Kevin S. McCurley. The discrete logarithm problem. In Carl Pomerance, editor, Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia in Applied Mathematics, pages 49--74, Providence, 1990. American Mathematical Society.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....Blake et al. 4] and Coppersmith [6] show how to compute discrete logarithms fast in 1F27. Odlyzko s excellent survey [20] analyzes values of n such that discrete logarithms in IF2 are probably secure. There was some interest in producing data encryption processor chips for the case n = 593 (see [19], p. 69) As we can see, some cases when the degree n of the extension is a prime number p are of practical interest. On the other hand, the case n = pp2 for primes p,p2, has also received some attention. For instance, Agnew et al. 1] presented an implementation of elliptic curve cryptosystem ....

K.S. MCCURLEY. The discrete logarithm problem. In Proc. of Symposia in Applied Mathematics, pages 49-74. American Mathematical Society, 1990.

....that is, the unique non negative integer u with g u # x (mod p) 0 # u # p 2. The importance of the discrete logarithm for modern cryptography is well known, see [13, 23] Surveys of many e#cient algorithms (including heuristic ones) for computing the discrete logarithm can be found in [1, 10, 11, 13, 17, 18, 20, 21, 23]. Some algebraic and number theoretic characteristics of the discrete logarithm, including the degree of its polynomial representation and linear complexity have been studied in [2, 4, 5, 6, 7, 8, 9, 14, 16, 22, 24] Nevertheless, despite the recent theoretical and practical progress in studying ....

K. S. McCurley, `The discrete logarithm problem', Proc. Symp. in Appl. Math., Amer. Math. Soc., Providence, RI, 42 (1990), 49--74.

....of computing discrete logarithms in nite elds. See [175] 117] 2] 89] 26] 71] 17] 59] 100] 5] and [163] for the basic index calculus method; 158] 83] 159] 132] 160] 173] and [174] for an index calculus application of the number eld sieve; and [53] 58] 131] [115], and [7] for a function eld analogue. 4 DANIEL J. BERNSTEIN The same ideas are also used to compute class groups and regulators of number elds. See [87] 38] 39] 90] and [40] Acknowledgments. Thanks to Carl Pomerance for drawing my attention to the unsieveable integers in [54] Thanks ....

Kevin S. McCurley, The discrete logarithm problem, in [143] (1990), 49-74. MR 92d:11133.

....Square Exponent, Inverse Exponent. 1 Introduction Most modern cryptographic algorithms rely on assumptions on the computational di#culty of some particular number theoretic problem. One well known class of assumptions is related to the di#culty of computing discrete logarithms in cyclic groups [1]. In this class a number of variants exists. The most prominent ones besides Discrete Logarithm (DL) itself are the computational and decisional Di#e Hellman (DH) assumptions [2, 3, 4] and their generalization [5, 6] Less known assumptions are Matching Di#e Hellman [7, 8] Square Exponent 1 ....

Kevin S. McCurley. The discrete logarithm problem. In Carl Pomerance, editor, Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia in Applied Mathematics, pages 49--74, Providence, 1990. American Mathematical Society.

....due to Pollard [31] with no 2 rigorously proven running time) are the fastest known dicrete logarithm algorithms for general groups. For special groups such as the multiplicative group of a finite field, more efficient algorithms, namely the index calculus methods, are known. We refer to [26] for a detailed discussion of the discrete logarithm problem and algorithms for solving it. We now describe a method, due to Pohlig and Hellman [30] which allows to reduce the computation of discrete logarithms to the same problem in certain subgroups. Let H be a cyclic group with generator h ....

K.S. McCurley, The discrete logarithm problem, in Cryptology and computational number theory, C. Pomerance (ed.), Proc. of Symp. in Applied Math., vol. 42, pp. 49-74, American Mathematical Society, 1990. 29

....from g s A (g s B ) first. Definition 2 Let G be a finite cyclic group generated by g. The problem of computing from a 2 G a number s such that g s = a is called the discrete logarithm problem (DL problem) with respect to g. For a detailed discussion of the discrete logarithm problem, see [39] or Odlyzko s paper in this issue. For many groups it is not known whether the most efficient way of solving the DH problem is by solving the DL problem first. It is also unknown whether there exist groups for which the DH problem is substantially easier than the DL problem. This question is ....

....prime field for instance is based on the fact that the group elements of Z p can be interpreted as integers, which can be easily factored when they consist only of small prime factors. For a description of these methods we refer to the survey article on the discrete logarithm problem by McCurley [39] and the references therein, and to Odlyzko s paper in this issue. For certain groups however the fastest known algorithms for solving the DL problem are the general purpose algorithms described above. Examples of such groups are non supersingular elliptic curves and Jacobians of hyperelliptic ....

K. S. McCurley, The discrete logarithm problem, in Cryptology and computational number theory, C. Pomerance (Ed.), Proc. of Symp. in Applied Math., Vol. 42, pp. 49--74, American Mathematical Society, 1990.

....discrete logarithms. Throughout this paper, we have assumed that the group order and its factorization are known. This is the case in most known applications. It is conceivable that knowledge of jGj could be of some help in computing discrete logarithms. For example, the algorithm of Pollard (see [15]) requires knowledge of the group order. For the case of unknown factorization of the group order, note that in some cases the parameters of a smooth auxiliary group H p allow to compute p. If an appropriate multiplicative subgroup of an extension field of F p has smooth order, then p can be ....

K.S. McCurley, The discrete logarithm problem, in Cryptology and computational number theory, C. Pomerance (ed.), Proc. of Symp. in Applied Math., vol. 42, pp. 49-74, American Mathematical Society, 1990.

....till date, a hopelessly complex problem. No polynomial time algorithms are known to solve the problem, even when one allows randomization. The best known algorithm is the index calculus method that has sub exponential running time. See [25] for a generic description of the index calculus method, [1, 17] for application of this method to compute discrete logarithms in prime fields F p , and [21] for the same in arbitrary finite fields F p s . GFL implements this method for finding discrete logarithms in fields of both prime and prime power cardinalities. One should include the header file ....

K. McCurley, `The discrete logarithm problem', Cryptology and Computational Number Theory, Proc. Symp. in Appl. Math., 42 (1990), 49--74.

....used to compute individual logarithms in time L 1=2 . The question whether an algorithm with provable running time L exists, remains open. An excellent survey of discrete logarithms, and their cryptographic signi cance is [33] Another good survey, focusing on computational complexity issues is [30]. 5 Analytic Techniques We discuss now some techniques that have proved useful in problems related to those presented here. All the techniques are analytic, and come from two di erent elds: analytic number theory, and analytic combinatorics. The work of Pomerance and collaborators on the ....

K. S. McCurley. The discrete logarithm problem. Proc. of Symp. in Applied Math., 42:49-74, 1990.

....rediscovered, and precisely analyzed by Adleman in 1978. It was dubbed the index calculus by Andrew Odlyzko [25] Odlyzko s paper is an excellent discussion of the best algorithms known for discrete logarithms through 1985. For another point of view and an updated version see McCurley s survey [18]. The fact that there was a much faster method to solve the discrete logarithm problem made the use of the Diffie Hellman protocol more expensive (since the modulus p needed to be chosen much larger) and so, a bit less attractive. It was realized by many researchers that the Diffie Hellmann ....

....ind g l N : To choose the best value of N , we have a trade off: if we make N bigger, the probabilty that a random residue will completely factor increases, but the 5 size of the linear system that we must solve also gets bigger. To choose the best value involves some delicate number theory: see [18]. There are many variations and refinements of the above theme [1, 30, 36] some of which have made spectacular improvements on the basic algorithm. However, all of them are based on the idea of finding some means of being able to factor, or decompose, elements in some object (like the integers) ....

Kevin S. McCurley. The discrete logarithm problem. In Carl Pomerance, editor, Cryptology and Computational Number Theory, volume 42 of Proc. Symp. Appl. Math., pages 49--74. American Math. Soc., Providence, 1990.

.... 8863262181413347391236469 (75 decimal digits) and 16311784525650292068755854365669702024741136446212 03858931609458045532501874726047433264764355226803 78897 (105 decimal digits) The DLP challenge DLP 129 in [14] by K. S. McCurley for a 129 digits prime nite eld was solved on 25 January, 1998. The following is extracted from the e mail to the NTL by D. Weber. The setup is as follows a=7 ....

K. S. McCurley, The discrete logarithm problem, Proc. Symp. in Appl. Math. 42, Amer. Math. Soc., Providence, 1990, 49-74.

....of the discrete logarithm problem in certain groups. Historically the rst type of group considered was the multiplicative group of a nite prime eld, or more generally of any nite eld. However, the index calculus method provides a subexponential attack on such cryptosystems (see, for instance, [McC90]) so that long keys are needed to achieve an acceptable level of security. Elliptic curves over nite elds circumvent this problem, since no general subexponential algorithms are known for them, except for some easily avoided special cases ( MOV93] FR94] SA98] Sem98] Sma99] Hence only ....

Kevin S. McCurley. The discrete logarithm problem. In [Pom90], pages 49-74, 1990.

....a group G q of (known) prime order q (so G q is Abelian) for which polynomial time algorithms are known to determine equality of elements, test membership, compute inverses, multiply, and to randomly select elements. There is a vast variety of groups known to satisfy these requirements (see e.g. [27]) The advantages of working in such a group are that it is hard to distinguish between elements because they are all (except the unity element) generators of the group, and manipulating with indices is very convenient because one in effect is dealing with arithmetic in a field. Although our ....

McCurley, K., "The discrete logarithm problem", AMS Proc. Symp. Appl. Math, Vol. 42: Cryptology and Computational number theory (1991), pages 49--74.

....concerning the gap can be found in [22] 4. 2 Experimental Results Perhaps the most remarkable result of the DL variant of the NFS has probably been the success in solving McCurley s 129 digit discrete logarithm challenge [32] which McCurley published in his overview paper on the DL problem [19]. In view of the Diffie Hellman key exchange protocol introduced in [12] McCurley stated a challenge by using the following setup: b A = 12740218011997394682426924433432284974938204258693 16216545577352903229146790959986818609788130465951 66455458144280588076766033781 b B = ....

K. S. McCurley. The discrete logarithm problem. In Cryptology and Computational Number Theory, number 42 in Proc. Symp. in Applied Mathematics, pages 49--74. American Mathematical Society, 1990.

....and fast. The price for this is the problem of figuring out, after the fact, just how many times the register has been shifted. Recovering the actual number of shifts from the shift register contents corresponds to a problem in number theory and cryptography known as the discrete logarithm problem [17, 18]. Crytographic applications of the discrete logarithm favor structures in which the calculation, because it is part of decrypting, is difficult [6] We, on the other hand, are interested in systems in which the discrete logarithm is easy. The key insight behind this application is that in a ....

....of integers modulo m [3] The discrete logarithm problem is: given an element y 2 G, find the integer L in the range [0 : m Gamma 1] such that g L = y. We may write L = log g y. The discrete logarithm is sometimes called the index function; see the surveys by Odlyzko [18] and McCurley [17]. If an LFSR is initialized to 1, then L is the number of shifts that yield shift register contents y, provided the number of shifts is less than m. We will use the Pohlig Hellman Silver algorithm [23] originally developed for the multiplicative group of a Galois field (corresponding to a ....

K.S. McCurley, "The discrete logarithm problem," in Cryptology and Computational Number Theory, (C. Pomerance, ed.), Proc. of Symposia on Applied Math. Vol. 42, American Math. Soc., 1990, pp. 49-74.

....implementations of discrete logarithm algorithms (see [21] have larger asymptotic running time (both exponents 1=3 and 2=3 in the above formula must be replaced by 1=2) Computing discrete logarithms modulo a prime seems at present to be infeasible for primes of more than 120 digits. We refer to [59] and [52] for a discussion of discrete logarithm algorithms and to [57] for a treatment of the question whether breaking the Diffie Hellman protocol is equivalent to computing discrete logarithms in the underlying group. The fastest generic discrete logarithm algorithms applicable for any finite ....

K. McCurley, The discrete logarithm problem, in Cryptology and computational number theory, C. Pomerance (ed.), Proc. of Symp. in Applied Math., Vol. 42, pp. 49-74, American Mathematical Society, 1990.

No context found.

Kevin S. McCurley. The discrete logarithm problem. In Carl Pomerance, editor, Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia in Applied Mathematics, pages 49--74, Providence, 1990. American Mathematical Society.

No context found.

K.S. McCurley, "The discrete logarithm problem", pp.49-74 in: Cryptology and Computational Number Theory -- Proc. Symp. Applied Math., vol. 42 (1990), AMS.

No context found.

K. S. McCurley. The discrete logarithm problem. In Cryptology and Computational Number Theory, number 42 in Proc. Symp. in Applied Mathematics, pages 49--74. American Mathematical Society, 1990.

No context found.

Kevin S. McCurley. The discrete logarithm problem. In Carl Pomerance, editor, Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia in Applied Mathematics, pages 49--74, Providence, 1990. American Mathematical Society. 243

No context found.

K. S. McCurley, The discrete logarithm problem, in Cryptography and Computational Number Theory, C. Pomerance, ed., Proc. Symp. Appl. Math., Amer. Math. Soc., 1990.

No context found.

K. S. McCurley, The discrete logarithm problem, in Cryptography and Computational Number Theory, C. Pomerance, ed., Proc. Symp. Appl. Math.,Amer.Math. Soc., 1990.

No context found.

K. S. McCurley, The discrete logarithm problem, in Cryptology and computational number theory, C. Pomerance (Ed.), Proc. of Symp. in Applied Math., vol. 42, pp. 49--74, American Mathematical Society, 1990.

No context found.

K. S. McCurley, The discrete logarithm problem, in Cryptology and computational number theory, C. Pomerance (Ed.), Proc. of Symp. in Applied Math., Vol. 42, pp. 49--74, American Mathematical Society, 1990.

No context found.

K. S. McCurley, `The discrete logarithm problem', Proc. Symp. in Appl. Math., Amer. Math. Soc., Providence, RI, 42 (1990), 49--74.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC