# Volume 12, issue 1

### 1. On subset sum problem in branch groups

We consider a group-theoretic analogue of the classic subset sum problem. In this brief note, we show that the subset sum problem is NP-complete in the first Grigorchuk group. More generally, we show NP-hardness of that problem in weakly regular branch groups, which implies NP-completeness if the group is, in addition, contracting.

### 2. Optimal Ate Pairing on Elliptic Curves with Embedding Degree $9,15$ and $27$

Much attention has been given to the efficient computation of pairings on elliptic curves with even embedding degree since the advent of pairing-based cryptography. The few existing works in the case of odd embedding degrees require some improvements. This paper considers the computation of optimal ate pairings on elliptic curves of embedding degrees $k=9$, $15$, $27$ which have twists of order three. Our main goal is to provide a detailed arithmetic and cost estimation of operations in the tower extensions field of the corresponding extension fields. A good selection of parameters enables us to improve the theoretical cost for the Miller step and the final exponentiation using the lattice-based method as compared to the previous few works that exist in these cases. In particular, for $k=15$, $k=27$, we obtain an improvement, in terms of operations in the base field, of up to 25% and 29% respectively in the computation of the final exponentiation. We also find that elliptic curves with embedding degree $k=15$ present faster results than BN12 curves at the 128-bit security level. We provide a MAGMA implementation in each case to ensure the correctness of the formulas used in this work.

### 3. A fault attack on the Niederreiter cryptosystem using binary irreducible Goppa codes

A fault injection framework for the decryption algorithm of the Niederreiter public-key cryptosystem using binary irreducible Goppa codes and classical decoding techniques is described. In particular, we obtain low-degree polynomial equations in parts of the secret key. For the resulting system of polynomial equations, we present an efficient solving strategy and show how to extend certain solutions to alternative secret keys. We also provide estimates for the expected number of required fault injections, apply the framework to state-of-the-art security levels, and propose countermeasures against this type of fault attack.

### 4. On the lattice of subgroups of a free group: complements and rank

A $\vee$-complement of a subgroup $H \leqslant \mathbb{F}_n$ is a subgroup $K \leqslant \mathbb{F}_n$ such that $H \vee K = \mathbb{F}_n$. If we also ask $K$ to have trivial intersection with $H$, then we say that $K$ is a $\oplus$-complement of $H$. The minimum possible rank of a $\vee$-complement (resp. $\oplus$-complement) of $H$ is called the $\vee$-corank (resp. $\oplus$-corank) of $H$. We use Stallings automata to study these notions and the relations between them. In particular, we characterize when complements exist, compute the $\vee$-corank, and provide language-theoretical descriptions of the sets of cyclic complements. Finally, we prove that the two notions of corank coincide on subgroups that admit cyclic complements of both kinds.