arxiv:2101.08761v1 [math.nt] 21 jan 2021

arX

iv:2

101.

0876

1v2

[m

ath.

NT

] 1

7 Se

p 20

21

LOOPS, MULTI-EDGES AND COLLISIONS IN SUPERSINGULAR

ISOGENY GRAPHS

WISSAM GHANTOUS

Mathematical Institute,University of Oxford,

Andrew Wiles Building, OX2 6GG, UK

Abstract. Supersingular isogeny graphs are known to have very few loops and multi-edges. We formalize this idea by studying and finding bounds for the number of loops andmulti-edges in such graphs. We also find conditions under which the supersingular isogenygraph Λp(ℓ) is simple.

The methods presented in this paper can be used to study many kinds of collisions insupersingular isogeny graphs. As an application, we introduce the notion of bi-route numberfor two graphs Λp(ℓ1),Λp(ℓ2) and compute bounds for it. We also study the number of edgesin common between the graphs Λp(ℓ1),Λp(ℓ2).

1. Introduction

Supersingular isogeny graphs Λp(ℓ) play a paramount role in post-quantum cryptographyand isogeny based cryptography. They are used to develop quantum-safe analogs of oldercryptographic systems. In [1], Charles, Lauter and Goren construct a cryptographic hashfunction whose security is based on the difficulty of finding paths between two vertices inΛp(ℓ), i.e. finding isogenies between supersingular elliptic curves. Moreover, in [2] new can-didates for quantum-resistant public-key cryptosystems, based on this same problem, arepresented. The graph Λp(ℓ) is created by taking the graph associated to a Brandt matrixB(ℓ) for the prime ℓ, over some base prime p. In other words, they are obtained by turningthe set of supersingular elliptic curves (over Fp2) into a graph where edges are given byisogenies of prime degree ℓ.

A key assumption that is made in many cases is that the base prime p is congruent to 1modulo 12. This is a very technical assumption to ensure that the graphs are everywhereregular and undirected. Actually, the only vertices where one might not have undirectednessare the ones corresponding to the j-invariants 0 and 1728. The assumption p ≡ 1 mod 12ensures that the elliptic curves with j-invariants 0 and 1728 are not supersingular.

A further conceptual simplification that is usually made when working with supersingularisogeny graphs is that they are very close to being simple graphs. Indeed, supersingularisogeny graphs have very few multiple edges and also very few loops (by loop, we mean anedge from a vertex to itself). One might hence ask how many loops or multi-edges such

Date: September 20, 2021.2010 Mathematics Subject Classification. 14H52, 14K02.Key words and phrases. supersingular isogeny graphs, loops, multi-edges, collisions, bi-route number.

1

http://arxiv.org/abs/2101.08761v2

2 WISSAM GHANTOUS

a graph has on average, or what assumptions must one make in order to obtain a simplesupersingular isogeny graph (i.e. with no loops nor multi-edges).

Our contribution. It is already known that one can make some conditions on the primep to ensure that the graph Λp(ℓ) has no loops. However there isn’t any comprehensive studyassembling – in one place – bounds on the number of loops, bounds on the number of multi-edges and conditions to ensure the simplicity of Λp(ℓ). To do so, we will use a very particularcharacterization of the trace of Brandt matrices proven in [6], relating the trace of Brandtmatrices to modified Hurwitz class number, as well as bounds for Hurwitz class numbersgiven in [4].

Moreover, since the graphs {Λp(ℓ)}ℓ have the same set of vertices for any fixed prime p,we can consider the graph Λp(ℓ1, ℓ2), for two primes ℓ1 and ℓ2, obtained by superposing thetwo graphs Λp(ℓ1),Λp(ℓ2) and drawing the edges of Λp(ℓ1) and Λp(ℓ2) in two different coloursas in Figure 1. One is then interested in the number of edges that these two graphs have incommon (which is related to their edit distance) as well as the number of times two verticeswill have paths of certain lengths between them on both graphs (which we will define astheir bi-route number). We will formalize, quantitatively study and bound these notions ofcommon edges and common paths between two graphs Λp(ℓ1) and Λp(ℓ2). We will do so byusing the same method as for the study of loops and multi-edges. This method can actuallybe used to quantitatively study any kind of collisions in supersingular isogeny graphs.

43

89a+108

20a+88

41

7a+12

102a+19

17

74a+96

35a+61

Figure 1. The graph Λ109(2, 3) where 2-isogenies are in blue and 3-isogeniesare in green.

Outline. We start with Section 2, where we recall the necessary preliminaries to under-stand the construction of supersingular isogeny graphs and Brandt matrices, as well as theessential results on traces of Brandt matrices and sums of Hurwitz class numbers used inour subsequent computations. In Section 3, we begin the study of loops in the graph Λp(ℓ),which is the simplest example one can consider, in order to demonstrate how our method ofcomputing collisions works. This gives us a bound on the number of loops and well as con-ditions to ensure the graph Λp(ℓ) has no loops. Subsequently, we turn our attention to thesimplest kind of collision one can have: multi-edges. We then obtain bounds on the numberof multi-edges and conditions to guarantee the simplicity of the graph Λp(ℓ). Finally, in Sec-tion 4, we simultaneously study two supersingular isogeny graphs. This section provides newresults regarding problems that haven’t been considered before. We first study the number

LOOPS, MULTI-EDGES AND COLLISIONS 3

of edges in common between the two graphs Λp(ℓ1) and Λp(ℓ2) and provide bounds for them,which in turn gives bounds for the edit distance between Λp(ℓ1) and Λp(ℓ2). We also giveconditions under which these common edges do not exist. Second, we study a much moregeneral notion of collision by introducing the concept of bi-route number. It is a measureof how many times two vertices will have paths (which will constitute collisions) of certainlengths between them on both graphs Λp(ℓ1) and Λp(ℓ2).

Acknowledgements. I would like to thank Eyal Goren, who supervised my masters studiesat McGill University. I am thankful for the many fruitful discussions we had – that leadto many of the results in this article – and the helpful advice I received during my time atMcGill.

2. Background

2.1. Elliptic curves. Let p be a prime greater than 4 and k := Fq be the finite field of orderq and characteristic p. The algebraic closure of Fq will be denoted by Fq. An elliptic curveE over k is a smooth projective curve of genus 1, together with a distinguished k-rationalpoint OE. Equivalently, (since Char(k) 6= 2, 3) the elliptic curve E over k is the projectiveclosure of the affine curve given by a short Weierstrass equation of the form

E : y2 = x3 + ax+ b, a, b ∈ k

where the discriminant ∆ := −16(4a3 + 27b2) is non-zero. Here, the distinguished pointOE is the point at infinity (0 : 1 : 0) on the projective closure. The j-invariant of E is

j(E) := −1728 (4a)3

∆. Every j ∈ k is the j-invariant of some elliptic curve Ej over k. Indeed,

for j equal to 0 or 1728, consider E0 : y2 = x3 + b and E1728 : y

2 = x3 + ax respectively (forany choice of a and b). If j 6= 0, 1728, let Ej : y

2 = x3 + 3j(1728− j)x+ 2j(1728− j)2.For every extension K/k, the set of K-rational points of E,

E(K) := {(x, y) ∈ K ×K : y2 = x3 + ax+ b} ∪ {OE},forms an abelian group where the group structure is given by rational functions. An isogenyf between two elliptic curves E1 and E2 over k is a group homomorphism that is also amorphism of varieties (a regular rational function). We must have f(OE1) = OE2. Bijectiveisogenies are just called isomorphisms. It is known that isogenies have finite kernels and thatnon-zero isogenies are surjective.

Elliptic curves are classified up to isomorphism (over k) by their j-invariants, i.e. twoelliptic curves E1 and E2, when viewed over k, are isomorphic if and only if j(E1) = j(E2).

Quotients of elliptic curves by finite subgroups are also elliptic curves. In addition, iso-genies are uniquely defined by their kernels. So given a finite subgroup L ⊆ E, E/L is anelliptic curve and there exists a unique (up to isomorphism) elliptic curve E ′ and a separableisogeny φ : E −→ E ′ such that ker(φ) = L and E ′ ∼= E/L.

Remark 1. Although elliptic curves may in general be defined over any extension K/k, inthis work, isogenies will always (unless specified explicitly) be defined over the algebraicclosure k.

Theorem 2.1. Let E be an elliptic curve over a field K (of any characteristic). The auto-morphism group Aut(E) is cyclic. If j(E) 6= 0, 1728, then ♯Aut(E) = 2. If Char(K) 6= 2, 3,then ♯Aut(E0) = 6 and ♯Aut(E1728) = 4.

4 WISSAM GHANTOUS

Since every isogeny φ : E1 −→ E2 is a rational map of curves, composition with φ inducesan injection of function fields

φ∗ : k(E2) −→ k(E1)

f 7→ f ◦ φ.We say that the isogeny φ is separable (resp. purely inseparable) if the field extensionk(E1)/φ

∗k(E2) is separable (resp. purely inseparable). The degree of a non-zero isogenyφ : E1 −→ E2 is the degree of the field extension, i.e. deg(φ) := [k(E1) : φ∗k(E2)]. Thedegree is multiplicative (with respect to composition) and in the case where φ is a separableisogeny, its degree is equal to the size of its kernel.

Remark 2. If K is a field of characteristic p, which is the case in this paper, then any isogenyφ can be factored into the composition of a separable isogeny ψ, and a purely inseparableFrobenius isogeny πpr : E −→ E(pr), (x, y) 7→ (xp

r, yp

r) to get φ = ψ ◦ πpr . In particular, if

the degree of an isogeny is not divisible by p, then it is a separable isogeny.

Let E be an elliptic curve over K. Given an integer m ∈ N, the multiplication-by-m map

[m] : E −→ E

P 7→ P + ... + P︸︷︷︸

m-times

is an isogeny of degree m2. This allows us to view Z as a subgroup of End(E) via m 7→ [m].The kernel of [m] is the group ofm-torsion points E[m] of E. Whenm is coprime to Char(K),we have E[m] ∼= Z/mZ× Z/mZ.

Example 1. Consider the elliptic curve E : y2 = x3+1 over C and the isogeny [2] : P 7→ P+P .Since isogenies are rational functions, the coordinates of the map [2] can be expressed as afraction of polynomials. Indeed,

[2](x, y) =

(x4 − 8x

4(x3 + 1),y(−8 + 20x3 + x6)

8(1 + x3)2

)

.

Moreover, ker([2]) = E[2] = {OE, (−1, 0), (1+i√3

2, 0), (1−i

√3

2, 0)} ∼= Z/2Z× Z/2Z.

An extremely important property of isogenies, other than always being surjective, is thatfor every isogeny φ : E −→ E ′ of degree d, there exists a (unique) dual isogeny φ∨ : E ′ −→ Eof degree d, such that φ∨ ◦φ = φ◦φ∨ = [d]. We conclude with the following useful propertiesabout the existence and the decomposition of certain isogenies. See [11] for more on this.

Proposition 2.1. Let φ : E1 −→ E2, ψ : E1 −→ E3 be two non-zero isogenies and assumethat φ is separable. If ker(φ) ⊆ ker(ψ), then there exists a unique isogeny γ : E2 −→ E3 suchthat ψ = γ ◦ φ.Proposition 2.2. Let φ : E −→ E ′ be a separable isogeny defined over Fq. Then, there existsn ∈ Z, elliptic curves E = E0, ..., Es = E ′ and isogenies ψi : Ei −→ Ei+1 of prime degree(for i = 0, ..., s− 1) such that φ = ψs−1 ◦ ... ◦ ψ0 ◦ [n]. Moreover, deg(φ) = n2

∏s−1i=0 deg(ψi).

2.2. Supersingular elliptic curves.

Definition 2.1. An elliptic curve E is said to be supersingular if it satisfies one of thefollowing equivalent conditions:


(i) For every finite extension Fqr there are no points in E(Fqr) of order p, i.e. E(Fqr)[p] = 0.(ii) The isogeny [p] : E −→ E is purely inseparable and j(E) ∈ Fp2.(iii) The endomorphism ring End(E) is an order in a quaternion algebra.

The quaternion algebra we refer to in part (iii) of Definition 2.1 is the quaternion algebraBp,∞ that we will define in section (2.3).

Any supersingular elliptic curve E, defined over Fp, has j-invariant j(E) ∈ Fp2 and admitsa presentation over Fp2. This means that E is isomorphic to another supersingular ellipticcurve defined over Fp2. This implies the (generous) bound of p2 for the number of supersin-

gular elliptic curves over Fp up to isomorphism. The actual number is much smaller than p2

however. For a prime p ≥ 5, the number of isomorphism classes (over Fp) of supersingularelliptic curves is given by

⌊ p

12

⌋

+

0 if p ≡ 1 mod 12;1 if p ≡ 5 mod 12;1 if p ≡ 7 mod 12;2 if p ≡ 11 mod 12.

(1)

Moreover, quotients of supersingular elliptic curves by finite subgroups are also supersingular.

2.3. Brandt matrices. A quaternion algebra A is a 4-dimensional Q-algebra of the form

A = Q⊕Qα⊕Qβ ⊕Qαβ

such that α2 = a, β2 = b with a, b ∈ Q×, and αβ = −βα. An order O in a Q-algebra Ais a subring of A that is also a lattice (a finitely generated Z-module) spanning A over Q

(i.e. O ⊗Z Q = A). Given a quaternion algebra B and a prime ν (that could potentially beinfinity), we define Bν := B ⊗Q Qν (with Q∞ = R) . It follows from Wedderburn’s theoremthat Bν must either be a division ring or a matrix algebra M2(Qν). In the case where Bν isa division ring we say that B is ramified at ν. If Bν

∼= M2(Qν) we say that B is unramified(or split) at ν.

A quaternion algebra is determined, up to isomorphism, by the set of primes at which itramifies: this set has even cardinality (and can potentially include ∞). Conversely, any suchset (of even cardinality, potentially including ∞) may arise as the set of primes at which aquaternion algebra ramifies.

We will follow [6] and [12] to introduce Brandt matrices. Let p be a rational prime andB = Bp,∞ the (unique) quaternion algebra over Q which is ramified at p and infinity. Let Obe a fixed maximal order of B. We will say that two left ideals I and J of O are equivalentif there is some b ∈ B× such that J = Ib. Let {I1, ..., In} be a set of representatives forthe left ideals of O (with I1 = O). Here, n is independent of the choice of maximal orderO in B. Further, let Ri := Oright(Ii) = {b ∈ B : Ib ⊆ I} be the right order of Ii. Theneach conjugacy class of a maximal order of B is represented (not necessarily once) in theset {R1, ..., Rn}. Let t ≤ n be the number of conjugacy classes of maximal orders in B. Wecall n the class number of B and t the type number of B.

The above shows that endomorphism rings of supersingular elliptic curves correspond tomaximal orders in the quaternion algebra Bp,∞. The following theorem makes it clear.

Theorem 2.2 (Deuring’s correspondence, [3]). Fix any maximal order O ∈ B. Let E be theset of supersingular elliptic curves up to isomorphism and let LO be the set of equivalence

6 WISSAM GHANTOUS

classes of left ideals of O. Then there is a correspondence between E and LO, such that foreach E ∈ E , there exists a unique I ∈ LO with End(E) ∼= Oright(I) and Aut(E) ∼= Oright(I)

×.

Let Γi := R×i /Z

×. It is a discrete subgroup of the compact group (B⊗R)×/R× ∼= SO3(R)and hence must be finite. Let wi := ♯Γi, then w :=

∏ni=1wi is independent of the choice of O

and is equal to the denominator of p−112

, when simplified. Eichler’s mass formula states that

n∑

i=1

1

wi=p− 1

12.

We will now introduce the notions of theta series and Brandt matrices. Let I−1i := {a ∈

B : IiaIi ⊆ Ii} and Mij := I−1j Ii = {∑ akbk : ak ∈ I−1

j , bk ∈ Ii}. Given a ∈ B, let Nm(a)

denote its reduced norm: Nm(t+xi+yj+zk) = t2−αx2−βy2+αβz2. Let Nm(Mij) denote

the unique rational number such that{

Nm(a)Nm(Mij)

: a ∈Mij

}

are integers with no common

factors. Define the theta series

θij(τ) :=1

2wj

∑

a∈Mij

e2πi Nm(a)

Nm(Mij )τ=

∑

m≥0

Bij(m)qm,

where q := e2πiτ . This allows us in turn to define B(m) :=[Bij(m)

]

1≤i,j≤n, the Brandt

matrix of degree m. If m = 0, we have

B(0) =1

2

1w1

1w2

... 1wn

1w1

1w2

... 1wn

......

. . ....

1w1

1w2

... 1wn

,

and B(1) is the identity matrix. For a reason that will become clear in Section 4.2, we willdefine B(m) for all m ∈ Q, setting B(m) = 0 if m 6∈ N and as above if m ∈ N.

Proposition 2.3 (Proposition 2.7 in [6]). (1) For m ≥ 1, the matrix B(m) has non-negative, integral entries. Further, the row sums of B(m) are independent of thechosen row and

∑

j

Bij(m) =∑

d|m(d,p)=1

d.

(2) If (m,m′) = 1, then B(mm′) = B(m)B(m′).(3) If ℓ 6= p is a prime, then B(ℓk) = B(ℓk−1)B(ℓ)− ℓB(ℓk−2) for all k ≥ 2.(4) We have the symmetry relation wjBij(m) = wiBji(m).

The concepts of Brandt matrices and elliptic curves are intimately related. We can thususe the theory of Brandt matrices to study elliptic curves. This approach is very fruitfuland we will use it in many computations in Sections 3 and 4. To make this more precise, weintroduce Hurwitz Class Numbers.

Given an order O (of rank 2 over Z) of negative discriminant d, let h(d) be the size of theclass group of O and u(d) = ♯(O×/Z×) = ♯O×/2. If d = dK is a discriminant of a field K,by the correspondence between ideal class groups and form class groups, we can define h(d)as the class number of primitive binary quadratic forms of discriminant d (equivalently, it is


the number of reduced primitive binary quadratic forms of discriminant d). We notice thatu(d) is always 1; except if d = −3,−4, in which case, u(d) = 3, 2 respectively.

Definition 2.2. For D > 0, the Hurwitz Class Number H(D) is

H(D) =∑

d·f2=−Dd neg. disc.

h(d)

u(d).

where the sum runs over negative discriminants. For D = 0, we set H(0) := −1/12.

The sum defining H(D) precisely takes into account d’s such that d ≡ 0, 1 mod 4. It thenfollows that H(D) > 0 when D ≡ 0, 3 mod 4. In particular, H(4k − s2) > 0 for all s2 < 4k.

Theorem 2.3 ([4, 7, 8]). Let m ∈ Z. Then,∑

s∈Zs2≤4m

H(4m− s2) = 2∑

d|md−

∑

d|mmin{d,m/d}.

In particular, for a given prime ℓ, we have∑

|s|<2√ℓ

H(4ℓ− s2) = 2ℓ. (2)

Definition 2.3. For D > 0, the modified Hurwitz Class Number attached to a prime p is

Hp(D) :=

0 if p splits in O−D;H(D) if p is inert in O−D

and does not divide the conductor of O−D;12H(D) if p is ramified in O−D

but does not divide the conductor of O−D;H(D

p2) if p divides the conductor of O−D;

where O−D is the order of discriminant −D. If D = 0, let Hp(0) :=p−124

.

Notice that Hp(D) ≤ H(D) for all p and D > 0. In addition, when D ≡ 0, 3 mod 4 weget H(D) > 0 and then Hp(D) = 0 if and only if p splits in O−D. Moreover, if we let −ddenote the fundamental discriminant of O−D and f =

√

D/d its conductor, then d, f ≤ D.But for p to ramify, it precisely needs to divide d. So if D < p, Hp(D) can be defined as

Hp(D) =

{0 if p splits in O−D;H(D) if p is inert in O−D.

Gross computes the trace of Brandt matrices in terms of sums of generalized Hurwitz ClassNumbers as follows.

Theorem 2.4 (Proposition 1.9 in [6]). For all m ≥ 0, we have

Tr(B(m)) =∑

s∈Zs2≤4m

Hp(4m− s2).

8 WISSAM GHANTOUS

Example 2. The number of supersingular elliptic curves over Fp up to isomorphism is equalto the trace of B(1), as we will see in the next Section. If we take m = 1 in the abovetheorem, we get

Tr(B(1)) =∑

s∈Zs2≤4

Hp(4− s2)

= Hp(4) + 2Hp(3) + 2Hp(0)

=1

4

(

1−(−4

p

))

+1

3

(

1−(−3

p

))

+p− 1

12,

which proves that the number of supersingular elliptic curves is indeed as described in (1).

2.4. Supersingular isogeny graphs. Supersingular isogeny graphs are graphs that arisefrom supersingular elliptic curves over finite fields and isogenies of a given degree betweenthem. Fix two different primes ℓ and p, with p > 3. In practice, one would let ℓ besmall (usually ℓ ∈ {2, 3, 5, 7}) and let p be a very large prime (of cryptographic size). Thesupersingular ℓ-isogeny graph (of level 1) for the prime p, denoted by Λp(ℓ), is constructedas follows. The vertex set of this graph consists of the supersingular moduli (i.e. the setof j-invariants of supersingular elliptic curves). Equivalently, one can view the vertices asisomorphism classes of supersingular elliptic curves over Fp. The number of vertices n isthen given by (1).

Defining the edges of Λp(ℓ) is a bit more subtle. For every supersingular elliptic curve Eand (cyclic) subgroup C of E of order ℓ, draw an edge from E to E/C. Since all ellipticcurves have ℓ+1 subgroups of order ℓ, we obtain a directed graph Λp(ℓ) of out-degree ℓ+1.Equivalently, we can define the edges of Λp(ℓ) as ℓ-isogenies up to automorphism of theirimages, (a.k.a. up to post-composing by automorphisms) i.e. two isogenies φ1, φ2 : E1 −→ E2

are equivalent if there is some α ∈ Aut(E2) such that φ1 = α ◦ φ2.Recall that for every isogeny φ : E1 −→ E2, there is a dual isogeny φ∨ : E2 −→ E1

such that deg(φ) = deg(φ∨) and φ ◦ φ∨ = [deg(φ)]. One might hence try to simplify thesegraphs by associating φ with φ∨ and hope to obtain undirected graphs. However, this isnot possible in general. This is because we are considering isogenies up to automorphismsof the image, i.e. up to composition with automorphisms from the left (and not the right!).Here is the prototypical example illustrating why one cannot associate φ to φ∨ in general.Let f, g : E1 −→ E2 be two isogenies. Suppose that f ∼ g, i.e. there is an automorphismα ∈ Aut(E2) such that f = α◦g. However, f∨ = (α◦g)∨ = g∨◦α∨ and we are now composingwith α∨ from the right, not from the left. So we do not necessarily know that f∨ ∼ g∨, asthey differ by an automorphism of the domain, not the image. If we wish to guarantee thatf ∼ g if and only if f∨ ∼ g∨, we would need that for all isogenies f : E1 −→ E2 and allα ∈ Aut(E1) there exists some α′ ∈ Aut(E2) such that f ◦ α = α′ ◦ f. The only way forthis to work would be to only have trivial automorphisms: {±Id}. However, we know fromTheorem 2.1 that the elliptic curves E0 and E1728 both (and only them) have non trivialautomorphism groups. One way (the way) to to avoid these curves is to require that theprime p is congruent to 1 modulo 12. Then, E0 and E1728 would not be supersingular andall the supersingular elliptic curves will have automorphism group {±Id}. Hence, if p ≡ 1mod 12, then for all ℓ, the graph Λp(ℓ) can be viewed as an undirected graph of degree ℓ+1.


9

56

72a+4a+1

22a+48

51a+41

Figure 2. The directed graph Λ73(2).

24

17

41

40

66

0

48

Figure 3. The undirectedgraph Λ71(2).

These supersingular isogeny graphs are directly related to Brandt matrices. Indeed, Bij(ℓ)is the number of equivalence classes of isogenies from φ : Ei −→ Ej of degree ℓ (cf. Propo-sition 2.3 in [6]). Equivalently, it is the number of subgroups C of Ei of order ℓ such thatEi/C ∼= Ej . Therefore, B(ℓ) (where it is customary to not denote the dependence on p)is the adjacency matrix of the graph Λp(ℓ). In particular, B(ℓ) is an n × n matrix andTr(B(1)) = Tr(Id) = n.

An isogeny of degree ℓa between two supersingular elliptic curves Ei and Ej can be factoredas a product of isogenies as in Proposition 2.2 and thus can be seen as a path of length ain Λp(ℓ) from Ei to Ej . It is known that requiring the kernel of a map φ ∈ Hom(Ei, Ej) ofdegree ℓa to be cyclic is equivalent to requiring that the corresponding path of length a onΛp(ℓ) does not involve any backtracking. Indeed, factor φ as

∏

k ψk (see proposition 2.2).Backtracking can only be achieved through taking the same edge twice (once going forwardand once going backward). This means that we are composing some isogeny ψk (goingforward) with its dual ψ∨

k (going backward). And we know that ψk ◦ ψ∨k = [deg(ψk)] = [ℓ].

Thus, we see that an isogeny (a path) φ of degree ℓa (of length a) involves backtracking ifand only if the factorization of ψ involves some scalar isogeny (i.e. an isogeny of the form[m] for some m ∈ Z). And the scalar isogeny [ℓ] has a kernel isomorphic to (Z/ℓZ)2, whereasall the other isogenies in the factorization of φ have a kernel isomorphic to Z/ℓ2Z.

The supersingular isogeny graphs Λp(ℓ) have many nice properties. They are sparse, asare the Brandt matrices B(ℓ). They are ℓ + 1 regular by part (1) of proposition 2.3. The

second eigenvalue of the adjacency matrix of Λp(ℓ) is bounded above by√ℓ (see [10]). They

are also optimal expanders, which implies that a walk on Λp(ℓ) quickly becomes close to a

uniform distribution. More precisely, after log(2n)/ log((ℓ+ 1)/2√ℓ) steps, a random walk

on Λp(ℓ) approximates the uniform distribution with an error of 1/2n (see Corollary 6 in [5]or Proposition 2.1 in [2]).

10 WISSAM GHANTOUS

3. Loops and multi-edges

It is known that the supersingular isogeny graphs Λp(ℓ) are very close to being simplegraphs. We will make this precise by studying the number of loops and multi-edges thatthey usually contain.

3.1. The number of loops. In this section only, we will not assume that p is necessarilycongruent to 1 modulo 12. We are interested in computing the number of loops that super-singular isogeny graphs contain. To find out, we need to count the number of loops at everyvertex. The vertices correspond to the supersingular elliptic curves {Ei}i=1,...,n and the edgesbetween them correspond to isogenies up to automorphism from the left (i.e. automorphismof the image). Hence, we can write

♯{loops in Λp(ℓ)} =n∑

i=1

♯{f ∈ End(Ei) : deg(f) = ℓ}/♯Aut(Ei)

=∑

i=1

Bii(ℓ)

= Tr(B(ℓ))

=∑

s∈Zs2≤4ℓ

Hp(4ℓ− s2).

(3)

Let us look closer at the quantity Hp(4ℓ − s2). Since ℓ is a prime, 4ℓ − s2 6= 0, and we donot have to worry about the case Hp(0). This case will appear in section 3.2, when dealingwith the number of multiple edges. As 4ℓ− s2 ≡ 0, 3 mod 4, we have H(4ℓ− s2) > 0 for alls2 ≤ 4ℓ. So the above computation and Definition 2.3 give the following known result.

Theorem 3.1 (The No-Loop Theorem). The supersingular isogeny graph Λp(ℓ) has no loops

if and only if p splits in Os2−4ℓ for all s2 ≤ 4ℓ, i.e. if and only if

(s2−4ℓ

p

)= 1 for all s2 ≤ 4ℓ.

In most application, the prime ℓ is very small (usually ℓ ∈ {2, 3}). Once we fix ℓ, we onlyhave a finite number of orders in which we need to investigate the behaviour (splitting) of p.Moreover, the splitting of p in such orders can be phrased in terms of congruence conditionson p via the quadratic reciprocity. Let us now study the presence of loops in the graphsΛp(2) and Λp(3).

Example 3. If ℓ = 2, we need to consider the orders O−D where −D ∈ {−8,−7,−4}. TheNo-Loop Theorem implies that Λp(2) has no loops if and only if

1 =(−8

p

)

=(−7

p

)

=(−4

p

)

.

Using quadratic reciprocity, we obtain the congruence conditions{p ≡ 1, 2, 4 mod 7;p ≡ 1 mod 8;

i.e. p ≡ 1, 9, 25 mod 56. One can require in addition that p ≡ 1 mod 12 so that the graphsare undirected. And so, one would get:

p ≡ 1, 25, 121 mod 168. (4)


Take for example the primes 193 and 113, respectively, to obtain the isogeny graphs Λ193(2)and Λ113(2) shown in Figures 4 and 5. These are the smallest primes such that the graphΛp(2) is undirected (respectively directed) and has no loops.

42

169

127a+113

66a+47

155a+133

38a+95

168a+35

51a+15

142a+66

25a+10

114a+61

95a+4

98a+99

79a+175

184a+118

9a+109

Figure 4. The graph Λ193(2)

0

99105a+32

8a+49

54

69a+29

44a+66

72

10a+105

103a+112

Figure 5. The graph Λ113(2)

Example 4. Let ℓ = 3. As above, the graph Λp(3) has no loops if and only if p splits in theorders O−D where −D ∈ {−8,−7,−4}. Hence Λp(3) has no loops if and only if

1 =(−12

p

)

=(−11

p

)

=(−8

p

)

=(−3

p

)

.

These conditions translate to congruence conditions:

p ≡ 1 mod 3;p ≡ 1, 3 mod 8;p ≡ 1, 3, 4, 5, 9 mod 11;

i.e. p ≡ 1, 25, 49, 67, 91, 97, 115, 163, 169, 235 mod 264. If we further require that p ≡ 1mod 12, we then get

p ≡ 1, 25, 49, 97, 169 mod 264. (5)

The smallest such prime is 97. It gives the isogeny graph Λ97(3) shown in Figure 6.

We summarize the above examples in the following theorem.

Theorem 3.2. The graph Λp(2) is undirected and has no loops if and only if p ≡ 1, 25, 121mod 168. Similarly, the graph Λp(3) is undirected and has no loops if and only if p ≡1, 25, 49, 97, 169 mod 264.

One way to compare supersingular isogeny graphs is to overlay them on top of each otherin a compatible way: fix the vertices to be the supersingular j-invariants, then draw theedges of both graphs Λp(ℓ1) and Λp(ℓ2) on the same set of vertices, making sure to draw theedges of Λp(ℓ1) and Λp(ℓ2) in different colours, as is done in Figure 1. Denote this graph

12 WISSAM GHANTOUS

1

81a+84

16a+68

12a+75

85a+87

20

20a+35

77a+55

Figure 6. The graph Λ97(3).

Figure 7. The graph Λ1009(2).

by Λp(ℓ1, ℓ2). One might for example use Theorem 3.2 to search for primes such that bothΛp(2) and Λp(3) have no loops. The first such prime is 1873.

We conclude this section with a bound (only depending on ℓ) on the total number of loopsin the graph Λp(ℓ). Equations (3) and (2) give the following bound

♯{loops in Λp(ℓ)} =∑

s∈Zs2<4ℓ

Hp(4ℓ− s2) ≤∑

s∈Zs2<4ℓ

H(4ℓ− s2) = 2ℓ. (6)

Corollary 3.1. The supersingular isogeny graph Λp(ℓ) has at most 2ℓ loops.

Note that this bound does not depend on p. In particular, for all p, the graph Λp(2) cannothave more than 4 loops and Λp(3) cannot have more than 6 loops.

Remark 3. As we vary the prime p, we expect it to split in Os2−4ℓ half of the time and remaininert the other half of the time, by Chebotarev’s density theorem. Hence, for fixed ℓ, weexpected the number of loops in the graph Λp(ℓ) to be ℓ.

3.2. The number of multi-edges. We will, from now on, assume that p ≡ 1 mod 12,unless stated otherwise, so that the graphs Λp(ℓ) are undirected. It will make more senseto discuss multi-edges in the context of undirected graphs. A multi-edge, also known as adouble-edge, is a pair of distinct edges between two (not necessarily different) vertices. Notethat we allow the two vertices to be the same. So in particular, two loops on the same vertexwill count as a double-edge. Note that if we have m edges between two vertices (or m loopson one vertex), this will give rise to

(m2

)multi-edges. Using similar methods to the previous

section, one can study the number of multi-edges in the graph Λp(ℓ) and identify conditionsunder which this graph has no multi-edges. Let n := (p− 1)/12 denote the number ofvertices in Λp(ℓ).

Theorem 3.3. An undirected graph Λp(ℓ) has no multi-edges if and only if Tr(B(ℓ2)) = n.


Proof. As we can see in Figure 8, multi-edges f, g : Ei −→ Ej generate a non trivial (i.e.non-scalar) isogeny g∨ ◦ f of degree ℓ2. In addition, an isogeny of degree ℓ2 must factorthrough two isogenies of degree ℓ. Therefore, the graph Λp(ℓ) has no multi-edges if and onlyif, for all i, the only endomorphism of degree ℓ2 of Ei is the trivial one (the multiplicationby ℓ isogeny), i.e. Bii(ℓ

2) = 1 for all i. Since, Bii(ℓ2) ≥ 1 for all i, the graph Λp(ℓ) has no

multi-edges if and only if Tr(B(ℓ2)) = n.

E1 E2

f

g

g∨ ◦ f

Figure 8. Multiple edges.

A slightly different way to prove this theorem is to realize that a graph has no doubleedges if and only if all the entries its adjacency matrix are either 0 or 1, which we write asBij(ℓ)

2 = Bij(ℓ) for all i, j. Now, as Bij(ℓ)2 − Bij(ℓ) ≥ 0 for all i, j, the graph Λp(ℓ) has no

multi-edges if and only if∑n

i,j=1Bij(ℓ)2 − Bij(ℓ) = 0. Meanwhile, by the symmetry of the

Brandt matrix (since p ≡ 1 mod 12) and parts (1) and (3) of Proposition 2.3, we have

Bii(ℓ2) =

n∑

j=1

Bij(ℓ)Bji(ℓ)− ℓ = 1 +

n∑

j=1

Bij(ℓ)2 −Bij(ℓ).

Thus, Tr(B(ℓ2)) =∑n

i=1Bii(ℓ2) = n+

∑ni,j=1Bij(ℓ)

2−Bij(ℓ). So Λp(ℓ) has no multiple edges

if and only if Tr(B(ℓ2)) = n. �

Remark 4. Note that our proof also shows that the bigger the quantity Tr(B(ℓ2)) − n, themore we expect to have multi-edges.

In some cases, one might ask about the number of redundant edges. It is defined as theminimal number of edges (including loops) that one has to remove in order to have a graphwith no multi-edges. For example, in Figure 1, the graph Λ109(3) has 3 redundant edges andthe graph Λ109(2) has no redundant edges.

As we said, the quantity Tr(B(ℓ2))− n tells us about the number of redundant edges. Wenotice however that each redundant edge does not simply add 1 to the value of Tr(B(ℓ2))−n.Actually, if we have two distinct vertices that are precisely joined by m multiple edges (givingus m − 1 redundant edges) this will contribute 2m(m − 1) to Tr(B(ℓ2)) − n. Likewise, ifwe have a vertices having precisely m loops (giving us m − 1 redundant loops) this willcontribute m(m− 1) to Tr(B(ℓ2))− n. So for example, in the graph Λ109(3) from Figure 1,we have Tr(B(ℓ2)) − n = 8 = 2 + 2 + 4 where the two double loops each give a factor of 2and the double edge gives a factor of 4.

Let RE(m) :=∑

i<j 1Bi,j(ℓ)=m(m − 1) be the total number of redundant edges between

any two distinct vertices with precisely m edges between them. Similarly, define RE◦(m) :=∑

i 1Bi,i(ℓ)=m(m− 1) to be the total number of redundant edges on any vertex with precisely

14 WISSAM GHANTOUS

m loops. Then,

Tr(B(ℓ2))− n =n∑

i,j=1

Bij(ℓ)(Bij(ℓ)− 1

)=

∑

m

2m · RE(m) +m ·RE◦(m). (7)

For p > 2, since Λp(ℓ) has degree ℓ + 1 and must be connected, there cannot be more thanℓ edges between any two vertices. Moreover, in order to have redundant edges, we must atleast have 2 edges between some given vertices. Therefore, we can assume that 2 ≤ m ≤ ℓin equation (7):

Tr(B(ℓ2))− n =

ℓ∑

m=2

2m · RE(m) +m ·RE◦(m). (8)

This gives the following result.

Lemma 3.1. The number of redundant edges in an undirected graph Λp(ℓ) lies between(Tr(B(ℓ2))− n)/2ℓ and (Tr(B(ℓ2))− n)/2.

Let us now, as in Section 3.1, find conditions under which supersingular isogeny graphshave no multi-edges.

Theorem 3.4. An undirected graph Λp(ℓ) has no multi-edges (hence no redundant edges)

if and only if p splits in Os2−4ℓ2 for 0 < s2 < 4ℓ2, i.e. if and only if(s2−4ℓ2

p

)= 1 for

0 < s2 < 4ℓ2.

Proof. Theorem 2.4 allows us to express the trace of B(ℓ2) as a sum of Hurwits class numbers.Note as well that 2Hp(0) = (p − 1)/12 = n and that Hp(4ℓ

2) = 0 since p is always split inO−4ℓ2 (because 4ℓ2 is a square). We can thus write

Tr(B(ℓ2)) =∑

s∈Zs2≤4ℓ2

Hp(4ℓ2 − s2) = n +

∑

0<s2<4ℓ2

Hp(4ℓ2 − s2). (9)

So by Theorem 3.3, Λp(ℓ) has no multi-edges edges if and only if∑

0<s2<4ℓ2 Hp(4ℓ2−s2) = 0.

And by Definition 2.3, this happens precisely when p splits in Os2−4ℓ2 for s = 1, ..., 2ℓ−1. �

Just like in the previous section, one can find congruence conditions on p that ensure thegraph Λp(ℓ) has no multi-edges.

Example 5. Let ℓ = 2 and assume that p ≡ 1 mod 12. Then, the graph Λp(2) has nomultiple edges if and only if p splits in Os2−16 for s = 1, 2, 3. We thus want

1 =(−15

p

)

=(−12

p

)

=(−7

p

)

.

Therefore, the graph Λp(2) is undirected and has no multiple edges if and only if p ≡1, 109, 121, 169, 289, 361 mod 420. See for instance Λ109(2) in Figure 1.

Example 6. Let ℓ = 3 and assume that p ≡ 1 mod 12. Then, Λp(3) has no multiple edgesif and only if p splits in Os2−36 for s = 1, ..., 5. We thus want

1 =(−35

p

)

=(−32

p

)

=(−27

p

)

=(−20

p

)

=(−11

p

)

.

So the graph Λp(3) is undirected and has no multiple edges if and only if p ≡ 1, 169, 289,361, 529, 841, 961, 1369, 1681, 1849, 2209, 2641, 2689, 2809, 3481,3529, 3721, 4321, 4489,5041, 5329, 5569, 6169, 6241, 6889, 7561, 7681, 7921, 8089, 8761 mod 9240.


Putting together examples 3, 4, 5 and 6, we obtain the following theorem.

Theorem 3.5. The isogeny graph Λp(2) is undirected and simple if and only if p ≡ 1, 121,169, 289, 361, 529 mod 840.Likewise, Λp(3) is undirected and simple if and only if p ≡ 1, 169, 289, 361, 529, 841, 961,1369, 1681, 1849, 2209, 2641, 2689, 2809, 3481,3529, 3721, 4321, 4489, 5041, 5329, 5569,6169, 6241, 6889, 7561, 7681, 7921, 8089, 8761 mod 9240.

For example, 1009 is the smallest prime such that the graph Λ1009(2) has no loops normulti-edges (see Figure 7). In addition, comparing Theorem 3.2 and examples 5 and 6 givesthe following slightly surprising corollary.

Corollary 3.2. Let p be a prime such that Λp(3) is undirected and has no multi-edges. ThenΛp(3) also has no loops (and is hence simple), and Λp(2) also must be simple.

In particular, 2689 is the first prime such that the supersingular 2-isogeny and 3-isogenygraphs both are simple.

Finally, we conclude this section by giving bounds for the number of redundant edges.Recall that H(0) = −1/12 and that Hp(D) ≤ H(D) for all D > 0. So, by equation (9) andTheorem 2.3,

Tr(B(ℓ2))− n ≤∑

0<s2<4ℓ2

H(4ℓ2 − s2) = ℓ+ 2ℓ2 −H(4ℓ2) +1

6.

But H(4ℓ2) = 12+ h(−4ℓ2) and

h(−4ℓ2) =

ℓ/2 if ℓ = 2;ℓ/2− 1/2 if ℓ ≡ 1 mod 4;ℓ/2 + 1/2 if ℓ ≡ 3 mod 4.

