Article

A Course in Computational Algebraic Number Theory


... Most of the materials in Section 2.1, Section 2.2, Section 2.3, Section 2.4 and Section 2.5 can be found in basic algebraic number theory textbooks, especially [42], [36] and [19]. • All integers are algebraic integers. ...
... Theorem 2.2.1. (see Theorem 4.6.14 in [19]) I_K is an abelian group under the above product. ...
... Now we define the Hilbert class field of a number field K and highlight its importance in the study of the class group of K. Definition 2.9.1. (page 198 of [19]) Let K be a number field. Then any embedding τ : K → C is called an infinite prime. ...
Thesis
Full-text available
... We present the methods to compute class numbers and finding elements in the ideal class group with a large order. We follow the descriptions in [26] and [3]. There is a bijection between the class group of binary quadratic forms with discriminant d_K < 0 and the ideal class group of the order with discriminant d_K. ...
... , c_2), their composition (a_3, b_3, c_3) can be calculated by Algorithm 5.4.7 in Cohen's book [3]; • The form (a_3, b_3, c_3) is primitive and has discriminant d_K but it is not necessarily reduced. The reduction Algorithm 5.4.2 of [3] applied to (a_3, b_3, c_3) outputs a primitive reduced quadratic form (a, b, c) with discriminant d_K; • We denote the multiplication of quadratic forms by •, i.e. (a, b, c) = (a_1, b_1, c_1) • (a_2, b_2, c_2). The neutral element I is represented by the triple (1, 0, −d_K/4) if d_K ≡ 0 mod 4 and by (1, 1, (1 − d_K)/4) if d_K ≡ 1 mod 4. The Algorithm of [26] determines whether an element of the ideal class group of the number field K = Q(√−d) has order at least a value MinClass. Algorithm ([26]) Input: A primitive reduced quadratic form (a, b, c) of discriminant d_K. Output: "true" if the order of the corresponding element of the ideal class group is at least MinClass; and "false" otherwise. 1) Set t = I. 2) for i from 1 to MinClass − 1 do Set t = t • (a, b, c). ...
... , 11 are analogous to this one and left to be a very good exercise for the reader. (3,1), (3,4), (3,7), (6, −1), (6,1), (6,4), (6, 7)} (mod 9). In particular, if the above conditions hold, then i(K ) = 1. ...
... By Theorem 3.1, φ_2 provides two prime ideals of Z_K lying above 2 with residue degree 2 each. Since there is only one monic irreducible polynomial of degree 2 in (1,2), (2, 1), and (4, 0). By Theorem 3.1, φ_1 provides three prime ideals of Z_K lying above 2 with residue degree 1 each. ...
Article
Full-text available
In this paper, we study the monogenity of any number field defined by a monic irreducible trinomial \(F(x)=x^{12}+ax^m+b\in \mathbb {Z}[x]\) with \(1\le m\le 11\) an integer. For every integer m, we give sufficient conditions on a and b so that the field index i(K) is not trivial. In particular, if \(i(K)\ne 1\), then K is not monogenic. For \(m=1\), we give necessary and sufficient conditions on a and b, which characterize when a rational prime p divides the index i(K). For every prime divisor p of i(K), we also calculate the highest power p dividing i(K), in such a way we answer the problem 22 of Narkiewicz (Elementary and analytic theory of algebraic numbers, Springer Verlag, Auflag, 2004) for the number fields defined by trinomials \(x^{12}+ax+b\).
... We refer the reader to Chapter 2 of [77] for a short summary of the group and field related topics. For a finite field reference, we recommend the book [73], and for algebraic number theory, especially from the algorithmic side, we recommend the book [23]. ...
... There are other useful basis representations, such as Hermite Normal Form (HNF, see section 2.4.2 of [23]) or LLL-reduced basis [66]. Using a suitable basis of ideal, we can quickly identify all elements of a bounded subspace of Z[α] belonging to a given ideal. ...
... A more complicated situation can appear if r(X) can be factored mod p_i or in the case of ramified primes. It is thus better to compute exact ideal valuations by using Algorithm 4.8.17 of [23]. (6) Find non-trivial solution of the system of equations modulo q. ...
Thesis
Full-text available
We have successfully implemented the NFS algorithm, and were able to solve the XTR-discrete logarithm problem. The final largest experiment executed was the computation of discrete logarithms in Fp6 with 40-bit prime characteristic (240-bit field size).
... We let ∆(f ) and ∆(K) denote the discriminants over Q, respectively, of f (x) and a number field K. If f (x) is irreducible, with f (θ) = 0 and K = Q(θ), then we have the well-known equation [1] (1.1) ...
... Definition 2.1 ([1]). Let R be an integral domain with quotient field K, and let \(\overline{K}\) be an algebraic closure of K. Let f(x), g(x) ∈ R[x], and suppose ...
Article
Full-text available
We prove a new irreducibility criterion for certain septinomials in ℤ[x], and we use this result to construct infinite families of reciprocal septinomials of degree 2^n · 3 that are monogenic for all n ≥ 1.
... Suppose that f(x) ∈ Z[x] is a monic polynomial that is irreducible over Q. Let Z_K be the ring of integers of K = Q(θ), where f(θ) = 0. Then [3] ( ...
... The discriminant of F p (x) given in the next proposition follows from the formula for the discriminant of an arbitrary monic trinomial [14]. The next theorem is essentially an algorithmic adaptation, specifically for trinomials, of Dedekind's Index Criterion [3], which is a standard tool used to determine the monogenicity of an irreducible monic polynomial. ...
... We review the basic terminology and facts for binary quadratic forms and class numbers [2,13]. Let f(x, y) := ax² + bxy + cy² be a binary quadratic form. ...
... . If this is the case, then categories (1), (2), and (3) all contain this triple but otherwise do not intersect. This, in turn, happens iff n = 3k² for some k ∈ Z⁺. ...
Article
Full-text available
Using a higher-dimensional analog of an identity known to Kronecker, we discover a new Andrews–Crandall-type identity and use it to count the number of integer solutions to \(x^2+2y^2+2z^2=n\).
... A basis B is called in Hermite Normal Form (HNF) if it is upper triangular, all elements on the diagonal are strictly positive, and any other element b_ij satisfies 0 ≤ b_ij < b_ii. It is easy to see that every integer lattice L = L(B) has a unique basis in Hermite Normal Form, denoted by HNF(L) (see Theorem 2.4.3 of Cohen (1993)). Moreover, given any basis B for lattice L, HNF(L) can be efficiently computed from B (see Cohen (1993)). ...
Chapter
Full-text available
There are five models of fintech development in the world: the technology promotion model represented by the USA, the rule-driven model represented by the UK, the market pull model represented by China, the mixed competition model represented by Japan and Indonesia, and the model of fanning out from point to area represented by South Korea and Israel. In terms of the layout, the transformation of traditional financial hubs has been accelerated, China and the USA have outstanding advantages in fintech, and the Asia-Pacific region has great potential for fintech development. The fintech of China has been promoted to the world's leading level; Japan boosts the rapid growth of fintech through advantages of backwardness; Singapore gathers innovative resources with a relaxed and inclusive atmosphere; South Korea promotes scale development of the fintech industry by fanning out from point to area; India is gradually exerting its potential for fintech development; Israel builds the highland of fintech development through guidance plus service; Indonesia has gradually become a rising star in fintech development in Southeast Asia; Hong Kong promotes the momentum of sound fintech development with government assistance.
... A basis B is called in Hermite Normal Form (HNF) if it is upper triangular, all elements on the diagonal are strictly positive, and any other element b_ij satisfies 0 ≤ b_ij < b_ii. It is easy to see that every integer lattice L = L(B) has a unique basis in Hermite Normal Form, denoted by HNF(L) (see Theorem 2.4.3 of Cohen (1993)). Moreover, given any basis B for lattice L, HNF(L) can be efficiently computed from B (see Cohen (1993), Micciancio (2001)). ...
Chapter
Full-text available
The best-known public key cryptosystem was introduced in 1978 by Rivest et al. (1978) and is now called the RSA public key cryptosystem in their honor. Later, a few authors gave a simple extension of RSA over algebraic number fields (see Takagi and Naito (2015), Uematsu et al. (1985, 1986)), but they require that the ring of algebraic integers is a Euclidean ring, and this requirement is much stronger than the class number one condition. In this chapter, we introduce a high dimensional form of RSA by making use of the ring of algebraic integers of an algebraic number field and lattice theory. We give an attainable algorithm (see Algorithm 1) which is significant both from the theoretical and practical point of view. Our main purpose in this chapter is to show that the high dimensional RSA is indeed a lattice-based public key cryptosystem, which would be considered as a new member of the family of post-quantum cryptography (see Peikert (2014), Pradhan et al. (2019)). On the other hand, we give a matrix expression for any algebraic number field (see Theorem 2), which is a new result even in the sense of classical algebraic number theory.
... The most important algorithms are divided into two subfamilies: primality tests and pseudo-primality tests. We refer to [4, Chapters 8 and 9], [8] and [13] for surveys on known algorithms, from oldest to most recent. Actually, we are talking about a very long-standing mathematical problem which was already addressed by Euclid's Elements. ...
... we get that the set of such n is of cardinality (1) regardless of the value of k. So, assuming b ≤ L(x)², we get that (10) x kL(x) 4 ...
Preprint
Full-text available
We describe the average sizes of the set of bad witnesses for a pseudo-primality test which is the product of a multiple-rounds Miller-Rabin test by the Galois test.
... In 1878, Dedekind gave the explicit factorization of the principal ideal pZ K when p does not divide the index (Z K : Z[θ]) for some primitive element θ ∈ Z K (see [8] and [23,Theorem 4.33]). He also gave a criterion known as Dedekind's criterion to test the divisibility of the index (Z K : Z[θ]) by p (see [7,Theorem 6.14], [8], and [23]). When p divides i(K), then Dedekind's theorem cannot give the prime ideal factorization of pZ K . ...
Article
Full-text available
Let $K$ be a pure number field with $\alpha$ a complex root of a monic irreducible polynomial $F(x) = x^{120}-m \in \mathbb{Z}[x]$ with $ m \neq \pm 1 $. In this paper, we study the monogenity of $K$. More precisely, we prove that if $m$ is square-free, $m \not \equiv 1 \pmod{4}$, $m \not \equiv \pm 1 \pmod{9}$, and $\overline{m} \not \in \{ \mp 1, 7, 18 \} \pmod{25}$, then $K$ is monogenic. On the other hand, if $m \equiv 1 \pmod{4}$, $m \equiv 1 \pmod{9}$, or $m \equiv 1 \pmod{25}$, then $K$ is not monogenic. Our results are illustrated by some computational examples.
... Dedekind also gave a criterion which allows one to test whether p does not divide (Z_K : Z[α]) (see [6]). In 1894, Hensel developed a powerful approach by showing that the prime ideals of Z_K lying above p are in one-to-one correspondence with the monic irreducible factors of F(x) over the field Q_p of p-adic numbers and that the ramification index together with the residue degree of a prime ideal of Z_K lying over p are the same as those of the simple extension of Q obtained by adjoining a root of the corresponding irreducible factor of F(x) belonging to Q_p[x]. ...
Article
Full-text available
Let K = Q(α) be a number field, where α satisfies the monic irreducible polynomial F(x) = x^5 + ax + b belonging to Z[x]. The purpose of this paper is to characterise when a prime p is a common index divisor of K. More precisely, we give explicitly necessary and sufficient conditions on a and b for which K is not monogenic. Some useful examples are also given.
... The natural numbers a and a + 1 are called successive natural numbers. All necessary notions of elementary number theory are from [2,4] and those of computational number theory are from [1,6]. ...
Article
Full-text available
In this paper, we give a characterization of primes and composite natural numbers using the notion of the sum of successive natural numbers. We prove essentially that an odd natural number N ≥ 3 is prime if and only if the unique decomposition of N as a sum of successive natural numbers is the trivial decomposition N = a + (a + 1) with a = (N - 1) / 2.
... Following [11, Section 5.3], we define the Hurwitz class number H(N), where N is a non-negative integer, as follows: binary quadratic forms of discriminant −N, with those classes that contain a multiple of x² + y² or x² + xy + y² counted with weight 1/2 or 1/3, respectively. ...
Article
Full-text available
We find Hecke–Rogers type series representations of generating functions of the Hurwitz class numbers which are similar to certain mock theta functions. We also prove two combinatorial interpretations of Hurwitz class numbers which appeared on OEIS (see A238872 and A321440).
... In order to help the students gain familiarity with the cryptographic applications of modular arithmetic they are given 1st and 2nd order congruences mod n to solve for their homework. This also readies them for introduction to elliptic curves which use 3rd order congruences [3]. Unfortunately, they often eschew modular methods of solving the 2nd order congruences preferring to fall back on other methods of solving quadratic equations with which they have greater familiarity. ...
... If the system of equations is linear, there are many approaches available to determine the solutions (e.g., Gaussian elimination and matrix inverses [14], nullspace computation [13,14,19], linear programming [5], etc.). If the system happens to be polynomial in nature, then exact techniques employing resultants [7] or Gröbner bases [8,9] can be employed. However, these techniques have their shortcomings. ...
Chapter
Systems of nonlinear equations can be quite difficult to solve, even when the system is small. As the systems grow in size, the complexity can increase dramatically to find all solutions. This research discusses transforming the system into a global optimization problem and making use of a newly developed cloud-based optimization solver to efficiently find solutions. Examples on large systems are presented.
... Later Boneh-Durfee [3] improved this attack to N^0.292. Their attack is based on Coppersmith's [4] technique for finding small solutions to modular polynomial equations, which in turn is based on the Lenstra-Lenstra-Lovász (LLL) lattice reduction algorithm [5,6]. Further, de Weger [7] investigated RSA vulnerability if the primes in the modulus had a small prime difference. ...
Article
Full-text available
RSA is a well-known public-key cryptosystem in modern-day cryptography. Since the inception of RSA, several attacks have been proposed on RSA. The Boneh–Durfee attack is the most prominent, and they showed that if the secret exponent is less than 0.292, RSA is completely vulnerable. In this paper, we further investigate the vulnerability of RSA whenever a secret exponent is large and of composite form, with a few most significant bits of one of the primes exposed. Having a large secret exponent can avoid the Boneh–Durfee attack, but in this attack we show that even though the secret exponent is large, if it has some specialized structure then RSA is still vulnerable. We follow the Jochemsz and May strategy for constructing the lattice, and the LLL algorithm is used for lattice reduction. Our attack outperforms most of the previous attacks.
... (5) If F/F′ is a Galois extension, let D_P(F/F′) denote the decomposition group of P and I_P(F/F′) its inertia group; in this case we use the notation e_p(F/F′) = e_P(F/F′) and f_p(F/F′) = f_P(F/F′), since these indices do not depend on the choice of P. (6) If both F/Q and F′/Q are Galois extensions, we use the notation e_p(F/F′) = e_P(F/F′) and f_p(F/F′) = f_P(F/F′). (7) If p ⊂ O_F is a prime ideal, the degree of p is defined as deg(p) := f_p(F/Q). ...
... The algebraic number field K generated by P is in principle this set, only considered as a d-dimensional vector space over Q with basis B = {1, λ, λ², ..., λ^(d−1)}. The complex number z ∈ Q(λ) is replaced by the column vector z = x = (x_1, ..., x_d)′ in K. Cf. [20,5]. Let K ⊃ K denote the corresponding real vector space with coefficients x_k ∈ R. ...
Preprint
Self-similar sets require a separation condition to admit a nice mathematical structure. The classical open set condition (OSC) is difficult to verify. Zerner proved that there is a positive and finite Hausdorff measure for a weaker separation property which is always fulfilled for crystallographic data. Ngai and Wang gave more specific results for a finite type property (FT), and for algebraic data with a real Pisot expansion factor. We show how the algorithmic FT concept of Bandt and Mesing relates to the property of Ngai and Wang. Merits and limitations of the FT algorithm are discussed. Our main result says that FT is always true in the complex plane if the similarity mappings are given by a complex Pisot expansion factor $\lambda$ and algebraic integers in the number field generated by $\lambda .$ This extends the previous results and opens the door to huge classes of separated self-similar sets, with large complexity and an appearance of natural textures. Numerous examples are provided.
... Most of the code used to generate these images was written in Python, though the code for the animations (explained in section 3.1) and the generation of the Laurent polynomials g_d (explained in Theorem 2 and section 3.1) was written in Sage for convenience reasons. Many algorithmic aspects of computing elliptic curve torsion points were based on the algorithms in [4,5], and these are often cited in the comments of the code itself. Readers may access our code at the following GitHub link: https://github.com/SamanthaPlatt/GaussianPeriodsandAnaloguesCode ...
Preprint
Full-text available
Gaussian periods have been studied for centuries in the realms of number theory, field theory, cryptography, and elsewhere. However, it was only within the last decade or so that they began to be studied from a visual perspective. By plotting Gaussian periods in the complex plane, many interesting and insightful patterns can be seen, leading to various conjectures and theorems about their properties. In this paper, we offer a description of Gaussian periods, along with examples of the structure that can occur when plotting them in the complex plane. In addition to this, we offer two ways in which this study can be generalized to other situations -- one relating to supercharacter theory, the other relating to class field theory -- along with discussions and visual examples of each. We end the paper by including some code for readers to generate images on their own.
... The function bnfinit is an implementation of Buchmann's subexponential algorithm for class groups and unit groups [12] by Cohen-Diaz-Olivier [13], [14]. It is based on searching for relations between ideals in a set of prime ideals that generates the class group, and is correct under the assumption of the Riemann hypothesis for all Hecke L-functions attached to non-trivial characters of the ideal class group [7]. ...
Preprint
Full-text available
It is proved that c = 689347 = 31*37*601 is the smallest conductor of a cyclic cubic number field K whose maximal unramified pro-3-extension E = F(3,infinity,K) possesses an automorphism group G = Gal(E/K) of order 6561 with coinciding relation and generator rank d2(G) = d1(G) = 3 and harmonically balanced transfer kernels kappa(G) in S(13).
... and it is known to be achieved by the Hermite normal form of Ũ (Cohen, 1993), ...
Preprint
Full-text available
A spin space group provides a suitable way to fully exploit the symmetry of a spin arrangement with a negligible spin-orbit coupling. There has been a growing interest in applying spin symmetry analysis with the spin space group in the field of magnetism. However, there is no established algorithm to search for spin symmetry operations of the spin space group. This paper presents an exhaustive algorithm for determining spin symmetry operations of commensurate spin arrangements. The present algorithm searches for spin symmetry operations from the symmetry operations of a corresponding nonmagnetic crystal structure and determines their spin-rotation parts by solving a Procrustes problem. An implementation is distributed under a permissive free software license in spinspg v0.1.1: https://github.com/spglib/spinspg.
