H. W. Lenstra, Jr., C. Pomerance, A rigorous time bound for factoring integers, J. Amer. Math. Soc. 5 (1992), 483--516.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....methods of [68] 142] and [171] seem slower than the continued fraction method, but they have the virtue of provably nding the complete factorization of every D in subexponential average time. The Schnorr Seysen Lenstra LenstraPomerance class group method developed in [161] 164] 102] and [110] is more complicated but provably factors every composite D in average time y 2 o(1) with y as above. Each of these methods has the same outline as the continued fraction method; it is crucial to provably recognize smooth n s quickly. One can do this with the elliptic curve method or the ....

Hendrik W. Lenstra, Jr., Carl Pomerance, A rigorous time bound for factoring integers, Journal of the American Mathematical Society 5 (1992), 483-516. MR 92m:11145.

.... quantum operations, for c = 3 o(1) or c = 2 o(1) if we use fast Fourier transform techniques) Other deterministic factoring methods will factor N in O( p N) or exp(cn) steps, where c = 1=2 o(1) The best known rigorous probabilistic classical algorithm (using index calculus methods) [LP] uses exp(c(n log n) 1=2 ) elementary classical operations, c = 1 o(1) There is also an algorithm with a heuristic expected running time of exp(c(n 1=3 (log n) 2=3 ) elementary classical operations (see [MOV] for an overview and references) for c = 1:902 o(1) Thus, in terms of ....

Lenstra, H. W. Jr., and Pomerance, C.: A Rigorous Time Bound For Factoring Integers, Journal of the AMS, Volume 5, Number 2, (1992) 483-516.

....If it is a square, then we should nd an element 2 Z[ such that 2 = A new idea utilizing the LLL reduction algorithm is introduced in [17] D) Many of the run time results are not rigorous ones. Therefore a more precise analysis of computational complexity is required. See the paper [13] about this subject. E) Consider the problem to re ne the sieving stage related to the above (3C) Namely, nd an algorithm to put the square root test in the sieving stage. F) Apply the GNFS to the DLP. Recall that the NFS itself was inspired by a discrete logarithm algorithm for a prime using ....

H. W. Lenstra, C. Pomerance, A rigorous time bound for factoring integers, J. Amer. Math. Soc. 5 (1992), 483-516.

....to McCurley [McC89] who obtained the same time bound for the computation of the class group of an imaginary quadratic eld we do not have to make any assumptions on the behavior of intermediate results. For background information on quadratic elds, and their class groups we refer the reader to [LP92] and [Coh93] 2 The imaginary quadratic case Description of the Algorithm Let K be an imaginary quadratic eld of discriminant Gammad. For ease of calculation we will work with binary forms instead of ideals. We denote by Cl( Gammad) the set of PSL 2 (ZZ) equivalence classes of positive denite ....

....e 6= f jve j r log d if e 2 H, or else jve j log d IqRelation(f; a; H; r) 1. repeat 2. Draw random (ue)e2H from IN H r with the uniform distribution 3. Let f 0 = a; b; c) be the reduced form in the class f u Q e2H e ue . 4. until attempt to factor a with Algorithm 7. 2 out of [LP92] is successful where we choose y : Ld ( 1 2 ; 1 p 8 ) as upper bound for divisors of a . 5. Find with method (2.8) of [LP92] te )e2F s.th. a; b; c) Y e2F e t e ; and let te = 0 for e 2 E n F . 6. return (se)e2E , where se : 8 : u ue Gamma te if e = f , ue ....

[Article contains additional citation context not shown here]

H.W. Lenstra Jr. and C. Pomerance. A rigorous time bound for factoring integers. J. Amer. Math. Soc., 5:483516, 1992.

....0 2 O(LN 0 (ae o(1) and N N S 2 O(LN 0 (oe o(1) for some constants ae, oe 0. The assumption N 2 O (N 0 ) implies that LN (c) 2 O(LN 0 (c) o(1) Taking into account that N can be factored in expected time in O(LN (1 o(1) O(LN 0 (1 o(1) by the algorithm presented in [LP92] and introducing an exponent such that t s 2 O (n 0 ) we can specialise (3) to obtain O (L N 0 (max(1; 2ae; 1 )ae oe) o(1) In fact, the constants for all examples presented below are worse than 1 anyway, so that the need for factoring N has no influence on our running time ....

H. W. Lenstra Jr. and C. Pomerance. A rigorous time bound for factoring integers. J. Amer. Math. Soc., 5(3):483--516, 1992.

....mod r for each prime divisor l of r 1. The latter can be done in polynomial time. Primality testing and finding the integer factorization of r 1 can be both done, for any # 0, with the following number of bit operations: # O(exp[ 1 #) log 1 2 M log 1 2 log M ] probabilistically [14], # O(M 1 4 # ) deterministically [20] # O(M 1 5 # ) deterministically under the ERH [19] For a probabilistic algorithm, we select r uniformly at random in the interval [2N 1, 2M 1] then the probability of success is at least #R #[2N 1, 2M 1] # # q (2M 1) #(2N) 2M # 1 ....

H. W. Lenstra and C. Pomerance, `A rigorous time bound for factoring integers', J. Amer. Math. Soc., 5 (1992), 483--516.

....the result. Probability Distribution of the Pseudo Random Element Choice Algorithm. We show that the described algorithm for pseudorandomly choosing an element of the class group of an algebraic number field leads to a distribution that is almost uniform. Proposition 1. Theorem 5. 2 of [LP92]) Consider the imaginary quadratic number field K with discriminant Delta K 2 ZZ 0 , its class group ClK , and its class number hK = jCl K j. Let G be a generating system of ClK , a] 2 ClK . Then the number of vectors r = r( p] p]2G 2 f1; 2; j Delta K jg jGj solving Q [p]2G [p] ....

H.W. Lenstra Jr. and C. Pomerance. A rigorous time bound for factoring integers. J. Amer. Math. Soc., 5:483--516, 1992.

.... Delta log u log log u O 1 ffl log n ; 2) where u = log x log y and n is the degree of the normal closure of F over Q. For F = Q this result was proved by Pomerance [5] It was generalized to imaginary quadratic fields F by Seysen [6] 7] see also Lenstra and Pomerance [3]. Our theorem can be used to analyze the complexity of the probabilistic class group and regulator algorithm, which was presented in [1] Hazlewood [2] and others obtained results which look similar to Theorem 1. In those statements, however, the number field is fixed whereas in our theorem the ....

H.W. Lenstra jr. and C. Pomerance, A rigorous time bound for factoring integers, J. American Math. Society, 5, (1992), 483--516.

....from (n) and (n) is readily determined from the prime factorization of n. Let L(n) e p log n log log n : There is a randomized factoring algorithm with rigorous time complexityL(n) p 4=3 o(1) which appeared recently [9] and this is improved to L(n) 1 o(1) in a forthcoming paper [6]. As a function of n these complexity bounds are sublinear. 8 We know of no way to compute E 3 ; E 2 ; or E 1 in general without having to factor n. However, E 0 can be computed without factorization, in time O(log c n) for some constant c. In this special case we are able to replace ....

H. W. Lenstra, Jr. and Carl Pomerance, A rigorous time bound for factoring integers, J. Amer. Math. Soc., to appear.

.... an average case algorithm for factoring that beats any known factoring algorithm; the best known (worst case) deterministic factoring algorithm has the running time approximately 2 n=4 on n bit integers [Pol74, Str76] while the best probabilistic algorithm runs in time approximately 2 p n [LP92]. Corollary 3 If MCSP is in P, then, for any ffl 0, there is an algorithm running in time 2 n ffl that factors Blum integers well on the average. The widely believed hardness of factoring may be taken as the most compelling piece of evidence that MCSP is hard. However, we give more examples ....

H.W. Lenstra Jr. and C. Pomerance. A rigorous time bound for factoring integers. Journal of the American Mathematical Society, 5(3):483--516, 1992.

....for each prime divisor l of r Gamma 1. The latter can be done in polynomial time. Primality testing and finding the integer factorization of r Gamma 1 can be both done, for any 0, with the following number of bit operations: ffi O(exp[ 1 ) log 1=2 M log 1=2 log M ] probabilistically [8], ffi O(M 1=4 ) deterministically [15] ffi O(M 1=5 ) deterministically under the ERH [14] For a probabilistic algorithm, we select r uniformly at random in the interval [2N 1; 2M 1] then the probability of success is at least #R #[2N 1; 2M 1] a (2M 1) Gamma (2N) ....

H. W. Lenstra and C. Pomerance, "A rigorous time bound for factoring integers", J. Amer. Math. Soc., 5 (1992), 483--516.

.... partir de cette m ethode, on peut alors imaginer un algorithme de type combinaisons de congruences, dans laquelle on remplace la factorisation de nombres auxiliaires par celle de formes quadratiques [Sey87] Signalons que cette derni ere m ethode a un temps de calcul heuristique de L(N) 1 (voir [LP91] D autre part, il est aussi facile de concevoir que le probl eme du logarithme discret se pose dans le groupe H( Delta) Un algorithme de type combinaisons de congruences a et e propos e par McCurley [McC89] 4.2 Th eorie alg ebrique des nombres Un corps de nombre K = Q( est d efini comme ....

Lenstra, Jr. (H. W.) et Pomerance (Carl). -- A rigorous time bound for factoring integers. -- February 1991. Preprint.

....been proved to be L(n) c is due to Dixon [Dix81] Dixon s algorithm is unfortunately not practical. A determination of the complexity of C5 would have significance in cryptography [RSA78] Rem5 94 A great deal of progress has been made in the area of factoring integers. Lenstra and Pomerance [LP92] proved the existence of a probabilistic algorithm for factoring integers with an expected running time of Ln [1=2; 1] improving on Dixon s bound. Another interesting development was the discovery of the number field sieve. A heuristic analysis suggests that there exists a constant c 0 such ....

H. W. Lenstra, Jr. and Carl Pomerance. A rigorous time bound for factoring integers. Journal of the American Mathematical Society, 5:483--516, 1992.

....is OE(q Gamma 1) q AE 1 log log q : Therefore, with probability close to one, among say blog log q log log log qc random elements of F q there is a primitive root of this field. Combining this fact with the subexponential probabilistic integer factorization algorithm of Lenstra and Pomerance [26] we obtain a probabilistic algorithm to find a primitive root of F q in the expected time exp i Gamma 1 o(1) Delta (log q log log q) 1=2 j : 4 Problems AP1, AP2 First of all, there are several families of explicitly given polynomials which are known to be irreducible. Many of them can ....

H. W. Lenstra and C. Pomerance, `A rigorous time bound for factoring integers', J. Amer. Math. Soc., 5(1992), 483--516.

....for each prime divisor l of r Gamma 1. The latter can be done in polynomial time. Primality testing and finding the integer factorization of r Gamma 1 can be both done, for any 0, with the following number of bit operations: ffi O(exp[ 1 ) log 1=2 M log 1=2 log M ] probabilistically [14], ffi O(M 1=4 ) deterministically [20] ffi O(M 1=5 ) deterministically under the ERH [19] For a probabilistic algorithm, we select r uniformly at random in the interval [2N 1; 2M 1] then the probability of success is at least #R #[2N 1; 2M 1] q (2M 1) Gamma (2N) ....

H. W. Lenstra and C. Pomerance, `A rigorous time bound for factoring integers', J. Amer. Math. Soc., 5 (1992), 483--516.

....were invented especially for this purpose, although Simon s problem does not appear contrived and could conceivably be useful. Discrete logarithms and integer factoring are two number theory problems which have been studied extensively but for which no polynomial time algorithms are known [16, 20, 21, 26]. In fact, these problems are so widely believed to be hard that cryptosystems based on their hardness have been proposed, and the RSA public key cryptosystem [27] based on the hardness of fac2 toring, is in use. We show that these problems can be solved in BQP. Currently, nobody knows how to ....

H. W. Lenstra, Jr. and C. Pomerance, "A rigorous time bound for factoring integers," J. Amer. Math. Soc. Vol. 5, pp. 483--516 (1992).

No context found.

H. W. Lenstra, Jr., C. Pomerance, A rigorous time bound for factoring integers, J. Amer. Math. Soc. 5 (1992), 483--516.

....m 1. The best completely proved deterministic algorithm is derived from the fast factorials factoring method of Pollard and Strassen (see [22, Section 4] and it runs in time at most m 1=6 o(1) The fastest completely proved probabilistic algorithm is the class group relations method (see [21]) which runs in expected time Lm [1=2; 1 o(1) where L x [a; b] exp Gamma b(log x) a (log log x) 1 Gammaa Delta . The elliptic curve method (see [19] is conjectured to solve the problem in expected time at most Lm [1=2; p 2=3 o(1) and the number field sieve (see [5] in time ....

H. W. Lenstra, Jr., C. Pomerance, A rigorous time bound for factoring integers, J. Amer. Math. Soc. 5 (1992), 483--516.

No context found.

H.W. Lenstra jr. and C. Pomerance, A rigorous time bound for factoring integers, J. American Math. Society, 5, (1992), 483--516.

No context found.

H.W. Lenstra Jr. and C. Pomerance. A rigorous time bound for factoring integers. J. Amer. Math. Soc., 5:483516, 1992.

No context found.

H.W. Lenstra Jr. and C. Pomerance. A rigorous time bound for factoring integers. J. Amer. Math. Soc., 5:483--516, 1992.

No context found.

H.W. Lenstra Jr. and C. Pomerance. A rigorous time bound for factoring integers. Journal of the American Mathematical Society, 5(3):483-516, 1992.

No context found.

H. W. Lenstra and C. Pomerance. A rigorous time bound for factoring integers. Journal of the American Mathematical Society, 5(3):483-516, 1992.

No context found.

H. W. Lenstra, Jr. and C. Pomerance, A rigorous time bound for factoring integers, J. Amer. Math. Soc., vol. 5 (1992), pp. 483--516.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC