Results 1 - 6 of 6
Computing Hilbert class polynomials with the Chinese Remainder Theorem, 2010
Cited by 18 (1 self)
We present a space-efficient algorithm to compute the Hilbert class polynomial H_D(X) modulo a positive integer P, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses O(|D|^(1/2+ε) log P) space and has an expected running time of O(|D|^(1+ε)). We describe practical optimizations that allow us to handle larger discriminants than other methods, with |D| as large as 10^13 and h(D) up to 10^6. We apply these results to construct pairing-friendly elliptic curves of prime order, using the CM method.

The MD6 hash function: A proposal to NIST for SHA-3, 2008
Cited by 3 (1 self)
This report describes and analyzes the MD6 hash function and is part of our submission package for MD6 as an entry in the NIST SHA-3 hash function competition. Significant features of MD6 include:
• Accepts input messages of any length up to 2^64 − 1 bits, and produces message digests of any desired size from 1 to 512 bits, inclusive, including

A GENERIC APPROACH TO SEARCHING FOR JACOBIANS
MATHEMATICS OF COMPUTATION, 2009
Cited by 1 (1 self)
We consider the problem of finding cryptographically suitable Jacobians. By applying a probabilistic generic algorithm to compute the zeta functions of low genus curves drawn from an arbitrary family, we can search for Jacobians containing a large subgroup of prime order. For a suitable distribution of curves, the complexity is subexponential in genus 2, and O(N^(1/12)) in genus 3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime fields with group orders over 180 bits in size, improving previous results. Our approach is particularly effective over low-degree extension fields, where in genus 2 we find Jacobians over F_{p^2} and trace zero varieties over F_{p^3} with near-prime orders up to 372 bits in size. For p = 2^61 − 1, the average time to find a group with 244-bit near-prime order is under an hour on a PC.

STRUCTURE COMPUTATION AND DISCRETE LOGARITHMS IN FINITE ABELIAN p-GROUPS
Cited by 1 (0 self)
Abstract. We present a generic algorithm for computing discrete logarithms in a finite abelian p-group H, improving the Pohlig–Hellman algorithm and its generalization to noncyclic groups by Teske. We then give a direct method to compute a basis for H without using a relation matrix. The problem of computing a basis for some or all of the Sylow p-subgroups of an arbitrary finite abelian group G is addressed, yielding a Monte Carlo algorithm to compute the structure of G using O(|G|^(1/2)) group operations. These results also improve generic algorithms for extracting pth roots in G.

A LOW-MEMORY ALGORITHM FOR FINDING SHORT PRODUCT REPRESENTATIONS IN FINITE GROUPS
Cited by 1 (0 self)
Abstract. We describe a space-efficient algorithm for solving a generalization of the subset sum problem in a finite group G, using a Pollard-ρ approach. Given an element z and a sequence of elements S, our algorithm attempts to find a subsequence of S whose product in G is equal to z. For a random sequence S of length d log_2 n, where n = #G and d ⩾ 2 is a constant, we find that its expected running time is O(√n log n) group operations (we give a rigorous proof for d > 4), and it only needs to store O(1) group elements. We consider applications to class groups of imaginary quadratic fields, and to finding isogenies between elliptic curves over a finite field.

18.783 Elliptic Curves Spring 2013 Lecture #10 03/12/2013
10.1 The discrete logarithm problem
In its most standard form, the discrete logarithm problem (DLP) is stated as follows: Given α ∈ G and β ∈ 〈α〉, find the least positive integer x such that α^x = β. In additive notation, we want xα = β. In any case, we call x the discrete logarithm of β with respect to the base α, denoted by log_α β. We can formulate a slightly stronger version of the problem: Given α, β ∈ G, compute log_α β if β ∈ 〈α〉, otherwise, report that β ∉ 〈α〉. This can be a significantly harder problem. For example, say we are using a randomized (Las Vegas) algorithm. If β lies in 〈α〉 then we are guaranteed to eventually find log_α β, but if not, we will never find it and it may be impossible to tell whether we are just very unlucky or β ∉ 〈α〉. On the other hand, with a deterministic algorithm such as the baby-steps giant-steps method, we can unequivocally determine whether β lies in 〈α〉 or not. There is also a generalization called the extended discrete logarithm: Given α, β ∈ G, determine the least positive integer y such that β^y ∈ 〈α〉, and then output the pair (x, y), where x = log_α β^y.