Results 1  10
of
14
Discrete Logarithms in Finite Fields and Their Cryptographic Significance
, 1984
"... Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u GF(q) is that integer k, 1 k q  1, for which u = g k . The wellknown problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its appl ..."
Abstract

Cited by 87 (6 self)
 Add to MetaCart
Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u GF(q) is that integer k, 1 k q  1, for which u = g k . The wellknown problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields GF(2 n ). It appears that in order to be safe from attacks using these algorithms, the value of n for which GF(2 n ) is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields GF(2 n ) are much easier to compute than in fields GF(p) with p prime. Hence the fields GF(2 n ) ought to be avoided in all cryptographic applications. On the other hand, ...
Speeding Up Pollard's Rho Method For Computing Discrete Logarithms
, 1998
"... . In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their pe ..."
Abstract

Cited by 44 (7 self)
 Add to MetaCart
. In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly defined functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a realtime speedup of more than 1:2. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. Given an element h in G, we wish to find the least nonnegative number x such that g x = h. This problem is the discre...
On Random Walks For Pollard's Rho Method
 Mathematics of Computation
, 2000
"... . We consider Pollard's rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performa ..."
Abstract

Cited by 31 (5 self)
 Add to MetaCart
. We consider Pollard's rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performance is worse than in the random case. We study alternative walks that can be efficiently applied to compute discrete logarithms. We introduce a class of walks that lead to the same performance as expected in the random case. We show that this holds for arbitrarily large prime group orders, thus making Pollard's rho method for prime group orders about 20% faster than before. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. We define the discrete logarithm problem (DLP) as follows: given a group element h, find the least nonnegative integer x such that h = g x . We write x = log g h and call it the discrete logarithm of h...
SquareRoot Algorithms For The Discrete Logarithm Problem (a Survey)
 In Public Key Cryptography and Computational Number Theory, Walter de Gruyter
, 2001
"... The best algorithms to compute discrete logarithms in arbitrary groups (of prime order) are the babystep giantstep method, the rho method and the kangaroo method. The first two have (expected) running time O( p n) group operations (n denoting the group order), thereby matching Shoup's lower bounds ..."
Abstract

Cited by 27 (0 self)
 Add to MetaCart
The best algorithms to compute discrete logarithms in arbitrary groups (of prime order) are the babystep giantstep method, the rho method and the kangaroo method. The first two have (expected) running time O( p n) group operations (n denoting the group order), thereby matching Shoup's lower bounds. While the babystep giantstep method is deterministic but with large memory requirements, the rho and the kangaroo method are probabilistic but can be implemented very space efficiently, and they can be parallelized with linear speedup. In this paper, we present the state of the art in these methods.
Asymptotic semismoothness probabilities
 Mathematics of computation
, 1996
"... Abstract. We call an integer semismooth with respect to y and z if each of its prime factors is ≤ y, and all but one are ≤ z. Such numbers are useful in various factoring algorithms, including the quadratic sieve. Let G(α, β)bethe asymptotic probability that a random integer n is semismooth with res ..."
Abstract

Cited by 22 (1 self)
 Add to MetaCart
Abstract. We call an integer semismooth with respect to y and z if each of its prime factors is ≤ y, and all but one are ≤ z. Such numbers are useful in various factoring algorithms, including the quadratic sieve. Let G(α, β)bethe asymptotic probability that a random integer n is semismooth with respect to n β and n α. We present new recurrence relations for G and related functions. We then give numerical methods for computing G,tablesofG, and estimates for the error incurred by this asymptotic approximation. 1.
A space efficient algorithm for group structure computation
 Math. Comp
, 1998
"... Abstract. We present a new algorithm for computing the structure of a finite abelian group, which has to store only a fixed, small number of group elements, independent of the group order. We estimate the computational complexity by counting the group operations such as multiplications and equality ..."
Abstract

Cited by 16 (4 self)
 Add to MetaCart
Abstract. We present a new algorithm for computing the structure of a finite abelian group, which has to store only a fixed, small number of group elements, independent of the group order. We estimate the computational complexity by counting the group operations such as multiplications and equality checks. Under some plausible assumptions, we prove that the expected run time is O ( √ n)(withndenoting the group order), and we explicitly determine the Oconstants. We implemented our algorithm for ideal class groups of imaginary quadratic orders and present experimental results. 1.
Order computations in generic groups
 PHD THESIS MIT, SUBMITTED JUNE 2007. RESOURCES
, 2007
"... ..."
A Survey on IQ Cryptography
 In Proceedings of Public Key Cryptography and Computational Number Theory
, 2001
"... This paper gives a survey on cryptographic primitives based on class groups of imaginary quadratic orders (IQ cryptography, IQC). We present IQC versions of several well known cryptographic primitives, and we explain, why these primitives are secure if one assumes the hardness of the underlying p ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
This paper gives a survey on cryptographic primitives based on class groups of imaginary quadratic orders (IQ cryptography, IQC). We present IQC versions of several well known cryptographic primitives, and we explain, why these primitives are secure if one assumes the hardness of the underlying problems. We give advice on the selection of the cryptographic parameters and show the impact of this advice on the eciency of some IQ cryptosystems.
On the complexity of computing discrete logarithms and factoring integers
 Algorithmic Number Theory Symposium (ANTS VII
, 1987
"... Practically all knapsack public key cryptosystems have been broken in the last few years, and so essentially the only public key cryptosystems that still have some credibility and are widely known are those whose security depends on the difficulty of factoring integers (the RSA scheme and its varian ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Practically all knapsack public key cryptosystems have been broken in the last few years, and so essentially the only public key cryptosystems that still have some credibility and are widely known are those whose security depends on the difficulty of factoring integers (the RSA scheme and its variants) and those whose security depends on the difficulty of computing discrete logarithms in finite fields. Therefore, the computational complexity of these two problems is of great interest. At the time of the workshop, one aspect of the thencurrent state of knowledge on these two fundamental problems seemed to be highly unsatisfactory. This was the fact that all of the fast algorithms for discrete logarithms and all but one of the fast algorithims for factoring integers had running time estimates that depended on the efficiency with which matrices could be inverted. These algorithms require the solution of a system of linear equations of the form Ax = y, (1) where A is a matrix of size m by n, x and y are column vectors of lengths m and n, respectively, and m is close to n. The interesting ranges of values for n are between 10 3 and 10 7. Ordinary gaussian elimination requires that about n 3 steps for the solution of (1). Strassen’s algorithm, which might be practical for large n, takes about n log 2 7 = n 2. 807... steps. The best general purpose algorithm that is known, due to
A survey of cryptosystems based on imaginary quadratic orders (Extended Abstract)
, 1999
"... Since nobody can guarantee that popular public key cryptosystems based on factoring or the computation of discrete logarithms in some group will stay secure forever, it is important to study different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. A pro ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Since nobody can guarantee that popular public key cryptosystems based on factoring or the computation of discrete logarithms in some group will stay secure forever, it is important to study different primitives and groups which may be utilized if a popular class of cryptosystems gets broken. A promising candidate for a group in which the DLproblem seems to be hard is the class group Cl(\Delta) of an imaginary quadratic order, as proposed by Buchmann and Williams [BuWi88]. Recently this type of group has obtained much attention, because there was proposed a very efficient cryptosystem based on nonmaximal imaginary quadratic orders [PaTa98a], later on called NICE (for New Ideal Coset Encryption) with quadratic decryption time. To our knowledge this is the only scheme having this property. First implementations show that the time for decryption is comparable to RSA encryption with e = 2 16 + 1. Very recently there was proposed an efficient NICESchnorr type signature scheme [HuMe99]...