Notation

Basic mathematical notation

∅ The empty set
#S The number of elements in the finite set S
S−T Set difference of sets S and T
Z, Q, R, C integers, rationals, reals and complex numbers
N, Z>0 Natural numbers
Z/rZ Integers modulo r
Fq Finite field of q = pm elements
Zp , Qp p-adic ring, field, where p (sometimes also called l) is a prime.
hg1 , . . . , gn i Group generated by g1 , . . . , gn
(g1 , . . . , gn ) Ideal generated over a ring R by g1 , . . . , gn ∈ R
ϕ(n) Euler phi function
ζ(n) Riemann zeta function
λ(N ) Carmichael lambda function
a | b, a ∤ b b is/is not a multiple of a
qn , rn Quotient and remainder in n-th step of Euclidean algorithm
sn , tn Numbers arising in the extended Euclidean algorithm to compute gcd(a, b),
they satisfy rn = asn + btn
hn /kn Convergents of a continued fraction expansion
log2 (x) Logarithm to base 2
log(x) Natural logarithm
[0, 1] {x ∈ R : 0 ≤ x ≤ 1}
≈ Approximately equal (we do not give a precise definition), such as π ≈ 3.1415
(al−1 . . . a1 a0 )2 Binary representation of an integer a
v, w Vectors
0 Zero vector
ei i-th unit vector
In n × n identity matrix
hx, xi Inner product
kxk Euclidean length of a vector (2 norm)
k · ka ℓa -norm for a ∈ N
span{v 1 , . . . , v n } Span of a set of vectors
rank(A) Rank of a matrix A
Mn (R) n × n matrices over the ring R
⌊x⌋ Round x ∈ R down to an integer
⌈x⌉ Round x ∈ R up to an integer
[x], ⌊x⌉ Closest integer to x, with [1/2] = ⌊1/2⌉ = 1

15
16 CONTENTS

Notation for polynomials and fields

Fq Finite field of q = pm elements
F (x) Irreducible polynomial defining a finite field
θ Generator of a finite field
TrFqm /Fq Trace
NFqn /Fq or N Norm map with respect to Fqn /Fq
k Ground field, always assumed to be perfect
char(k) The characteristic of k (either 0 or a prime)
k An algebraic closure of k
k′ A field extension of k contained in k
Gal(k′ /k) Galois group if k′ /k is Galois
trdeg Transcendence degree
F (x) Polynomial of degree d
F ′ (x) The derivative of the polynoial F (x)
R(F, G), Rx (F (x), G(x)) Resultant of polynomials
R1 (x), Ri (x), T (x) Polynomials arising in polynomial factorisation algorithms of Section 2.12
deg(F (x)), deg x (F (x)) Degree of polynomial
deg(f (x)) Total degree of polynomial
F Polynomial in Fq [x] of degree m defining Fqm = Fq [x]/(F (x))
ZF Ring of integers of number field F
Cl(O) Class group of order O
h(O) Class number of order O
Notation for algorithms and complexity
O(f ) Big O notation
o(f ) Little o notation
Õ(f ) Soft O notation
Ω(f ) Big Omega notation
Θ(f ) Big Theta notation
≤R Reduction
len(a) The bit-length of a
wt(m) The Hamming weight of m (number of ones in binary expansion)
M (n) The cost of multiplication of two n-bit integers
M (d, q) = M (d log(dq)) The cost of multiplying two degree d polynomials over Fq
s←S s ∈ S chosen according to an (implicit) distribution on S
LN (a, c) Subexponential function
O, A Oracle
Notation for algebraic geometry
Ga (k) Additive group (k, +)
Gm (k) Multiplicative group (k∗ , .)
mult Multiplication map in an algebraic group
inverse Inverse map in an algebraic group
[g] Orbit or equivalence class of g under an automorphism
G/ψ Set of orbits/equivalence classes of G under the automorphism ψ
An (k) Affine space, points (x1 , . . . , xn )
Pn (k) Projective space, points (x0 : . . . |xn )
(x0 : · · · : xn ) Homogeneous coordinate for point of Pn
≡ Equivalence of (n + 1)-tuples to define projective space
x Either (x1 , . . . , xn ) ∈ An (k) or (x0 : · · · : xn ) ∈ Pn (k)
X, Y Algebraic set
X(k) k-rational points of X
CONTENTS 17

V (I) Zero set of the ideal I

(S) Ideal over k[x] generated by the set S
Ik (X), I(X) Ideal over k corresponding to the algebraic set X over k
rad(I) Radical of the ideal I
k[X] Coordinate ring of algebraic set X
k(X)m k(C) Function field of X (resp. C)
F, K, L Function field
Ui Subset of Pn comprising all points (x0 : · · · : xn ) with xi 6= 0
ϕi Rational map ϕi : An → Pn with image Ui
ϕ Rational map ϕn
ϕ∗i Homogenisation map from k[y1 , . . . , yn ] to k[x0 , . . . , xn ]
ϕ−1
i Rational map Pn → An
ϕ−1∗
i De-homogenisation k[x0 , . . . , xn ] → k[y1 , . . . , yn ]
X ∩ An Abbreviation for ϕ−1n (X ∩ Un )
f Homogenisation of the polynomial f
I Homogenisation of the ideal I
X Projective closure of algebraic set X ⊆ An
O(X) Regular functions on variety X
dim(X) Dimension of the algebraic variety X
φ Rational map or morphism of varieties
p A prime ideal of a ring
S −1 R The localiation of a ring with respect to a multiplicative set S
Rp The localisation of a ring at the prime ideal p
OP,k (X), OP Local ring of X at P .
mP,k (X), mP Maximal ideal of OP,k (X)
JX,P Jacobian matrix of X = V (f1 , . . . , fm ) ⊆ An at P
C Curve
E Elliptic curve
C(k), E(k) The k-rational points of C (resp. E)
OE , OC Point at infinity on a curve
ι(P ) If P = (x, y) then ι(P ) = (x, −y − a1 x − a3 )
vP (f ) Valuation of function f ∈ k(C) at point P
tP Uniformizer at P
l(x, y) Line between points P1 and P2 on an elliptic curve
v(x) Vertical line on an elliptic curve
Homk (E1 , E2 ), Endk (E) Homomorphisms/endos of elliptic curves
Tl (E) Tate module of an elliptic curve
x(P ), xP , y(P ), yP Coordinates of the point P = (xP , yP ) ∈ C(k)
πq q-power Frobenius map
P0 A given k-rational point on a curve
Φn (x) n-th cyclotomic polynomial
Gq,n Cyclotomic subgroup of F∗qn of order Φn (q)
g An element of Gq,n
θ Generator over Fq of a finite field Fq2
TrFqn /Fq or Tr Trace map with respect to Fqn /Fq
Tn Algebraic torus
comp Torus compression function
decomp Torus decompression function
⋆ Partial group operation for T2
18 CONTENTS

Vn Trace of g n in LUC
U Hypersurface in the construction of T6
pU Rational parameterisation of the hypersurface U
χg (x) Characteristic polynomial over Fq2 of element of Fq6
tn Trace of g n in XTR
F (x), H(x) Polynomials in k[x] used to define a curve
E(x, y) Weierstrass equation y 2 + H(x)y − F (x)
a1 , a2 , a3 , a4 , a6 Coefficients of Weierstrass equation
D Divisor
div(f ) Divisor of the function f
Supp(D) Support of a divisor
Divk (C) Divisors on C defined over k
Div0k (C) Degree zero divisors on C defined over k
Prink (C) Principal divisors on C
D Divisor class
Pic0k (C) Degree zero divisor class group of curve C over k
≡ Linear equivalence (i.e., equivalence of divisors)
v′ | v Extension of valuations
Rv Valuation ring
mv Maximal ideal of the valuation
Lk (D) Riemann-Roch space for divisor D
ℓk (D) Dimension of Riemann-Roch space for D
D ≤ D′ Ordering relation on divisors
DivEff Set of all effective divisors
Picdk (X) Divisor class group (degree d divisor class group of X over the field k)
degx a(x) Degree in x of the polynomial a(x)
deg(φ) Degree of the morphism φ
deg(D) Degree of the divisor D
φ∗ Pullback under a morphism
φ∗ Pushforward under a morphism
g genus of curve C
∂F/∂x Standard partial differentiation of polynomials or rational functions
hdx Differential on C
Ωk (C) Set of differentials on C over k
ω Differential on C
ωE Invariant differential on elliptic curve E
div(ω) Divisor of a differential on C
(C, P ), (E, O) A pointed curve, i.e., a curve over k together
with a specified k-rational point.
τQ Translation map
[n] Multiplication by n map on an elliptic curve (or torus or Abelian variety)
E[n] Points of order dividing n on an elliptic curve
Twist(E) Set of classes of twists of E
E (d) Quadratic twist of E
Homk (E1 , E2 ) Group of isogenies from E1 to E2 over k
Endk (E) Ring of isogenies from E to itself over k
ker(φ) Kernel of an isogeny
t∞ Uniformizer on elliptic curve at OE
P (T ) Characteristic polynomial of Frobenius
CONTENTS 19

