DOCSLIB.ORG

UNIVERSITY of CALGARY Unconditional Class Group

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
UNIVERSITY of CALGARY Unconditional Class Group UNIVERSITY OF CALGARY Unconditional Class Group Tabulation to 240 by Anton S. Mosunov A THESIS SUBMITTED TO THE FACULTY OF GRADUATE STUDIES IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE CALGARY, ALBERTA July, 2014 c Anton S. Mosunov 2014 Abstract In this thesis, we aim to tabulate the class groups of binary quadratic forms for all fun- damental discriminants ∆ < 0 satisfying j∆j < 240. Our computations are performed in several stages. We first multiply large polynomials in order to produce class numbers h(∆) for ∆ 6≡ 1 (mod 8). This stage is followed by the resolution of class groups Cl∆ with the Buchmann-Jacobson-Teske algorithm, which can be significantly accelerated when the class numbers are known. In order to determine Cl∆ for ∆ ≡ 1 (mod 8), we use this algorithm in conjunction with Bach's conditional averaging method and the Eichler-Selberg trace formula, required for unconditional verification. Our novel class group tabulation method allowed us to gather unconditional numerical evidence in support of certain hypotheses, such as the Littlewood's bounds on L(1; χ∆) and the Cohen-Lenstra heuristics. i Acknowledgements I am grateful to my supervisor, Dr. Michael J. Jacobson, Jr., who suggested this exciting project to me when I was still a Baccalaureate student. Without him, this project would not have started, and most certainly would not be finished, as his wise advice were of enormous help to my research. I thank Prof. Richard K. Guy and Dr. Renate Scheidler for their comments on my thesis. I would also like to thank \Alberta Innovates Technology Futures" for their generous support of my project over the past two years. I hope that they will find it worth their investments. All of my computations were performed on one of WestGrid's supercomputers, and I would like to acknowledge an outstanding work of their support personnel, namely Douglas Phillips, Masao Fujinaga, and especially Belaid Moa, who spent countless hours over the phone helping to debug my program. Perhaps, the most warm and tender thank you goes to my dear family, who always supported me when I was eight thousand kilometres away from home. They made my arrival to Canada possible, and I will always be thankful for this great opportunity. Finally, I thank all of my friends on both sides of the Atlantic Ocean, especially my fellow graduate students Sebastian Lindner, Longsheng Zhou and Ostap Orobets for making office time pass joyfully. ii Table of Contents Abstract ........................................i Acknowledgements .................................. ii Table of Contents . iii List of Tables . iv List of Figures . .v 1 INTRODUCTION . .1 1.1 Motivation . .2 1.2 Previous Work and Contribution . .3 1.3 Organization of the Thesis . .5 2 NUMBER THEORY BACKGROUND . .7 2.1 Binary Quadratic Forms . .8 2.2 Binary Quadratic Forms with Even Middle Coefficient . 13 2.3 Subdivision of Classes Into Genera . 17 2.4 Ternary Quadratic Forms . 21 3 THE THETA SERIES . 24 3.1 Jacobi Theta Functions . 24 3.2 Relationship Between Theta Series and Class Numbers . 27 3.3 Class Number Tabulation Formulas . 31 4 OUT-OF-CORE MULTIPLICATION . 36 4.1 Out-of-Core Multiplication with Chinese Remainder Theorem . 36 4.2 Algorithms . 41 4.3 Computational Parameters . 50 4.4 Complexity Analysis . 52 5 CLASS GROUP COMPUTATION . 58 5.1 Bach's Bound on the Size of the Group . 59 5.2 The Class Group Computation . 60 5.3 Unconditional Verification . 67 6 IMPLEMENTATION AND NUMERICAL RESULTS . 71 6.1 Implementation . 71 6.2 Performance . 72 6.3 Littlewood's Bounds . 78 6.4 The Cohen-Lenstra Heuristics . 