Results 1 - 10 of 48
Discrete Logarithms in Finite Fields and Their Cryptographic Significance
, 1984
Cited by 104 (7 self)
Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element $u \in GF(q)$ is that integer k, $1 \le k \le q - 1$, for which $u = g^k$. The well-known problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields $GF(2^n)$. It appears that in order to be safe from attacks using these algorithms, the value of n for which $GF(2^n)$ is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields $GF(2^n)$ are much easier to compute than in fields GF(p) with p prime. Hence the fields $GF(2^n)$ ought to be avoided in all cryptographic applications. On the other hand, ...
Efficient blind signatures without random oracles
 In Carlo Blundo and Stelvio Cimato, editors, SCN 2004
, 2004
Cited by 23 (1 self)
Abstract. The only known blind signature scheme that is secure in the standard model [20] is based on general results about multiparty computation, and thus it is extremely inefficient. The main result of this paper is the first provably secure blind signature scheme which is also efficient. We develop our construction as follows. In the first step, which is a significant result on its own, we devise and prove the security of a new variant for the Cramer-Shoup-Fischlin signature scheme. We are able to show that for generating signatures, instead of using randomly chosen prime exponents one can securely use randomly chosen odd integer exponents which significantly simplifies the signature generating process. We obtain our blind signing function as a secure and efficient two-party computation that cleverly exploits its algebraic properties and those of the Paillier encryption scheme. The security of the resulting signing protocol relies on the Strong RSA assumption and the hardness of decisional composite residuosity; we stress that it does not rely on the existence of random oracles.
Approximating the number of integers free of large prime factors
 Math. Comp
, 1997
Cited by 12 (3 self)
Abstract. Define Ψ(x, y) to be the number of positive integers n ≤ x such that n has no prime divisor larger than y. We present a simple algorithm that approximates Ψ(x, y) in $O\left(y\left\{\frac{\log\log x}{\log y} + \frac{1}{\log\log y}\right\}\right)$ floating point operations. This algorithm is based directly on a theorem of Hildebrand and Tenenbaum. We also present data which indicate that this algorithm is more accurate in practice than other known approximations, including the well-known approximation Ψ(x, y) ≈ xρ(log x / log y), where ρ(u) is Dickman’s function.
On the distribution in short intervals of integers having no large prime factor
 J. Number Theory
, 1987
Cited by 11 (1 self)
Our motivation for the study of integers having no large prime factor arises from the factoring problem. The computational complexity of the problem of factoring a general integer N has received a great deal of attention recently due to its relation to the security of certain public key cryptosystems [13]. All of the fastest known factoring algorithms
DENSE EGYPTIAN FRACTIONS
, 1998
Cited by 9 (2 self)
Abstract. Every positive rational number has representations as Egyptian fractions (sums of reciprocals of distinct positive integers) with arbitrarily many terms and with arbitrarily large denominators. However, such representations normally use a very sparse subset of the positive integers up to the largest denominator. We show that for every positive rational there exist representations as Egyptian fractions whose largest denominator is at most N and whose denominators form a positive proportion of the integers up to N, for sufficiently large N; furthermore, the proportion is within a small factor of best possible.
Arbitrarily Tight Bounds On The Distribution Of Smooth Integers
 Proceedings of the Millennial Conference on Number Theory
, 2002
Cited by 7 (2 self)
This paper presents lower bounds and upper bounds on the distribution of smooth integers; builds an algebraic framework for the bounds; shows how the bounds can be computed at extremely high speed using FFT-based power-series exponentiation; explains how one can choose the parameters to achieve any desired level of accuracy; and discusses several generalizations.
On values taken on by the largest prime factor of shifted primes
 J. Australian Math. Soc
Multivariate Diophantine equations with many solutions
, 2001
Cited by 6 (3 self)
Among other things we show that for each n-tuple of positive rational numbers $(a_1, \ldots, a_n)$ there are sets of primes S of arbitrarily large cardinality s such that the solutions of the equation $a_1 x_1 + \cdots + a_n x_n = 1$ with $x_1, \ldots, x_n$ S-units are not contained in fewer than exp((4 + o(1))s 1=2 (log s) 1=2 ) proper linear subspaces of $\mathbb{C}^n$. This generalizes a result of Erdős, Stewart and Tijdeman [7] for S-unit equations in two variables. Further, we prove that for any algebraic number field K of degree n, any integer m with 1 m < n, and any sufficiently large s there are integers 0 ; : : : ; m in K which are linearly independent over $\mathbb{Q}$, and prime numbers $p_1, \ldots, p_s$, such that the norm polynomial equation jN K=Q ( 0 + 1 x 1 + + mxm )j = p z1 1 p zs s has at least expf(1+o(1)) n m s m=n (log s) 1+m=n g solutions in $x_1, \ldots, x_m, z_1, \ldots, z_s \in \mathbb{Z}$. This generalizes a result of Moree and Stewart [19] for m = 1. Our main tool, also established in this paper, is an effective lower bound for the number K;T (X; Y ) of ideals in a number field K of norm X composed of prime ideals which lie outside a given finite set of prime ideals T and which have norm Y . This generalizes results of Canfield, Erdős and Pomerance [6] and of Moree and Stewart [19].
Fast Bounds on the Distribution of Smooth Numbers
, 2006
Cited by 6 (5 self)
Let P(n) denote the largest prime divisor of n, and let Ψ(x,y) be the number of integers n ≤ x with P(n) ≤ y. In this paper we present improvements to Bernstein’s algorithm, which finds rigorous upper and lower bounds for Ψ(x,y). Bernstein’s original algorithm runs in time roughly linear in y. Our first, easy improvement runs in time roughly $y^{2/3}$. Then, assuming the Riemann Hypothesis, we show how to drastically improve this. In particular, if log y is a fractional power of log x, which is true in applications to factoring and cryptography, then our new algorithm has a running time that is polynomial in log y, and gives bounds as tight as, and often tighter than, Bernstein’s algorithm.
Another generalization of Wiener’s attack on RSA
 Africacrypt 2008. LNCS
, 2008
Cited by 5 (5 self)
Abstract. A well-known attack on RSA with low secret-exponent d was given by Wiener in 1990. Wiener showed that using the equation $ed - (p - 1)(q - 1)k = 1$ and continued fractions, one can efficiently recover the secret-exponent d and factor N = pq from the public key (N, e) as long as $d < \frac{1}{3} N^{1/4}$. In this paper, we present a generalization of Wiener’s attack. We show that every public exponent e that satisfies $eX - (p - u)(q - v)Y = 1$ with $1 \le Y < X < 2^{-1/4} N^{1/4}$, $|u| < N^{1/4}$, $v = \left[-\frac{qu}{p - u}\right]$ and all prime factors of p − u or q − v are less than $10^{50}$ yields the factorization of N = pq. We show that the number of these exponents is at least $N^{1/2 - \varepsilon}$.