Results 1  10
of
313
Factoring polynomials with rational coefficients
 Muth. Ann
, 1982
"... In this paper we present a polynomialtime algorithm to solve the following problem: given a nonzero polynomial fe Q[X] in one variable with rational coefficients, find the decomposition of f into irreducible factors in Q[X]. It is well known that this is equivalent to factoring primitive polynomia ..."
Abstract

Cited by 708 (9 self)
 Add to MetaCart
In this paper we present a polynomialtime algorithm to solve the following problem: given a nonzero polynomial fe Q[X] in one variable with rational coefficients, find the decomposition of f into irreducible factors in Q[X]. It is well known that this is equivalent to factoring primitive polynomials feZ[X] into irreducible factors in Z[X]. Here we call f ~ Z[X] primitive if the greatest common divisor of its coefficients (the content of f) is 1. Our algorithm performs well in practice, cf. [8]. Its running time, measured in bit operations, is O(nl2+n9(log[fD3). Here f~Tl[X] is the polynomial to be factored, n = deg(f) is the degree of f, and for a polynomial ~ a ~ i with real coefficients a i. i An outline of the algorithm is as follows. First we find, for a suitable small prime number p, a padic irreducible factor h of f, to a certain precision. This is done with Berlekamp's algorithm for factoring polynomials over small finite fields, combined with Hensel's lemma. Next we look for the irreducible factor h o of f in
SelfTesting/Correcting with Applications to Numerical Problems
, 1990
"... Suppose someone gives us an extremely fast program P that we can call as a black box to compute a function f . Should we trust that P works correctly? A selftesting/correcting pair allows us to: (1) estimate the probability that P (x) 6= f(x) when x is randomly chosen; (2) on any input x, compute ..."
Abstract

Cited by 347 (27 self)
 Add to MetaCart
Suppose someone gives us an extremely fast program P that we can call as a black box to compute a function f . Should we trust that P works correctly? A selftesting/correcting pair allows us to: (1) estimate the probability that P (x) 6= f(x) when x is randomly chosen; (2) on any input x, compute f(x) correctly as long as P is not too faulty on average. Furthermore, both (1) and (2) take time only slightly more than Computer Science Division, U.C. Berkeley, Berkeley, California 94720, Supported by NSF Grant No. CCR 8813632. y International Computer Science Institute, Berkeley, California 94704 z Computer Science Division, U.C. Berkeley, Berkeley, California 94720, Supported by an IBM Graduate Fellowship and NSF Grant No. CCR 8813632. the original running time of P . We present general techniques for constructing simple to program selftesting /correcting pairs for a variety of numerical problems, including integer multiplication, modular multiplication, matrix multiplicatio...
Efficient randomized patternmatching algorithms
, 1987
"... We present randomized algorithms to solve the
following stringmatching problem and some of its generalizations: Given a string X of length n (the pattern) and a string Y (the text), find the first occurrence of X as a consecutive block within Y. The algorithms represent strings of length n by much ..."
Abstract

Cited by 304 (0 self)
 Add to MetaCart
We present randomized algorithms to solve the
following stringmatching problem and some of its generalizations: Given a string X of length n (the pattern) and a string Y (the text), find the first occurrence of X as a consecutive block within Y. The algorithms represent strings of length n by much shorter strings called fingerprints, and achieve their efficiency by manipulating fingerprints instead of longer strings. The algorithms require a constant number of storage locations, and essentially run in real time. They are conceptually simple and easy to implement. The method readily generalizes to higherdimensional patternmatching problems.
Signature Schemes Based on the Strong RSA Assumption
 ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY
, 1998
"... We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the socalled Strong RSA Assumption. Moreove ..."
Abstract

Cited by 154 (8 self)
 Add to MetaCart
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the socalled Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
The OneMoreRSAInversion Problems and the Security of Chaum’s Blind Signature Scheme
 Journal of Cryptology
, 2003
"... Abstract We introduce a new class of computational problems which we call the "onemoreRSAinversion " problems. Our main result is that two problems in this class, which we call the chosentarget and knowntarget inversion problems respectively, have polynomiallyequivalent comput ..."
Abstract

Cited by 68 (5 self)
 Add to MetaCart
Abstract We introduce a new class of computational problems which we call the &quot;onemoreRSAinversion &quot; problems. Our main result is that two problems in this class, which we call the chosentarget and knowntarget inversion problems respectively, have polynomiallyequivalent computational complexity. We show how this leads to a proof of security for Chaum's RSAbased blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for &quot;onemorediscretelogarithm &quot; problems. Since the appearence of the preliminary version of this paper, the new problems we have introduced have found other uses as well.
Discrete logarithms in gf(p) using the number field sieve
 SIAM J. Discrete Math
, 1993
"... Recently, several algorithms using number field sieves have been given to factor a number n in heuristic expected time Ln[1/3; c], where Ln[v; c] = exp{(c + o(1))(log n) v (log log n) 1−v}, for n → ∞. In this paper we present an algorithm to solve the discrete logarithm problem for GF (p) with heur ..."
Abstract

Cited by 66 (1 self)
 Add to MetaCart
Recently, several algorithms using number field sieves have been given to factor a number n in heuristic expected time Ln[1/3; c], where Ln[v; c] = exp{(c + o(1))(log n) v (log log n) 1−v}, for n → ∞. In this paper we present an algorithm to solve the discrete logarithm problem for GF (p) with heuristic expected running time Lp[1/3; 3 2/3]. For numbers of a special form, there is an asymptotically slower but more practical version of the algorithm.
Succinct Quantum Proofs for Properties of Finite Groups
 In Proc. IEEE FOCS
, 2000
"... In this paper we consider a quantum computational variant of nondeterminism based on the notion of a quantum proof, which is a quantum state that plays a role similar to a certificate in an NPtype proof. Specifically, we consider quantum proofs for properties of blackbox groups, which are finite g ..."
Abstract

Cited by 63 (3 self)
 Add to MetaCart
In this paper we consider a quantum computational variant of nondeterminism based on the notion of a quantum proof, which is a quantum state that plays a role similar to a certificate in an NPtype proof. Specifically, we consider quantum proofs for properties of blackbox groups, which are finite groups whose elements are encoded as strings of a given length and whose group operations are performed by a group oracle. We prove that for an arbitrary group oracle there exist succinct (polynomiallength) quantum proofs for the Group NonMembership problem that can be checked with small error in polynomial time on a quantum computer. Classically this is impossibleit is proved that there exists a group oracle relative to which this problem does not have succinct proofs that can be checked classically with bounded error in polynomial time (i.e., the problem is not in MA relative to the group oracle constructed). By considering a certain subproblem of the Group NonMembership problem we obtain a simple proof that there exists an oracle relative to which BQP is not contained in MA. Finally, we show that quantum proofs for nonmembership and classical proofs for various other group properties can be combined to yield succinct quantum proofs for other group properties not having succinct proofs in the classical setting, such as verifying that a number divides the order of a group and verifying that a group is not a simple group.
Practical threshold RSA signatures without a trusted dealer
, 2001
"... Abstract. We propose a threshold RSA scheme which is as efficient as the fastest previous threshold RSA scheme (by Shoup), but where two assumptions needed in Shoup’s and in previous schemes can be dropped, namely that the modulus must be a product of safe primes and that a trusted dealer generates ..."
Abstract

Cited by 52 (4 self)
 Add to MetaCart
Abstract. We propose a threshold RSA scheme which is as efficient as the fastest previous threshold RSA scheme (by Shoup), but where two assumptions needed in Shoup’s and in previous schemes can be dropped, namely that the modulus must be a product of safe primes and that a trusted dealer generates the keys. The robustness (but not the unforgeability) of our scheme depends on a new intractability assumption, in addition to security of the underlying standard RSA scheme. 1