97 6.5 Exotic Groups . 104 7 CONCLUSION . 134 7.1 Future Work . 135 Bibliography . 138 iii List of Tables 2.1 Subdivision of classes of forms with determinant D = −52 ·7 into orders . 14 2.2 Subdivision of classes of forms with determinant D = −32 ·5 · 7 into genera . 19 2.3 Characteristic numbers of forms with determinant D = −32 ·5 · 7 ........... 21 4.1 Extraction of coefficients from H(x)........................... 40 5.1 Suggested values of Q for Bach's averaging method . 59 6.1 Computational parameters . 72 6.2 Timings for the class number tabulation program . 73 6.3 Timings for the class group tabulation program . 75 6.4 Counts of h(∆) with various divisibility properties . 75 6.5 Timings for various class group tabulation implementations . 76 6.6 Timings for the verification program . 77 6.7 Mean values of L(1; χ∆) for various congruence classes of ∆ . 81 6.8 Successive L(1; χ∆) maxima, ∆ ≡ 1 (mod 8) . 82 6.9 Successive ULI∆ maxima, ∆ ≡ 1 (mod 8) . 86 6.10 Successive L(1; χ∆) minima, ∆ ≡ 1 (mod 8) . 88 6.11 Successive LLI∆ minima, ∆ ≡ 1 (mod 8) . 89 6.12 Successive L(1; χ∆) maxima, ∆ ≡ 5 (mod 8) . 90 6.13 Successive ULI∆ maxima, ∆ ≡ 5 (mod 8) . 92 6.14 Successive L(1; χ∆) minima, ∆ ≡ 5 (mod 8) . 93 6.15 Successive LLI∆ minima, ∆ ≡ 5 (mod 8) . 94 6.16 Successive L(1; χ∆) maxima, ∆ ≡ 0 (mod 4) . 95 6.17 Successive ULI maxima, ∆ ≡ 0 (mod 4) . 95 6.18 Successive L(1; χ∆) minima, ∆ ≡ 0 (mod 4) . 96 6.19 Successive LLI minima, ∆ ≡ 0 (mod 4) . 96 6.20 Number of noncyclic odd parts of class groups . 100 6.21 Counts of class numbers divisible by l .......................... 101 6.22 Counts of class numbers divisible by l2 .......................... 102 6.23 Counts of class numbers divisible by l3 .......................... 103 6.24 Counts of class groups with l-rank = r .......................... 104 6.25 Non-cyclic rank 2 2-Sylow squared subgroups . 107 6.26 Non-cyclic rank 2 p-Sylow subgroups . 110 6.27 Non-cyclic rank 3 2-Sylow squared subgroups . 117 6.28 Non-cyclic rank 3 p-Sylow subgroups . 121 6.29 Non-cyclic rank 4 2-Sylow squared subgroups . 123 6.30 Non-cyclic rank 4 p-Sylow subgroups . 125 6.31 Non-cyclic rank 5 2-Sylow squared subgroups . 126 6.32 Doubly non-cyclic class groups . 127 6.33 Trebly non-cyclic class groups . 132 6.34 Quadruply non-cyclic class groups . 133 7.1 Values of R3(n) for squarefree n ≡ 7 (mod 8) . 136 iv List of Figures and Illustrations 6.1 Program performance when N varies, B = 211, T = 26, m = 212 ....... 73 6.2 Program performance when B varies, N = 232, T = 26, m = 212 ....... 73 6.3 Program performance when T varies, N = 232, B = 28, m = 28 ........ 74 6.4 Scalability of the verification algorithm, LHS ................. 77 6.5 Scalability of the verification algorithm, RHS ................. 77 28 28 6.6 Local ULI∆ maxima for x ≤ j∆j < x + 2 ; x 2 2 Z .............. 96 28 28 6.7 Local LLI∆ minima for x ≤ j∆j < x + 2 ; x 2 2 Z .............. 97 6.8 Ratios of non-cyclic odd parts of class groups . 100 6.9 Values of pl(x)................................... 101 6.10 Values of pl2 (x).................................. 102 6.11 Values of pl3 (x).................................. 103 6.12 Values of pl;2(x).................................. 104 6.13 Values of pl;3(x).................................. 104 v List of Algorithms 4.1 Initialization [HTW10, Algorithm 1 : Phase 1] . 43 4.2 Multiplication [HTW10, Algorithm 1 : Phase 2] . 44 4.3 Restoration [HTW10, Algorithm 1 : Phase 3] . 45 4.4 Initialization of a block of #3(q)......................... 46 4.5 Initialization of a block of r(q)......................... 47 4.6 Initialization of a block of r(q2)......................... 47 2 4.7 Initialization of a block of #3(q)......................... 48 4.8 Initialization of a block of r2(q)......................... 49 4.9 Initialization of a block of r2(q2)........................ 50 5.1 Bach's approximation of log L(1; χ∆) [Bac95] . 60 5.2 BJT algorithm [Ram06, Algorithm 3.1] . 65 5.3 Verification algorithm [Ram06, Algorithm 4.1] . 70 vi Chapter 1 INTRODUCTION The class group of binary quadratic forms is a mathematical object that was thoroughly studied by many mathematicians over the past two centuries. First discovered by Gauß in 1798, this group consists of equivalence classes of binary quadratic forms, i.e. integer variable functions of the form ax2 + bxy + cy2 with a; b; c 2 Z. Quadratic forms in every equivalence class of a certain class group possess the same discriminant ∆ = b2 − 4ac. For that reason, this finite abelian group is denoted by Cl∆, in order to indicate that the structure of a group varies depending on ∆. Many things are known about the class group. For example, if we know its class number h(∆), which is merely the size of Cl∆, we can find a non-trivial factor of ∆. Also, from the prime factorization of ∆ we can determine the parity of h(∆), as well as the rank of the 2-Sylow subgroup. Reduction and composition algorithms, such as NUCOMP developed by Shanks [Sha89], allow us to efficiently manipulate the elements of Cl∆. However, the number of open questions about Cl∆ most certainly exceeds the number of answered. For example, the structure computation of Cl∆ is believed to be hard. The computation of the class number h(∆) is considered to be a difficult problem as well. However, the heuristics of Cohen and Lenstra allow us to make certain predictions regarding the structure of the class group, and divisibility properties of h(∆) [CL83, CL84]. Also, Littlewood's bounds allow to deduce an estimate on the size of h(∆) [Lit28]. However, Littlewood's result depends on the Extended Riemann Hypothesis, and might potentially be incorrect. Both Cohen-Lenstra heuristics and the Littlewood's bounds require careful examination, which we do in this thesis by providing an extensive computational evidence in their support.
Load more

Recommended publications
  • Improvements in Computing Discrete Logarithms in Finite Fields
    ISSN (Print): 2476-8316 ISSN (Online): 2635-3490 Dutse Journal of Pure and Applied Sciences (DUJOPAS), Vol. 5 No. 1a June 2019 Improvements in Computing Discrete Logarithms in Finite Fields 1*Ali Maianguwa Shuaibu, 2Sunday Babuba & 3James Andrawus 1, 2,3 Department of Mathematics, Federal University Dutse, Jigawa State Email: [email protected] Abstract The discrete logarithm problem forms the basis of numerous cryptographic systems. The most efficient attack on the discrete logarithm problem in the multiplicative group of a finite field is via the index calculus. In this paper, we examined a non-generic algorithm that uses index calculus. If α is a generator × × for 퐹푝 then the discrete logarithm of 훽 ∈ 퐹푝 with respect to 훼 is also called the index of 훽 (with respect to 훼), whence the term index calculus. This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard 푝 − 1method and the elliptic curve method. In conclusion, we suggest improved elliptic curve as well as hyperelliptic curve cryptography methods as fertile ground for further research. Keywords: Elliptic curve, Index calculus, Multiplicative group, Smooth numbers Introduction 푥 It is known that the logarithm 푙표푔푏 푎 is a number x such that 푏 = 푎, for given numbers a and b. Similarly, in any group G, powers 푏푘 can be defined for all integers 푘, and 푘 the discrete logarithm푙표푔푏 푎 is an integer k such that 푏 = 푎. In number theory,푥 = 푥 푖푛푑푟푎(푚표푑 푚) is read as the index of 푎 to the base r modulo m which is equivalent to 푟 = 푎(푚표푑 푚) if r is the primitive root of m and greatest common divisor, 푔푐푑( 푎, 푚) = 1.
    [Show full text]
  • The Index Calculus Method Using Non-Smooth Polynomials
    MATHEMATICS OF COMPUTATION Volume 70, Number 235, Pages 1253{1264 S 0025-5718(01)01298-4 Article electronically published on March 7, 2001 THE INDEX CALCULUS METHOD USING NON-SMOOTH POLYNOMIALS THEODOULOS GAREFALAKIS AND DANIEL PANARIO Abstract. We study a generalized version of the index calculus method for n the discrete logarithm problem in Fq ,whenq = p , p is a small prime and n !1. The database consists of the logarithms of all irreducible polynomials of degree between given bounds; the original version of the algorithm uses lower bound equal to one. We show theoretically that the algorithm has the same asymptotic running time as the original version. The analysis shows that the best upper limit for the interval coincides with the one for the original version. The lower limit for the interval remains a free variable of the process. We provide experimental results that indicate practical values for that bound. We also give heuristic arguments for the running time of the Waterloo variant and of the Coppersmith method with our generalized database. 1. Introduction Let G denote a group written multiplicatively and hgi the cyclic subgroup gen- erated by g 2 G.Giveng and y 2hgi,thediscrete logarithm problem for G is to find the smallest integer x such that y = gx.Theintegerx is called the discrete logarithm of y in the base g, and is written x =logg y. The main reason for the intense current interest on the discrete logarithm prob- lem (apart from being interesting on a purely mathematical level) is that the se- curity of many public-key cryptosystems depends on the assumption that finding discrete logarithms is hard, at least for certain groups.
    [Show full text]
  • Index Calculus in the Trace Zero Variety 3
    INDEX CALCULUS IN THE TRACE ZERO VARIETY ELISA GORLA AND MAIKE MASSIERER Abstract. We discuss how to apply Gaudry’s index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1. Introduction Given an elliptic curve E defined over a finite field Fq, consider the group E(Fqn ) of rational points over a field extension of prime degree n. Since E is defined over Fq, the group E(Fqn ) contains the subgroup E(Fq) of Fq-rational points of E. Moreover, it contains the subgroup Tn of − points P E(F n ) whose trace P + ϕ(P )+ ... + ϕn 1(P ) is zero, where ϕ denotes the Frobenius ∈ q homomorphism on E. The group Tn is called the trace zero subgroup of E(Fqn ), and it is the group of Fq-rational points of the trace zero variety relative to the field extension Fqn Fq. In this paper, we study the hardness of the DLP in the trace zero variety. Our| interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02, RS09] and by Avanzi and Cesena in [AC07, Ces10]. Ideally, in pairing-based proto- F∗ cols the embedding degree k is such that the DLP in Tn and in qkn have the same complexity.
    [Show full text]
  • Integer Factorization and Computing Discrete Logarithms in Maple
    Integer Factorization and Computing Discrete Logarithms in Maple Aaron Bradford∗, Michael Monagan∗, Colin Percival∗ [email protected], [email protected], [email protected] Department of Mathematics, Simon Fraser University, Burnaby, B.C., V5A 1S6, Canada. 1 Introduction As part of our MITACS research project at Simon Fraser University, we have investigated algorithms for integer factorization and computing discrete logarithms. We have implemented a quadratic sieve algorithm for integer factorization in Maple to replace Maple's implementation of the Morrison- Brillhart continued fraction algorithm which was done by Gaston Gonnet in the early 1980's. We have also implemented an indexed calculus algorithm for discrete logarithms in GF(q) to replace Maple's implementation of Shanks' baby-step giant-step algorithm, also done by Gaston Gonnet in the early 1980's. In this paper we describe the algorithms and our optimizations made to them. We give some details of our Maple implementations and present some initial timings. Since Maple is an interpreted language, see [7], there is room for improvement of both implementations by coding critical parts of the algorithms in C. For example, one of the bottle-necks of the indexed calculus algorithm is finding and integers which are B-smooth. Let B be a set of primes. A positive integer y is said to be B-smooth if its prime divisors are all in B. Typically B might be the first 200 primes and y might be a 50 bit integer. ∗This work was supported by the MITACS NCE of Canada. 1 2 Integer Factorization Starting from some very simple instructions | \make integer factorization faster in Maple" | we have implemented the Quadratic Sieve factoring al- gorithm in a combination of Maple and C (which is accessed via Maple's capabilities for external linking).