φ̂ Dual isogeny
degs (φ) Separable degree
degi (φ) Inseparable degree
(Y : Xd : · · · : X0 ) Variables for projective non-singular equation of hyperelliptic curve
C† Image of hyperelliptic curve C under map swapping ∞ and zero
ρP Birational map from hyperelliptic curve taking P to infinity
(u(x), v(x)) Mumford representation for semi-reduced divisors
∞+ , ∞− Points at infinity on a hyperelliptic curve
monic(u(x)) Monic polynomial obtain by dividing by the leading coefficient
div(u(x), y − v(x)) Greatest common divisor of div(u(x)) and div(y − v(x))
u† , v † , v ‡ Polynomials arising in Cantor reduction and reduction at infinity
D† Semi-reduced divisor arising from Cantor’s reduction
D∞ Effective Divisor on a hyperelliptic curve of degree g with support only at infinity
(u(x), v(x), n) Divisor div(u(x), y − v(x)) ∩ A2 + n(∞+ ) + (g − deg(u(x)) − n)(∞− )
JC Jacobian variety of the curve C
Θ Mumford theta divisor
L(t) L-polynomial of the curve C over Fq
αi Roots of P (T ) and reciprocal roots of L(t) for curve C over Fq
K/k Fields in Weil descent attack

Notation for algorithms in algebraic groups

NAF Non-adjacent form
w-NAF or NAFw Width w non-adjacent form
D Digit set for an expansion
digit Function assigning to an integer and integer in D
weight Weight of the expansion
logg (h) Discrete logarithm problem (g ∈ G)
r Large prime, the order of g ∈ G
(mods m) Modular reduction to signed residue
1 Coefficient −1 in a signed expansion
PH Pohlig-Hellman algorithm
BSGS Baby-step-giant-step algorithm
Sj Sets for representation problem and product DLP
Lj Lists for generalised birthday algorithm
LSBm m least signficant bits
MSBm m most signficant bits, or bits specifying a decomposition of
the domain into equal partitions
HNP Hidden number problem

Notation in Chapter 14
G An algebraic group or algebraic group quotient
g An element in an AG or AGQ G, usually of prime order r
r The prime order of an element g
h An element in hgi
a The discrete logarithm of h with respect to g
S A set
N Size of the set S, or an integer to be factored
π(X) The number of primes ≤ X
Pr Probability
¬E Complemenent of an event E
20 CONTENTS

l The number of elements sampled from S

nS Number of partitions in Pollard walk
S Map from G to Z/nS Z
b(g) Binary representation of g ∈ G
X Random variable
xi Random walk sequence
(ai , bi ) Representation of walk element xi = g ai hbi
(uj , vj ) Powers of g and h in random walk steps
gj A jump in the random walk
walk The random walk function
lt Length of tail of Pollard rho walk
lh Length of cycle (or head) of Pollard rho walk
ǫ A small positive real number
D Set of distinguished points
nD Number of bits used to define distinguishing property
θ Probability that a random g ∈ G is a distinguished point
NP Number of processors
n Number of steps made by tame kangaroo
type Indicator ‘tame’ or ‘wild’
s Spacing between starting positions of kangaroos in the same herd
NC Size of generic equivalence class
x Equivalence class of x
x̂ Equivalence class representative of class of x
Aut(G) Automorphism group of an algebraic group G
b Start of interval; usually set to 0
w Length of interval
m Mean step size
f :S→S Function in parallel collision search
fi : Si → R Function in meet-in-the-middle attack
I Set {0, 1, . . . , N − 1}
σi : I → Si Functions in parallel meet-in-middle-attack
ρ : R → I × 1, 2 Function in parallel meet-in-middle-attack
f (x) Function in Pollard rho factoring
Notation in Chapter 15
Ψ(X, Y ) Number of Y -smooth integers less than X
f (n) ∼ g(n) If limn→∞ f (n)/g(n) = 1
ρ(u) Dickman-de Bruijn function
TB Expected number of trials until a random integer 1 ≤ x < N is B-smooth
LN (a, c) Subexponential function
B Factor base
B Bound on primes to define B
s Number of elements in factor base B
I(n) number of irreducible polynomials of degree n
N (n, b) number of b-smooth polynomials of degree exactly equal to n
p(n, b) probability that a uniformly chosen polynomial of degree at most n is b-smooth
Summn (x1 , . . . , xn ) Summation polynomial
CONTENTS 21

