We formulate some conjectures about the precise determination of the monodromy groups of certain rigid local systems on $\mathbb{A}^{1}$ whose monodromy groups are known, by results of Kubert, to be finite. We prove some of them.

We prove that the exponent of distribution of $\unicode[STIX]{x1D70F}_{3}$ in arithmetic progressions can be as large as $\frac{1}{2}+\frac{1}{34}$, provided that the moduli is squarefree and has only sufficiently small prime factors. The tools involve arithmetic exponent pairs for algebraic trace functions, as well as a double $q$-analogue of the van der Corput method for smooth bilinear forms.

We show, under some natural restrictions, that orbits of polynomials cannot contain too many elements of small multiplicative order modulo a large prime p. We also show that for all but finitely many initial points either the multiplicative order of this point or the length of the orbit it generates (both modulo a large prime p) is large. The approach is based on the results of Dvornicich and Zannier (Duke Math. J. 139 (2007), 527–554) and Ostafe (2017) on roots of unity in polynomial orbits over the algebraic closure of the field of rational numbers.

The fractional derivatives include nonlocal information and thus their calculation requires huge storage and computational cost for long time simulations. We present an efficient and high-order accurate numerical formula to speed up the evaluation of the Caputo fractional derivative based on the L2-1σ formula proposed in [A. Alikhanov, J. Comput. Phys., 280 (2015), pp. 424-438], and employing the sum-of-exponentials approximation to the kernel function appeared in the Caputo fractional derivative. Both theoretically and numerically, we prove that while applied to solving time fractional diffusion equations, our scheme not only has unconditional stability and high accuracy but also reduces the storage and computational cost.

For a finite field of odd cardinality $q$ , we show that the sequence of iterates of $aX^{2}+c$ , starting at $0$ , always recurs after $O(q/\text{log}\log q)$ steps. For $X^{2}+1$ , the same is true for any starting value. We suggest that the traditional “birthday paradox” model is inappropriate for iterates of $X^{3}+c$ , when $q$ is 2 mod 3.

We improve a recent result of B. Hanson [Estimates for character sums with various convolutions. Preprint, 2015, arXiv:1509.04354] on multiplicative character sums with expressions of the type $a+b+cd$ and variables $a,b,c,d$ from four distinct sets of a finite field. We also consider similar sums with $a+b(c+d)$ . Our new bounds rely on some recent advances in additive combinatorics.

The holomorphy conjecture roughly states that Igusa’s zeta function associated to a hypersurface and a character is holomorphic on $\mathbb{C}$ whenever the order of the character does not divide the order of any eigenvalue of the local monodromy of the hypersurface. In this article, we prove the holomorphy conjecture for surface singularities that are nondegenerate over $\mathbb{C}$ with respect to their Newton polyhedron. In order to provide relevant eigenvalues of monodromy, we first show a relation between the normalized volumes (which appear in the formula of Varchenko for the zeta function of monodromy) of the faces in a simplex in arbitrary dimension. We then study some specific character sums that show up when dealing with false poles. In contrast to the context of the trivial character, we here need to show fakeness of certain candidate poles other than those contributed by $B_{1}$ -facets.

We prove an analogue of the classical Bateman–Horn conjecture on prime values of polynomials for the ring of polynomials over a large finite field. Namely, given non-associate, irreducible, separable and monic (in the variable $x$ ) polynomials $F_{1},\ldots ,F_{m}\in \mathbf{F}_{q}[t][x]$ , we show that the number of $f\in \mathbf{F}_{q}[t]$ of degree $n\geqslant \max (3,\deg _{t}F_{1},\ldots ,\deg _{t}F_{m})$ such that all $F_{i}(t,f)\in \mathbf{F}_{q}[t],1\leqslant i\leqslant m$ , are irreducible is

$$\begin{eqnarray}\displaystyle \biggl(\mathop{\prod }_{i=1}^{m}\frac{\unicode[STIX]{x1D707}_{i}}{N_{i}}\biggr)q^{n+1}(1+O_{m,\,\max \deg F_{i},\,n}(q^{-1/2})), & & \displaystyle \nonumber\end{eqnarray}$$

$N_{i}=n\deg _{x}F_{i}$

$F_{i}(t,f)$

$\deg f=n$

$\unicode[STIX]{x1D707}_{i}$

$F_{i}$

$\overline{\mathbf{F}}_{q}$

$\mathbf{F}_{q}(t)$

$F_{1},\ldots ,F_{m}$

$x$

$n$

$C$

$$\begin{eqnarray}\displaystyle \mathop{\prod }_{i=1}^{m}F_{i}(t,x)=0 & & \displaystyle \nonumber\end{eqnarray}$$

$(\sum _{i=1}^{m}\deg F_{i})^{2}/2$

$\deg$

$t,x$

$$\begin{eqnarray}\displaystyle p=\text{char}\,\mathbf{F}_{q}>\max _{1\leqslant i\leqslant m}N_{i}, & & \displaystyle \nonumber\end{eqnarray}$$

$N_{i}$

$F_{i}(t,f)$

$\deg f=n$

Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus $q$ and degree $n$ number field $K$ , generating ring-LWE samples can be perceived as cumbersome, because the secret keys have to be taken from the reduction mod $q$ of a certain fractional ideal ${\mathcal{O}}_{K}^{\vee }\subset K$ called the codifferent or ‘dual’, rather than from the ring of integers ${\mathcal{O}}_{K}$ itself. This has led to various non-dual variants of ring-LWE, in which one compensates for the non-duality by scaling up the errors. We give a comparison of these versions, and revisit some unfortunate choices that have been made in the recent literature, one of which is scaling up by ${|\unicode[STIX]{x1D6E5}_{K}|}^{1/2n}$ with $\unicode[STIX]{x1D6E5}_{K}$ the discriminant of $K$ . As a main result, we provide, for any $\unicode[STIX]{x1D700}>0$ , a family of number fields $K$ for which this variant of ring-LWE can be broken easily as soon as the errors are scaled up by ${|\unicode[STIX]{x1D6E5}_{K}|}^{(1-\unicode[STIX]{x1D700})/n}$ .

In order to assess the security of cryptosystems based on the discrete logarithm problem in non-prime finite fields, as are the torus-based or pairing-based ones, we investigate thoroughly the case in $\mathbb{F}_{p^{6}}$ with the number field sieve. We provide new insights, improvements, and comparisons between different methods to select polynomials intended for a sieve in dimension 3 using a special- $\mathfrak{q}$ strategy. We also take into account the Galois action to increase the relation productivity of the sieving phase. To validate our results, we ran several experiments and real computations for various polynomial selection methods and field sizes with our publicly available implementation of the sieve in dimension 3, with special- $\mathfrak{q}$ and various enumeration strategies.

NTRU is a public-key cryptosystem introduced at ANTS-III. The two most used techniques in attacking the NTRU private key are meet-in-the-middle attacks and lattice-basis reduction attacks. Howgrave-Graham combined both techniques in 2007 and pointed out that the largest obstacle to attacks is the memory capacity that is required for the meet-in-the-middle phase. In the present paper an algorithm is presented that applies low-memory techniques to find ‘golden’ collisions to Odlyzko’s meet-in-the-middle attack against the NTRU private key. Several aspects of NTRU secret keys and the algorithm are analysed. The running time of the algorithm with a maximum storage capacity of $w$ is estimated and experimentally verified. Experiments indicate that decreasing the storage capacity $w$ by a factor $1<c<\sqrt{w}$ increases the running time by a factor $\sqrt{c}$ .

For a $t$ -nomial $f(x)=\sum _{i=1}^{t}c_{i}x^{a_{i}}\in \mathbb{F}_{q}[x]$ , we show that the number of distinct, nonzero roots of $f$ is bounded above by $2(q-1)^{1-\unicode[STIX]{x1D700}}C^{\unicode[STIX]{x1D700}}$ , where $\unicode[STIX]{x1D700}=1/(t-1)$ and $C$ is the size of the largest coset in $\mathbb{F}_{q}^{\ast }$ on which $f$ vanishes completely. Additionally, we describe a number-theoretic parameter depending only on $q$ and the exponents $a_{i}$ which provides a general and easily computable upper bound for  $C$ . We thus obtain a strict improvement over an earlier bound of Canetti et al. which is related to the uniformity of the Diffie–Hellman distribution. Finally, we conjecture that $t$ -nomials over prime fields have only $O(t\log p)$ roots in $\mathbb{F}_{p}^{\ast }$ when $C=1$ .

We consider the distribution of the polygonal paths joining partial sums of classical Kloosterman sums $\text{Kl}_{p}(a)$ , as $a$ varies over $\mathbf{F}_{p}^{\times }$ and as $p$ tends to infinity. Using independence of Kloosterman sheaves, we prove convergence in the sense of finite distributions to a specific random Fourier series. We also consider Birch sums, for which we can establish convergence in law in the space of continuous functions. We then derive some applications.

We express the number of points on the Dwork hypersurface $X_{\unicode[STIX]{x1D706}}^{d}:x_{1}^{d}+x_{2}^{d}+\cdots +x_{d}^{d}=d\unicode[STIX]{x1D706}x_{1}x_{2}\cdots x_{d}$ over a finite field of order $q\not \equiv 1\,(\text{mod}\,d)$ in terms of McCarthy’s $p$ -adic hypergeometric function for any odd prime $d$ .

We study the average value of the divisor function $\unicode[STIX]{x1D70F}(n)$ for $n\leqslant x$ with $n\equiv a~\text{mod}~q$ . The divisor function is known to be evenly distributed over arithmetic progressions for all $q$ that are a little smaller than $x^{2/3}$ . We show how to go past this barrier when $q=p^{k}$ for odd primes $p$ and any fixed integer $k\geqslant 7$ .

Primitive prime divisors play an important role in group theory and number theory. We study a certain number-theoretic quantity, called $\unicode[STIX]{x1D6F7}_{n}^{\ast }(q)$ , which is closely related to the cyclotomic polynomial $\unicode[STIX]{x1D6F7}_{n}(x)$ and to primitive prime divisors of $q^{n}-1$ . Our definition of $\unicode[STIX]{x1D6F7}_{n}^{\ast }(q)$ is novel, and we prove it is equivalent to the definition given by Hering. Given positive constants $c$ and $k$ , we provide an algorithm for determining all pairs $(n,q)$ with $\unicode[STIX]{x1D6F7}_{n}^{\ast }(q)\leq cn^{k}$ . This algorithm is used to extend (and correct) a result of Hering and is useful for classifying certain families of subgroups of finite linear groups.

Let $m$ be a positive integer and $p$ a prime number. We prove the orthogonality of some character sums over the finite field $\mathbb{F}_{p^{m}}$ or over a subset of a finite field and use this to construct some new approximately mutually unbiased bases of dimension $p^{m}$ over the complex number field $\mathbb{C}$, especially with $p=2$.

Given a finite field of q elements, we consider a trajectory of the map associated with a polynomial ]. Using bounds of character sums, under some mild condition on f, we show that for an appropriate constant C > 0 no N ⩾ Cq½ distinct consecutive elements of such a trajectory are contained in a small subgroup of , improving the trivial lower bound . Using a different technique, we also obtain a similar result for very small values of N. These results are multiplicative analogues of several recently obtained bounds on the length of intervals containing N distinct consecutive elements of such a trajectory.

We discuss heuristic asymptotic formulae for the number of isogeny classes of pairing-friendly abelian varieties of fixed dimension $g\geqslant 2$ over prime finite fields. In each formula, the embedding degree $k\geqslant 2$ is fixed and the rho-value is bounded above by a fixed real ${\it\rho}_{0}>1$ . The first formula involves families of ordinary abelian varieties whose endomorphism ring contains an order in a fixed CM-field $K$ of degree $g$ and generalizes previous work of the first author when $g=1$ . It suggests that, when ${\it\rho}_{0}<g$ , there are only finitely many such isogeny classes. On the other hand, there should be infinitely many such isogeny classes when ${\it\rho}_{0}>g$ . The second formula involves families whose endomorphism ring contains an order in a fixed totally real field $K_{0}^{+}$ of degree $g$ . It suggests that, when ${\it\rho}_{0}>2g/(g+2)$ (and in particular when ${\it\rho}_{0}>1$ if $g=2$ ), there are infinitely many isogeny classes of $g$ -dimensional abelian varieties over prime fields whose endomorphism ring contains an order of $K_{0}^{+}$ . We also discuss the impact that polynomial families of pairing-friendly abelian varieties has on our heuristics, and review the known cases where they are expected to provide more isogeny classes than predicted by our heuristic formulae.

In this paper, we present a decomposition of the elements of a finite field and illustrate the efficiency of this decomposition in evaluating some specific exponential sums over finite fields. The results can be employed in determining the Walsh spectrum of some Boolean functions.