Polynomial Selection Using Lattices
Size: px
Start display at page:

Download "Polynomial Selection Using Lattices"

Transcription

1 Polynomial Selection Using Lattices Mathias Herrmann Alexander May Maike Ritzenhofen Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum Factoring 2009 September 12 th

2 Intro Need to find 2 irreducible polynomials f 1 (x), f 2 (x) Z[x] with common root m modulo N. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 2

3 Intro Need to find 2 irreducible polynomials f 1 (x), f 2 (x) Z[x] with common root m modulo N. deg(f 1 (x)) = 5 (algebraic polynomial) deg(f 2 (x)) = 1 (linear polynomial) Homogeneous form: F 1 (x, z) = a d x d + a d1 x d 1 z a 0 z d F 2 (x, z) = x mz Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 2

4 Intro Need to find 2 irreducible polynomials f 1 (x), f 2 (x) Z[x] with common root m modulo N. deg(f 1 (x)) = 5 (algebraic polynomial) deg(f 2 (x)) = 1 (linear polynomial) Homogeneous form: F 1 (x, z) = a d x d + a d1 x d 1 z a 0 z d F 2 (x, z) = x mz Currently, algorithm of Thorsten Kleinjung yields the best polynomial pairs. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 2

5 Good Polynomials Want to find many pairs (a, b) Z 2 such that F 1 (a, b) and F 2 (a, b) are smooth. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 3

6 Good Polynomials Want to find many pairs (a, b) Z 2 such that F 1 (a, b) and F 2 (a, b) are smooth. Need to be able to (quickly) compare polynomial (pairs). Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 3

7 Good Polynomials Want to find many pairs (a, b) Z 2 such that F 1 (a, b) and F 2 (a, b) are smooth. Need to be able to (quickly) compare polynomial (pairs). Quality Measures Q 2(f 1, f 2) = Z π 0 «α(f1) + log F 1( A cos θ, B sin θ) ρ log L 1 «α(f2) + log F 2( A cos θ, B sin θ) ρ dθ log L 2 Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 3

8 Good Polynomials Want to find many pairs (a, b) Z 2 such that F 1 (a, b) and F 2 (a, b) are smooth. Need to be able to (quickly) compare polynomial (pairs). Quality Measures Q 2(f 1, f 2) = Z π 0 0 Q 3(f 1) = α(f 1) + 1 Z 2 log «α(f1) + log F 1( A cos θ, B sin θ) ρ log L 1 «α(f2) + log F 2( A cos θ, B sin θ) ρ dθ log L 2 a A 0 < b B 1 F 1(a, b) 2 da dbc A Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 3

9 Good Polynomials Want to find many pairs (a, b) Z 2 such that F 1 (a, b) and F 2 (a, b) are smooth. Need to be able to (quickly) compare polynomial (pairs). Quality Measures Q 2(f 1, f 2) = Z π 0 0 Q 3(f 1) = α(f 1) + 1 Z 2 log «α(f1) + log F 1( A cos θ, B sin θ) ρ log L 1 «α(f2) + log F 2( A cos θ, B sin θ) ρ dθ log L 2 a A 0 < b B Q 4(f 1) = max 0 i d a i s d i 2 1 F 1(a, b) 2 da dbc A Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 3

10 Basics in Lattices Definition Let b 1,..., b n Q n be linearly independent vectors. The set { } n L := x Q n x = a i b i, a i Z is a lattice. i=1 Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 4

11 Basics in Lattices Definition Let b 1,..., b n Q n be linearly independent vectors. The set { } n L := x Q n x = a i b i, a i Z is a lattice. Described by basis matrix B(L) = i=1 b 1. b n Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 4

12 Basic polynomial selection using lattices Question How can we use lattices to perform a polynomial selection? Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 5

13 Basic polynomial selection using lattices Question How can we use lattices to perform a polynomial selection? Fix a root m modulo N. Linear polynomial is just f 2 (x) = x m. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 5

14 Basic polynomial selection using lattices Question How can we use lattices to perform a polynomial selection? Fix a root m modulo N. Linear polynomial is just f 2 (x) = x m. For algebraic polynomial use the following basis matrix. 1 x x 2... x d f 1 (m) m m m d N Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 5

15 Basic polynomial selection using lattices Question How can we use lattices to perform a polynomial selection? Fix a root m modulo N. Linear polynomial is just f 2 (x) = x m. For algebraic polynomial use the following basis matrix. 1 x x 2... x d f 1 (m) m m m d N Lattice reduction yields short lattice vector, i.e. polynomial with small coefficients. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 5

16 Skewness More sieve reports, if sieving region and polynomial are skewed x x x x x Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 6

17 Skewness More sieve reports, if sieving region and polynomial are skewed x x x x x Skewness in lattice basis Multiply basis matrix with a weight matrix that forces the polynomial to be skewed. W = s s s d S. After LLL reduction apply the inverse scaling to obtain desired polynomial. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 6

18 Result Obtain (skewed) polynomial with small coefficients. good polynomial with respect to. Q 4 (f 1 ) = max 0 i d a i s d i 2 Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 7

19 Result Obtain (skewed) polynomial with small coefficients. good polynomial with respect to. Q 4 (f 1 ) = max 0 i d a i s d i 2 BUT: We want to use a better approximation of number of sieve reports. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 7

20 Result Obtain (skewed) polynomial with small coefficients. good polynomial with respect to. Q 4 (f 1 ) = max 0 i d a i s d i 2 BUT: We want to use a better approximation of number of sieve reports. Use different norm for LLL to capture quality with respect to Q 3. Q 3 (f 1 ) = α(f 1 ) log a A 0 < b B F 1 (a, b) 2 da db Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 7

21 Modified Norm Alter norm used by LLL. Define v := v T Mv with M := 2 11 s s s s 0 35 s s s s s s s s s s s s s s S. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 8

22 Comparison: Quality with standard norm vs. new norm 45 new norm euclidean norm Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 9

23 Root Property Recall quality measure Q 3 (f 1 ) = α(f 1 ) }{{} Root property log F 1 (a, b) 2 da db a A } 0 < b B {{ } Size property Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 10

24 Root Property Recall quality measure Q 3 (f 1 ) = α(f 1 ) }{{} Root property log F 1 (a, b) 2 da db a A } 0 < b B {{ } Size property Size property optimed by LLL, but Root property α(f 1 ) has major influence on quality. Need to model in lattice. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 10

25 Lattice basis with improved root property 1 x x 2... x d f 1 (m) f 1 (α 1 )... f 1 (α k ) α αk m α α 1 k m 2 α α 2 k m d α1 d... αk d N p p k Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 11

26 Remarks Using some roots modulo small primes of Kleinjung s polynomial, we are able to reconstruct it with the lattice approach. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 12

27 Remarks Using some roots modulo small primes of Kleinjung s polynomial, we are able to reconstruct it with the lattice approach. However, we are not able to allow LLL to choose a set of roots modulo small primes. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 12

28 Remarks Using some roots modulo small primes of Kleinjung s polynomial, we are able to reconstruct it with the lattice approach. However, we are not able to allow LLL to choose a set of roots modulo small primes. Trying all possibilities to complex, No iterative method obvious. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 12

29 Remarks Using some roots modulo small primes of Kleinjung s polynomial, we are able to reconstruct it with the lattice approach. However, we are not able to allow LLL to choose a set of roots modulo small primes. Trying all possibilities to complex, No iterative method obvious. Need a different approach to obtain a good root property. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 12

30 Special Galois groups A theorem by Odoni states that asymptotically a polynomial, where the Galois group is the Frobenius group, yields smaller values. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 13

31 Special Galois groups A theorem by Odoni states that asymptotically a polynomial, where the Galois group is the Frobenius group, yields smaller values. Our goal: Use LLL to find good polynomials with the special Galois group. Generic polynomials with Galois group F 20 f gen(x; a, b) := x 5 + b 2 (a 2 + 4) 2a 17 «x 4 + 3b(a 2 + 4) + (a 2 + 4) + 13a 4 f gen(x; p, q) := x px p 2 x + q b(a 2 + 4) + 11a «2 8 x 2 + (a 6) x + 1 «2 + 1 x 3 Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 13

32 Special Galois groups A theorem by Odoni states that asymptotically a polynomial, where the Galois group is the Frobenius group, yields smaller values. Our goal: Use LLL to find good polynomials with the special Galois group. Generic polynomials with Galois group F 20 f gen(x; a, b) := x 5 + b 2 (a 2 + 4) 2a 17 «x 4 + 3b(a 2 + 4) + (a 2 + 4) + 13a 4 f gen(x; p, q) := x px p 2 x + q b(a 2 + 4) + 11a «2 8 x 2 + (a 6) x + 1 «2 + 1 x 3 But: unable to find a root m modulo N. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 13

33 Enforce special Galois group Generic polynomial with Frobenius group as Galois group. Compute roots modulo small primes and use these as input to lattice reduction, randomly chosen m. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 14

34 Enforce special Galois group Generic polynomial with Frobenius group as Galois group. Compute roots modulo small primes and use these as input to lattice reduction, randomly chosen m. Hope that roots enforce the resulting polynomial to have the desired Galois group. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 14

35 Enforce special Galois group Generic polynomial with Frobenius group as Galois group. Compute roots modulo small primes and use these as input to lattice reduction, randomly chosen m. Hope that roots enforce the resulting polynomial to have the desired Galois group. Only happened if a lot of roots modulo small primes were enforce, but then the size of coefficients was very bad. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 14

36 Optimize parameters a, b Try to find parameters of the generic polynomials. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 15

37 Optimize parameters a, b Try to find parameters of the generic polynomials. Fix m and use Coppersmith s Algorithm to find a, b s.th. f gen (m; a, b) = 0 mod N. Two problems arise: 1 Upper bounds on a, b are very small. Experiments never found suitable a, b. 2 Even if we found good algebraic polynomial, the polynomial pair may still be bad. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 15

38 Optimize parameters a, b Try to find parameters of the generic polynomials. Fix m and use Coppersmith s Algorithm to find a, b s.th. f gen (m; a, b) = 0 mod N. Two problems arise: 1 Upper bounds on a, b are very small. Experiments never found suitable a, b. 2 Even if we found good algebraic polynomial, the polynomial pair may still be bad. Add m as a further variable in Coppersmith s algortihm. But then the bounds get even worse and we cannot expect a solution. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 15

39 Finding a root m All previous approaches used a given root m. Now: Try to find a good m with lattice methods. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 16

40 Finding a root m All previous approaches used a given root m. Now: Try to find a good m with lattice methods. Translation Given a polynomial f(x) with root m modulo N, the polynomial f (x) := f(x α) has root m = m + α. (f (m ) = f(m α) = f(m + α α) = 0 mod N) Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 16

41 Idea Start with arbitrary polynomial (known root m modulo N). Compute coefficients of translated polynomials. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 17

42 Idea Start with arbitrary polynomial (known root m modulo N). Compute coefficients of translated polynomials. Translated polynomials f 1(x) = px m f 2(x) = a 5x 5 + a 4x 4 + a 3x 3 + a 2x 2 + a 1x + a 0 f 1(x) = f 1(x α) = p(x α) m = px (pα + m) f 2(x) = f 2(x α) = a 5x 5 + (a 4 5a 5α)x 4 + (a 3 4a 4α + 10a 5α 2 )x 3 +(a 2 3a 3α + 6a 4α 2 10a 5α 3 )x 2 +(a 1 2a 2α + 3a 3α 2 4a 4α 3 + 5a 5α 4 )x +(a 0 a 1α + a 2α 2 a 3α 3 + a 4α 4 a 5α 5 ). Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 17

43 Problem Description Find α such that coefficients of translated polynomial are small. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 18

44 Problem Description Find α such that coefficients of translated polynomial are small. System of modular equations g 1 (α) = pα m = ɛ 1 mod N g 2 (α) = a 4 5a 5 α = ɛ 2 mod N g 3 (α) = a 3 4a 4 α + 10a 5 α 2 = ɛ 3 mod N g 4 (α) = a 2 3a 3 α + 6a 4 α 2 10a 5 α 3 = ɛ 4 mod N g 5 (α) = a 1 2a 2 α + 3a 3 α 2 4a 4 α 3 + 5a 5 α 4 = ɛ 5 mod N g 6 (α) = a 0 a 1 α + a 2 α 2 a 3 α 3 + a 4 α 4 a 5 α 5 = ɛ 6 mod N. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 18

45 First Approach: SVP Solve SVP! Lattice L 1 g 1 (α) g 2 (α) g 3 (α) g 4 (α) g 5 (α) g 6 (α) m a 4 a 3 a 2 a 1 a 0 1 α 1 p 5a 5 4a 4 3a 3 2a 2 a 1 α a 5 6a 4 3a 3 a 2 α a 5 4a 4 a 3 α 4 1 5a 5 a 4 α 5 1 a 5 N N N B N A N N Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 19

46 First Approach: SVP Solve SVP! Lattice L 1 g 1 (α) g 2 (α) g 3 (α) g 4 (α) g 5 (α) g 6 (α) m a 4 a 3 a 2 a 1 a 0 1 α 1 p 5a 5 4a 4 3a 3 2a 2 a 1 α a 5 6a 4 3a 3 a 2 α a 5 4a 4 a 3 α 4 1 5a 5 a 4 α 5 1 a 5 N N N B N A N N Target vector t = (1, α, α 2, α 3, α 4, α 5, ɛ 1, ɛ 2, ɛ 3, ɛ 4, ɛ 5, ɛ 6 ). Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 19

47 Results Not possible to enforce geometric progression (1, α, α 2, α 3, α 4, α 5 ) of the first components. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 20

48 Results Not possible to enforce geometric progression (1, α, α 2, α 3, α 4, α 5 ) of the first components. Target vector is not among the short vectors in this lattice. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 20

49 Results Not possible to enforce geometric progression (1, α, α 2, α 3, α 4, α 5 ) of the first components. Target vector is not among the short vectors in this lattice. Need a different approach. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 20

50 Second Approach: LLL-Property Let B = b 1,..., b n be LLL-reduced. Then the Gram-Schmidt-orthogonalized vectors b i fulfill b i 2 i 1 4 ( det(l) b max ) 1 i. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 21

51 Second Approach: LLL-Property Let B = b 1,..., b n be LLL-reduced. Then the Gram-Schmidt-orthogonalized vectors b i fulfill b i 2 i 1 4 ( det(l) b max ) 1 i. If target vector is larger than orthogonalized vector, then < b i, t >= 0 gives polynomial equation. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 21

52 Second Approach: LLL-Property Let B = b 1,..., b n be LLL-reduced. Then the Gram-Schmidt-orthogonalized vectors b i fulfill b i 2 i 1 4 ( det(l) b max ) 1 i. If target vector is larger than orthogonalized vector, then < b i, t >= 0 gives polynomial equation. System of modular equations has 7 unknowns. If we find at least 7 orthogonal vectors that are larger than target vector, then we may be able to compute a solution. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 21

53 Remarks The lattice L 1 only yields 6 polynomials. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 22

54 Remarks The lattice L 1 only yields 6 polynomials. Extending the lattice basis Use additionally powers and products of the g i. g 1 (α) g 2 (α) g 3 (α)... g1 2 0 (α) g 1g 2 (α) m a 4 a 3 m 2 a 4 m α 1 p 5a 5 4a 4 2pm a 4 p + 5a 5 m α a 5 p 2 5a 5 p α 3 1 α 4 1 α 5 1 N N N N N 1 C A We can explicitly compute upper bounds on variables, s.th. we target vector will be shorter than at least 7 orthogonalized vectors. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 22

55 Experimental results Start with translated version of Kleinjung s polynomial pair f i (x) = f KJ i (x α) Goal: Recover the inverse transformation α = α. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 23

56 Experimental results Start with translated version of Kleinjung s polynomial pair f i (x) = f KJ i (x α) Goal: Recover the inverse transformation α = α. Explicit computation of upper bound on α : α N 0.6 Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 23

57 Experimental results Start with translated version of Kleinjung s polynomial pair f i (x) = f KJ i (x α) Goal: Recover the inverse transformation α = α. Explicit computation of upper bound on α : α N 0.6 (Note: Search space of exponential size in polynomial time!) Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 23

58 Experimental results Start with translated version of Kleinjung s polynomial pair f i (x) = f KJ i (x α) Goal: Recover the inverse transformation α = α. Explicit computation of upper bound on α : α N 0.6 (Note: Search space of exponential size in polynomial time!) We get enough polynomials, but... Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 23

59 Experimental results Start with translated version of Kleinjung s polynomial pair f i (x) = f KJ i (x α) Goal: Recover the inverse transformation α = α. Explicit computation of upper bound on α : α N 0.6 (Note: Search space of exponential size in polynomial time!) We get enough polynomials, but... Problem: Obtained system of equations is still not 0-dimensional. Does not allow to efficiently recover the root. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 23

60 Summary Improving polynomial selection for the GNFS using lattice methods. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 24

61 Summary Improving polynomial selection for the GNFS using lattice methods. We are able to construct polynomials with good size property. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 24

62 Summary Improving polynomial selection for the GNFS using lattice methods. We are able to construct polynomials with good size property. New definition of norm better resembles polynomial quality. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 24

63 Summary Improving polynomial selection for the GNFS using lattice methods. We are able to construct polynomials with good size property. New definition of norm better resembles polynomial quality. It is possible to provide (fixed) roots modulo (fixed) small primes, but no selection by LLL. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 24

64 Summary Improving polynomial selection for the GNFS using lattice methods. We are able to construct polynomials with good size property. New definition of norm better resembles polynomial quality. It is possible to provide (fixed) roots modulo (fixed) small primes, but no selection by LLL. Enforcing a special Galois group, s.th. the polynomial has a good root property dramatically worsens the size property. Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 24

65 Summary Improving polynomial selection for the GNFS using lattice methods. We are able to construct polynomials with good size property. New definition of norm better resembles polynomial quality. It is possible to provide (fixed) roots modulo (fixed) small primes, but no selection by LLL. Enforcing a special Galois group, s.th. the polynomial has a good root property dramatically worsens the size property. Searching for a good root m by means of LLL did not work (yet). Mathias Herrmann, Alexander May, Maike Ritzenhofen Polynomial Selection Using Lattices 24

Similar documents

Polynomial Selection. Thorsten Kleinjung École Polytechnique Fédérale de Lausanne

Polynomial Selection. Thorsten Kleinjung École Polytechnique Fédérale de Lausanne Polynomial Selection Thorsten Kleinjung École Polytechnique Fédérale de Lausanne Contents Brief summary of polynomial selection (no root sieve) Motivation (lattice sieving, monic algebraic polynomial)

More information

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,

More information

Looking back at lattice-based cryptanalysis

Looking back at lattice-based cryptanalysis September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis

More information

Linear Algebra Massoud Malek

Linear Algebra Massoud Malek CSUEB Linear Algebra Massoud Malek Inner Product and Normed Space In all that follows, the n n identity matrix is denoted by I n, the n n zero matrix by Z n, and the zero vector by θ n An inner product

More information

Equidistributions in arithmetic geometry

Equidistributions in arithmetic geometry Equidistributions in arithmetic geometry Edgar Costa Dartmouth College 14th January 2016 Dartmouth College 1 / 29 Edgar Costa Equidistributions in arithmetic geometry Motivation: Randomness Principle Rigidity/Randomness

