Parallel Algorithms for Integer Factorisation
Cited by 39 (17 self)
The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adleman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several algorithms, including the elliptic curve method (ECM), and the multiple-polynomial quadratic sieve (MPQS) algorithm, and discuss their parallel implementation. It turns out that some of the algorithms are very well suited to parallel implementation. Doubling the degree of parallelism (i.e. the amount of hardware devoted to the problem) roughly increases the size of a number which can be factored in a fixed time by 3 decimal digits. Some recent computational results are mentioned – for example, the complete factorisation of the 617-decimal digit Fermat number $F_{11} = 2^{2^{11}} + 1$ which was accomplished using ECM.
Computational Strategies for the Riemann Zeta Function
- Journal of Computational and Applied Mathematics, 2000
Cited by 34 (8 self)
We provide a compendium of evaluation methods for the Riemann zeta function, presenting formulae ranging from historical attempts to recently found convergent series to curious oddities old and new. We concentrate primarily on practical computational issues, such issues depending on the domain of the argument, the desired speed of computation, and the incidence of what we call "value recycling".
On Computing Factors of Cyclotomic Polynomials
- 1993
Cited by 14 (5 self)
For odd square-free $n > 1$ the cyclotomic polynomial $\Phi_n(x)$ satisfies the identity of Gauss $4\Phi_n(x) = A_n^2 - (-1)^{(n-1)/2}\, n B_n^2$. A similar identity of Aurifeuille, Le Lasseur and Lucas is $\Phi_n((-1)^{(n-1)/2} x) = C_n^2 - n x D_n^2$ or, in the case that $n$ is even and square-free, $\pm\Phi_{n/2}(-x^2) = C_n^2 - n x D_n^2$. Here $A_n(x), \ldots, D_n(x)$ are polynomials with integer coefficients. We show how these coefficients can be computed by simple algorithms which require $O(n^2)$ arithmetic operations and work over the integers. We also give explicit formulae and generating functions for $A_n(x), \ldots, D_n(x)$, and illustrate the application to integer factorization with some numerical examples.
An Implementation of the Number Field Sieve
- EXPERIMENTAL MATHEMATICS, 1996
Cited by 13 (0 self)
This article describes an implementation of the NFS, including the choice of two quadratic polynomials, both classical sieving and a special form of lattice sieving (line sieving), the block Lanczos method and a new square root algorithm. Finally some data on factorizations obtained with this implementation are listed, including the record factorization of $12^{151} - 1$.
Computing canonical heights with little (or no) factorization
- Math. Comp., 1997
Cited by 9 (1 self)
Abstract. Let $E/\mathbb{Q}$ be an elliptic curve with discriminant $\Delta$, and let $P \in E(\mathbb{Q})$. The standard method for computing the canonical height $\hat{h}(P)$ is as a sum of local heights $\hat{h}(P) = \hat{\lambda}_\infty(P) + \sum_p \hat{\lambda}_p(P)$. There are well-known series for computing the archimedean height $\hat{\lambda}_\infty(P)$, and the non-archimedean heights $\hat{\lambda}_p(P)$ are easily computed as soon as all prime factors of $\Delta$ have been determined. However, for curves with large coefficients it may be difficult or impossible to factor $\Delta$. In this note we give a method for computing the nonarchimedean contribution to $\hat{h}(P)$ which is quite practical and requires little or no factorization. We also give some numerical examples illustrating the algorithm.

Let $E$ be an elliptic curve defined over a number field $K$, say given by a Weierstrass equation

$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6. \tag{1}$$

The canonical height on $E$ is a quadratic form $\hat{h} : E(K) \longrightarrow \mathbb{R}$. The canonical height is an extremely important theoretical and computational tool in the arithmetic study of elliptic curves. See [18, Chapter VIII, Section 9] for the definition and basic properties of $\hat{h}$, and [20], [21], and [23] for some discussion of how to compute $\hat{h}$ in practice. In this paper, which may be considered as a continuation of our earlier note [20], we will discuss the computation of the canonical height for curves $E$ whose coefficients $a_1, \ldots, a_6$ are large. We note that this is not a mere intellectual exercise, since curves with huge integer coefficients have already made their appearance in the search for curves whose Mordell-Weil group $E(\mathbb{Q})$ has large rank [5], [11], [12], [13], [14], and the standard tool for proving that a set of points $P_1, \ldots, P_r \in E(\mathbb{Q})$ is linearly independent is to check the non-vanishing of the height regulator matrix $\det(\langle P_i, P_j \rangle)$. Here the height pairing $\langle \cdot, \cdot \rangle$ is defined (up to a normalizing factor) by the formula $\langle P, Q \rangle = \hat{h}(P + Q) - \hat{h}(P) - \hat{h}(Q)$.

Tate's definition $\hat{h}(P) = \lim_{n \to \infty} 4^{-n} h(x(2^n P))$ of the canonical height is not practical for numerical computations. Instead, one uses the Néron-Tate decomposition of the canonical height into a sum of local heights, one for each distinct

Received by the editor October 24, 1995.
Fast irreducibility and subgroup membership testing in XTR
- Proceedings of the 2001 Public Key Cryptography conference, LNCS 1992, 1992
Cited by 8 (4 self)
Abstract. We describe a new general method to perform part of the setup stage of the XTR system introduced at Crypto 2000, namely finding the trace of a generator of the XTR group. Our method is substantially faster than the general method presented at Asiacrypt 2000. As a side result, we obtain an efficient method to test subgroup membership when using XTR.
A NEW BOUND FOR THE SMALLEST x WITH π(x) > li(x)
- 1999
Cited by 8 (0 self)
Abstract. Let π(x) denote the number of primes ≤ x and let li(x) denote the usual integral logarithm of x. We prove that there are at least $10^{153}$ integer values of x in the vicinity of $1.39822 \times 10^{316}$ with π(x) > li(x). This improves earlier bounds of Skewes, Lehman, and te Riele. We also plot more than 10000 values of π(x) − li(x) in four different regions, including the regions discovered by Lehman, te Riele, and the authors of this paper, and a more distant region in the vicinity of $1.617 \times 10^{9608}$, where π(x) appears to exceed li(x) by more than $.18\, x^{1/2} / \log x$. The plots strongly suggest, although upper bounds derived to date for li(x) − π(x) are not sufficient for a proof, that π(x) exceeds li(x) for at least $10^{311}$ integers in the vicinity of $1.398 \times 10^{316}$. If it is possible to improve our bound for π(x) − li(x) by finding a sign change before $10^{316}$, our first plot clearly delineates the potential candidates. Finally, we compute the logarithmic density of li(x) − π(x) and find that as x departs from the region in the vicinity of $1.62 \times 10^{9608}$, the density is $1 - 2.7 \times 10^{-7} = .99999973$, and that it varies from this by no more than $9 \times 10^{-8}$ over the next $10^{30000}$ integers. This should be compared to Rubinstein and Sarnak.
The twenty-second Fermat number is composite
- Math. Comp., 1995
Cited by 7 (2 self)
Abstract. We have shown by machine proof that $F_{24} = 2^{2^{24}} + 1$ is composite. The rigorous Pépin primality test was performed using independently developed programs running simultaneously on two different, physically separated processors. Each program employed a floating-point, FFT-based discrete weighted transform (DWT) to effect multiplication modulo $F_{24}$. The final, respective Pépin residues obtained by these two machines were in complete agreement. Using intermediate residues stored periodically during one of the floating-point runs, a separate algorithm for pure-integer negacyclic convolution verified the result in a “wavefront” paradigm, by running simultaneously on numerous additional machines, to effect piecewise verification of a saturating set of deterministic links for the Pépin chain. We deposited a final Pépin residue for possible use by future investigators in the event that a proper factor of $F_{24}$ should be discovered; herein we report the more compact, traditional Selfridge-Hurwitz residues. For the sake of completeness, we also generated a Pépin residue for $F_{23}$, and via the Suyama test determined that the known cofactor of this number is composite.

1. Computational history of Fermat numbers

It is well known that P. Fermat, in the early part of the 17th century, described the numbers $F_n = 2^{2^n}$
Efficient computation of full Lucas sequences
- 1996
Cited by 4 (1 self)
odd, then the computation of Uk does not require the computation of U l j (j 1). Proof : Since k is odd (i.e. k0 = 1), Uk(= U l 0 ) = Uh 1 V l 1 l 1 . Thus, only the value of Uh 1 is needed. We only need to show that the value of Uh j-1 can be derived from Uh j . By Eq. (5) and depending on the value of k j-1 , we have the following cases: . if k j-1 = 0, then (l j-1 , h j-1 ) = (2l j , l j + h j ); . if k j-1 = 1, then (l j-1 , h j-1 ) = (l j + h j , 2h j ). Hence, if k j-1 = 0, then h j-1(= h j + l j = 2l j + 1) is odd and Uh j-1 = Uh j V l j l j ; otherwise, h j-1(= 2h j ) is even and Uh j-1 = Uh j Vh j . We now are ready to give the algorithm that we shall extend to the case where k is even. Inputs: k = 2 s i=s k i 2 i-s , (ks = 1) P, Q Outputs: (Uk , Vk ) Uh = 1; V l = 2; Vh = P ; Q l = 1; Qh = 1; for j from n 1 to s + 1 by -1 if k[j] == 1 then Qh = Q l Vh ; Vh Qh else Qh = Q l ; Q l fi Qh ; Qh =
Multiple-length Division Revisited: a Tour of the Minefield
- 1994
Cited by 3 (0 self)
This paper is merely an interpretation and formalization of the original ideas of the authors referenced in the text. It was written only because we were unable to find an elegant, complete algorithm described with convincing clarity in the literature

