P.L. Montgomery. A Block Lanczos Algorithm for Finding Dependencies Over GF(2). In ## ######## ## ########## ###########, Springer-Verlag LNCS 921, 106-120, 1995.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....Lemma 7) The other is when # = 1, which means that the minimal polynomial of T equals its characteristic polynomial, and better lower bounds are given in Theorem 9. Our work was motivated by a connection with block iterative methods for solving large sparse linear systems over finite fields, see [3, 4, 8, 12, 14]. It improves upon the result in the report [15] used in an analysis of the block Wiedemann algorithm. A more di#cult and important question in the analysis of such algorithms is to bound the probability that certain truncated Krylov subspaces generate the whole space. More precisely, let Kry(T ....

P. L. Montgomery, A block Lanczos Algorithm for finding dependencies over GF (2), Advances in cryptology---EUROCRYPT '95 (Saint-Malo, 1995.

....prime factor (modulo n) is pB . As for modern factorization methods, a substantial speed up can be obtained by also considering the m i s which are pB smooth except for one or two factors [15] Another speed up can be obtained by using structured Gaussian elimination to solve Eq. 11) see [18] for an e#cient variation directly applicable to our case. 4 Generalizations 4.1 Higher exponents The signature scheme presented in Section 2 can be generalized to other even public exponents besides e = 2. Define # = lcm[ p 1) 2, q 1) 2] It su#ces to choose e relatively prime to #, the ....

Peter L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). In L. C. Guillou and J.-J. Quisquater, editors, Advances in Cryptology -- EUROCRYPT '95, volume 921 of Lecture Notes in Computer Science, pages 106-- 120, 1995.

....the possibility of a division by zero when the standard Lanczos algorithm is applied. Lanczos methods with lookahead attempt to address this problem, and either reduce or eliminate the possibility of a division by zero; algorithms of this type have been described by Coppersmith [1] Montgomery [9], and Teitelbaum [12] These algorithms are somewhat more complicated than the standard algorithm, and may require additional storage space, additional matrix vector multiplications, or both so that the apparent advantage of using the Lanczos method over Wiedemann s algorithm may be reduced or ....

....that blocking may also be a means to diminish failure probabilities in the small field case. Whether any of these two advantages (fewer matrix times vector products, smaller failure probability) of the block Wiedemann algorithm in its sequential setting carry over to the block Lanczos approach [1, 9] is unknown to us. ....

Montgomery, P. L. A block Lanczos algorithm for finding dependencies over GF(2). In Proc. EUROCRYPT '95 (Heidelberg, Germany, 1995), vol. 921 of Springer Lecture Notes Comput. Sci., Springer Verlag, pp. 106--120.

....where such linear systems arise with N over 200; 000 [23, 25, 19] This has motivated several authors to develop fast finite field counterpart to numerical iterative methods. The conjugate gradient method has been used in [23] the Lanczos method in [23, 12] and the block Lanczos method in [8, 29]. But up to now, only the probabilistic analysis of Wiedemann [39] was giving a provably reliable and efficient method to solve Aw = 0 over small fields. This method is based on finding relations in Krylov subspaces using the BerlekampMassey algorithm [28] The same analysis could be applied to ....

P.L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), EUROCRYPT '95, Heidelberg, Germany. Springer LNCS 921, 1995, pp. 106--120.

....the possibility of a division by zero when the standard Lanczos algorithm is applied. Lanczos methods with lookahead attempt to address this problem, and either reduce or eliminate the possibility of a division by zero; algorithms of this type have been described by Coppersmith [1] Montgomery [10], and Teitelbaum [13] These algorithms are somewhat more complicated than the standard algorithm, and may require additional storage space, additional matrix vector multiplications, or both so that the apparent advantage of using the Lanczos method over Wiedemann s algorithm may be reduced ....

....suggest that blocking is a means to diminish failure probabilities in the small field case. Whether any of these two advantages (fewer matrix times vector products, smaller failure probability) of the block Wiedemann algorithm in its sequential setting carry over to the block Lanczos approach [1, 10] is unknown to us. ....