    [Show full text]
  • Quantum Arithmetics and the Relationship Between Real and P-Adic Physics
    Quantum Arithmetics and the Relationship between Real and p-Adic Physics M. Pitk¨anen Email: [email protected]. http://tgd.wippiespace.com/public_html/. November 7, 2011 Abstract This chapter suggests answers to the basic questions of the p-adicization program, which are following. 1. Is there a duality between real and p-adic physics? What is its precice mathematic formula- tion? In particular, what is the concrete map p-adic physics in long scales (in real sense) to real physics in short scales? Can one find a rigorous mathematical formulationof canonical identification induced by the map p ! 1=p in pinary expansion of p-adic number such that it is both continuous and respects symmetries. 2. What is the origin of the p-adic length scale hypothesis suggesting that primes near power of two are physically preferred? Why Mersenne primes are especially important? The answer to these questions proposed in this chapter relies on the following ideas inspired by the model of Shnoll effect. The first piece of the puzzle is the notion of quantum arithmetics formulated in non-rigorous manner already in the model of Shnoll effect. 1. Quantum arithmetics is induced by the map of primes to quantum primes by the standard formula. Quantum integer is obtained by mapping the primes in the prime decomposition of integer to quantum primes. Quantum sum is induced by the ordinary sum by requiring that also sum commutes with the quantization. 2. The construction is especially interesting if the integer defining the quantum phase is prime. One can introduce the notion of quantum rational defined as series in powers of the preferred prime defining quantum phase.
    [Show full text]
  • Quantum Arithmetics and the Relationship Between Real and P-Adic Physics
    CONTENTS 1 Quantum Arithmetics and the Relationship between Real and p-Adic Physics M. Pitk¨anen, June 19, 2019 Email: [email protected]. http://tgdtheory.com/public_html/. Recent postal address: Rinnekatu 2-4 A 8, 03620, Karkkila, Finland. Contents 1 Introduction 4 1.1 Overall View About Variants Of Quantum Integers . .5 1.2 Motivations For Quantum Arithmetics . .6 1.2.1 Model for Shnoll effect . .6 1.2.2 What could be the deeper mathematics behind dualities? . .6 1.2.3 Could quantum arithmetics allow a variant of canonical identification re- specting both symmetries and continuity? . .7 1.2.4 Quantum integers and preferred extremals of K¨ahleraction . .8 1.3 Correspondence Along Common Rationals And Canonical Identification: Two Man- ners To Relate Real And P-Adic Physics . .8 1.3.1 Identification along common rationals . .8 1.3.2 Canonical identification and its variants . .9 1.3.3 Can one fuse the two views about real-p-adic correspondence . .9 1.4 Brief Summary Of The General Vision . 10 1.4.1 Two options for quantum integers . 11 1.4.2 Quantum counterparts of classical groups . 11 2 Various options for Quantum Arithmetics 12 2.1 Comparing options I and II . 12 2.2 About the choice of the quantum parameter q ..................... 14 2.3 Canonical identification for quantum rationals and symmetries . 15 2.4 More about the non-uniqueness of the correspondence between p-adic integers and their quantum counterparts . 16 2.5 The three basic options for Quantum Arithmetics . 18 CONTENTS 2 3 Could Lie groups possess quantum counterparts with commutative elements exist? 18 3.1 Quantum counterparts of special linear groups .
    [Show full text]
  • INDEX CALCULUS in the TRACE ZERO VARIETY 1. Introduction
    INDEX CALCULUS IN THE TRACE ZERO VARIETY ELISA GORLA AND MAIKE MASSIERER Abstract. We discuss how to apply Gaudry's index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1. Introduction Given an elliptic curve E defined over a finite field Fq, consider the group E(Fqn ) of rational points over a field extension of prime degree n. Since E is defined over Fq, the group E(Fqn ) contains the subgroup E(Fq) of Fq-rational points of E. Moreover, it contains the subgroup Tn of n−1 points P 2 E(Fqn ) whose trace P + '(P ) + ::: + ' (P ) is zero, where ' denotes the Frobenius homomorphism on E. The group Tn is called the trace zero subgroup of E(Fqn ), and it is the group of Fq-rational points of the trace zero variety relative to the field extension Fqn jFq. In this paper, we study the hardness of the DLP in the trace zero variety. Our interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02, RS09] and by Avanzi and Cesena in [AC07, Ces10]. Ideally, in pairing-based proto- ∗ cols the embedding degree k is such that the DLP in Tn and in Fqkn have the same complexity.
    [Show full text]
  • Minsquare Factors and Maxfix Covers of Graphs
    Minsquare Factors and Maxfix Covers of Graphs Nicola Apollonio1 and Andr´as Seb˝o2 1 Department of Statistics, Probability, and Applied Statistics University of Rome “La Sapienza”, Rome, Italy 2 CNRS, Leibniz-IMAG, Grenoble, France Abstract. We provide a polynomial algorithm that determines for any given undirected graph, positive integer k and various objective functions on the edges or on the degree sequences, as input, k edges that minimize the given objective function. The tractable objective functions include linear, sum of squares, etc. The source of our motivation and at the same time our main application is a subset of k vertices in a line graph, that cover as many edges as possible (maxfix cover). Besides the general al- gorithm and connections to other problems, the extension of the usual improving paths for graph factors could be interesting in itself: the ob- jects that take the role of the improving walks for b-matchings or other general factorization problems turn out to be edge-disjoint unions of pairs of alternating walks. The algorithm we suggest also works if for any sub- set of vertices upper, lower bound constraints or parity constraints are given. In particular maximum (or minimum) weight b-matchings of given size can be determined in polynomial time, combinatorially, in more than one way. 1 Introduction Let G =(V,E) be a graph that may contain loops and parallel edges, and let k>0 be an integer. The main result of this work is to provide a polynomial algorithm for finding a subgraph of cardinality k that minimizes some pregiven objective function on the edges or the degree sequences of the graph.
    [Show full text]
  • The Past, Evolving Present and Future of Discrete Logarithm
    The Past, evolving Present and Future of Discrete Logarithm Antoine Joux, Andrew Odlyzko and Cécile Pierrot Abstract The first practical public key cryptosystem ever published, the Diffie-Hellman key exchange algorithm, relies for its security on the assumption that discrete logarithms are hard to compute. This intractability hypothesis is also the foundation for the security of a large variety of other public key systems and protocols. Since the introduction of the Diffie-Hellman key exchange more than three decades ago, there have been substantial algorithmic advances in the computation of discrete logarithms. However, in general the discrete logarithm problem is still considered to be hard. In particular, this is the case for the multiplicative group of finite fields with medium to large characteristic and for the additive group of a general elliptic curve. This paper presents a current survey of the state of the art concerning discrete logarithms and their computation. 1 Introduction 1.1 The Discrete Logarithm Problem Many popular public key cryptosystems are based on discrete exponentiation. If G is a multi- plicative group, such as the group of invertible elements in a finite field or the group of points on an elliptic curve, and g is an element of G, then gx is the discrete exponentiation of base g to the power x. This operation shares basic properties with ordinary exponentiation, for example gx+y = gx · gy. The inverse operation is, given h in G, to determine a value of x, if it exists, such that h = gx. Such a number x is called a discrete logarithm of h to the base g, since it shares many properties with the ordinary logarithm.
    [Show full text]
  • Cover and Decomposition Index Calculus on Elliptic Curves Made Practical
    Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over Fp6 Antoine Joux1 and Vanessa Vitse2 1 DGA and Universit´ede Versailles Saint-Quentin, Laboratoire PRISM, 45 avenue des Etats-Unis,´ F-78035 Versailles cedex, France [email protected] 2 Universit´ede Versailles Saint-Quentin, Laboratoire PRISM, 45 avenue des Etats-Unis,´ F-78035 Versailles cedex, France [email protected] Abstract. We present a new \cover and decomposition" attack on the elliptic curve discrete logarithm problem, that combines Weil descent and decomposition-based index calculus into a single discrete logarithm algorithm. This attack applies, at least theoretically, to all composite degree extension fields, and is particularly well-suited for curves defined 3 over Fp6 . We give a real-size example of discrete logarithm computations on a curve over a 151-bit degree 6 extension field, which would not have been practically attackable using previously known algorithms. Key words: elliptic curve, discrete logarithm, index calculus, Weil descent, decomposition attack 1 Introduction Elliptic curves are used in cryptography to provide groups where the discrete logarithm problem is thought to be difficult. We recall that given a finite group G (written additively) and two elements P; Q 2 G, the discrete logarithm problem (DLP) consists in computing, when it exists, an integer x such that Q = xP . When elliptic curves are used in cryptographic applications, the DLP is usually considered to be as difficult as in a generic group of the same size [31]. As a consequence, for a given security level, the key size is much smaller than for other popular cryptosystems based on factorization or discrete logarithms in finite fields.
    [Show full text]
  • RSA, Integer Factorization, Diffie–Hellman, Discrete Logarithm
    RSA, integer factorization, Diffie–Hellman, discrete logarithm computation Aurore Guillevic Inria Nancy, France November 12, 2020 1/71 Aurore Guillevic [email protected] • L1-L2 at Université de Bretagne Sud, Lorient (2005–2007) • L3 Vannes (2007–2008) • M1-M2 maths and cryptography at Université de Rennes 1 (2008–2010) • internship and PhD at Thales Communication, Gennevilliers (92) • post-doc at Inria Saclay (2 years) and Calgary (Canada, 1 year) • researcher in cryptography at Inria Nancy since November 2016 • adjunct assistant professor at Polytechnique (2017–2020) 2/71 Outline Preliminaries RSA, and integer factorization problem Naive methods Quadratic sieve Number Field Sieve Bad randomness: gcd, Coppersmith attacks Diffie-Hellman, and the discrete logarithm problem Generic algorithms of square root complexity Pairings 3/71 Introduction: public-key cryptography Introduced in 1976 (Diffie–Hellman, DH) and 1977 (Rivert–Shamir–Adleman, RSA) Asymmetric means distinct public and private keys • encryption with a public key • decryption with a private key • deducing the private key from the public key is a very hard problem Two hard problems: • Integer factorization (for RSA) • Discrete logarithm computation in a finite group (for Diffie–Hellman) 4/71 Textbooks Alfred Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Christof Paar and Jan Pelzl. Understanding Cryptography, a Textbook for Students and Practitioners. Springer, 2010. (Two texbooks [PP10] (Paar and Pelzl) are available at the library at Lorient, code 005.8 PAA). Relvant chapters: 6, 7, 8, and 10. During lockdown, the library is opened: see La BU sur rendez-vous https://www-actus.univ-ubs.fr/fr/index/actualites/scd/ covid-19-la-bu-sur-rdv.html Lecture notes: https://gitlab.inria.fr/guillevi/enseignement/ (Lorient → Master-CSSE.md) 5/71 Textbooks The Handbook is available in PDF for free.
    [Show full text]
  • Exact Formulas for the Generalized Sum-Of-Divisors Functions)
    Exact Formulas for the Generalized Sum-of-Divisors Functions Maxie D. Schmidt School of Mathematics Georgia Institute of Technology Atlanta, GA 30332 USA [email protected] [email protected] Abstract We prove new exact formulas for the generalized sum-of-divisors functions, σα(x) := dα. The formulas for σ (x) when α C is fixed and x 1 involves a finite sum d x α ∈ ≥ over| all of the prime factors n x and terms involving the r-order harmonic number P ≤ sequences and the Ramanujan sums cd(x). The generalized harmonic number sequences correspond to the partial sums of the Riemann zeta function when r > 1 and are related to the generalized Bernoulli numbers when r 0 is integer-valued. ≤ A key part of our new expansions of the Lambert series generating functions for the generalized divisor functions is formed by taking logarithmic derivatives of the cyclotomic polynomials, Φ (q), which completely factorize the Lambert series terms (1 qn) 1 into n − − irreducible polynomials in q. We focus on the computational aspects of these exact ex- pressions, including their interplay with experimental mathematics, and comparisons of the new formulas for σα(n) and the summatory functions n x σα(n). ≤ 2010 Mathematics Subject Classification: Primary 30B50; SecondaryP 11N64, 11B83. Keywords: Divisor function; sum-of-divisors function; Lambert series; cyclotomic polynomial. Revised: April 23, 2019 arXiv:1705.03488v5 [math.NT] 19 Apr 2019 1 Introduction 1.1 Lambert series generating functions We begin our search for interesting formulas for the generalized sum-of-divisors functions, σα(n) for α C, by expanding the partial sums of the Lambert series which generate these functions in the∈ form of [5, 17.10] [13, 27.7] § § nαqn L (q) := = σ (m)qm, q < 1.
    [Show full text]