Fast integer multiplication using generalized Fermat primes

For almost 35 years, Sch{\"o}nhage-Strassen's algorithm has been the fastest algorithm known for multiplying integers, with a time complexity O(n $\times$ log n $\times$ log log n) for multiplying n-bit inputs. In 2007, F{\"u}rer proved that there exists K > 1 and an algorithm performing this operation in O(n $\times$ log n $\times$ K log n). Recent work by Harvey, van der Hoeven, and Lecerf showed that this complexity estimate can be improved in order to get K = 8, and conjecturally K = 4. Using an alternative algorithm, which relies on arithmetic modulo generalized Fermat primes, we obtain conjecturally the same result K = 4 via a careful complexity analysis in the deterministic multitape Turing model

Isogeny graphs with maximal real multiplication

An isogeny graph is a graph whose vertices are principally polarized abelian varieties and whose edges are isogenies between these varieties. In his thesis, Kohel described the structure of isogeny graphs for elliptic curves and showed that one may compute the endomorphism ring of an elliptic curve defined over a finite field by using a depth first search algorithm in the graph. In dimension 2, the structure of isogeny graphs is less understood and existing algorithms for computing endomorphism rings are very expensive. Our setting considers genus 2 jacobians with complex multiplication, with the assumptions that the real multiplication subring is maximal and has class number one. We fully describe the isogeny graphs in that case. Over finite fields, we derive a depth first search algorithm for computing endomorphism rings locally at prime numbers, if the real multiplication is maximal. To the best of our knowledge, this is the first DFS-based algorithm in genus 2

Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm

This paper describes a new algorithm for computing linear generators (vector generating polynomials) for matrix sequences, running in sub-quadratic time. This algorithm applies in particular to the sequential stage of Coppersmith's block Wiedemann algorithm. Experiments showed that our method can be substituted in place of the quadratic one proposed by Coppersmith, yielding important speedups even for realistic matrix sizes. The base fields we were interested in were finite fields of large characteristic. As an example, we have been able to compute a linear generator for a sequence of 4*4 matrices of length 242 304 defined over GF(2^607) in less than two days on one 667MHz alpha ev67 cpu

Computation of Discrete Logarithms in GF(2^607)

International audienceWe describe in this article how we have been able to extend the record for computations of discrete logarithms in characteristic 2 from the previous record over GF(2^503) to a newer mark of GF(2^607), using Coppersmith's algorithm. This has been made possible by several practical improvements to the algorithm. Although the computations have been carried out on fairly standard hardware, our opinion is that we are nearing the current limits of the manageable sizes for this algorithm, and that going substantially further will require deeper improvements to the method

Interactive certificate for the verification of Wiedemann's Krylov sequence: application to the certification of the determinant, the minimal and the characteristic polynomials of sparse matrices

Certificates to a linear algebra computation are additional data structures for each output, which can be used by a-possibly randomized- verification algorithm that proves the correctness of each output. Wiede-mann's algorithm projects the Krylov sequence obtained by repeatedly multiplying a vector by a matrix to obtain a linearly recurrent sequence. The minimal polynomial of this sequence divides the minimal polynomial of the matrix. For instance, if the $n\times n$ input matrix is sparse with n 1+o(1) non-zero entries, the computation of the sequence is quadratic in the dimension of the matrix while the computation of the minimal polynomial is n 1+o(1), once that projected Krylov sequence is obtained. In this paper we give algorithms that compute certificates for the Krylov sequence of sparse or structured $n\times n$ matrices over an abstract field, whose Monte Carlo verification complexity can be made essentially linear. As an application this gives certificates for the determinant, the minimal and characteristic polynomials of sparse or structured matrices at the same cost

Root optimization of polynomials in the number field sieve

The general number field sieve (GNFS) is the most efficient algorithm known for factoring large integers. It consists of several stages, the first one being polynomial selection. The quality of the chosen polynomials in polynomial selection can be modelled in terms of size and root properties. In this paper, we describe some algorithms for selecting polynomials with very good root properties.Comment: 16 pages, 18 reference

Time- and Space-Efficient Evaluation of Some Hypergeometric Constants

The currently best known algorithms for the numerical evaluation of hypergeometric constants such as $\zeta(3)$ to $d$ decimal digits have time complexity $O(M(d) \log^2 d)$ and space complexity of $O(d \log d)$ or $O(d)$. Following work from Cheng, Gergel, Kim and Zima, we present a new algorithm with the same asymptotic complexity, but more efficient in practice. Our implementation of this algorithm improves slightly over existing programs for the computation of $\pi$, and we announce a new record of 2 billion digits for $\zeta(3)$

Algorithmes de calcul de logarithmes discrets dans les corps finis

Membre du Jury : von zur Gathen, Joachim et Coppersmith, Don et Berger, Thierry et Villard, Gillles et Sendrier, Nicolas et Roblot, XavierComputing discrete logarithms is a fundamental task for public key cryptanalysis. The mere existence of a subexponential algorithm for this purpose is not su±cient to de¯nitely rule on the security level provided by some cryptosystem. Assessing state-of-the-art cryptanalysis calls for a thorough evaluation process. This dissertation contributes to such an evaluation. In particular, a record computation for discrete logarithms over F2607 is described.The first part of this thesis focuses on our study and use of Coppersmith's algorithm for computing discrete logarithms in finite fields of characteristic two. We brought several improvements to this algorithm, which made the record computation feasible. The relevance of such a computation extends beyond the realm of finite fields, because of the existence of the MOV reduction on the one hand, and the recently introduced identity-based cryptography onthe other hand.The second part of this work addresses the classical problem of solving large sparse linear systems over finite fields, using the full power of existing algorithms and hardware in order to solve the largest possible linear systems. Specifically, we show how the block Wiedemann algorithm can be substantially improved in order to become very competitive for solving large sparse linear systems over Fp. Practical considerations on the achievement of the computations implied by this work are also discussed. These computations involved large resources, and required an importantmanagement work on the human side. Driving such tasks also yields some observations.Le calcul de logarithmes discrets est un problème central en cryptologie. Lorsqu'un algorithme sous-exponentiel pour résoudre ce problème existe, le cryptosystème concerné n'est pas nécessairement considéré comme disqualifié, et il convient d'actualiser avec soin l'état de l'art de la cryptanalyse. Les travaux de ce mémoire s'inscrivent dans cette optique. Nous décrivons en particulier comment nous avons atteint un record de calculs de logarithmes discrets: \GFn(607).Dans une première partie, nous exposons les différentes améliorations que nous avons apportées à l'algorithme de Coppersmith pour le calcul de logarithmes discrets en caractéristique 2. Ces améliorations ont rendu possible le record que nous avons atteint. La portée de ce calcul dépassele simple cadre des corps finis, à cause de l'existence de la réduction MOV d'une part, et de la récente introduction des cryptosystèmes fondés sur l'identité.On s'intéresse plus en détail, dans une seconde partie du mémoire, au problème classique de la résolution d'un système linéaire creux défini sur un corps fini, porté aux limites de ce que la technologie (théorique et pratique) permet. Nous montrons comment une amélioration substantielle de l'algorithme de Wiedemann par blocs a rendu celui-ci compétitif pour la résolution d'un grand système linéaire creux sur \GF p.Une partie de ce mémoire est consacrée au point de vue de l'expérimentateur, grand utilisateur de moyens de calcul, de la surcharge de travail humain que cela impose, et des constatations que cette position amène

Refined Analysis of the Asymptotic Complexity of the Number Field Sieve

The classical heuristic complexity of the Number Field Sieve (NFS) is the solution of an optimization problem that involves an unknown function, usually noted $o(1)$ and called $\xi(N)$ throughout this paper, which tends to zero as the entry $N$ grows. The aim of this paper is to find optimal asymptotic choices of the parameters of NFS as $N$ grows, in order to minimize its heuristic asymptotic computational cost. This amounts to minimizing a function of the parameters of NFS bound together by a non-linear constraint. We provide precise asymptotic estimates of the minimizers of this optimization problem, which yield refined formulas for the asymptotic complexity of NFS. One of the main outcomes of this analysis is that $\xi(N)$ has a very slow rate of convergence: We prove that it is equivalent to $4{\log}{\log}{\log}\,N/(3{\log}{\log}\,N)$. Moreover, $\xi(N)$ has an unpredictable behavior for practical estimates of the complexity. Indeed, we provide an asymptotic series expansion of $\xi$ and numerical experiments indicate that this series starts converging only for $N>\exp(\exp(25))$, far beyond the practical range of NFS. This raises doubts on the relevance of NFS running time estimates that are based on setting $\xi=0$ in the asymptotic formula.Comment: Accepted for publication in Mathematical Cryptolog