this paper contains a list of 36 open problems in numbertheoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new problems will emerge and old problems will lose favor. Ideally there will be other `open problems' papers in future ANTS proceedings to help guide the field. It is likely that some of the problems presented here will remain open for the forseeable future. However, it is possible in some cases to make progress by solving subproblems, or by establishing reductions between problems, or by settling problems under the assumption of one or more well known hypotheses (e.g. the various extended Riemann hypotheses, NP 6= P; NP 6= coNP). For the sake of clarity we have often chosen to state a specific version of a problem rather than a general one. For example, questions about the integers modulo a prime often have natural generalizations to arbitrary finite fields, to arbitrary cyclic groups, or to problems with a composite modulus. Questions about the integers often have natural generalizations to the ring of integers in an algebraic number field, and questions about elliptic curves often generalize to arbitrary curves or abelian varieties. The problems presented here arose from many different places and times. To those whose research has generated these problems or has contributed to our present understanding of them but to whom inadequate acknowledgement is given here, we apologize. Our list of open problems is derived from an earlier `open problems' paper we wrote in 1986 [AM86]. When we wrote the first version of this paper, we feared that the problems presented were so difficult...

A new version of Euclid’s GCD algorithm is proposed. It matches the best existing parallel integer GCD algorithms since it can be achieved in Oɛ(n / log n) time using at most n 1+ɛ processors on CRCW PRAM. 1.

A new parallel extended GCD algorithm is proposed. It matches the best existing parallel integer GCD algorithms of Sorenson and Chor and Goldreich, since it can be achieved in Oɛ(n / log n) time using at most n 1+ɛ processors on CRCW PRAM. Sorenson and Chor and Goldreich both use a modular approach which consider the least significant bits. By contrast, our algorithm only deals with the leading bits of the integers u and v, with u ≥ v. This approach is more suitable for extended GCD algorithms since the coefficients of the extended version a and b, such that au + bv = gcd(u, v), are deeply linked with the order of magnitude of the rational v/u and its continuants. Consequently, the computation of such coefficients is much easier.

A secret-sharing scheme enables a dealer to distribute a secret among n parties such that only some predefined authorized sets of parties will be able to reconstruct the secret from their shares. The (monotone) collection of authorized sets is called an access structure, and is freely identified with its characteristic monotone function f : 1}. A family of secret-sharing schemes is called efficient if the total length of the n shares is polynomial in n. Most previously known secret-sharing schemes belonged to a class of linear schemes, whose complexity coincides with the monotone span program size of their access structure. Prior to this work there was no evidence that nonlinear schemes can be significantly more efficient than linear schemes, and in particular there were no candidates for schemes efficiently realizing access structures which do not lie in NC.

We present two new algorithms for computing the Jacobi Symbol: the right-shift and left-shift k-ary algorithms. For inputs of at most n bits in length, both algorithms take O(n 2 = log n) time and O(n) space. This is asymptotically faster than the traditional algorithm, which is based in Euclid's algorithm for computing greatest common divisors. In practice, we found our new algorithms to be about two to three times faster for inputs of 100 to 1000 decimal digits in length. We also present parallel versions of both algorithms for the CRCW PRAM. One version takes O ffl (n= log log n) time using O(n 1+ffl ) processors, giving the first sublinear parallel algorithms for this problem, and the other version takes polylog time using a subexponential number of processors.

A new parallelization of Euclid’s greatest common divisor algorithm is proposed. It matches the best existing integer GCD algorithms since it can be achieved in parallel Oε(n/log n) time using only n 1+ε processors on a Priority CRCW PRAM.

Most of integer GCD algorithms use one or several basic transformations which reduce at each step the size of the inputs integers u and v.These transformations called reductions are studied in a general framework.Our investigations lead to many applications such as a new integer division and a new reduction called Modular Reduction or MR for short.This reduction is, at least theoretically, optimal on some subset of reductions, if we consider the number of bits chopped by each reductions.Although its computation is rather di cult, we suggest, as a rst attempt, a weaker version which is more e cient in time.Sequential and parallel integer GCD algorithms are designed based on this new reduction and our experiments show that it performs as well as the Weber’s version of the Sorenson’s k-ary reduction. c ○ 2003 Elsevier B.V. All rights reserved. 1.

www.elsevier.com/locate/ipl

Abstract We present a new GCD algorithm for two integers that combines both the Euclidean and the binary gcd approaches. We give its worst case time analysis and prove that its bit-time complexity is still O(n 2) for two n-bit integers. However, our preliminar experiments show that it is very fast for small integers. A parallel version of this algorithm matches the best presently known time complexity, namely O ( n log n) time with n1+ɛ, for any constant ɛ> 0.

A new parallel extended GCD algorithm is proposed. It matches the best existing parallel integer GCD algorithms of Sorenson and Chor and Goldreich, since it can be achieved in Oɛ(n / log n) time using at most n 1+ɛ processors on CRCW PRAM. Sorenson and Chor and Goldreich both use a modular approach which consider the least significant bits. By contrast, our algorithm only deals with the leading bits of the integers u and v, with u � v. This approach is more suitable for extended GCD algorithms since the coefficients of the extended version a and b, such that au + bv = gcd(u, v), are deeply linked with the order of magnitude of the rational v/u and its continuants. Consequently, the computation of such coefficients is much easier. © 2007 Elsevier B.V. All rights reserved.