A.M. Odlyzko. Discrete logarithms and smooth polynomials. In Finite Fields: Theory, Applications and Algorithms, G. L. Mullen and P. Shiue, eds., Amer. Math. Soc., Contemporary Math. Vol. 168, pages 269--278, 1994. Available from http://www.research.att.com/amo
....large n s Pr xUn h A (f(x) 2f Gamma1 (f(x) i where U_n is the uniform distribution over {0,1} . Popular candidates for one way functions are based on the conjectured intractability of integer factorization (cf. [19] for state of the art), the discrete logarithm problem (cf. [20] analogously) and decoding of random linear code [12]. The infeasibility of inverting f yields a weak notion of unpredictability: Let b_i(x) denote the i bit of x. Then, for every probabilistic polynomial time algorithm A (and sufficiently large n) it must be the case that Pr i;x [A(i; ....
A.M. Odlyzko. Discrete logarithms and smooth polynomials. In Finite Fields: Theory, Applications and Algorithms, G. L. Mullen and P. Shiue, eds., Amer. Math. Soc., Contemporary Math. Vol. 168, pages 269--278, 1994. Available from http://www.research.att.com/amo
.... . One interesting variant uses the group of points on an elliptic curve over Z= for around 2^256. This allows much shorter public keys, only 256 bits instead of 1536 bits, and is still conjectured to be safe. See the book [10] for more information on elliptic curve cryptography. See [23] for an introduction to modern discrete logarithm methods. See [30] for a recent example of what can be done with the number field sieve. See my papers [7] and [8] for asymptotic improvements; [7] includes a comprehensive bibliography. 5. Public key signatures Here is a protocol for the sender to ....
Andrew M. Odlyzko, Discrete logarithms and smooth polynomials, in [20] (1994), 269-278. MR 95f:11107.
....current sizes of D. The ideas behind these integer factorization methods are also used in the index-calculus method of computing discrete logarithms in finite fields. See [175], [117], [2], [89], [26], [71], [17], [59], [100], [5], and [163] for the basic index calculus method; [158], [83], [159], [132], [160], [173], and [174] for an index calculus application of the number field sieve; and [53], [58], [131], [115], and [7] for a function field analogue. The same ideas are also used to compute class groups and regulators of number fields. See [87], [38], [39], [90], and ....
Andrew M. Odlyzko, Discrete logarithms and smooth polynomials, in [125] (1994), 269-278. MR 95f:11107.
....results in a substantial improvement in efficiency. The reason that Q may be as small is that all known subexponential algorithms for computing the discrete log are subexponential in the length of P (as long as P - 1 is not too smooth) even when applied to the subgroup of size Q generated by g (see, [51, 59] for surveys on algorithms for the discrete log; the best known algorithm for general groups has time square root of the size of the group). How Much Confidence Can we Have in the DDH Assumption It is clear that the computational DH Problem is at most as hard as computing the discrete log (given ....
A. M. Odlyzko, Discrete logarithms and smooth polynomials, Contemporary Mathematics, AMS 1993.
....our knowledge at present a system based on this numeration is quite safe though for all constants C there is a number p 0 such that for all primes p p 0 the corresponding DL system is not of exponential security C. The best known method to compute the discrete logarithm is subexponential (cf. [Od]). The suggested size of p is at least 1024 bits. 1.4 Generic Systems In the examples in the last subsection we already had more structure available than necessary for us: The set A was the image of the numeration f of a finite cyclic group G. This will be so in the following sections, too. This ....
A.M.Odlyzko, Discrete Logarithms and Smooth Polynomials, in Finite Fields: Theory, Applications and Algorithms, G.L.Mullen and P. Shiue,eds. Cont. Math. 168 AMS (1994), 269-278.
....Pr xUn h A 0 (f(x) 2f Gamma1 (f(x) i 1 p(n) where U_n is the uniform distribution over {0,1}^n. Popular candidates for one way functions are based on the conjectured intractability of integer factorization (cf. [30] for state of the art), the discrete logarithm problem (cf. [31] analogously) and decoding of random linear code [16]. The infeasibility of inverting f yields a weak notion of unpredictability: Let b_i(x) denote the i-th bit of x. Then, for every probabilistic polynomial time algorithm A (and sufficiently large n) it must be the case that Pr i;x [A(i; ....
A.M. Odlyzko. Discrete logarithms and smooth polynomials. In Finite Fields: Theory, Applications and Algorithms, G. L. Mullen and P. Shiue, eds., Amer. Math. Soc., Contemporary Math. Vol. 168, pages 269--278, 1994. Available from http://www.research.att.com/amo
....over a finite field. 1. Introduction The discrete logarithm problem in finite fields has been extensively studied in the last decade or so, due to its importance in several public key cryptosystems. The fastest known algorithms for finding discrete logarithms are based on index calculus methods [1, 2, 3, 5, 7, 8, 9, 12, 14]. An important component of an index calculus algorithm for finite fields of small characteristic is the generation of smooth polynomial relations, i.e. equivalences where both polynomials factor completely over a small factor base, usually a set of all irreducibles up to a given degree. Special ....
A. M. Odlyzko, Discrete logarithms and smooth polynomials, pp. 269-278, in Finite Fields: Theory, Applications, and Algorithms, (Gary L. Mullen and Peter Jau-Shyong Shiue, eds.), Contemporary Mathematics 168, AMS, 1994.
....indicated, no one has been able to prove that these discrete logarithm problems are really hard, but they have been studied by number theorists for considerable time with only limited success. For recent surveys and a more detailed study of the discrete logarithm problem, we refer the reader to [15, 18, 19]. We now describe two cryptosystems whose security is based on the assumption that the discrete logarithm problem is hard. The Diffie-Hellman key exchange scheme is a protocol for establishing a common key between two users of a classical cryptosystem. As we mentioned earlier, for a large network of ....
A. M. Odlyzko, "Discrete logarithms and smooth polynomials", in Finite Fields: Theory, Applications, and Algorithms, G. L. Mullen and P. J.-S. Shiue (eds.), Contemporary Mathematics, Volume 168, American Mathematical Society, Providence, RI, 1994, 269--278.
....field sieve [Adlar] gives a heuristic expected running time of L_q[1/3; c] for some positive constant c when q = p^n and log p n g(n) where g is any function such that 0 g(n) 0:98 and lim n 1 g(n) 0. Surveys on the discrete logarithm problem have been published: [vO91], [McC90a], [Odl94]. Historically, advances in integer factoring algorithms have brought corresponding advances in discrete logarithm algorithms. The first author thinks it is an interesting research problem to establish whether reductions exist between C5 and C21. The second author finds the evidence for the ....
Andrew Odlyzko. Discrete logarithms and smooth polynomials. In Gary L. Mullen and Peter Shiue, editors, Finite Fields: Theory, Applications, and Algorithms, Contemporary Mathematics Series, Providence, RI, 1994. American Mathematical Society.
....of P - 1. In fact, for most applications, taking g to be an element of order Q is an advantage. This is the case since all known subexponential algorithms for computing the discrete log will be subexponential in the length of P even when applied to the subgroup of size Q generated by g (see, [42, 45] for surveys on algorithms for the discrete log; the best known algorithm for general groups has time square root of the size of the group). Therefore, we can use a rather small prime Q (say, 160 bits long) which results in a substantial improvement in efficiency. How Much Confidence Can we Have ....
A. M. Odlyzko, Discrete logarithms and smooth polynomials, Contemporary Mathematics, AMS 1993.