Results 1–10 of 10
Subquadratic-time factoring of polynomials over finite fields
Math. Comp., 1998
Cited by 67 (11 self)
Abstract. New probabilistic algorithms are presented for factoring univariate polynomials over finite fields. The algorithms factor a polynomial of degree n over a finite field of constant cardinality in time O(n^1.815). Previous algorithms required time Θ(n^(2+o(1))). The new algorithms rely on fast matrix multiplication techniques. More generally, to factor a polynomial of degree n over the finite field F_q with q elements, the algorithms use O(n^1.815 log q) arithmetic operations in F_q. The new "baby step/giant step" techniques used in our algorithms also yield new fast practical algorithms at superquadratic asymptotic running time, and subquadratic-time methods for manipulating normal bases of finite fields.
Circuit Minimization Problem
In ACM Symposium on Theory of Computing (STOC), 1999
Cited by 26 (1 self)
We study the complexity of the circuit minimization problem: given the truth table of a Boolean function f and a parameter s, decide whether f can be realized by a Boolean circuit of size at most s. We argue why this problem is unlikely to be in P (or even in P/poly) by giving a number of surprising consequences of such an assumption. We also argue that proving this problem to be NP-complete (if it is indeed true) would imply proving strong circuit lower bounds for the class E, which appears beyond the currently known techniques. Keywords: hard Boolean functions, derandomization, natural properties, NP-completeness. 1 Introduction. An n-variable Boolean function f_n : {0,1}^n → {0,1} can be given by either its truth table of size 2^n, or a Boolean circuit whose size may be significantly smaller than 2^n. It is well known that most Boolean functions on n variables have circuit complexity at least 2^n/n [Sha49], but so far no family of sufficiently hard functions has ...
Linear recurrences with polynomial coefficients and computation of the Cartier–Manin operator on hyperelliptic curves
In International Conference on Finite Fields and Applications (Toulouse), 2004
Cited by 21 (8 self)
Abstract. We study the complexity of computing one or several terms (not necessarily consecutive) in a recurrence with polynomial coefficients. As applications, we improve the best currently known upper bounds for factoring integers deterministically and for computing the Cartier–Manin operator of hyperelliptic curves.
Fast algorithms for polynomial solutions of linear differential equations
In Proceedings of ISSAC '05, 2005
Cited by 13 (5 self)
"If one confined oneself to asking for the polynomial integrals, the problem would present no difficulty." Joseph Liouville, 1833. We investigate polynomial solutions of homogeneous linear differential equations with coefficients that are polynomials with integer coefficients. The problems we consider are the existence of nonzero polynomial solutions, the determination of the dimension of the vector space of polynomial solutions, and the computation of a basis of this space. Previous algorithms have a bit complexity that is at least quadratic in an integer N (that can be computed from the equation), even for merely detecting the existence of nonzero polynomial solutions. We give a deterministic algorithm that computes a compact representation of a basis of polynomial solutions in O(N log^3 N) bit operations. We also give a probabilistic algorithm that computes the dimension of the space of polynomial solutions in O(√N log^2 N) bit operations. In general, the integer N is not bounded polynomially in the bit size of the input differential equation. We isolate a class of equations for which detecting nonzero polynomial solutions can be performed in polynomial complexity. We discuss implementation issues and possible extensions.
Order computations in generic groups
PhD thesis, MIT, submitted June 2007
Faster Algorithms for Approximate Common Divisors: Breaking Fully-Homomorphic-Encryption Challenges over the Integers
In Eurocrypt 2012
Cited by 7 (0 self)
At EUROCRYPT '10, van Dijk, Gentry, Halevi and Vaikuntanathan presented simple fully-homomorphic encryption (FHE) schemes based on the hardness of approximate integer common divisors problems, which were introduced in 2001 by Howgrave-Graham. There are two versions for these problems: the partial version (PACD) and the general version (GACD). The seemingly easier problem PACD was recently used by Coron, Mandal, Naccache and Tibouchi at CRYPTO '11 to build a more efficient variant of the FHE scheme by van Dijk et al. We present a new PACD algorithm whose running time is essentially the "square root" of that of exhaustive search, which was the best attack in practice. This allows us to experimentally break the FHE challenges proposed by Coron et al. Our PACD algorithm directly gives rise to a new GACD algorithm, which is exponentially faster than exhaustive search: namely, the running time is essentially the 3/4th root of that of exhaustive search. Interestingly, our main technique can also be applied to other settings, such as noisy factoring, fault attacks on CRT-RSA signatures, and attacking low-exponent RSA encryption.
A Search for Wieferich and Wilson Primes
Mathematics of Computation, 1997
Cited by 6 (0 self)
Abstract. An odd prime p is called a Wieferich prime if 2^(p−1) ≡ 1 (mod p^2); alternatively, a Wilson prime if (p − 1)! ≡ −1 (mod p^2). To date, the only known Wieferich primes are p = 1093 and 3511, while the only known Wilson primes are p = 5, 13, and 563. We report that there exist no new Wieferich primes p < 4×10^12, and no new Wilson primes p < 5×10^8. It is elementary that both defining congruences above hold merely (mod p), and it is sometimes estimated on heuristic grounds that the "probability" that p is Wieferich (independently: that p is Wilson) is about 1/p. We provide some statistical data relevant to occurrences of small values of the pertinent Fermat and Wilson quotients (mod p). Wieferich primes figure strongly in classical treatments of the first case of Fermat's Last Theorem ("FLT(I)"). For an odd prime p not dividing xyz, Wieferich
Old and New Deterministic Factoring Algorithms
 In Cohen [1
, 1996
"... this paper, two more O(n ..."
On the Ultimate Complexity of Factorials
Proc. 20th Intern. Symp. on Theoretical Aspects of Comp. Sci., Lect. Notes in Comp. Sci., 2003
Cited by 3 (0 self)
It has long been observed that certain factorization algorithms provide a way to write the product of a lot of integers succinctly. In this paper, we study the problem of representing the product of all integers from 1 to n (n!) by straight-line programs. Formally, we say that a sequence of integers a_n is ultimately f(n)-computable if there exists a nonzero integer sequence m_n such that for any n, a_n m_n can be computed by a straight-line program (using only additions, subtractions and multiplications) of length at most f(n). Shub and Smale [12] showed that if n! is ultimately hard to compute, then the algebraic version of NP ≠ P is true.
Few Product Gates but Many Zeros
Abstract. A d-gem is a {+, −, ×}-circuit having very few ×-gates and computing from {x} ∪ Z a univariate polynomial of degree d having d distinct integer roots. We introduce d-gems because they could help factoring integers and because their existence for infinitely many d would blatantly disprove a variant of the Blum–Cucker–Shub–Smale conjecture. A natural step towards validating the conjecture would thus be to rule out d-gems for large d. Here we construct d-gems for several values of d up to 55. Our 2^n-gems for n ≤ 4 are skew, that is, each {+, −}-gate adds an integer. We prove that skew 2^n-gems, if they exist, require n {+, −}-gates, and that these for n ≥ 5 would imply new solutions to the Prouhet–Tarry–Escott problem in number theory. By contrast, skew d-gems over the real numbers are shown to exist for every d.