Public-key cryptographic systems often involve raising elements of some group (e.g. GF(2 n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation depends strongly on the group being used, the hardware the system is implemented on, and whether one element is being raised repeatedly to different powers, different elements are raised to a fixed power, or both powers and group elements vary. This problem has received much attention, but the results are scattered through the literature. In this paper we survey the known methods for fast exponentiation, examining their relative strengths and weaknesses. 1

This paper speeds up Brent's algorithms for various high-precision computations in the power series ring C[[t]]. If it takes time 3 to compute a product then it takes time roughly 5:6 to compute a reciprocal; roughly 8:2 to compute a quotient or a logarithm; roughly 6:5 to compute a square root; roughly 9 to compute both a square root and a reciprocal square root; and roughly 10:4 to compute an exponential. The same ideas apply to approximate computations in R, Q p, etc.

. This paper surveys techniques for multiplying elements of various commutative rings. It covers Karatsuba multiplication, dual Karatsuba multiplication, Toom multiplication, dual Toom multiplication, the FFT trick, the twisted FFT trick, the split-radix FFT trick, Good's trick, the SchonhageStrassen trick, Schonhage's trick, Nussbaumer's trick, the cyclic SchonhageStrassen trick, and the Cantor-Kaltofen theorem. It emphasizes the underlying ring homomorphisms. 1.

We describe the complete factorization of the tenth Fermat number F 10 by the elliptic curve method (ECM). F 10 is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The 40-digit factor was found after about 140 Mflop-years of computation. We also discuss the complete factorization of other Fermat numbers by ECM, and summarize the factorizations of F 5 ; : : : ; F 11 .

Abstract. This paper presents an algorithm that, given a prime n, finds and verifies a proof of the primality of n in random time (lg n) 4+o(1). Several practical speedups are incorporated into the algorithm and discussed in detail. 1.

This survey explains how some useful arithmetic operations can be sped up from quadratic time to essentially linear time.

We present a space-efficient algorithm to compute the Hilbert class polynomial HD(X) modulo a positive integer P, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses O(|D | 1/2+ɛ log P) space and has an expected running time of O(|D | 1+ɛ). We describe practical optimizations that allow us to handle larger discriminants than other methods, with |D | as large as 1013 and h(D) up to 106. We apply these results to construct pairing-friendly elliptic curves of prime order, using the CM method.

. Let S be a nite set of positive integers. A \coprime base for S" means a set P of positive integers such that (1) each element of P is coprime to every other element of P and (2) each element of S is a product of powers of elements of P . There is a natural coprime base for S. This paper introduces an algorithm that computes the natural coprime base for S in essentially linear time. The best previous result was a quadratic-time algorithm of Bach, Driscoll, and Shallit. This paper also shows how to factor S into elements of P in essentially linear time. The algorithms apply to any free commutative monoid with fast algorithms for multiplication, division, and greatest common divisors; e.g., monic polynomials over a eld. They can be used as a substitute for prime factorization in many applications. 1.

This paper presents an algorithm that, given an integer n> 1, finds the largest integer k such that n is a kth power. A previous algorithm by the first author took time b 1+o(1) where b = lg n; more precisely, time b exp(O ( √ lg b lg lg b)); conjecturally, time b(lg b) O(1). The new algorithm takes time b(lg b) O(1). It relies on relatively complicated subroutines—specifically, on the first author’s fast algorithm to factor integers into coprimes—but it allows a proof of the b(lg b) O(1) bound without much background; the previous proof of b 1+o(1) relied on transcendental number theory.

This paper presents a randomized algorithm that, given a prime n, nds and veri es a proof of the primality of n in expected time (lg n) .