Thus,

2ℓ2 +ℓ

2− 5

6≤

∑

0<s2<4ℓ2

H(4ℓ2 − s2) ≤ 2ℓ2 +ℓ

2+

1

6. (10)

We can then use Lemma 3.1 to obtain the bound ⌊ℓ2 + ℓ4+ 1

12⌋ on the number of redundant

edges in Λp(ℓ).

Corollary 3.3. The graph Λp(ℓ) has at most ℓ2 + ℓ4redundant edges.

In particular, for all p, the graph Λp(2) cannot have more than 4 redundant edges andΛp(3) cannot have more than 9 redundant edges.

Remark 5. As in Remark 3, we expect the quantity Tr(B(ℓ2))−n to be 12

∑

0<s2<4ℓ2 H(4ℓ2−s2), which lies between ℓ2 + ℓ

4− 5

12and ℓ2 + ℓ

4+ 1

12, by (10). So by Lemma 3.1, the expected

number of redundant edges in Λp(ℓ) lies between ℓ/2 and (ℓ+ 1/4)ℓ/2.

Corollaries 3.1 and 3.3 show that the supersingular isogeny graphs Λp(ℓ) are very close tobeing simple, as they involve a very small number of loops and redundant edges. This smallnumber of loops and redundant edges can be seen as negligible, especially as the graphs thatwe are dealing with, in practice, are of cryptographic size.

16 WISSAM GHANTOUS

4. Simultaneous study of two graphs

4.1. The intersection of two graphs. The intersection number of two undirected1 graphsis the number of edges they have in common. It is given by

♯(E(Λp(ℓ1)) ∩ E(Λp(ℓ2))

):=

∑

i≤j

min{Bij(ℓ1), Bij(ℓ2)}. (11)

It is related to the edit distance, a well-known graph distance. By using similar methodsto the previous sections, we will study the number of edges that two supersingular isogenygraphs share. Let {Eu : u = 1, ..., n} be a set of representatives for the isomorphism classes ofsupersingular elliptic curves over Fp. Given two fixed elliptic curves Ei, Ej, let Homm(Ei, Ej)denote the isogenies of degree m from Ei to Ej . Moreover, let

Cij(m) := {f ∈ Homm(Ei, Ej) : ker(f) is cyclic}/(Aut(Ej)),

where isogenies have cyclic kernels and are considered up to automorphisms of the image.Then, ♯Cij(m) = Bij(m)− ♯{isogenies from Ei to Ej with backtracking}.Remark 6. Since p ≡ 1 mod 12, the only possible automorphisms are {±Id}. Hence, inCij(m), f ∼ g if and only if f = ±g. Moreover, it is known that isogenies are determinedby their kernel up to sign. Hence, f ∼ g if and only if ker(f) = ker(g).

Theorem 4.1. The graphs Λp(ℓ1) and Λp(ℓ2) have no edges in common if and only if p splits

in Os2−4ℓ1ℓ2 for all s2 < 4ℓ1ℓ2, i.e. if and only if(s2−4ℓ1ℓ2

p

)= 1 for all s2 < 4ℓ1ℓ2.

Proof. Common edges f ∈ Cij(ℓ1) and g ∈ Cij(ℓ2) guarantee the existence of an endomor-phism g∨ ◦ f of Ei of degree ℓ1ℓ2. Since ℓ1ℓ2 is square-free, g∨ ◦ f has no backtracking andis in Cii(ℓ1ℓ2). Conversely, an isogeny in Cii(ℓ1ℓ2) must factor as the composition of twoisogenies of degrees ℓ1 and ℓ2, giving us a pair of common edges in Λp(ℓ1) ∩ Λp(ℓ2). Thus,Λp(ℓ1) and Λp(ℓ2) have no common edges if and only if Cii(ℓ1ℓ2) = 0 for all i. Note that♯Cii(ℓ1ℓ2) = Bii(ℓ1ℓ2) since isogenies of degree ℓ1ℓ2 cannot have backtracking. So Λp(ℓ1) andΛp(ℓ2) have no common edges if and only if Tr(B(ℓ1ℓ2)) = 0. Finally, by Theorem 2.4, weexpress the trace of B(ℓ1ℓ2) as Tr(B(ℓ1ℓ2)) =

∑

s2≤4ℓ1ℓ2Hp(4ℓ1ℓ2 − s2).

Thus, by Definition 2.3, ♯(E(Λp(ℓ1)) ∩ E(Λp(ℓ2))

)= 0 if and only if the prime p splits in

Os2−4ℓ1ℓ2 for all s2 < 4ℓ1ℓ2. This happens if and only if(s2−4ℓ1ℓ2

p

)= 1 for all s2 < 4ℓ1ℓ2. �

Example 7. Let ℓ1 = 2, ℓ2 = 3. Then Λp(2) and Λp(3) have no common edges if and only if

1 =(3

p

)

=(−5

p

)

=(−8

p

)

=(−23

p

)

,

i.e. if and only if p ≡ 1, 49, 121, 169, 289, 361, 409, 601, 721, 841, 961, 1129, 1369, 1681,1729, 1849, 1921, 2209, 2281, 2329, 2401, 2569 mod 2760.

Theorem 4.2. Let p, ℓ1, ℓ2 be primes such that p ≡ 1 mod 12. The two supersingularisogeny graphs Λp(ℓ1) and Λp(ℓ2) have at most ℓ2ℓ1 + ℓ2 + ℓ1 edges in common.

Proof. Assume w.l.o.g. that ℓ1 < ℓ2. By the definition of the intersection number,

2 · ♯(E(Λp(ℓ1)) ∩ E(Λp(ℓ2))

)=

n∑

i,j=1

min{Bij(ℓ1), Bij(ℓ2)}+n∑

i=1

min{Bii(ℓ1), Bii(ℓ2)}.

1In the case of directed graphs, we would let the sum in equation (11) run over all i, j in {1, ..., n}.


First, we have∑

i min{Bii(ℓ1), Bii(ℓ2)} ≤ Tr(B(ℓ1)) ≤ 2ℓ1, as in equation (6). Second, wecan bound min{Bij(ℓ1), Bij(ℓ2)} above by Bij(ℓ1) · Bij(ℓ2). Third, ♯Cij(m) = Bij(m) for allsquare-free m ∈ N, since backtracking involves scalar isogenies (of square degree). Fourth,Lemma 4.1, proven in Section 4.2, allows us to express the trace of B(ℓ1ℓ2) as

Tr(B(ℓ1ℓ2)) =n∑

i=1

♯Cii(ℓ1ℓ2) =n∑

i,j=1

♯(Cij(ℓ1)× Cij(ℓ2)

)=

n∑

i,j=1

Bij(ℓ1) · Bij(ℓ2).

Finally, since Hp(D) ≤ H(D) for all D > 0, Theorems 2.4 and 2.3 allow us to compute

Tr(B(ℓ1ℓ2)) =∑

s2≤4ℓ1ℓ2

Hp(4ℓ1ℓ2 − s2)

≤∑

s2≤4ℓ1ℓ2

H(4ℓ1ℓ2 − s2)

= 2∑

d|ℓ1ℓ2

d−∑

d|ℓ1ℓ2

min {d, ℓ1ℓ2/d}

= 2ℓ2(ℓ1 + 1).

Therefore, ♯(E(Λp(ℓ1)) ∩ E(Λp(ℓ2))

)≤ ℓ1ℓ2 + ℓ1 + ℓ2. �

Example 8. The edit distance de(G1, G2) between two graphs G1 = (V,E1) and G2 = (V,E2)on the same set of vertices is the number of edges one would need to add or remove to onegraph to obtain the other (see section 1.5 in [9] for more on the edit distance). It can beexpressed as de(G1, G2) :=

∣∣E1△E2

∣∣ where E1△E2 is the symmetric difference.

Let p, ℓ1, ℓ2 be primes. The edit distance de(Λp(ℓ1),Λp(ℓ2)) between Λp(ℓ1) and Λp(ℓ2)is given by |E(Λp(ℓ1))△E(Λp(ℓ2))| = |E(Λp(ℓ1))| + |E(Λp(ℓ2))| − 2|E(Λp(ℓ1)) ∩ E(Λp(ℓ2))|.However, we know that

2|E(Λp(ℓ))| = 2∑

i≤j

Bij(ℓ) =

n∑

i,j=1

Bij(ℓ) + Tr(B(ℓ)) = n(ℓ+ 1) + Tr(B(ℓ)).

So,

de(Λp(ℓ1),Λp(ℓ2)) =12n(ℓ1 + ℓ2 + 2) + 1

2Tr(B(ℓ1)) +

12Tr(B(ℓ2))− 2|E(G1) ∩ E(G2)|.

And by Corollary 3.1 and Theorem 4.2 we get

− 2(ℓ1ℓ2 + ℓ1 + ℓ2) ≤ de(Λp(ℓ1),Λp(ℓ2))− 12n(ℓ1 + ℓ2 + 2) ≤ ℓ1 + ℓ2. (12)

Remark 7. Theorem 4.2 and Example 8 justify the intuition that in practice, when ℓ1, ℓ2 aresmall and p is big, the two supersingular isogeny graphs Λp(ℓ1) and Λp(ℓ2) have very fewedges in common. Moreover, as in Remark 3, we actually expect the number of edges incommon given in Theorem 4.2 to be less than ℓ1ℓ2+ℓ1+ℓ2

2.

4.2. The bi-route number. Throughout this section as well, we will assume that p ≡ 1mod 12 so that the graphs Λp(·) are undirected. We are interested in studying the numberof instances where there are two curves Ei, Ej that are linked by paths of length less than Rin both graphs.

18 WISSAM GHANTOUS

Definition 4.1. Given two graphs G1 and G2 with common vertex set V , their Rth bi-routenumber, denoted by I(G1, G2, R), is given by

I(G1, G2;R) =R∑

a1,a2=1

∑

v,w∈V♯

{(℘1, ℘2) such that ℘i is a path from v tow of length ai in Gi with no backtracking

}

.

In the case of the isogeny graphs Λp(ℓ1) and Λp(ℓ2), the Rth bi-route number is denoted by

Ip(ℓ1, ℓ2, R) to alleviate the notion. It is the number of collisions (℘1, ℘2) in Λp(ℓ1, ℓ2) whereeach path ℘i has length less than R and lies in Λp(ℓi) with no backtracking:

Ip(ℓ1, ℓ2, R) =R∑

a1,a2=1

n∑

i,j=1

♯(Ci,j(ℓ

a11 )× Ci,j(ℓ

a22 )

). (13)

If the bi-route number is large, then many vertices with a path between them in Λp(ℓ1) wouldalso have a path between them in Λp(ℓ2) and vice versa. Hence, when it comes to findingpaths on the graphs, i.e. finding isogenies between elliptic curves, the bi-route number givesa general idea of how similar Λp(ℓ1) and Λp(ℓ2) are.

Remark 8. When considering the Rth bi-route number of expander graphs, it is importantto assume that R is relatively small. Indeed, when R is big (when R ∈ Θ(log(n))) a randomwalk on the graphs Λp(ℓi) becomes very close to the uniform distribution. So there will bemany paths, in both Λp(ℓ1) and Λp(ℓ2), between any two vertices. Therefore, for big R, theRth bi-route number will be uninformatively large and not very relevant.

Lemma 4.1. Let a1, a2 ≥ 1 and suppose that p ≡ 1 mod 12, thenn∑

j=1

♯(Cij(ℓ

a11 )× Cij(ℓ

a22 )

)= ♯Cii(ℓ

a11 ℓ

a22 ).

Proof. Consider the map

Φ :

n⋃

j=1

(Cij(ℓ

a11 )× Cij(ℓ

a22 )

)−→ Cii(ℓ

a11 ℓ

a22 ))

where (f, g) 7→ g∨ ◦ f . If f and g do not involve backtracking then g∨ ◦ f also does not. SoΦ is well defined. As the above union is disjoint, it is enough to show that Φ is a bijection.

First, suppose that we have maps f1 ∈ Homℓa11(Ei, Ej), f2 ∈ Homℓ

a11(Ei, Ej′), g1 ∈

Homℓa22(Ei, Ej) and g2 ∈ Homℓ

a22(Ei, Ej′) with cyclic kernels such that g∨1 ◦ f1 ∼ g∨2 ◦ f2, i.e.

ker(g∨1 ◦ f1) = ker(g∨2 ◦ f2) by Remark 6. We already know that both ker(f1) and ker(f2) areisomorphic to Z/ℓa11 Z, as they are cyclic and have size ℓa11 . But we need to show that they areequal, and not just isomorphic, in order to get f1 ∼ f2. Let K := ker(g∨1 ◦ f1) = ker(g∨2 ◦ f2).It must be cyclic of degree ℓa11 ℓ

a22 , so K ∼= Z/ℓa11 ℓ

a22 Z. But ker(f1), ker(f2) ⊆ K and Z/ℓa11 ℓ

a22 Z

has a unique subgroup isomorphic to Z/ℓa11 Z, so ker(f1) = ker(f2). In addition, the sequence

0 −→ Z/ℓa11 Z −→ Z/ℓa11 ℓa22 Z −→ Z/ℓa22 Z −→ 0

splits, and we must also have ker(g1) = ker(g2). Thus, Φ is injective.Now, let h : Ei −→ Ei be an isogeny of degree ℓa11 ℓ

a22 with cyclic kernel. Since p6 |ℓa11 ℓa22 , the

isogeny h must be separable and ♯ ker(h) = ℓa11 ℓa22 . So ker(h) ∼= Z/ℓa11 ℓ

a22 Z. Let A ∼= Z/ℓa11 Z

be the ℓ1-primary part of ker(h). Let E ′ := Ei/A. We get a canonical map f := Ei −→ E ′

of degree ℓa11 with kernel ker(f) = A ⊆ ker(h). Then, by Proposition 2.1, (see Corollary 4.11


in [11]), there exists a unique isogeny g′ : E ′ −→ Ei such that h = g′ ◦ f . Since we knowthat deg(h) = deg(g′) deg(f), we see that ♯ ker(g′) = ℓa22 . In addition, ker(g′) ∼= Z/ℓa22 Z sinceker(g′) = f(ker(h)) ∼= (Z/ℓa11 ℓ

a22 Z)/(ℓa11 ). Hence, both kernels of f and g′ are cyclic. Finally,

let g := (g′)∨ to get h = g∨ ◦ f = Φ(f, g) as desired. �

Lemma 4.1 allows us to give an alternate expression for theRth bi-route number Ip(ℓ1, ℓ2, R)originally defined as in equation (13):

Ip(ℓ1, ℓ2, R) =

R∑

a1,a2=1

n∑

i=1

♯Ci,i(ℓa11 ℓ

a22 )

=R∑

a1,a2=1

n∑

i=1

Bi,i(ℓa11 ℓ

a22 )− ♯{maps in Endℓ

a11 ℓ

a22(Ei) with scalar factors}.

(14)

Our goal now is to find a bound for Ip(ℓ1, ℓ2, R). We thus start by computing the number ofmaps in Endℓ

a11 ℓ

a22(Ei) with scalar factors.

Lemma 4.2. The number of isogenies in Endℓa11 ℓa22(Ei) with scalar factors is Bi,i(ℓ

a1−21 ℓa22 )+

Bi,i(ℓa11 ℓ

a2−22 )− Bi,i(ℓ

a1−21 ℓa2−2

2 ).

Proof. Let φ ∈ Endℓa11 ℓ

a22(Ei) be an isogeny involving a scalar factor. It must correspond to a

path that involves backtracking, as explained at the end of Section 2.4. However backtrackinginvolves composing a factor f (of minimal degree, without loss of generality) of φ with itsdual f∨ to get [deg(f)]. The map φ/[deg(f)], obtained by removing the backtracking causedby f ◦ f∨, is either in End

ℓa1−21 ℓ

a22(Ei) if the degree of f was ℓ1 or in End

ℓa11 ℓ

a2−22

(Ei) if the

degree of f was ℓ2. Therefore, by the inclusion-exclusion principle, the number of maps inEndℓ

a11 ℓ

a22(Ei) with scalar factors is equal to Bi,i(ℓ

a1−21 ℓa22 )+Bi,i(ℓ

a11 ℓ

a2−22 )−Bi,i(ℓ

a1−21 ℓa2−2

2 ). �

Lemma 4.2 and equation (14) allow us to write

Ip(ℓ1, ℓ2, R) =

R∑

a1,a2=1

Tr(B(ℓa11 ℓa22 ))− Tr(B(ℓa1−2

1 ℓa22 ))− Tr(B(ℓa11 ℓa2−22 )) + Tr(B(ℓa1−2

1 ℓa2−22 ))

= Tr(B(ℓR1 ℓR2 )) + Tr(B(ℓR−1

1 ℓR2 )) + Tr(B(ℓR1 ℓR−12 )) + Tr(B(ℓR−1

1 ℓR−12 ))

− Tr(B(ℓR1 ))− Tr(B(ℓR−11 ))− Tr(B(ℓR2 ))− Tr(B(ℓR−1

2 )) + n

(†)=

∑

s2≤4ℓR1 ℓR2

Hp(4ℓR1 ℓ

R2 − s2) +

∑

s2≤4ℓR1 ℓR−12

Hp(4ℓR1 ℓ

R−12 − s2)

+∑

s2≤4ℓR−11 ℓR2

Hp(4ℓR−11 ℓR2 − s2) +

∑

s2≤4ℓR−11 ℓR−1

2

Hp(4ℓR−11 ℓR−1

2 − s2)

−∑

s2≤4ℓR1

Hp(4ℓR1 − s2) −

∑

s2≤4ℓR−11

Hp(4ℓR−11 − s2)

−∑

s2≤4ℓR2

Hp(4ℓR2 − s2) −

∑

s2≤4ℓR−12

Hp(4ℓR−12 − s2) + n.

Recall that 2Hp(0) = n. Moreover, on the right hand side of (†) in the above equation, thereis precisely one instance of 2Hp(0) in the first 4 summations and two instances of −2Hp(0)

20 WISSAM GHANTOUS

in the last 4 summations. And since 0 ≤ Hp(D) ≤ H(D) for all D > 0, we have

Ip(ℓ1, ℓ2, R) =∑

s2<4ℓR1 ℓR2

Hp(4ℓR1 ℓ

R2 − s2) +

∑

s2<4ℓR1 ℓR−12

Hp(4ℓR1 ℓ

R−12 − s2)

+∑

s2<4ℓR−11 ℓR2

Hp(4ℓR−11 ℓR2 − s2) +

∑

s2<4ℓR−11 ℓR−1

2

Hp(4ℓR−11 ℓR−1

2 − s2)

−∑

s2<4ℓR1

Hp(4ℓR1 − s2) −

∑

s2<4ℓR−11

Hp(4ℓR−11 − s2)

−∑

s2<4ℓR2

Hp(4ℓR2 − s2) −

∑

s2<4ℓR−12

Hp(4ℓR−12 − s2)

(‡)≤

∑

s2<4ℓR1 ℓR2

H(4ℓR1 ℓR2 − s2) +

∑

s2<4ℓR1 ℓR−12

H(4ℓR1 ℓR−12 − s2)

+∑

s2<4ℓR−11 ℓR2

H(4ℓR−11 ℓR2 − s2) +

∑

s2<4ℓR−11 ℓR−1

2

H(4ℓR−11 ℓR−1

2 − s2).

(15)

Let us look closer at the last 4 summations of Hurwitz class numbers above, in (15). Weknow from Theorem 2.3 that

∑

s2<4ℓR1 ℓR2

H(4ℓR1 ℓR2 − s2) ≤ 2

∑

d|ℓR1 ℓR2

d−∑

d|ℓR1 ℓR2

min(d, ℓR1 ℓ

R2 /d

)

= 1(R is even)(ℓ1ℓ2)R/2 + 2

∑

d|ℓR1 ℓR2d>(ℓ1ℓ2)R/2

d.

Hence, we can bound the Rth bi-route number as follows.

Theorem 4.3. Let ℓ1 < ℓ2 and p ≡ 1 mod 12. The number of collisions (℘1, ℘2) inΛp(ℓ1, ℓ2), where each path ℘i has length less than R and lies in Λp(ℓi) with no backtracking,is bounded above by

Ip(ℓ1, ℓ2, R) ≤ (ℓ1ℓ2)⌊R/2⌋ + 2

∑

d|ℓR1 ℓR2d>(ℓ1ℓ2)R/2

d+ 2∑

d|ℓR−11 ℓR2

d>ℓ(R−1)/21 ℓR2

d+ 2∑

d|ℓR1 ℓR−12

d>ℓR1 ℓ(R−1)/22

d+ 2∑

d|ℓR−11 ℓR−1

2

d>(ℓ1ℓ2)(R−1)/2

d.

The bound in Theorem 4.3 depends on ℓ and R. And since R is never too big (see Remark8), the bound can be efficiently computed. Moreover, as explained in Remark 3, we actuallyexpect the value of Ip(ℓ1, ℓ2, R) to be less than half of the right hand side of (‡) in (15).

Let us now find a more concrete upper bound for Ip(ℓ1, ℓ2, R). Assume without loss ofgenerality that ℓ1 < ℓ2, then for all r ≥ 1,

∑

d|ℓr1ℓs2d>ℓ

r/21 ℓ

s/22

d =

r∑

i=0

s∑

j=1+⌊s/2+(r/2−i) logℓ2 (ℓ1)⌋ℓi1ℓ

j2 ≤

ℓr+11 ℓs+1

2 − ℓs+12 − (ℓ1 − 1)(r + 1)ℓ

r/21 ℓ

s/22

(ℓ1 − 1)(ℓ2 − 1). (16)

We can then combine (16) with Theorem 4.3 to obtain the following corollary.


Corollary 4.1. The Rth bi-route number of Λp(ℓ1) and Λp(ℓ2) is bounded above by

Ip(ℓ1, ℓ2, R) ≤ 2(ℓ1ℓ2)R (ℓ1 + 1)(ℓ2 + 1)

(ℓ1 − 1)(ℓ2 − 1)+ (ℓ1ℓ2)

⌊R/2⌋ − 4ℓR2 (ℓ2 + 1)

(ℓ1 − 1)(ℓ2 − 1)

−2(ℓ1ℓ2)

R−12 (

√ℓ1 + 1)(R

√ℓ2 +R +

√ℓ2)

ℓ2 − 1.

This gives us an idea of how many paths any two supersingular isogeny graphs can havein common. Their Rth bi-route number Ip(ℓ1, ℓ2, R) is in O

((ℓ1ℓ2)

R).

References

[1] D. X. Charles, K. E. Lauter, and E. Z. Goren. Cryptographic hash functions from expander graphs.Journal of Cryptology, 22(1):93–113, 2009.

[2] L. De Feo, D. Jao, and J. Plut. Towards quantum-resistant cryptosystems from supersingular ellipticcurve isogenies. Journal of Mathematical Cryptology, 8(3):209–247, 2014.

[3] M. Deuring. Die typen der multiplikatorenringe elliptischer funktionenkorper. In Abhandlungen aus dem

mathematischen Seminar der Universitat Hamburg, volume 14, pages 197–272. Springer, 1941.[4] J. Gierster. Ueber relationen zwischen klassenzahlen binarer quadratischer formen von negativer deter-

minante. Mathematische Annalen, 21(1):1–50, 1883.[5] O. Goldreich. Randomized methods in computation, lecture 10.

http://www.wisdom.weizmann.ac.il/~oded/PS/RND/l10.ps. pages 3–4, Spring 2001.[6] B. Gross. Heights and the special values of L-series. In Conference Proceedings of the CMS, volume 7,

1987.[7] A. Hurwitz. Ueber relationen zwischen classenanzahlen binarer quadratischer formen von negativer

determinante. Mathematische Annalen, 25(2):157–196, 1885.[8] L. Kronecker. Ueber die anzahl der verschiedenen classen quadratischer formen von negativer determi-

nante. Journal fur die reine und angewandte Mathematik, 1860(57):248–255, 1860.[9] L. Lovasz. Very large graphs. arXiv preprint arXiv:0902.0132, 2009.

[10] A. K. Pizer. Ramanujan graphs and hecke operators. Bulletin of the American Mathematical Society,23(1):127–137, 1990.

[11] J. H. Silverman. The arithmetic of elliptic curves, volume 106. Springer Science and Business Media,2009.

[12] J. Voight. Quaternion algebras. Springer Nature, 2021.

E-mail address: [email protected]

http://www.wisdom.weizmann.ac.il/~oded/PS/RND/l10.ps

[email protected]

arxiv:2101.08761v1 [math.nt] 21 jan 2021

Documents