Let $S$ be the sum-of-digits function in base 2, which returns the number of 1s in the base-2 expansion of a nonnegative integer. For a nonnegative integer $t$, define the asymptotic density
T. W. Cusick conjectured that $c_t > 1/2$. We have the elementary bound $0 < c_t < 1$; however, no bound of the form $0 < \alpha \le c_t$ or $c_t \le \beta < 1$, valid for all $t$, is known. In this paper, we prove that $c_t > 1/2 - \varepsilon$ as soon as $t$ contains sufficiently many blocks of 1s in its binary expansion. In the proof, we provide estimates for the moments of an associated probability distribution; this extends the study initiated by Emme and Prikhod’ko (2017) and pursued by Emme and Hubert (2018).
Symplectic finite semifields can be used to construct nonlinear binary codes of Kerdock type (i.e., with the same parameters as the Kerdock codes, a subclass of Delsarte–Goethals codes). In this paper, we introduce nonbinary Delsarte–Goethals codes of parameters $(q^{m+1},\ q^{m(r+2)+2},\ \frac{q-1}{q}(q^{m+1}-q^{\frac{m+1}{2}+r}))$ over a Galois field of order $q=2^l$, for all $0\le r\le\frac{m-1}{2}$, with $m \ge 3$ odd, and show the connection of this construction to finite semifields.
We improve some previously known deterministic algorithms for finding integer solutions $x,y$ to the exponential equation of the form $af^{x}+bg^{y}=c$ over finite fields.
A 1993 result of Alon and Füredi gives a sharp upper bound on the number of zeros of a multivariate polynomial over an integral domain in a finite grid, in terms of the degree of the polynomial. This result was recently generalized to polynomials over an arbitrary commutative ring, assuming a certain ‘Condition (D)’ on the grid which holds vacuously when the ring is a domain. In the first half of this paper we give a further generalized Alon–Füredi theorem which provides a sharp upper bound when the degrees of the polynomial in each variable are also taken into account. This yields in particular a new proof of Alon–Füredi. We then discuss the relationship between Alon–Füredi and results of DeMillo–Lipton, Schwartz and Zippel. A direct coding theoretic interpretation of Alon–Füredi theorem and its generalization in terms of Reed–Muller-type affine variety codes is shown, which gives us the minimum Hamming distance of these codes. Then we apply the Alon–Füredi theorem to quickly recover – and sometimes strengthen – old and new results in finite geometry, including the Jamison–Brouwer–Schrijver bound on affine blocking sets. We end with a discussion of multiplicity enhancements.
Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus $q$ and degree $n$ number field $K$, generating ring-LWE samples can be perceived as cumbersome, because the secret keys have to be taken from the reduction mod $q$ of a certain fractional ideal ${\mathcal{O}}_{K}^{\vee }\subset K$ called the codifferent or ‘dual’, rather than from the ring of integers ${\mathcal{O}}_{K}$ itself. This has led to various non-dual variants of ring-LWE, in which one compensates for the non-duality by scaling up the errors. We give a comparison of these versions, and revisit some unfortunate choices that have been made in the recent literature, one of which is scaling up by ${|\Delta_{K}|}^{1/2n}$ with $\Delta_{K}$ the discriminant of $K$. As a main result, we provide, for any $\epsilon>0$, a family of number fields $K$ for which this variant of ring-LWE can be broken easily as soon as the errors are scaled up by ${|\Delta_{K}|}^{(1-\epsilon)/n}$.
In order to assess the security of cryptosystems based on the discrete logarithm problem in non-prime finite fields, as are the torus-based or pairing-based ones, we investigate thoroughly the case in $\mathbb{F}_{p^{6}}$ with the number field sieve. We provide new insights, improvements, and comparisons between different methods to select polynomials intended for a sieve in dimension 3 using a special-$\mathfrak{q}$ strategy. We also take into account the Galois action to increase the relation productivity of the sieving phase. To validate our results, we ran several experiments and real computations for various polynomial selection methods and field sizes with our publicly available implementation of the sieve in dimension 3, with special-$\mathfrak{q}$ and various enumeration strategies.
NTRU is a public-key cryptosystem introduced at ANTS-III. The two most used techniques in attacking the NTRU private key are meet-in-the-middle attacks and lattice-basis reduction attacks. Howgrave-Graham combined both techniques in 2007 and pointed out that the largest obstacle to attacks is the memory capacity that is required for the meet-in-the-middle phase. In the present paper an algorithm is presented that applies low-memory techniques to find ‘golden’ collisions to Odlyzko’s meet-in-the-middle attack against the NTRU private key. Several aspects of NTRU secret keys and the algorithm are analysed. The running time of the algorithm with a maximum storage capacity of $w$ is estimated and experimentally verified. Experiments indicate that decreasing the storage capacity $w$ by a factor $1<c<\sqrt{w}$ increases the running time by a factor $\sqrt{c}$.
Let $m$ be a positive integer and $p$ a prime number. We prove the orthogonality of some character sums over the finite field $\mathbb{F}_{p^{m}}$ or over a subset of a finite field and use this to construct some new approximately mutually unbiased bases of dimension $p^{m}$ over the complex number field $\mathbb{C}$, especially with $p=2$.
