The holomorphy conjecture roughly states that Igusa’s zeta function associated to a hypersurface and a character is holomorphic on $\mathbb{C}$ whenever the order of the character does not divide the order of any eigenvalue of the local monodromy of the hypersurface. In this article, we prove the holomorphy conjecture for surface singularities that are nondegenerate over $\mathbb{C}$ with respect to their Newton polyhedron. In order to provide relevant eigenvalues of monodromy, we first show a relation between the normalized volumes (which appear in the formula of Varchenko for the zeta function of monodromy) of the faces in a simplex in arbitrary dimension. We then study some specific character sums that show up when dealing with false poles. In contrast to the context of the trivial character, we here need to show fakeness of certain candidate poles other than those contributed by $B_{1}$-facets.
We prove an analogue of the classical Bateman–Horn conjecture on prime values of polynomials for the ring of polynomials over a large finite field. Namely, given non-associate, irreducible, separable and monic (in the variable $x$) polynomials $F_{1},\ldots ,F_{m}\in \mathbf{F}_{q}[t][x]$, we show that the number of $f\in \mathbf{F}_{q}[t]$ of degree $n\geqslant \max (3,\deg _{t}F_{1},\ldots ,\deg _{t}F_{m})$ such that all $F_{i}(t,f)\in \mathbf{F}_{q}[t],1\leqslant i\leqslant m$, are irreducible is
where $N_{i}=n\deg _{x}F_{i}$ is the generic degree of $F_{i}(t,f)$ for $\deg f=n$ and $\mu _{i}$ is the number of factors into which $F_{i}$ splits over $\overline{\mathbf{F}}_{q}$. Our proof relies on the classification of finite simple groups. We will also prove the same result for non-associate, irreducible and separable (over $\mathbf{F}_{q}(t)$) polynomials $F_{1},\ldots ,F_{m}$ not necessarily monic in $x$ under the assumptions that $n$ is greater than the number of geometric points of multiplicity greater than two on the (possibly reducible) affine plane curve $C$ defined by the equation
Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus $q$ and degree $n$ number field $K$, generating ring-LWE samples can be perceived as cumbersome, because the secret keys have to be taken from the reduction mod $q$ of a certain fractional ideal ${\mathcal{O}}_{K}^{\vee }\subset K$ called the codifferent or ‘dual’, rather than from the ring of integers ${\mathcal{O}}_{K}$ itself. This has led to various non-dual variants of ring-LWE, in which one compensates for the non-duality by scaling up the errors. We give a comparison of these versions, and revisit some unfortunate choices that have been made in the recent literature, one of which is scaling up by ${|\Delta _{K}|}^{1/2n}$ with $\Delta _{K}$ the discriminant of $K$. As a main result, we provide, for any $\varepsilon >0$, a family of number fields $K$ for which this variant of ring-LWE can be broken easily as soon as the errors are scaled up by ${|\Delta _{K}|}^{(1-\varepsilon )/n}$.
In order to assess the security of cryptosystems based on the discrete logarithm problem in non-prime finite fields, as are the torus-based or pairing-based ones, we investigate thoroughly the case in $\mathbb{F}_{p^{6}}$ with the number field sieve. We provide new insights, improvements, and comparisons between different methods to select polynomials intended for a sieve in dimension 3 using a special-$\mathfrak{q}$ strategy. We also take into account the Galois action to increase the relation productivity of the sieving phase. To validate our results, we ran several experiments and real computations for various polynomial selection methods and field sizes with our publicly available implementation of the sieve in dimension 3, with special-$\mathfrak{q}$ and various enumeration strategies.
NTRU is a public-key cryptosystem introduced at ANTS-III. The two most used techniques in attacking the NTRU private key are meet-in-the-middle attacks and lattice-basis reduction attacks. Howgrave-Graham combined both techniques in 2007 and pointed out that the largest obstacle to attacks is the memory capacity that is required for the meet-in-the-middle phase. In the present paper an algorithm is presented that applies low-memory techniques to find ‘golden’ collisions to Odlyzko’s meet-in-the-middle attack against the NTRU private key. Several aspects of NTRU secret keys and the algorithm are analysed. The running time of the algorithm with a maximum storage capacity of $w$ is estimated and experimentally verified. Experiments indicate that decreasing the storage capacity $w$ by a factor $1<c<\sqrt{w}$ increases the running time by a factor $\sqrt{c}$.
For a $t$-nomial $f(x)=\sum _{i=1}^{t}c_{i}x^{a_{i}}\in \mathbb{F}_{q}[x]$, we show that the number of distinct, nonzero roots of $f$ is bounded above by $2(q-1)^{1-\varepsilon }C^{\varepsilon }$, where $\varepsilon =1/(t-1)$ and $C$ is the size of the largest coset in $\mathbb{F}_{q}^{\ast }$ on which $f$ vanishes completely. Additionally, we describe a number-theoretic parameter depending only on $q$ and the exponents $a_{i}$ which provides a general and easily computable upper bound for $C$. We thus obtain a strict improvement over an earlier bound of Canetti et al. which is related to the uniformity of the Diffie–Hellman distribution. Finally, we conjecture that $t$-nomials over prime fields have only $O(t\log p)$ roots in $\mathbb{F}_{p}^{\ast }$ when $C=1$.
We consider the distribution of the polygonal paths joining partial sums of classical Kloosterman sums $\text{Kl}_{p}(a)$, as $a$ varies over $\mathbf{F}_{p}^{\times }$ and as $p$ tends to infinity. Using independence of Kloosterman sheaves, we prove convergence in the sense of finite distributions to a specific random Fourier series. We also consider Birch sums, for which we can establish convergence in law in the space of continuous functions. We then derive some applications.
We express the number of points on the Dwork hypersurface $X_{\lambda }^{d}:x_{1}^{d}+x_{2}^{d}+\cdots +x_{d}^{d}=d\lambda x_{1}x_{2}\cdots x_{d}$ over a finite field of order $q\not \equiv 1\,(\text{mod}\,d)$ in terms of McCarthy’s $p$-adic hypergeometric function for any odd prime $d$.
We study the average value of the divisor function $\tau (n)$ for $n\leqslant x$ with $n\equiv a~\text{mod}~q$. The divisor function is known to be evenly distributed over arithmetic progressions for all $q$ that are a little smaller than $x^{2/3}$. We show how to go past this barrier when $q=p^{k}$ for odd primes $p$ and any fixed integer $k\geqslant 7$.
Primitive prime divisors play an important role in group theory and number theory. We study a certain number-theoretic quantity, called $\Phi _{n}^{\ast }(q)$, which is closely related to the cyclotomic polynomial $\Phi _{n}(x)$ and to primitive prime divisors of $q^{n}-1$. Our definition of $\Phi _{n}^{\ast }(q)$ is novel, and we prove it is equivalent to the definition given by Hering. Given positive constants $c$ and $k$, we provide an algorithm for determining all pairs $(n,q)$ with $\Phi _{n}^{\ast }(q)\leq cn^{k}$. This algorithm is used to extend (and correct) a result of Hering and is useful for classifying certain families of subgroups of finite linear groups.
Let $m$ be a positive integer and $p$ a prime number. We prove the orthogonality of some character sums over the finite field $\mathbb{F}_{p^{m}}$ or over a subset of a finite field and use this to construct some new approximately mutually unbiased bases of dimension $p^{m}$ over the complex number field $\mathbb{C}$, especially with $p=2$.
Given a finite field of $q$ elements, we consider a trajectory of the map associated with a polynomial ]. Using bounds of character sums, under some mild condition on $f$, we show that for an appropriate constant $C>0$ no $N\geqslant Cq^{1/2}$ distinct consecutive elements of such a trajectory are contained in a small subgroup of , improving the trivial lower bound . Using a different technique, we also obtain a similar result for very small values of $N$. These results are multiplicative analogues of several recently obtained bounds on the length of intervals containing $N$ distinct consecutive elements of such a trajectory.
We discuss heuristic asymptotic formulae for the number of isogeny classes of pairing-friendly abelian varieties of fixed dimension $g\geqslant 2$ over prime finite fields. In each formula, the embedding degree $k\geqslant 2$ is fixed and the rho-value is bounded above by a fixed real $\rho _{0}>1$. The first formula involves families of ordinary abelian varieties whose endomorphism ring contains an order in a fixed CM-field $K$ of degree $g$ and generalizes previous work of the first author when $g=1$. It suggests that, when $\rho _{0}<g$, there are only finitely many such isogeny classes. On the other hand, there should be infinitely many such isogeny classes when $\rho _{0}>g$. The second formula involves families whose endomorphism ring contains an order in a fixed totally real field $K_{0}^{+}$ of degree $g$. It suggests that, when $\rho _{0}>2g/(g+2)$ (and in particular when $\rho _{0}>1$ if $g=2$), there are infinitely many isogeny classes of $g$-dimensional abelian varieties over prime fields whose endomorphism ring contains an order of $K_{0}^{+}$. We also discuss the impact that polynomial families of pairing-friendly abelian varieties have on our heuristics, and review the known cases where they are expected to provide more isogeny classes than predicted by our heuristic formulae.
In this paper, we present a decomposition of the elements of a finite field and illustrate the efficiency of this decomposition in evaluating some specific exponential sums over finite fields. The results can be employed in determining the Walsh spectrum of some Boolean functions.
In this paper, we consider the so-called “Furstenberg set problem” in high dimensions. First, following Wolff’s work on the two-dimensional real case, we provide “reasonable” upper bounds for the problem for $\mathbb{R}$ or $\mathbb{F}_{p}$. Next we study the “critical” case and improve the “trivial” exponent by $\Omega (1/n^{2})$ for $\mathbb{F}_{p}^{n}$. Our key tool in obtaining this lower bound is a theorem about how things behave when the Loomis–Whitney inequality is nearly sharp, as it helps us to reduce the problem to dimension two.
This paper presents an algorithm to construct cryptographically strong genus $2$ curves and their Kummer surfaces via Rosenhain invariants and related Kummer parameters. The most common version of the complex multiplication (CM) algorithm for constructing cryptographic curves in genus 2 relies on the well-studied Igusa invariants and Mestre’s algorithm for reconstructing the curve. On the other hand, the Rosenhain invariants typically have much smaller height, so computing them requires less precision, and in addition, the Rosenhain model for the curve can be written down directly given the Rosenhain invariants. Similarly, the parameters for a Kummer surface can be expressed directly in terms of rational functions of theta constants. CM-values of these functions are algebraic numbers, and when computed to high enough precision, LLL can recognize their minimal polynomials. Motivated by fast cryptography on Kummer surfaces, we investigate a variant of the CM method for computing cryptographically strong Rosenhain models of curves (as well as their associated Kummer surfaces) and use it to generate several example curves at different security levels that are suitable for use in cryptography.
Let $G$ be a cyclic group written multiplicatively (and represented in some concrete way). Let $n$ be a positive integer (much smaller than the order of $G$). Let $g,h\in G$. The bounded height discrete logarithm problem is the task of finding positive integers $a$ and $b$ (if they exist) such that $a\leq n$, $b\leq n$ and $g^a=h^b$. (Provided that $b$ is coprime to the order of $g$, we have $h=g^{a/b}$ where $a/b$ is a rational number of height at most $n$. This motivates the terminology.)
The paper provides a reduction to the two-dimensional discrete logarithm problem, so the bounded height discrete logarithm problem can be solved using a low-memory heuristic algorithm for the two-dimensional discrete logarithm problem due to Gaudry and Schost. The paper also provides a low-memory heuristic algorithm to solve the bounded height discrete logarithm problem in a generic group directly, without using a reduction to the two-dimensional discrete logarithm problem. This new algorithm is inspired by (but differs from) the Gaudry–Schost algorithm. Both algorithms use $O(n)$ group operations, but the new algorithm is faster and simpler than the Gaudry–Schost algorithm when used to solve the bounded height discrete logarithm problem. Like the Gaudry–Schost algorithm, the new algorithm can easily be carried out in a distributed fashion.
The bounded height discrete logarithm problem is relevant to a class of attacks on the privacy of a key establishment protocol recently published by EMVCo for comment. This protocol is intended to protect the communications between a chip-based payment card and a terminal using elliptic curve cryptography. The paper comments on the implications of these attacks for the design of any final version of the EMV protocol.
The problem of solving polynomial equations over finite fields has many applications in cryptography and coding theory. In this paper, we consider polynomial equations over a ‘large’ finite field with a ‘small’ characteristic. We introduce a new algorithm for solving this type of equation, called the successive resultants algorithm (SRA). SRA is radically different from previous algorithms for this problem, yet it is conceptually simple. A straightforward implementation using Magma was able to beat the built-in Roots function for some parameters. These preliminary results encourage a more detailed study of SRA and its applications. Moreover, we point out that an extension of SRA to the multivariate case would have an important impact on the practical security of the elliptic curve discrete logarithm problem in the small characteristic case.
In this paper we study the discrete logarithm problem in medium- and high-characteristic finite fields. We propose a variant of the number field sieve (NFS) based on numerous number fields. Our improved algorithm computes discrete logarithms in $\mathbb{F}_{p^n}$ for the whole range of applicability of the NFS and lowers the asymptotic complexity from $L_{p^n}({1/3},({128/9})^{1/3})$ to $L_{p^n}({1/3},(2^{13}/3^6)^{1/3})$ in the medium-characteristic case, and from $L_{p^n}({1/3},({64/9})^{1/3})$ to $L_{p^n}({1/3},((92 + 26 \sqrt{13})/27)^{1/3})$ in the high-characteristic case.
We show that the exponent of distribution of the ternary divisor function $d_{3}$ in arithmetic progressions to prime moduli is at least $1/2+1/46$, improving results of Friedlander–Iwaniec and Heath-Brown. Furthermore, when averaging over a fixed residue class, we prove that this exponent is increased to $1/2+1/34$.