Results 1 - 8 of 8
Solving Large Sparse Linear Systems Over Finite Fields, 1991
Cited by 57 (2 self)
Many of the fast methods for factoring integers and computing discrete logarithms require the solution of large sparse linear systems of equations over finite fields. This paper presents the results of implementations of several linear algebra algorithms. It shows that very large sparse systems can be solved efficiently by using combinations of structured Gaussian elimination and the conjugate gradient, Lanczos, and Wiedemann methods. 1. Introduction Factoring integers and computing discrete logarithms often requires solving large systems of linear equations over finite fields. General surveys of these areas are presented in [14, 17, 19]. So far there have been few implementations of discrete logarithm algorithms, but many of integer factoring methods. Some of the published results have involved solving systems of over $6 \times 10^4$ equations in more than $6 \times 10^4$ variables [12]. In factoring, equations have had to be solved over the field GF(2). In that situation, ordinary...
Computation of Discrete Logarithms in Prime Fields - Design, Codes and Cryptography, 1991
Cited by 33 (1 self)
The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF(p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested. 1. Introduction If p is a prime and g and x integers, then computation of y such that $y \equiv g^x \bmod p,\ 0 \le y \le p - 1$ (1.1) is referred to as discrete exponentiation. Using the successive squaring method, it is very fast (polynomial in the number of bits of $|p| + |g| + |x|$). On the other hand, the inverse problem, namely, given p, g, and y, to compute some x such that Equation 1.1 holds, which is referred to as the discrete logarithm problem, appears to be quite hard in general. Many of the mos...
Open Problems in Number Theoretic Complexity, II
Cited by 25 (0 self)
this paper contains a list of 36 open problems in number-theoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new problems will emerge and old problems will lose favor. Ideally there will be other 'open problems' papers in future ANTS proceedings to help guide the field. It is likely that some of the problems presented here will remain open for the foreseeable future. However, it is possible in some cases to make progress by solving subproblems, or by establishing reductions between problems, or by settling problems under the assumption of one or more well known hypotheses (e.g. the various extended Riemann hypotheses, $\mathrm{NP} \neq \mathrm{P}$; $\mathrm{NP} \neq \mathrm{coNP}$). For the sake of clarity we have often chosen to state a specific version of a problem rather than a general one. For example, questions about the integers modulo a prime often have natural generalizations to arbitrary finite fields, to arbitrary cyclic groups, or to problems with a composite modulus. Questions about the integers often have natural generalizations to the ring of integers in an algebraic number field, and questions about elliptic curves often generalize to arbitrary curves or abelian varieties. The problems presented here arose from many different places and times. To those whose research has generated these problems or has contributed to our present understanding of them but to whom inadequate acknowledgement is given here, we apologize. Our list of open problems is derived from an earlier 'open problems' paper we wrote in 1986 [AM86]. When we wrote the first version of this paper, we feared that the problems presented were so difficult...
Massively parallel computation of discrete logarithms, 1993
Cited by 22 (0 self)
Numerous cryptosystems have been designed to be secure under the assumption that the computation of discrete logarithms is infeasible. This paper reports on an aggressive attempt to discover the size of fields of characteristic two for which the computation of discrete logarithms is feasible. We discover several things that were previously overlooked in the implementation of Coppersmith’s algorithm, some positive, and some negative. As a result of this work we have shown that fields as large as $GF(2^{503})$ can definitely be attacked. Keywords: Discrete Logarithms, Cryptography.
Discrete Logarithms: the Effectiveness of the Index Calculus Method, 1996
Cited by 21 (1 self)
In this article we survey recent developments concerning the discrete logarithm problem. Both theoretical and practical results are discussed. We emphasize the case of finite fields, and in particular, recent modifications of the index calculus method, including the number field sieve and the function field sieve. We also provide a sketch of some of the cryptographic schemes whose security depends on the intractability of the discrete logarithm problem. 1 Introduction Let G be a cyclic group generated by an element t. The discrete logarithm problem in G is to compute for any $b \in G$ the least non-negative integer e such that $t^e = b$. In this case, we write $\log_t b = e$. Our purpose, in this paper, is to survey recent work on the discrete logarithm problem. Our approach is twofold. On the one hand, we consider the problem from a purely theoretical perspective. Indeed, the algorithms that have been developed to solve it not only explore the fundamental nature of one of the basic s...
Discrete Logarithms and Smooth Polynomials - Contemporary Mathematics, AMS, 1993
Cited by 14 (1 self)
This paper is a survey of recent advances in discrete logarithm algorithms. Improved estimates for smooth integers and smooth polynomials are also discussed. 1. Introduction If G denotes a group (written multiplicatively), and $\langle g \rangle$ the cyclic subgroup generated by $g \in G$, then the discrete logarithm problem for G is to find, given $g \in G$ and $y \in \langle g \rangle$, the smallest nonnegative integer x such that $y = g^x$. This integer x is called the discrete logarithm of y to the base g, and is written $x = \log_g y$. The discrete log problem has been studied by number theorists for a long time. The main reason for the intense current interest in it, though, is that many public key cryptosystems depend for their security on the assumption that it is hard, at least for suitably chosen groups. With the proposed adoption of the NIST digital signature algorithm [28] (based on the ElGamal [10] and Schnorr [35] proposals), even more attention is likely to be drawn to this area. There are already several su...
Mathematical Background of Public Key Cryptography - AGCT 2003), Sémin. Congr, 2005
Cited by 6 (4 self)
Abstract. — The two main systems used for public key cryptography are RSA and protocols based on the discrete logarithm problem in some cyclic group. We focus on the latter problem and state cryptographic protocols and mathematical background material. Résumé (Mathematical elements of public key cryptography). — The two main systems of public key cryptography are RSA and the computation of discrete logarithms in a cyclic group. We are interested in discrete logarithms and present the mathematical facts one needs to know in order to learn mathematical cryptography. 1. Data Security and Arithmetic Cryptography is, in the true sense of the word, a classic discipline: we find it in Mesopotamia and Caesar used it. Typically, the historical examples involve secret services and military. Information is exchanged amongst a limited community in which each member is to be trusted. Like Caesar’s chiffre these systems were entirely symmetric. Thus, the communicating parties needed to have a common key which is used to de- and encrypt. The key exchange posed a problem (and gives a marvellous plot for spy-novels) but the number of people involved was rather bounded. This has changed dramatically because of electronic communication in public networks. Since 2000 Mathematics Subject Classification. — 11T71. Key words and phrases. — Elliptic curve cryptography, mathematics of public key cryptography, hyperelliptic curves. The authors would like to thank the organizers of the conference for generous support, an interesting program and last but not least for a very inspiring and pleasant atmosphere. The second author acknowledges financial support by STORK
A Weakness of the Menezes-Vanstone Cryptosystem, 1997
In this paper we show that the elliptic curve cryptosystem by Menezes and Vanstone is not really a probabilistic cipher, in contrast to its design. Each ciphertext leaks some kind of information, which could be used for unauthorized decryption, if the cryptosystem is set up in a careless way. But in any case we have a loss of efficiency, since the additional effort, which always comes with probabilistic encryption, does not pay. 1 Introduction Elliptic curves are popular settings for building efficient public-key cryptosystems, since in general computing discrete logarithms in these groups is difficult. If we have, for example, a non-supersingular curve over a prime field $\mathbb{F}_p$, for which the discrete logarithm problem is hard (this can be checked efficiently [6]), DL is intractable for p with about 45 (or more) decimal digits. In comparison, factorization of hard composite numbers, whose difficulty guarantees the security of the RSA cryptosystem for example, is tractable for numbers...

