Results 1 - 10 of 16
Solving Large Sparse Linear Systems Over Finite Fields
, 1991
Cited by 72 (2 self)
Many of the fast methods for factoring integers and computing discrete logarithms require the solution of large sparse linear systems of equations over finite fields. This paper presents the results of implementations of several linear algebra algorithms. It shows that very large sparse systems can be solved efficiently by using combinations of structured Gaussian elimination and the conjugate gradient, Lanczos, and Wiedemann methods. 1. Introduction Factoring integers and computing discrete logarithms often requires solving large systems of linear equations over finite fields. General surveys of these areas are presented in [14, 17, 19]. So far there have been few implementations of discrete logarithm algorithms, but many of integer factoring methods. Some of the published results have involved solving systems of over $6 \times 10^4$ equations in more than $6 \times 10^4$ variables [12]. In factoring, equations have had to be solved over the field GF(2). In that situation, ordinary...
Parallel Algorithms for Integer Factorisation
Cited by 41 (17 self)
The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adleman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several algorithms, including the elliptic curve method (ECM), and the multiple-polynomial quadratic sieve (MPQS) algorithm, and discuss their parallel implementation. It turns out that some of the algorithms are very well suited to parallel implementation. Doubling the degree of parallelism (i.e. the amount of hardware devoted to the problem) roughly increases the size of a number which can be factored in a fixed time by 3 decimal digits. Some recent computational results are mentioned – for example, the complete factorisation of the 617-decimal digit Fermat number $F_{11} = 2^{2^{11}} + 1$ which was accomplished using ECM.
Computation of Discrete Logarithms in Prime Fields
 Designs, Codes and Cryptography
, 1991
Cited by 38 (1 self)
The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF(p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested. 1. Introduction If p is a prime and g and x integers, then computation of y such that $y \equiv g^x \bmod p,\ 0 \le y \le p - 1 \quad (1.1)$ is referred to as discrete exponentiation. Using the successive squaring method, it is very fast (polynomial in the number of bits of $|p| + |g| + |x|$). On the other hand, the inverse problem, namely, given p, g, and y, to compute some x such that Equation 1.1 holds, which is referred to as the discrete logarithm problem, appears to be quite hard in general. Many of the mos...
Discrete Logarithms and Smooth Polynomials
 Contemporary Mathematics, AMS
, 1993
Cited by 15 (1 self)
This paper is a survey of recent advances in discrete logarithm algorithms. Improved estimates for smooth integers and smooth polynomials are also discussed. 1. Introduction If G denotes a group (written multiplicatively), and $\langle g \rangle$ the cyclic subgroup generated by $g \in G$, then the discrete logarithm problem for G is to find, given $g \in G$ and $y \in \langle g \rangle$, the smallest nonnegative integer x such that $y = g^x$. This integer x is called the discrete logarithm of y to the base g, and is written $x = \log_g y$. The discrete log problem has been studied by number theorists for a long time. The main reason for the intense current interest in it, though, is that many public key cryptosystems depend for their security on the assumption that it is hard, at least for suitably chosen groups. With the proposed adoption of the NIST digital signature algorithm [28] (based on the ElGamal [10] and Schnorr [35] proposals), even more attention is likely to be drawn to this area. There are already several su...
Improvements to the general number field sieve for discrete logarithms in prime fields
 Mathematics of Computation
, 2003
Cited by 14 (1 self)
In this paper, we describe many improvements to the number field sieve. Our main contribution consists of a new way to compute individual logarithms with the number field sieve without solving a very large linear system for each logarithm. We show that, with these improvements, the number field sieve outperforms the Gaussian integer method in the hundred digit range. We also illustrate our results by successfully computing discrete logarithms with GNFS in a large prime field.
Reducing Logarithms in Totally Non-Maximal Imaginary Quadratic Orders to Logarithms in Finite Fields (Extended Abstract)
, 1999
Cited by 8 (5 self)
Since nobody can guarantee that the computation of discrete logarithms in elliptic curves or $\mathbb{F}_p$ remains intractable for the future it is important to study cryptosystems based on alternative groups. A promising candidate, which was proposed by Buchmann and Williams [8], is the class group $Cl(\Delta)$ of an imaginary quadratic order $\mathcal{O}_\Delta$. This ring is isomorphic to the endomorphism ring of a non-supersingular elliptic curve over a finite field. While in the meantime there was found a subexponential algorithm for the computation of discrete logarithms in $Cl(\Delta)$ [16], this algorithm only has running time $L_\Delta[\frac{1}{2}, c]$ and is far less efficient than the number field sieve with $L_p[\frac{1}{3}, c]$ to compute logarithms in $\mathbb{F}_p$. Thus one may choose the parameters smaller to obtain the same level of security. It is an open question whether there is an $L_\Delta[\frac{1}{3}, c]$ algorithm to compute discrete logarithms in arbitrary $Cl(\Delta)$. Recently there were proposed cry...
A Note on Cyclic Groups, Finite Fields, and the Discrete Logarithm Problem
 Applicable Algebra in Engineering, Communication and Computing
, 1992
Cited by 6 (0 self)
We show how the discrete logarithm problem in some finite cyclic groups can easily be reduced to the discrete logarithm problem in a finite field. The cyclic groups that we consider are the set of points on a singular elliptic curve over a finite field, the set of points on a genus 0 curve over a finite field given by the Pell equation, and certain subgroups of the general linear group.
On the complexity of computing discrete logarithms and factoring integers
 Algorithmic Number Theory Symposium (ANTS VII
, 1987
Cited by 2 (0 self)
Practically all knapsack public key cryptosystems have been broken in the last few years, and so essentially the only public key cryptosystems that still have some credibility and are widely known are those whose security depends on the difficulty of factoring integers (the RSA scheme and its variants) and those whose security depends on the difficulty of computing discrete logarithms in finite fields. Therefore, the computational complexity of these two problems is of great interest. At the time of the workshop, one aspect of the then-current state of knowledge on these two fundamental problems seemed to be highly unsatisfactory. This was the fact that all of the fast algorithms for discrete logarithms and all but one of the fast algorithms for factoring integers had running time estimates that depended on the efficiency with which matrices could be inverted. These algorithms require the solution of a system of linear equations of the form $Ax = y$, (1) where A is a matrix of size m by n, x and y are column vectors of lengths m and n, respectively, and m is close to n. The interesting ranges of values for n are between $10^3$ and $10^7$. Ordinary Gaussian elimination requires about $n^3$ steps for the solution of (1). Strassen’s algorithm, which might be practical for large n, takes about $n^{\log_2 7} = n^{2.807\ldots}$ steps. The best general purpose algorithm that is known, due to
A survey of cryptosystems based on imaginary quadratic orders (Extended Abstract)
, 1999
Cited by 1 (1 self)
Since nobody can guarantee that popular public key cryptosystems based on factoring or the computation of discrete logarithms in some group will stay secure forever, it is important to study different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. A promising candidate for a group in which the DL-problem seems to be hard is the class group $Cl(\Delta)$ of an imaginary quadratic order, as proposed by Buchmann and Williams [BuWi88]. Recently this type of group has obtained much attention, because there was proposed a very efficient cryptosystem based on non-maximal imaginary quadratic orders [PaTa98a], later on called NICE (for New Ideal Coset Encryption) with quadratic decryption time. To our knowledge this is the only scheme having this property. First implementations show that the time for decryption is comparable to RSA encryption with $e = 2^{16} + 1$. Very recently there was proposed an efficient NICE-Schnorr type signature scheme [HuMe99]...