A Discrete Logarithm-based Approach to Compute Low-Weight Multiples of Binary Polynomials
Being able to compute efficiently a low-weight multiple of a given binary
polynomial is often a key ingredient of correlation attacks on LFSR-based
stream ciphers. The best known general-purpose algorithm is based on the
generalized birthday problem. We describe an alternative approach which is
based on discrete logarithms and has much lower memory complexity requirements
with a comparable time complexity.
Comment: 12 pages
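As an added example (not code from the paper above, whose discrete-logarithm method the abstract does not detail), the following Python shows the problem itself and the baseline the abstract names: a meet-in-the-middle ("birthday") search for a weight-w multiple of a binary polynomial, plus the reason correlation attacks want one, namely that every multiple of an LFSR's characteristic polynomial is a sparse parity check on its output. The function names (low_weight_multiple, lfsr_sequence, parity_checks_hold), the toy polynomial x^7 + x + 1 and the LFSR seed are my own choices, not taken from the paper.

```python
from itertools import combinations

# Polynomials over GF(2) are Python ints: bit i is the coefficient of x^i.

def gf2_deg(a):
    """Degree of a (deg 0 := -1)."""
    return a.bit_length() - 1

def gf2_mod(a, m):
    """a mod m in GF(2)[x], by repeated shift-and-xor."""
    d = gf2_deg(m)
    while gf2_deg(a) >= d:
        a ^= m << (gf2_deg(a) - d)
    return a

def exponents(Q):
    """Exponents of the nonzero terms of Q, ascending."""
    return [e for e in range(Q.bit_length()) if (Q >> e) & 1]

def low_weight_multiple(P, w, N):
    """Lowest-degree multiple of P with exactly w terms and all exponents in
    [0, N), or None if there is none.

    Birthday-style search: residues of all sums of ceil(w/2) distinct powers
    x^e mod P are tabulated by residue, then every sum of floor(w/2) distinct
    powers is looked up. A hit with disjoint exponent sets S, T means
    sum_{e in S u T} x^e == 0 (mod P). The table has O(N^ceil(w/2)) entries,
    which is the memory cost the abstract refers to.
    """
    powers = [gf2_mod(1 << e, P) for e in range(N)]
    k_left, k_right = (w + 1) // 2, w // 2
    table = {}
    for S in combinations(range(N), k_left):
        r = 0
        for e in S:
            r ^= powers[e]
        table.setdefault(r, []).append(S)
    best = None
    for T in combinations(range(N), k_right):
        r = 0
        for e in T:
            r ^= powers[e]
        for S in table.get(r, ()):
            if set(S).isdisjoint(T):          # shared exponents would cancel
                Q = 0
                for e in S + T:
                    Q |= 1 << e
                if best is None or gf2_deg(Q) < gf2_deg(best):
                    best = Q
    return best

def lfsr_sequence(P, state, n):
    """n output bits of the LFSR with characteristic polynomial P, i.e. the
    sequence with sum_i p_i s_{t+i} = 0 for every t, where P = sum_i p_i x^i."""
    L = gf2_deg(P)
    s = [(state >> i) & 1 for i in range(L)]
    while len(s) < n:
        t = len(s) - L
        s.append(sum(s[t + i] for i in range(L) if (P >> i) & 1) & 1)
    return s

def parity_checks_hold(seq, exps):
    """True iff sum_{e in exps} s_{t+e} = 0 for every t the sequence covers."""
    span = max(exps)
    return all((sum(seq[t + e] for e in exps) & 1) == 0
               for t in range(len(seq) - span))

if __name__ == "__main__":
    P = 0b10000011                      # x^7 + x + 1 (toy feedback polynomial)
    Q = low_weight_multiple(P, 4, 9)    # x^8 + x^7 + x^2 + 1 = (x + 1) * P
    seq = lfsr_sequence(P, 0b1011001, 200)   # constructed sample seed
    print(exponents(Q), parity_checks_hold(seq, exponents(Q)))
```

With w = 4 the table holds all N(N-1)/2 pair residues; that quadratic memory (and the N^(w/2) growth for larger w) is exactly what a discrete-logarithm based method would aim to avoid. The weight-3 search with N = 8 finds nothing but P itself, since no multiple of smaller degree exists.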
New Acceleration of Nearly Optimal Univariate Polynomial Root-finders
Univariate polynomial root-finding has been studied for four millennia and is
still the subject of intensive research. Hundreds of efficient algorithms for
this task have been proposed. Two of them are nearly optimal. The first one,
proposed in 1995, relies on recursive factorization of a polynomial, is quite
involved, and has never been implemented. The second one, proposed in 2016,
relies on subdivision iterations, was implemented in 2018, and promises to be
practically competitive, although users' current choice for univariate
polynomial root-finding is the package MPSolve, proposed in 2000, revised in
2014, and based on Ehrlich's functional iterations. By proposing and
incorporating some novel techniques we significantly accelerate both
subdivision and Ehrlich's iterations. Moreover our acceleration of the known
subdivision root-finders is dramatic in the case of sparse input polynomials.
Our techniques can be of some independent interest for the design and analysis
of polynomial root-finders.
Comment: 89 pages, 5 figures, 2 tables
A Multi-level Blocking Distinct Degree Factorization Algorithm
We give a new algorithm for performing the distinct-degree factorization of a
polynomial P(x) over GF(2), using a multi-level blocking strategy. The coarsest
level of blocking replaces GCD computations by multiplications, as suggested by
Pollard (1975), von zur Gathen and Shoup (1992), and others. The novelty of our
approach is that a finer level of blocking replaces multiplications by
squarings, which speeds up the computation in GF(2)[x]/P(x) of certain interval
polynomials when P(x) is sparse. As an application we give a fast algorithm to
search for all irreducible trinomials x^r + x^s + 1 of degree r over GF(2),
while producing a certificate that can be checked in less time than the full
search. Naive algorithms cost O(r^2) per trinomial, thus O(r^3) to search over
all trinomials of given degree r. Under a plausible assumption about the
distribution of factors of trinomials, the new algorithm has complexity O(r^2
(log r)^{3/2}(log log r)^{1/2}) for the search over all trinomials of degree r.
Our implementation achieves a speedup of greater than a factor of 560 over the
naive algorithm in the case r = 24036583 (a Mersenne exponent). Using our
program, we have found two new primitive trinomials of degree 24036583 over
GF(2) (the previous record degree was 6972593)
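The abstract above describes two things a reader can reproduce at small scale: distinct-degree factorization (DDF) over GF(2) with the coarse level of blocking (several gcd steps collapsed into multiplications followed by one gcd), and its use as an irreducibility test for trinomials x^r + x^s + 1. The Python below is an added example, not the authors' program: it implements the textbook DDF loop and the Pollard / von zur Gathen-Shoup style blocking, and searches trinomials for a small degree. The finer squaring-level blocking for sparse P that the paper introduces is not reproduced. All function names (ddf, gf2_mulmod, irreducible_trinomials, ...) and the block size are my own choices.

```python
# Polynomials over GF(2) are Python ints: bit i is the coefficient of x^i.

def gf2_deg(a):
    """Degree of a (deg 0 := -1)."""
    return a.bit_length() - 1

def gf2_mod(a, m):
    """a mod m in GF(2)[x]."""
    d = gf2_deg(m)
    while gf2_deg(a) >= d:
        a ^= m << (gf2_deg(a) - d)
    return a

def gf2_divmod(a, b):
    """Quotient and remainder of a / b in GF(2)[x]."""
    q, db = 0, gf2_deg(b)
    while gf2_deg(a) >= db:
        s = gf2_deg(a) - db
        q ^= 1 << s
        a ^= b << s
    return q, a

def gf2_gcd(a, b):
    """Euclid in GF(2)[x]; every nonzero polynomial is already monic."""
    while b:
        a, b = b, gf2_mod(a, b)
    return a

def gf2_mulmod(a, b, m):
    """a*b mod m for a, b already reduced mod m (shift-and-xor)."""
    d, r = gf2_deg(m), 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> d) & 1:
            a ^= m
    return r

def gf2_deriv(a):
    """Formal derivative: only odd-exponent terms survive in characteristic 2."""
    d, i = 0, 1
    while a >> i:
        if (a >> i) & 1:
            d |= 1 << (i - 1)
        i += 2
    return d

X = 0b10  # the polynomial x

def ddf(P, block=1):
    """Distinct-degree factorization of a squarefree P in GF(2)[x].

    Returns [(i, g_i), ...] where g_i is the product of all irreducible
    factors of degree i. block=1 is the textbook loop with one
    gcd(x^(2^i) - x, P) per degree. block=k is the coarse-level blocking:
    the k terms x^(2^j) - x of a block are multiplied together mod P and only
    the product goes into a single gcd; the per-degree gcds run only when
    that gcd is nontrivial, so most gcds are replaced by multiplications.
    """
    if gf2_gcd(P, gf2_deriv(P)) != 1:
        raise ValueError("P must be squarefree")
    factors = []
    h, i = gf2_mod(X, P), 0            # invariant: h = x^(2^i) mod P
    while 2 * (i + 1) <= gf2_deg(P):   # otherwise what is left is irreducible
        hs = []
        for _ in range(block):
            h = gf2_mulmod(h, h, P)    # x^(2^(i+1)), x^(2^(i+2)), ... mod P
            hs.append(h)
        prod = 1
        for hj in hs:
            prod = gf2_mulmod(prod, hj ^ X, P)
        if gf2_gcd(prod, P) != 1:      # some factor has its degree in this block
            for j, hj in enumerate(hs, start=i + 1):
                # hj was reduced mod the old P; since the new P divides it,
                # the gcd is unchanged and yields exactly the degree-j factors.
                g = gf2_gcd(hj ^ X, P)
                if g != 1:
                    factors.append((j, g))
                    P, _ = gf2_divmod(P, g)
                    if P == 1:
                        break
            h = gf2_mod(h, P)          # keep h reduced for the next squaring
        i += block
    if gf2_deg(P) > 0:
        factors.append((gf2_deg(P), P))
    return factors

def is_irreducible(P, block=4):
    return ddf(P, block) == [(gf2_deg(P), P)]

def irreducible_trinomials(r, block=4):
    """All s in (0, r) with x^r + x^s + 1 irreducible over GF(2).
    r and s both even gives a perfect square, so those s are skipped."""
    found = []
    for s in range(1, r):
        if r % 2 == 0 and s % 2 == 0:
            continue
        if is_irreducible((1 << r) | (1 << s) | 1, block):
            found.append(s)
    return found

if __name__ == "__main__":
    print(ddf(0b10000101))            # x^7 + x^2 + 1 = (x^2+x+1)(x^5+x^4+x^2+x+1)
    print(irreducible_trinomials(7))  # [1, 3, 4, 6]
```

Both block sizes return the same factorization; the saving is only in how many gcds run, which is what makes the difference at the record degrees quoted in the abstract. Irreducibility here follows from the DDF output having a single entry of full degree; in the search the skipped both-even case is the only one in which a trinomial fails the squarefree check.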
Efficiently Detecting Torsion Points and Subtori
Suppose X is the complex zero set of a finite collection of polynomials in
Z[x_1,...,x_n]. We show that deciding whether X contains a point all of whose
coordinates are d_th roots of unity can be done within NP^NP (relative to the
sparse encoding), under a plausible assumption on primes in arithmetic
progression. In particular, our hypothesis can still hold even under certain
failures of the Generalized Riemann Hypothesis, such as the presence of
Siegel-Landau zeroes. Furthermore, we give a similar (but UNconditional)
complexity upper bound for n=1. Finally, letting T be any algebraic subgroup of
(C^*)^n we show that deciding whether X contains T is coNP-complete (relative
to an even more efficient encoding), unconditionally. We thus obtain new
non-trivial families of multivariate polynomial systems where deciding the
existence of complex roots can be done unconditionally in the polynomial
hierarchy -- a family of complexity classes lying between PSPACE and P,
intimately connected with the P=?NP Problem. We also discuss a connection to
Laurent's solution of Chabauty's Conjecture from arithmetic geometry.
Comment: 21 pages, no figures. Final version, with additional commentary and
references. Also fixes a gap in Theorem 2 (now Theorem 1.3) regarding
translated subtori
Modular Las Vegas Algorithms for Polynomial Absolute Factorization
Let f(X,Y) \in \mathbb{Z}[X,Y] be an irreducible polynomial over \mathbb{Q}. We give a
Las Vegas absolute irreducibility test based on a property of the Newton
polytope of , or more precisely, of modulo some prime integer . The
same idea of choosing a satisfying some prescribed properties together with
is used to provide a new strategy for absolute factorization of .
We present our approach in the bivariate case but the techniques extend to the
multivariate case. Maple computations show that it is efficient and promising
as we are able to factorize some polynomials of degree up to 400
- …