4,888 research outputs found
On Class Group Computations Using the Number Field Sieve
The best practical algorithm for class group computations in imaginary quadratic number fields (such as group structure, class number, discrete logarithm computations) is a variant of the quadratic sieve factoring algorithm. Paradoxical as it sounds, the principles of the number field sieve, in a strict sense, could not be applied to number field computations, yet. In this article we give an indication of the obstructions. In particular, we first present fundamental core elements of a number field sieve for number field computations of which it is absolutely unknown how to design them in a useful way. Finally, we show that the existence of a number field sieve for number field computations with a running time asymptotics similar to that of the genuine number field sieve likely implies the existence of an algorithm for elliptic curve related computational problems with subexponential running time.
Quadratic Points on Modular Curves
In this paper we determine the quadratic points on the modular curves X_0(N),
where the curve is non-hyperelliptic, the genus is 3, 4 or 5, and the
Mordell--Weil group of J_0(N) is finite. The values of N are 34, 38, 42, 44,
45, 51, 52, 54, 55, 56, 63, 64, 72, 75, 81.
As well as determining the non-cuspidal quadratic points, we give the
j-invariants of the elliptic curves parametrized by those points, and determine
if they have complex multiplication or are quadratic \Q-curves.
Comment: Some improvements and corrections suggested by the referee are
incorporated. Magma programs used to generate the data are now available with
this arXiv version.
Twists of X(7) and primitive solutions to x^2+y^3=z^7
We find the primitive integer solutions to x^2+y^3=z^7. A nonabelian descent
argument involving the simple group of order 168 reduces the problem to the
determination of the set of rational points on a finite set of twists of the
Klein quartic curve X. To restrict the set of relevant twists, we exploit the
isomorphism between X and the modular curve X(7), and use modularity of
elliptic curves and level lowering. This leaves 10 genus-3 curves, whose
rational points are found by a combination of methods.
Comment: 47 pages
A kilobit hidden SNFS discrete logarithm computation
We perform a special number field sieve discrete logarithm computation in a
1024-bit prime field. To our knowledge, this is the first kilobit-sized
discrete logarithm computation ever reported for prime fields. This computation
took a little over two months of calendar time on an academic cluster using the
open-source CADO-NFS software. Our chosen prime looks random, and
has a 160-bit prime factor, in line with recommended parameters for the Digital
Signature Algorithm. However, our p has been trapdoored in such a way that the
special number field sieve can be used to compute discrete logarithms in
, yet detecting that p has this trapdoor seems out of reach.
Twenty-five years ago, there was considerable controversy around the
possibility of back-doored parameters for DSA. Our computations show that
trapdoored primes are entirely feasible with current computing technology. We
also describe special number field sieve discrete log computations carried out
for multiple weak primes found in use in the wild. As can be expected from a
trapdoor mechanism which we say is hard to detect, our research did not reveal
any trapdoored prime in wide use. The only way for a user to defend against a
hypothetical trapdoor of this kind is to require verifiably random primes.
Improvements in the computation of ideal class groups of imaginary quadratic number fields
We investigate improvements to the algorithm for the computation of ideal
class groups described by Jacobson in the imaginary quadratic case. These
improvements rely on the large prime strategy and a new method for performing
the linear algebra phase. We achieve a significant speed-up and are able to
compute ideal class groups with discriminants of 110 decimal digits in less
than a week.
Comment: 14 pages, 5 figures
Practical improvements to class group and regulator computation of real quadratic fields
We present improvements to the index-calculus algorithm for the computation
of the ideal class group and regulator of a real quadratic field. Our
improvements consist of applying the double large prime strategy, an improved
structured Gaussian elimination strategy, and the use of Bernstein's batch
smoothness algorithm. We achieve a significant speed-up and are able to compute
the ideal class group structure and the regulator corresponding to a number
field with a 110-decimal digit discriminant.