More information

Cryptanalysis via Lattice Techniques

Cryptanalysis via Lattice Techniques Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction

More information

1 Shortest Vector Problem

1 Shortest Vector Problem Lattices in Cryptography University of Michigan, Fall 25 Lecture 2 SVP, Gram-Schmidt, LLL Instructor: Chris Peikert Scribe: Hank Carter Shortest Vector Problem Last time we defined the minimum distance

More information

How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t

How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t Kaoru Kurosawa and Takuma Ueda Ibaraki University, Japan Abstract. Let N 1 = p 1q 1 and N 2 = p 2q 2 be two different RSA moduli. Suppose that p 1 = p 2

More information

Computational algebraic number theory tackles lattice-based cryptography

Computational algebraic number theory tackles lattice-based cryptography Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right

More information

Discrete Math, Fourteenth Problem Set (July 18)

Discrete Math, Fourteenth Problem Set (July 18) Discrete Math, Fourteenth Problem Set (July 18) REU 2003 Instructor: László Babai Scribe: Ivona Bezakova 0.1 Repeated Squaring For the primality test we need to compute a X 1 (mod X). There are two problems

More information

Dixon s Factorization method

Dixon s Factorization method Dixon s Factorization method Nikithkumarreddy yellu December 2015 1 Contents 1 Introduction 3 2 History 3 3 Method 4 3.1 Factor-base.............................. 4 3.2 B-smooth...............................

More information

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer. Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is

More information

The complexity of factoring univariate polynomials over the rationals

The complexity of factoring univariate polynomials over the rationals The complexity of factoring univariate polynomials over the rationals Mark van Hoeij Florida State University ISSAC 2013 June 26, 2013 Papers [Zassenhaus 1969]. Usually fast, but can be exp-time. [LLL

More information

Discrete Logarithm Problem

Discrete Logarithm Problem Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative

More information

Computational algebraic number theory tackles lattice-based cryptography

Computational algebraic number theory tackles lattice-based cryptography Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right

More information

Estimates for factoring 1024-bit integers. Thorsten Kleinjung, University of Bonn

Estimates for factoring 1024-bit integers. Thorsten Kleinjung, University of Bonn Estimates for factoring 1024-bit integers Thorsten Kleinjung, University of Bonn Contents GNFS Overview Polynomial selection, matrix construction, square root computation Sieving and cofactoring Strategies

More information

Finite fields: some applications Michel Waldschmidt 1

Finite fields: some applications Michel Waldschmidt 1 Ho Chi Minh University of Science HCMUS Update: 16/09/2013 Finite fields: some applications Michel Waldschmidt 1 Exercises We fix an algebraic closure F p of the prime field F p of characteristic p. When

More information

Homework 8 Solutions to Selected Problems

Homework 8 Solutions to Selected Problems Homework 8 Solutions to Selected Problems June 7, 01 1 Chapter 17, Problem Let f(x D[x] and suppose f(x is reducible in D[x]. That is, there exist polynomials g(x and h(x in D[x] such that g(x and h(x

More information

CSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio CSE 206A: Lattice Algorithms and Applications Winter 2016 The dual lattice Instructor: Daniele Micciancio UCSD CSE 1 Dual Lattice and Dual Basis Definition 1 The dual of a lattice Λ is the set ˆΛ of all

More information

Factoring univariate polynomials over the rationals

Factoring univariate polynomials over the rationals Factoring univariate polynomials over the rationals Tommy Hofmann TU Kaiserslautern November 21, 2017 Tommy Hofmann Factoring polynomials over the rationals November 21, 2017 1 / 31 Factoring univariate

More information

COMP 558 lecture 18 Nov. 15, 2010

COMP 558 lecture 18 Nov. 15, 2010 Least squares We have seen several least squares problems thus far, and we will see more in the upcoming lectures. For this reason it is good to have a more general picture of these problems and how to

More information

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.

More information

New Partial Key Exposure Attacks on RSA Revisited

New Partial Key Exposure Attacks on RSA Revisited New Partial Key Exposure Attacks on RSA Revisited M. Jason Hinek School of Computer Science, University of Waterloo Waterloo, Ontario, N2L-3G, Canada mjhinek@alumni.uwaterloo.ca March 7, 2004 Abstract

More information

Polynomial Selection for Number Field Sieve in Geometric View

Polynomial Selection for Number Field Sieve in Geometric View Polynomial Selection for Number Field Sieve in Geometric View Min Yang 1, Qingshu Meng 2, zhangyi Wang 2, Lina Wang 2, and Huanguo Zhang 2 1 International school of software, Wuhan University, Wuhan, China,

More information

A new security notion for asymmetric encryption Draft #8

A new security notion for asymmetric encryption Draft #8 A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,

More information

Generating Subfields

Generating Subfields Generating Subfields joint with Marc van Hoeij, Andrew Novocin Jürgen Klüners Universität Paderborn Number Theory Conference, Bordeaux, 14th January 2013 Jürgen Klüners (Universität Paderborn) Generating

More information

Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis

Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis IMACC 2017 December 12 14, 2017 Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis Taechan Kim and Changmin Lee NTT Secure Platform Laboratories, Japan and Seoul National University,

More information

Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption

Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption Boaz Barak May 12, 2008 The first two sections are based on Oded Regev s lecture notes, and the third one on

More information

There are two things that are particularly nice about the first basis

There are two things that are particularly nice about the first basis Orthogonality and the Gram-Schmidt Process In Chapter 4, we spent a great deal of time studying the problem of finding a basis for a vector space We know that a basis for a vector space can potentially

More information

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm) Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team École Polytechnique / LIX ECC 2015, Sept. 28th Aurore Guillevic (INRIA/LIX)

More information

Notes 10: List Decoding Reed-Solomon Codes and Concatenated codes

Notes 10: List Decoding Reed-Solomon Codes and Concatenated codes Introduction to Coding Theory CMU: Spring 010 Notes 10: List Decoding Reed-Solomon Codes and Concatenated codes April 010 Lecturer: Venkatesan Guruswami Scribe: Venkat Guruswami & Ali Kemal Sinop DRAFT

More information

Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much?

Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? Mathias Herrmann, Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr University Bochum,

More information

1: Introduction to Lattices

1: Introduction to Lattices CSE 206A: Lattice Algorithms and Applications Winter 2012 Instructor: Daniele Micciancio 1: Introduction to Lattices UCSD CSE Lattices are regular arrangements of points in Euclidean space. The simplest

More information

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm Palash Sarkar and Shashank Singh Indian Statistical Institute, Kolkata September 5, 2016

More information

Quasi-reducible Polynomials

Quasi-reducible Polynomials Quasi-reducible Polynomials Jacques Willekens 06-Dec-2008 Abstract In this article, we investigate polynomials that are irreducible over Q, but are reducible modulo any prime number. 1 Introduction Let

More information

Linear Algebra. Min Yan

Linear Algebra. Min Yan Linear Algebra Min Yan January 2, 2018 2 Contents 1 Vector Space 7 1.1 Definition................................. 7 1.1.1 Axioms of Vector Space..................... 7 1.1.2 Consequence of Axiom......................

More information

Algorithms for ray class groups and Hilbert class fields

Algorithms for ray class groups and Hilbert class fields (Quantum) Algorithms for ray class groups and Hilbert class fields Sean Hallgren joint with Kirsten Eisentraeger Penn State 1 Quantum Algorithms Quantum algorithms for number theoretic problems: Factoring

More information

Math 299 Supplement: Modular Arithmetic Nov 8, 2013

Math 299 Supplement: Modular Arithmetic Nov 8, 2013 Math 299 Supplement: Modular Arithmetic Nov 8, 2013 Numbers modulo n. We have previously seen examples of clock arithmetic, an algebraic system with only finitely many numbers. In this lecture, we make

More information

Computing L-series of geometrically hyperelliptic curves of genus three. David Harvey, Maike Massierer, Andrew V. Sutherland

Computing L-series of geometrically hyperelliptic curves of genus three. David Harvey, Maike Massierer, Andrew V. Sutherland Computing L-series of geometrically hyperelliptic curves of genus three David Harvey, Maike Massierer, Andrew V. Sutherland The zeta function Let C/Q be a smooth projective curve of genus 3 p be a prime

More information

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary

More information

Construction of latin squares of prime order

Construction of latin squares of prime order Construction of latin squares of prime order Theorem. If p is prime, then there exist p 1 MOLS of order p. Construction: The elements in the latin square will be the elements of Z p, the integers modulo

More information

GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2)

GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2) GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2) KEITH CONRAD We will describe a procedure for figuring out the Galois groups of separable irreducible polynomials in degrees 3 and 4 over

More information

The Shortest Vector Problem (Lattice Reduction Algorithms)

The Shortest Vector Problem (Lattice Reduction Algorithms) The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm

More information

Mersenne factorization factory

Mersenne factorization factory Mersenne factorization factory Thorsten Kleinjung Arjen K. Lenstra & Joppe W. Bos* École Polytechnique Fédérale de Lausanne laboratory for cryptologic algorithms Microsoft Research presented by: Rob Granger

More information

COS 598D - Lattices. scribe: Srdjan Krstic

COS 598D - Lattices. scribe: Srdjan Krstic COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific

More information

LINEAR ALGEBRA 1, 2012-I PARTIAL EXAM 3 SOLUTIONS TO PRACTICE PROBLEMS

LINEAR ALGEBRA 1, 2012-I PARTIAL EXAM 3 SOLUTIONS TO PRACTICE PROBLEMS LINEAR ALGEBRA, -I PARTIAL EXAM SOLUTIONS TO PRACTICE PROBLEMS Problem (a) For each of the two matrices below, (i) determine whether it is diagonalizable, (ii) determine whether it is orthogonally diagonalizable,

More information

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Integer factorization, part 1: the Q sieve. D. J. Bernstein Integer factorization, part 1: the Q sieve D. J. Bernstein Sieving small integers 0 using primes 3 5 7: 1 3 3 4 5 5 6 3 7 7 8 9 3 3 10 5 11 1 3 13 14 7 15 3 5 16 17 18 3 3 19 0 5 etc. Sieving and 611 +

More information

Lecture 5: CVP and Babai s Algorithm

Lecture 5: CVP and Babai s Algorithm NYU, Fall 2016 Lattices Mini Course Lecture 5: CVP and Babai s Algorithm Lecturer: Noah Stephens-Davidowitz 51 The Closest Vector Problem 511 Inhomogeneous linear equations Recall that, in our first lecture,

More information

Lattice Basis Reduction and the LLL Algorithm

Lattice Basis Reduction and the LLL Algorithm Lattice Basis Reduction and the LLL Algorithm Curtis Bright May 21, 2009 1 2 Point Lattices A point lattice is a discrete additive subgroup of R n. A basis for a lattice L R n is a set of linearly independent

More information

Numerical verification of BSD

Numerical verification of BSD Numerical verification of BSD for hyperelliptics of genus 2 & 3, and beyond... Raymond van Bommel (Universiteit Leiden) PhD project under supervision of: David Holmes (Leiden) Fabien Pazuki (Bordeaux/Copenhagen)

More information

Frobenius Distributions

Frobenius Distributions Frobenius Distributions Edgar Costa (MIT) September 11th, 2018 Massachusetts Institute of Technology Slides available at edgarcosta.org under Research Polynomials Write f p (x) := f(x) mod p f(x) = a n

More information

Field Theory Qual Review

Field Theory Qual Review Field Theory Qual Review Robert Won Prof. Rogalski 1 (Some) qual problems ˆ (Fall 2007, 5) Let F be a field of characteristic p and f F [x] a polynomial f(x) = i f ix i. Give necessary and sufficient conditions

More information

Finite Fields. [Parts from Chapter 16. Also applications of FTGT]

Finite Fields. [Parts from Chapter 16. Also applications of FTGT] Finite Fields [Parts from Chapter 16. Also applications of FTGT] Lemma [Ch 16, 4.6] Assume F is a finite field. Then the multiplicative group F := F \ {0} is cyclic. Proof Recall from basic group theory

More information

Non-generic attacks on elliptic curve DLPs

Non-generic attacks on elliptic curve DLPs Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith

More information

CSE 206A: Lattice Algorithms and Applications Spring Minkowski s theorem. Instructor: Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Spring Minkowski s theorem. Instructor: Daniele Micciancio CSE 206A: Lattice Algorithms and Applications Spring 2014 Minkowski s theorem Instructor: Daniele Micciancio UCSD CSE There are many important quantities associated to a lattice. Some of them, like the

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 2: Mathematical Concepts Divisibility Congruence Quadratic Residues

More information

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France

More information

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n). 18.310 lecture notes April 22, 2015 Factoring Lecturer: Michel Goemans We ve seen that it s possible to efficiently check whether an integer n is prime or not. What about factoring a number? If this could

More information

Inner product spaces. Layers of structure:

Inner product spaces. Layers of structure: Inner product spaces Layers of structure: vector space normed linear space inner product space The abstract definition of an inner product, which we will see very shortly, is simple (and by itself is pretty

More information

Course Notes: Week 1

Course Notes: Week 1 Course Notes: Week 1 Math 270C: Applied Numerical Linear Algebra 1 Lecture 1: Introduction (3/28/11) We will focus on iterative methods for solving linear systems of equations (and some discussion of eigenvalues

More information

EXAMPLES OF PROOFS BY INDUCTION

EXAMPLES OF PROOFS BY INDUCTION EXAMPLES OF PROOFS BY INDUCTION KEITH CONRAD 1. Introduction In this handout we illustrate proofs by induction from several areas of mathematics: linear algebra, polynomial algebra, and calculus. Becoming

More information

The number field sieve in the medium prime case

The number field sieve in the medium prime case The number field sieve in the medium prime case Frederik Vercauteren ESAT/COSIC - K.U. Leuven Joint work with Antoine Joux, Reynald Lercier, Nigel Smart Finite Field DLOG Basis finite field is F p = {0,...,

More information

ELEMENTARY LINEAR ALGEBRA

ELEMENTARY LINEAR ALGEBRA ELEMENTARY LINEAR ALGEBRA K R MATTHEWS DEPARTMENT OF MATHEMATICS UNIVERSITY OF QUEENSLAND First Printing, 99 Chapter LINEAR EQUATIONS Introduction to linear equations A linear equation in n unknowns x,

More information

FINITE GROUP THEORY: SOLUTIONS FALL MORNING 5. Stab G (l) =.

