Results 1-10 of 16
Faster Factoring of Integers of a Special Form
1996
Cited by 18 (0 self)
A speedup of Lenstra's Elliptic Curve Method of factorization is presented. The speedup works for integers of the form N = PQ^2, where P is a prime sufficiently smaller than Q. The result is of interest to cryptographers, since integers with secret factorization of this form are being used in digital signatures. The algorithm makes use of what we call "Jacobi signatures". We believe these to be of independent interest.
1 Introduction. It is not known how to efficiently factor a large integer N. Currently, the algorithm with best asymptotic complexity is the Number Field Sieve (see [6]). For numbers below a certain size (currently believed to be about 120 integers), either the Quadratic Sieve [14] or the Elliptic Curve Method [7] are faster. Which of these algorithms to use depends on the size of N and of the smallest prime factor of N. When the size of the smallest factor is sufficiently smaller than √N, the Elliptic Curve Method is the fastest of the three. In this no...
Security analysis of the Gennaro-Halevi-Rabin signature scheme
 IN PROCEEDINGS OF EUROCRYPT 2000
2000
Cited by 12 (3 self)
We exhibit an attack against a signature scheme recently proposed by Gennaro, Halevi and Rabin [9]. The scheme's security is based on two assumptions, namely the strong RSA assumption and the existence of a division-intractable hash-function. For the latter, the authors conjectured a security level exponential in the hash-function's digest size, whereas our attack is subexponential with respect to the digest size. Moreover, since the new attack is optimal, the length of the hash function can now be rigorously fixed. In particular, to get a security level equivalent to 1024-bit RSA, one should use a digest size of approximately 1024 bits instead of the 512 bits suggested in [9].
Factoring estimates for a 1024-bit RSA modulus
 IN: PROC. ASIACRYPT 2003, LNCS 2894
2003
Cited by 12 (6 self)
We estimate the yield of the number field sieve factoring algorithm when applied to the 1024-bit composite integer RSA-1024 and the parameters as proposed in the draft version [17] of the TWIRL hardware factoring device [18]. We present the details behind the resulting improved parameter choices from [18].
An analytic approach to smooth polynomials over finite fields
 in Algorithmic Number Theory: Third Intern. Symp., ANTS-III
1998
Cited by 11 (2 self)
We consider the largest degrees that occur in the decomposition of polynomials over finite fields into irreducible factors. We expand the range of applicability of the Dickman function as an approximation for the number of smooth polynomials, which provides precise estimates for the discrete logarithm problem. In addition, we characterize the distribution of the two largest degrees of irreducible factors, a problem relevant to polynomial factorization. As opposed to most earlier treatments, our methods are based on a combination of exact descriptions by generating functions and a specific complex asymptotic method.
Order computations in generic groups
 PHD THESIS MIT, SUBMITTED JUNE 2007. RESOURCES
2007
On Quadratic Polynomials for the Number Field Sieve
 Australian Computer Science Communications
1997
Cited by 3 (2 self)
The newest, and asymptotically the fastest known integer factorisation algorithm is the number field sieve. The area in which the number field sieve has the greatest capacity for improvement is polynomial selection. The best known polynomial selection method finds quadratic polynomials. In this paper we examine the smoothness properties of integer values taken by these polynomials. Given a quadratic NFS polynomial f, let Δ be its discriminant. We show that a prime p can divide values taken by f only if (Δ/p) = 1. We measure the effect of this residuosity property on the smoothness of f-values by adapting a parameter α, developed for analysis of MPQS, to quadratic NFS polynomials. We estimate the yield of smooth values for these polynomials as a function of α, and conclude that practical changes in α might bring significant changes in the yield of smooth and almost smooth polynomial values.
Keywords: integer factorisation, number field sieve
Arbitrarily Tight Bounds On The Distribution Of Smooth Integers
 Proceedings of the Millennial Conference on Number Theory
2002
Cited by 3 (1 self)
This paper presents lower bounds and upper bounds on the distribution of smooth integers; builds an algebraic framework for the bounds; shows how the bounds can be computed at extremely high speed using FFT-based power-series exponentiation; explains how one can choose the parameters to achieve any desired level of accuracy; and discusses several generalizations.
Approximating the number of integers without large prime factors
 Mathematics of Computation
2004
Cited by 3 (0 self)
Ψ(x, y) denotes the number of positive integers ≤ x and free of prime factors > y. Hildebrand and Tenenbaum gave a smooth approximation formula for Ψ(x, y) in the range (log x)^(1+ɛ) < y ≤ x, where ɛ is a fixed positive number ≤ 1/2. In this paper, by modifying their approximation formula, we provide a fast algorithm to approximate Ψ(x, y). The computational complexity of this algorithm is O(√((log x)(log y))). We give numerical results which show that this algorithm provides accurate estimates for Ψ(x, y) and is faster than conventional methods such as algorithms exploiting Dickman's function.
The Number of Relations in the Quadratic Sieve Algorithm
1996
Cited by 2 (0 self)
The subject of our study is the single large prime variation of the quadratic sieve algorithm. We derive a formula for the average numbers of complete and incomplete relations per polynomial, directly generated by the algorithm. The number of additional complete relations from the incomplete relations is then computed by a known formula. Hence practical hints for the optimal choice of the parameter values can be derived. We further compare theoretical estimates for the total number of smooth integers in an interval with countings in practice.
AMS Subject Classification (1991): 11A51, 11Y05
CR Subject Classification (1991): F.2.1
Keywords & Phrases: Factorization, Multiple Polynomial Quadratic Sieve, Vector supercomputer, Cluster of work stations
1. Introduction. We assume that the reader is familiar with the multiple polynomial quadratic sieve algorithm [Bre89, Pom85, PST88, Sil87, RLW89]. We consider the single large prime variation of the algorithm and write MPQS for short. If we ...