Endomorphisms of a supersingular elliptic curve defined over the prime field

cryptography, elliptic-curves, finite-fields, reference-request

Let $E$ be a supersingular elliptic curve defined over a prime field $K=\Bbb{F}_p$. It is well known (see for example chapter V of J. Silverman, The Arithmetic of Elliptic Curves, my copy is the 1986 edition in case it makes a difference) that the full ring of endomorphisms of a supersingular elliptic curve is an order in a quaternion algebra.

Recently I was asked to review an M.Sc. thesis on cryptography. Apparently problems on the theme of isogenies between supersingular curves are being studied from the point of view of (post-quantum) cryptography. In one of the main references the authors (whom I totally trust) made the claim that the ring of endomorphisms of such a curve is still only an order in an imaginary quadratic number field. This leaves me scratching my head 🙂

I believe the difference must come from what isogenies $E\to E$ are included:

  • Silverman explicitly states that to him $\mathrm{End}(E)$ means $\mathrm{End}_{\overline{K}}(E)$. That is, the isogenies need only be defined over the algebraic closure. It is not unreasonable to expect that some isogenies cannot be defined over the prime field even though the curve itself is (I'm not very familiar with the use of Vélu's formula, but when the points in the kernel of an isogeny are not in $E(K)$, this won't surprise me).
  • The only corroborating evidence I could produce myself was this old exercise I managed to solve back in the day. After all, the automorphisms are surely the units of the ring of endomorphisms, and in there we see that even though the curve is defined over $\Bbb{F}_2$, the extra isomorphisms require rational functions with coefficients from the extension field $\Bbb{F}_4$.
  • The Wikipedia article on supersingular elliptic curves also leaves this as a possibility.

So it seems to me that if we restrict ourselves to the subring $\mathrm{End}_{K}(E)$ we actually get a commutative ring (of rank two) only.

The questions:

  • Is this correct? That is the ring of endomorphisms defined over the prime field is always commutative?
  • Can an argument be given based on whatever is covered in Silverman up to Chapter V?
  • I'm afraid I'm not quite as conversant with the material from Silverman's book as I was roughly twenty years ago. So I also welcome any reference to a proof of such a result.

Best Answer

I would suggest you look at Andrew Sutherland's notes on this topic at https://math.mit.edu/classes/18.783/2022/lectures.html, specifically lectures 12 and 13. Coincidentally I wrote my master's thesis on the topic of explaining the math behind these isogeny-based post-quantum algorithms (SIDH/CSIDH) and I can share it in case you are interested, but the main ideas are still well explained in Sutherland's notes. Galbraith/Delfs's paper also goes into details about the rational endomorphism ring: https://arxiv.org/pdf/1310.7789.pdf

I guess the proof you are looking for is Theorem 13.6 in Sutherland's https://math.mit.edu/classes/18.783/2022/LectureNotes13.pdf + Theorem 13.8. Note the Warning 13.1 where it mentions that the notation differs from Silverman. $\text{End}(E)$ is the ring of endomorphisms defined over $K$ and not over the closure of $K$. Also note that "$\text{End}^0(E)$" refers to the endomorphism algebra and not the endomorphism ring of $E$ ($\text{End}(E)$). Definitions are in Lecture 12: https://math.mit.edu/classes/18.783/2022/LectureNotes12.pdf.

I don't think this is really sufficiently proven in Silverman's book as you say. It does not really work with the rational endomorphism ring and simply assumes the whole ring of isogenies defined over the closure.

I haven't slept well today so I don't want to attempt to give a detailed answer but I can do that tomorrow.


Followup

My follow up specifically on the question "Is this correct? That is the ring of endomorphisms defined over the prime field is always commutative?"

Theorem 13.6 says that if $E$ is an elliptic curve over $\mathbb{F}_q$ where $q=p^e$ for some $e \in \mathbb{N}$ and $p$ prime, and $\pi_E \notin \mathbb{Z}$, then $(\text{End}^0_{\mathbb{F}_q}(E) =)\text{End}^0(E) \cong \mathbb{Q}(\sqrt{\text{tr}(\pi_E)-4q})$, which is an imaginary quadratic field.

Theorem 13.8 says that if $E$ is an elliptic curve over $\mathbb{F}_q$ s.t. $\text{End}_{\mathbb{F}_q}^0(E)$ is an imaginary quadratic field $K$, then $\mathbb{Z}[\pi_E] \subseteq \text{End}_{\mathbb{F}_q}(E) \subseteq \mathcal{O}_K$ (as rings). $\mathcal{O}_K$ denotes the ring of integers of $K$.

Therefore, by combination of 13.6 and 13.8 we get that the $\mathbb{F}_q$-rational endomorphism ring of $E$ (denoted as $\text{End}_{\mathbb{F}_q}(E)$) is a (commutative) subring of the commutative $\mathcal{O}_K$ (it's a ring of integers so it is commutative) if $\pi_E \notin \mathbb{Z}$.

Some details to clear up possible confusions:

  • $\pi_E$ denotes the (special) Frobenius endomorphism of $E$.
  • In $\mathbb{Q}(\sqrt{\text{tr}(\pi_E)-4q})$ the $\text{tr}(\pi_E)-4q$ is an integer because $\text{tr}(\cdot)$ denotes the trace map defined over $\text{End}_{\mathbb{F}_q}(E)$ (see Lecture 6: 6.16+6.17) which is always an integer for an endomorphism. ("This" trace map can also be defined over the endomorphism algebra $\text{End}^0_{\mathbb{F}_q}(E) = \text{End}_{\mathbb{F}_q}(E)\otimes_\mathbb{Z} \mathbb{Q}$ and if restricted to endomorphisms (elements of the form $\phi \otimes 1$ for some $\phi \in \text{End}_{\mathbb{F}_q}(E)$) it's equal to the one defined over $\text{End}_{\mathbb{F}_q}(E)$.)
    Therefore, $\mathbb{Q}(\sqrt{\text{tr}(\pi_E)-4q})$ is really an imaginary quadratic field as the integer is negative as shown in the proof 13.6.
  • The statement $\pi_E \notin \mathbb{Z}$ means that $\pi_E$ is not equal to a "multiplication by $n$" endomorphism of the type $[n]$ for some $n\in\mathbb{Z}$. The notation is used because we always have $\mathbb{Z} \subseteq \text{End}_{\mathbb{F}_q}(E)$. (Technically, there is the injective map $\mathbb{Z} \rightarrow \text{End}_{\mathbb{F}_q}(E): n \mapsto [n]$.)
  • So what if $\pi_E \in \mathbb{Z}$? 13.7 shows that in this case the curve must be supersingular and $e$ must be even ($q=p^e$ from the finite field definition). In your case (a prime field) $e=1$ so $\pi_E \notin \mathbb{Z}$ and Theorem 13.6 applies.
  • We can also pose a question about the rational endomorphism ring of supersingular curves defined over a field $\mathbb{F}_{p^e}$ where $e$ is even. I am not sure if the answer is that it's just $\mathbb{Z}$ or if it's more complicated (it could be an order in an imaginary quadratic field or in a quaternion algebra). Maybe someone more knowledgeable can provide an answer.
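To make the distinction between $\mathrm{End}_{K}(E)$ and $\mathrm{End}_{\overline{K}}(E)$ concrete, here is an added worked example in plain Python (it is not part of the question, of the answer above, or of Sutherland's notes). It assumes the curve $E: y^2 = x^3 + x$ over $\mathbb{F}_{23}$; any prime $p \equiv 3 \pmod 4$ works, because for such $p$ this curve is supersingular with $\#E(\mathbb{F}_p) = p+1$, so $\mathrm{tr}(\pi_E) = 0$, $\pi_E^2 = [-p]$ and $\mathbb{Z}[\pi_E] \cong \mathbb{Z}[\sqrt{-p}]$. The script brute-forces the point count, checks the characteristic polynomial of $\pi_E$ on a point, and then looks at the automorphism $\iota: (x,y) \mapsto (-x, iy)$, which needs $i = \sqrt{-1} \in \mathbb{F}_{p^2} \setminus \mathbb{F}_p$: it does not preserve $E(\mathbb{F}_p)$, so it lies in $\mathrm{End}_{\overline{K}}(E)$ but not in $\mathrm{End}_{K}(E)$, and it anticommutes with Frobenius, $\pi_E \iota = -\iota \pi_E$. This is exactly the kind of extra endomorphism that makes the full ring non-commutative while the $\mathbb{F}_p$-rational subring stays inside an imaginary quadratic order. The field $\mathbb{F}_{p^2} = \mathbb{F}_p(i)$ is modelled as pairs $(a, b) = a + bi$; the sample point $(1, 5)$ is constructed by hand ($5^2 = 2 = 1^3 + 1 \bmod 23$).

```python
# Added example, not from the original post. Assumes P ≡ 3 (mod 4) and the
# supersingular curve E: y^2 = x^3 + x.  F_{p^2} = F_p(i), i^2 = -1, is
# represented as pairs (a, b) meaning a + b*i; -1 is a non-square mod P, so
# this really is the quadratic extension and i is not in F_p.
P = 23

# ---- arithmetic in F_{p^2} ---------------------------------------------
def fadd(u, v):
    return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)

def fsub(u, v):
    return ((u[0] - v[0]) % P, (u[1] - v[1]) % P)

def fmul(u, v):
    a, b = u
    c, d = v
    return ((a * c - b * d) % P, (a * d + b * c) % P)

def finv(u):
    a, b = u
    n = pow(a * a + b * b, -1, P)      # norm a^2 + b^2 lies in F_p^* for u != 0
    return (a * n % P, -b * n % P)

def fpow(u, e):
    r = (1, 0)
    while e:
        if e & 1:
            r = fmul(r, u)
        u = fmul(u, u)
        e >>= 1
    return r

def is_rational(z):
    return z[1] == 0                   # z lies in the prime field F_p

# ---- group law on E: y^2 = x^3 + x; points are (x, y) or INF -----------
INF = None

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return fmul(y, y) == fadd(fmul(fmul(x, x), x), x)

def neg(pt):
    return INF if pt is INF else (pt[0], fsub((0, 0), pt[1]))

def add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if fadd(y1, y2) == (0, 0):     # p2 == -p1 (covers 2-torsion, y == 0)
            return INF
        num = fadd(fmul((3, 0), fmul(x1, x1)), (1, 0))   # 3x^2 + a with a = 1
        lam = fmul(num, finv(fmul((2, 0), y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))

def mul(n, pt):                        # [n]pt by double-and-add, n may be negative
    if n < 0:
        n, pt = -n, neg(pt)
    r = INF
    while n:
        if n & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        n >>= 1
    return r

# ---- the two endomorphisms being compared ------------------------------
def frobenius(pt):                     # pi_E: (x, y) -> (x^p, y^p), defined over F_p
    return INF if pt is INF else (fpow(pt[0], P), fpow(pt[1], P))

def iota(pt):                          # (x, y) -> (-x, i*y), defined over F_{p^2} only
    return INF if pt is INF else (fsub((0, 0), pt[0]), fmul((0, 1), pt[1]))

def count_points():                    # #E(F_p) by brute force over the prime field
    sq = {}
    for y in range(P):
        sq[y * y % P] = sq.get(y * y % P, 0) + 1
    return 1 + sum(sq.get((x ** 3 + x) % P, 0) for x in range(P))

def frobenius_trace():
    return P + 1 - count_points()

def frobenius_discriminant():         # discriminant t^2 - 4p of x^2 - t*x + p
    t = frobenius_trace()
    return t * t - 4 * P

def char_poly_holds(pt):               # pi_E^2 - [t] pi_E + [p] annihilates pt
    t = frobenius_trace()
    lhs = add(frobenius(frobenius(pt)), mul(-t, frobenius(pt)))
    return add(lhs, mul(P, pt)) is INF

def endomorphisms_commute(pt):
    return frobenius(iota(pt)) == iota(frobenius(pt))

if __name__ == "__main__":
    P0 = ((1, 0), (5, 0))              # constructed F_p-rational point: 5^2 = 1^3 + 1 mod 23
    Q = iota(P0)                       # y-coordinate 5i, so Q is not F_p-rational
    print("#E(F_p) =", count_points(), "trace =", frobenius_trace(),
          "disc =", frobenius_discriminant())
    print("iota(P0) rational?", is_rational(Q[0]) and is_rational(Q[1]))
    print("pi*iota == iota*pi on P0?", endomorphisms_commute(P0))
    print("pi*iota == -iota*pi on P0?", frobenius(Q) == neg(iota(frobenius(P0))))
    print("char poly of pi holds on P0, Q?", char_poly_holds(P0), char_poly_holds(Q))
```

Note that on $\mathbb{F}_{p^2}$-points $\pi_E^2$ acts as the identity, so the characteristic-polynomial check on $Q$ reduces to $[p+1]Q = O$, which holds because $\iota$ is a group automorphism and $P_0$ has order dividing $\#E(\mathbb{F}_p) = p+1$. The anticommutation comes from $i^p = i^3 = -i$ when $p \equiv 3 \pmod 4$, which is the same reason $i \notin \mathbb{F}_p$.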