We discuss heuristic asymptotic formulae for the number of isogeny classes of pairing-friendly abelian varieties of fixed dimension $g\geqslant 2$ over prime finite fields. In each formula, the embedding degree $k\geqslant 2$ is fixed and the rho-value is bounded above by a fixed real $\rho_{0}>1$. The first formula involves families of ordinary abelian varieties whose endomorphism ring contains an order in a fixed CM-field $K$ of degree $g$ and generalizes previous work of the first author when $g=1$. It suggests that, when $\rho_{0}<g$, there are only finitely many such isogeny classes. On the other hand, there should be infinitely many such isogeny classes when $\rho_{0}>g$. The second formula involves families whose endomorphism ring contains an order in a fixed totally real field $K_{0}^{+}$ of degree $g$. It suggests that, when $\rho_{0}>2g/(g+2)$ (and in particular when $\rho_{0}>1$ if $g=2$), there are infinitely many isogeny classes of $g$-dimensional abelian varieties over prime fields whose endomorphism ring contains an order of $K_{0}^{+}$. We also discuss the impact that polynomial families of pairing-friendly abelian varieties have on our heuristics, and review the known cases where they are expected to provide more isogeny classes than predicted by our heuristic formulae.
In this paper, we present a decomposition of the elements of a finite field and illustrate the efficiency of this decomposition in evaluating some specific exponential sums over finite fields. The results can be employed in determining the Walsh spectrum of some Boolean functions.
This paper presents an algorithm to construct cryptographically strong genus $2$ curves and their Kummer surfaces via Rosenhain invariants and related Kummer parameters. The most common version of the complex multiplication (CM) algorithm for constructing cryptographic curves in genus 2 relies on the well-studied Igusa invariants and Mestre’s algorithm for reconstructing the curve. On the other hand, the Rosenhain invariants typically have much smaller height, so computing them requires less precision, and in addition, the Rosenhain model for the curve can be written down directly given the Rosenhain invariants. Similarly, the parameters for a Kummer surface can be expressed directly in terms of rational functions of theta constants. CM-values of these functions are algebraic numbers, and when computed to high enough precision, LLL can recognize their minimal polynomials. Motivated by fast cryptography on Kummer surfaces, we investigate a variant of the CM method for computing cryptographically strong Rosenhain models of curves (as well as their associated Kummer surfaces) and use it to generate several example curves at different security levels that are suitable for use in cryptography.
Let $G$ be a cyclic group written multiplicatively (and represented in some concrete way). Let $n$ be a positive integer (much smaller than the order of $G$). Let $g,h\in G$. The bounded height discrete logarithm problem is the task of finding positive integers $a$ and $b$ (if they exist) such that $a\leq n$, $b\leq n$ and $g^a=h^b$. (Provided that $b$ is coprime to the order of $g$, we have $h=g^{a/b}$ where $a/b$ is a rational number of height at most $n$. This motivates the terminology.)
The paper provides a reduction to the two-dimensional discrete logarithm problem, so the bounded height discrete logarithm problem can be solved using a low-memory heuristic algorithm for the two-dimensional discrete logarithm problem due to Gaudry and Schost. The paper also provides a low-memory heuristic algorithm to solve the bounded height discrete logarithm problem in a generic group directly, without using a reduction to the two-dimensional discrete logarithm problem. This new algorithm is inspired by (but differs from) the Gaudry–Schost algorithm. Both algorithms use $O(n)$ group operations, but the new algorithm is faster and simpler than the Gaudry–Schost algorithm when used to solve the bounded height discrete logarithm problem. Like the Gaudry–Schost algorithm, the new algorithm can easily be carried out in a distributed fashion.
The bounded height discrete logarithm problem is relevant to a class of attacks on the privacy of a key establishment protocol recently published by EMVCo for comment. This protocol is intended to protect the communications between a chip-based payment card and a terminal using elliptic curve cryptography. The paper comments on the implications of these attacks for the design of any final version of the EMV protocol.
The problem of solving polynomial equations over finite fields has many applications in cryptography and coding theory. In this paper, we consider polynomial equations over a ‘large’ finite field with a ‘small’ characteristic. We introduce a new algorithm for solving this type of equations, called the successive resultants algorithm (SRA). SRA is radically different from previous algorithms for this problem, yet it is conceptually simple. A straightforward implementation using Magma was able to beat the built-in Roots function for some parameters. These preliminary results encourage a more detailed study of SRA and its applications. Moreover, we point out that an extension of SRA to the multivariate case would have an important impact on the practical security of the elliptic curve discrete logarithm problem in the small characteristic case.
We prove that under any projective embedding of an abelian variety $A$ of dimension $g$, a complete set of addition laws has cardinality at least $g+1$, generalizing a result of Bosma and Lenstra for the Weierstrass model of an elliptic curve in $\mathbb{P}^2$. In contrast, we prove, moreover, that if $k$ is any field with infinite absolute Galois group, then there exists for every abelian variety $A/k$ a projective embedding and an addition law defined for every pair of $k$-rational points. For an abelian variety of dimension 1 or 2, we show that this embedding can be the classical Weierstrass model or the embedding in $\mathbb{P}^{15}$, respectively, up to a finite number of counterexamples for $|k|\leq 5$.
If $C$ is a curve of genus 2 defined over a field $k$ and $J$ is its Jacobian, then we can associate a hypersurface $K$ in $\mathbb{P}^3$ to $J$, called the Kummer surface of $J$. Flynn has made this construction explicit in the case when the characteristic of $k$ is not 2 and $C$ is given by a simplified equation. He has also given explicit versions of several maps defined on the Kummer surface and shown how to perform arithmetic on $J$ using these maps. In this paper we generalize these results to the case of arbitrary characteristic.
We consider irreducible Goppa codes of length $q^m$ over $\mathbb{F}_q$ defined by polynomials of degree $r$, where $q = p^t$ and $p$, $m$, $r$ are distinct primes. The number of such codes, inequivalent under coordinate permutations and field automorphisms, is determined.