Notation for Part IV

b, v, w Row vectors (usually in Rm )
0 Zero vector in Rm
ei i-th unit vector in Rm
In n × n identity matrix
hx, xi Inner product
kxk Euclidean length (ℓ2 norm)
k · ka ℓa -norm for a ∈ N
span{v 1 , . . . , v n } Span of a set of vectors over R
rank(A) Rank of a matrix A
⌊x⌉ Closest integer to x, ⌊1/2⌉ = 1
B Basis matrix for a lattice
L Lattice
b∗i Gram-Schmidt vector arising from ordered basis {b1 , . . . , bn }
µi,j Gram-Schmidt coefficient hbi , b∗j i/hb∗j , b∗j i
Bi kb∗i k2
λi Successive minima of a lattice
det(L) Determinant of a lattice
γn Hermite’s constant
X Bound on the size of the entries in the basis matrix L
B(i) i × m matrix formed by the first i rows of B
di Determinant of matrix of hbj , bk i for 1 ≤ j, k ≤ i
D Product of di
P1/2 (B) Fundamental domain (parallelepiped) for lattice basis B
F (x), F (x, y) Polynomial with “small” root
G(x), G(x, y) Polynomial with “small” root in common with F (x) (resp., F (x, y))
X, Y Bounds on size of root in Coppersmith’s method
bF Coefficient vector of polynomial F
R(F, G), Rx (F (x), G(x)) Resultant of polynomials
W Bound in Coppersmith’s method
P, R Constants in noisy Chinese remaindering
amp(x) The amplitude gcd(P, x − R) in noisy Chinese remaindering
B, B ′ Basis matrices for GGH encryption
In n × n identity matrix
U Invertible matrix disguising the private key in GGH
m, e, c Message (respectively, error vector, ciphertext) in McEliece or GGH
σ Entry in error vector in GGH
M Size of coefficients in message in GGH
s GGH signature
a1 , . . . , an Subset sum weights
b1 , . .P
. , bn Superincreasing sequence
n
s = i=1 xi ai The sum in a subset sum instance, with xi ∈ {0, 1}
d Density of a subset sum instance
π Permutation of {1, . . . , n} used in the Merkle-Hellman cryptosystem
σ Vector in Nguyen attack
M Modulus in Merkle-Hellman knapsack
W Multiplier in Merkle-Hellman knapsack
U W −1 (mod M ) in Merkle-Hellman
t Number of iterations in iterated Merkle-Hellman knapsack
22 CONTENTS

Notation for cryptography

κ Security parameter
M Message space
PK Public key space
SK Private key space
C Ciphertext space
pk Public key
sk Private key
m Message
c, (c1 , c2 ) Ciphertext
s, (s1 , s2 ) Signature
Enc Symmetric encryption
Dec Symmetric decryption
g Element of an algebraic group G
⊥ Symbol for invalid ciphertext or algorithm failure
H Cryptographic hash function
qS Number of signature queries in security proof
F (s1 ) Function used in Elgamal and DSA signatures
DLP Discrete logarithm problem
CDH Computational Diffie-Hellman problem
DDH Decisional Diffie-Hellman problem
kdf Key derivation function
−1
Inverse-DH Inverse Diffie-Hellman problem (g, g a ) 7→ g a
Static-DH Static Diffie-Hellman problem
Strong-DH Strong Diffie-Hellman problem
Square-DH Square Diffie-Hellman problem
Hash-DH Hash Diffie-Hellman problem
Adv Advantage of an algorithm
MAC Message authentication code
KEM Key encapsulation mechanism
DEM Date encapsulation mechanism
K Key space (for a KEM)
Xg1 ,g2 ,h A set used in the security proof of the Cramer-Shoup encryption scheme
id Identity of a user
S The set of RSA moduli
CONTENTS 23

Notation used in Part VII

E/G Quotient elliptic curve by subgroup G
Φd (x, y) Modular polynomial
̃ j-invariant of isogenous curve in Elkies method
a, b, l O-ideals
XE,Fq ,S Isogeny graph
E[l] Kernel of isogeny corresponding to ideal l
δv (S) Vertex boundary of a set S in a graph
δe (S) Edge boundary of a set S in a graph
f (D) Evaluation of function f at divisor D
en Weil pairing
tn Tate-Lichtenbaum pairing
t̂n Reduced Tate-Lichtenbaum pairing
k(q, n) Embedding degree
G1 , G2 Eigenspaces of Frobenius in E[r]
T t − 1, used in the ate pairing
aT (Q, P ) Ate pairing