Results 1  10
of
14
Discrete logarithms in gf(p) using the number field sieve
 SIAM J. Discrete Math
, 1993
"... Recently, several algorithms using number field sieves have been given to factor a number n in heuristic expected time Ln[1/3; c], where Ln[v; c] = exp{(c + o(1))(log n) v (log log n) 1−v}, for n → ∞. In this paper we present an algorithm to solve the discrete logarithm problem for GF (p) with heur ..."
Abstract

Cited by 63 (1 self)
 Add to MetaCart
Recently, several algorithms using number field sieves have been given to factor a number n in heuristic expected time Ln[1/3; c], where Ln[v; c] = exp{(c + o(1))(log n) v (log log n) 1−v}, for n → ∞. In this paper we present an algorithm to solve the discrete logarithm problem for GF (p) with heuristic expected running time Lp[1/3; 3 2/3]. For numbers of a special form, there is an asymptotically slower but more practical version of the algorithm.
On the list and bounded distance decodability of the ReedSolomon codes
 In Proc. FOCS 2004
, 2004
"... For an errorcorrecting code and a distance bound, the list decoding problem is to compute all the codewords within a given distance to a received message. The bounded distance decoding problem is to find one codeword if there is at least one codeword within the given distance, or to output the empt ..."
Abstract

Cited by 17 (7 self)
 Add to MetaCart
For an errorcorrecting code and a distance bound, the list decoding problem is to compute all the codewords within a given distance to a received message. The bounded distance decoding problem is to find one codeword if there is at least one codeword within the given distance, or to output the empty set if there is not. Obviously the bounded distance decoding problem is not as hard as the list decoding problem. For a ReedSolomon code [n, k]q, a simple counting argument shows that for any integer 0 < g < n, there exists at least one Hamming ball of radius n−g, which contains at least � � n g−k g /q many codewords. Let ˆg(n, k, q) be the smallest positive integer g such that � � n g−k g /q < 1. One knows that k ≤ ˆg(n, k, q) ≤ √ nk ≤ n. For the distance bound up to n − √ nk, it is well known that both the list and bounded distance decoding can be solved efficiently. For the distance bound between n − √ nk and n − ˆg(n, k, q), we do not know whether the ReedSolomon code is list, or bounded distance decodable, nor do we know whether there are polynomially many codewords in all balls of the radius. It is generally believed that the answers to both questions are no. There are public key cryptosystems proposed recently, whose security is based on the assumptions. In this paper, we prove: (1) List decoding can not be done for radius n − ˆg(n, k, q) or larger, otherwise the discrete logarithm over F q ˆg(n,k,q)−k is easy. (2) Let h and g be
Discrete Logarithms and Smooth Polynomials
 Contemporary Mathematics, AMS
, 1993
"... . This paper is a survey of recent advances in discrete logarithm algorithms. Improved estimates for smooth integers and smooth polynomials are also discussed. 1. Introduction If G denotes a group (written multiplicatively), and hgi the cyclic subgroup generated by g 2 G, then the discrete logarith ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
. This paper is a survey of recent advances in discrete logarithm algorithms. Improved estimates for smooth integers and smooth polynomials are also discussed. 1. Introduction If G denotes a group (written multiplicatively), and hgi the cyclic subgroup generated by g 2 G, then the discrete logarithm problem for G is to find, given g 2 G and y 2 hgi, the smallest nonnegative integer x such that y = g x . This integer x is called the discrete logarithm of y to the base g, and is written x = log g y. The discrete log problem has been studied by number theorists for a long time. The main reason for the intense current interest in it, though, is that many public key cryptosystems depend for their security on the assumption that it is hard, at least for suitably chosen groups. With the proposed adoption of the NIST digital signature algorithm [28] (based on the ElGamal [10] and Schnorr [35] proposals), even more attention is likely to be drawn to this area. There are already several su...
Asymptotically Fast Discrete Logarithms in Quadratic Number Fields
 LNCS
, 2000
"... This article presents algorithms for computing discrete logarithms in class groups of quadratic number fields. In the case of imaginary quadratic fields, the algorithm is based on methods applied by Hafner and McCurley [HM89] to determine the structure of the class group of imaginary quadratic field ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
This article presents algorithms for computing discrete logarithms in class groups of quadratic number fields. In the case of imaginary quadratic fields, the algorithm is based on methods applied by Hafner and McCurley [HM89] to determine the structure of the class group of imaginary quadratic fields. In the case of real quadratic fields, the algorithm of Buchmann [Buc89] for computation of class group and regulator forms the basis. We employ the rigorous elliptic curve factorization algorithm of Pomerance [Pom87], and an algorithm for solving systems of linear Diophantine equations proposed and analysed by Mulders and Storjohann [MS99]. Under the assumption of the Generalized Riemann Hypothesis, we obtain for fields with discriminant d a rigorously proven time bound of L jdj [ 1 2 ; 3 4 p 2].
Comments on search procedures for primitive roots
 Math.Comp.66
, 1997
"... Abstract. Let p be an odd prime. Assuming the Extended Riemann Hypothesis, we show how to construct O((log p) 4 (log log p) −3) residues modulo p, one of which must be a primitive root, in deterministic polynomial time. Granting some wellknown character sum bounds, the proof is elementary, leading ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
Abstract. Let p be an odd prime. Assuming the Extended Riemann Hypothesis, we show how to construct O((log p) 4 (log log p) −3) residues modulo p, one of which must be a primitive root, in deterministic polynomial time. Granting some wellknown character sum bounds, the proof is elementary, leading to an explicit algorithm. 1.
Implementation Of The AtkinGoldwasserKilian Primality Testing Algorithm
 Rapport de Recherche 911, INRIA, Octobre
, 1988
"... . We describe a primality testing algorithm, due essentially to Atkin, that uses elliptic curves over finite fields and the theory of complex multiplication. In particular, we explain how the use of class fields and genus fields can speed up certain phases of the algorithm. We sketch the actual impl ..."
Abstract

Cited by 9 (7 self)
 Add to MetaCart
. We describe a primality testing algorithm, due essentially to Atkin, that uses elliptic curves over finite fields and the theory of complex multiplication. In particular, we explain how the use of class fields and genus fields can speed up certain phases of the algorithm. We sketch the actual implementation of this test and its use on testing large primes, the records being two numbers of more than 550 decimal digits. Finally, we give a precise answer to the question of the reliability of our computations, providing a certificate of primality for a prime number. IMPLEMENTATION DU TEST DE PRIMALITE D' ATKIN, GOLDWASSER, ET KILIAN R'esum'e. Nous d'ecrivons un algorithme de primalit'e, principalement du `a Atkin, qui utilise les propri'et'es des courbes elliptiques sur les corps finis et la th'eorie de la multiplication complexe. En particulier, nous expliquons comment l'utilisation du corps de classe et du corps de genre permet d'acc'el'erer les calculs. Nous esquissons l'impl'ementati...
Removing Randomness From Computational Number Theory
, 1989
"... In recent years, many probabilistic algorithms (i.e., algorithms that can toss coins) that run in polynomial time have been discovered for problems with no known deterministic polynomial time algorithms. Perhaps the most famous example is the problem of testing large (say, 100 digit) numbers for pri ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
In recent years, many probabilistic algorithms (i.e., algorithms that can toss coins) that run in polynomial time have been discovered for problems with no known deterministic polynomial time algorithms. Perhaps the most famous example is the problem of testing large (say, 100 digit) numbers for primality. Even for problems which are known to have deterministic polynomial time algorithms, these algorithms are often not as fast as some probabilistic algorithms for the same problem. Even though probabilistic algorithms are useful in practice, we would like to know, for both theoretical and practical reasons, if randomization is really necessary to obtain the most efficient algorithms for certain problems. That is, we would like to know for which problems there is an inherent gap between the deterministic and probabilistic complexities of these problems. In this research, we consider two problems of a number theoretic nature: factoring polynomials over finite fields and constructing irred...
Provable Partial Key Escrow
"... Abstract. In this paper we first propose two new concepts concerning the notion of key escrow schemes: provable partiality and independence. Roughly speaking, a scheme has provable partiality if the existence of a polynomial time for recovering the secret from escrowed information implies there is a ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. In this paper we first propose two new concepts concerning the notion of key escrow schemes: provable partiality and independence. Roughly speaking, a scheme has provable partiality if the existence of a polynomial time for recovering the secret from escrowed information implies there is a polynomial time algorithm for solving a well known intractable problem. A scheme is independent if the secret key and the escrowed information are independent. Finally, we propose a new verifiable partial key escrow scheme, based on McCurley’s encryption scheme, satisfying both of the above criteria.