Approximately counting semismooth integers
An integer is -semismooth if where is an integer with all prime divisors and is 1 or a prime . Large quantities of semismooth integers are utilized in modern integer factoring algorithms, such as the number field sieve, that incorporate the so-called large prime variant. Thus, it is useful for factoring practitioners to be able to estimate the value of , the number of -semismooth integers up to , so that they can better set algorithm parameters and minimize running times, which could be weeks or months on a cluster supercomputer. In this paper, we explore several algorithms to approximate using a generalization of Buchstab's identity with numeric integration.
Comment: To appear in ISSAC 2013, Boston M
Two Compact Incremental Prime Sieves
A prime sieve is an algorithm that finds the primes up to a bound . We say that a prime sieve is incremental if it can quickly determine whether is prime after having found all primes up to . We say a sieve is compact if it uses roughly space or less. In this paper we present two new results:
(1) We describe the rolling sieve, a practical, incremental prime sieve that takes time and bits of space, and
(2) We show how to modify the sieve of Atkin and Bernstein (2004) to obtain a sieve that is simultaneously sublinear, compact, and incremental.
The second result solves an open problem given by Paul Pritchard in 1994.
Order computations in generic groups
Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Mathematics, 2007. This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections. Includes bibliographical references (p. 205-211).
We consider the problem of computing the order of an element in a generic group. The two standard algorithms, Pollard's rho method and Shanks' baby-steps giant-steps technique, both use $\Theta(N^{1/2})$ group operations to compute $|\alpha| = N$. A lower bound of $\Omega(N^{1/2})$ has been conjectured. We disprove this conjecture, presenting a generic algorithm with complexity $o(N^{1/2})$. The running time is $O((N/\log\log N)^{1/2})$ when $N$ is prime, but for nearly half the integers $N$..., the complexity is $O(N^{1/3})$. If only a single success in a random sequence of problems is required, the running time is subexponential. We prove that a generic algorithm can compute $|\alpha|$ for all $\alpha$... in near linear time plus the cost of a single order computation with $N = \lambda(S)$, where $\lambda(S) = \mathrm{lcm}\,|\alpha|$ over $\alpha$.... For abelian groups, a random $S$...$G$ of constant size suffices to compute $\lambda(G)$, the exponent of the group. Having computed $\lambda(G)$, we show that in most cases the structure of an abelian group $G$ can be determined using an additional $O(N^{\delta/4})$ group operations, given an $O(N^{\delta})$ bound on $|G| = N$. The median complexity is approximately $O(N^{1/3})$ for many distributions of finite abelian groups, and $o(N^{1/2})$ in all but an extreme set of cases. A lower bound of $\Omega(N^{1/2})$ had been assumed, based on a similar bound for the discrete logarithm problem. We apply these results to compute the ideal class groups of imaginary quadratic number fields, a standard test case for generic algorithms. The record class group computation by generic algorithm, for discriminant -4(10 +1), involved some 240 million group operations over the course of 15 days on a Sun SparcStation4.
We accomplish the same task using 1/1000th the group operations, taking less than 3 seconds on a PC. Comparisons with non-generic algorithms for class group computation are also favorable in many cases. We successfully computed several class groups with discriminants containing more than 100 digits. These are believed to be the largest class groups ever computed.
by Andrew V. Sutherland.
A note on Low Order assumptions in RSA groups
In this short note, we show that substantially weaker Low Order assumptions are sufficient to prove the soundness of Pietrzak's protocol for proof of exponentiation in groups of unknown order. This constitutes the first step to a better understanding of the asymptotic computational complexity of breaking the soundness of the protocol. Furthermore, we prove the equivalence of the (weaker) Low Order assumption(s) and the Factoring assumption in RSA groups for a non-negligible portion of moduli. We argue that in practice our reduction applies to a considerable number of deployed moduli. Our results have cryptographic applications, most importantly in the theory of recently proposed verifiable delay function constructions. Finally, we describe how to certify RSA moduli free of low order elements.
An Introduction to A Class of Matrix Optimization Problems
Ph.D. thesis.
Imaginary Quadratic Class Groups and a Survey of Time-Lock Cryptographic Applications
Imaginary quadratic class groups have been proposed as one of the main hidden-order group candidates for time-lock cryptographic applications such as verifiable delay functions (VDFs). They have the advantage over RSA groups that they do \emph{not} need a trusted setup. However, they have historically been significantly less studied by the cryptographic research community. This survey provides an introduction to the theory of imaginary quadratic class groups and discusses several considerations that need to be taken into account for practical applications. In particular, we describe the relevant computational problems and the main classical and quantum algorithms that can be used to solve them. From this discussion, it follows that choosing a discriminant with prime is one of the most promising ways to pick a class group \CL(\Delta) without the need for a trusted setup, while simultaneously making sure that there are no easy-to-find elements of low order in \CL(\Delta). We provide experimental data on class groups belonging to discriminants of this form, and compare them to the Cohen-Lenstra heuristics, which predict the average behaviour of \CL(\Delta) belonging to a random \emph{fundamental} discriminant. Afterwards, we describe the most prominent constructions of VDFs based on hidden-order groups, and discuss their soundness and sequentiality when implemented in imaginary quadratic class groups. Finally, we briefly touch upon the post-quantum security of VDFs in imaginary quadratic class groups, where the time one can use a fixed group is upper bounded by the runtime of quantum polynomial-time order computation algorithms.
Reflections on the number field sieve
EThOS - Electronic Theses Online Service, United Kingdom