Montgomery, P. L. A block Lanczos algorithm for finding dependencies over GF(2). In Proc. EUROCRYPT '95 (Heidelberg, Germany, 1995), vol. 921 of Springer Lecture Notes Comput. Sci., Springer Verlag, pp. 106--120.

....7) The other is when = 1, which means that the minimal polynomial of T equals its characteristic polynomial, and better lower bounds are given in Theorem 9. 2 Our work was motivated by a connection with block iterative methods for solving large sparse linear systems over finite fields, see [3, 4, 8, 12, 14]. It improves upon the result in the report [15] used in an analysis of the block Wiedemann algorithm. A more difficult and important question in the analysis of such algorithms is to bound the probability that certain truncated Krylov subspaces generate the whole space. More precisely, let ....

P. L. Montgomery, A block Lanczos Algorithm for finding dependencies over GF (2), Advances in cryptology---EUROCRYPT '95 (Saint-Malo,

.... [9] Gutknecht relates Lanczos recurrences to Pade approximations [16] Early termination for the Wiedemann algorithm when the minimum polynomial has a low degree requires preconditioning and is due to Austin Lobo (cf. 19] Block methods Projections by a block of vectors are analyzed in [6,7,29,17,36,37]. The different approaches for computing the matrix linear generator can be found in [7,2,17,35] Multivariable realizations from control theory are applied to the block Wiedemann algorithm in [36,37] A recent numerical treatment of the block Lanczos method is in [1] Sparse matrices over finite ....

P. L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). In Proc. Eurocrypt

....the possibility of a division by zero when the standard Lanczos algorithm is applied. Lanczos methods with lookahead attempt to address this problem, and either reduce or eliminate the possibility of a division by zero; algorithms of this type have been described by Coppersmith [1] Montgomery [9], and Teitelbaum [12] These algorithms are somewhat more complicated than the standard algorithm, and may require additional storage space, additional matrix vector multiplications, or both so that the apparent advantage of using the Lanczos method over Wiedemann s algorithm may be reduced or ....

....that blocking may also be a means to diminish failure probabilities in the small field case. Whether any of these two advantages (fewer matrix times vector products, smaller failure probability) of the block Wiedemann algorithm in its sequential setting carry over to the block Lanczos approach [1, 9] is unknown to us. ....

Montgomery, P. L. A block Lanczos algorithm for finding dependencies over GF(2). In Proc. EUROCRYPT '95 (Heidelberg, Germany, 1995), vol. 921 of Springer Lecture Notes Comput. Sci., Springer Verlag, pp. 106--120.

....relations and relation sets V as columns. Finding a nonempty set S such that P S v(a; b) j 0 mod 2 is the same as calculating a non trivial vector from the null space of this matrix over F 2 . For huge sparse matrices the best known methods are iterative ones, such as the block Lanczos algorithm [17]. The output of this stage is a subset S of the relations such that both Q S (a Gamma bff 1 ) and Q S (a Gamma bff 2 ) are squares fi 2 and fl 2 in Q n [ff 1 ] and Q n [ff 2 ] respectively. The final stage consists of extracting the square root of both squares mentioned above. This is ....

....want to calculate some non trivial vectors of the null space of this matrix. Since Gaussian elimination [9, p. 425] requires too much memory for the large sparse matrices we have, we use a variation of the iterative Lanczos method. Proofs on both standard Lanczos and block Lanczos can be found in [17]. The standard Lanczos algorithm starts with a symmetric, positive definite k Theta k matrix A over the field K = R. If b 2 R k we solve Ax = b by iterating w 0 = b w i = Aw i Gamma1 Gamma i Gamma1 X j=0 c ij w j (i 0) where c ij = w T j A 2 w i Gamma1 w T j Aw j : 8.8) It can ....

[Article contains additional citation context not shown here]

Peter L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). In L.C. Guillou and J.-J. Quisquater, editors, Advances in Cryptology -- EUROCRYPT '95, volume 921 of Lecture Notes in Computer Science, pages 106--120, Berlin, 1995. Springer--Verlag. References 26

....= 7 and 8. Even if we are not pivoting, we ask at least one relation not to contain more relations than this bound. Influence of merging on Block Lanczos s running time. Given an m Theta n matrix, n m, of total weight w, the running time estimate of Block Lanczos is given by O(wn) O(n 2 ) [16]. Both terms grow with n, so we will focus on reducing n. If we manage to reduce n by a certain factor while w does not grow by more than this factor, we will get a running time reduction, independently of the constants in the two terms. Moreover, we predict the constant in the O(n 2 ) term to ....

....still is beneficial to the running time. The condition for Deltaw becomes t(n Gamma 1; w Deltaw) Gamma t(n; w) 0: 2.3) Inequality (2. 3) is equivalent to 0 n ( 1 Gamma 2n)C Gamma w (n Gamma 1) Deltaw) n Gamma 1) Gamma2Cn Gamma w n Deltaw) Gamma w Gamma Cn: k Montgomery [16] gives the formula O(wn=K) O(n 2 ) for the running time. 2. Description of the new filter tasks 9 The inequality is satisfied if Deltaw 2C w n : It follows that the allowed weight increase grows with C and the average column weight w n . That means that denser matrices allow heavier ....

[Article contains additional citation context not shown here]

Peter L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). In Louis C. Guillou and Jean-Jacques Quisquater, editors, Advances in Cryptology - Eurocrypt '95, volume 921 of Lecture Notes in Computer Science, pages 106--120. Springer-Verlag, 1995.

....Coppersmith showed how to do this first with his block Lanczos algorithm [6] However, his ideas are somewhat complicated and hard to program. He next developed a block Wiedemann algorithm which is not so difficult to program [7] Later, Peter Montgomery developed his own block Lanczos algorithm [17] and programmed it to solve some nfs matrices. One of these had 1,284,719 rows and 1,294,861 columns. The fact that he was able to solve a matrix this big not only put a spotlight on his algorithm, but also was one of the final links in making the nfs practical. For factoring matrices, both block ....

....must be enforced by the progarmmer. Software packages are available to provide communication between the machines. We used the popular package PVM, which stands for Parallel Virtual Machine. Below we describe a parallel implementation of Montgomery s block Lanczos. We refer the reader to [17] for a complete description of the algorithm. Block Lanczos is similar to standard Lanczos, but generalizes the ideas to work with subspaces. Each subspace will have a basis of up to 32 vectors, which are combined to form a block vector. The iteration is done on these block vectors. It is not ....

P. L. Montgomery, "A block Lanczos algorithm for finding dependencies over GF (2)," Advances in cryptology, Eurocrypt '95, Lecture Notes in Comput. Sci. 921 (1995), pp. 106-120.

....d # j=0 a j x j , it is clear that f(x)andg(x) have a common root m mod N . This method of polynomial selection is called the base m method. In principle, we can proceed as in SNFS, but many di#culties arise because of the large coe#cients of g(x) For details, we refer the reader to [36,37,41,47,48,62]. Su#ce it to say that the di#culties can be overcome and the method works Due to the constant factors involved it is slower than MPQS for numbers of less than about 110 decimal digits, but faster than MPQS for su#ciently large numbers, as anticipated from the theoretical run times given in 2. ....

....2. Linear algebra. After sieving a very large, sparse linear system over GF(2) is obtained, and we want to find dependencies amongst the columns. It is not practical to do this by structured Gaussian elimination [25, 5] because the fill in is too large. Odlyzko [43,17] and Montgomery [37] showed that the Lanczos method [26] could be adapted for this purpose. This is nontrivial because a nonzero vector x over GF(2) can be orthogonal to itself, i.e. x T x = 0. To take advantage of bit parallel operations, Montgomery s program works with blocks of size dependent on the wordlength ....

[Article contains additional citation context not shown here]

P. L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), Advances in Cryptology: Proc. Eurocrypt'95, LNCS 921, Springer-Verlag, Berlin, 1995, 106--120. ftp://ftp.cwi.nl/pub/pmontgom/BlockLanczos.psa4.gz .

....use. The main advances in linear algebra for index calculus algorithms in the 1990s came from the parallelization of the Lanczos and Wiedemann algorithms by Coppersmith [Coppersmith2, Coppersmith3] Currently the most widely used parallel method is Montgomery s version of the Lanczos algorithm [Montgomery], where it is used after structured Gaussian elimination reduces the matrix to manageable size. These parallelization methods essentially speed up the basic algorithms over the field of two elements (the only case that is needed for integer factorization) by factors of 32 or 64 (depending on the ....

P. L. Montgomery, A block Lanczos algorithm for finding dependencies over GF (2), pp. 106--120 in Advances in Cryptology--EUROCRYPT '95, L. C. Guillou and J.-J. Quisquater, eds., Lecture Notes in Computer Science 921, Springer, 1995.

....The algorithm presented in this paper reduces the cardinality of these sets up to 30 . The resulting system of linear equations is therefore more sparse as before, which leads to significant improvements in the running time of the linear algebra step (with either the Lanczos algorithm ( 7] [11]) or structured Gaussian elimination [6] Compared with the total time that is needed to solve the systems (above all in IF p ) the time needed by the presented algorithm can be ignored. 1 Introduction Two of the most important problems in number theory and cryptography are the factorization ....

....(DL) in a finite prime field. These two problems can both be solved with the so called number field sieve algorithm (NFS) 9] 3] 13] Factoring and solving DL with NFS requires solving a large sparse system of linear equations. This can be done with either the Lanczos algorithm ( 7] [11]) or structured Gaussian elimination [6] The complexity of the Lanczos algorithm depends on the dimension and the weight of the system. In contrary to ordinary Gaussian elimination which depends only on the dimension of the system, the reduction effect that can be achieved with structured ....

P. L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), Advances in Cryptology, EUROCRYPT '95, Lecture Notes in Computer Science, vol. 921 (1995), Springer Verlag, pp. 106 - 120

....the th columns of the a i separately. The latter is especially useful when the matrix is given by a black box procedure that uses very little space, like in the polynomial factoring application. A similar blocking approach is described for the Lanczos method by Coppersmith [1] and by Montgomery [12]. Again, a problem arises when w T i 1 Aw i 1 is a singular matrix, where w i 1 2 F n Thetafi q . A possibility described by Coppersmith is to maintain a new set of vectors that orthogonally spans a subspace of the Krylov space. Unfortunately, all known block methods must be considered ....

....methods appear to require at the worst 2n matrix times vector products. These improvements of the Wiedemann approach carries over to the parallel case. The block Lanczos method over F 2 has been implemented on an IBM 3090 computer by Coppersmith [1] and on a CRAY C90 computer by Montgomery [12]. The block Wiedemann method has been implemented over F 2 by Coppersmith on an IBM RS 6000 [2] and by Lobo on an IBM SP 2 [7] Furthermore, over F p the block Wiedemann method has been used on a network of workstations to solve linear systems and factor polynomials modulo a prime number [6, 11, ....

P. L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2), volume 921 of Springer Lecture Notes Comput. Sci., pages 106--120. Springer Verlag, Heidelberg, Germany, 1995.

....left after the filter step we omitted the small primes 40, thus reducing the weight by 15 . The resulting matrix had 6 699 191 rows, 6 711 336 columns, and weight 417 132 631 (62.27 non zeros per row) With the help of Peter Montgomery s Cray implementation of the block Lanczos algorithm (cf. [27]) it took 224 CPU hours and 2 Gbytes of central memory on the Cray C916 at the SARA Amsterdam Academic Computer Center to find 64 dependencies among the rows of this matrix. Calendar time for this job was 9.5 days. In order to extract from these 64 dependencies some dependencies for the matrix ....

Peter L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). In Louis C. Guillou and Jean-Jacques Quisquater, editors, Advances in Cryptology -- Eurocrypt '95, volume 921 of Lecture Notes in Computer Science, pages 106--120, SpringerVerlag, Berlin, 1995.

....finally, those occurring three times were merged (4.7M relations left) Finding dependencies. The resulting matrix had 4 671 181 rows and 4 704 451 columns, and weight 151 141 999 (32.36 nonzeros per row) With the help of Peter Montgomery s Cray implementation of the block Lanczos algorithm (cf. [17]) it took almost 100 CPU hours and 810 Mbytes of central memory on the Cray C916 at the SARA Amsterdam Academic Computer Center to find 64 dependencies among the rows of this matrix. Calendar time for this job was five days. 3.4 The square root step During February 1 2, 1999, four square root ....

Peter L. Montgomery. A block Lanczos algorithm for finding dependencies over GF (2). In Louis C. Guillou and Jean-Jacques Quisquater, editors, Advances in Cryptology -- Eurocrypt '95, volume 921 of Lecture Notes in Computer Science, pages 106--120, SpringerVerlag, Berlin, 1995.

....left after the filter step we omitted the small primes 40, thus reducing the weight by 15 . The resulting matrix had 6 699 191 rows, 6 711 336 columns, and weight 417 132 631 (62.27 non zeros per row) With the help of Peter Montgomery s Cray implementation of the block Lanczos algorithm (cf. [27]) it took 224 CPU hours and 2 Gbytes of central memory on the Cray C916 at the SARA Amsterdam Academic Computer Center to find 64 dependencies among the rows of this matrix. Calendar time for this job was 9.5 days. In order to extract from these 64 dependencies some dependencies for the matrix ....

Peter L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). In Louis C. Guillou and Jean-Jacques Quisquater, editors, Advances in Cryptology -- Eurocrypt '95, volume 921 of Lecture Notes in Computer Science, pages 106--120, Springer-Verlag, Berlin, 1995.

....384 j ( Gamma32) Delta ( Gamma27) Delta ( Gamma2) Delta 243 Delta ( Gamma1) mod 77) becomes 144000 2 j 648 2 (mod 77) which again gives the factorization 77 = 7 Delta 11. Traditionally, one solved the system Be = 0 by a variation of Gaussian elimination. Recently some iterative methods [2, 3, 7, 18] have been found. The iterative methods are superior when the matrix is large, since they require less storage (matrices arising from integer factorization problems are very sparse) For these large, sparse, matrices, the iterative methods are also faster if B is an n Theta n matrix, then ....

....from integer factorization problems. The N 105 matrix would require 200 gigabytes of memory to store in dense form, which is more than most sites have even on secondary storage. This prevented the Oregon researchers from finishing the work. The CWI researchers used a novel Block Lanczos algorithm [7] for the linear algebra phase, and completed the larger problem in 7.5 hours on a Cray C90 at the Academic Computing Center Amsterdam (SARA) 9. Acknowledgements This work was funded by CWI Centrum voor Wiskunde en Informatica (Amsterdam) and by the Stieltjes Institute for Mathematics (Leiden) ....

Peter L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). Technical report, CWI Amsterdam, 1994. To appear. 364

No context found.

P.L. Montgomery. A Block Lanczos Algorithm for Finding Dependencies Over GF(2). In ## ######## ## ########## ###########, Springer-Verlag LNCS 921, 106-120, 1995.

No context found.

Montgomery, P. A block Lanczos algorithm for finding dependencies over GF(2). In EUROCRYPT'95, Heidelberg, Germany. Springer LNCS 921 (1995), pp. 106--120.

No context found.

P. L. Montgomery, A block Lanczos algorithm for finding dependencies over GF (2), Advances in Cryptology: Proc. Eurocrypt'95, LNCS 921, Springer-Verlag, Berlin, 1995, 106--120.

No context found.

P. L. Montgomery, A block Lanczos algorithm for finding dependencies over GF (2), Advances in Cryptology: Proc. Eurocrypt'95, LNCS 921, Springer-Verlag, Berlin, 1995, 106--120.

No context found.

P. L. Montgomery, "A block Lanczos Algorithm for finding dependencies over GF (2)", Advances in cryptology---EUROCRYPT '95 (Saint-Malo,

No context found.

M. P. Montgomery, A Block Lanczos Algorithm for Finding Dependencies over GF(2), Advances in cryptology---EUROCRYPT '95 (Saint-Malo, 1995), Lecture Notes in Computer Science 921, Springer, Berlin, 1995.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC