Let $n$ be a positive integer and $\underline {n}=\{1,2,\ldots ,n\}$. A conjecture arising from certain polynomial near-ring codes states that if $k\geq 1$ and $a_{1},a_{2},\ldots ,a_{k}$ are distinct positive integers, then the symmetric difference $a_{1}\underline {n}\mathbin {\Delta }a_{2}\underline {n}\mathbin {\Delta }\cdots \mathbin {\Delta }a_{k}\underline {n}$ contains at least $n$ elements. Here, $a_{i}\underline {n}=\{a_{i},2a_{i},\ldots ,na_{i}\}$ for each $i$. We prove this conjecture for arbitrary $n$ and for $k=1,2,3$.
NTRU is a public-key cryptosystem introduced at ANTS-III. The two most used techniques in attacking the NTRU private key are meet-in-the-middle attacks and lattice-basis reduction attacks. Howgrave-Graham combined both techniques in 2007 and pointed out that the largest obstacle to attacks is the memory capacity that is required for the meet-in-the-middle phase. In the present paper an algorithm is presented that applies low-memory techniques to find ‘golden’ collisions to Odlyzko’s meet-in-the-middle attack against the NTRU private key. Several aspects of NTRU secret keys and the algorithm are analysed. The running time of the algorithm with a maximum storage capacity of $w$ is estimated and experimentally verified. Experiments indicate that decreasing the storage capacity $w$ by a factor $1<c<\sqrt{w}$ increases the running time by a factor $\sqrt{c}$.
The security of several homomorphic encryption schemes depends on the hardness of variants of the approximate common divisor (ACD) problem. We survey and compare a number of lattice-based algorithms for the ACD problem, with particular attention to some very recently proposed variants of the ACD problem. One of our main goals is to compare the multivariate polynomial approach with other methods. We find that the multivariate polynomial approach is not better than the orthogonal lattice algorithm for practical cryptanalysis.
We also briefly discuss a sample-amplification technique for ACD samples and a pre-processing algorithm similar to the Blum–Kalai–Wasserman algorithm for learning parity with noise. The details of this work are given in the full version of the paper.
Let $G$ be a cyclic group written multiplicatively (and represented in some concrete way). Let $n$ be a positive integer (much smaller than the order of $G$). Let $g,h\in G$. The bounded height discrete logarithm problem is the task of finding positive integers $a$ and $b$ (if they exist) such that $a\leq n$, $b\leq n$ and $g^a=h^b$. (Provided that $b$ is coprime to the order of $g$, we have $h=g^{a/b}$ where $a/b$ is a rational number of height at most $n$. This motivates the terminology.)
The paper provides a reduction to the two-dimensional discrete logarithm problem, so the bounded height discrete logarithm problem can be solved using a low-memory heuristic algorithm for the two-dimensional discrete logarithm problem due to Gaudry and Schost. The paper also provides a low-memory heuristic algorithm to solve the bounded height discrete logarithm problem in a generic group directly, without using a reduction to the two-dimensional discrete logarithm problem. This new algorithm is inspired by (but differs from) the Gaudry–Schost algorithm. Both algorithms use $O(n)$ group operations, but the new algorithm is faster and simpler than the Gaudry–Schost algorithm when used to solve the bounded height discrete logarithm problem. Like the Gaudry–Schost algorithm, the new algorithm can easily be carried out in a distributed fashion.
The bounded height discrete logarithm problem is relevant to a class of attacks on the privacy of a key establishment protocol recently published by EMVCo for comment. This protocol is intended to protect the communications between a chip-based payment card and a terminal using elliptic curve cryptography. The paper comments on the implications of these attacks for the design of any final version of the EMV protocol.
This paper introduces ‘hyper-and-elliptic-curve cryptography’, in which a single high-security group supports fast genus-2-hyperelliptic-curve formulas for variable-base-point single-scalar multiplication (for example, Diffie–Hellman shared-secret computation) and at the same time supports fast elliptic-curve formulas for fixed-base-point scalar multiplication (for example, key generation) and multi-scalar multiplication (for example, signature verification).
The cubic version of the Lucas cryptosystem is set up based on the cubic recurrence relation of the Lucas function by Said and Loxton [‘A cubic analogue of the RSA cryptosystem’, Bull. Aust. Math. Soc. 68 (2003), 21–38]. To implement this type of cryptosystem in a limited environment, it is necessary to accelerate encryption and decryption procedures. Therefore, this paper concentrates on improving the computation time of encryption and decryption in cubic Lucas cryptosystems. The new algorithm is designed based on new properties of the cubic Lucas function and mathematical techniques. To illustrate the efficiency of our algorithm, an analysis was carried out with different size parameters and the performance of the proposed and previously existing algorithms was evaluated with experimental data and mathematical analysis.
Brizolis asked for which primes $p$ greater than 3 there exists a pair $(g,h)$ such that $h$ is a fixed point of the discrete exponential map with base $g$, or equivalently $h$ is a fixed point of the discrete logarithm with base $g$. Various authors have contributed to the understanding of this problem. In this paper, we use $p$-adic methods, primarily Hensel’s lemma and $p$-adic interpolation, to count fixed points, two-cycles, collisions, and solutions to related equations modulo powers of a prime $p$.
From power series expansions of functions on curves over finite fields, one can obtain sequences with perfect or almost perfect linear complexity profile. It has been suggested by various authors to use such sequences as key streams for stream ciphers. In this work, we show how long parts of such sequences can be computed efficiently from short ones. Such sequences should therefore be considered to be cryptographically weak. Our attack leads in a natural way to a new measure of the complexity of sequences which we call expansion complexity.