19 citations found.
Arjen K. Lenstra and Hendrik W. Lenstra, Jr., editors. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer, 1993.

This paper is cited in the following contexts:
The Two Faces of Lattices in Cryptology - Nguyen, Stern (2001)   (7 citations)  (Correct)

....since they are not adapted to currently known lattice reduction algorithms. To be useful, they would require very good lattice reduction for lattices of dimension over at least several thousands. We close this review by mentioning that current versions of the Number Field Sieve (NFS) (see [87, 36]), the best algorithm known for factoring large integers, use lattice reduction. Indeed, LLL plays a crucial role in the last stage of NFS where one has to compute an algebraic square root of a huge algebraic number given as a product of hundreds of thousands of small ones. The best algorithm ....

A. K. Lenstra and H. W. Lenstra, Jr. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993.


Quantum Computing is a Two-Trick Pony - Marjanovic (1999)   (Correct)

....to XOR. 3 in out 0 0 0 0 0 1 0 1 1 0 1 1 1 1 1 0 Table 1: The controlled NOT (CNOT) the only 2 bit gate needed for universal quantum logic. 3 Shor's factorization algorithm The asymptotically fastest known classical algorithm for prime factoring of integers is the number field sieve [8], which can factor an integer n in $O(\exp(c(\log n)^{1/3}(\log\log n)^{2/3}))$ bit operations, for some constant c. Hence, it takes time exponential in the length of n. Shor's quantum algorithm [6] can do the same job in $O((\log n)^2 (\log\log n)(\log\log\log n))$ polynomial in the length of n. We ....

A. K. Lenstra and H. W. Lenstra, Jr., editors. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer, 1993.


Factoring Integers With Large Prime Variations of the.. - Boender, Riele (1995)   (7 citations)  (Correct)

....to (1.1) then this yields a proper factor of n in at least 50 of the tries. This principle is the basis for the best known 1. Introduction 2 general factorization methods, namely, the multi polynomial quadratic sieve (MPQS [Bre89, Pom85, PST88, Sil87, RLW89] and the number field sieve (NFS [LL93]) In this paper we discuss and compare the single large prime variation (PMPQS) and the double large prime variation (PPMPQS) of MPQS, and we factor many numbers in the 66 88 decimal digits range, mainly with PPMPQS, both on SGI workstations, and on a Cray C90 vectorcomputer. PPMPQS is known ....

A.K. Lenstra and H.W. Lenstra, Jr., editors. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer--Verlag, Berlin, 1993.


Improving the Exact Security of Digital Signature Schemes - Reyzin (1999)   (6 citations)  (Correct)

....for E, and l ES and kES be the security parameters for E swap. The on line signing costs for E and E swap are the same if l ES = 2k E l 2 E ) 1=3 : 5. 1) The best known factoring algorithms take time about T (l) C exp 64 9 1=3 l 1=3 (ln l) 2=3 for some constant C [LL93]. Therefore, we will assume that factoring l bit integers generated by Gen is (C 0 T (l) 0:199; secure for some and some constant C 0 . This means that, for a large enough and small enough q sig , the E scheme is about (C 0 T (l E ) T 2 (l E ; kE ) 4q hash 6 q sig T 1 (l E ; ....

A. Lenstra and H. Lenstra, editors. The development of the number field sieve, volume 1554 of Lecture notes in Mathematics. Springer-Verlag, 1993.


Elliptic Curves and their use in Cryptography - Miller (1997)   (Correct)

....would be adversaries. For the Diffie Hellman protocol an adversary needed to solve the discrete logarithm problem, and for the RSA protocol he needed to factor large numbers. Since the time that these two papers appeared there have been significant improvements in solving both of these problems [14]. Nevertheless, solving neither problem is easy. In this paper, I discuss another, more complicated, algebraic object, known as an Elliptic Curve . Elliptic Curves have been objects of intense study by pure mathematicians for well over 100 years, and have many deep and interesting properties. ....

....the m th roots of unity, and so must be quite large almost all the time. 6 Elliptic Curves and other problems As stated above, Lenstra [15] used the properties of elliptic curves in order to give a fast algorithm for factoring integers. Unlike other fast algorithm, such as the number field sieve [14], the smaller the smallest prime divisor is, the faster the algorithm runs. In [16] Ueli Maurer, used elliptic curves to show how one could reduce the problem of calculating discrete logarithms to the Diffie Hellman problem, for some prime moduli. Later work by Maurer and Wolf [17] and Boneh and ....

Arjen K. Lenstra and Hendrik W. Lenstra, Jr., editors. The development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer--Verlag, Berlin, Heidelberg, New York, 1993.


Improving The Exact Security Of Digital Signature Schemes - Micali, Reyzin (2000)   (6 citations)  (Correct)

....T (l) C exp 64 9 1=3 l 1=3 (ln l) 2=3 3 Moreover, an optimization available to E but not to E swap is precomputing some powers of the fixed base; this requires additional memory, so we will assume it is not implemented for the purposes of this analysis. 16 for some constant C [LL93]. Therefore, we will assume that factoring l bit integers generated by Gen is (C 0 T (l) 0:199; secure for some and some constant C 0 . This means that, for a large enough and small enough q sig , the E scheme is about (C 0 T (l E ) T 2 (l E ; kE ) 4q hash 6 q sig T 1 (l E ; ....

A. Lenstra and H. Lenstra, editors. The development of the number field sieve, volume 1554 of Lecture notes in Mathematics. Springer-Verlag, 1993.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)  (Correct)

....since they are not adapted to currently known lattice reduction algorithms. To be useful, they would require very good lattice reduction for lattices of dimension over at least several thousands. We close this review by mentioning that current versions of the Number Field Sieve (NFS) (see [72, 30]), the best algorithm known for factoring large integers, use lattice reduction. Indeed, LLL plays a crucial role in the last stage of NFS where one has to compute an algebraic square root of a huge algebraic number given as a product of hundreds of thousands of small ones. The best algorithm ....

A. K. Lenstra and H. W. Lenstra, Jr. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993.


Quantum Computation Primitives - Frank (1996)   (Correct)

....idealized) quantum computer could factor large integers in polynomial time. This was an astounding discovery, since mathematicians throughout history have searched for an efficient way to factor numbers without success, since at least the time of Euclid. The best known classical algorithm [32] takes exponential time. 1 In §3 of this paper we will summarize Shor's algorithm and the discoveries leading to its development. 1 More precisely, O(exp(n 1=3 log(n 2=3 ) 1 Quantum Logic Primitives. Shor's discovery has spurred a flurry of recent activity in quantum computation ....

A. K. Lenstra and H. W. Lenstra, editors. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993.


A Realistic Security Analysis of Identification Schemes Based on.. - Poupard   (Correct)

....existing technology. Of course those two techniques are complementary and they permit to advise precisely what parameters are to be used today for a given application. In a way our work is similar in spirit to the work performed by researchers dealing with large scale factorization problems (see [6]) even if, modestly, we are dealing with much simpler math objects basically related to linear equations. In this paper, we first focus on the Shamir PKP scheme. Attacks have been proposed by Georgiades [4] Baritaud, Campana, Chauvaud, Gilbert [1] and Chauvaud, Patarin [2] and, after a ....

A. Lenstra and H. Lenstra. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993.


On Limited versus Polynomial Nondeterminism - Feige (1997)   (4 citations)  (Correct)

.... schemes with properties as described above do not exist (at least not in an asymptotic sense, if private keys are long enough) The complexity of breaking nearly linear encryption schemes would be subexponential, comparable in nature to the complexity of known factorization algorithms (see, e.g. [BLP94]) 4.2 The Plausibility of Our Challenges Challenge 1 calls for efficient algorithms for finding the maximum cliques in 4.2 1 graphs that have small cliques. Challenge 2 calls for approximating the size of the maximum clique within a factor of two. Straightforward probabilistic arguments show ....

J. P. Buhler, H. W. Lenstra, and Carl Pomerance. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, Berlin, 1994.


A Realistic Security Analysis of Identification Schemes Based on.. - Poupard   (Correct)

....technology. Of course those two techniques are complementary and they permit to advise precisely what parameters are to be used today for a given application. In a way our work is similar in spirit to the work performed by researchers dealing 2 with large scale factorization problems (see [6]) even if, modestly, we are dealing with much simpler math objects basically related to linear equations. In this paper, we first focus on the Shamir PKP scheme. Attacks have been proposed by Georgiades [4] Baritaud, Campana, Chauvaud, Gilbert [1] and Chauvaud, Patarin [2] and, after a ....

A. Lenstra and H. Lenstra. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993.


Searching for Elements in Black Box Fields and Applications - Boneh, Lipton (1996)   (3 citations)  (Correct)

....be solved in expected time L 1 3 (p) 2 o(1) exp (2 o(1) 3 q log p log log 2 p : Note: Theorem 3. 4 is a rare example where the elliptic curve method produces an algorithm with a running time of L 1=3 (p) Such running times are usually associated with the number field sieve [20]. Proof We improve the algorithm of Theorem 3.1 by using a two step algorithm. Let IF p be a black box field and let [x] 2 IF p . The idea is to generate an elliptic curve E a;b over IF p with n points such that the largest prime divisor of n is L 2=3 (p) By the smoothness assumption this can be ....

....n) Proof To simplify the exposition we assume that n is square free. This restriction can be easily lifted using methods of Pohlig and Hellman [31] which will be discussed in section 4.3 (Lemma 4. 3) Since one can factor integers in expected exp( 1 o(1) 3 q log n log 2 log n) time (see [20]) it is possible to factor the plain text ring into a direct product of finite fields: ZZ n = Q s i=1 IF p i where the p i are distinct primes. Let K e ; K d be some encryption decryption key pair. Given E(x; K e ) we wish to find x in the required time bound. For each p i we define the black box ....

[Article contains additional citation context not shown here]

A. Lenstra and H.W. Lenstra, editors. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1994.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)  Self-citation (Number)   (Correct)

....since they are not adapted to currently known lattice reduction algorithms. To be useful, they would require very good lattice reduction for lattices of dimension over at least several thousands. We close this review by mentioning that current versions of the Number Field Sieve (NFS) (see [72, 30]), the best algorithm known for factoring large integers, use lattice reduction. Indeed, LLL plays a crucial role in the last stage of NFS where one has to compute an algebraic square root of a huge algebraic number given as a product of hundreds of thousands of small ones. The best algorithm ....

A. K. Lenstra and H. W. Lenstra, Jr. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993.


An Implementation of the Number Field Sieve - Huizing (1995)   (9 citations)  Self-citation (Number Sieve)   (Correct)

No context found.

A.K. Lenstra and H.W. Lenstra, Jr. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer--Verlag, Berlin, 1993.


Factorization of a 512-bit RSA Modulus - Cavallar, Lioen, Riele, Dodson.. (2000)   (8 citations)  Self-citation (Lenstra)   (Correct)

....of the state of the art of factoring large numbers has become crucial for RSA based cryptographic applications. Since then, major algorithmic progress was marked by the publication of the Quadratic Sieve [34] in 1985, the Elliptic Curve algorithm [25] in 1987, and the Number Field Sieve in 1990 [20]. The largest factored (difficult) numbers were registered carefully, and reports of new records were invariably presented at cryptographic conferences. We mention Eurocrypt 89 (C100 1 [22] Eurocrypt 90 (C107 and C116 [23] Crypto 93 (C120, 13] Asiacrypt 94 (C129, 2] Asiacrypt 96 ....

....bit for RSA should achieve a sufficient level of security for tactical secrets for the next ten years. This is for long term secrecy purposes, for short term authenticity purposes 512 bit might suffice in this century. 3. Factoring RSA 155 We assume that the reader is familiar with NFS [20], but for convenience we briefly describe the method here. Let N be the number we wish to factor, known to be composite. There are four main steps in NFS: polynomial selection, sieving, linear algebra, and square root. The polynomial selection step selects two irreducible polynomials f 1 (x) and ....

A.K. Lenstra and H.W. Lenstra, Jr., editors. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, Berlin, 1993.


Factorization of RSA-140 Using the Number Field Sieve - Cavallar, Dodson..   (4 citations)  Self-citation (Lenstra Field)   (Correct)

.... Crypto 93 (C120, 8] Asiacrypt 94 (C129, 1] and Asiacrypt 96 (C130, 6] The 130 digit number was factored with help of the Number Field Sieve method (NFS) the others were factored using the Quadratic Sieve method (QS) For information about QS, see [21] For information about NFS, see [13]. For additional information, implementations and previous large NFS factorizations, see [9, 10, 11, 12] In this paper, we report on the factoring of RSA 140 by NFS and the implications for RSA. The number RSA 140 was taken from the RSA Challenge list [23] In Sect. 2 we estimate how far we ....

....using NFS, will turn out to be quite manageable. As a result 512 bit RSA moduli do, in our opinion, not offer more than marginal security, and should no longer be used in any serious application. 3. Factoring RSA 140 We assume that the reader is familiar with NFS [13], but for convenience we briefly describe the method here. Let N be the number we wish to factor, known to be composite. There are four main steps in NFS: polynomial selection, sieving, linear algebra, and square root. In the polynomial selection step, two irreducible polynomials f 1 (x) and f 2 ....

A.K. Lenstra and H.W. Lenstra, Jr., editors. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, Berlin, 1993.


Factorization of a 512-bit RSA Modulus - Cavallar, Dodson, Lenstra, Lioen, .. (2000)   (8 citations)  Self-citation (Lenstra)   (Correct)

....of the state of the art of factoring large numbers has become crucial for RSA based cryptographic applications. Since then, major algorithmic progress was marked by the publication of the Quadratic Sieve [34] in 1985, the Elliptic Curve algorithm [25] in 1987, and the Number Field Sieve in 1990 [20]. The largest factored (difficult) numbers were registered carefully, and reports of new records were invariably presented at cryptographic conferences. We mention Eurocrypt 89 (C100 1 [22] Eurocrypt 90 (C107 and C116 [23] Crypto 93 (C120, 13] Asiacrypt 94 (C129, 2] Asiacrypt 96 ....

....1024 bit for RSA should achieve a sufficient level of security for tactical secrets for the next ten years. This is for long term secrecy purposes, for short term authenticity purposes 512 bit might suffice in this century. 3 Factoring RSA 155 We assume that the reader is familiar with NFS [20], but for convenience we briefly describe the method here. Let N be the number we wish to factor, known to be composite. There are four main steps in NFS: polynomial selection, sieving, linear algebra, and square root. The polynomial selection step selects two irreducible polynomials f 1 (x) and ....

A.K. Lenstra and H.W. Lenstra, Jr., editors. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, Berlin, 1993.


A Simpler Sieving Device: Combining ECM and TWIRL - Geiselmann, Januszewski.. (2006)   (Correct)

No context found.

Arjen K. Lenstra and Hendrik W. Lenstra, Jr., editors. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer, 1993.


Yet Another Sieving Device - Geiselmann, Steinwandt (2003)   (Correct)

No context found.

Arjen K. Lenstra and Hendrik W. Lenstra, Jr., editors. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer, 1993.

CiteSeer.IST - Copyright Penn State and NEC