gh-38493: compute endomorphism orders for elliptic curves over finite fields (rank-2 case)
    
For an elliptic curve E over a finite field with an endomorphism algebra
of rank two over ℚ, the endomorphism ring is a superorder of the
"Frobenius order" ℤ[π].

This patch adds a simple method to compute the exact imaginary-quadratic
order containing ℤ[π] which is isomorphic to the endomorphism ring of
the curve, and generalizes the algorithm to supersingular elliptic
curves with a (rational) endomorphism algebra of rank 2.
    
URL: #38493
Reported by: Lorenz Panny
Reviewer(s): John Cremona, Lorenz Panny

Author: Release Manager

src/sage/schemes/elliptic_curves/ell_finite_field.py

@@ -682,27 +682,31 @@ def frobenius_order(self):
             This computes the curve cardinality, which may be
             time-consuming.
 
+        .. SEEALSO::
+
+            :meth:`endomorphism_order`
+
         EXAMPLES::
 
             sage: E = EllipticCurve(GF(11),[3,3])
             sage: E.frobenius_order()
-            Order of conductor 2 generated by phi
-             in Number Field in phi with defining polynomial x^2 - 4*x + 11
+            Order of conductor 2 generated by pi
+             in Number Field in pi with defining polynomial x^2 - 4*x + 11
 
-        For some supersingular curves, Frobenius is in Z and the Frobenius
-        order is Z::
+        For some supersingular curves, Frobenius is in `\ZZ` and the Frobenius
+        order is `\ZZ`::
 
             sage: # needs sage.rings.finite_rings
             sage: E = EllipticCurve(GF(25,'a'),[0,0,0,0,1])
             sage: R = E.frobenius_order()
             sage: R
             Order generated by []
-             in Number Field in phi with defining polynomial x + 5
+             in Number Field in pi with defining polynomial x + 5
             sage: R.degree()
             1
         """
         f = self.frobenius_polynomial().factor()[0][0]
-        return ZZ.extension(f,names='phi')
+        return ZZ.extension(f, names='pi')
 
     def frobenius(self):
         r"""
@@ -719,7 +723,7 @@ def frobenius(self):
 
             sage: E = EllipticCurve(GF(11),[3,3])
             sage: E.frobenius()
-            phi
+            pi
             sage: E.frobenius().minpoly()
             x^2 - 4*x + 11
 
@@ -1619,7 +1623,11 @@ def _fetch_cached_order(self, other):
 
     def height_above_floor(self, ell, e):
         r"""
-        Return the height of the `j`-invariant of this ordinary elliptic curve on its `\ell`-volcano.
+        Return the height of the `j`-invariant of this elliptic curve on its `\ell`-volcano.
+
+        The curve must have a rational endomorphism ring of rank 2: This includes all
+        ordinary elliptic curves over finite fields as well as those supersingular
+        elliptic curves with Frobenius not in `\ZZ`.
 
         INPUT:
 
@@ -1630,12 +1638,12 @@ def height_above_floor(self, ell, e):
 
         .. NOTE::
 
-            For an ordinary `E/\GF{q}`, and a prime `\ell`, the height
-            `e` of the `\ell`-volcano containing `j(E)` is the `\ell`-adic
+            For a suitable `E/\GF{q}`, and a prime `\ell`, the height
+            `e` of the `\ell`-volcano containing `E` is the `\ell`-adic
             valuation of the conductor of the order generated by the
-            Frobenius `\pi_E`; the height of `j(E)` on its
+            `\GF{q}`-Frobenius `\pi_E`; the height of `E` on its
             ell-volcano is the `\ell`-adic valuation of the conductor
-            of the order `\text{End}(E)`.
+            of the order `\text{End}_{\GF{q}}(E)`.
 
         ALGORITHM:
 
@@ -1652,30 +1660,71 @@ def height_above_floor(self, ell, e):
             sage: E.height_above_floor(2,8)
             5
         """
+        pi = self.frobenius()
+        if pi in ZZ:
+            raise ValueError("{} has a (rational) endomorphism ring of rank 4".format(self))
+
+        e = ZZ(e)
+        if not e:
+            return ZZ.zero()
+
         if self.is_supersingular():
-            raise ValueError("{} is not ordinary".format(self))
-        if e == 0:
-            return 0
+            if ell == self.base_field().characteristic():
+                # In this (exceptional) case, the Frobenius can always be divided
+                # by the maximal possible power of the characteristic. The reason
+                # is that Frobenius must be of the form phi o [p^k] where phi is
+                # a purely inseparable isogeny of degree 1 or p, hence this [p^k]
+                # can always be divided out while retaining an endomorphism.
+                assert self.base_field().cardinality().valuation(ell) >= 2*e
+                return e
+
+            # In the supersingular case, the j-invariant alone does not determine
+            # the level in the volcano. (The underlying reason is that there can
+            # be multiple non-F_q-isomorphic curves with a given j-invariant in
+            # the isogeny graph.)
+            # Example: y^2 = x^3 ± x over F_p with p congruent to 3 modulo 4 have
+            # distinct (rational) endomorphism rings.
+            # Thus we run the "probing the depths" algorithm with F_q-isomorphism
+            # classes of curves instead.
+            E0 = [self] * 3
+            E1 = [phi.codomain() for phi in self.isogenies_prime_degree(ell)]
+            assert E1
+            if len(E1) == 1:
+                return ZZ.zero()
+            assert len(E1) == ell + 1
+            h = ZZ.one()
+            while True:
+                for i in range(3):
+                    isogs = E1[i].isogenies_prime_degree(ell)
+                    try:
+                        step = next(phi for phi in isogs if not phi.codomain().is_isomorphic(E0[i]))
+                    except StopIteration:
+                        return h
+                    E0[i], E1[i] = step.domain(), step.codomain()
+                h += 1
+                assert h <= e
+            raise AssertionError('unreachable code -- this is a bug')
+
         j = self.j_invariant()
         if j in [0, 1728]:
             return e
         F = j.parent()
         x = polygen(F)
         from sage.rings.polynomial.polynomial_ring import polygens
         from sage.schemes.elliptic_curves.mod_poly import classical_modular_polynomial
-        X, Y = polygens(F, "X, Y", 2)
+        X, Y = polygens(F, 'X,Y')
         phi = classical_modular_polynomial(ell)(X, Y)
         j1 = phi([x,j]).roots(multiplicities=False)
         nj1 = len(j1)
         on_floor = self.two_torsion_rank() < 2 if ell == 2 else nj1 <= ell
         if on_floor:
-            return 0
+            return ZZ.zero()
         if e == 1 or nj1 != ell+1:  # double roots can only happen at the surface
             return e
         if nj1 < 3:
-            return 0
+            return ZZ.zero()
         j0 = [j,j,j]
-        h = 1
+        h = ZZ.one()
         while True:
             for i in range(3):
                 r = (phi([x,j1[i]])//(x-j0[i])).roots(multiplicities=False)
@@ -1760,6 +1809,69 @@ def endomorphism_discriminant_from_class_number(self, h):
                 return (v//cs[0])**2 * D0
         raise ValueError("Incorrect class number {}".format(h))
 
+    def endomorphism_order(self):
+        r"""
+        Return a quadratic order isomorphic to the endomorphism ring
+        of this elliptic curve, assuming the order has rank two.
+
+        .. NOTE::
+
+            In the future, this method will hopefully be extended to return a
+            :class:`~sage.algebras.quatalg.quaternion_algebra.QuaternionOrder`
+            object in the rank-4 case, but this has not been implemented yet.
+
+        .. SEEALSO::
+
+            :meth:`frobenius_order`
+
+        EXAMPLES::
+
+            sage: E = EllipticCurve(GF(11), [3,3])
+            sage: E.endomorphism_order()
+            Maximal Order generated by 1/2*pi + 1/2 in Number Field in pi with defining polynomial x^2 - 4*x + 11
+
+        It also works for supersingular elliptic curves provided that Frobenius
+        is not in `\ZZ`::
+
+            sage: E = EllipticCurve(GF(11), [1,0])
+            sage: E.is_supersingular()
+            True
+            sage: E.endomorphism_order()
+            Order of conductor 2 generated by pi in Number Field in pi with defining polynomial x^2 + 11
+
+        ::
+
+            sage: E = EllipticCurve(GF(11), [-1,0])
+            sage: E.is_supersingular()
+            True
+            sage: E.endomorphism_order()
+            Maximal Order generated by 1/2*pi + 1/2 in Number Field in pi with defining polynomial x^2 + 11
+
+        There are some exceptional cases where Frobenius itself is divisible
+        by the characteristic::
+
+            sage: EllipticCurve([GF(7^2).gen(), 0]).endomorphism_order()
+            Gaussian Integers generated by 1/7*pi in Number Field in pi with defining polynomial x^2 + 49
+            sage: EllipticCurve(GF(3^5), [1, 0]).endomorphism_order()
+            Order of conductor 2 generated by 1/9*pi in Number Field in pi with defining polynomial x^2 + 243
+            sage: EllipticCurve(GF(7^3), [-1, 0]).endomorphism_order()
+            Maximal Order generated by 1/14*pi + 1/2 in Number Field in pi with defining polynomial x^2 + 343
+        """
+        pi = self.frobenius()
+        if pi in ZZ:
+            raise NotImplementedError('the rank-4 case is not supported yet')
+
+        O = self.frobenius_order()
+        f0 = O.conductor()
+
+        f = 1
+        for l,e in f0.factor():
+            h = self.height_above_floor(l, e)
+            f *= l**(e-h)
+
+        K = O.number_field()
+        return K.order_of_conductor(f)
+
     def twists(self):
         r"""
         Return a list of `k`-isomorphism representatives of all