Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u GF(q) is that integer k, 1 k q - 1, for which u = g k . The well-known problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields GF(2 n ). It appears that in order to be safe from attacks using these algorithms, the value of n for which GF(2 n ) is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields GF(2 n ) are much easier to compute than in fields GF(p) with p prime. Hence the fields GF(2 n ) ought to be avoided in all cryptographic applications. On the other hand, ...

. In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly defined functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a real-time speed-up of more than 1:2. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. Given an element h in G, we wish to find the least non-negative number x such that g x = h. This problem is the discre...

. We consider Pollard's rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performance is worse than in the random case. We study alternative walks that can be efficiently applied to compute discrete logarithms. We introduce a class of walks that lead to the same performance as expected in the random case. We show that this holds for arbitrarily large prime group orders, thus making Pollard's rho method for prime group orders about 20% faster than before. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. We define the discrete logarithm problem (DLP) as follows: given a group element h, find the least non-negative integer x such that h = g x . We write x = log g h and call it the discrete logarithm of h...

The best algorithms to compute discrete logarithms in arbitrary groups (of prime order) are the baby-step giant-step method, the rho method and the kangaroo method. The first two have (expected) running time O( p n) group operations (n denoting the group order), thereby matching Shoup's lower bounds. While the baby-step giant-step method is deterministic but with large memory requirements, the rho and the kangaroo method are probabilistic but can be implemented very space efficiently, and they can be parallelized with linear speed-up. In this paper, we present the state of the art in these methods.

Abstract. We call an integer semismooth with respect to y and z if each of its prime factors is ≤ y, and all but one are ≤ z. Such numbers are useful in various factoring algorithms, including the quadratic sieve. Let G(α, β)bethe asymptotic probability that a random integer n is semismooth with respect to n β and n α. We present new recurrence relations for G and related functions. We then give numerical methods for computing G,tablesofG, and estimates for the error incurred by this asymptotic approximation. 1.

Abstract. We present a new algorithm for computing the structure of a finite abelian group, which has to store only a fixed, small number of group elements, independent of the group order. We estimate the computational complexity by counting the group operations such as multiplications and equality checks. Under some plausible assumptions, we prove that the expected run time is O ( √ n)(withndenoting the group order), and we explicitly determine the Oconstants. We implemented our algorithm for ideal class groups of imaginary quadratic orders and present experimental results. 1.

Abstract not found

This paper gives a survey on cryptographic primitives based on class groups of imaginary quadratic orders (IQ cryptography, IQC). We present IQC versions of several well known cryptographic primitives, and we explain, why these primitives are secure if one assumes the hardness of the underlying problems. We give advice on the selection of the cryptographic parameters and show the impact of this advice on the eciency of some IQ cryptosystems.

Since nobody can guarantee that popular public key cryptosystems based on factoring or the computation of discrete logarithms in some group will stay secure forever, it is important to study different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. A promising candidate for a group in which the DL-problem seems to be hard is the class group Cl(\Delta) of an imaginary quadratic order, as proposed by Buchmann and Williams [BuWi88]. Recently this type of group has obtained much attention, because there was proposed a very efficient cryptosystem based on non-maximal imaginary quadratic orders [PaTa98a], later on called NICE (for New Ideal Coset Encryption) with quadratic decryption time. To our knowledge this is the only scheme having this property. First implementations show that the time for decryption is comparable to RSA encryption with e = 2 16 + 1. Very recently there was proposed an efficient NICE-Schnorr type signature scheme [HuMe99]...

Practically all knapsack public key cryptosystems have been broken in the last few years, and so essentially the only public key cryptosystems that still have some credibility and are widely known are those whose security depends on the difficulty of factoring integers (the RSA scheme and its variants) and those whose security depends on the difficulty of computing discrete logarithms in finite fields. Therefore, the computational complexity of these two problems is of great interest. At the time of the workshop, one aspect of the then-current state of knowledge on these two fundamental problems seemed to be highly unsatisfactory. This was the fact that all of the fast algorithms for discrete logarithms and all but one of the fast algorithims for factoring integers had running time estimates that depended on the efficiency with which matrices could be inverted. These algorithms require the solution of a system of linear equations of the form Ax = y, (1) where A is a matrix of size m by n, x and y are column vectors of lengths m and n, respectively, and m is close to n. The interesting ranges of values for n are between 10 3 and 10 7. Ordinary gaussian elimination requires that about n 3 steps for the solution of (1). Strassen’s algorithm, which might be practical for large n, takes about n log 2 7 = n 2. 807... steps. The best general purpose algorithm that is known, due to