Computing Discrete Logarithms With The Parallelized Kangaroo Method
CACR Combinatorics and Optimization Research Report, 2001
Abstract

Cited by 8 (1 self)
The Pollard kangaroo method computes discrete logarithms in arbitrary cyclic groups. It is applied if the discrete logarithm is known to lie in a certain interval, say [a, b], and then has expected running time O(√(b − a)) group operations. In its serial version it uses very little storage. It can be parallelized with linear speedup, and in its parallelized version its storage requirements can be efficiently monitored. This makes the kangaroo method the most powerful method to solve the discrete logarithm problem in this situation. In this paper, we discuss various experimental and theoretical aspects of the method that are important for its most effective application. 1. Introduction. The security of several important public-key cryptographic systems relies on the difficulty of the discrete logarithm problem (DLP). Important examples are the Digital Signature Algorithm (DSA), which is based on the DLP in multiplicative subgroups of finite fields, or its elliptic curve analogue ECDSA, ...
Point counting on Picard curves in large characteristic
Math. Comp., 2005
Abstract

Cited by 7 (0 self)
Abstract. We present an algorithm for computing the cardinality of the Jacobian of a random Picard curve over a finite field. If the underlying field is a prime field F_p, the algorithm has complexity O(√p).
AN EXPLICIT TREATMENT OF CUBIC FUNCTION FIELDS WITH APPLICATIONS
Abstract

Cited by 3 (3 self)
Abstract. We give an explicit treatment of cubic function fields of characteristic at least five. This includes an efficient technique for converting such a field into standard form, formulae for the field discriminant and the genus, simple necessary and sufficient criteria for nonsingularity of the defining curve, and a characterization of all triangular integral bases. Our main result is a description of the signature of any rational place in a cubic extension that involves only the defining curve and the order of the base field. All these quantities only require simple polynomial arithmetic as well as a few squarefree polynomial factorizations and, in some cases, square and cube root extraction modulo an irreducible polynomial. We also illustrate why and how signature computation plays an important role in computing the class number of the function field. This in turn has applications to the study of zeros of zeta functions of function fields.
Approximating Euler products and class number computation in algebraic function fields
Abstract

Cited by 3 (3 self)
Abstract. We provide a number of results that can be used to derive approximations for the Euler product representation of the zeta function of an arbitrary algebraic function field. Three such approximations are given here. Our results have two main applications. They lead to a computationally suitable algorithm for computing the class number of an arbitrary function field. The ideas underlying the class number algorithms in turn can be used to analyze the distribution of the zeros of its zeta function.
and Tsujii’s algorithm
2010
Abstract
Abstract. We present an algorithm based on the birthday paradox, which is a low-memory parallel counterpart to the algorithm of Matsuo, Chao and Tsujii. This algorithm computes the group order of the Jacobian of a genus 2 curve over a finite field for which the characteristic polynomial of the Frobenius endomorphism is known modulo some integer. The main tool is a 2-dimensional pseudorandom walk that allows one to heuristically choose random elements in a 2-dimensional space. We analyze the expected running time based on heuristics that we validate by computer experiments. Compared with the original algorithm by Matsuo, Chao and Tsujii, we lose a factor of about 3 in running time, but the memory requirement drops from several GB to almost nothing. Our method is general and can be applied in other contexts to transform a baby-step giant-step approach into a low-memory algorithm.
Kangaroos in Side-Channel Attacks
Abstract
Abstract. Side-channel attacks are a powerful tool to discover the cryptographic secrets of a chip or other device, but only too often do they require too many traces or leave too many possible keys to explore. In this paper we show that for side-channel attacks on discrete-logarithm-based systems significantly more unknown bits can be handled by using Pollard's kangaroo method: if b bits are unknown then the attack runs in 2^(b/2) instead of 2^b. If an attacker has many targets in the same group and thus has reasons to invest in precomputation, the costs can even be brought down to 2^(b/3). Usually the separation between known and unknown key bits is not this clear cut: they are known with probabilities ranging between 100% and 0%. Enumeration and rank estimation of cryptographic keys based on partial information derived from cryptanalysis have become important tools for security evaluations. They make the line between a broken and a secure device more clear and thus help security evaluators determine how high the security of a device is. For symmetric-key cryptography there has been some recent work on key enumeration and rank estimation, but for discrete-logarithm-based systems these algorithms fail because the subkeys are not independent and the algorithms cannot take advantage of the above-mentioned faster attacks. We present enumeration as a new method to compute the rank of a key by using the probabilities together with (variations of) Pollard's kangaroo algorithm and give experimental evidence.
INTEGRAL BASES AND SIGNATURES OF CUBIC FUNCTION FIELDS, WITH APPLICATIONS
Abstract
Abstract. We give an explicit treatment of cubic function fields of characteristic at least five. This includes an efficient technique for converting such a field into standard form, formulae for the field discriminant and the genus, simple necessary and sufficient criteria for nonsingularity of the defining curve, and a characterization of all triangular integral bases. Our main result is a description of the signature of any rational place in a cubic extension that involves only the underlying curve and the order of the base field. All these quantities only require simple polynomial arithmetic as well as a few squarefree polynomial factorizations and, in some cases, square and cube root extraction modulo an irreducible polynomial. We also illustrate why and how signature computation plays an important role in computing the class number of the function field. This in turn has applications to the study of zeros of zeta functions of function fields.