SuperSolver: accelerating the Delfs-Galbraith algorithm with fast subfield root detection

ADVANCES IN CRYPTOLOGY - CRYPTO 2022, PT III(2021)

Abstract
We give a new algorithm for finding an isogeny from a given supersingular elliptic curve $E/\mathbb{F}_{p^2}$ to a subfield elliptic curve $E/\mathbb{F}_p$, which is the bottleneck step of the Delfs-Galbraith algorithm for the general supersingular isogeny problem. Our core ingredient is a novel method of rapidly determining whether a polynomial $f \in L[X]$ has any roots in a subfield $K \subset L$, while crucially avoiding expensive root-finding algorithms. In the special case when $f = \Phi_{\ell,p}(X, j) \in \mathbb{F}_{p^2}[X]$, i.e. when $f$ is the $\ell$-th modular polynomial evaluated at a supersingular $j$-invariant, this provides a means of efficiently determining whether there is an $\ell$-isogeny connecting the corresponding elliptic curve to a subfield curve. Together with the traditional Delfs-Galbraith walk, inspecting many $\ell$-isogenous neighbours in this way allows us to search through a larger proportion of the supersingular set per unit of time. Though the asymptotic $\tilde{O}(p)$ complexity of our improved algorithm remains unchanged from that of the original Delfs-Galbraith algorithm, our theoretical analysis and practical implementation both show a significant reduction in the runtime of the subfield search. This sheds new light on the concrete hardness of the general supersingular isogeny problem, the foundational problem underlying isogeny-based cryptography.
Keywords
Isogeny-based cryptography, supersingular isogeny problem, Delfs-Galbraith algorithm