D. Coppersmith, A. M. Odlyzko, and R. Schroeppel, Discrete Logarithms in GF(p), Algorithmica 1(1): 1-15 (1986).  Home/Search   Document Not in Database   Summary   Related Articles   Check

....to be computed (given the log g (p) for p # P ) Variations. Various asymptotically faster variants of the same basic idea have been proposed that reduce the heuristic expected runtime to L p [1=2; 1] for the preparatory stage and L p [1=2; 1=2] per individual discrete logarithm; see [31, 59, 86] for details. One of these methods, the Gaussian integers method for the computation of discrete logarithms in F p is of particular interest. It not only gave Pollard the inspiration for the (special) number eld sieve integer factoring method, but it is also still of practical interest despite ....

D. Coppersmith, A.M. Odlyzko, R. Schroeppel, Discrete logarithms in GF(p), Algorithmica 1 (1986) 1-15.

....p m , where p is the characteristic of F q . In [5] G = F q , the multiplicative group of F q , was proposed as a candidate for implementing the Die Hellman key exchange system. There are probabilistic subexponential algorithms known for computing logarithms in F q when either q is a prime [4], or p is xed [3] or m is xed [7] A subexponential algorithm is an algorithm whose running time is O e (c o(1) log z) d (log log z) 1 d ; where log z is the size of the input, c is a constant, and 0 d 1. These algorithms are an asymptotic improvement on the general ....

D. Coppersmith, A. Odlyzko and R. Schroeppel, \Discrete logarithms in GF (p)", Algorithmica, 1 (1986), 1-15.

....handling of the unsieveable numbers; it may make Coppersmith s variant worthwhile for current sizes of D. The ideas behind these integer factorization methods are also used in the indexcalculus method of computing discrete logarithms in nite elds. See [175] 117] 2] 89] 26] 71] 17] [59], 100] 5] and [163] for the basic index calculus method; 158] 83] 159] 132] 160] 173] and [174] for an index calculus application of the number eld sieve; and [53] 58] 131] 115] and [7] for a function eld analogue. 4 DANIEL J. BERNSTEIN The same ideas are also used to ....

Don Coppersmith, Andrew M. Odlyzko, Richard Schroeppel, Discrete logarithms in GF(p), Algorithmica 1 (1986), 1-15. MR 87g:11167.

....digits) can be obtained. 2. Linear algebra. After sieving a very large, sparse linear system over GF(2) is obtained, and we want to find dependencies amongst the columns. It is not practical to do this by structured Gaussian elimination [25, 5] because the fill in is too large. Odlyzko [43,17] and Montgomery [37] showed that the Lanczos method [26] could be adapted for this purpose. This is nontrivial because a nonzero vector x over GF(2) can be orthogonal to itself, i.e. x T x = 0. To take advantage of bit parallel operations, Montgomery s program works with blocks of size ....

D. Coppersmith, A. Odlyzko and R. Schroeppel, Discrete logarithms in GF(p), Algorithmica 1 (1986), 1--15.

....algorithm is the basic index calculus algorithm, which applies to prime elds unchanged. If we let L = L(p) exp( 1 o(1) log p log log p) 1=2 ) then the running time for the rst phase is L p 2 , and for the second phase is L 1= p 2 (see [42] Coppersmith, Odlyzko, 9 and Schroeppel [13] proposed several algorithms, and provided heuristic arguments that they run in time L, while the second phase can be used to compute individual logarithms in time L 1=2 . The question whether an algorithm with provable running time L exists, remains open. An excellent survey of discrete ....

D. Coppersmith, A. M. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1:1-15, 1986.

....two quadratic polynomials. 7 2. Linear algebra. After sieving a very large, sparse linear system over GF(2) is obtained, and we want to nd dependencies amongst the columns. It is not practical to do this by structured Gaussian elimination [25, x5] because the ll in is too large. Odlyzko [43, 17] and Montgomery [37] showed that the Lanczos method [26] could be adapted for this purpose. This is nontrivial because a nonzero vector x over GF(2) can be orthogonal to itself, i.e. x T x = 0. To take advantage of bit parallel operations, Montgomery s program works with blocks of size ....

D. Coppersmith, A. Odlyzko and R. Schroeppel, Discrete logarithms in GF(p), Algorithmica 1 (1986), 1-15.

.... for determining the class number or discrete logarithms: The exhaustive search method, Pollard s Rho method ( Pol78] Shanks Baby Step Giant Step algorithm ( Coh95] including all variants (e.g. BJT96] the Hafner McCurley algorithm ( McC89, HM89] and the index calculus algorithms (e.g. COS ([COS86]) or NFS ( Web96] From the Brauer Siegel Theorem (see [Lan94] we know that for sufficiently large absolute value j Deltaj of the discriminant the product of regulator and class number is of the order of magnitude of p j Deltaj. As our experiments show, we already have hR p j Deltaj ....

D. Coppersmith, A.M. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1:1--15, 1986.

.... (ff 1 ) ff 2 ) Consequently, the factor bases consist of prime ideals of the ring of integers of Q(ff i ) Note that the factor base members are not element of the group in which the DL has to be computed. An early special case of the NFS, the Gaussian Integer method, has been published in [9] which we obtain by setting ZZ[ff 1 ] ZZ and ZZ[ff 2 ] to be an imaginary quadratic principal ideal ring. The relations consist of (small) pairs (c; d) 2 ZZ Theta ZZ, where the ideals (c dff 1 ) and (c dff 2 ) simultaneously split over the corresponding factor bases. The original number ....

D. Coppersmith, A. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica 1, pages 1--15, 1986.

....relation to these systems as factoring does to RSA: the security of these systems rests on the assumption that discrete logs are difficult to compute. The discrete log problem has received much attention in recent years; descriptions of some of the most efficient algorithms can be found in [47] [21], and [33] The best discrete log problems have expected running times similar to that of the best factoring algorithms. Rivest [72] has analyzed the expected time to solve discrete log both in terms of computing power and money. 4.10 Which is easier, factoring or discrete log The asymptotic ....

D. Coppersmith, A.M. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1:1--15, 1986.

....finite field GF (2 n ) e c 2 (n) 1 3 (log n) 2 3 Table 1: Running times for discrete logarithm algorithms. calculating discrete logarithms in various cyclic groups. Some of these running times are estimates based on heuristics. For further discussion and analysis of these running times see [7, 8, 15, 17] The discrete logarithm was first used in cryptography for key exchange [9] and has since found many more applications [2, 3, 6, 10, 12, 16, 18] The security of individual and simultaneous bits of the discrete logarithm has been discussed by Blum and Micali [3] Long [13] Long and Wigderson ....

D. Coppersmith, A. M. Odlyzko, and R. Schroeppel. Discrete logarithms in gf(p). Algorithmica, 1:1--15, 1986.

....the number field. In the case of finding a relation of the form c dm j h Delta (s) mod p; where N (c dff) is B 2 smooth and h is B 1 smooth, we are done. This is accomplished via a procedure similar to the lattice sieve algorithm [24] and analogous to finding the special relations in [22]. The method we use is as follows. First we find two linear combinations of m and (s) dm y (s) c 2 ZZ; d 0 m y 0 (s) c 0 2 ZZ; where c; d; c 0 ; d 0 ; y; y 0 p (s) This is done by using the extended Euclidean algorithm. Set r : c Gamma dm, r 0 : c 0 Gamma d 0 ....

A. Odlyzko, M. LaMacchia, Discrete Logarithms in GF(p), 1991

....The fastest known general algorithm for computing discrete logarithms modulo p is based on the number field sieve and has asymptotic running time O i e c(log p) 1=3 (log log p) 2=3 j for some small constant c. At present the fastest implementations of discrete logarithm algorithms (see [21]) have larger asymptotic running time (both exponents 1=3 and 2=3 in the above formula must be replaced by 1=2) Computing discrete logarithms modulo a prime seems at present to be infeasible for primes of more than 120 digits. We refer to [59] and [52] for a discussion of discrete logarithm ....

D. Coppersmith, A.M. Odlyzko and R. Schroeppel, Discrete Logarithms in GF (p), Algorithmica, Vol. 1, pp. 1-15, 1986.

....number of operations required to decrypt individual ciphertexts at the cost of increasing the number of uses of A s decryption facility, and vice versa. The importance of this result is that the best currently known algorithms for factoring integers of the same size as n require L bit operations [2,8,9]. The memory required is L 1 2 bits for our attack, although it can be a very slow memory, such as a tape. Some factoring algorithms require negligible memory, while others also require L 1 2 . Therefore our attack on the RSA cryptosystem, although based on very special assumptions, appears ....

....to be required. However, as we note at the end of the next section, in practical situations the necessary increase in the modulus size is likely to be quite small. 2. The attack Our attack is a modification of an algorithm used for computing discrete logarithms in fields GF(p) for p a prime [2]. Many of the number theoretic estimates that we utilize can be found there and in [11] Let a 0 be fixed, and let k = n 1 2 . In the first stage we utilize user A s decrypting facility to obtain x D (mod n) for all x e S = S 1 S 2 , where S 1 = p: p L a , p a prime , 2.1) S 2 = ....

[Article contains additional citation context not shown here]

D. Coppersmith, A. M. Odlyzko, and R. Schroeppel, Discrete logarithms in GF(p), Algorithmica, to appear.

....that take advantage of this sparsity and operate faster than general ones. The introduction of structured Gaussian elimination [Odlyzko1] designed to produce smaller linear systems to be solved by other methods) and of the finite field versions of the Lanczos and conjugate gradient algorithms [CoppersmithOS, Odlyzko1], and the subsequent discovery of the Wiedemann algorithm [Wiedemann] led to a reduction in the estimates of the difficulty of the equation solving phase. However, practice lagged behind theory for a long time. Although large scale simulations with the structured Gaussian elimination had been ....

.... p does not have any special structure, the record is held by Weber [Weber] for an attack with the general number field sieve on a prime of 85 decimal digits, and by Joux and Lercier (May 26, 1998 email announcement [NMBRTHRY] on a prime of 90 decimal digits with the Gaussian integer method of [CoppersmithOS]. As in other survey papers, it is appropriate to warn that to obtain a proper estimate of security of discrete log problems it is better to consider what has been done in integer factorization. Much more effort has been devoted to that subject than to discrete logs, and most of the leading ....

D. Coppersmith, A. Odlyzko, and R. Schroeppel, Discrete logarithms in GF (p), Algorithmica 1 (1986), 1--15.

No context found.

D. Coppersmith, A. M. Odlyzko, and R. Schroeppel, Discrete Logarithms in GF(p), Algorithmica 1(1): 1-15 (1986).

No context found.

D. Coppersmith, A.M. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1:1-15, 1986.

No context found.

D. Coppersmith, A. Odlyzko, R. Schroeppel, Discrete logarithms in GF(p), Algorithmica 1, pp. 1--15, 1986

No context found.

A. Odlyzko, M. LaMacchia, Discrete Logarithms in GF(p), 1991

No context found.

D. Coppersmith, A. Odlyzko, R. Schroeppel, Discrete Logarithms in GF(p), Algorithmica 1, pp. 1--15, 1986

No context found.

D. Coppersmith, A. Odlyzko, R. Schroeppel, Discrete Logarithms in GF(p) , Algorithmica 1, 1986, pp. 1--15

No context found.

D. Coppersmith, A. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica 1, pages 1--15, 1986.

No context found.

D. Coppersmith, A. Odlyzko and R. Schroeppel, \Discrete logarithms in GF (p)", Algorithmica, 1 (1986), 1-15.

No context found.

D. Coppersmith, A.M. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1:1-15, 1986.

No context found.

D. Coppersmith, A.M. Odlyzko, and R. Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1:1-15, 1986.

No context found.

D. Coppersmith, A. Odlyzko, R. Schroeppel, Discrete Logarithms in GF(p), Algorithmica 1, pp. 1--15, 1986

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC