Results 1-10 of 12
Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer
SIAM J. on Computing, 1997
Cited by 882 (2 self)
Abstract
A digital computer is generally believed to be an efficient universal computing device; that is, it is believed able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems which are generally thought to be hard on a classical computer and which have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, e.g., the number of digits of the integer to be factored.
Simulating Physics with Computers
SIAM Journal on Computing, 1982
Cited by 393 (1 self)
Abstract
A digital computer is generally believed to be an efficient universal computing device; that is, it is believed able to simulate any physical computing device with an increase in computation time of at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems which are generally thought to be hard on a classical computer and have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, e.g., the number of digits of the integer to be factored. AMS subject classifications: 82P10, 11Y05, 68Q10. 1 Introduction One of the first results in the mathematics of computation, which underlies the subsequent development of much of theoretical computer science, was the distinction between computable and ...
The Bit Extraction Problem or t-Resilient Functions
1985
Cited by 154 (9 self)
Abstract
We consider the following adversarial situation. Let $n$, $m$ and $t$ be arbitrary integers, and let $f : \{0,1\}^n \to \{0,1\}^m$ be a function. An adversary, knowing the function $f$, sets $t$ of the $n$ input bits, while the rest ($n - t$ input bits) are chosen at random (independently and with uniform probability distribution). The adversary tries to prevent the outcome of $f$ from being uniformly distributed in $\{0,1\}^m$. The question addressed is for what values of $n$, $m$ and $t$ does the adversary necessarily fail in biasing the outcome of $f : \{0,1\}^n \to \{0,1\}^m$, when being restricted to set $t$ of the input bits of $f$. We present various lower and upper bounds on $m$'s allowing an affirmative answer. These bounds are relatively close for $t \le n/3$ and for $t \ge 2n/3$. Our results have applications in the fields of fault-tolerance and cryptography. 1. INTRODUCTION The bit extraction problem was suggested by Brassard and Robert [BRref] and by V...
Expansion of Product Replacement Graphs
Combinatorica, 2001
Cited by 9 (1 self)
Abstract
We establish a connection between the expansion coefficient of the product replacement graph $\Gamma_k(G)$ and the minimal expansion coefficient of a Cayley graph of $G$ with $k$ generators. In particular, we show that the product replacement graphs $\Gamma_k(\mathrm{PSL}(2,p))$ form an expander family, under the assumption that all Cayley graphs of $\mathrm{PSL}(2,p)$ with at most $k$ generators are expanders. This gives a new explanation of the outstanding performance of the product replacement algorithm and supports the speculation that all product replacement graphs are expanders [LP,P3].
A Sieve Auxiliary Function
1995
Cited by 3 (3 self)
Abstract
In the sieve theories of Rosser-Iwaniec and Diamond-Halberstam-Richert, the upper and lower bound sieve functions ($F$ and $f$, respectively) satisfy a coupled system of differential-difference equations with retarded arguments. To aid in the study of these functions, Iwaniec introduced a conjugate difference-differential equation with an advanced argument, and gave a solution, $q$, which is analytic in the right half-plane. The analysis of the bounding sieve functions, $F$ and $f$, is facilitated by an adjoint integral inner-product relation which links the local behaviour of $F - f$ with that of the sieve auxiliary function, $q$. In addition, $q$ plays a fundamental role in determining the sieving limit of the combinatorial sieve, and hence in determining the boundary conditions of the sieve functions, $F$ and $f$. The sieve auxiliary function, $q$, has been tabulated previously, but these data were not supported by numerical analysis, due to the prohibitive presence of high-order partial deriva...
The Similarities (and Differences) between Polynomials and Integers
1994
Cited by 2 (0 self)
Abstract
The purpose of this paper is to examine the two domains of the integers and the polynomials, in an attempt to understand the nature of complexity in these very basic situations. Can we formalize the integer algorithms which shed light on the polynomial domain, and vice versa? When will the casting of one in the other speed up an existing algorithm? Why do some problems not lend themselves to this kind of speedup? We give several simple and natural theorems that show how problems in one domain can be embedded in the other, and we examine the complexity-theoretic consequences of these embeddings. We also prove several results on the impossibility of solving integer problems by mimicking their polynomial counterparts. 1 Introduction It is a fact frequently remarked upon that polynomials and integers share a number of characteristics. Usually the Fast Fourier Transform is then giv... (Footnotes: Supported by NSF grants DMS-8807202 and CCR-9204630. † Supported by NSF grant CCR-9207797.)
Design and Analysis of Password-Based Key Derivation Functions
CT-RSA 2005
Cited by 2 (0 self)
Abstract
A password-based key derivation function (KDF) – a function that derives cryptographic keys from a password – is necessary in many security applications. Like any password-based scheme, such KDFs are subject to key search attacks (often called dictionary attacks). Salt and iteration count are used in practice to significantly increase the workload of such attacks. These techniques have also been specified in widely adopted industry standards such as PKCS and IETF. Despite the importance and widespread usage, there has been no formal security analysis on existing constructions. In this paper, we propose a general security framework for password-based KDFs and introduce two security definitions, each capturing a different attacking scenario. We study the most commonly used construction $H^{(c)}(p \| s)$ and prove that the iteration count $c$, when fixed, does have an effect of stretching the password $p$ by $\log_2 c$ bits. We then analyze the two standardized KDFs in PKCS#5. We show that both are secure if the adversary cannot influence the parameters but are subject to attacks otherwise. Finally, we propose a new password-based KDF that is provably secure even when the adversary has full control of the parameters.
Probabilistic and Constructive Methods in Harmonic Analysis and Additive Number Theory
1994
Cited by 1 (1 self)
Abstract
We give several applications of the probabilistic method in harmonic analysis and additive number theory. We also give efficient constructions in place of previous probabilistic (existential) proofs. 1. Using the probabilistic method we prove that there exist integers $p_1, \ldots, p_N \ge 0$ for which $\left| \min_x \sum_{j=1}^{N} p_j \cos jx \right| = O(s^{1/3})$ as $s \to \infty$, where $s = \sum_{j=1}^{N} p_j$. This improves a result of Odlyzko who proved a similar inequality with the right hand side replaced by $O((s \log s)^{1/3})$. 2. Similarly we prove that there are frequencies $\lambda_1 < \cdots < \lambda_N \in \{1, \ldots, cN\}$, for $c = 2$, for which $\left| \min_x \sum_{j=1}^{N} \cos \lambda_j x \right| = O(N^{1/2})$ and that this is impossible for smaller values of the positive constant $c$. 3. The previous result is used to prove easily a theorem of Erdős and Turán about the density of finite integer sequences with the property that any two elements have a different sum...
Quantum and Arithmetical Chaos
2003
Cited by 1 (1 self)
Abstract
Summary. The lectures are centered around three selected topics of quantum chaos: the Selberg trace formula, the two-point spectral correlation functions of Riemann zeta function zeros, and of the Laplace–Beltrami operator for the modular group. The lectures cover a wide range of quantum chaos applications and can serve as a non-formal introduction to mathematical methods of quantum chaos.
Computational Number Theory at CWI in 1970-1994
1994
"... this paper we present a concise survey of the research in Computational ..."