Recently, several algorithms using number field sieves have been given to factor a number n in heuristic expected time Ln[1/3; c], where Ln[v; c] = exp{(c + o(1))(log n) v (log log n) 1−v}, for n → ∞. In this paper we present an algorithm to solve the discrete logarithm problem for GF (p) with heuristic expected running time Lp[1/3; 3 2/3]. For numbers of a special form, there is an asymptotically slower but more practical version of the algorithm.

This paper (1) gives complete details of an algorithm to compute approximate kth roots; (2) uses this in an algorithm that, given an integer n>1, either writes n as a perfect power or proves that n is not a perfect power; (3) proves, using Loxton's theorem on multiple linear forms in logarithms, that this perfect-power decomposition algorithm runs in time (log n) . 1.

It is the best of times for the game of factoring large numbers into their prime factors. In 1970 it was barely possible to factor “hard ” 20-digit numbers. In 1980, in the heyday of the Brillhart-Morrison continued fraction factoring algorithm, factoring of 50-digit numbers was becoming commonplace. In 1990 my own quadratic sieve factoring algorithm had doubled the length of the numbers that could be factored, the record having 116 digits. By 1994 the quadratic sieve had factored the famous 129-digit RSA challenge number that had been estimated in Martin Gardner’s 1976 Scientific American column to be safe for 40 quadrillion years (though other estimates around then were more modest). But the quadratic sieve is no longer the champion. It was replaced by Pollard’s number field sieve in the spring of 1996, when that method successfully split a 130-digit RSA challenge number in about 15 % of the time the quadratic sieve would have taken. In this article we shall briefly meet these factorization algorithms—these two sieves—and some of the many people who helped to develop them. In the middle part of this century, computational issues seemed to be out of fashion. In most books the problem of factoring big numbers

. The discrete logarithm problem forms the basis of numerous cryptographic systems. The most effective attack on the discrete logarithm problem in the multiplicative group of a finite field is via the index calculus, but no such method is known for elliptic curve discrete logarithms. Indeed, Miller [23] has given a brief heuristic argument as to why no such method can exist. IN this note we give a detailed analysis of the index calculus for elliptic curve discrete logarithms, amplifying and extending miller's remarks. Our conclusions fully support his contention that the natural generalization of the index calculus to the elliptic curve discrete logarithm problem yields an algorithm with is less efficient than a brute-force search algorithm. 0. Introduction The discrete logarithm problem for the multiplicative group F q of a finite field can be solved in subexponential time using the Index Calculus method, which appears to have been first discovered by Kraitchik [14, 15] in the 192...

Abstract not found

This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.

Erdös [8] conjectured that there are x 1;o(1) Carmichael numbers up to x, whereas Shanks [24] was skeptical as to whether one might even nd an x up to which there are more than p x Carmichael numbers. Alford, Granville and Pomerance [2] showed that there are more than x 2=7 Carmichael numbers up to x, and gave arguments which even convinced Shanks (in person-to-person discussions) that Erdös must be correct. Nonetheless, Shanks's skepticism stemmed from an appropriate analysis of the data available to him (and his reasoning is still borne out by Pinch's extended new data [14,15]), and so we herein derive conjectures that are consistent with Shanks's observations, while tting in with the viewpoint of Erdös [8] and the results of [2,3].

Abstract. We estimate the yield of the number field sieve factoring algorithm when applied to the 1024-bit composite integer RSA-1024 and the parameters as proposed in the draft version [17] of the TWIRL hardware factoring device [18]. We present the details behind the resulting improved parameter choices from [18].

Abstract. We exhibit an attack against a signature scheme recently proposed by Gennaro, Halevi and Rabin [9]. The scheme’s security is based on two assumptions namely the strong RSA assumption and the existence of a division-intractable hash-function. For the latter, the authors conjectured a security level exponential in the hash-function’s digest size whereas our attack is sub-exponential with respect to the digest size. Moreover, since the new attack is optimal, the length of the hash function can now be rigorously fixed. In particular, to get a security level equivalent to 1024-bit RSA, one should use a digest size of approximately 1024 bits instead of the 512 bits suggested in [9]. 1

Abstract. We present two algorithms to compute the endomorphism ring of an ordinary elliptic curve E defined over a finite field Fq. Under suitable heuristic assumptions, both have subexponential complexity. We bound the complexity of the first algorithm in terms of log q, while our bound for the second algorithm depends primarily on log |DE|, where DE is the discriminant of the order isomorphic to End(E). As a byproduct, our method yields a short certificate that may be used to verify that the endomorphism ring is as claimed. 1.