Fact-checked by Grok 2 weeks ago

Supersingular elliptic curve

In algebraic geometry and number theory, a supersingular elliptic curve is an elliptic curve defined over a field of characteristic p > 0 whose p-torsion subgroup is trivial, meaning E = \{ \mathcal{O} \}.^[1] This distinguishes them from ordinary elliptic curves, which have E \cong \mathbb{Z}/p\mathbb{Z}.^[1] Equivalently, for an elliptic curve E over \mathbb{F}_q where q is a power of p, the curve is supersingular if the number of points \#E(\mathbb{F}_q) \equiv 1 \pmod{p}.^[1] The concept of supersingularity was introduced by Max Deuring in 1941 as part of his classification of elliptic curves based on their endomorphism rings.^[2] Deuring showed that the endomorphism ring of a supersingular elliptic curve is a maximal order in the quaternion algebra over \mathbb{Q} ramified precisely at p and \infty, contrasting with the commutative endomorphism rings of ordinary curves.^[2] All j-invariants of supersingular elliptic curves lie in \mathbb{F}_{p^2}, and over \mathbb{F}_p, such a curve has exactly p+1 points.^[1] In characteristics 2 and 3, supersingular curves are precisely those with j-invariant 0.^[1] The number of isomorphism classes of supersingular elliptic curves over the algebraic closure \overline{\mathbb{F}}_p is approximately p/12, reflecting their relative scarcity among all elliptic curves modulo p.^[3] Supersingular curves exhibit heightened symmetry, with their formal groups having height 2, and the Frobenius endomorphism being purely inseparable of degree p.^[2] Beyond pure mathematics, supersingular elliptic curves are foundational in isogeny-based cryptography, where the hardness of computing isogenies between them underpins post-quantum secure protocols such as the Supersingular Isogeny Diffie-Hellman (SIDH) key exchange (though recent advances have impacted its security).^[4] Their isogeny graphs, which connect curves via \ell-isogenies for fixed \ell \neq p, are regular of degree \ell + 1 and expander graphs, enabling efficient cryptographic constructions while resisting quantum attacks via Shor's algorithm.^[1] Ongoing research explores their arithmetic properties, including Deuring correspondences linking curves to ideals in quaternion orders, with applications in secure curve generation and multiparty computations.^[5]

Background Concepts

Elliptic Curves over Finite Fields

An elliptic curve E over a finite field \mathbb{F}_q, where q = p^k for a prime p and integer k \geq 1, is defined by a Weierstrass equation of the form

y^2 = x^3 + a x + b,

with coefficients a, b \in \mathbb{F}_q such that the discriminant \Delta = -16(4a^3 + 27b^2) \neq 0 in \mathbb{F}_q.^[6] This ensures the curve is nonsingular and forms a smooth projective curve of genus 1 with a distinguished point at infinity serving as the identity element.^[6] The points on E with coordinates in \mathbb{F}_q, denoted E(\mathbb{F}_q), together with the point at infinity, constitute a finite abelian group under the elliptic curve group law, which is defined geometrically via the chord-and-tangent rule for point addition: the sum of two distinct points is the reflection across the x-axis of the third intersection point of the line through them with the curve, while doubling a point uses the tangent line at that point.^[7] The order of this group, \#E(\mathbb{F}_q), satisfies Hasse's theorem, which bounds the number of rational points as

\left| \#E(\mathbb{F}_q) - (q + 1) \right| \leq 2\sqrt{q}.

^[8] Introducing the trace of Frobenius t via the relation

\#E(\mathbb{F}_q) = q + 1 - t,

Hasse's bound implies |t| \leq 2\sqrt{q}, providing a precise interval for the possible sizes of the group.^[8] This trace t serves as a fundamental invariant characterizing the arithmetic of the curve over \mathbb{F}_q.^[7] A key algebraic structure on E arises from the Frobenius endomorphism \pi: E \to E, defined by \pi(x, y) = (x^q, y^q) on affine points and extending to the point at infinity.^[7] This map is a purely inseparable isogeny of degree q, and as an element of the endomorphism ring \mathrm{End}(E), it satisfies the characteristic equation \begin{equation} T^2 - t T + q = 0, \end{equation} where the roots are the eigenvalues of \pi acting on the Tate module of E.^[7] The trace t = q + 1 - \#E(\mathbb{F}_q) thus directly encodes the action of Frobenius, linking the point count to the endomorphism structure.^[7] Supersingular elliptic curves represent a special case where this trace satisfies particular conditions modulo p.^[8]

Ordinary and Supersingular Distinction

The distinction between ordinary and supersingular elliptic curves over finite fields of characteristic p originates from Max Deuring's foundational work in the 1940s, which explored the classification of elliptic curves based on their endomorphism structures and the possibility of lifting these endomorphisms from characteristic p to characteristic 0. Deuring's lifting theorem establishes that, given an elliptic curve E over a finite field of characteristic p equipped with a non-scalar endomorphism, there exists a lift to an elliptic curve over a ring of characteristic 0 (such as the Witt vectors) along with an endomorphism that reduces modulo p to the original one. This lifting process highlights the algebraic rigidity of certain curves in positive characteristic and motivates the dichotomy by revealing how endomorphisms behave under reduction.^[9] For ordinary elliptic curves, the endomorphism ring \operatorname{End}(E) is commutative and isomorphic to an order in an imaginary quadratic field \mathbb{Q}(\sqrt{-D}) for some positive integer D. The Frobenius endomorphism \pi satisfies a quadratic equation with trace t such that p \nmid t, ensuring the curve's endomorphism structure aligns closely with complex multiplication theory over the rationals. This commutative nature allows for a relatively flexible algebraic framework, where endomorphisms behave like those in characteristic 0 after lifting.^[10]^[11] In contrast, supersingular elliptic curves exhibit a more rigid structure, with their endomorphism ring \operatorname{End}(E) isomorphic to a maximal order in the quaternion algebra over \mathbb{Q} that is ramified precisely at p and \infty, denoted B_{p,\infty}. This non-commutative quaternion algebra reflects the curve's exceptional behavior in characteristic p, where the endomorphisms cannot be lifted to commutative rings in characteristic 0 in the same way. The supersingular case thus represents a "superspecial" subset of elliptic curves, with enhanced symmetry due to the larger, non-abelian endomorphism ring.^[5]^[12] A key distinction linking these structures to p-adic properties is the height of the formal group associated with the curve: ordinary curves have formal group height 1, while supersingular curves have height 2. This height measures the kernel of the p-power Frobenius map on the formal group, providing a local criterion for the global classification and connecting to the trace of the Frobenius endomorphism, where supersingularity occurs precisely when p divides the trace t.^[13]

Formal Definition

Trace of Frobenius Condition

A supersingular elliptic curve E over the finite field \mathbb{F}_p, where p is prime, is defined by the condition that the trace t of the Frobenius endomorphism \pi_E: E \to E given by (x,y) \mapsto (x^p, y^p) satisfies t \equiv 0 \pmod{p}. In characteristics p=2 and p=3, the supersingular curves are those with j-invariant 0, which satisfy this trace condition. This trace t appears in the characteristic polynomial of \pi_E, which is T^2 - t T + p = 0, and the Hasse bound ensures that |t| \leq 2\sqrt{p}, so the condition p \mid t implies t = 0. Consequently, the number of points on E over \mathbb{F}_p is \#E(\mathbb{F}_p) = p + 1 - t = p + 1.^[10] To see why this trace condition characterizes supersingularity, consider the multiplication-by-p map _E = \pi_E \circ \hat{\pi}_E, where \hat{\pi}_E is the Verschiebung dual to \pi_E. For ordinary curves, _E is separable, but supersingularity requires _E to be purely inseparable, which holds if and only if \hat{\pi}_E is inseparable; this inseparability is equivalent to the characteristic polynomial having roots whose difference is divisible by p, or directly, p \mid t.^[10] This criterion originates from Deuring's classification of elliptic curves in characteristic p, where supersingularity distinguishes curves whose endomorphism rings exceed the commutative case.^[2] The definition extends to elliptic curves over \mathbb{F}_{p^k} for k \geq 1: E is supersingular if the trace of the q-power Frobenius endomorphism \pi_{E,q}: (x,y) \mapsto (x^q, y^q) (with q = p^k) satisfies \operatorname{tr}(\pi_{E,q}) \equiv 0 \pmod{p}.^[10] This is independent of k, as supersingularity is preserved under base field extension, and it is equivalent to the endomorphism algebra \operatorname{End}^0(E) over the algebraic closure being a non-commutative quaternion algebra over \mathbb{Q}, specifically an order therein.^[10] In particular, for supersingular E over \mathbb{F}_p, the endomorphism ring often admits complex multiplication by orders like \mathbb{Z} when p \equiv 3 \pmod{4}, reflecting the quaternion structure.^[2]

Equivalent Characterizations

A supersingular elliptic curve over a finite field \mathbb{F}_q with q = p^a and prime p > 0 admits several equivalent characterizations, each providing distinct perspectives on the condition that the trace of the q-power Frobenius endomorphism \pi_E satisfies \operatorname{tr}(\pi_E) \equiv 0 \pmod{p}. These equivalences stem from foundational work establishing connections between the Frobenius action, the structure of the endomorphism ring, and local properties of the curve.^[14] One characterization uses the j-invariant: an elliptic curve E over \overline{\mathbb{F}}_p is supersingular if and only if j(E) \in \mathbb{F}_{p^2}. If E is defined over \mathbb{F}_p, then j(E) \in \mathbb{F}_p, and it must be one of the supersingular j-invariants in \mathbb{F}_p. Explicit computation shows that supersingular j-invariants are roots of a polynomial over \mathbb{F}_p. The equivalence to the trace condition arises because the characteristic polynomial of \pi_E determines the action leading to j(E) \in \mathbb{F}_{p^2}, with \operatorname{tr}(\pi_E) = 0 implying the Frobenius eigenvalues are \pm \sqrt{-p^a}, which generate at most a quadratic extension.^[14]^[10] Another perspective comes from the formal group of the curve. The p-divisible group of E decomposes into an étale part and a connected (formal) part; E is supersingular if and only if the formal group \hat{E} has height 2 over the base field (compared to height 1 for ordinary curves). In this case, the multiplication-by-p map on the formal group is zero on the height-1 component, making the Verschiebung endomorphism purely inseparable. The trace condition implies this height via duality between the Frobenius and Verschiebung isogenies on the p-divisible group: \operatorname{tr}(\pi_E) \equiv 0 \pmod{p} forces the inseparable degree of _E to be p^2, corresponding to formal height 2. Conversely, height 2 implies the kernel of _E is trivial étale, yielding trace 0.^[14] The Hasse invariant provides an explicit computational criterion. For an elliptic curve E given in short Weierstrass form y^2 = x^3 + ax + b over a field of characteristic p > 2, the Hasse invariant A_p(E) is the coefficient of x^{p-1} in the expansion of (x^3 + ax + b)^{(p-1)/2} modulo the relation y^2 = 0 (or equivalently, in (x^3 + ax + b)^p / x^{p(p-1)/2 + 3(p-1)} adjusted for the form). Then E is supersingular if and only if A_p(E) = 0. This vanishes precisely when the Frobenius acts nilpotently on the de Rham cohomology H^1_{\mathrm{dR}}(E), which is equivalent to the trace of Frobenius on the Tate module being divisible by p, as the Hasse invariant detects the separability of the iterated Frobenius map.^[14] Finally, the Serre-Tate criterion uses deformation theory: E over a perfect field k of characteristic p is supersingular if and only if its canonical lift \tilde{E} to the Witt ring W(k) (uniquely determined by lifting the p-divisible group rigidly) has no non-trivial p-torsion in its deformation space, meaning the versal deformation ring is formally smooth of relative dimension 1 with trivial p-adic filtration on the tangent space. This equates to the trace condition because the canonical lift preserves the isoclinic slope 1/2 of the Dieudonné module of E[p^\infty], implying no étale p-torsion liftable independently, which forces \operatorname{tr}(\pi_E) \equiv 0 \pmod{p}.^[15]^[16]

Geometric and Algebraic Properties

Endomorphism Ring Structure

The endomorphism ring \operatorname{End}(E) of a supersingular elliptic curve E over a finite field of characteristic p > 2 is isomorphic to an order in the definite quaternion algebra B_{p,\infty} over \mathbb{Q}, which is ramified precisely at the places p and \infty and satisfies [B_{p,\infty} : \mathbb{Q}] = 4. This contrasts with ordinary elliptic curves, whose endomorphism rings are commutative orders in quadratic imaginary fields. For primes p, \operatorname{End}(E) is a maximal order in B_{p,\infty}; these orders contain the Frobenius endomorphism \pi, where \pi satisfies the minimal relation \pi^2 = -p up to isomorphism of the ring.^[17] The classification of such rings reveals that the endomorphism rings arising from supersingular elliptic curves are specifically maximal orders (Eichler orders of level 1) in B_{p,\infty}.^[18] A key consequence of this quaternion structure is that no ordinary elliptic curve can possess a non-commutative endomorphism ring, ensuring the distinction between ordinary and supersingular types is preserved algebraically. Furthermore, while supersingular curves defined over \mathbb{F}_{p^2} may appear non-isomorphic over \mathbb{F}_p, their endomorphism rings impose a rigidity that aligns them under the action of the quaternion algebra over the algebraic closure. Deuring's lifting theorem guarantees that every supersingular elliptic curve E over a finite field of characteristic p, together with a chosen nonzero endomorphism \phi \in \operatorname{End}(E), lifts uniquely to an elliptic curve \tilde{E} over a number field, endowed with an endomorphism \tilde{\phi} reducing to \phi modulo p, such that \operatorname{End}(\tilde{E}) \cong \operatorname{End}(E).^[19] This unique lift preserves the full quaternion endomorphism structure in characteristic zero.

Frobenius Endomorphism Role

In supersingular elliptic curves defined over a finite field of characteristic p > 3, the Frobenius endomorphism \pi plays a pivotal role in the structure of the endomorphism ring. Specifically, \pi satisfies the minimal polynomial X^2 + p = 0 over \mathbb{Z}, implying \pi^2 = -p.^[20]^[17] This quadratic relation ensures that \mathbb{Z}[\pi] is a subring of the endomorphism ring \mathrm{End}(E), as \pi provides the necessary non-integer element alongside the identity.^[17] The action of \pi on the étale cohomology group H^1(E, \mathbb{Q}_\ell) for \ell \neq p further underscores its significance, where \pi acts with eigenvalues \sqrt{-p} and -\sqrt{-p}.^[21] These eigenvalues arise as the roots of the characteristic polynomial X^2 + p = 0, directly linking to the trace of Frobenius being zero, a defining property of supersingularity.^[20] Dually, the Verschiebung isogeny V satisfies V \circ \pi = , where $$ denotes the multiplication-by-p map, and in the supersingular case, \mathrm{im}(\pi) = \mathrm{ker}(V).^[22] This equality highlights the inseparability of both \pi and V, reflecting the height-2 formal group law of the curve, where the p-torsion is fully killed by these maps.^[20] In the context of isogeny graphs, all supersingular elliptic curves over \overline{\mathbb{F}}_p form a single connected component under l-power degree isogenies for primes l \neq p, structured as a volcano with the supersingular curves at the base level.^[23] The Frobenius endomorphism induces p-isogenies that connect curves within this structure, preserving supersingularity and facilitating the quaternion algebra framework for the endomorphism rings.^[23] Computationally, powers of \pi enable efficient determination of the order of the group of rational points E(\mathbb{F}_{p^k}). Since \pi and its conjugate \overline{\pi} = -p / \pi satisfy the recurrence from their minimal polynomial, the trace t_k = \pi^k + \overline{\pi}^k yields |E(\mathbb{F}_{p^k})| = p^k + 1 - t_k, allowing recursive computation without point counting.^[5]

Classification and Enumeration

j-Invariant Classification

Supersingular elliptic curves over the algebraic closure of a finite field \mathbb{F}_p of characteristic p > 0 are classified up to isomorphism by their j-invariants, which parametrize the isomorphism classes of elliptic curves via the moduli interpretation of the j-line. The set of supersingular j-invariants forms a finite subset of \mathbb{F}_{p^2}. The number of distinct supersingular j-invariants is \left\lfloor \frac{p+1}{12} \right\rfloor + \epsilon, where \epsilon \in \{0, 1, 2\} depends on p \mod 12. For p=2, there is one supersingular j-invariant, j=0; for p=3, there is one, j=0; for p>3, the count follows the formula above. For example, when p=5, the unique supersingular j-invariant is j=0. These j-invariants all reside in \mathbb{F}_{p^2}.^[24] Only the special cases j=0 and j=[1728](/page/1728) can yield supersingular elliptic curves defined over \mathbb{F}_p, specifically when p \equiv 2 \pmod{3} for j=0 and p \equiv 3 \pmod{4} for j=[1728](/page/1728); all other supersingular curves require the quadratic extension \mathbb{F}_{p^2} for their models up to isomorphism over \mathbb{F}_p. The j-invariants of supersingular elliptic curves generally satisfy j \equiv 0 \pmod{p}, except in the cases of twists of the curves with j=0 or j=[1728](/page/1728) that are supersingular. The supersingular j-invariants are precisely the roots of Deuring's polynomial, a monic polynomial over \mathbb{F}_p of degree equal to the number of such j-invariants (the Hurwitz class number H(-4p)). This polynomial arises from the Deuring correspondence between supersingular curves and maximal orders in the quaternion algebra ramified at p and \infty.^[25]

Counting Supersingular Curves

The enumeration of supersingular elliptic curves up to isomorphism over the algebraic closure \overline{\mathbb{F}}_p is a classical result due to Deuring. The number of such curves, equivalently the number of distinct supersingular j-invariants in \overline{\mathbb{F}}_p, is given by the formula

\sum_{\substack{d \mid (p+1) \\ d > 0}} \frac{h(-d)}{w_d},

where h(-d) is the class number of the imaginary quadratic order of discriminant -d and w_d = |\mathcal{O}_{-d}^\times| is the number of units in that order. This sum equals the class number of the definite quaternion algebra ramified precisely at p and \infty, adjusted for units. For large primes p > 3, this count is asymptotically p/12 + O(p^{1/2 + \epsilon}), with the leading term established by Deuring in the 1940s via the mass formula \sum 1/|\mathrm{Aut}(E)| = (p-1)/24, where the sum is over all supersingular E (most have |\mathrm{Aut}(E)| = 2). Recent refinements to the error term stem from Katz's estimates on the average size of class numbers h(-d) for discriminants up to p, yielding improved bounds on the distribution and confirming the asymptotic with explicit constants for p \gg 0. When p \equiv 2 \pmod{3}, the formula simplifies due to limited possible discriminants, and the Gross–Koblitz formula for Gauss sums in terms of the p-adic gamma function enables exact computation of the relevant class number h(-3p)/3, giving the count as (p-1)/12 + \epsilon_p, where \epsilon_p \in \{0, 1/3, 2/3\} depends on p \pmod{36}.^[26] All supersingular elliptic curves over \overline{\mathbb{F}}_p are defined over the quadratic extension \mathbb{F}_{p^2}, as their j-invariants lie in \mathbb{F}_{p^2} (generated by the Frobenius endomorphism satisfying \pi^2 = -p). There are no additional isomorphism classes of supersingular curves over \mathbb{F}_{p^k} for k > 2; all such curves base change from those over \mathbb{F}_{p^2}.^[27] Deuring established the original count in the 1940s using the correspondence between supersingular curves and maximal orders in the quaternion algebra. Modern computational verifications, implemented in software such as SageMath's SupersingularModule (which lists all supersingular j-invariants for given p), have confirmed the formula for primes up to at least $10^{12} via explicit enumeration and isogeny graph traversals.^[28]

Applications and Significance

Role in Elliptic Curve Cryptography

Supersingular elliptic curves are particularly suitable for pairing-based cryptographic protocols due to their small embedding degree, typically 2 or at most 6, which enables efficient computation of bilinear pairings such as the Weil or Tate pairings.^[29] For instance, on a supersingular curve E over \mathbb{F}_p with p \equiv 3 \pmod{4}, the embedding degree is 2, allowing the \eta_T pairing to be defined on points in E(\mathbb{F}_{p^2}), which simplifies pairing evaluation compared to ordinary curves with larger embedding degrees.^[30] This property makes supersingular curves pairing-friendly, facilitating applications like identity-based encryption and short signatures where bilinear maps are essential.^[31] A prominent example is the Boneh-Lynn-Shacham (BLS) signature scheme, which relies on the Weil pairing over supersingular elliptic curves defined over \mathbb{F}_p with p \equiv 3 \pmod{4} and embedding degree 2.^[32] In BLS signatures, the pairing enables verification of constant-sized signatures, achieving short signature lengths of approximately \log p bits while supporting aggregation for multiple messages.^[32] These curves are also used in identity-based encryption protocols, where the small embedding degree supports efficient key generation and decryption via pairings.^[32] The advantages of supersingular curves in these systems include the efficiency of pairing computations, which yield compact signatures suitable for bandwidth-constrained environments, and inherent resistance to certain discrete logarithm attacks on the curve group due to the curve's structure.^[32] However, their low embedding degree exposes them to the MOV attack, which reduces the elliptic curve discrete logarithm problem to a finite field discrete logarithm problem in \mathbb{F}_{p^k}, potentially weakening security if k is small.^[33] This vulnerability is mitigated by selecting sufficiently large primes p, ensuring that the discrete logarithm in the extension field \mathbb{F}_{p^k} remains computationally infeasible.^[34] Beyond pairings, supersingular curves underpin isogeny-based cryptography, notably the Supersingular Isogeny Diffie-Hellman (SIDH) key exchange protocol introduced in 2011, which leverages walks on supersingular isogeny graphs guided by the Frobenius endomorphism for post-quantum secure key agreement. SIDH and its encapsulation variant SIKE were historically significant for offering compact keys and resistance to quantum attacks, though a 2022 key recovery attack by Castryck and Decru demonstrated efficient classical breaks, prompting a shift away from these protocols in post-quantum standardization efforts. Despite these setbacks, research in supersingular isogeny-based cryptography continues as of 2025, with new constructions such as enhanced digital signature schemes and unconditional security foundations for related problems.^[35] In terms of implementation, pairings on supersingular curves benefit from optimized algorithms like the optimal Ate pairing, which achieves O(\log p) time complexity for evaluation, making it viable for resource-limited devices despite the quadratic extension field arithmetic.^[36] This efficiency has supported practical deployments in pairing-based systems prior to the broader adoption of higher-degree ordinary curves for enhanced security.^[36]

Connections to Number Theory

Supersingular elliptic curves exhibit profound connections to modular forms through the Eichler-Shimura isomorphism, which relates the cohomology of modular curves to spaces of cusp forms. For a supersingular elliptic curve E over a finite field \mathbb{F}_p, the trace of the Frobenius endomorphism t = 0, implying that the Hecke eigenvalue a_p = t = 0 at the supersingular prime p. This condition links supersingular curves to weight 2 newforms with rational coefficients, where the associated modular form vanishes at p, providing a bridge between elliptic curve geometry and the arithmetic of modular forms. The zeta function of a supersingular elliptic curve further underscores these number-theoretic ties, particularly through Igusa invariants. For such a curve E over \mathbb{F}_p, the zeta function is given by

Z(E, T) = \frac{(1 - \pi T)(1 - \bar{\pi} T)}{(1 - T)(1 - p T)},

where \pi = \sqrt{-p} is a root of the characteristic polynomial of Frobenius. This functional form connects the arithmetic of supersingular curves to class number problems in imaginary quadratic fields, as the number of supersingular j-invariants modulo p equals the class number of \mathbb{Q}(\sqrt{-p}), reflecting deep relations in algebraic number theory. A striking link emerges in monstrous moonshine, where the j-invariants of supersingular elliptic curves relate to the Monster simple group via modular functions. Specifically, these j-invariants generate genus zero modular groups, and their Hauptmoduls appear in the McKay-Thompson series conjectured by Conway and Norton in the 1980s, tying sporadic group representations to the arithmetic of elliptic curves over finite fields. In p-adic number theory, supersingular elliptic curves parametrize formal groups of height 2, playing a central role in the p-adic Langlands program initiated in the 2000s. These formal modules facilitate the study of p-adic representations of Galois groups, enabling connections between automorphic forms and Galois representations in the supersingular locus. Supersingular reductions also feature prominently in the resolution of Serre's modularity conjecture in the 2000s, where they inform the behavior of Galois representations modulo primes. For elliptic curves with supersingular reduction at p, the associated residual representations exhibit specific properties that aid in lifting to characteristic zero, contributing to the proof that every odd, irreducible, two-dimensional \overline{\mathbb{Q}}_l-representation of the absolute Galois group of \mathbb{Q} arises from a modular form.

References

[1]
https://arxiv.org/pdf/1107.1140.pdf
[2]
[PDF] An Introduction to Supersingular Elliptic Curves and Supersingular ...
In this article, we introduce supersingular elliptic curves over a finite field and relevant concepts, such as formal group of an elliptic curve, ...
[3]
[PDF] an elementary proof for the number of supersingular elliptic curves
Jun 6, 2020 · An elliptic curve over a field of characteristic p > 0 is ordinary if its p-torsion is isomorphic to Z/pZ. Otherwise, its p-torsion is trivial ...
[4]
[PDF] Supersingular Curves You Can Trust - Cryptology ePrint Archive
The standard way to construct supersingular curves is to start from a curve with complex multiplication over a number field, and then reduce modulo p.
[5]
[PDF] Supersingular Elliptic Curves with Prescribed Endomorphism Ring ...
Feb 2, 2023 · A standard technique in elliptic-curve and isogeny-based cryptography is to work with x-coordinates only, instead of “full” points (x, y) ...
[6]
[PDF] 18.783 Elliptic Curves Lecture 1 - MIT Mathematics
Feb 8, 2017 · The (short/narrow) Weierstrass equation y2 = x3 + Ax + B defines a smooth projective genus 1 curve over k with the rational point (0 : 1 : 0).
[7]
[PDF] Chapter 4 - Elliptic Curves over Finite Fields - Koc Lab
Hasse's theorem gives bounds for the group of points on an elliptic curve over a finite field. In this section and in Section 4.5, we'll discuss some ...
[8]
[PDF] 18.783 S17 Elliptic Curves Lecture 8: Hasse's Theorem, Point ...
Mar 6, 2017 · We are now ready to prove Hasse's theorem. Theorem 8.1 (Hasse). Let E/Fq be an elliptic curve over a finite field. Then #E(Fq) = q + 1 − t, ...
[9]
[PDF] Constructing elliptic curves of prescribed order - Universiteit Leiden
we can lift an elliptic curve in characteristic p together with an endomorphism. THEOREM 3.1.(Deuring lifting) Let E/Fp be an elliptic curve and let α ∈ EndFp ...
[10]
[PDF] 14 Ordinary and supersingular elliptic curves
Apr 1, 2019 · Let E be an elliptic curve over a finite field Fq and suppose πE 6∈ Z. Then. End0(E) = Q(πE) ≃ Q(. √. D) is an imaginary quadratic field with D ...
[11]
[PDF] Endomorphism rings of elliptic curves over finite fields by David Kohel
The following theorem shows the key role that the Frobenius endmorphism plays in the structure of the elliptic curve and its endomorphism ring. Theorem 9 ...
[12]
[PDF] SUPERSINGULAR ELLIPTIC CURVES, QUATERNION ALGEBRAS ...
This paper contains a survey of supersingular isogeny graphs associated to supersin- gular elliptic curves and their various applications to cryptography.
[13]
[PDF] arXiv:math/9708215v1 [math.NT] 22 Aug 1997
An elliptic curve in characteristic p of height one is called ordinary. An elliptic curve in characteristic p of height 2 is called supersingular. The next.
[14]
[PDF] Joseph H. Silverman - The Arithmetic of Elliptic Curves
The past two decades have witnessed tremendous progress in the study of elliptic curves. Among the many highlights are the proof by Merel [170] of uniform bound ...
[15]
[PDF] Good Reduction of Abelian Varieties - Jean-Pierre Serre, John Tate
Jun 26, 2002 · By JEAN-PIERRE SERRE and JOHN TATE*. As Ogg has shown, the fact that an elliptic curve has good reduction can be seen from the unramifiedness ...Missing: supersingular | Show results with:supersingular
[16]
[PDF] LIFTING THE j-INVARIANT: QUESTIONS OF MAZUR AND TATE
In this paper we analyze the j-invariant of the canonical lifting of an elliptic curve as a Witt vector. We show that its coordinates are rational functions on ...
[17]
[PDF] Endomorphism Rings of Supersingular Elliptic Curves over Fp and ...
In 1941, Deuring [9] proved that there is a one-to-one correspondence ... Deuring [9] gave an equivalence of categories between supersingular j-invariants and.
[18]
[PDF] Endomorphism Rings of Supersingular Elliptic Curves and Ternary ...
Notice that an Eichler order of level 1 is a maximal order. Let O be an Eichler order and I an invertible left ideal of O. Define the left order OL(I) and ...
[19]
[PDF] 18.783 S17 Elliptic Curves Lecture 22 - DSpace@MIT
May 3, 2017 · Theorem 22.13 (Deuring lifting theorem). Let E/Fq be an elliptic curve over a finite field and let φ ∈ End(E) be nonzero. There exists an ...
[20]
[PDF] 13 Ordinary and supersingular elliptic curves
Oct 26, 2023 · An elliptic curve E/Fq is supersingular if and only if trπE ≡ 0 mod p. Proof. If E is supersingular then [p] = πˆπ is purely inseparable ...
[21]
[PDF] Lectures on etale cohomology - James Milne
Consider an elliptic curve E0 over Fq. The number theorists define the “eigenvalues of the Frobenius” to be the eigenvalues of ' 2 Gal.F=Fq/ acting on T`E ...
[22]
[PDF] 1. p-divisible groups and finite group schemes - Purdue Math
In particular, this is not just an abelian group, but a W(k)-module. Moreover, the Frobenius and. Verschiebung maps on define operations F and V on this module ...
[23]
[PDF] 22 Isogeny volcanoes - MIT Mathematics
Nov 28, 2023 · If EllO(Fq) is nonempty then there is an elliptic curve E/Fq with CM by O. Its. Frobenius endomorphism πE is an element of End(E) = O with trace ...
[24]
[PDF] Adventures in Supersingularland - Cryptology ePrint Archive
For a prime p, the number of supersingular j-invariants over Fp2 is b p. 12 c+ε for ε ∈ {0, 1, 2} [Sil09,. Thm V.4.1] and the supersingular j-invariant ...
[25]
[PDF] a formula for the supersingular polynomial - UTK Math
In these notes we deduce a explicit formula for ssp. Deuring (in [Deu41]) gave a characterization of supersingular elliptic curves for p > 2 based on the ...<|control11|><|separator|>
[26]
https://www.sas.rochester.edu/mth/sites/doug-ravenel/otherpapers/gross_koblitz.pdf
[27]
[PDF] Arithmetic Moduli of Elliptic Curves
the supersingular points", of suitable Igusa curves. In Chapter 14, we apply the specific calculations of the previous chapter to prove a general theorem of ...
[28]
Module of supersingular points - Modular Forms
The roots of the polynomial along with ssJ1 are the neighboring/2-isogenous supersingular j-invariants of ssJ2. INPUT: J3 – indeterminate of a univariate ...
[29]
Programming ECC - Curve Selection - Applied Cryptography Group
Supersingular curves provide six families of curves with embedding degree at most 6 [MOV]. Let q = p m and let k be the embedding degree. Then the six ...
[30]
[PDF] Fast Architectures for the ηT Pairing over Small ... - HAL Inria
Abstract—This paper is devoted to the design of fast parallel accelerators for the cryptographic ηT pairing on supersingular elliptic curves over finite ...
[31]
[PDF] Powered Tate pairing computation - Cryptology ePrint Archive
In this paper, we introduce a powered Tate pairing on a supersingular elliptic curve that has the same shortened loop as the modified Tate pairing using the eta ...
[32]
Short Signatures from the Weil Pairing | SpringerLink
We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyper-elliptic curves.Missing: original | Show results with:original
[33]
How does the MOV attack work? - Cryptography Stack Exchange
Feb 17, 2012 · But for some curves the embedding degree is small enough (specially supersingular curves, where k<=6), and this enables the MOV attack. For ...Security level difference: supersingular vs non-singular elliptic curveTrying to understand the 2nd subgroup in the Weil Pairing used for ...More results from crypto.stackexchange.com
[34]
[PDF] Pairings and pairing-friendly elliptic curves for Cryptography - Inria
Oct 28, 2024 · When n is small i.e. 1 ≤ n ≤∼ 50, the curve is pairing-friendly. This is very rare: For a given curve, log n ∼ log ℓ (Balasubramanian–Koblitz).<|separator|>
[35]
[PDF] Optimal Pairings - Cryptology ePrint Archive
Optimal pairings are computed using log2 r/ϕ(k) Miller iterations, where r is the group order and k is the embedding degree, and attain this lower bound.Missing: complexity | Show results with:complexity