The aim of this paper is to describe the theory and implementation of the Elliptic Curve Primality Proving algorithm.

{ A new knapsack type public key cryptosystem is introduced. The system is based on a novel application of arithmetic in nite elds, following a construction by Bose and Chowla. By appropriately choosing the parameters, one can control the density of the resulting knapsack, which is the ratio between the number of elements in the knapsack and their size in bits. In particular, the density can be made high enough to foil \low density" attacks against our system. At the moment, no attacks capable of \breaking" this system in a reasonable amount of time are known. Research supported by NSF grant MCS{8006938. Part of this research was done while the rst author was visiting Bell Laboratories, Murray Hill, NJ. A preliminary version of this work was presented in Crypto 84 and has appeared in [8]. 1 1.

Abstract. We call an integer semismooth with respect to y and z if each of its prime factors is ≤ y, and all but one are ≤ z. Such numbers are useful in various factoring algorithms, including the quadratic sieve. Let G(α, β)bethe asymptotic probability that a random integer n is semismooth with respect to n β and n α. We present new recurrence relations for G and related functions. We then give numerical methods for computing G,tablesofG, and estimates for the error incurred by this asymptotic approximation. 1.

. We present a new deterministic algorithm for factoring polynomials over Z p of degree n. We show that the worst-case running time of our algorithm is O(p 1=2 (log p) 2 n 2+ffl ), which is faster than the running times of previous deterministic algorithms with respect to both n and p. We also show that our algorithm runs in polynomial time for all but at most an exponentially small fraction of the polynomials of degree n over Z p . Specifically, we prove that the fraction of polynomials of degree n over Z p for which our algorithm fails to halt in time O((log p) 2 n 2+ffl ) is O((n log p) 2 =p). Consequently, the average-case running time of our algorithm is polynomial in n and log p. Keywords: factorization, finite fields, irreducible polynomials. This research was supported by NSF grants DCR-8504485 and DCR-8552596. Appeared in Information Processing Letters 33, pp. 261--267, 1990. An preliminary version of this paper appeared as University of Wisconsin--Madison, Comput...

This paper derives basic probabilistic properties of random polynomials over finite fields that are of interest in the study of polynomial factorization algorithms. We show that the main characteristics of random polynomial can be treated systematically by methods of "analytic combinatorics" based on the combined use of generating functions and of singularity analysis. Our object of study is the classical factorization chain which is described in Fig. 1 and which, despite its simplicity, does not appear to have been totally analysed so far. In this paper, we provide a complete average-case analysis.

A random integer N, drawn uniformly from the set {1,2,..., n), has a prime factorization of the form N = a1a2...aM where ax ^ a2>... ^ aM. We establish the asymptotic distribution, as «-» • oo, of the vector A(«) = (loga,/logiV: i:> 1) in a transparent manner. By randomly re-ordering the components of A(«), in a size-biased manner, we obtain a new vector B(n) whose asymptotic distribution is the GEM distribution with parameter 1; this is a distribution on the infinite-dimensional simplex of vectors (xv x2,...) having non-negative components with unit sum. Using a standard continuity argument, this entails the weak convergence of A(/i) to the corresponding Poisson-Dirichlet distribution on this simplex; this result was obtained by Billingsley [3]. 1.

Abstract. The only known blind signature scheme that is secure in the standard model [20] is based on general results about multi-party computation, and thus it is extremely inefficient. The main result of this paper is the first provably secure blind signature scheme which is also efficient. We develop our construction as follows. In the first step, which is a significant result on its own, we devise and prove the security of a new variant for the Cramer-Shoup-Fischlin signature scheme. We are able to show that for generating signatures, instead of using randomly chosen prime exponents one can securely use randomly chosen odd integer exponents which significantly simplifies the signature generating process. We obtain our blind signing function as a secure and efficient two-party computation that cleverly exploits its algebraic properties and those of the Paillier encryption scheme. The security of the resulting signing protocol relies on the Strong RSA assumption and the hardness of decisional composite residuosity; we stress that it does not rely on the existence of random oracles. 1

We give a precise average-case analysis of a complete polynomial factorization chain over finite fields by methods based on generating functions and singularity analysis. Polynomes al'eatoires et factorisation de polynomes R'esum'e Nous donnons une analyse en moyenne pr'ecise d'une chaine compl`ete de factorisation de polynomes sur les corps finis par des m'ethodes fond'ees sur les fonctions g'en'eratrices et l'analyse de singularit'es. To appear in Automata, Languages and Programming, Proceedings of the 23rd ICALP colloquium, Paderborn, July 1996, F. Meyer auf der Heide, Ed., in Lecture Notes in Computer Science. Random Polynomials and Polynomial Factorization Philippe Flajolet, 1 Xavier Gourdon, 1 and Daniel Panario 2 1 Algorithms Project, INRIA Rocquencourt, F-78153 Le Chesnay, France. 2 Department of Computer Science, University of Toronto, Toronto, Canada M5S-1A4. E-mails: Philippe.Flajolet@inria.fr, Xavier.Gourdon@inria.fr, daniel@cs.toronto.edu. Abstract. We give a pr...

At present, there are two competing index calculus variants for computing discrete logarithms in (Z/pZ) * in practice. The purpose of this paper is to summarize the recent practical experience with a generalized implementation covering both a variant of the Number Field Sieve and the Gaussian integer method. By this implementation we set a record with p consisting of 85 decimal digits. With regard to computational results, including the running time, we provide a comparison of the two methods for this value of p.

Abstract. Let P(n) denote the largest prime divisor of n, andlet Ψ(x,y) be the number of integers n ≤ x with P(n) ≤ y. Inthispaper we present improvements to Bernstein’s algorithm, which finds rigorous upper and lower bounds for Ψ(x,y). Bernstein’s original algorithm runs in time roughly linear in y. Our first, easy improvement runs in time roughly y 2/3. Then, assuming the Riemann Hypothesis, we show how to drastically improve this. In particular, if log y is a fractional power of log x, which is true in applications to factoring and cryptography, then our new algorithm has a running time that is polynomial in log y, and gives bounds as tight as, and often tighter than, Bernstein’s algorithm. 1