We generate ray-class fields over imaginary quadratic fields in terms of Siegel–Ramachandra invariants, which are an extension of a result of Schertz. By making use of quotients of Siegel–Ramachandra invariants we also construct ray-class invariants over imaginary quadratic fields whose minimal polynomials have relatively small coefficients, from which we are able to solve certain quadratic Diophantine equations.
Inspired by methods of N. P. Smart, we describe an algorithm to determine all Picard curves over $\mathbb{Q}$ with good reduction away from 3, up to $\mathbb{Q}$-isomorphism. A correspondence between the isomorphism classes of such curves and certain quintic binary forms possessing a rational linear factor is established. An exhaustive list of integral models is determined and an application to a question of Ihara is discussed.
In Ramsey theory one wishes to know how large a collection of objects can be while avoiding a particular substructure. A problem of recent interest has been to study how large subsets of the natural numbers can be while avoiding three-term geometric progressions. Building on recent progress on this problem, we consider the analogous problem over quadratic number fields. We first construct high-density subsets of the algebraic integers of an imaginary quadratic number field that avoid three-term geometric progressions. When unique factorization fails, or over a real quadratic number field, we instead look at subsets of ideals of the ring of integers. Our approach here is to construct sets ‘greedily’, a generalization of the greedy set of rational integers considered by Rankin. We then describe the densities of these sets in terms of values of the Dedekind zeta function. Next, we consider geometric-progression-free sets with large upper density. We generalize an argument by Riddell to obtain upper bounds for the upper density of geometric-progression-free subsets, and construct sets avoiding geometric progressions with high upper density to obtain lower bounds for the supremum of the upper density of all such subsets. Both arguments depend critically on the elements with small norm in the ring of integers.
For a finite field of odd cardinality $q$, we show that the sequence of iterates of $aX^{2}+c$, starting at $0$, always recurs after $O(q/\log \log q)$ steps. For $X^{2}+1$, the same is true for any starting value. We suggest that the traditional “birthday paradox” model is inappropriate for iterates of $X^{3}+c$, when $q$ is 2 mod 3.
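The claim above can be checked on small primes by walking the orbit until it repeats and comparing the tail-plus-cycle length with the random-mapping (birthday paradox) heuristic $\sqrt{\pi q/2}$ that Pollard-rho style analyses assume. The code below is an added example, not code from the paper; the function names (`rho_length`, `quadratic_map`, `orbit_of_zero`, `max_rho`) and the choice of sample primes are the example's own.

```python
"""Added example: rho structure (tail + cycle) of iterating x -> a*x^2 + c
over F_q for a prime q, compared with the random-mapping heuristic."""
import math


def rho_length(step, x0):
    """Iterate step() from x0 until a value repeats.

    Returns (tail, cycle): tail is the number of steps before the orbit
    enters its cycle, cycle is the cycle length. tail + cycle is the number
    of distinct values seen before the first repeat."""
    seen = {}                      # value -> index at which it first appeared
    x, i = x0, 0
    while x not in seen:
        seen[x] = i
        x = step(x)
        i += 1
    tail = seen[x]
    return tail, i - tail


def quadratic_map(a, c, q):
    """The map X -> a*X^2 + c on F_q (q prime, values reduced mod q)."""
    return lambda x: (a * x * x + c) % q


def orbit_of_zero(a, c, q):
    """Number of distinct iterates of a*X^2 + c mod q starting at 0."""
    tail, cycle = rho_length(quadratic_map(a, c, q), 0)
    return tail + cycle


def max_rho(a, c, q):
    """Longest orbit over all starting values in F_q (the X^2 + 1 statement)."""
    step = quadratic_map(a, c, q)
    return max(sum(rho_length(step, x0)) for x0 in range(q))


def birthday_expectation(q):
    """Expected rho length of a uniformly random mapping on q points."""
    return math.sqrt(math.pi * q / 2)


if __name__ == "__main__":
    # sample primes chosen for this example
    for q in (7, 11, 101, 1009, 10007):
        print(q, orbit_of_zero(1, 1, q), max_rho(1, 1, q),
              round(birthday_expectation(q), 1))
```

For $X^{2}+1$ over $\mathbb{F}_{11}$ the orbit of $0$ is $0,1,2,5,4,6,4,\dots$: a tail of length 4 followed by the cycle $\{4,6\}$, so six distinct values before the first repeat. `max_rho` over all starting points is what the abstract's "for any starting value" statement bounds.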
We consider a smooth system of two homogeneous quadratic equations over $\mathbb{Q}$ in $n\geqslant 13$ variables. In this case, the Hasse principle is known to hold, thanks to the work of Mordell in 1959. The only local obstruction is over $\mathbb{R}$. In this paper, we give an explicit algorithm to decide whether a nonzero rational solution exists and, if so, compute one.
Consider two ordinary elliptic curves $E,E^{\prime }$ defined over a finite field $\mathbb{F}_{q}$, and suppose that there exists an isogeny $\psi$ between $E$ and $E^{\prime }$. We propose an algorithm that determines $\psi$ from the knowledge of $E$, $E^{\prime }$ and of its degree $r$, by using the structure of the $\ell$-torsion of the curves (where $\ell$ is a prime different from the characteristic $p$ of the base field). Our approach is inspired by a previous algorithm due to Couveignes, which involved computations using the $p$-torsion on the curves. The most refined version of that algorithm, due to De Feo, has a complexity of $\tilde{O} (r^{2})p^{O(1)}$ base field operations. On the other hand, the cost of our algorithm is $\tilde{O} (r^{2})\log (q)^{O(1)}$, for a large class of inputs; this makes it an interesting alternative for the medium- and large-characteristic cases.
Lattice sieving is asymptotically the fastest approach for solving the shortest vector problem (SVP) on Euclidean lattices. All known sieving algorithms for solving the SVP require space which (heuristically) grows as $2^{0.2075n+o(n)}$, where $n$ is the lattice dimension. In high dimensions, the memory requirement becomes a limiting factor for running these algorithms, making them uncompetitive with enumeration algorithms, despite their superior asymptotic time complexity.
We generalize sieving algorithms to solve SVP with less memory. We consider reductions of tuples of vectors rather than pairs of vectors as existing sieve algorithms do. For triples, we estimate that the space requirement scales as $2^{0.1887n+o(n)}$. The naive algorithm for this triple sieve runs in time $2^{0.5661n+o(n)}$. With appropriate filtering of pairs, we reduce the time complexity to $2^{0.4812n+o(n)}$ while keeping the same space complexity. We further analyze the effects of using larger tuples for reduction, and conjecture how this provides a continuous trade-off between the memory-intensive sieving and the asymptotically slower enumeration.
We report on our project to find explicit examples of K3 surfaces having real or complex multiplication. Our strategy is to search through the arithmetic consequences of RM and CM. In order to do this, an efficient method is needed for point counting on surfaces defined over finite fields. For this, we describe algorithms that are $p$-adic in nature.
We introduce an algorithm that can be used to compute the canonical height of a point on an elliptic curve over the rationals in quasi-linear time. As in most previous algorithms, we decompose the difference between the canonical and the naive height into an archimedean and a non-archimedean term. Our main contribution is an algorithm for the computation of the non-archimedean term that requires no integer factorization and runs in quasi-linear time.
In this paper we describe how to compute smallest monic polynomials that define a given number field $\mathbb{K}$. We make use of the one-to-one correspondence between monic defining polynomials of $\mathbb{K}$ and algebraic integers that generate $\mathbb{K}$. Thus, a smallest polynomial corresponds to a vector in the lattice of integers of $\mathbb{K}$ and this vector is short in some sense. The main idea is to consider weighted coordinates for the vectors of the lattice of integers of $\mathbb{K}$. This allows us to find the desired polynomial by enumerating short vectors in these weighted lattices. In the context of the subexponential algorithm of Biasse and Fieker for computing class groups, this algorithm can be used as a precomputation step that speeds up the rest of the computation. It also widens the applicability of their faster conditional method, which requires a defining polynomial of small height, to a much larger set of number field descriptions.
In this paper, we present novel algorithms for finding small relations and ideal factorizations in the ideal class group of an order in an imaginary quadratic field, where both the norms of the prime ideals and the size of the coefficients involved are bounded. We show how our methods can be used to improve the computation of large-degree isogenies and endomorphism rings of elliptic curves defined over finite fields. For these problems, we obtain improved heuristic complexity results in almost all cases and significantly improved performance in practice. The speed-up is especially high in situations where the ideal class group can be computed in advance.
In order to assess the security of cryptosystems based on the discrete logarithm problem in non-prime finite fields, as are the torus-based or pairing-based ones, we investigate thoroughly the case in $\mathbb{F}_{p^{6}}$ with the number field sieve. We provide new insights, improvements, and comparisons between different methods to select polynomials intended for a sieve in dimension 3 using a special-$\mathfrak{q}$ strategy. We also take into account the Galois action to increase the relation productivity of the sieving phase. To validate our results, we ran several experiments and real computations for various polynomial selection methods and field sizes with our publicly available implementation of the sieve in dimension 3, with special-$\mathfrak{q}$ and various enumeration strategies.
We present a specialized point-counting algorithm for a class of elliptic curves over $\mathbb{F}_{p^{2}}$ that includes reductions of quadratic $\mathbb{Q}$-curves modulo inert primes and, more generally, any elliptic curve over $\mathbb{F}_{p^{2}}$ with a low-degree isogeny to its Galois conjugate curve. These curves have interesting cryptographic applications. Our algorithm is a variant of the Schoof–Elkies–Atkin (SEA) algorithm, but with a new, lower-degree endomorphism in place of Frobenius. While it has the same asymptotic complexity as SEA, our algorithm is much faster in practice.
We present JKL-ECM, an implementation of the elliptic curve method of integer factorization which uses certain twisted Hessian curves in a family studied by Jeon, Kim and Lee. This implementation takes advantage of torsion subgroup injection for families of elliptic curves over a quartic number field, in addition to the ‘small parameter’ speedup. We produced thousands of curves with torsion $\mathbb{Z}/6\mathbb{Z}\oplus \mathbb{Z}/6\mathbb{Z}$ and small parameters in twisted Hessian form, which admit curve arithmetic that is ‘almost’ as fast as that of twisted Edwards form. This allows JKL-ECM to compete with GMP-ECM for finding large prime factors. Also, JKL-ECM, based on GMP, accepts integers of arbitrary size. We classify the torsion subgroups of Hessian curves over $\mathbb{Q}$ and further examine torsion properties of the curves described by Jeon, Kim and Lee. In addition, the high-performance curves with torsion $\mathbb{Z}/2\mathbb{Z}\oplus \mathbb{Z}/8\mathbb{Z}$ of Bernstein et al. are completely recovered by the $\mathbb{Z}/4\mathbb{Z}\oplus \mathbb{Z}/8\mathbb{Z}$ family of Jeon, Kim and Lee, and hundreds more curves are produced besides, all with small parameters and base points.
NTRU is a public-key cryptosystem introduced at ANTS-III. The two most used techniques in attacking the NTRU private key are meet-in-the-middle attacks and lattice-basis reduction attacks. Howgrave-Graham combined both techniques in 2007 and pointed out that the largest obstacle to attacks is the memory capacity that is required for the meet-in-the-middle phase. In the present paper an algorithm is presented that applies low-memory techniques to find ‘golden’ collisions to Odlyzko’s meet-in-the-middle attack against the NTRU private key. Several aspects of NTRU secret keys and the algorithm are analysed. The running time of the algorithm with a maximum storage capacity of $w$ is estimated and experimentally verified. Experiments indicate that decreasing the storage capacity $w$ by a factor $1<c<\sqrt{w}$ increases the running time by a factor $\sqrt{c}$.
The security of several homomorphic encryption schemes depends on the hardness of variants of the approximate common divisor (ACD) problem. We survey and compare a number of lattice-based algorithms for the ACD problem, with particular attention to some very recently proposed variants of the ACD problem. One of our main goals is to compare the multivariate polynomial approach with other methods. We find that the multivariate polynomial approach is not better than the orthogonal lattice algorithm for practical cryptanalysis.
We also briefly discuss a sample-amplification technique for ACD samples and a pre-processing algorithm similar to the Blum–Kalai–Wasserman algorithm for learning parity with noise. The details of this work are given in the full version of the paper.
Let $\mathbf{f}$ and $\mathbf{g}$ be polynomials of a bounded Euclidean norm in the ring $\mathbb{Z}[X]/\langle X^{n}+1\rangle$. Given the polynomial $[\mathbf{f}/\mathbf{g}]_{q}\in \mathbb{Z}_{q}[X]/\langle X^{n}+1\rangle$, the NTRU problem is to find $\mathbf{a},\mathbf{b}\in \mathbb{Z}[X]/\langle X^{n}+1\rangle$ with a small Euclidean norm such that $[\mathbf{a}/\mathbf{b}]_{q}=[\mathbf{f}/\mathbf{g}]_{q}$. We propose an algorithm to solve the NTRU problem, which runs in $2^{O(\log ^{2}\lambda)}$ time when $\Vert \mathbf{g}\Vert ,\Vert \mathbf{f}\Vert$, and $\Vert \mathbf{g}^{-1}\Vert$ are within some range. The main technique of our algorithm is the reduction of a problem on a field to one on a subfield. The GGH scheme, the first candidate of an (approximate) multilinear map, was recently found to be insecure by the Hu–Jia attack using low-level encodings of zero, but no polynomial-time attack was known without them. In the GGH scheme without low-level encodings of zero, our algorithm can be directly applied to attack this scheme if we have some top-level encodings of zero and a known pair of plaintext and ciphertext. Using our algorithm, we can construct a level-$0$ encoding of zero and utilize it to attack a security ground of this scheme in the quasi-polynomial time of its security parameter using the parameters suggested by Garg, Gentry and Halevi [‘Candidate multilinear maps from ideal lattices’, Advances in cryptology — EUROCRYPT 2013 (Springer, 2013) 1–17].
Let $C/\mathbf{Q}$ be a curve of genus three, given as a double cover of a plane conic. Such a curve is hyperelliptic over the algebraic closure of $\mathbf{Q}$, but may not have a hyperelliptic model of the usual form over $\mathbf{Q}$. We describe an algorithm that computes the local zeta functions of $C$ at all odd primes of good reduction up to a prescribed bound $N$. The algorithm relies on an adaptation of the ‘accumulating remainder tree’ to matrices with entries in a quadratic field. We report on an implementation and compare its performance to previous algorithms for the ordinary hyperelliptic case.
We propose an algorithm to verify the $p$-part of the class number for a number field $K$, provided $K$ is totally real and an abelian extension of the rational field $\mathbb{Q}$, and $p$ is any prime. On fields of degree 4 or higher, this algorithm has been shown heuristically to be faster than classical algorithms that compute the entire class number, with improvement increasing with larger field degrees.