## The index calculus method using non-smooth polynomials (2001)


Venue: Mathematics of Computation

Citations: 6 (2 self)

### BibTeX

```bibtex
@ARTICLE{Garefalakis01theindex,
  author  = {Theodoulos Garefalakis and Daniel Panario},
  title   = {The index calculus method using non-smooth polynomials},
  journal = {Mathematics of Computation},
  year    = {2001},
  volume  = {70},
  pages   = {70--1253}
}
```

### Abstract

We study a generalized version of the index calculus method for the discrete logarithm problem in $\mathbb{F}_q$, where $q = p^n$, $p$ is a small prime and $n \to \infty$. The database consists of the logarithms of all irreducible polynomials of degree between given bounds; the original version of the algorithm uses a lower bound equal to one. We show theoretically that the algorithm has the same asymptotic running time as the original version. The analysis shows that the best upper limit for the interval coincides with the one for the original version. The lower limit for the interval remains a free variable of the process. We provide experimental results that indicate practical values for that bound. We also give heuristic arguments for the running time of the Waterloo variant and of the Coppersmith method with our generalized database.
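As an added illustration (not code from the paper), the following Python builds the generalized factor base over $\mathbb{F}_2$, taken here as the irreducible polynomials whose degree lies between `m2` and `m1` inclusive (so `m2 = 1` is the classical factor base), and counts how many degree-`n` polynomials are smooth over it, which shows directly what raising the lower bound costs in relation-finding probability. The inclusive reading of "between" and the choice of $p = 2$ are this example's assumptions.

```python
# Added example (not from the paper): generalized factor base over F_2 and the
# fraction of degree-n polynomials smooth over it. Polynomials are ints: bit i
# holds the coefficient of x^i, so x^3 + x + 1 is 0b1011.

def pdivmod(a, b):
    """Quotient and remainder of a divided by b in F_2[x] (b != 0)."""
    db = b.bit_length() - 1
    q = 0
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift          # add x^shift to the quotient
        a ^= b << shift          # subtract (= XOR) b * x^shift
    return q, a

def irreducibles(max_deg):
    """Monic irreducibles over F_2 of degree 1..max_deg, by trial division."""
    irr = []
    for f in range(2, 1 << (max_deg + 1)):
        deg = f.bit_length() - 1
        # f is irreducible iff no irreducible of degree <= deg/2 divides it
        if all(pdivmod(f, g)[1] for g in irr if 2 * (g.bit_length() - 1) <= deg):
            irr.append(f)
    return irr

def factor_base(m2, m1):
    """Generalized factor base: irreducibles with m2 <= degree <= m1 (bounds
    assumed inclusive here); m2 = 1 gives the classical factor base."""
    return [g for g in irreducibles(m1) if g.bit_length() - 1 >= m2]

def is_smooth(f, base):
    """True iff every irreducible factor of the nonzero polynomial f is in base."""
    for g in base:
        while True:               # divide out g as often as it goes
            q, r = pdivmod(f, g)
            if r:
                break
            f = q
    return f == 1                 # only the unit is left: fully factored over base

def smooth_count(n, m2, m1):
    """Monic degree-n polynomials over F_2 that are smooth over factor_base(m2, m1)."""
    base = factor_base(m2, m1)
    return sum(is_smooth(f, base) for f in range(1 << n, 1 << (n + 1)))

if __name__ == "__main__":
    n, m1 = 12, 6
    for m2 in (1, 2, 3, 4):      # raising the lower bound shrinks base and smooth set
        c = smooth_count(n, m2, m1)
        print(f"m2={m2}: base size {len(factor_base(m2, m1))}, "
              f"smooth fraction {c}/{2**n} = {c / 2**n:.4f}")
```

The degree-6 case can be checked by hand against the generating function $\prod (1 - z^{\deg g})^{-1}$ over the base: with bounds $[1,3]$ there are 31 smooth polynomials out of 64, with bounds $[2,3]$ only 4.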

### Citations

2717 | New directions in cryptography
- Diffie, Hellman
- 1976

Citation context: ...depends on the assumption that finding discrete logarithms is hard, at least for certain groups. For instance, the security of cryptographic applications such as the Diffie-Hellman key exchange scheme [5], ElGamal's cryptosystem [6], and pseudorandom bit generators [2, 8] depends on the current ability (or inability) to solve the discrete logarithm problem efficiently. Several groups have been proposed...

1115 | A public key cryptosystem and a signature scheme based on discrete logarithms
- Elgamal
- 1985

Citation context: ...that finding discrete logarithms is hard, at least for certain groups. For instance, the security of cryptographic applications such as the Diffie-Hellman key exchange scheme [5], ElGamal's cryptosystem [6], and pseudorandom bit generators [2, 8] depends on the current ability (or inability) to solve the discrete logarithm problem efficiently. Several groups have been proposed for the implementation of c...

604 | How to generate cryptographically strong sequences of pseudorandom bits
- Blum, Micali
- 1984

Citation context: ..., at least for certain groups. For instance, the security of cryptographic applications such as the Diffie-Hellman key exchange scheme [5], ElGamal's cryptosystem [6], and pseudorandom bit generators [2, 8] depends on the current ability (or inability) to solve the discrete logarithm problem efficiently. Several groups have been proposed for the implementation of cryptographic systems, including the mult...

284 | Elliptic curve public key cryptosystems
- Menezes
- 1993

Citation context: ...ntly. Several groups have been proposed for the implementation of cryptographic systems, including the multiplicative group of finite fields, the group of points of elliptic curves over finite fields [14], class groups of number fields [3], and function fields [15], for instance. We focus on the discrete logarithm problem in the multiplicative group of finite fields $\mathbb{F}_q$, where $q = p^n$, $p$ is a small pri...

179 | Solving sparse linear equations over finite fields
- Wiedemann
- 1986

Citation context: ...system is $4n\log p \cdot e^{(1+o(1))\left(m_1\log p + \frac{n}{m_1}\log\frac{n}{m_1}\right)} \sim e^{(1+o(1))\left(m_1\log p + \frac{n}{m_1}\log\frac{n}{m_1}\right)}$. Furthermore, if a method for sparse linear systems is used, like the method proposed by Wiedemann [18] (see also [16]), then the time for solving the system is $(4tn\log p)^2 \sim e^{(2+o(1))(m_1\log p)}$. Thus, the asymptotic running time of the first stage is given by $e^{(1+o(1))\left(m_1\log p + \frac{n}{m_1}\log\frac{n}{m_1}\right)}$ (...

89 | Fast evaluation of logarithms in fields of characteristic two
- Coppersmith
- 1984

Citation context: ...the standard factor base. The basic version of the index calculus algorithm has been rigorously analyzed [16]. In order to improve the running time of the method, several variants have been proposed [1, 4]. In Sections 4 and 5, we show that the heuristic arguments for the running time of the Waterloo algorithm and for the Coppersmith variant can be applied for our generalized version. Finally, we comme...

36 | Computing discrete logarithms in real quadratic congruence function fields of large genus
- Müller, Stein, et al.

Citation context: ...n of cryptographic systems, including the multiplicative group of finite fields, the group of points of elliptic curves over finite fields [14], class groups of number fields [3], and function fields [15], for instance. We focus on the discrete logarithm problem in the multiplicative group of finite fields $\mathbb{F}_q$, where $q = p^n$, $p$ is a small prime and $n$ is large. Lovorn Bender and Pomerance [13] present r...

24 | Discrete logarithms and their cryptographic significance
- Odlyzko
- 1985

Citation context: ...lynomials over $\mathbb{F}_p$ of degree at most $n - 1$. The breakthrough in the computation of discrete logarithms in such groups was the development of the index calculus method. The basic method has been proven [16] to run in subexponential time of the form $\exp\left(\left(\sqrt{2\log p} + o(1)\right)\sqrt{n\log n}\right)$. We revise the index calculus method in Section 2. As is shown there and is well known, the algorithm depends on find...

19 | Computing logarithms in finite fields of characteristic two
- Blake, Fuji-Hara, et al.
- 1984

Citation context: ...the standard factor base. The basic version of the index calculus algorithm has been rigorously analyzed [16]. In order to improve the running time of the method, several variants have been proposed [1, 4]. In Sections 4 and 5, we show that the heuristic arguments for the running time of the Waterloo algorithm and for the Coppersmith variant can be applied for our generalized version. Finally, we comme...

19 | Rigorous discrete logarithm computations in finite fields via smooth polynomials
- Bender, Pomerance
- 1998

Citation context: ...on fields [15], for instance. We focus on the discrete logarithm problem in the multiplicative group of finite fields $\mathbb{F}_q$, where $q = p^n$, $p$ is a small prime and $n$ is large. Lovorn Bender and Pomerance [13] present results when $p$ and $n$ both tend to infinity. Using the isomorphism $\mathbb{F}_q \cong \mathbb{F}_p[x]/(f)$, where $f$ is a monic irreducible polynomial over $\mathbb{F}_p$ of Received by the editor May 24, 1999. 2000 Mathematics ...

15 | Discrete Logarithms and Smooth Polynomials, in Finite
- Odlyzko
- 1994

14 | On the computation of discrete logarithms in class groups
- Buchmann, Düllmann
- 1991

Citation context: ...sed for the implementation of cryptographic systems, including the multiplicative group of finite fields, the group of points of elliptic curves over finite fields [14], class groups of number fields [3], and function fields [15], for instance. We focus on the discrete logarithm problem in the multiplicative group of finite fields $\mathbb{F}_q$, where $q = p^n$, $p$ is a small prime and $n$ is large. Lovorn Bender an...

9 | Rigorous, subexponential algorithms for discrete logarithms over finite fields
- Lovorn
- 1992

Citation context: ...$(1+o(1))\,m_1\log p$. $\frac{p^{m_1+1}}{p-1} - \frac{p^{m_2+1}}{p-1} + O\left(p^{m_1/2}\right)$. The quantity needed for the analysis of the algorithm is the size of the system of congruences created in the first stage. It is shown in [12] that if $4t\log p \cdot n$ linear congruences are computed, the probability that the system has full rank is at least $1/2$. 3.2. The probability of success. We now give an estimate on the number of repetition...

7 | Irreducible polynomials of given forms
- Gao, Howell, et al.
- 1999

Citation context: ...c irreducible polynomial $f$ of degree $n$ used to define the field $\mathbb{F}_{2^n}$ is of the form $f(x) = x^n + f_1(x)$, where $\deg f_1 \le \log_2 n$. Little is known about the irreducibility of this type of polynomial; see [7] for general computational experiments with sparse polynomials over $\mathbb{F}_2$ and for applications of these polynomials. There exist some values of $n$ with no irreducible polynomial of this form. On the other...

6 | Gauss Periods: Orders and Cryptographical Applications
- Gao, Gathen, et al.
- 1998

Citation context: ..., at least for certain groups. For instance, the security of cryptographic applications such as the Diffie-Hellman key exchange scheme [5], ElGamal's cryptosystem [6], and pseudorandom bit generators [2, 8] depends on the current ability (or inability) to solve the discrete logarithm problem efficiently. Several groups have been proposed for the implementation of cryptographic systems, including the mult...

3 | Polynomials over finite fields free from large and small degree irreducible factors
- Garefalakis, Panario
- 1999

Citation context: ...e is a particular case of the generalized factor base. This led us to the study of the number of polynomials over $\mathbb{F}_q$ with all their irreducible factors with degree in an interval. Our companion paper [9] provides the needed estimates; Section 3.2 summarizes the crucial results for our purposes here. In Section 3, we analyze the basic index calculus algorithm when a generalized factor base is consider...

3 | Finite Fields, volume 20 of Encyclopedia of Mathematics and its Applications
- Lidl, Niederreiter
- 1983

Citation context: ...educible polynomials over $\mathbb{F}_p$ with degree between $m_2$ and $m_1$, $m_2 < m_1$. Then, as $m_1 \to \infty$, the size $t$ of the factor base $S$ is bounded above by (1) $e^{(1+o(1))\,m_1\log p}$. Proof. It is well known (see for instance [11], Theorem 3.25) that the number $I_k$ of monic irreducible polynomials of degree $k$ over $\mathbb{F}_p$ is given by $I_k = \frac{1}{k}\sum_{d \mid k}\mu(d)\,p^{k/d} = \frac{p^k}{k} + \frac{1}{k}\sum_{d \mid k,\ d > 1}\mu(d)\,p^{k/d}$. It is easy to derive the following upper bo...

1 | A survey on factoring polynomials over finite fields
- von zur Gathen, Panario
- 2000

Citation context: ...the computation of $g^s \pmod f$ is done by repeated squaring, and takes time polynomial in $n$ and $\log p$. Moreover, the factorization of the polynomials can be done in probabilistic polynomial time (see [10] for a recent survey on the topic). Those computations introduce a multiplicative polynomial factor in the above estimate, which is absorbed in the $o(1)$ of the exponent. Let us consider now $m_1 = kn^{\alpha}$ (...