A. Lenstra and H. Lenstra (eds.), The development of the number eld sieve, Lecture Notes in Mathematics, vol 1554, Springer-Verlag, 1993.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....problem [15] Most bounds on the density of smooth integers make use of analytic tools. In contrast, our bounds are derived by purely algebraic (and algorithmic) means. 4. GENERALIZED CRT LIST DECODING Common integer factoring algorithms such as the quadratic sieve [15] and the number eld sieve [16] work by searching for smooth integers. However, rather than searching for smooth integers in a given interval, these algorithms search for integers x 2 [ B; B] such that f(x) is s smooth. Here f(x) is some low degree polynomial and B and s are some prede ned parameters. For example, to factor ....

A. Lenstra, H.W. Lenstra Jr., \The development of the number eld sieve", Lecture Notes in Mathematics, Vol. 1554, Springer-Verlag, 1994.

....p. One obtains a lower bound on distr f by increasing each lg norm p to a nearby multiple of 1= For previous work see [68] in the case K = Q[ 1] 42] 35] 55] 72] 73] 79] and [12] In some applications notably integer factorization with the number eld sieve, as described in [74] one wants to know the distribution of smooth elements of R. A fractional power series exponentiation over Q[G] where G is the ideal class group of R, produces bounds on the distribution of smooth ideals in each ideal class; in particular, the distribution of smooth principal ideals. One can ....

Arjen K. Lenstra, Hendrik W. Lenstra, Jr. (editors), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993. ISBN 3-540-57013-6. MR 96m:11116.

....(MPQS) method to complete the factorization. In some cases we prefer to use the number eld sieve (NFS) if it is predicted to be faster than MPQS 4 . We do not describe ECM, MPQS or NFS here. The reader should refer to [16, 17, 19] for a general description of ECM, to [2, 23] for MPQS, and to [15, 13, 21] for NFS. A recent survey is [7] The particular implementations of ECM by Brent and Montgomery are described in [6, 18] Table 3 shows the number of factors found by several methods in the preparation of Updates 1 3. For ECM and MPQS these only include penultimate factors of at least 30 digits. ....

A. K. Lenstra and H. W. Lenstra, Jr. (editors), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993.

....X in terms of a function F (n) Part IV and Part V analyze F (n) Part V completes the proof of Theorem 1 by showing that F (n) is essentially linear in log n. Part VI surveys several practical improvements. Motivation. Before attempting to factor n with algorithms such as the number eld sieve [16], one should make sure that n is not a perfect power, or at least not a prime power. This is a practical reason to implement some power testing method, though not necessarily a quick one. Speed is more important in other applications. According to [18] there is a theoretically interesting method ....

Arjen K. Lenstra, Hendrik W. Lenstra, Jr. (editors), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993.

....the number eld sieve is the same as the formal relation between the multiple polynomial quadratic sieve and the quadratic sieve. 1. Introduction The object of this paper is to show that the multiple polynomial variation [9] of the quadratic sieve [8] has an analogue for the number eld sieve [5]. In section 2 we review the now standard sieving technique introduced in [8] with emphasis on concepts shared by the quadratic sieve and the number eld sieve. In section 3 we explain how the general multiple lattice idea applies to the quadratic sieve and the number eld sieve. 2. Sieving An ....

....discovered the quadratic sieve [8] The multiple lattice variation was rst discovered by James A. Davis, then applied by Davis together with Diane B. Holdridge [4] and independently discovered and applied by Peter L. Montgomery [9] Later John M. Pollard discovered the number eld sieve [5] and applied the Davis Holdridge variation to it [7] Several versions of the multiple lattice quadratic sieve and the multiple lattice number eld sieve have their own names. The Davis Holdridge version is the special q variation; the Montgomery version is the multiple polynomial variation; and ....

Arjen K. Lenstra, Hendrik W. Lenstra, Jr. (editors), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993.

....we cannot avoid the q sig factor in the security proof: the security level of FDH cannot be proven equivalent to RSA. For the concrete analysis, we need to assume a lower bound for the complexity of breaking RSA for a given key size. The running time of the best factoring algorithm known (NFS [14]) for factoring a modulus N is about TNFS (k) exp(C (log N) 1=3 (log log N) 2=3 ) where C 1:923. Therefore we might assume that RSA is (t; secure for any (t; satisfying t(k) k) TNFS (k) For a 1024 bit modulus, we obtain that RSA is (t; t 2 86 ) secure for all t 2 ....

A. Lenstra and H. Lenstra (eds.), The development of the number eld sieve, Lecture Notes in Mathematics, vol 1554, Springer-Verlag, 1993.

....Public keys. The public key corresponding to (p; q) is the product pq. This product is between 2 1535 and 2 1536 . There is no known practical algorithm that will compute pq 7 (p; q) with nonnegligible probability. The number eld sieve needs roughly 2 100 operations to nd p and q; see [13]. Presumably the attacker does not have this much time, so he will instead use Lenstra s elliptic curve method, which has a tiny chance of discovering p and q after a small amount of computation; see [14] If he can a ord 2 80 such computations then his chance of success is still below 2 40 . ....

Arjen K. Lenstra, Hendrik W. Lenstra, Jr. (editors), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993.

....of f are that it be non trivial and that f(x) f(x mod P ) Such a function does not see R. Hence the name partially oblivious. 1. Introduction It is not known how to eciently factor a large integer N . Currently, the algorithm with best asymptotic complexity is the Number Field Sieve (see [6] ) For numbers below a certain size (currently believed to be about 100 decimal digits) either the Quadratic Sieve [12] or Lenstra s Elliptic Curve Method (ECM) 7] are faster. Which of these algorithms to use depends on the size of N and of the smallest prime factor of N . When the size of the ....

A. Lenstra, H. W. Lenstra, Eds., The development of the number eld sieve, Lecture Notes in Mathematics, 1554, Springer-Verlag (1993).

....algorithm [39] and the Multiple Polynomial Quadratic Sieve (MPQS) algorithm [46, 59] which under plausible assumptions have expected run time O(exp( p c ln N ln ln N) where c is a constant (depending on details of the algorithm) For MPQS, c 1. The Number Field Sieve (NFS) algorithm [29, 30], which under plausible assumptions has expected run time O(exp(c(ln N) 1=3 (ln ln N) 2=3 ) where c is a constant (depending on details of the algorithm and on the form of N ) B. The run time depends mainly on the size of f; the factor found. We can assume that f N 1=2 . Examples are ....

....form. The special number eld sieve (SNFS) is a relatively new algorithm which does take advantage of the special form (4) In concept it is similar to the quadratic sieve algorithm, but it works over an algebraic number eld de ned by a, e and b. We refer the interested reader to Lenstra et al. [29, 30] for details, and merely give an example to show the power of the algorithm. 5.1 SNFS examples Consider the 155 decimal digit number F 9 = N = 2 2 9 1 as a candidate for factoring by SNFS. Note that 8N = m 5 8, where m = 2 103 . We may work in the number eld Q( where satis es ....

A. K. Lenstra and H. W. Lenstra, Jr. (editors), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993.

....x and powers of exp(ln x) x, the order of L x [u; v] is said to be subexponential in the size ln x of x if 0 u 1. 2 K. NAKAMULA A good introduction to the NFS is given in [10] Basic facts, improvements, related topics, references and a history of the NFS can be found in the lecture notes [9]. A historical description of the NFS including its recent developments can be found in [23] A variation of the GNFS with four large primes is introduced in [5] A multiple polynomial variation of the GNFS is introduced in [6] An application of the NFS to solve the Discrete Logarithm Problem, or ....

A. K. Lenstra, H. W. Lenstra, Jr. (eds.), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, 1993.

....so that it is easier to compare lattice factoring to existing algorithms. We rst introduce some notation. Let T (p) be the function de ned by: T (p) exp ( log p) This function is analogous to the L ; p) function commonly used to describe the running time of factoring algorithms [6]. Recall that L ; p) exp (log p) log log p) 1 One can easily see that T (p) is slightly smaller than L ;1 (p) We can now state a special case of Theorem 3.1. Corollary 5.1 Let N = p r q be given where p and q are both k bit integers. Suppose r = log p) for some . ....

A. Lenstra, H.W. Lenstra Jr., \The development of the number eld sieve", Lecture Notes in Mathematics, Vol. 1554, Springer-Verlag, 1994.

No context found.

A.K. Lenstra, H.W. Lenstra, Jr., (eds.), The development of the number eld sieve, Lecture Notes in Math. 1554, Springer-Verlag 1993

....to L( Thus, a random integer L[2=3; is L( smooth with probability L( 3 ) The notation L 1:901 o(1) in [1] corresponds to L(1:901 ) here. We write =x for = x o(1) for n 1. 2.2 Ordinary NFS. To factor n using the NFS, more or less following the approach from [11], one selects a positive integer d = log n log log n 1=3 for a positive value that is yet to be determined, an integer m close to n 1= d 1) a polynomial f(X) P d i=0 f i X i 2 Z[X ] such that f(m) 0 mod n with each f i of the same order of magnitude as m, a rational ....

....our purposes. A pair (a; b) of integers is called a relation if a and b are coprime, b 0, a bm is B r smooth, and b f(a=b) is B a smooth. Each relation corresponds to a sparse D dimensional bit vector with D (B r ) #f(p; r) p prime B a ; f(r) 0 mod pg (B r ) B a ) cf. [11]) In the relation collection step a set of more than D relations is sought. Given this set, one or more linear dependencies modulo 2 among the corresponding D dimensional bit vectors are constructed in the matrix step. Per dependency there is a chance of at least 50 (exactly 50 for RSA moduli) ....

[Article contains additional citation context not shown here]

A.K. Lenstra, H.W. Lenstra, Jr., (eds.), The development of the number eld sieve, Lecture Notes in Math. 1554, Springer-Verlag 1993

....the linear sieve itself and its runtime analysis never got the attention it deserved. Fortunately, however, it led to the quadratic sieve when Pomerance, attending a lecture by Schroeppel, realized that it may be a good idea to take i = j in the linear sieve. 4.2. 7 Number Field Sieve [65]. At this point the number eld sieve is the fastest general purpose factoring algorithm that has been published. It is based on an idea by Pollard in 1988 to factor numbers of the form x 3 k for small k (see his rst article in [65] This method was quickly generalized to a factoring method ....

....to take i = j in the linear sieve. 4.2.7 Number Field Sieve [65] At this point the number eld sieve is the fastest general purpose factoring algorithm that has been published. It is based on an idea by Pollard in 1988 to factor numbers of the form x 3 k for small k (see his rst article in [65]) This method was quickly generalized to a factoring method for numbers of the form x d k, a method that is currently referred to as the special number eld sieve. It proved to be practical by factoring the ninth Fermat number F 9 = 2 2 9 1. This happened in 1990, long before F 9 was ....

[Article contains additional citation context not shown here]

A.K. Lenstra, H.W. Lenstra, Jr., (eds.), The development of the number eld sieve, Lecture Notes in Math. 1554, Springer-Verlag 1993.

No context found.

A. Lenstra and H. Lenstra (eds.), The development of the number eld sieve, Lecture Notes in Mathematics, vol 1554, Springer-Verlag, 1993.

No context found.

A. K. Lenstra and H. W. Lenstra, Jr. (Eds.), The development of the number eld sieve. Lecture Notes in Mathematics, 1554, Springer, (1991).

No context found.

A. Lenstra and H. Lenstra (eds.), The development of the number eld sieve, Lecture Notes in Mathematics, vol 1554, Springer-Verlag, 1993.

No context found.

A. Lenstra and H. Lenstra (eds.), The development of the number eld sieve, Lecture Notes in Mathematics, vol 1554, Springer-Verlag, 1993.

No context found.

A. Lenstra and H. Lenstra (eds.), The development of the number eld sieve, Lecture Notes in Mathematics, vol 1554, Springer-Verlag, 1993.

No context found.

A. K. Lenstra and H. W. Lenstra, Jr. (editors), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993.

No context found.

Arjen K. Lenstra, Hendrik W. Lenstra, Jr. (editors), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993.

No context found.

Arjen K. Lenstra, Hendrik W. Lenstra, Jr. (editors), The development of the number eld sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993. ISBN 3-540{ 57013-6. MR 96m:11116.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC