On the coefficients of the polynomial in the number field sieve

Polynomial selection is very important in number field sieve. If the yield of a pair of polynomials is closely correlated with the coefficients of the polynomials, we can select polynomials by checking the coefficients first. This can speed up the selection of good polynomials. In this paper, we aim to study the correlation between the polynomial coefficients and the yield of the polynomials. By theoretical analysis and experiments, we find that a polynomial with the ending coefficient containing more small primes is usually better in yield than the one whose ending coefficient contains less. One advantage of the ending coefficient over the leading coefficient is that the ending coefficient is bigger and can contain more small primes in root optimizing stage. Using the complete discrimination system, we also analyze the condition on coefficients to obtain more real roots

Root numbers and the parity problem

Let E be a one-parameter family of elliptic curves over a number field. It is natural to expect the average root number of the curves in the family to be zero. All known counterexamples to this folk conjecture occur for families obeying a certain degeneracy condition. We prove that the average root number is zero for a large class of families of elliptic curves of fairly general type. Furthermore, we show that any non-degenerate family E has average root number 0, provided that two classical arithmetical conjectures hold for two homogeneous polynomials with integral coefficients constructed explicitly in terms of E. The first such conjecture -- commonly associated with Chowla -- asserts the equidistribution of the parity of the number of primes dividing the integers represented by a polynomial. We prove the conjecture for homogeneous polynomials of degree 3. The second conjecture used states that any non-constant homogeneous polynomial yields to a square-free sieve. We sharpen the existing bounds on the known cases by a sieve refinement and a new approach combining height functions, sphere packings and sieve methods.Comment: 291 pages, PhD thesi

Explicit Mertens' theorems for number fields

To study the distribution of prime ideals in a number field, there are two important results which must be considered: Mertens’ theorems for number fields and the prime ideal theorem. The prime ideal theorem is a stronger result on average, but its effective version can face significant technical issues. It is not immediately obvious, but an effective version of Mertens' theorems for number fields (which we prove in Theorem 1.1.3) avoids all of the technical issues that present in the effective prime ideal theorem. Several ingredients are needed to prove Theorem 1.1.3. The most important ingredient is an explicit estimate for the ideal-counting function. This explicit estimate is of independent interest too, because it generalises the widely useful floor function into the number fields setting. Therefore, we update the latest explicit estimate for the ideal-counting function in Theorem 3.1.1. Because there are no technical obstructions to consider, Theorem 1.1.3 can be applied more broadly than the prime ideal theorem. In particular, for an irreducible polynomial g with integer coefficients and sufficiently large rational primes p, there is an explicit connection between the number of solutions to the congruence g(x) = 0 modulo p and the prime ideals in a certain number field; we prove this in Lemma 5.2.1. Now, this number at each p defines a multiplicative function that unlocks nice applications in sieve methods, such as bounds on the number of rational primes represented by a polynomial. Therefore, we use Lemma 5.2.1 and Theorem 1.1.3 to establish explicit Nagell theorems in Corollary 5.1.1; these are weighted Mertens' theorems that appear in the literature pertaining to sieve methods. Using Corollary 5.1.1, we then prove an explicit formula for the number k of irreducible factors of a polynomial with integer coefficients; this is presented in Corollary 5.1.3. A deterministic algorithm to compute k emerges from this formula. To demonstrate what would be possible if the far-reaching Generalised Riemann Hypothesis (GRH) was proven, we establish conditional versions of our main results throughout as well

Root optimization of polynomials in the number field sieve

The general number field sieve (GNFS) is the most efficient algorithm known for factoring large integers. It consists of several stages, the first one being polynomial selection. The quality of the chosen polynomials in polynomial selection can be modelled in terms of size and root properties. In this paper, we describe some algorithms for selecting polynomials with very good root properties.Comment: 16 pages, 18 reference

Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

Pairing based cryptography is in a dangerous position following the breakthroughs on discrete logarithms computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS

Montgomery's method of polynomial selection for the number field sieve

The number field sieve is the most efficient known algorithm for factoring large integers that are free of small prime factors. For the polynomial selection stage of the algorithm, Montgomery proposed a method of generating polynomials which relies on the construction of small modular geometric progressions. Montgomery's method is analysed in this paper and the existence of suitable geometric progressions is considered

A kilobit hidden SNFS discrete logarithm computation

We perform a special number field sieve discrete logarithm computation in a 1024-bit prime field. To our knowledge, this is the first kilobit-sized discrete logarithm computation ever reported for prime fields. This computation took a little over two months of calendar time on an academic cluster using the open-source CADO-NFS software. Our chosen prime $p$ looks random, and $p--1$ has a 160-bit prime factor, in line with recommended parameters for the Digital Signature Algorithm. However, our p has been trapdoored in such a way that the special number field sieve can be used to compute discrete logarithms in $\mathbb{F}\_p^*$ , yet detecting that p has this trapdoor seems out of reach. Twenty-five years ago, there was considerable controversy around the possibility of back-doored parameters for DSA. Our computations show that trapdoored primes are entirely feasible with current computing technology. We also describe special number field sieve discrete log computations carried out for multiple weak primes found in use in the wild. As can be expected from a trapdoor mechanism which we say is hard to detect, our research did not reveal any trapdoored prime in wide use. The only way for a user to defend against a hypothetical trapdoor of this kind is to require verifiably random primes