24 citations found.
D. Shanks. Class number, a theory of factorization and genera. In Proc. Symp. Pure Math. 20, pages 415--440. AMS, Providence, R.I., 1971.


This paper is cited in the following contexts:
Square-Root Algorithms For The Discrete Logarithm Problem (a Survey) - Teske (2001)   (3 citations)

....exhaustive search. Then we call an algorithm a square root algorithm if it needs to perform (expected) $O(\sqrt{n})$ group operations to compute the solution. All generic square root algorithms for the DLP known to date are based on only a few methods: the baby step giant step method due to Shanks [Sha71], and the rho method and the kangaroo method, due to Pollard [Pol78]. The baby step giant step method is a deterministic method that uses a time memory trade-off and takes const $\sqrt{\mathrm{ord}\, g}$ group operations and has to store const $\sqrt{\mathrm{ord}\, g}$ group elements. The rho method is a probabilistic method ....

....the following definition: Definition 2.6. Let $E(x)$ be the expected value of $x$. The $E(x)$ DLP is: given $E(x)$, $g$ and $h = g^x$, find $x$. The $E(x)$ DLP can be solved in expected running time $O(\sqrt{E(x)})$. 3. Baby Step Giant Step Methods. The baby step giant step method has been introduced by D. Shanks [Sha71] to compute ideal class numbers of quadratic number fields. Shanks was looking for certain multiples of element orders that were known to lie in certain residue classes and were expected to lie in certain intervals. Applied to the standard DLP, the baby step giant step method can be described as ....

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symp. Pure Math. 20, pages 415-440. AMS, Providence, R.I., 1971.


Further Attacks on Server-Aided RSA Cryptosystems - Mckee, Pinch

....b in the multiplicative group. With high probability the order of $b$ will be nearly as large as $xy$, which is of magnitude $N/\beta^2$. Hence a solution $c$ to $b^c \equiv b^u \bmod N$ with c C is very likely to be the correct value. We now solve this equation by the baby step giant step method of Shanks [10]. Let $D$ be an integer larger than $\sqrt{C}$ and form the lists $b^0, b^D, b^{2D}, \ldots, b^{D^2} \bmod N$ and $b^u, b^{u-1}, \ldots, b^{u-D} \bmod N$. We can sort these lists and find a common value $b^{rD} \equiv b^{u-s}$ in time ....

Daniel Shanks, Class number, a theory of factorization and genera, In Lewis [4], pp. 415--440.


Speeding Up Pollard's Rho Method For Computing Discrete Logarithms - Teske (1998)   (20 citations)

....roughly equal size, and given any group element $g$ we can check to which of these sets it belongs. The space requirements of algorithms using the rho method are negligible. Therefore, to solve the DLP in groups of large group orders, this method is superior to Shanks' baby step giant step method [14] that has roughly the same run time but space requirements $O(\sqrt{|G|})$. Pollard's original algorithm for discrete logarithm computation [12] could be used on a programmable calculator, and Pollard applied it to residue class groups $(\mathbb{Z}/p\mathbb{Z})$ ($p$ prime) with group orders up to $10^6$. Nowadays, ....

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symp. Pure Math. 20, pages 415--440. AMS, Providence, R.I., 1971.


A Problem Concerning a Character Sum (Extended Abstract) - Teske, Williams

.... q s (q) and C(k; Q; b k 1 2 c X i=1 (2i) k 2i ( 1) i 1 (2 ) 2i G 2i 1 (Q; 3 log Q b k 1 2 c X i=1 (2i) k 2i G 2i 1 (Q; 2Q ) 2i ; then by (5) we see that S(k) 0 if T 1 (Q; L(1; F 1 (Q; C(k; Q; 6) Now a result of Elliott (see [10]) implies that for z between 0 and 2 it is very likely that T 1 (Q; 1 z, especially if z is small. This suggests that if k, Q, p and z are chosen such that C(k; Q; 1 z, the chance that T 1 (Q; C(k; Q; is very good. For example, if p is selected such that (q) 1 for q = 2; ....

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symp. Pure Math. 20, pages 415-440. AMS, Providence, R.I., 1971.


A Survey on the Number Field Sieve - Nakamula

....that the run time of the trial division, which is of course deterministic, is $L_n[1, 1/2 + o(1)]$. As an application of the Fast Fourier Transform, there is a deterministic factoring method of run time $L_n[1, 1/4 + o(1)]$ as described in [22, pp. 107-109]. The run time of the Class Group Method in [26] is also $L_n[1, 1/4 + o(1)]$ and it is decreased to $L_n[1, 1/5 + o(1)]$ assuming that certain Extended Riemann Hypotheses are true as is analyzed in [25]. There are several other deterministic factoring methods as in [15] but the problem to refine the run time has made not so much progress. One of ....

D. Shanks, Class Number, a theory of factorization and genera, Proc. Symp. in Pure Math. 20, Amer. Math. Soc., Providence, 1971, 415-440.


The extended Euclidian algorithm on polynomials, and the.. - Enge (1999)

....algorithm. Set a = a 1 a 2 d 2 and b = b 1 u 1 a 1 (b 2 b 1 ) u 3 (f b 2 1 b 1 h) d mod a: This composition algorithm goes back to Gauss, who described an analogous procedure for composing binary quadratic forms in [Gau01], Article 242; its efficient application is due to Shanks ([Sha71]). Note that the formula for b in Algorithm 1 of [MWZ98] is less efficient than the one presented here, which is the generalisation of Formula (C 3a ) in [Can87] to the arbitrary characteristic case. The extended Euclidian algorithm. To complete the description of the composition step and to fix the ....

D. Shanks. Class number, a theory of factorization and genera. In [Lew71], pages 415-440, 1971.


Computing Discrete Logarithms In Arithmetic Progressions - Teske

....number $x$ such that $g^x = h$. We call $x$ the discrete logarithm of $h$ to the base $g$. If no special properties of the group are exploited, the best algorithms to determine $x$ have (expected) running time $O(\sqrt{n})$ where $n = \mathrm{ord}\, g$. These algorithms are based on Shanks' baby step giant step method [Sha71], in which case they require $O(\sqrt{n})$ elements to store, or on Pollard's rho method [Pol78]. Pollard's rho method has the advantage that it has negligible space requirements, and it can be parallelized with linear speedup [vOW99]. If we are given an interval $[a, b)$ such that $x$ is known to lie in ....

D. Shanks, Class number, a theory of factorization and genera, Proc. Symp. Pure Math. 20, AMS, Providence, R.I., 1971, pp. 415--440.


The Parallelized Pollard Kangaroo Method In Real Quadratic.. - Stein, Teske (2000)

....It is important to note that the serial version of the kangaroo method is very space efficient, and that the space requirements of the parallelized version can be adjusted to the constraints of the machines. This is a big advantage over square root attacks based on Shanks' baby step giant step method [Sha71]. The objects with which we deal in real quadratic function fields are reduced principal ideals, which do not constitute a group. However, the baby step giant step method could be efficiently adapted to this setting by defining analogues of baby steps and giant steps that make use of the ideal ....

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symp. Pure Math. 20, pages 415-440. AMS, Providence, R.I., 1971.


Discrete Logarithms: Recent Progress - Buchmann, Weber (1998)   (1 citation)

....is equivalent to $x \equiv x_0 + x_1 r + x_2 r^2 + \cdots + x_{h-2} r^{h-2} + x_{h-1} r^{h-1} \bmod r^h$. 2.3 Shanks's Baby Step Giant Step Algorithm. The first algorithm, which is deterministic and runs in time $O(\sqrt{n})$, is Shanks's Baby Step Giant Step algorithm [23]. Let $m = \lfloor \sqrt{n} \rfloor + 1$, such that $x = x_1 m + x_2$ with (unknown) x 1 ; x 2 m. After computing a set M : fa mi j 0 i mg (the giant steps) it remains to decide whether one of the elements $a^{-j} b$, 0 j m, lies in $M$ (the baby steps). If a match is found, $a^{mi} = a^{-j} b$, ....

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symposium Pure Mathematics, volume 20, pages 415--440. American Mathematical Society, 1970.


Infrastructure in Real Quadratic Function Fields - Stein (1999)

....their unique adapted bases. This means that $a_i = [Q_i, P_i + \sqrt{D}]$ where $Q_i, P_i \in k[x]$, $Q_i \mid (D - P_i^2)$ and deg(P i ) deg(Q i ) and sgn(Q i ) 1. To compute the product of $a_1$ and $a_2$, we use the same ideas as Shanks [Sha71], as employed, for example, in [Len82] or [SW88]. Our aim is to find a primitive $O_K$ ideal $c = [Q, P + \sqrt{D}]$ and a polynomial $S \in k[x]$ such that $a_1 a_2 = (S)c$, where $Q \mid (D - P^2)$, deg(P ) deg(Q) and sgn(Q) 1 = sgn(S). We obtain $S = \gcd(Q_1, Q_2, P_1 + P_2)$ (3.1), Q = Q 1 Q 2 ....

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symp. Pure Math. 20, pages 415--440. AMS, Providence, R.I., 1971.


Algorithms for Finite Abelian Groups - Buchmann, Paulus (1993)

....in the results. This might bring more information, but one can't see what happens at first sight. So we simplified the model in order to increase the ease of reading. 2 The Shanks Algorithm. The computation of the order of an element $\gamma$ of $G$ is done by the well known Baby Step Giant Step Algorithm [Sh70] of Shanks: Suppose the order of $\gamma$ is bounded by $L$; then compute $\gamma_1 = 1\gamma, \ldots, \gamma_{\lceil\sqrt{L}\rceil} = \lceil\sqrt{L}\rceil\gamma$; if $\gamma_i$ is equal to $0_G$, output $i$ (these are the Baby Steps; we will include $\gamma_0 = 0_G$). If not, denote $\gamma_{\lceil\sqrt{L}\rceil}$ by fl 1 and compute fl 2 = 2fl 1 ; fl b p ....

D. Shanks, Class Number, A Theory of Factorization and Genera, Proceedings Symposium Pure Mathematics, Vol. 20, American Mathematical Society, 1970, S. 415--440.


A Problem Concerning A Character Sum - Teske, Williams (1998)

....Indeed, Shanks was motivated by this problem to develop fast methods because the Lehmers were producing large values of p as possible candidates. Throughout this correspondence it is possible to see Shanks develop and refine the ideas which were to culminate in a very important paper (Shanks [13]) where he introduced the baby step giant step method for evaluating h(d) and his method of factorization of d, based essentially on the determination of ambiguous ideal classes in the class group of K . He even recognized that his technique for evaluating h(d) was likely to be of complexity ....

....X i=1 (2i) Gamma k 2i Delta ( Gamma1) i 1 (2 ) 2i G 2i 1 (Q; Gamma 3 log Q b k Gamma1 2 c X i=1 (2i) Gamma k 2i Delta G 2i 1 (Q; 2Q ) 2i ; then by (3.1) we see that S(k) 0 if T 1 (Q; L(1; F 1 (Q; C(k; Q; 3. 2) Now a result of Elliott (see [13]) asserts that if Q 2 and F (Q; z; is the density of all positive d (here (q) i Gammad q j ) such that T 1 (Q; 1= 1 z) or T 1 (Q; 1 z (0 z 2) then there exist constants A, B such that F (Q; z; 2A expf GammaBQ log 2 (1 z)g: This strongly suggests that if p ....

D. Shanks, Class number, a theory of factorization and genera, Proc. Symp. Pure Math. 20, AMS, Providence, R.I., 1971, pp. 415--440.


Speeding up Pollard's Rho Method for Computing Discrete Logarithms - Teske (1998)   (20 citations)

....roughly equal size, and given any group element $g$ we can check to which of these sets it belongs. The space requirements of algorithms using the rho method are negligible. Therefore, to solve the DLP in groups of large group orders, this method is superior to Shanks' baby step giant step method [14] that has roughly the same run time but space requirements $O(\sqrt{|G|})$. Pollard's original algorithm for discrete logarithm computation [12] could be used on a programmable calculator, and Pollard applied it to residue class groups $(\mathbb{Z}/p\mathbb{Z})$ ($p$ prime) with group orders up to $10^6$. Nowadays, ....

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symp. Pure Math. 20, pages 415--440. AMS, Providence, R.I., 1971.


Computational Techniques in Quadratic Fields - Jacobson, Jr. (1995)   (2 citations)

....field with the same discriminant. Arithmetic in quadratic fields has led to the development of new integer factoring algorithms. It is known that if $\Delta$ is composite, then the class number of the imaginary quadratic field $\mathbb{Q}(\sqrt{-D})$ must be even. Shanks [Sha71] has shown that one can factor the discriminant $\Delta$ if one can compute the class number of $\mathbb{Q}(\sqrt{-D})$ and in particular a field element of order 2. Such elements correspond to ambiguous binary quadratic forms, those forms that are equal to their inverses. He also gave an analogous method ....

....C(D) for each of the thousands of solutions we obtained. We considered both positive and negative values of D; and we discuss the method we used to evaluate h in imaginary quadratic fields, which makes use of the well known ideas of Lenstra [Len82] and Shanks' baby step giant step algorithm [Sha71]. We were able to find several polynomials which have higher asymptotic densities than any other currently known polynomials of this type. Finally, in Chapter 7 we briefly discuss some of the other aspects of quadratic fields we have not looked at, including the recent ....

[Article contains additional citation context not shown here]

D. Shanks, Class number, a theory of factorization and genera, Proc. Symp. Pure Math. 20, AMS, Providence, R.I., 1971, pp. 415--440.


Baby Step Giant Step in Real Quadratic Function Fields - Stein, Williams (1995)

....$a = \{\alpha_1, \alpha_2, \ldots, \alpha_r\}$. We say that two integral $O_K$ ideals a and b are equivalent, written a b, if there exist some non zero elements $\alpha, \beta \in O_K$ such that $(\alpha)a = (\beta)b$. 7 Ideal Product. To compute the product of two primitive $O_K$ ideals, we use the same ideas as Shanks [Sh2], as employed, for example, in [L] or [S W1]. Let $a_i = [Q_i, P_i + \sqrt{D}]$ for $i = 1, 2$, be two primitive $O_K$ ideals, where $Q_i \mid (D - P_i^2)$. Without loss of generality, we assume that they are given with adapted bases, and that the polynomials $Q_i$ are monic. In view of (6.3) this ....

D. Shanks, Class Number, A Theory of Factorization and Genera. Proc. Symp. Pure Math. 20, 1971, 415-440. ( Amer. Math. Soc. )


On Some Computational Problems in Finite Abelian Groups - Buchmann, Jacobson, Teske (1997)   (3 citations)

....$\mathbb{Z} \times \cdots \times \mathbb{Z}/m_k\mathbb{Z}$. This isomorphism is given in terms of the images of the generators. The integers $m_i$ are the uniquely determined invariants of $G$. In this paper we present improved versions of Shanks' algorithms for solving these problems. As in Shanks' original method [10] (see also [4], [8]) operations in $G$ and table look ups are used in our algorithms. The table entries are pairs $(S^z, z)$ where $S$ is a set of group elements, $z$ belongs to the set $\mathbb{Z}^S$ of all maps $S \to \mathbb{Z}$, and $S^z = \prod_{g \in S} g^{z(g)}$. When we estimate the complexity of our algorithms, ....

....of integers. Then, each look up in the table $R$ requires just one computation of a hash value and usually one equality test for group elements. As we see from Theorem 2.3, the efficiency of Algorithm 2.2 depends largely on the appropriate choice of the initial step width $v$. As noted by Shanks [10], the optimal choice of $v$ is $v = \sqrt{|\langle g \rangle|}$. This results in about $2\sqrt{|\langle g \rangle|}$ group multiplications in our algorithm. If $v$ is chosen too large (in comparison with $\sqrt{|\langle g \rangle|}$) we waste space and time because the set $R$ is too big. If $v$ is chosen too small, we waste time because of superfluous ....

[Article contains additional citation context not shown here]

D. Shanks, Class number, a theory of factorization and genera, Proc. Symp. Pure Math. 20, AMS, Providence, R.I., 1971, pp. 415--440.


A Subexponential Algorithm for the Determination of Class Groups .. - Buchmann (1990)   (15 citations)  Self-citation (Number)

No context found.

D. Shanks, Class number, a theory of factorization and genera, Proc. Symp. Pure Math. 20 (


Speeding up Pollard's Rho Method for Computing Discrete Logarithms - Teske (1998)   (20 citations)

No context found.

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symp. Pure Math. 20, pages 415--440. AMS, Providence, R.I., 1971.


Discrete Logarithms: Recent Progress - Buchmann, Weber   (1 citation)

No context found.

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symposium Pure Mathematics, volume 20, pages 415--440. American Mathematical Society, 1970.


Algorithms for Finite Abelian Groups - Buchmann, Paulus (1993)

No context found.

D. Shanks, Class Number, A Theory of Factorization and Genera, Proceedings Symposium Pure Mathematics, Vol. 20, American Mathematical Society, 1970, S. 415--440.


On Some Computational Problems in Finite Abelian Groups - Buchmann, Jacobson, Jr..   (3 citations)

No context found.

D. Shanks, Class number, a theory of factorization and genera, Proc. Symp. Pure Math. 20, AMS, Providence, R.I., 1971, pp. 415--440.


Polynomial Interpolation of Cryptographic Functions Related.. - Kiltz, Winterhof (2003)

No context found.

D. Shanks, Class number, a theory of factorization and genera, in Proc. Symp. Pure Math. 20, pp. 415-440. AMS, Providence, R.I., 1971.


Complexity Theoretic Lower Bounds on Cryptographic Functions - Kiltz

No context found.

D. Shanks. Class number, a theory of factorization and genera. In Proc. Symp. Pure Math., volume 20, pages 415--440. AMS, 1971.


A Secure Family of Composite Finite Fields Suitable for.. - Ciet, Quisquater, Sica

No context found.

D. Shanks. A Theory of Factorization and Genera. In Proc. Symp. Pure Math., 20:415--440, 1971.


CiteSeer.IST - Copyright Penn State and NEC