... See the books by Buell [Bue89] or Cohen [Coh93] for a longer exposition on quadratic forms. Note that while most references study the PSL(2, Z) action, we will need the extended PGL(2, Z) action, which no longer gives rise to a group. ...
Preprint
In a primitive integral Apollonian circle packing, curvatures that appear must fall into one of six or eight residue classes modulo 24. The Local-Global Conjecture states that every sufficiently large integer in one of these residue classes will appear as a curvature in the packing. We prove that this conjecture is false for many packings, by proving that certain quadratic and quartic families are missed. We then formulate a new conjecture, and give computational evidence in support of it.
... is given by p ( p,r,k ) . Let f (x) ∈ ℤ[x] be the minimal polynomial of r,l+k,0 over ℚ[x] , which can be calculated using theoretical techniques, [9], or computational ones, [5]. The integral version of Hensel's Lemma allows the lifting of the factorization ...
Article
Full-text available
In this work we present a standard model for Galois rings based on the standard model of their residual fields, that is, a sequence of Galois rings starting with \({\mathbb Z}_{p^r}\) that covers all the Galois rings with that characteristic ring and such that there is an algorithm producing each member of the sequence whose input is the size of the required ring.
... If y is odd then swap y and z. If x is even then θ ← 1/2 + (x/2) i + (z/2) j + (y/2) k, else θ ← (x/2) i + (y/2) j + (z/2) k. Break out of the While loop. x ← x + p, until θ is defined. c ← 0. While c < r do: Translate θ to be minimally-suitable (Lemma 4.5). ...
Article
Full-text available
In supersingular isogeny-based cryptography, the path-finding problem reduces to the endomorphism ring problem. Can path-finding be reduced to knowing just one endomorphism? It is known that a small degree endomorphism enables polynomial-time path-finding and endomorphism ring computation (in: Love and Boneh, ANTS XIV-Proceedings of the Fourteenth Algorithmic Number Theory Symposium, volume 4 of Open Book Ser. Math. Sci. Publ., Berkeley, 2020). An endomorphism gives an explicit orientation of a supersingular elliptic curve. In this paper, we use the volcano structure of the oriented supersingular isogeny graph to take ascending/descending/horizontal steps on the graph and deduce path-finding algorithms to an initial curve. Each altitude of the volcano corresponds to a unique quadratic order, called the primitive order. We introduce a new hard problem of computing the primitive order given an arbitrary endomorphism on the curve, and we also provide a sub-exponential quantum algorithm for solving it. In concurrent work (in: Wesolowski, Advances in cryptology-EUROCRYPT 2022, volume 13277 of Lecture Notes in Computer Science. Springer, Cham, 2022), it was shown that the endomorphism ring problem in the presence of one endomorphism with known primitive order reduces to a vectorization problem, implying path-finding algorithms. Our path-finding algorithms are more general in the sense that we don’t assume the knowledge of the primitive order associated with the endomorphism.
... In this conference paper, we have explained the RSA public-key cryptosystem and the Hill cipher cryptosystem and executed a mathematical example of combining those cryptosystems to secure the data (Cohen, 1994; Adhikari and Adhikari, 2007). ...
... Possible applications of the research results include the theory of integer factorization [7], including factorization using polynomials [8], cryptography [9], the algebraic theory of modular computations [10,11], etc. ...
Article
We call sphenic those polynomials formed as the product of three (not necessarily distinct) prime irreducible polynomials with a priori unknown degrees. The main task of the study is to develop an efficient algorithm for factorizing the degree of sphenic polynomials with minimal computational complexity. Various approaches to the factorization problem are considered depending on the relations between the degree and the cycle period of these polynomials. The cycle period of a sphenic polynomial is defined as a parameter equal to the number of non-repeating residues computed on the linear-logarithmic scale of the group generated by the polynomial. The proposed algorithm is invariant to the characteristics of the Galois fields generated by the factors of the sphenic polynomials. The correctness of the research results is confirmed by numerous numerical examples.
... Given α, β two algebraic numbers, one can always compute the representations of α + β, αβ, 1/α, (α), (α), |α|, and decide α = β, α > β in polynomial time wrt the size of their representations. [5,12]. ...
Preprint
Full-text available
Linear Recurrence Sequences (LRS) are a fundamental mathematical primitive for a plethora of applications such as model checking, probabilistic systems, computational biology, and economics. Positivity (are all terms of the given LRS at least 0?) and Ultimate Positivity (are all but finitely many terms of the given LRS at least 0?) are important open number-theoretic decision problems. Recently, the robust versions of these problems, that ask whether the LRS is (Ultimately) Positive despite small perturbations to its initialisation, have gained attention as a means to model the imprecision that arises in practical settings. In this paper, we consider Robust Positivity and Ultimate Positivity problems where the neighbourhood of the initialisation, specified in a natural and general format, is also part of the input. We contribute by proving sharp decidability results: decision procedures at orders our techniques can't handle would entail significant number-theoretic breakthroughs.
... Lemma 2.4 (see [4]) Let κ be a real number and x, y integers such that |κ − x/y| < 1/(2y²). Then x/y = p_k/q_k is a convergent of the continued fraction expansion [a_0, a_1, ...] of κ (with some k = 0, 1, ... ...
Article
Full-text available
Recall that a repdigit in base g is a positive integer that has only one digit in its base g expansion; i.e., a number of the form \(a(g^m-1)/(g-1)\), for some positive integers \(m\ge 1\), \(g\ge 2\) and \(1\le a\le g-1\). In the present study, we investigate all Fibonacci or Lucas numbers which are expressed as products of three repdigits in base g. As illustration, we consider the case \(g=10\) where we show that the numbers 144 and 18 are the largest Fibonacci and Lucas numbers which can be expressible as products of three repdigits respectively. All this is done using linear forms in logarithms of algebraic numbers.
Article
Fermat’s Last Theorem is a famous theorem in number theory which is difficult to prove. However, it is known that the version of polynomials with one variable of Fermat’s Last Theorem over ℂ can be proved very concisely. The aim of this paper is to study the similar problems about Fermat’s Last Theorem for multivariate (skew)-polynomials with any characteristic.
Article
The main goal of this paper is to provide a complete answer to Problem 22 of Narkiewicz (2004) for any sextic number field K generated by a root of a monic irreducible trinomial \(F(x)=x^6+ax^5+b\in \mathbb {Z}[x]\). Namely, we calculate the index of the field K. In particular, if \(i(K)\ne 1\), then K is not monogenic. Finally, we illustrate our results by some computational examples.
Chapter
The Isogeny to Endomorphism Ring Problem (IsERP) asks to compute the endomorphism ring of the codomain of an isogeny between supersingular curves in characteristic p given only a representation for this isogeny, i.e. some data and an algorithm to evaluate this isogeny on any torsion point. This problem plays a central role in isogeny-based cryptography; it underlies the security of pSIDH protocol (ASIACRYPT 2022) and it is at the heart of the recent attacks that broke the SIDH key exchange. Prior to this work, no efficient algorithm was known to solve IsERP for a generic isogeny degree, the hardest case seemingly when the degree is prime. In this paper, we introduce a new quantum polynomial-time algorithm to solve IsERP for isogenies whose degrees are odd and have \(O(\log \log p)\) many prime factors. As main technical tools, our algorithm uses a quantum algorithm for computing hidden Borel subgroups, a group action on supersingular isogenies from EUROCRYPT 2021, various algorithms for the Deuring correspondence and a new algorithm to lift arbitrary quaternion order elements modulo an odd integer N with \(O(\log \log p)\) many prime factors to powersmooth elements. As a main consequence for cryptography, we obtain a quantum polynomial-time key recovery attack on pSIDH. The technical tools we use may also be of independent interest.
Chapter
The presumed hardness of the Shortest Vector Problem for ideal lattices (Ideal-SVP) has been a fruitful assumption to understand other assumptions on algebraic lattices and as a security foundation of cryptosystems. Gentry [CRYPTO’10] proved that Ideal-SVP enjoys a worst-case to average-case reduction, where the average-case distribution is the uniform distribution over the set of inverses of prime ideals of small algebraic norm (below \(d^{O(d)}\) for cyclotomic fields, where d refers to the field degree). De Boer et al. [CRYPTO’20] obtained another random self-reducibility result for an average-case distribution involving integral ideals of norm \(2^{O(d^2)}\). In this work, we show that Ideal-SVP for the uniform distribution over inverses of small-norm prime ideals reduces to Ideal-SVP for the uniform distribution over small-norm prime ideals. Combined with Gentry’s reduction, this leads to a worst-case to average-case reduction for the uniform distribution over the set of small-norm prime ideals. Using the reduction from Pellet-Mary and Stehlé [ASIACRYPT’21], this notably leads to the first distribution over NTRU instances with a polynomial modulus whose hardness is supported by a worst-case lattice problem.
Article
Full-text available
In this paper, we introduce secure groups as a cryptographic scheme representing finite groups together with a range of operations, including the group operation, inversion, random sampling, and encoding/decoding maps. We construct secure groups from oblivious group representations combined with cryptographic protocols, implementing the operations securely. We present both generic and specific constructions, in the latter case specifically for number-theoretic groups commonly used in cryptography. These include Schnorr groups (with quadratic residues as a special case), Weierstrass and Edwards elliptic curve groups, and class groups of imaginary quadratic number fields. For concreteness, we develop our protocols in the setting of secure multiparty computation based on Shamir secret sharing over a finite field, abstracted away by formulating our solutions in terms of an arithmetic black box for secure finite field arithmetic or for secure integer arithmetic. Secure finite field arithmetic suffices for many groups, including Schnorr groups and elliptic curve groups. For class groups, we need secure integer arithmetic to implement Shanks’ classical algorithms for the composition of binary quadratic forms, which we will combine with our adaptation of a particular form reduction algorithm due to Agarwal and Frandsen. As a main result of independent interest, we also present an efficient protocol for the secure computation of the extended greatest common divisor. The protocol is based on Bernstein and Yang’s constant-time 2-adic algorithm, which we adapt to work purely over the integers. This yields a much better approach for multiparty computation but raises a new concern about the growth of the Bézout coefficients. By a careful analysis, we are able to prove that the Bézout coefficients in our protocol will never exceed 3max(a,b) in absolute value for inputs a and b.
We have integrated secure groups in the Python package MPyC and have implemented threshold ElGamal and threshold DSA in terms of secure groups. We also mention how our results support verifiable multiparty computation, allowing parties to jointly create a publicly verifiable proof of correctness for the results accompanying the results of a secure computation.
Article
Full-text available
Let \(f(x)=x^n+ax^2+bx+c \in {\textbf {Z}}[x]\) be an irreducible polynomial with \(b^2=4ac\) and let \(K={\textbf {Q}}(\theta )\) be an algebraic number field defined by a complex root \(\theta \) of f(x). Let \({\textbf {Z}}_K\) denote the ring of algebraic integers of K. The aim of this paper is to provide the necessary and sufficient conditions involving only a, c and n for a given prime p to divide the index of the subgroup \({\textbf {Z}}[\theta ]\) in \({\textbf {Z}}_K\). As a consequence, we provide families of monogenic algebraic number fields. Further, when \({\textbf {Z}}_K \ne {\textbf {Z}}[\theta ]\), we determine explicitly the index \([{\textbf {Z}}_K: {\textbf {Z}}[\theta ]]\) in some cases.
Chapter
Elliptic curve cryptography (ECC) is a well-developed and widely used type of public key encryption that outperforms older cryptographic systems such as RSA. Because of its ability to provide improved security while using smaller key sizes, ECC has recently gained popularity. The computation of the private scalar integer that is used as a private key to generate the public key is the most important determinant of ECC security. The elliptic curve discrete logarithm problem (ECDLP) serves as the foundation for the complexity of ECC. The index calculus approach is one of the most effective strategies for solving ECDLP. In recent years, significant progress has been made in theoretically and functionally improving the efficiency of the index calculus approach for ECDLP. This research looks at the recent advances in the algorithm and its complexity, new methodologies and methods for improving its efficiency, the current state of the art in this field, as well as outstanding research challenges that require further investigation. The goal of this paper is to provide an overview of the recent developments in this critical area of cryptography research. We compare and contrast cutting-edge algorithms and strategies designed to improve the method's efficiency.
Article
In this work, we introduce the notion of k-almost prime polynomials formed by the product over a Galois field of an arbitrary characteristic p of exactly k irreducible polynomials. The study aims to develop an effective algorithm for factorizing the degree of such composite polynomials providing a minimum of computational complexity. The proposed algorithm is based on the solution of a system of two equations functionally related to the a priori unknown degree of the components of the compound polynomial. One of these equations reflects that the degree of the composite polynomial equals the sum of degrees of elements of this polynomial. The second equation is based on the so-called cycle period of the compound polynomial, which coincides with the least common multiple of the unknown degrees of the components of the compound polynomial. It is found that the expansion of the cycle period contains all the degrees of the factorizable compound polynomial. The computational volume reduction is achieved by switching from the linear scale of the multiplicative group of subtractions generated by the cycle period of the compound polynomial to the logarithmic scale.
Article
A polynomial program is one in which all assignments are given by polynomial expressions and in which all branching is nondeterministic (as opposed to conditional). Given such a program, an algebraic invariant is one that is defined by polynomial equations over the program variables at each program location. Müller-Olm and Seidl have posed the question of whether one can compute the strongest algebraic invariant of a given polynomial program. In this paper we show that, while strongest algebraic invariants are not computable in general, they can be computed in the special case of affine programs, that is, programs with exclusively linear assignments. For the latter result our main tool is an algebraic result of independent interest: given a finite set of rational square matrices of the same dimension, we show how to compute the Zariski closure of the semigroup that they generate.
Chapter
Unit group computations are a cryptographic primitive for which one has a fast quantum algorithm, but the required number of qubits is \(\tilde{O}(m^5)\). In this work we propose a modification of the algorithm for which the number of qubits is \(\tilde{O}(m^2)\) in the case of cyclotomic fields. Moreover, under a recent conjecture on the size of the class group of \(\mathbb Q(\zeta _m+\zeta _m^{-1})\), the quantum algorithm is much simpler because it is a hidden subgroup problem (HSP) algorithm rather than its error estimation counterpart: continuous hidden subgroup problem (CHSP). We also discuss the (minor) speed-up obtained when exploiting Galois automorphisms thanks to the Buchmann-Pohst algorithm over \(\mathcal {O}_K\)-lattices.
Article
Full-text available
This work investigates the level lines of primary functions in the ring Z/nZ and explores their key indicator, the line indicator function. The properties of the line indicator function, such as strict positivity, multiplicativity, and fulfillment of the triangle inequality, are studied in detail. The correspondence with Euler’s totient function is established, highlighting the connections between the properties of level lines in Z/nZ and fundamental arithmetic concepts. The fundamental identity of level lines is examined in algebra and arithmetic, offering applications in the factorization of polynomial squares and the unique representation of natural number squares. Lastly, the notion of multiplicative p-metric is introduced to gain a better understanding of modular multiplication in Z/nZ.
Preprint
Full-text available
We present an efficient computational representation of central simple algebras using Brauer factor sets. Using this representation and polynomial quantum algorithms for number-theoretic tasks such as factoring and $S$-unit group computation, we give a polynomial quantum algorithm for the explicit isomorphism problem over number fields, which relies on a heuristic concerning the irreducibility of the characteristic polynomial of a random matrix with algebraic integer coefficients. We present another version of the algorithm which does not need any heuristic but which is only polynomial if the degree of the input algebra is bounded.
Chapter
In this paper we first present an efficient protocol for the secure computation of the extended greatest common divisor, assuming basic secure integer arithmetic common to many MPC frameworks. The protocol is based on Bernstein and Yang’s constant-time 2-adic algorithm, which we adapt to work purely over the integers. This yields a much better approach for the MPC setting, but raises a new concern about the growth of the Bézout coefficients. By a careful analysis we are able to prove that the Bézout coefficients in our protocol will never exceed \(3\max (a,b)\) in absolute value for inputs a and b. Next, we present efficient protocols for implementing class groups of imaginary quadratic number fields in the MPC setting. We start from Shanks’ original algorithms for the efficient composition of binary quadratic forms and combine these with our particular adaptation of a forms reduction algorithm due to Agarwal and Frandsen. We will formulate this result in terms of secure groups, which are introduced as oblivious data structures implementing finite groups in a privacy-preserving manner. Our results show how class group operations can be run efficiently between multiple parties operating jointly on secret-shared group elements. We have integrated secure class groups in MPyC along with other instances of secure groups such as Schnorr groups and elliptic curves.
Article
We consider the problem of deciding the existence of real roots of real-valued exponential polynomials with algebraic coefficients. Such functions arise as solutions of linear differential equations with real algebraic coefficients. We focus on two problems: the Zero Problem, which asks whether an exponential polynomial has a real root, and the Infinite Zeros Problem, which asks whether such a function has infinitely many real roots. Our main result is that for differential equations of order at most 8 the Zero Problem is decidable, subject to Schanuel’s Conjecture, whilst the Infinite Zeros Problem is decidable unconditionally. We show moreover that a decision procedure for the Infinite Zeros Problem at order 9 would yield an algorithm for computing the Lagrange constant of any given real algebraic number to arbitrary precision, indicating that it will be very difficult to extend our decidability results to higher orders.
Preprint
Full-text available
We describe several algorithms for computing $e$-th roots of elements in a number field $K$, where $e$ is an odd prime-power integer. In particular we generalize Couveignes' and Thom\'e's algorithms originally designed to compute square roots in the Number Field Sieve algorithm for integer factorization. Our algorithms cover most cases of $e$ and $K$ and allow one to obtain reasonable timings even for large degree number fields and large exponents $e$. The complexity of our algorithms is better than that of general root finding algorithms, and our implementation compared well in performance to these algorithms as implemented in well-known computer algebra software. One important application of our algorithms is to compute the saturation phase in the Twisted-PHS algorithm for solving the Ideal-SVP problem over cyclotomic fields in post-quantum cryptography.
Article
Full-text available
Let $K$ be a pure number field generated by a complex root of a monic irreducible polynomial $F(x)=x^{2^r\cdot7^s}-m\in \mathbb{Z}[x]$, where $m\neq \pm 1$ is a square-free integer, and $r$ and $s$ are two positive integers. In this paper, we study the monogenity of $K$. We prove that if $m\not\equiv 1 \pmod{4}$ and $\overline{m}\not\in\{\pm \overline{1},\pm \overline{18},\pm \overline{19}\} \pmod{49}$, then $K$ is monogenic. But if $r\geq 2$ and $m\equiv 1 \pmod{16}$, or $s\geq 3$, $\overline{m}\in\{ \overline{1}, \overline{18}, -\overline{19}\} \pmod{49}$, and $\nu_7(m^6-1)\geq 4$, then $K$ is not monogenic. Some illustrating examples are given at the end of the paper.