Results 1  10
of
22
A tale of two sieves
 Notices Amer. Math. Soc
, 1996
"... It is the best of times for the game of factoring large numbers into their prime factors. In 1970 it was barely possible to factor “hard ” 20digit numbers. In 1980, in the heyday of the BrillhartMorrison continued fraction factoring algorithm, factoring of 50digit numbers was becoming commonplace ..."
Abstract

Cited by 39 (2 self)
 Add to MetaCart
It is the best of times for the game of factoring large numbers into their prime factors. In 1970 it was barely possible to factor “hard ” 20digit numbers. In 1980, in the heyday of the BrillhartMorrison continued fraction factoring algorithm, factoring of 50digit numbers was becoming commonplace. In 1990 my own quadratic sieve factoring algorithm had doubled the length of the numbers that could be factored, the record having 116 digits. By 1994 the quadratic sieve had factored the famous 129digit RSA challenge number that had been estimated in Martin Gardner’s 1976 Scientific American column to be safe for 40 quadrillion years (though other estimates around then were more modest). But the quadratic sieve is no longer the champion. It was replaced by Pollard’s number field sieve in the spring of 1996, when that method successfully split a 130digit RSA challenge number in about 15 % of the time the quadratic sieve would have taken. In this article we shall briefly meet these factorization algorithms—these two sieves—and some of the many people who helped to develop them. In the middle part of this century, computational issues seemed to be out of fashion. In most books the problem of factoring big numbers
Computation of Discrete Logarithms in Prime Fields
 Design, Codes and Cryptography
, 1991
"... The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF (p) with p a prime of 192 bits. This paper describe ..."
Abstract

Cited by 38 (1 self)
 Add to MetaCart
The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF (p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested. 1. Introduction If p is a prime and g and x integers, then computation of y such that y j g x mod p; 0 y p \Gamma 1 (1.1) is referred to as discrete exponentiation. Using the successive squaring method, it is very fast (polynomial in the number of bits of jpj + jgj + jxj). On the other hand, the inverse problem, namely, given p; g, and y, to compute some x such that Equation 1.1 holds, which is referred to as the discrete logarithm problem, appears to be quite hard in general. Many of the mos...
Batch RSA
, 1996
"... We present a variant of the RSA algorithm called Batch RSA with two important properties: • The cost per private operation is exponentially smaller than other number theoretic schemes ([9, 23, 22, 11, 13, 12], etc.). In practice, the new variant effectively performs several modular exponentiati ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
We present a variant of the RSA algorithm called Batch RSA with two important properties: • The cost per private operation is exponentially smaller than other number theoretic schemes ([9, 23, 22, 11, 13, 12], etc.). In practice, the new variant effectively performs several modular exponentiations at the cost of a single modular exponentiation. This leads to a very fast RSAlike scheme whenever RSA is to be performed at some central site or when pureRSA encryption (vs. hybrid encryption) is to be performed. • An additional important feature of Batch RSA is the possibility of using a distributed Batch RSA process that isolates the private key from the system, irrespective of the size of the system, the number of sites, or the number of private operations that need be performed.
Open Problems in Number Theoretic Complexity, II
"... this paper contains a list of 36 open problems in numbertheoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new ..."
Abstract

Cited by 26 (0 self)
 Add to MetaCart
this paper contains a list of 36 open problems in numbertheoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new problems will emerge and old problems will lose favor. Ideally there will be other `open problems' papers in future ANTS proceedings to help guide the field. It is likely that some of the problems presented here will remain open for the forseeable future. However, it is possible in some cases to make progress by solving subproblems, or by establishing reductions between problems, or by settling problems under the assumption of one or more well known hypotheses (e.g. the various extended Riemann hypotheses, NP 6= P; NP 6= coNP). For the sake of clarity we have often chosen to state a specific version of a problem rather than a general one. For example, questions about the integers modulo a prime often have natural generalizations to arbitrary finite fields, to arbitrary cyclic groups, or to problems with a composite modulus. Questions about the integers often have natural generalizations to the ring of integers in an algebraic number field, and questions about elliptic curves often generalize to arbitrary curves or abelian varieties. The problems presented here arose from many different places and times. To those whose research has generated these problems or has contributed to our present understanding of them but to whom inadequate acknowledgement is given here, we apologize. Our list of open problems is derived from an earlier `open problems' paper we wrote in 1986 [AM86]. When we wrote the first version of this paper, we feared that the problems presented were so difficult...
On the security of the tor authentication protocol
 In Proceedings of the Sixth Workshop on Privacy Enhancing Technologies (PET 2006
, 2006
"... Abstract. Tor is a popular anonymous Internet communication system, used by an estimated 250,000 users to anonymously exchange over five terabytes of data per day. The security of Tor depends on properly authenticating nodes to clients, but Tor uses a custom protocol, rather than an established one, ..."
Abstract

Cited by 19 (5 self)
 Add to MetaCart
Abstract. Tor is a popular anonymous Internet communication system, used by an estimated 250,000 users to anonymously exchange over five terabytes of data per day. The security of Tor depends on properly authenticating nodes to clients, but Tor uses a custom protocol, rather than an established one, to perform this authentication. In this paper, we provide a formal proof of security of this protocol, in the random oracle model, under reasonable cryptographic assumptions. 1
Discrete Logarithms and Smooth Polynomials
 Contemporary Mathematics, AMS
, 1993
"... . This paper is a survey of recent advances in discrete logarithm algorithms. Improved estimates for smooth integers and smooth polynomials are also discussed. 1. Introduction If G denotes a group (written multiplicatively), and hgi the cyclic subgroup generated by g 2 G, then the discrete logarith ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
. This paper is a survey of recent advances in discrete logarithm algorithms. Improved estimates for smooth integers and smooth polynomials are also discussed. 1. Introduction If G denotes a group (written multiplicatively), and hgi the cyclic subgroup generated by g 2 G, then the discrete logarithm problem for G is to find, given g 2 G and y 2 hgi, the smallest nonnegative integer x such that y = g x . This integer x is called the discrete logarithm of y to the base g, and is written x = log g y. The discrete log problem has been studied by number theorists for a long time. The main reason for the intense current interest in it, though, is that many public key cryptosystems depend for their security on the assumption that it is hard, at least for suitably chosen groups. With the proposed adoption of the NIST digital signature algorithm [28] (based on the ElGamal [10] and Schnorr [35] proposals), even more attention is likely to be drawn to this area. There are already several su...
Analysis of Bernstein's Factorization Circuit
, 2002
"... In [1], Bernstein proposed a circuitbased implementation of the matrix step of the number field sieve factorization algorithm. These circuits o er an asymptotic cost reduction under the measure "construction cost × run time". We evaluate the cost of these circuits, in agreement with [1], but ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
In [1], Bernstein proposed a circuitbased implementation of the matrix step of the number field sieve factorization algorithm. These circuits o er an asymptotic cost reduction under the measure "construction cost × run time". We evaluate the cost of these circuits, in agreement with [1], but argue that compared to previously known methods these circuits can factor integers that are 1.17 times larger, rather than 3.01 as claimed (and even this, only under the nonstandard cost measure).
Factoring estimates for a 1024bit RSA modulus
 IN: PROC. ASIACRYPT 2003, LNCS 2894
, 2003
"... We estimate the yield of the number field sieve factoring algorithm when applied to the 1024bit composite integer RSA1024 and the parameters as proposed in the draft version [17] of the TWIRL hardware factoring device [18]. We present the details behind the resulting improved parameter choices f ..."
Abstract

Cited by 12 (6 self)
 Add to MetaCart
We estimate the yield of the number field sieve factoring algorithm when applied to the 1024bit composite integer RSA1024 and the parameters as proposed in the draft version [17] of the TWIRL hardware factoring device [18]. We present the details behind the resulting improved parameter choices from [18].
Key Length
 CONTRIBUTION TO “THE HANDBOOK OF INFORMATION SECURITY"
, 2004
"... The key length used for a cryptographic protocol determines the highest security it can offer. If the key is found or ‘broken’, the security is undermined. Thus, key lengths must be chosen in accordance with the desired security. In practice, key lengths are mostly determined by standards, legacy sy ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
The key length used for a cryptographic protocol determines the highest security it can offer. If the key is found or ‘broken’, the security is undermined. Thus, key lengths must be chosen in accordance with the desired security. In practice, key lengths are mostly determined by standards, legacy system compatibility issues, and vendors. From a theoretical point of view selecting key lengths is more involved. Understanding the relation between security and key lengths and the impact of anticipated and unexpected cryptanalytic progress, requires insight into the design of the cryptographic methods and the mathematics involved in the attempts at breaking them. In this chapter practical and theoretical aspects of key size selection are discussed.