Most systematic tables of data associated to ranks of elliptic curves order the curves by conductor. Recent developments, led by work of Bhargava and Shankar studying the average sizes of $n$-Selmer groups, have given new upper bounds on the average algebraic rank in families of elliptic curves over $\mathbb{Q}$, ordered by height. We describe databases of elliptic curves over $\mathbb{Q}$, ordered by height, in which we compute ranks and $2$-Selmer group sizes, the distributions of which may also be compared to these theoretical results. A striking new phenomenon that we observe in our database is that the average rank eventually decreases as height increases.
Consider two ordinary elliptic curves $E,E^{\prime }$ defined over a finite field $\mathbb{F}_{q}$, and suppose that there exists an isogeny $\psi$ between $E$ and $E^{\prime }$. We propose an algorithm that determines $\psi$ from the knowledge of $E$, $E^{\prime }$ and of its degree $r$, by using the structure of the $\ell$-torsion of the curves (where $\ell$ is a prime different from the characteristic $p$ of the base field). Our approach is inspired by a previous algorithm due to Couveignes, which involved computations using the $p$-torsion on the curves. The most refined version of that algorithm, due to De Feo, has a complexity of $\tilde{O} (r^{2})p^{O(1)}$ base field operations. On the other hand, the cost of our algorithm is $\tilde{O} (r^{2})\log (q)^{O(1)}$, for a large class of inputs; this makes it an interesting alternative for the medium- and large-characteristic cases.
We study the elliptic curves in Cremona’s tables that are predicted by the Birch–Swinnerton-Dyer conjecture to have elements of order $7$ in their Tate–Shafarevich group. We show that in many cases these elements are visible in an abelian surface or abelian 3-fold.
Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus $q$ and degree $n$ number field $K$, generating ring-LWE samples can be perceived as cumbersome, because the secret keys have to be taken from the reduction mod $q$ of a certain fractional ideal ${\mathcal{O}}_{K}^{\vee }\subset K$ called the codifferent or ‘dual’, rather than from the ring of integers ${\mathcal{O}}_{K}$ itself. This has led to various non-dual variants of ring-LWE, in which one compensates for the non-duality by scaling up the errors. We give a comparison of these versions, and revisit some unfortunate choices that have been made in the recent literature, one of which is scaling up by ${|\Delta_{K}|}^{1/2n}$ with $\Delta_{K}$ the discriminant of $K$. As a main result, we provide, for any $\varepsilon>0$, a family of number fields $K$ for which this variant of ring-LWE can be broken easily as soon as the errors are scaled up by ${|\Delta_{K}|}^{(1-\varepsilon)/n}$.
Lattice sieving is asymptotically the fastest approach for solving the shortest vector problem (SVP) on Euclidean lattices. All known sieving algorithms for solving the SVP require space which (heuristically) grows as $2^{0.2075n+o(n)}$, where $n$ is the lattice dimension. In high dimensions, the memory requirement becomes a limiting factor for running these algorithms, making them uncompetitive with enumeration algorithms, despite their superior asymptotic time complexity.
We generalize sieving algorithms to solve SVP with less memory. We consider reductions of tuples of vectors rather than pairs of vectors as existing sieve algorithms do. For triples, we estimate that the space requirement scales as $2^{0.1887n+o(n)}$. The naive algorithm for this triple sieve runs in time $2^{0.5661n+o(n)}$. With appropriate filtering of pairs, we reduce the time complexity to $2^{0.4812n+o(n)}$ while keeping the same space complexity. We further analyze the effects of using larger tuples for reduction, and conjecture how this provides a continuous trade-off between the memory-intensive sieving and the asymptotically slower enumeration.
We report on our project to find explicit examples of K3 surfaces having real or complex multiplication. Our strategy is to search through the arithmetic consequences of RM and CM. In order to do this, an efficient method is needed for point counting on surfaces defined over finite fields. For this, we describe algorithms that are $p$-adic in nature.
We describe an implementation for computing holomorphic and skew-holomorphic Jacobi forms of integral weight and scalar index on the full modular group. This implementation is based on formulas derived by one of the authors which express Jacobi forms in terms of modular symbols of elliptic modular forms. Since this method allows a Jacobi eigenform to be generated directly from a given modular eigensymbol without reference to the whole ambient space of Jacobi forms, it makes it possible to compute Jacobi Hecke eigenforms of large index. We illustrate our method with several examples.
We introduce an algorithm that can be used to compute the canonical height of a point on an elliptic curve over the rationals in quasi-linear time. As in most previous algorithms, we decompose the difference between the canonical and the naive height into an archimedean and a non-archimedean term. Our main contribution is an algorithm for the computation of the non-archimedean term that requires no integer factorization and runs in quasi-linear time.
In this paper we describe how to compute smallest monic polynomials that define a given number field $\mathbb{K}$. We make use of the one-to-one correspondence between monic defining polynomials of $\mathbb{K}$ and algebraic integers that generate $\mathbb{K}$. Thus, a smallest polynomial corresponds to a vector in the lattice of integers of $\mathbb{K}$ and this vector is short in some sense. The main idea is to consider weighted coordinates for the vectors of the lattice of integers of $\mathbb{K}$. This allows us to find the desired polynomial by enumerating short vectors in these weighted lattices. In the context of the subexponential algorithm of Biasse and Fieker for computing class groups, this algorithm can be used as a precomputation step that speeds up the rest of the computation. It also widens the applicability of their faster conditional method, which requires a defining polynomial of small height, to a much larger set of number field descriptions.
In this paper, we present novel algorithms for finding small relations and ideal factorizations in the ideal class group of an order in an imaginary quadratic field, where both the norms of the prime ideals and the size of the coefficients involved are bounded. We show how our methods can be used to improve the computation of large-degree isogenies and endomorphism rings of elliptic curves defined over finite fields. For these problems, we obtain improved heuristic complexity results in almost all cases and significantly improved performance in practice. The speed-up is especially high in situations where the ideal class group can be computed in advance.
In order to assess the security of cryptosystems based on the discrete logarithm problem in non-prime finite fields, such as torus-based or pairing-based ones, we investigate thoroughly the case of $\mathbb{F}_{p^{6}}$ with the number field sieve. We provide new insights, improvements, and comparisons between different methods to select polynomials intended for a sieve in dimension 3 using a special-$\mathfrak{q}$ strategy. We also take into account the Galois action to increase the relation productivity of the sieving phase. To validate our results, we ran several experiments and real computations for various polynomial selection methods and field sizes with our publicly available implementation of the sieve in dimension 3, with special-$\mathfrak{q}$ and various enumeration strategies.
We describe the construction of a database of genus-$2$ curves of small discriminant that includes geometric and arithmetic invariants of each curve, its Jacobian, and the associated $L$-function. This data has been incorporated into the $L$-Functions and Modular Forms Database (LMFDB).
We compute the complete set of candidates for the zeta function of a K3 surface over $\mathbb{F}_{2}$ consistent with the Weil and Tate conjectures, as well as the complete set of zeta functions of smooth quartic surfaces over $\mathbb{F}_{2}$. These sets differ substantially, but we do identify natural subsets which coincide. This gives some numerical evidence towards a Honda–Tate theorem for transcendental zeta functions of K3 surfaces; such a result would refine a recent theorem of Taelman, in which one must allow an uncontrolled base field extension.
We present a specialized point-counting algorithm for a class of elliptic curves over $\mathbb{F}_{p^{2}}$ that includes reductions of quadratic $\mathbb{Q}$-curves modulo inert primes and, more generally, any elliptic curve over $\mathbb{F}_{p^{2}}$ with a low-degree isogeny to its Galois conjugate curve. These curves have interesting cryptographic applications. Our algorithm is a variant of the Schoof–Elkies–Atkin (SEA) algorithm, but with a new, lower-degree endomorphism in place of Frobenius. While it has the same asymptotic complexity as SEA, our algorithm is much faster in practice.
In this article, we propose to use the character theory of compact Lie groups and their orthogonality relations for the study of Frobenius distributions and Sato–Tate groups. The results show the advantages of this new approach in several aspects. With samples of Frobenius elements much smaller than those needed by the moment statistics approach, we obtain very good approximations to the expected values of these orthogonality relations, which give useful information about the underlying Sato–Tate groups and strong evidence for the correctness of the generalized Sato–Tate conjecture. In fact, $2^{10}$ to $2^{12}$ points provide satisfactory convergence. Even for $g=2$, the classical approach using moment statistics requires about $2^{30}$ sample points to obtain such information.
We present JKL-ECM, an implementation of the elliptic curve method of integer factorization which uses certain twisted Hessian curves in a family studied by Jeon, Kim and Lee. This implementation takes advantage of torsion subgroup injection for families of elliptic curves over a quartic number field, in addition to the ‘small parameter’ speedup. We produced thousands of curves with torsion $\mathbb{Z}/6\mathbb{Z}\oplus \mathbb{Z}/6\mathbb{Z}$ and small parameters in twisted Hessian form, which admit curve arithmetic that is ‘almost’ as fast as that of twisted Edwards form. This allows JKL-ECM to compete with GMP-ECM for finding large prime factors. Also, JKL-ECM, based on GMP, accepts integers of arbitrary size. We classify the torsion subgroups of Hessian curves over $\mathbb{Q}$ and further examine torsion properties of the curves described by Jeon, Kim and Lee. In addition, the high-performance curves with torsion $\mathbb{Z}/2\mathbb{Z}\oplus \mathbb{Z}/8\mathbb{Z}$ of Bernstein et al. are completely recovered by the $\mathbb{Z}/4\mathbb{Z}\oplus \mathbb{Z}/8\mathbb{Z}$ family of Jeon, Kim and Lee, and hundreds more curves are produced besides, all with small parameters and base points.
NTRU is a public-key cryptosystem introduced at ANTS-III. The two most used techniques in attacking the NTRU private key are meet-in-the-middle attacks and lattice-basis reduction attacks. Howgrave-Graham combined both techniques in 2007 and pointed out that the largest obstacle to attacks is the memory capacity that is required for the meet-in-the-middle phase. In the present paper an algorithm is presented that applies low-memory techniques to find ‘golden’ collisions to Odlyzko’s meet-in-the-middle attack against the NTRU private key. Several aspects of NTRU secret keys and the algorithm are analysed. The running time of the algorithm with a maximum storage capacity of $w$ is estimated and experimentally verified. Experiments indicate that decreasing the storage capacity $w$ by a factor $1<c<\sqrt{w}$ increases the running time by a factor $\sqrt{c}$.
The security of several homomorphic encryption schemes depends on the hardness of variants of the approximate common divisor (ACD) problem. We survey and compare a number of lattice-based algorithms for the ACD problem, with particular attention to some very recently proposed variants of the ACD problem. One of our main goals is to compare the multivariate polynomial approach with other methods. We find that the multivariate polynomial approach is not better than the orthogonal lattice algorithm for practical cryptanalysis.
We also briefly discuss a sample-amplification technique for ACD samples and a pre-processing algorithm similar to the Blum–Kalai–Wasserman algorithm for learning parity with noise. The details of this work are given in the full version of the paper.
Let $\mathbf{f}$ and $\mathbf{g}$ be polynomials of bounded Euclidean norm in the ring $\mathbb{Z}[X]/\langle X^{n}+1\rangle$. Given the polynomial $[\mathbf{f}/\mathbf{g}]_{q}\in \mathbb{Z}_{q}[X]/\langle X^{n}+1\rangle$, the NTRU problem is to find $\mathbf{a},\mathbf{b}\in \mathbb{Z}[X]/\langle X^{n}+1\rangle$ with small Euclidean norm such that $[\mathbf{a}/\mathbf{b}]_{q}=[\mathbf{f}/\mathbf{g}]_{q}$. We propose an algorithm to solve the NTRU problem, which runs in $2^{O(\log ^{2}\lambda)}$ time when $\Vert \mathbf{g}\Vert ,\Vert \mathbf{f}\Vert$, and $\Vert \mathbf{g}^{-1}\Vert$ are within some range. The main technique of our algorithm is the reduction of a problem on a field to one on a subfield. The GGH scheme, the first candidate for an (approximate) multilinear map, was recently found to be insecure by the Hu–Jia attack using low-level encodings of zero, but no polynomial-time attack was known without them. In the GGH scheme without low-level encodings of zero, our algorithm can be directly applied to attack the scheme if we have some top-level encodings of zero and a known pair of plaintext and ciphertext. Using our algorithm, we can construct a level-$0$ encoding of zero and use it to attack a security assumption of this scheme in time quasi-polynomial in its security parameter, using the parameters suggested by Garg, Gentry and Halevi [‘Candidate multilinear maps from ideal lattices’, Advances in cryptology — EUROCRYPT 2013 (Springer, 2013) 1–17].
Given a sextic CM field $K$, we give an explicit method for finding all genus-$3$ hyperelliptic curves defined over $\mathbb{C}$ whose Jacobians are simple and have complex multiplication by the maximal order of this field, via an approximation of their Rosenhain invariants. Building on the work of Weng [J. Ramanujan Math. Soc. 16 (2001) no. 4, 339–372], we give an algorithm which works in complete generality, for any CM sextic field $K$, and computes minimal polynomials of the Rosenhain invariants for any period matrix of the Jacobian. This algorithm can be used to generate genus-3 hyperelliptic curves over a finite field $\mathbb{F}_{p}$ with a given zeta function by finding roots of the Rosenhain minimal polynomials modulo $p$.