. This paper surveys techniques for multiplying elements of various commutative rings. It covers Karatsuba multiplication, dual Karatsuba multiplication, Toom multiplication, dual Toom multiplication, the FFT trick, the twisted FFT trick, the split-radix FFT trick, Good's trick, the SchonhageStrassen trick, Schonhage's trick, Nussbaumer's trick, the cyclic SchonhageStrassen trick, and the Cantor-Kaltofen theorem. It emphasizes the underlying ring homomorphisms. 1.

Abstract. The aim of this paper is to justify the common cryptographic practice of selecting elliptic curves using their order as the primary criterion. We can formalize this issue by asking whether the discrete log problem (dlog) has the same difficulty for all curves over a given finite field with the same order. We prove that this is essentially true by showing polynomial time random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH). We do so by constructing certain expander graphs, similar to Ramanujan graphs, with elliptic curves as nodes and low degree isogenies as edges. The result is obtained from the rapid mixing of random walks on this graph. Our proof works only for curves with (nearly) the same endomorphism rings. Without this technical restriction such a dlog equivalence might be false; however, in practice the restriction may be moot, because all known polynomial time techniques for constructing equal order curves produce only curves with nearly equal endomorphism rings.

We give a constructive proof of a theorem given in [Tate 84] which states that (under Stark's Conjecture) the field generated over a totally real field K by the Stark units contains the maximal real Abelian extension of K. As a direct application of this proof, we show how one can compute explicitly real Abelian extensions of K. We give two examples. In a series of important papers [Stark 71, Stark 75, Stark 76, Stark 80] H. M. Stark developed a body of conjectures relating the values of Artin L-functions at s = 1 (and hence, by the functional equation, their leading terms at s = 0) with certain algebraic quantities attached to extensions of number fields. For example, in the case of Abelian L-functions with a first-order zero at s = 0; the conjectural relation is between the first derivative of the L-functions and the logarithmic embedding of certain units in ray class fields known as Stark units, which are predicted to exist. The use of these conjectures to provide explicit generat...

Abstract. Given a “black box ” function to evaluate an unknown rational polynomial f ∈Q[x] at points modulo a prime p, we exhibit algorithms to compute the representation of the polynomial in the sparsest shifted power basis. That is, we determine the sparsity t∈Z>0, the shiftα∈Q, the exponents 0≤e1< e2<···<et, and the coefficients c1,...,ct∈Q\{0} such that f (x)=c1(x−α) e1 + c2(x−α) e2 +···+ct(x−α) et. The computed sparsity t is absolutely minimal over any shifted power basis. The novelty of our algorithm is that the complexity is polynomial in the (sparse) representation size and in particular is logarithmic in deg f. Our method combines previous celebrated results on sparse interpolation and computing sparsest shifts, and provides a way to handle polynomials with extremely high degree which are, in some sense, sparse in information. We give both an unconditional deterministic algorithm which is polynomial-time but has a rather high complexity, and a more practical probabilistic algorithm which relies on some unknown constants.

Abstract. Let L = Q(α) be an abelian number field of degree n. Most algorithms for computing the lattice of subfields of L require the computation of all the conjugates of α. This is usually achieved by factoring the minimal polynomial mα(x)ofαover L. In practice, the existing algorithms for factoring polynomials over algebraic number fields can handle only problems of moderate size. In this paper we describe a fast probabilistic algorithm for computing the conjugates of α, which is based on p-adic techniques. Given mα(x) anda rational prime p which does not divide the discriminant disc(mα(x)) of mα(x), the algorithm computes the Frobenius automorphism of p in time polynomial in the size of p and in the size of mα(x). By repeatedly applying the algorithm to randomly chosen primes it is possible to compute all the conjugates of α. 1.

Abstract. Let n be a positive integer. We say n looks like a power of 2moduloaprime pif there exists an integer ep ≥ 0 such that n ≡ 2 ep (mod p). First, we provide a simple proof of the fact that a positive integer which looks like a power of 2 modulo all but finitely many primes is in fact a powerof2. Next, we define an x-pseudopower of the base 2tobeapositiveintegern that is not a power of 2, but looks like a power of 2 modulo all primes p ≤ x. Let P2(x) denote the least such n. We give an unconditional upper bound on P2(x), a conditional result (on ERH) that gives a lower bound, and a heuristic argument suggesting that P2(x)isaboutexp(c2x/log x) for a certain constant c2. We compare our heuristic model with numerical data obtained by a sieve. Some results for bases other than 2 are also given. 1.

Introduction The construction of group ring elements that annihilate the ideal class groups of totally complex abelian extensions of Q is classical and goes back to work of Kummer and Stickelberger. A generalization to totally complex abelian extensions of totally real number fields was formulated by Brumer. Brumer's formulation fits into a more general framework known as the Brumer-Stark conjecture. We will verify this conjecture for a large number of examples belonging to an extended class of situations where the general status of the conjecture is still unknown. We assume throughout that k is a totally real basefield and K is a totally complex extension field, abelian over k. Let wK denote the number of roots of unity in K, m = [k : Q ], and G = Gal(K=k). We also let S =<F11.23

Abstract. We present a new algorithm for computing the centre of the Galois group of a given polynomial f ∈ Q[x] along with its action on the set of roots of f, without previously computing the group. We show that every element in the centre is representable by a family of polynomials in Q[x]. For computing such polynomials, we use quadratic Newton-lifting and truncated expressions of the roots of f over a p-adic number field. As an application we give a method for deciding the nilpotency of the Galois group. If f is irreducible with nilpotent Galois group, an algorithm for computing it is proposed. 1.

. The polynomial time algorithm of Lenstra, Lenstra, and Lov'asz [17] for

We present a construction of expander graphs obtained from Cayley graphs of narrow ray class groups, whose eigenvalue bounds follow from the Generalized Riemann Hypothesis. Our result implies that the Cayley graph of (Z/qZ) ∗ with respect to small prime generators is an expander. As another application, we show that the graph of small prime degree isogenies between ordinary elliptic curves achieves non-negligible eigenvalue separation, and explain the relationship between the expansion properties of these graphs and the security of the elliptic curve discrete logarithm problem. 1