## Computing discrete logarithms in real quadratic congruence function fields of large genus (1999)

Venue: Math. Comp

Citations: 36 (8 self)

### BibTeX

```bibtex
@ARTICLE{Müller99computingdiscrete,
    author = {Volker Müller and Andreas Stein and Christoph Thiel},
    title = {Computing discrete logarithms in real quadratic congruence function fields of large genus},
    journal = {Math. Comp},
    year = {1999},
    volume = {68},
    pages = {807--822}
}
```

### Abstract

The discrete logarithm problem in various finite abelian groups is the basis for some well known public key cryptosystems. Recently, real quadratic congruence function fields were used to construct a public key distribution system. The security of this public key system is based on the difficulty of a discrete logarithm problem in these fields. In this paper, we present a probabilistic algorithm with subexponential running time that computes such discrete logarithms in real quadratic congruence function fields of sufficiently large genus. This algorithm is a generalization of similar algorithms for real quadratic number fields.

### Citations

913 |
A Course in Computational Algebraic Number Theory
- Cohen
- 1996
Citation Context: ... the expected running time of these methods is $L(D)^{\sqrt{2}+o(1)}$, where $L(D) = \exp\sqrt{\log D \log\log D}$. These algorithms can also be used to find generators of principal ideals (this is explained in [1] or [6] in more detail). We will apply the ideas to real quadratic congruence function fields. Note that the analogous Riemann Hypothesis holds for function fields (see [31]). In the following, we shall alwa...

337 |
Algebraic Function Fields and Codes
- Stichtenoth
- 1993
Citation Context: ... To compute explicit bounds, we need further representations of the L-function and the ζ-function by series and products. We denote by g the genus of K. It is well-known (see for example [9], [12] or [29]) that (17) $\zeta(s, K) = Z(u, K) = \frac{\prod_{i=1}^{2g} (1 - \omega_i u)}{(1-u)(1-qu)}$, where $\omega_i = q^{\rho_i}$ ($i = 1, 2, \ldots, 2g$) and $\rho_1, \ldots, \rho_{2g}$ are zeros of $\zeta(s, K)$. Then, $1/\omega_i$ (i ...

95 |
les courbes algébriques et les variétés qui s’en déduisent
- Sur
- 1945
Citation Context: ...deals (this is explained in [1] or [6] in more detail). We will apply the ideas to real quadratic congruence function fields. Note that the analogous Riemann Hypothesis holds for function fields (see [31]). In the following, we shall always assume that the degree of D is at least 4. This is no restriction since it is known that $R = 1$ for $\deg(D) = 2$. But then the given problem can be solved in polynomial tim...

66 |
Explicit bounds for primality testing and related problems
- Bach
- 1990
Citation Context: ...t that the ideal class group Cl of a real quadratic congruence function field is generated by prime ideals of small absolute norm. In the case of real quadratic number fields, it could be proven (see [3]) that if GRH is true then the class group is generated by the classes containing prime ideals of norm at most $12(\log(\Delta))^2$, where ∆ is the discriminant. For real quadratic congruence function fields...

63 | Discrete Logarithms in GF(p) Using the Number Field Sieve
- Gordon
- 1993
Citation Context: ...ey cryptosystems are based on the difficulty of a discrete logarithm problem (DL problem) in some finite abelian group. For some groups, such as the multiplicative group $\mathbb{F}_q^*$ of a finite field (see [10]), or the class group of a real quadratic number field (see [1]), subexponential algorithms for solving the DL problem are known. Using the infrastructure of the set R of reduced principal ideals of a...

54 | Quadratische Körper im Gebiet der Höheren - Artin |

51 | A subexponential algorithm for the determination of class groups and regulators of algebraic number fields, Séminaire de Théorie des Nombres
- Buchmann
- 1988
Citation Context: ... our algorithm to compute a generator of a given principal ideal and the degree of that generator. The idea of our algorithm is similar to the algorithm of Hafner and McCurley [18] (resp. of Buchmann [4] and Abel [1]) for computing the class group and the regulator of imaginary quadratic (resp. real quadratic) number fields. In both cases, it could be proved under the assumption of the generalized Ri...

49 | The Distribution of Prime Numbers - Ingham - 1990 |

48 |
The infrastructure of a real quadratic field and its applications
- Shanks
- 1972
Citation Context: ...e set R of reduced principal ideals of a real quadratic congruence function field (that is very similar to the infrastructure of the cycle of reduced ideals of a real quadratic number field; see [5], [24], et al.), Scheidler, Stein and Williams (see [21]) recently constructed a public key distribution system. To break their system, it is sufficient to solve the following problem: given an integral bas...

36 | Die Nullstellen der Kongruenz-zetafunktionen in gewissen zyklischen Fällen - Davenport, Hasse - 1934 |

28 | Key-exchange in real quadratic congruence function fields
- Scheidler, Stein, et al.
- 1996
Citation Context: ...ratic congruence function field (that is very similar to the infrastructure of the cycle of reduced ideals of a real quadratic number field; see [5], [24], et al.), Scheidler, Stein and Williams (see [21]) recently constructed a public key distribution system. To break their system, it is sufficient to solve the following problem: given an integral basis of a reduced principal ideal A, find the degree...

25 | Number theory - Hasse - 2002 |

25 | Analytische Zahlentheorie in Körpern der Charakteristik p - Schmidt - 1931 |

24 |
Introduction to the Theory of Algebraic Numbers and Functions
- Eichler
- 1966
Citation Context: ... 1 P 1−u fP . To compute explicit bounds, we need further representations of the L-function and the ζ-function by series and products. We denote by g the genus of K. It is well-known (see for example [9], [12] or [29]) that (17) $\zeta(s, K) = Z(u, K) = \frac{\prod_{i=1}^{2g} (1 - \omega_i u)}{(1-u)(1-qu)}$, where $\omega_i = q^{\rho_i}$ ($i = 1, 2, \ldots, 2g$) and $\rho_1, \ldots, \rho_{2g}$ are zeros of $\zeta(s, K)$. ...

22 |
Lectures on the theory of algebraic functions of one variable
- Deuring
- 1973
Citation Context: ...lity is used in Section 5 to compute the expected running time of the algorithm of this paper. 1.1. Basic definitions. The following basic information about congruence function fields can be found in [7], [22], [2] and [32]. Let K/k be an algebraic congruence function field of one variable over the finite field $k = \mathbb{F}_q$ of constants of odd characteristic with q elements, and let x ∈ K be such that K is ...

19 | Rigorous discrete logarithm computations in finite fields via smooth polynomials - Bender, Pomerance - 1998 |

18 |
Cryptographic key distribution and computation in class groups
- McCurley, “Short
- 1989
Citation Context: ...e the main ideas used in our algorithm to compute a generator of a given principal ideal and the degree of that generator. The idea of our algorithm is similar to the algorithm of Hafner and McCurley [18] (resp. of Buchmann [4] and Abel [1]) for computing the class group and the regulator of imaginary quadratic (resp. real quadratic) number fields. In both cases, it could be proved under the assumptio...

18 |
Some methods for evaluating the regulator of a real quadratic function field, Experiment
- Stein, Williams
- 1999
Citation Context: ...lts on zeta functions for function fields, we can approximate the value of $h'R$ by a number Θ satisfying $h'R \le \Theta \le 2h'R$. The approximation Θ can be derived by techniques similar to those used in [28] and can be found in [27, Theorem 6.2.1]. Suppose that, using the methods of Section 2.4, we have computed values $\tilde{h}$ and $\tilde{R}$ assumed to be ideal class number and regulator. We have found a generating...

15 |
Ein Algorithmus zur Berechnung der Klassenzahl und des Regulators reellquadratischer Ordnungen, Ph.D.thesis,Universität des Saarlandes
- Abel
- 1994
Citation Context: ...ithm problem (DL problem) in some finite abelian group. For some groups, such as the multiplicative group $\mathbb{F}_q^*$ of a finite field (see [10]), or the class group of a real quadratic number field (see [1]), subexponential algorithms for solving the DL problem are known. Using the infrastructure of the set R of reduced principal ideals of a real quadratic congruence function field (that is very similar...

13 | Quadratic fields and factorization, Computational methods in number theory - Schoof - 1982 |

13 |
Baby step-giant step-Verfahren in reellquadratischen Kongruenzfunktionenkörpern mit Charakteristik ungleich 2
- Stein
- 1992
Citation Context: ...c number field, the unit group E of K is of the form $E = \mathbb{F}_q^* \times \langle \epsilon \rangle$, where $\epsilon \in K$ is a fundamental unit of K. Then, $R = \deg(\epsilon)$. 1.2. Ideals. We summarize the most important facts about ideals of O (cf. [2], [26]). Any non-zero integral ideal A of O can be written as $A = SQ\,\mathbb{F}_q[x] + (SP + S\sqrt{D})\,\mathbb{F}_q[x]$, where $S, P, Q \in \mathbb{F}_q[x]$ with $Q \mid (D - P^2)$ and $\mathrm{sgn}(S) = \mathrm{sgn}(Q) = 1$. The polynomials S and Q are uniquely determined...

13 | Short representation of quadratic integers
- Buchmann, Thiel, et al.
- 1995
Citation Context: ...of the set R of reduced principal ideals of a real quadratic congruence function field (that is very similar to the infrastructure of the cycle of reduced ideals of a real quadratic number field; see [5], [24], et al.), Scheidler, Stein and Williams (see [21]) recently constructed a public key distribution system. To break their system, it is sufficient to solve the following problem: given an integr...

12 |
Artins Theorie der quadratischen Kongruenzfunktionenkörper und ihre Anwendung auf die Berechnung der Einheiten- und Klassengruppen
- Weis, Zimmer
Citation Context: ...tion 5 to compute the expected running time of the algorithm of this paper. 1.1. Basic definitions. The following basic information about congruence function fields can be found in [7], [22], [2] and [32]. Let K/k be an algebraic congruence function field of one variable over the finite field $k = \mathbb{F}_q$ of constants of odd characteristic with q elements, and let x ∈ K be such that K is a finite, separable ...

9 | Basic Number Theory (Third Edition) - Weil - 1974 |

6 |
Trotter Jr., Hermite normal form computation using modulo determinant arithmetic, Center for Operations Research and Econometrics
- Domich, Kannan, et al.
- 1985
Citation Context: ... addition, we compute the Smith normal form of B ′ C . The computation of the Hermite normal form, the Smith normal form, and the determinant, respectively, can be done in L[5ρ], L[3ρ], L[3ρ] (see [6], [8], [18]). For computing the degree of a generator of an ideal A, we considered two situations in Section 2.3: if A splits over FC, we need time L[4ρ] for computing the degree of a generator. If the ide...

5 |
Short representation of quadratic integers”, Computational algebra and number theory, Mathematics and its applications, vol 325
- Buchmann, Thiel, et al.
- 1995
Citation Context: ...of the set R of reduced principal ideals of a real quadratic congruence function field (that is very similar to the infrastructure of the cycle of reduced ideals of a real quadratic number field; see [5], [24], et al.), Scheidler, Stein and Williams (see [21]) recently constructed a public key distribution system. To break their system, it is sufficient to solve the following problem: given an integr...

5 |
Algorithmen in reell-quadratischen Kongruenzfunktionenkörpern
- Stein
- 1996
Citation Context: ...visor with χ(P) ≠ 1 in algebraic congruence function fields. If one proceeds in the same way as Bach [3] did in the case of algebraic number fields, one obtains the same bound as in Corollary 1 (see [27]); however, since L-functions of function fields are essentially polynomials, the result can be derived more easily than in the traditional context. Theorem 2. Let χ be a character (of finite order) w...

2 | Quadratische Körper im Gebiete der höheren Kongruenzen - Artin - 1924 |

2 | Der Primdivisorsatz für algebraische Funktionenkörper über einem endlichen Konstantenkörper. Mathematische Zeitschrift 40 - Reichardt - 1936 |

1 | Renee Lovorn Bender], Rigorous, Subexponential Algorithms for Discrete Logarithms Over Finite Fields - Lovorn - 1992 |

1 |
Lineare Algebra über Z, Diploma Thesis, Universität des Saarlandes
- Müller
- 1994
Citation Context: ...hm is therefore $L[2\rho + \frac{1}{4\rho}]$. If C can be factored, i.e. $C = \prod_{i=1}^{k_C} p_i^{z_i}$, then we have $B = \prod_{i=1}^{k_C} p_i^{z_i - e_i} = \alpha A$. Finally, we have to solve (9) and to compute (10). By the techniques described in [19], this can be done in L[4ρ] operations in $\mathbb{F}_q$. We can now discuss the optimal choice for ρ. Since the computation of the generating system requires $L[2\rho + \frac{1}{4\rho}]$ operations, optimizing ρ means solving...