 log p) by Lemma 2.3.
(ii) Evaluate θ on the basis
(iii) List the elements of the kernel G j ; this involves computing all linear combinations of the basis images and recording those combinations which vanish; and then computing the corresponding linear combinations of the original torsion points, a total of B 2 + B linear combinations; by Lemma

Algorithm 5.2: Dividing-by-[ ] for an endomorphism given as a prime-power isogeny chain.

As discussed earlier, we wish to keep the powersmoothness bound B on the degree of an isogeny chain endomorphism low when translating by an integer. Since our goal is to find -suitable endomorphisms, and translation by preserves -suitability, we may search amongst nearby translates for one which is B-powersmooth for our desired bound B. This is done in Algorithm 5.3.
Proposition 5.9. Algorithm 5.3 is correct, and the runtime is that of Algorithm 5.1 plus the time taken for Step 2.

Proof. The -suitability of the output is guaranteed by Lemma 4.5.

5.3.4. Choosing a powersmoothness bound B. In practice, we need to balance the runtimes of the various functionalities of an isogeny chain endomorphism by choosing an appropriate powersmoothness bound B.
The number of B-smooth and B-powersmooth numbers below a bound X is asymptotically the same, provided that B/ log 2 X → ∞ [50] (another reference shows they are asymptotically proportional, provided ). In our situation, we expect to handle endomorphisms which may have degree as much as exponential in log p. Fortunately, we can, at least heuristically, find subexponentially smooth translates in subexponential time [ This is the powersmooth analogue of the heuristic assumption underlying the quadratic sieve; see [19]. A few important notes for the remainder of the paper: we will assume B = L deg θ (1/2), where θ is the initial input endomorphism, when dealing with isogeny chains, and that whenever we perform an -suitable translation on an isogeny chain, we choose a B-powersmooth prime power -suitable translate.

Algorithm 5.3: Computing a B-powersmooth -suitable translate in prime-power isogeny-chain form.
Input: A traced endomorphism (E, θ, t, n) in prime-power isogeny chain form, and a powersmoothness bound B (where B = ∞ is acceptable).
Output: A traced endomorphism (E, θ , t , n ) which satisfies Z[θ ] = Z[θ] but where θ is -suitable, and is given as a separable prime-power isogeny chain, with prime powers ≤ B.
Try values n(b) = n + (T + b )t + (T + b ) 2 for small integers b, to find b such that n(b) is B-powersmooth and coprime to p.
θ ← a refactored prime-power isogeny chain for θ + T + b , using Algorithm 5.1.
Example 5.12 (Computing an -suitable translation via Algorithm 5.3). We continue with our running example, computing an -suitable translate of a degree 47 endomorphism θ on the curve E 1728 : y 2 = x 3 − x for = 2. Here θ is given as a rational map: The traced endomorphism is (E 1728 , θ, 0, 47). In Step 1, we compute the minimal 2-suitable translate T using Lemma 4.5. From the traced endomorphism, we compute ∆ θ = t 2 − 4n = 0 2 − 4 • 47 = −188. This implies that the fundamental discriminant is −47 and the conductor is 2. Therefore, the 2-suitable translates are of the form θ + T for T in 1 + 2Z, and the minimal 2-suitable translate is obtained for T = 1. In Step 2, we find b = 0 produces n(b) = 2

Of course, in individual situations, these runtimes may be much lower (for example, dividing an isogeny chain by [ ] may depend only on the power of if no refactoring is necessary).
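Steps 1 and 2 of Algorithm 5.3 on the running example, written out as an added illustration (this is not the paper's code): from the traced data (t, n) = (0, 47) it recovers ∆ θ = −188, the fundamental discriminant −47 and conductor 2, the minimal 2-suitable translate T = 1, and then searches n(b) = n + (T + 2b)t + (T + 2b)² for a B-powersmooth value coprime to p = 179. Since the conventions of Section 2.1 are not reproduced here, it assumes the standard generator ω of the maximal order ((1 + √∆ K )/2 when ∆ K ≡ 1 (mod 4), otherwise √(∆ K /4)); the refactoring of Step 3 (Algorithm 5.1) is omitted.

```python
"""Added example, not the paper's code: Steps 1 and 2 of Algorithm 5.3 on the
running example of Example 5.12 (p = 179, E_1728, theta of reduced trace 0
and degree 47, ell = 2).  Assumed convention (Section 2.1 is not reproduced
here): the maximal order of K is Z[omega] with omega = (1 + sqrt(D_K))/2 if
D_K = 1 (mod 4) and omega = sqrt(D_K/4) otherwise, so that f*omega has
rational part f/2 or 0.  The refactoring of Step 3 (Algorithm 5.1) is omitted."""
from math import gcd


def factor(n):
    """Trial-division factorisation of |n| >= 1 as {prime: exponent}."""
    n, fac, q = abs(n), {}, 2
    while q * q <= n:
        while n % q == 0:
            fac[q] = fac.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        fac[n] = fac.get(n, 0) + 1
    return fac


def fundamental_discriminant(disc):
    """Write disc = f^2 * D_K with D_K a fundamental discriminant; return (D_K, f)."""
    assert disc < 0 and disc % 4 in (0, 1)
    f, d0 = 1, -1                       # disc = f^2 * d0 with d0 squarefree
    for q, e in factor(disc).items():
        f *= q ** (e // 2)
        if e % 2:
            d0 *= q
    if d0 % 4 == 1:                     # e.g. (-47) % 4 == 1 in Python
        return d0, f
    return 4 * d0, f // 2               # d0 = 2, 3 (mod 4): D_K = 4*d0, f is even


def minimal_suitable_translate(t, n, N):
    """Step 1: the minimal N-suitable translate T of alpha = (t + sqrt(disc))/2
    (Definition 4.6): alpha + T = f*omega + kN with t + 2T >= 0 as small as
    possible.  Returns (T, D_K, f)."""
    D_K, f = fundamental_discriminant(t * t - 4 * n)
    # rational part of alpha + T is (t + 2T)/2; it must equal that of f*omega plus kN
    c = (f - t) // 2 if D_K % 4 == 1 else -t // 2   # residue class of T mod N
    lo = -(t // 2)                                  # smallest T with t + 2T >= 0
    return lo + (c - lo) % N, D_K, f


def is_powersmooth(n, B):
    """True iff every prime power exactly dividing n is at most B."""
    return all(q ** e <= B for q, e in factor(n).items())


def powersmooth_translate(t, n, N, p, B, max_b=1000):
    """Step 2: try n(b) = n + (T + bN) t + (T + bN)^2 for b = 0, 1, -1, 2, -2, ...
    until n(b) is B-powersmooth and coprime to p.  The translate theta + s has
    reduced trace t + 2s and norm n(b), and generates the same order Z[theta].
    Returns (s, new trace, new norm)."""
    T = minimal_suitable_translate(t, n, N)[0]
    for k in range(max_b):
        for b in ((0,) if k == 0 else (k, -k)):
            s = T + b * N
            nb = n + s * t + s * s
            if gcd(nb, p) == 1 and is_powersmooth(nb, B):
                return s, t + 2 * s, nb
    raise ValueError("no B-powersmooth N-suitable translate found")


if __name__ == "__main__":
    # Example 5.12: (E_1728, theta, 0, 47), ell = 2, p = 179.
    print(fundamental_discriminant(0 * 0 - 4 * 47))   # (-47, 2)
    print(minimal_suitable_translate(0, 47, 2))       # (1, -47, 2)
    print(powersmooth_translate(0, 47, 2, 179, 16))   # (1, 2, 48): 48 = 2^4 * 3
```

With B = 8 the value b = 0 is rejected (2^4 = 16 > 8) and the search moves on to s = 3, giving the translate of trace 6 and norm 56 = 2^3 · 7, which still has discriminant −188.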
In the following algorithms, we will need to call all of these operations many times. It will be convenient to set the following definition.

Definition 5.14. We define the representation runtime of a given representation (rationally represented or isogeny chain) to be the maximum runtime of implementing the following operations: evaluating at -torsion, -suitable translation, division-by-, and Waterhouse transfer by an -isogeny. We say that an algorithm has poly-rep runtime if its runtime is bounded above by a constant power of log p times the relevant representation runtime.
Note that our definition above means that, throughout the paper, poly(log p) ≤ poly-rep.

Orientation-finding for j = 1728
For many cryptographic applications, a supersingular elliptic curve with known endomorphism ring is assumed. Most commonly used is the curve with j = 1728, which is supersingular when p ≡ 3 (mod 4). For simplicity, this is the curve we will consider here, but our algorithm can be modified to suit other situations (see Section 6.3). We will use the model given by E init : y 2 = x 3 − x, which has endomorphism ring with a Z-basis In particular, i is given by (x, y) → (−x, √ −1 y) and j is the Frobenius endomorphism (x, y) → (x p , y p ). Let O be an imaginary quadratic order of conductor coprime to such that O embeds into B p,∞ . In this section we give an algorithm for finding an endomorphism θ ∈ End(E init ), generating a suborder O ⊆ O of discriminant 2r ∆ O for the minimal possible r. In other words, we wish to find an -primitive orientation by a suborder O of O. Or, rephrased again, we want to find an orientation for E init placing it as near to the rim as possible in the oriented supersingular isogeny graph cordillera with rims at O. Alternatively, the algorithm can be run continuously, to return all -primitive orientations by suborders of O in order of increasing r.
The algorithm we provide (Algorithm 6.1) has similarities to [34, Integer Representation, Section 3.2], where the difference arises because we seek a given discriminant instead of a given norm. In fact, this algorithm applies more generally to curves over F p satisfying the hypotheses of [34, Section 3.2]; in Section 6.3 we make some comments on adapting this algorithm for other initial curves of known endomorphism ring.
An algorithm for a similar problem appears in [57, Section 4.3]. However, that algorithm finds the 'smallest' quadratic order only: it requires the discriminant be bounded above by 2 √ p − 1. We wish to find orientations by more general orders.
6.1. In terms of 1, i, j, k. The goal of Algorithm 6.1 is to find such an endomorphism as a linear combination of 1, i, j, k.
The idea is to solve a norm equation for E init under extra conditions that guarantee that the result is an element of the desired quadratic order. The algorithm depends on Cornacchia's algorithm, which is discussed in [14, Section 1.5.2] and [27, Section 3.1]. It solves the equation x 2 + y 2 = n when a square root of −1 modulo n is known (e.g., such a square root can be found if n is factored).

Remark 6.1. Algorithm 6.1 can be adapted to run continuously, finding many K-orientations of 1728. Simply continue the loops instead of breaking them, returning an endomorphism θ every time one is found.

Remark 6.2. If one wishes to find all possible solutions, remove the requirement that D be a prime congruent to 1 (mod 4), although this will adversely affect runtime (Cornacchia's algorithm will require factoring D). Furthermore, we must make sure Cornacchia's algorithm returns all solutions, and we must include solutions obtained by changing the sign of x on each solution already obtained. We must also be aware that later solutions may fail to be -primitive; these can be discarded. With these adjustments, every orientation of the form specified will eventually be found by the algorithm (not every θ, but every embedding of O into End(E init ) for all O ); see the proof of Proposition 6.3 for relevant details.
Because of the primality testing step, the algorithm terminates only heuristically. We separately prove its correctness (if it returns) and then give a heuristic runtime.
In what follows, write ∆ := ∆ O for convenience.
Proposition 6.3. Any output returned by Algorithm 6.1 is correct.
Proof. We attempt to find an endomorphism θ for each fixed r increasing from r = 0. If the order O of index r in O has even discriminant (namely ∆ 2r ), then we seek an element of reduced trace zero and reduced norm −∆ 2r /4. Such an element must generate O , and O must contain a generator of this form. Write the element as θ = x 2 i + y 2 j + z 2 k. Then, simplifying the equation, the norm condition is Any solutions must have x 2 < √ −∆ 2r , and for a valid x, solutions y and z are found by Cornacchia's algorithm applied to In order to be contained in End(E init ), we require x ≡ z (mod 2) and y is even. The variable r is incremented if no solution exists, or if Cornacchia's algorithm is not applied because D is not a prime congruent to 1 (mod 4) (in which case we may miss solutions). If ∆ 2r is odd, we instead seek an element of reduced trace 1 and reduced norm (−∆ 2r + 1)/4. Such an element will again necessarily generate O , and O must contain a generator of this form. Writing the element as θ = 1 2 + x 2 i + y 2 j + z 2 k, after slightly simplifying the norm equation, we must solve the same equation as before: However, in order to lie in End(E init ), such an element must satisfy the conditions that x ≡ z (mod 2) and y is odd (note the parity difference). The rest of this case is as above. If θ is not -primitive, the algorithm will translate and divide by until it is.

Use the output of Step 9 and Cornacchia's algorithm to find y and z such that If y is odd then swap y and z.

Heuristic 6.4. The probability that N (r, x) is a prime congruent to 1 modulo 4 is at least O(1/(log D log N (r, x))), where the implied constant is independent of p, D, and b.
We now give a brief justification for this heuristic by passing to the real quadratic field Q( √ D). Write D = f 2 d where d > 0 is squarefree. We have N (r, x) = q if and only if ±pq = N (x + f b r √ d). Hence we need to estimate the probability, given that N (x + f b r √ d) is divisible by p, that it is of the form ±pq for some other prime q. We analyse instead the probability, for α ∈ O Q( √ d) (having no assumptions on the form of α), given that N (α) is divisible by p, that it is of the form ±pq for some prime q. Heuristically, we assume that this will be the same probability.
Given that p splits, there is a prime ideal p above p in the maximal order of Q( √ d). Hence N (α) has the form ±pq if and only if there is a prime ideal q of norm q satisfying pq = (α) (or pq = (α)). If p | N (α), then replacing p with p if necessary, this occurs if and only if the integral ideal (α)p −1 ∈ [p] −1 has norm q.
Therefore, we estimate the probability that integral elements in [p] −1 of size X have prime norm. This is bounded below by the probability that integers of size X have a norm which is a prime represented by the class [p] −1 . This in turn is bounded below by We apply this estimate with X = N (r, x).
Finally, following the Cohen-Lenstra heuristics for real quadratic fields, it may be reasonable to expect the class number h Q( √ d) to have an expected value bounded by O(log d), since the number of prime factors of d is around log log d (see [59] for a result for prime discriminants and recall that the 2-part of the class group is controlled by the number of prime factors of d).
Heuristic 6.4 has been confirmed numerically in some small cases; we will consider this heuristic in more detail in [2].The corresponding heuristic, in the case of the KLPT norm equation, has been verified by Wesolowski [58]; it would be nice to know if similar methods apply here.Running the algorithm continuously, subsequent pairs (θ, r) should be found in the same runtime, with r expected to increase by 1, and their norms expected to increase by a constant factor of 2 at each subsequent pair.
Proof. Suppose r ≤ u log p, where u is positive (otherwise r is not positive). Then √(−∆ 2r) ≤ |∆|^{1/2} p^u. Thus, we expect to iterate the While loop at Step 5 at most X(∆, u) := |∆|^{1/2} p^{u−1} + 1 times. Each time we enter the loop, we obtain a value D = (−∆ 2r − x^2)/p of size ≤ p X(∆, u)^2. The probability that D is prime and 1 (mod 4) is heuristically 1/(4 log(p^{1/2} X(∆, u))) (Heuristic 6.4). Hence we expect to reach Cornacchia's algorithm once u is large enough such that Reaching it will terminate the algorithm. This is a mild condition, satisfied asymptotically when X(∆, u) ≥ (log p) 1+. In fact, it suffices to take |∆| p^u ≥ p log 1+ (p), or equivalently, In particular, u > 1 is always enough, and if |∆| > p 2+, then any positive value for u will suffice. (An informal explanation of this behaviour: even for a volcano with a trivial rim, distance (1 + ) log p down its sides is enough to capture all j-invariants. At the same time, if ∆ is large enough that the rim likely captures all j-invariants, then we needn't descend the volcano at all.) This shows that the algorithm needs to increase r at most O(log p) times before it reaches Cornacchia's algorithm.
For |∆| ≤ p 2+, the optimal value of u is given by (3). However, since u cannot be negative, when |∆| > p 2+, the optimal value of u is 0. (Again, informally: the class group will be of size ≈ |∆| > p, and we will find all ≈ p/12 supersingular j-invariants already on the rim of an isogeny volcano.) We first determine the overall runtime in terms of X(∆, u) and p. The primality test can be run in time O(log 4+ D), for example using the Miller-Rabin algorithm [46, Section 2]. This algorithm is probabilistic, so there is a negligible possibility that Cornacchia's algorithm may fail on false positives.
Once D is a prime congruent to 1 (mod 4), we must find a square root of −1 with which to run Cornacchia's algorithm. There is a nice analysis of this exact situation in [27, Section 3.1], which concludes that it takes probabilistic time O(log^2 D), which is negligible compared to the primality testing.
∈ End(E_1728). This indicates (correctly) that E_1728 admits an orientation at r = 1 of the Q(√−47)-oriented 2-isogeny volcano; see the node with j-invariant 1728 in Figure 1. If we continue to run the algorithm, looking for pairs (r, θ) for r up to 8, it returns three more pairs:

We now formalize a heuristic about the behaviour of Algorithm 6.1 needed for what follows. This is a version of Heuristic 3.7 specific to the algorithm we use.

Heuristic 6.7. Let O be a quadratic order. Let SS_O be the finite union of O-cordilleras where O ⊇ O. Write R_{SS_O} for the sum of the number of descending edges from all rims of SS_O. Fix a volcano V having R_V edges descending from its rim. Then Algorithm 6.1 running continuously will (i) eventually produce solutions on every volcano of SS_O, and (ii) produce solutions on the fixed volcano V with probability approaching

If SS_O has only one volcano, this heuristic is immediate as long as the algorithm produces infinitely many solutions (which happens by Proposition 6.5, under heuristic assumptions from Section 3.6). If Algorithm 6.1 returned all orientations of 1728, then this heuristic would follow directly from Heuristic 3.7. The difficulty is that it finds only those solutions where the primality testing step succeeds. In other words, we cannot rule out the unlikely possibility that the primality condition causes all the orientations of 1728 to be missed on some individual volcano. Thus, we seem to require a version of Heuristic 6.4 which asserts that primality is independent of whether the eventual solution is on any fixed volcano of the cordillera. We consider Heuristic 6.7 more closely in the companion paper [2].

6.2. As an isogeny chain endomorphism.
Since i and j are known endomorphisms which can be evaluated at points, any combination of these can also be evaluated at points. Therefore the output of Algorithm 6.1 can be input into Algorithm 5.3, and an -suitable isogeny chain endomorphism will result. Thus, in poly-rep time (that is, depending on B, the powersmoothness bound), we can obtain the output of Algorithm 6.1 as an isogeny chain endomorphism.

6.3. Curves other than j = 1728.
Algorithm 6.1 can be adapted to work for certain curves E_init other than the curve with j = 1728. In particular, if the endomorphism ring End(E) of a curve E defined over F_p is of the form O + jO, where j is the Frobenius endomorphism and O is a quadratic order, then the adaptation of Algorithm 6.1 is clear: we use the principal norm form of O in place of x^2 + y^2. As before, this will reduce to Cornacchia's algorithm. Instead of primes that are 1 (mod 4), we seek primes that split in the field and are coprime to the conductor of O; this requires a Legendre symbol computation. The runtime is essentially unchanged provided that ∆_O < p (so Cornacchia's algorithm applies; see [27, Section 3.1]). This adaptation follows the discussion in [34, Section 3.2], which also discusses good choices for E_init and O.

Supporting algorithms for walking on oriented curves
Given a suitable endomorphism, we will present algorithms for walking on an oriented -isogeny graph.

7.1. Computing an -primitive endomorphism.
Recall from Definition 4.3 that an endomorphism θ is -primitive if the associated orientation is -primitive. If θ is chosen to be -suitable, then equivalently, θ is -primitive if and only if it is not divisible by [ ] in End(E) (Lemma 4.4). Therefore, given θ, we can translate it to become -suitable and then divide by [ ] as often as possible to obtain an -primitive endomorphism.

Input: A traced endomorphism (E, θ, t, n) providing the functionality of Section 5.1.
Output: A traced endomorphism (E, θ , t , n ) which is -primitive, and the -valuation of the index
10 (E, θ, t, n) ← an -suitable translate of (E, θ, t, n)
11 Return (E, θ, t, n) and c.

Proof. If t^2 − 4n is -fundamental, then the conductor of the quadratic order generated by θ is not divisible by ; in this case θ is already -primitive. In order to check whether any order of superindex contains Z[θ] within End(E), we first translate θ to be -suitable, and then check whether it is divisible by [ ] within End(E). If it is, we divide it by and repeat. For the runtime, the algorithm translates to an -suitable translate, tests for divisibility by , and divides by , at most a polynomial number of times (since we assume that the discriminant of Z[θ] is bounded by a power of p; see Section 5.1).
7.2. Rim walking via the class group action.
In the case that an orientation is available, one can walk the rim of the oriented -isogeny volcano using the class group action. Walking a cycle generated by the class group action was first described in Bröker-Charles-Lauter [6] in the case of ordinary curves, which carry an orientation by Frobenius. This was later used in CSIDH [8], and it was remarked in Chenu-Smith [11] that it extends to orientations by Q(√−np). In this section we provide a generalization of the same algorithm to arbitrary orientations. The algorithm walks the rim from a specified start curve in an arbitrary direction until it encounters a specified end curve. This path is computed using the action of the class group on the oriented curves in the rim of the oriented volcano. As such, it requires knowledge of the orientation, so the steps of the algorithm must pull the orientation (i.e. the endomorphism) along with them.
More precisely, the ideal we wish to apply to (E, θ) is given in terms of θ, so that one can use the methods of Bröker-Charles-Lauter [6, Section 3] with θ in place of Frobenius. One can apply the Waterhouse transfer of θ, and divide by , to carry along θ in the computation.
The algorithm works by applying the action of Cl(O) to a rim of elements primitively oriented by a quadratic order O. In fact, using Cl(O) works just as well if the rim is primitively oriented by O ⊇ O, where [O : O]. This allows us to walk on any rim associated to an -fundamental discriminant ∆, without knowing for sure that the orientation is primitive with respect to ∆. See Proposition 3.3.

Algorithm 7.2: Walking along the rim of the oriented supersingular -isogeny graph
Input: An -primitive traced endomorphism (E_1, θ_1, t_1, n_1) providing the functionality of Section 5.1, and a target curve E_2.
Output: If E_1 and E_2 are on the same volcano rim in the oriented isogeny graph for the field Q(θ), with discriminant coprime to , the algorithm returns a path of oriented horizontal -isogenies from (E_1, θ_1, t_1, n_1) to a vertex with curve E_2. Otherwise returns FAILURE.
, the quadratic order generated by θ_1 (using trace and norm), together with an explicit isomorphism given in the form of α_{θ_1} ∈ O corresponding to θ_1.
Use Vélu's algorithm to compute the -isogeny ν : Append (ν, (E, θ, t, n)) to H.

Proof. If | t^2 − 4n, then either we are not at the rim, or the field discriminant is not coprime to . If j(E_1) = j(E_2), we have already completed our task. Assuming neither of those cases, we compute the quadratic order O generated by θ using its minimal polynomial, and associate an element α_θ to θ. The volcano rim in question is contained in SS_O for some O ⊇ O, where the relative index f = [O : O] is coprime to (by -primitivity). If is inert in O, then it is also inert in O. Hence the rim of the associated volcano is trivial; since j(E_1) ≠ j(E_2), this indicates there is no valid path to be found. Otherwise, is split or ramified in O, so we factor it and compute a and b and τ as in the algorithm. Namely, we have the Therefore, the isogeny computed is the action of the ideal l lying above in O on SS_O as desired, which is thus a horizontal isogeny. The repeat clause walks the rim step by step.
We stop if we meet E_2 or return to our (oriented) starting point. The latter occurs only if we have walked the entire rim, which means E_2 was not on that rim.
For the runtime, all individual steps are polynomial, except for calls to evaluate at -torsion points, Waterhouse transfer and divide by . The number of repeats is equal to the path length from E_1 to E_2 along the rim. The size of the rim is O(h_O) (Section 3.4).
For the final statement of the proposition, note that no -suitable translation is needed in the algorithm. In fact, the norm of the endomorphism remains constant as one walks the rim.
The final step along the rim produces the isogeny ϕ_{80i+107} : E_{80i+107} → E_22 with codomain E_22 : y^2 = (125i + 98)x + (84i + 152) and induced traced endomorphism (E_22, θ_22, t_22, n_22). The codomain E_22 is isomorphic to E_22 via an isomorphism ρ, and we use the same isomorphism ρ to confirm that E_22 and E_22 are in fact isomorphic as oriented curves by computing Algorithm 7.2 terminates and returns the rim cycle of length 5 (see the green rim cycle in Figure 1). Indeed, K has class number 5, and the ideal class of l generates the class group of K.
7.3. Ascending to the rim using an orientation.
The other major component of navigating the supersingular -isogeny graph using an orientation is to walk to the rim. We can use Proposition 4.8 to determine the ascending direction and walk up. This is described in Algorithm 7.3. The number of steps to the rim is expected to be log(p) in general; see Section 3.6.
Proposition 7.5. Algorithm 7.3 is correct and has poly-rep runtime times the distance to the rim.
Proof. The number of steps to the rim is given by the number of times 2 divides the discriminant of θ (we assume θ is -primitive); this is k in Step 2. We translate θ to be -suitable, which implies that ν • θ • ν can be divided by [ ] twice when ν is ascending. Since there is no horizontal direction (by the choice of k in Step 2), there exists a non-trivial P ∈ E[ ] ∩ ker(θ). This gives the ascending isogeny by Proposition 4.8. Once we have found the ascending isogeny, we divide the Waterhouse transfer of θ by [ ]^2 (Step 11), and the result is -primitive, in preparation for the next loop iteration. For each iteration of the For loop, the work is clearly poly-rep.
Example 7.6 (Walking to the rim of the oriented -isogeny graph for rationally represented endomorphisms via Algorithm 7.3). We apply Algorithm 7.3 to the output of Step 4 of Example 8.3, namely E_120 and θ_120 having t_120 = 0, n_120 = 188. We find that we expect to take two steps to the rim. Since θ_120 is already 2-suitable, we evaluate it on E_120[2] and obtain the kernel (121i + 4, 0) for the ascending isogeny. The codomain is E_171. Computing the Waterhouse transfer and dividing by [2] twice, we obtain an endomorphism θ which is not 2-suitable, but Lemma 4.5 shows that θ_171 := θ + [1] is 2-suitable. The second ascending step is similar; this has kernel (121i + 131, 0) and codomain E_{5i+109}. The two ascending steps are in blue in Figure 1.

Algorithm 7.3: Walking to the rim of the oriented -isogeny graph.
Output: The shortest path from (E, θ, t, n) to the rim of the oriented -isogeny volcano upon which (E, θ, t, n) lies.
13 Return H
Specifically, with Algorithm 7.4 given here, we can walk up the volcano and traverse the rim (being careful not to back-track by comparing to our previous steps), where each step is polynomial in log p and the length of the representation of θ. To get started, we use E_init as the curve defining B_{p,∞} as in [58], and take the path P to be the trivial path.

Proposition 7.8. Under GRH, Algorithm 7.4 is correct and runs in expected polynomial time in the following quantities: log p, the size of the representation of θ, and the length of the path P.

Proof. Each of the cited algorithms runs in the time specified under GRH. We determine which steps are ascending or horizontal by testing whether β/ s+1, β/ s+2 ∈ O, by Proposition 4.7. Since β is represented as a linear combination of a basis of End(E ), this involves dividing the coefficients, which is polynomial time.

Algorithm 7.4: Extending a path from E_init by an ascending or horizontal step.
Input: A fixed endomorphism θ ∈ End(E_init). An elliptic curve E and path P from E_init to E, with no descending steps, and s equal to the number of ascending steps in the path P.
Output: For each of the available horizontal or ascending steps E → E (with regards to the orientation induced by θ), returns the data (E , P , s ), where P is the path obtained from P by extending it by the extra step, and s is the number of ascending steps in the path P .
H ← []
For each -isogeny ν : E → E departing E do
P ← the path formed by appending ν to P.
(ϕ : E_init → E ) ← the isogeny associated to the path P.
Compute a Z-basis of the maximal quaternion order O of E and connecting ideal I between E_init and E using [58, Algorithm 3] from the path P.

Classical path-finding to j = 1728
We now present an algorithm which, given a suitable endomorphism on a curve in the supersingular graph, will find a path to the initial curve, under heuristic assumptions. An illustration of the method is given in Figure 1: we walk from the initial endomorphism to its rim; find an orientation of E_1728 and walk from that orientation of E_1728 to its rim; and hope to collide on the same rim.
If one wishes to adapt this algorithm to find a path to a more general initial curve, one would need a replacement for Algorithm 6.1 that works for that initial curve (see Section 6.3 for a discussion of how this may be done). For this reason, we restrict ourselves to considering the j = 1728 curve.

Proposition 8.1. Assume GRH, Heuristic 6.4, and the assumptions of Section 5.1. Consider an endomorphism θ ∈ End(E) in rationally-represented or prime-power isogeny-chain form as described in Section 5.4, whose discriminant is coprime to p and has -fundamental part ∆ satisfying |∆| < p^2. Write O_∆ for the order of discriminant ∆. Algorithm 8.1 produces a path of length O(log p + h_{O_∆}) to E_1728 in the supersingular -isogeny graph, under Heuristic 6.7 part (i). The runtime is expected poly-rep times O(h_{O_∆}), under Heuristic 6.7 part (ii). Furthermore, the following hold:
(1) If is inert in K, then the runtime improves to h_{O_∆} poly(log p) + poly-rep, and the path length improves to O(log p).
(2) If is inert in K and the discriminant of θ is already -fundamental, then the runtime improves to h_{O_∆} poly(log p) and the path length improves to O(log p).
(3) If ∆ is a fundamental discriminant, is split in K and a prime above generates the class group Cl(O_∆), then the dependence on Heuristic 6.7 is removed.
Algorithm 8.1: Finding a path to E_1728.
Input: A traced endomorphism (E, θ, t, n) providing the functionality of Section 5.1, where the discriminant of θ is coprime to p.
Output: A path in the -isogeny graph between E and E_1728.
repeat
Call Algorithm 6.1 on input ∆, to obtain a new solution θ_1728 = a + bi + cj + dk. (Algorithm 6.1 can be suspended and then resumed to find subsequent solutions; see Remark 6.1.)
Using the methods of Section 7.4, produce an ascending path H_1 from E_1728 with endomorphism θ_1728 up to the rim, i.e. to a traced endomorphism (E_0, θ_0, t_0, n_0) having -fundamental order

Proof. Let θ be the input to the algorithm. The pair (E, ι_θ), where ι_θ : K → End(E) is the orientation given by θ, lies somewhere on the oriented -isogeny graph associated to K. More specifically, it lies on a volcano of the O-cordillera for some order O whose discriminant divides the -fundamental discriminant ∆
) and E_1 lie on the same rim, the algorithm will discover this. If not, then one continues the calls to Algorithm 6.1, and another endomorphism will be found. Under Heuristic 6.7 part (i), eventually one of these will produce E_0 or E_0^{(p)} on the same rim as E_1. The algorithm will then succeed. Let R denote the number of descending edges from the rim containing E_0, referred to in this paragraph as the adjusted rim size (which is bounded above and below by a constant multiple of the rim size). The sum of the adjusted rim sizes of all rims of SS_{O_∆} is O(H_{O_∆}), with H_{O_∆} given by (2) (Equation (1) and Proposition 3.5). By Lemma 3.8, this is O(h_{O_∆} (log log |∆|)^2) = O(h_{O_∆})(log log p)^2 (using |∆| < p^2). By Heuristic 6.7 part (ii), the number of times we must repeat is therefore O(h_{O_∆}/R)(log log p)^2. Each iteration performs Steps 7 and 8 and then checks membership in L. By Proposition 6.5, under GRH, Step 7 runs in polynomial time in log p and provides a solution θ_init of norm at most p^2 log 2+ p. Then θ_init can be written as a linear combination of the Z-basis of End(E_1728) with integer coefficients of size O(log p). Hence Step 8 requires a runtime polynomial in log p by Proposition 7.8; we store the j-invariant of the output for comparison to L. Thus, each iteration takes expected polynomial time times O(R) (to check membership in L). The walk to produce L in Step 5 takes at most O(R) steps, each of which is poly-rep. Hence the runtime is poly-rep (for Step 4) plus O(h_{O_∆}) · poly(log p) + O(R) · (poly-rep).
This runtime is overall bounded by O(h_{O_∆}) times poly-rep. But if is inert, then E_0 lies on a rim of size 1, so we don't need Step 5, and we have poly-rep plus h_{O_∆} poly(log p). If θ is already at the rim, then we don't need Step 4. Combined with inertness, this gives runtime h_{O_∆} poly(log p).
Finally, if ∆ is a fundamental discriminant, is split and a prime above generates Cl(O_∆), then there is only one volcano, obviating the need for Heuristic 6.7.
The restriction that |∆| < p^2 is required to ensure that Algorithm 6.1 is heuristically polynomial time. If |∆| is larger and is inert, this failure of polynomial time could become the bottleneck. On the other hand, suppose is split in K. Under the Cohen-Lenstra heuristics, class groups are usually cyclic, and most elements of a cyclic group are generators, so with high probability Heuristic 6.7 will not be necessary.
It is also possible to use Algorithm 7.3 at Step 4, instead of the methods of Section 7.4. This results in a worse runtime, but removes the dependence on GRH.

Remark 8.2. One might hope to modify Algorithm 8.1 to produce a shorter path along with a square-root runtime improvement, by removing Step 5 and, in each repeat, attempting to solve a vectorization problem (see Section 9.1) between E_0 and E_1728. Unfortunately, we cannot: the problem is that we do not know the correct quadratic order O with respect to which these oriented curves are primitively oriented. To overcome this, one might try to factor ∆ and ascend with respect to any square factors, to guarantee that ∆ is fundamental. Ascending would be polynomial in the largest square prime factor of ∆, which could be very costly. An alternative that would usually work may be to try guessing ∆, working backward from the largest (and hence most likely) divisors. Just assuming ∆ is fundamental would work much of the time.

Step 4 calls Algorithm 7.3 on input (E_120, θ_120, t_120, n_120) to produce the following ascending path H_2 to the rim; see Example 7.6: Finally, since j(E_22) = 22 ∈ L, joining the previous paths, we obtain a path from E_1728 to E_120 (see the whole path in Figure 1) as

Quantum algorithms for Vectorization and PrimitiveOrientation Problems
We will introduce two hard problems, the oriented vectorization and the primitive orientation problems, and then provide quantum algorithms to solve them.

9.1. Vectorization.
Since the class group acts on the rim, a problem closely related to walking along the rim is the following, where we use the terminology vectorization in analogy with [17] and [11, Section 6.1]. This problem was also recently introduced in [57, Section 3.1].

Problem 9.1 (OrientedVectorization(∆)). Let O be the quadratic order of discriminant ∆. Suppose

Remark 9.2. This problem is somewhat related to the uber isogeny assumption, which asks for [b] without knowledge of ι_2; the difficulty of this problem is shown to be crucial for a variety of supersingular isogeny-based schemes [22].
The following result was implied without details in a more restricted case in [11, Section 6.1]. A variation also appears in [57, Proposition 4].

Heuristic 9.3. The values of a definite binary quadratic form f(x, y), as x, y → ∞, are powersmooth and coprime to the first N primes with the same probability as randomly chosen integers of the same size.

Proposition 9.4. Assume Heuristic 9.3. Suppose (E_1, ι_1) and (E_2, ι_2) are given by ι_i := ι_{θ_i} for some endomorphisms θ_i ∈ End(E_i) which can be evaluated on E_i(F_{p^k}) in time T_{θ_i}(k, p) ≥ poly(k log p). Define

Proof. The approach is based on that in Childs-Jao-Soukharev [13], who developed a subexponential means of evaluating the action of the class group (by finding a smooth representative of the needed ideal class), and then applying Kuperberg's algorithm, which requires subexponentially many evaluations. The difference is that we need to apply the class group action, in the form of isogenies, to oriented curves, i.e. carry along the orientation.
The reduction to the hidden shift problem is formalized in [36, Theorem 3.3]; the malleability oracle in the sense of [36, To evaluate the action of [a] on E_i takes time poly(log p) L_{|∆|}(1/2) using the methods of [13] or [5], and involves finding an L_{|∆|}(1/2)-smooth integral representative a which can be evaluated as a composition chain of isogenies. Unfortunately, to evaluate the action of [a] on θ_i, we require a powersmooth representative instead. Calling on Heuristic 9. We also need to evaluate the action of a on θ_i in some way that is distinguishable (since isogeny chains are not unique for a given endomorphism). For each j-invariant we choose a fixed model. We replace the data of θ with the data of its linear action on the O(log deg θ_i) smallest prime-torsion subgroups E[q], as well as all the prime-power N(a_k)-torsion subgroups. By the Chinese Remainder Theorem, this is enough to distinguish different results, since if θ − θ vanishes on all of the prime-power subgroups, then it vanishes on a subgroup (generated by all of the subgroups together) whose size exceeds a fixed multiple of d, which implies that θ = θ (this method is inspired by the Schoof algorithm, as adapted for example in [35, Theorem 81], [25, Lemma 4]).
To compute the action on θ_i, we first need to compute ϕ_{a_k}. This is done as in Algorithm 7.2, where we consider the linear action of a + bθ_i on the N(a_k)-torsion to find the kernel of ϕ_{a_k}. In order to compute the linear action of ϕ_{a_k} • θ_i • ϕ_{a_k}/[N(a_k)] on the prime or prime-power torsion subgroups E[q] described in the last paragraph, we proceed as follows. If q is coprime to N(a_k), then to find this action we evaluate ϕ_{a_k} • θ_i • ϕ_{a_k} on E[q] and then apply the action of [n ], where n ≡ N(a_k)^{−1} (mod q). Otherwise we store null for that value of q (by assumption, this occurs only for q larger than log deg θ_i).
This gives a way to evaluate the function f suitable for quantum computation. Taken together, the time taken for evaluating [a_k] is poly(log deg θ_i) times the time taken to evaluate θ_i and ϕ_{a_k}, namely T_{θ_1,θ_2}(O(log^2 d), p) + poly(log p) L_{|∆|}(1/2).
There is a small caveat: the action of Frobenius may take us out of the orbit of Cl(O), so this will only work when the oriented curves E_1 and E_2 are in the same Cl(O)-orbit. Of course, there are at most two orbits, so in the case of failure we can apply Frobenius to one of the curves and try again.
Remark 9.5. If we wish to avoid the coprimality aspect of Heuristic 9.3, then we can take subexponentially many prime-power torsion subgroups, at an increased cost in runtime and memory (thanks to Benjamin Wesolowski for this and other helpful observations and corrections to this proof).
Remark 9.6. If we wish to avoid Heuristic 9.3 in Proposition 9.4, we could first transform θ_i into a powersmooth isogeny chain (using Algorithm 5.3 at a runtime cost of T_{θ_1,θ_2}(L_{deg θ_i}(1/2), p)) and then use the method for horizontal stepping of Algorithm 7.2 to evaluate [a] prime by prime. This depends on Heuristic 5.10 instead. This allows the representative a to be chosen smooth, not necessarily powersmooth, but incurs an additional runtime cost to the algorithm as a whole.

9.2. Primitive orientation computation.
The vectorization problem 9.1 requires knowledge of the order with respect to which (E, ι) is a primitive orientation. This requirement naturally leads to the following problem:

Problem 9.7 (PrimitiveOrientation). Given a supersingular elliptic curve E and an endomorphism θ ∈ End(E), determine the quadratic order O such that ι_θ is O-primitive.
We briefly describe two classical algorithms for solving Problem 9.7. Let f be the conductor of Z[θ]; we compute a B-powersmooth f-suitable translation and factorize f = Π f_i^{r_i}. For any prime power factor f_i^{r_i} of f, one needs to check whether the translated endomorphism is divisible by f_i^{r_i}, which amounts to checking whether θ vanishes on the f_i^{r_i}-torsion of E. We take B to be L_d(1/2) with d = deg θ, as discussed in the proof of Theorem 11.1; using Algorithm 5.3, computing the translation takes time T_θ(L_d(1/2), p), assuming Heuristic 5.10 with replaced by f. Furthermore, evaluating the translated endomorphism on f^r-torsion takes time poly(log p) L_d(1/2) M(p^{lcm(12, f^{2r})}), where f^r = max{f_i^{r_i}}. Alternatively, one can compute an integer T with smallest absolute value such that θ + T is an f-suitable translation, instead of a B-powersmooth translation. Checking whether θ vanishes on the f_i^{r_i}-torsion of E takes time poly(log p) T_θ(f^{2r}, p), where f^r = max{f_i^{r_i}}. Both methods have runtimes polynomial in f^{r_i}. Quantumly, we give the following algorithm that runs in subexponential time. Our method for solving Problem 9.7 has similarities to that of Proposition 9.4, with a hidden subgroup problem in place of the hidden shift problem. The subexponential runtime in ∆ still arises from the need to evaluate the action of the class group.
• (E, ι_θ). We evaluate the action of b on θ as described in the proof of Proposition 9.4.
Once the kernel G has been computed in the form of generators g_1, ..., g_n, one writes each g_i as principal in the maximal order via a generator g_i = (g_i). Then O is by definition the order generated from O_θ by adjoining the g_i's. One computes the conductor of this order by taking the gcd of the conductors of the Z[g_i] and Z[θ], and hence computes the discriminant ∆_O. These last computations are polynomial in log |∆_θ|.
An improvement is available: to evaluate the action of [b] on E takes time poly(log p) exp(O(log^{1/3} |∆_θ|)) using the methods of Biasse-Iezzi-Jacobson [5]; they also improve on the computation of Cl(O).

10. Quantum algorithm for finding a smooth isogeny to j = 1728
The problems of computing the endomorphism ring of an elliptic curve E, computing an -power isogeny to an initial curve (such as j = 1728), and computing a smooth isogeny to an initial curve are all equivalent [58]. In this section, we modify Algorithm 8.1 to find a smooth isogeny, using the quantum algorithms of the previous section (Propositions 9.4
θ_0) (try both).
Proof. The algorithm determines ∆* so that ι_θ is O_{∆*}-primitive. In the repeat loop, it finds an orientation of j = 1728 and a path from that oriented curve to an oriented curve (E_0, ι_{θ_0}) which is primitive with respect to the same order. Thus vectorization applies, and finds a smooth isogeny between (E, ι_θ) and (E_0, ι_{θ_0}).
Combining the path and isogeny, we find a smooth isogeny between E and the initial curve. 1) and Proposition 3.5) and using Heuristic 6.7). Thus, by Lemma 3.8, the expected number of iterations is poly(log p).
Note that the endomorphism found by Algorithm 6.1 is of norm O(|∆|). Therefore the rim endomorphism θ_0 is also of norm O(|∆|). Thus, OrientedVectorization in Step 9 takes time T_θ(O(log^2 d), p) L_{|∆|}(1/2) (Proposition 9.4). Note that the evaluation time for θ_0 on small torsion is O(log p), since we have expressed θ_0 as a linear combination of basis elements, each of which can be evaluated via the chain down to j = 1728.

Theorem 11.1. Choose a small prime and assume the heuristic assumptions of Proposition 8.1. Let θ ∈ End(E) be an endomorphism of degree d such that L_d(1/2) ≥ poly(log p). Suppose θ can be evaluated on points P ∈ E(F_{p^k}) in time T_θ(k, p). Let ∆ be the -fundamental part of the discriminant ∆ of θ, and assume that |∆ | ≤ p^2. There is a classical algorithm that, given any such θ, finds an -isogeny path of length O(log p + h_∆) from E to the curve E_init of j-invariant j = 1728 in runtime T_θ(L_d(1/2), p) + h_∆ L_d(1/2) poly(log p).
The runtime comes as a sum of two terms because the algorithm has two steps: first, evaluate the endomorphism on points in order to create a presentation of the endomorphism that meets the needs of the main algorithm; and then second, use the result to walk in the oriented graph.
Proof of Theorem 11.1. Suppose θ is such an endomorphism. Then set $B = L_d(1/2)$. We can apply Algorithm 5.3 (having Algorithm 5.1 as a subroutine) to θ, whose runtime depends on the evaluation of θ on inputs in a field $\mathbb{F}_{p^{O(B^2)}}$. The runtime for this conversion is therefore $T_\theta(L_d(1/2), p)$. The result is a prime-power isogeny-chain representation of θ. We can then use Algorithm 8.1, with the representation runtime being $L_d(1/2)$, by Proposition 5.13. The classical runtime follows from Proposition 8.1.
Theorem 11.2. Assume GRH, Heuristics 6.4, 6.7, and 9.3, and the assumptions of Section 5.1. Let θ ∈ End(E) be an endomorphism which can be evaluated on points $P \in E(\mathbb{F}_{p^k})$ in time $T_\theta(k, p)$, where $T_\theta(k, p) \ge \mathrm{poly}(k \log p)$. Suppose θ has discriminant ∆ coprime to p with $|\Delta| \le p^2$. Let $d = \max\{\deg\theta, |\Delta|\}$. There is a quantum algorithm that, given any such θ, finds an

Proof of Theorem 11.2. We use Algorithm 10.1, with no need to pre-process θ. Runtime follows from Proposition 10.1.

11.2. Special cases. In this section, we refer to an endomorphism as insecure if access to such an endomorphism allows for a polynomial time path-finding algorithm. Endomorphisms of small size are known to be insecure [38]. We obtain a version of this from our methods also.
Theorem 11.3. Assume the situation of Theorem 11.1. In the following special cases, the runtime and path length of Algorithm 8.1 are polynomial in log p:
(1) The input endomorphism is rationally represented in polynomial space.
(2) $h_{O_\Delta} = \mathrm{poly}(\log p)$ and is coprime to ∆ and inert in K. In this case, the endomorphism is not even needed as input; only its existence, trace and norm are needed.
Proof. The second case is a consequence of Algorithm 8.1 and Proposition 8.1, in which the hypotheses imply Steps 4 and 5 are unnecessary. The first is a consequence of the observation that such endomorphisms have polynomially sized discriminants and class numbers.
The following result demonstrates for all curves the existence of non-small endomorphisms which are insecure under our algorithm. (Recall that most curves do not have small endomorphisms. It is known that there are curves having no endomorphisms of norm smaller than $p^{2/3-}$ (see [37, Proposition B.5], [26, Section 4], [60, Proposition 1.4]).)

Theorem 11.4. Suppose $\Delta = f^2\Delta^*$ where $\Delta^*$ is a discriminant of poly(log p) size, f is poly(log p)-smooth, and θ is f-suitable with poly(log p)-powersmooth norm, and represented in some fashion so that it can be evaluated in poly(log p) time on points of poly(log p) size. Then there is a classical algorithm to find an O(log p)-powersmooth isogeny to $E_{init}$ in time poly(log p).
Proof. The dependence on throughout the paper has been suppressed by assuming = O(1), but it is at worst polynomial throughout. We refactor θ in poly(log p) time (this is possible by Proposition 5.6 and the evaluation runtime assumption), to obtain an isogeny chain. Taking each prime dividing f in turn, we ascend as far as possible on the oriented -isogeny volcano. By f-suitability, we can ascend without any further translation or refactoring. Having ascended, we obtain an endomorphism of discriminant $\Delta^*$ of poly(log p) size and trace zero, and hence call on Theorem 11.3 with respect to some suitable .
In fact, every elliptic curve has insecure endomorphisms: one can provide an endomorphism in the form of a closed walk in the -isogeny graph that passes through 1728. Such a path is guaranteed to exist by the diameter of the graph. In that case, one hardly needs the algorithms of this paper, as the path to 1728 is already explicit. A variation on this theme is to provide a poly(log p)-powersmooth isogeny chain whose endomorphism has minimal polynomial $x^2 + L^2$ (i.e., L is powersmooth). Such a chain will be insecure because it explicitly passes through 1728 and also under the algorithms provided in this paper (by Theorem 11.4).
More interestingly, examples of such endomorphisms exist whose minimal polynomial places them in any field Q(ω) with poly(log p) discriminant (not just the Gaussian field as above); indeed one can take any element of the form L(ω + k) for k ∈ Z and a poly(log p)-powersmooth L such that the norm N (ω + k) is poly(log p)-powersmooth.
Finally, we remark on one more special case. When the norm of θ is well-behaved, and we are already at the rim with respect to (perhaps by choosing judiciously), then we have improved dependence on p. Note that in the following theorem, there is no requirement on the factorization of ∆.

Theorem 11.5. Suppose the norm of θ has powersmoothness bound B(p), and suppose that ∆ is coprime to . Then there is a classical algorithm to find an -isogeny path of length $O(\log p + h_O)$ to $E_{init}$ in time $h_O\,\mathrm{poly}(B(p)\log p)$.

Proof. Use Algorithm 8.1. By the assumption on ∆, we need not ascend with θ (that is, we skip Step 4). We only walk horizontally, and those steps are polynomial in B(p) by Proposition 7.3.

Division by [ ]
We conclude with a detailed description and analysis of McMurdy's algorithm (Algorithm 12.2) which can be used to divide any isogeny (not just an endomorphism) by [ ] if it is a multiple of [ ]. Given a rationally represented traced endomorphism, we apply Algorithm 12.2 and then adjust the trace and norm accordingly.

We follow the notation of McMurdy [41]. Let $E_1$ and $E_2$ be two supersingular elliptic curves given by respective short Weierstrass equations with $W_1(x), W_2(x) \in \mathbb{F}_{p^2}[x]$. Denote by $\psi_{E_1,}$ the -division polynomial of $E_1$, made monic, and let $X_i(x)$ and $Y_i(x)$ be the rational functions representing the multiplication-by- map on $E_i$, i.e. $[\ ]_{E_i}(x, y) = (X_i(x), Y_i(x)\,y)$ for i = 1, 2. For a polynomial $P(x) = (x - r_1)\cdots(x - r_n)$ with coefficients in some field F whose roots $r_i$ lie in some field extension of F, and a rational function T(x) over that extension, define
$$P(x)^T := (x - T(r_1))\cdots(x - T(r_n)).$$

Given $[\ ]\varphi : E_1 \to E_2$ as a pair of rational maps, where $\varphi : E_1 \to E_2$ is an isogeny, the rational maps of φ are obtained as follows.
Division by = 2 has been implemented by McMurdy [41] (code available at [40]). Division by odd primes > 2 is complicated by the non-vanishing of the y-coordinates of the -torsion points. Fix an odd prime > 2. In order to compute $p(x) = P(x)^{X_1}$ and $q(x) = Q(x)^{X_1}$ in Steps 3 and 4 of Algorithm 12.2, we compute the rational map $N_P = \prod_i P(x_i)$ as a function of the variable x only. In contrast to the case of 2-torsion points, the -torsion points on $E_1$ have non-zero y-coordinates, so some $x_i$ depend not only on x (as in the case = 2) but also on y and $y_i$ for $i \le (\ ^2 - 1)/2$. As a consequence, $N_P$ also depends on these variables. To overcome this obstruction, we employ a new technique presented in Steps 5-11 of Algorithm 12.1. In these steps, we compute the products $x_i \cdot \bar{x}_i$, and hence the products $P(x_i) \cdot P(\bar{x}_i)$. Each product $P(x_i) \cdot P(\bar{x}_i)$ is a rational map in x, $y^2$, and $y_i^2$ ($i \le (\ ^2 - 1)/2$) by Lemma 12.4. We replace $y^2$ (respectively $y_i^2$) with $W_1(x)$ (respectively $W_1(x_i)$) to obtain rational maps in the variable x only.

Example 12.2 (Computing the polynomial $P(x)^{X_1}$ via Algorithm 12.1). Let = 3, p = 179, and $E_{1728} : y^2 = x^3 - x$ the supersingular elliptic curve over $\mathbb{F}_p$ with j = 1728. Let $X_1(x), Y_1(x)$ be associated

Algorithm 12.1: Computing the polynomial $P(x)^{X_1}$
Input: An elliptic curve $E_1$, a monic polynomial P(x) defined over $\mathbb{F}_{p^m}$, and the rational map $X_1(x)$ associated to $E_1$.
Output: $P(x)^{X_1}$.
Compute a root ζ (in some field extension of $\mathbb{F}_{p^2}$) of $X_1$. Compute the x-coordinates $x_i$ (in some field extension of $\mathbb{F}_{p^2}$) of the points $S_i = (x_i, y_i) \in E_1[\ ]$, indexed by $i = 1, \ldots, \ ^2 - 1$ so that $x_{i + (\ ^2-1)/2} = x_i$, using the -th division polynomial (note that we do not compute the $y_i$ here). Let $S_0 = O_{E_1}$.
Compute the x-coordinates $x_i(x, y, y_i)$ for $1 \le i \le (\ ^2 - 1)/2$ of the maps representing point addition $(x, y) + S_i$ on $E_1$, using the values of $x_i$ computed in step 2 but leaving the $y_i$ as indeterminates. Set $\bar{x}_i(x, y, y_i) = x_i(x, y, -y_i)$, which is the x-coordinate of the point addition $(x, y) + (-S_i)$.
Compute the numerator $N_i$ and denominator $D_i$ of $P(x_i)P(\bar{x}_i)$ as polynomials in x, y and $y_i$.
Replace $y^2$ with $W_1(x)$ and $y_i^2$ with $W_1(x_i)$ in $N_i$. Denote the result by $N_i(x)$, as no y's or $y_i$'s should remain.

Determine $c_F$, and the monic polynomials P(x) and Q(x) such that $F(x) = c_F \cdot P(x) / (W_1(x) \cdot Q(x))$ ( = 2) or
Compute $X_1(x)$ and $Y_2(x)$. Compute $p(x) \leftarrow P(x)^{X_1}$ using Algorithm 12.1 on input $E_1$, P(x), $X_1(x)$. Compute $q(x) \leftarrow Q(x)^{X_1}$ using Algorithm 12.1 on input $E_1$, Q(x), $X_1(x)$. In this step we can skip Steps 1-4 in Algorithm 12.1 since they were already performed in Step 3 of this algorithm.
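As an added worked illustration of the notation above (this is not the paper's or McMurdy's code), the following Python builds the x-coordinate map $X_1(x)$ of multiplication by 3 on $E_{1728} : y^2 = x^3 - x$ over $\mathbb{F}_{179}$ from the standard division-polynomial identity $x([3]P) = x - \psi_2\psi_4/\psi_3^2$, checks it against the group law, and computes $P(x)^{X_1} = \prod_i (x - X_1(r_i))$ in the simplified case where every root $r_i$ of P already lies in $\mathbb{F}_p$. The extension-field roots and the y-dependence that Algorithm 12.1 handles in Steps 5-11 are not reproduced here; all function names are the example's own.

```python
# Added example (not the paper's or McMurdy's code): the x-coordinate map of
# multiplication by 3 on E_1728 : y^2 = x^3 - x over F_179 (Example 12.2), and
# the polynomial P(x)^T = prod_i (x - T(r_i)) of Section 12, restricted to the
# case where every root r_i of P lies in F_p.  Polynomials are coefficient
# lists, lowest degree first; all arithmetic is mod p.
p = 179
A, B = -1, 0                      # short Weierstrass model y^2 = x^3 + A x + B

def inv(a):
    return pow(a % p, p - 2, p)   # Fermat inverse; p is prime

def ec_add(P, Q):
    """Group law on E(F_p); None is the point at infinity O."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None               # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, P):
    R = None
    for _ in range(n):
        R = ec_add(R, P)
    return R

def psi3(x):
    """3-division polynomial; its roots are the x-coordinates of E[3] minus O."""
    return (3 * x**4 + 6 * A * x * x + 12 * B * x - A * A) % p

def X3(x):
    """x([3](x, y)) = x - psi_2 psi_4 / psi_3^2.  Since psi_2 psi_4 = 8 y^2 g(x)
    and y^2 = x^3 + A x + B, the map is a rational function of x alone."""
    g = (x**6 + 5 * A * x**4 + 20 * B * x**3 - 5 * A * A * x * x
         - 4 * A * B * x - 8 * B * B - A**3)
    return (x - 8 * (x**3 + A * x + B) * g * inv(psi3(x) ** 2)) % p

def poly_from_roots(roots):
    """Monic polynomial prod (x - r) as a coefficient list."""
    poly = [1]
    for r in roots:               # multiply the running product by (x - r)
        poly = [(lo - r * hi) % p for lo, hi in zip([0] + poly, poly + [0])]
    return poly

def poly_eval(poly, x):
    return sum(c * pow(x, i, p) for i, c in enumerate(poly)) % p

def transform(roots, T):
    """P(x)^T := prod (x - T(r_i)) for the monic P with the given roots."""
    return poly_from_roots([T(r) for r in roots])

def affine_points():
    """All affine points of E(F_p), found by brute force (p is tiny)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x**3 + A * x + B)) % p == 0]

def check_X3_against_group_law():
    """X3(x) must equal the x-coordinate of [3]P for every P outside E[3]."""
    pts = [P for P in affine_points() if psi3(P[0]) != 0]
    return len(pts) > 0 and all(X3(P[0]) == ec_mul(3, P)[0] for P in pts)

def rational_3_torsion_x():
    """x-coordinates of order-3 points of E(F_p): roots of psi_3 with y in F_p."""
    return sorted({x for (x, y) in affine_points()
                   if psi3(x) == 0 and ec_mul(3, (x, y)) is None})
```

Since #E(F_179) = 180 and 3 does not divide p − 1, E(F_p)[3] is cyclic of order 3, so exactly one root of ψ_3 corresponds to rational 3-torsion; the other x-coordinates of E[3] lie in extension fields, which is exactly the situation Steps 1-2 of Algorithm 12.1 address.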

(1) O = O′, in which case we say φ is horizontal, (2) O ⊋ O′, in which case [O : O′] = and we say φ is descending, (3) O ⊊ O′, in which case [O′ : O] = and we say φ is ascending.

Figure 1. On the left hand side is a component of $G_K$ for p = 179, = 2 and $K = \mathbb{Q}(\sqrt{-47})$. On the right hand side is the supersingular 2-isogeny graph over $\mathbb{F}_{p^2}$. Here $j_1 = 64i + 5$, $j_2 = 99i + 107$, $j_3 = 5i + 109$, where i denotes a root of −1 in $\mathbb{F}_{p^2}$. Since the oriented graph is undirected while the supersingular isogeny graph is directed, we have undirected edges in the left graph and directed edges in the right graph. Note that the green 5-cycle represents the rim of the volcano.

Proposition 3.4 ([42, Proposition 4.1]). Consider a vertex (E, ι) of the oriented -isogeny graph associated to K, a quadratic field of discriminant ∆. Suppose that ι is a primitive O-orientation for E. If does not divide the conductor of O, then the following hold.

Proposition 3.5. Let O be -fundamental. Let R be the order of $[\mathfrak{l}] \in \mathrm{Cl}(O)$, for $\mathfrak{l}$ a prime ideal of O lying above . The O-cordillera consists of $\#SS^{pr}_O / R$ volcanoes of rim size R.

3. From oriented isogeny graph to isogeny graph. There is a graph quotient $G_K \to G$ induced by forgetting the orientation.

Proposition 3.6. Under this quotient, every component of $G_K$ (i.e. every volcano) covers G.

Lemma 4.1. The map $(E, \iota) \mapsto (E, \iota)$ is a graph isomorphism and an involution, taking $SS^{pr}_O$ back to itself for each O. If

Proposition 5.6. Let B be the largest prime power dividing deg θ. Then Algorithm 5.1 is correct and has runtime O(log deg θ) times the maximum of the following three runtimes: $O(B^2 \log p)$, $O(B^2 (\log B)\,M(p^{B^2}))$ and the runtime of evaluation of θ on O(B)-torsion. The space requirement of Algorithm 5.1 is $O(B^2 \log p)$. In particular, if θ is an integer translate of an isogeny chain with B-powersmooth degree, then the runtime is $O((\log\deg\theta)\,B^2\,M(p^{B^2}))$.

16, Section 3.1].

Heuristic 5.10. Given integers n, t, and T, values of the function $n(b) = n + (T + b\,)t + (T + b\,)^2$, as b → ∞, are powersmooth with the same probability as randomly chosen integers of the same size.

Proposition 5.11. Assume Heuristic 5.10. Let θ ∈ End(E) have degree d such that $L_d(1/2) > \mathrm{poly}(\log p)$, and assume that its trace t is polynomial in d. Then Algorithm 5.3 produces an $L_d(1/2)$-powersmooth prime power isogeny chain of total degree O(d). Furthermore, on $L_d(1/2)$-powersmooth prime power isogeny chains of total degree O(d), the maximum runtime of Algorithm 5.1, Algorithm 5.2 and Algorithm 5.3 is $L_d(1/2)$, and the output of these algorithms is again an $L_d(1/2)$-powersmooth prime power isogeny chain of total degree O(d).

Proof. We have seen that all the runtimes in Algorithms 5.1 through 5.3 are polynomial in B, log d (= O(log p) by the assumptions of Section 5.1), and log p, with the exception of Step 2 in Algorithm 5.3. Hence, taking $B = L_d(1/2)$, the runtime (except for this step) will be $L_d(1/2)$. As for Step 2, under Heuristic 5.10, we can call on [16, Section 3.1] (note that the L-notation in the reference differs from ours here). According to [16, Section 3.1], the probability that a random integer between 1 and d is B-powersmooth is $1/L_d(1/2)$. Testing values of b between 1 and $L_d(1/2)$, we do indeed have n(b) < d. Thus, we expect to find a B-powersmooth integer, by Heuristic 5.10. For each b-value, to see whether n(b) is B-powersmooth, we use naïve division in time $O(B \log^2 B)$. Therefore, in total, one will find $L_d(1/2)$-powersmooth integers in time $L_d(1/2)$. In Step 5, $n' = n + O(b^2\,^2)$ (since |t + 2T| ≤ 1), so the total degree of the output is O(d).

Algorithm 6.1: Computing an orientation for the initial curve.
Input: A discriminant $\Delta_O$ coprime to p, which is the discriminant of an -fundamental quadratic order O that embeds into $B_{p,\infty}$.
Output: (θ, r) where θ ∈ End($E_{init}$) is represented as a linear combination of 1, i, j, k, with Z[θ] = O′ ⊆ O where [O : O′] = $\ ^r$. Furthermore, θ is -primitive. (Here $E_{init}$ and i, j and k are as in the introduction to this section, namely the specified model of j = 1728.)
1 r ← −1.
2 repeat
3 r ← r + 1.
4 Find the smallest positive x such that x 2 ≡O 2r
5 do
6 D ← $(-\Delta_O\,^{2r} - x^2)/p$.
7 If D ≡ 1 (mod 4) then
8 If D is prime then
9 Find a square root of −1 modulo D.

break the While loop
x ← x + p
19 until θ is defined
20 c ← 0
21 While c < r do
22 Translate θ to be minimally -suitable (Lemma 4.5).
23 If θ/ ∈ End($E_{init}$) then θ ← θ/ . c ← c + 1
26 else break the While loop
28 Return θ as a linear combination, r − c

For the runtime analysis, and the assertion that the algorithm returns an output at all, we need a heuristic similar to that used for torsion-point attacks [24, Heuristic 1] and the KLPT algorithm [34, Section 3.2].

Heuristic 6.4. Fix integers D > 0, b > 0, and a prime p coprime to Db that splits in the real quadratic field $\mathbb{Q}(\sqrt{D})$. Ranging through pairs $(r, x) : 0 < x,\ x^2 < Db^{2r},\ 0 \le r,\ Db^{2r} - x^2 \equiv 0 \pmod p$, consider the value
$$N(r, x) = \frac{Db^{2r} - x^2}{p}.$$

Proposition 7.3. lines 4 and 5 on identical input curves (i.e. $(E_1, \iota_1) = (E_2, \iota_2)$) yields the entire rim of the -oriented isogeny graph. Algorithm 7.2 is correct. Each step of the rim walk has poly-rep runtime. The number of steps is bounded by $O(h_O)$. Furthermore, if θ is in prime power isogeny chain form with any powersmoothness bound B, then each step of the rim walk has runtime polynomial in B.

−1, a path from $E_{1728}$ to E. computed in Step 3. In other words, if we write $O_\Delta$ for the order of discriminant ∆, then $O \supseteq O_\Delta$. Since all endomorphisms throughout the paper are taken to have norm and discriminant at worst polynomial in p, the distance of $(E, \iota_\theta)$ to the rim is at worst polynomial in log p, and so walking to the rim (Step 4) is poly-rep by Proposition 7.5. Next, we walk around the rim; the runtime depends on the size of the rim and we defer that question to later in the proof. When ∆ is passed on to Algorithm 6.1 in Step 7, the result (which is returned in polynomial time by Proposition 6.5 under Heuristic 6.4) is an endomorphism of End($E_{1728}$) which gives an oriented elliptic curve lying somewhere on a volcano in an O′-cordillera, where again $O' \supseteq O_\Delta$. (We do not necessarily have O = O′.) This has norm polynomial in p by Proposition 6.5. By Proposition 6.5 again, the distance to the rim is O(log p), so walking to the rim is expected polynomial time by Proposition 7.8. Hence each repeat iteration has expected polynomial time. Walking to the rim in Step 8, $E_0$ lies on the rim of a volcano. This volcano is somewhere in the set of volcanoes $SS_O$ defined as the finite union of the O′-cordilleras for all $O' \supseteq O_\Delta$ in Heuristic 3.7. Note that its conjugate $E_0^{(p)}$ also lies on a rim in $SS_O$. Now $E_1$ also lies on a rim of $SS_O$. If $E_0$ (or $E_0^{(p)}$

$T_{\theta_1,\theta_2}(k, p) := \max\{T_{\theta_1}(k, p), T_{\theta_2}(k, p)\}$ and $d := \max\{\deg\theta_1, \deg\theta_2\}$. Then OrientedVectorization(|∆|) can be reduced to a hidden shift problem and solved in quantum time $T_{\theta_1,\theta_2}(O(\log^2 d), p)\,L_{|\Delta|}(1/2)$ under GRH, where, furthermore, the ideal class is $L_{|\Delta|}(1/2)$-smooth and of size O( |∆|).

3 and [16, Section 3.1] (similarly to the proof of Proposition 5.11), we can find a representative with norm $L_{|\Delta|}(1/2)$-powersmooth and coprime to the first $\log\deg\theta_i$ primes, by random search. The time taken is $L_{|\Delta|}(1/2)$, because by Mertens' Theorem, the probability of satisfying the coprimality hypothesis is
$$\prod_{\substack{p < O(\log\deg\theta)\\ p\ \text{prime}}} (1 - 1/p) \sim O(1/\log\log\deg\theta_i).$$
Having done this, write the result as $\mathfrak{a} := \prod \mathfrak{a}_k$, where the $N(\mathfrak{a}_k)$ are coprime prime powers.

Proposition 9.8. Assume Heuristic 9.3. Suppose θ can be evaluated on $E(\mathbb{F}_{p^k})$ in time $T_\theta(k, p)$. Then there is a quantum algorithm to solve PrimitiveOrientation in time $T_\theta(O(\log^2\deg\theta), p) + \mathrm{poly}(\log p)\,L_{|\Delta|}(1/2)$.

Proof. Let $O_\theta := \mathbb{Z}[\theta]$. Compute $\mathrm{Cl}(O_\theta)$ as a product of cyclic groups with given generators, using the quantum algorithm [12, Algorithm 10], as described in [13, Proof of Theorem 4.5]. It is possible to solve the PrimitiveOrientation problem by computing the kernel of the map $\mathrm{Cl}(O_\theta) \to \mathrm{Cl}(O)$ (where we do not a priori know O). This can be done by solving a hidden subgroup problem. Namely, we consider the action of $\mathrm{Cl}(O_\theta)$ on $SS^{pr}_O$, defining $f([\mathfrak{b}]) = [\mathfrak{b}]$

11. Proofs of Main Theorems and Special Cases

11.1. Proof of main theorems.

Section 7.2 concerns a method for computing the class group action of Cl(O) on $SS^{pr}_O$, the set of curves primitively oriented by O. In fact, we demonstrate how to navigate $SS^{pr}_O$ using the class group action of Cl(O′) for any O′ ⊆ O such that [O : O′]. (6) Section 9 provides two new quantum algorithms. Namely, an algorithm for vectorization on an oriented volcano rim (Proposition 9.4; prior work includes [11, Section 6.1], [57, Proposition

and only if θ/ ∈ End(E). Proof. The endomorphism θ is not -primitive if and only if there exists a (unique) order O′ ⊆ End(E) of index = [O′ : Z[θ]]. But this happens if and only if θ/ ∈ End(E), since under the -suitability hypothesis, Z[θ/ ] is precisely this order O′.

Lemma 4.5. Let $\alpha \in O_K \setminus \mathbb{Z}$ with trace t. Let f be the conductor and

to walk horizontally, earlier used in [32, Section 3.2] and [23, Section 2.3].

Proposition 4.8. Suppose θ ∈ End(E) is -suitable and -primitive. For each P ∈ E[ ] of order let $\psi_P$ denote the degree quotient isogeny induced by P. Let $\lambda_1, \lambda_2 \in \mathbb{F}_{\ 2}$ be the eigenvalues of θ acting on E[ ].
2.1, this takes time $O(B^2 (\log B)\,M(p^{B^2}))$. (iv) Apply Vélu's formulas in time $O(B\,M(p^{B^2}))$ by Lemma 2.5. Writing down the resulting isogeny takes O(B) coefficients in a subfield of $\mathbb{F}_{p^{12}}$ (Lemma 2.2), hence we use O(B log p) space for each isogeny of the chain. If θ is a translate of an isogeny chain whose component degrees are bounded by B, we can further estimate the time taken to evaluate θ on the torsion basis. This involves one evaluation for each component isogeny (at most log n such). Each evaluation of a component $\varphi_i$ takes time $O((\deg\varphi_i)\,M(p^{B^2}))$ by Lemma 2.4. (Evaluation of the integer translation is of smaller runtime by Lemma 2.1; since the integer is taken modulo the torsion, its size is irrelevant.)

Remark 5.7. The exponent of the dependence on B can surely be improved here; for example, if deg θ is prime, then our bound on the number of linear combinations on which to evaluate θ is a substantial overestimate.

5.3.2. Division by . In this section, we demonstrate in Algorithm 5.2 how to divide an isogeny chain endomorphism by [ ].

The runtime is negligible except for the call to Algorithm 12.2. By Proposition 12.6, that algorithm runs in time $O(\deg^2(\varphi_i)\,M(p))$ (and we bound M(p) by poly(log p) as discussed in Section 2.1).

i ← the index at which the chain has -power degree. Modify the chain for θ by replacing $\varphi_i$ with $\varphi_i/[\ ]$ using Algorithm 12.2. t ← t/ . n ← n/ ². Return (E, θ, t, n).

Proposition 5.8. Let B be an upper bound on the degrees of the prime powers in θ. Then Algorithm 5.2 is correct and runs in time $O(B^2\,\mathrm{poly}(\log p))$.

Proof.

5.3.3. Finding a B-powersmooth -suitable translate.