Deterministic equation solving over finite fields

It is shown how to solve diagonal forms in many variables over finite fields by means of a deterministic efficient algorithm. Applications to norm equations, quadratic forms, and elliptic curves are given.Thomas Stieltjes Institute for MathematicsUBL - phd migration 201

Rational points on certain hyperelliptic curves over finite fields

Let $K$ be a field, $a, b\in K$ and $ab\neq 0$. Let us consider the polynomials $g_{1}(x)=x^n+ax+b, g_{2}(x)=x^n+ax^2+bx$, where $n$ is a fixed positive integer. In this paper we show that for each $k\geq 2$ the hypersurface given by the equation \begin{equation*} S_{k}^{i}: u^2=\prod_{j=1}^{k}g_{i}(x_{j}),\quad i=1, 2. \end{equation*} contains a rational curve. Using the above and Woestijne's recent results \cite{Woe} we show how one can construct a rational point different from the point at infinity on the curves $C_{i}:y^2=g_{i}(x), (i=1, 2)$ defined over a finite field, in polynomial time.Comment: Revised version will appear in Bull. Polish Acad. Sci. Mat

Sequences of irreducible polynomials without prescribed coefficients over odd prime fields

In this paper we construct infinite sequences of monic irreducible polynomials with coefficients in odd prime fields by means of a transformation introduced by Cohen in 1992. We make no assumptions on the coefficients of the first polynomial $f_0$ of the sequence, which belongs to \F_p [x], for some odd prime $p$, and has positive degree $n$. If $p^{2n}-1 = 2^{e_1} \cdot m$ for some odd integer $m$ and non-negative integer $e_1$, then, after an initial segment $f_0, ..., f_s$ with $s \leq e_1$, the degree of the polynomial $f_{i+1}$ is twice the degree of $f_i$ for any $i \geq s$.Comment: 10 pages. Fixed a typo in the reference

On Solving Systems of Diagonal Polynomial Equations Over Finite Fields

We present an algorithm to solve a system of diagonal polynomial equations over finite fields when the number of variables is greater than some fixed polynomial of the number of equations whose degree depends only on the degree of the polynomial equations. Our algorithm works in time polynomial in the number of equations and the logarithm of the size of the field, whenever the degree of the polynomial equations is constant. As a consequence we design polynomial time quantum algorithms for two algebraic hidden structure problems: for the hidden subgroup problem in certain semidirect product p-groups of constant nilpotency class, and for the multi-dimensional univariate hidden polynomial graph problem when the degree of the polynomials is constant.Comment: A preliminary extended abstract of this paper has appeared in Proceedings of FAW 2015, Springer LNCS vol. 9130, pp. 125-137 (2015

Polynomial time quantum algorithms for certain bivariate hidden polynomial problems

We present a new method for solving the hidden polynomial graph problem (HPGP) which is a special case of the hidden polynomial problem (HPP). The new approach yields an efficient quantum algorithm for the bivariate HPGP even when the input consists of several level set superpositions, a more difficult version of the problem than the one where the input is given by an oracle. For constant degree, the algorithm is polylogarithmic in the size of the base field. We also apply the results to give an efficient quantum algorithm for the oracle version of the HPP for an interesting family of bivariate hidden functions. This family includes diagonal quadratic forms and elliptic curves.Comment: Theorem numbering changed; new subsection with a high-level description of the main algorith

Connecting Kani's Lemma and path-finding in the Bruhat-Tits tree to compute supersingular endomorphism rings

We give a deterministic polynomial time algorithm to compute the endomorphism ring of a supersingular elliptic curve in characteristic p, provided that we are given two noncommuting endomorphisms and the factorization of the discriminant of the ring $\mathcal{O}_0$ they generate. At each prime $q$ for which $\mathcal{O}_0$ is not maximal, we compute the endomorphism ring locally by computing a q-maximal order containing it and, when $q \neq p$, recovering a path to $\text{End}(E) \otimes \mathbb{Z}_q$ in the Bruhat-Tits tree. We use techniques of higher-dimensional isogenies to navigate towards the local endomorphism ring. Our algorithm improves on a previous algorithm which requires a restricted input and runs in subexponential time under certain heuristics. Page and Wesolowski give a probabilistic polynomial time algorithm to compute the endomorphism ring on input of a single non-scalar endomorphism. Beyond using techniques of higher-dimensional isogenies to divide endomorphisms by a scalar, our methods are completely different.Comment: 32 pages. 5 figures. Submitte

Structure-preserving signatures from type II pairings

We investigate structure-preserving signatures in asymmetric bilinear groups with an efficiently computable homomorphism from one source group to the other, i.e., the Type II setting. It has been shown that in the Type I and Type III settings, structure-preserving signatures need at least 2 verification equations and 3 group elements. It is therefore natural to conjecture that this would also be required in the intermediate Type II setting, but surprisingly this turns out not to be the case. We construct structure-preserving signatures in the Type II setting that only require a single verification equation and consist of only 2 group elements. This shows that the Type II setting with partial asymmetry is different from the other two settings in a way that permits the construction of cryptographic schemes with unique properties. We also investigate lower bounds on the size of the public verification key in the Type II setting. Previous work on structure-preserving signatures has explored lower bounds on the number of verification equations and the number of group elements in a signature but the size of the verification key has not been investigated before.We show that in the Type II setting it is necessary to have at least 2 group elements in the public verification key in a signature scheme with a single verification equation. Our constructions match the lower bounds so they are optimal with respect to verification complexity, signature sizes and verification key sizes. In fact, in terms of verification complexity, they are the most efficient structure preserving signature schemes to date. We give two structure-preserving signature schemes with a single verification equation where both the signatures and the public verification keys consist of two group elements each. One signature scheme is strongly existentially unforgeable, the other is fully randomizable. Having such simple and elegant structure-preserving signatures may make the Type II setting the easiest to use when designing new structure-preserving cryptographic schemes, and lead to schemes with the greatest conceptual simplicity