FINITE GROUP THEORY: SOLUTIONS FALL MORNING 5. Stab G (l) =. FINITE GROUP THEORY: SOLUTIONS TONY FENG These are hints/solutions/commentary on the problems. They are not a model for what to actually write on the quals. 1. 2010 FALL MORNING 5 (i) Note that G acts

More information

Solutions to odd-numbered exercises Peter J. Cameron, Introduction to Algebra, Chapter 2

Solutions to odd-numbered exercises Peter J. Cameron, Introduction to Algebra, Chapter 2 Solutions to odd-numbered exercises Peter J Cameron, Introduction to Algebra, Chapter 1 The answers are a No; b No; c Yes; d Yes; e No; f Yes; g Yes; h No; i Yes; j No a No: The inverse law for addition

More information

LINEAR ALGEBRA W W L CHEN

LINEAR ALGEBRA W W L CHEN LINEAR ALGEBRA W W L CHEN c W W L Chen, 1997, 2008. This chapter is available free to all individuals, on the understanding that it is not to be used for financial gain, and may be downloaded and/or photocopied,

More information

A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:

A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties: Byte multiplication 1 Field arithmetic A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties: F is an abelian group under addition, meaning - F is closed under

More information

A new security notion for asymmetric encryption Draft #12

A new security notion for asymmetric encryption Draft #12 A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,

More information

Solving All Lattice Problems in Deterministic Single Exponential Time

Solving All Lattice Problems in Deterministic Single Exponential Time Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory

More information

Research Problems in Arithmetic Combinatorics

Research Problems in Arithmetic Combinatorics Research Problems in Arithmetic Combinatorics Ernie Croot July 13, 2006 1. (related to a quesiton of J. Bourgain) Classify all polynomials f(x, y) Z[x, y] which have the following property: There exists

More information

CDM. Finite Fields. Klaus Sutner Carnegie Mellon University. Fall 2018

CDM. Finite Fields. Klaus Sutner Carnegie Mellon University. Fall 2018 CDM Finite Fields Klaus Sutner Carnegie Mellon University Fall 2018 1 Ideals The Structure theorem Where Are We? 3 We know that every finite field carries two apparently separate structures: additive and

More information

A Course in Computational Algebraic Number Theory

A Course in Computational Algebraic Number Theory Henri Cohen 2008 AGI-Information Management Consultants May be used for personal purporses only or by libraries associated to dandelon.com network. A Course in Computational Algebraic Number Theory Springer

More information

Irreducible Polynomials over Finite Fields

Irreducible Polynomials over Finite Fields Chapter 4 Irreducible Polynomials over Finite Fields 4.1 Construction of Finite Fields As we will see, modular arithmetic aids in testing the irreducibility of polynomials and even in completely factoring

More information

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem Curtis Bright December 9, 011 Abstract In Quantum Computation and Lattice Problems [11] Oded Regev presented the first known connection

More information

17 Galois Fields Introduction Primitive Elements Roots of Polynomials... 8

17 Galois Fields Introduction Primitive Elements Roots of Polynomials... 8 Contents 17 Galois Fields 2 17.1 Introduction............................... 2 17.2 Irreducible Polynomials, Construction of GF(q m )... 3 17.3 Primitive Elements... 6 17.4 Roots of Polynomials..........................

More information

Short multipliers for the extended gcd problem

Short multipliers for the extended gcd problem Short multipliers for the extended gcd problem Keith Matthews Abstract For given non zero integers s 1,, s m, the problem of finding integers a 1,, a m satisfying s = gcd (s 1,, s m ) = a 1 s 1 + + a m

More information

Lecture 22. r i+1 = b Ax i+1 = b A(x i + α i r i ) =(b Ax i ) α i Ar i = r i α i Ar i

Lecture 22. r i+1 = b Ax i+1 = b A(x i + α i r i ) =(b Ax i ) α i Ar i = r i α i Ar i 8.409 An Algorithmist s oolkit December, 009 Lecturer: Jonathan Kelner Lecture Last time Last time, we reduced solving sparse systems of linear equations Ax = b where A is symmetric and positive definite

More information

6.S897 Algebra and Computation February 27, Lecture 6

6.S897 Algebra and Computation February 27, Lecture 6 6.S897 Algebra and Computation February 7, 01 Lecture 6 Lecturer: Madhu Sudan Scribe: Mohmammad Bavarian 1 Overview Last lecture we saw how to use FFT to multiply f, g R[x] in nearly linear time. We also

More information

Hard Instances of Lattice Problems

Hard Instances of Lattice Problems Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas

More information

PreCalculus Notes. MAT 129 Chapter 5: Polynomial and Rational Functions. David J. Gisch. Department of Mathematics Des Moines Area Community College

PreCalculus Notes. MAT 129 Chapter 5: Polynomial and Rational Functions. David J. Gisch. Department of Mathematics Des Moines Area Community College PreCalculus Notes MAT 129 Chapter 5: Polynomial and Rational Functions David J. Gisch Department of Mathematics Des Moines Area Community College September 2, 2011 1 Chapter 5 Section 5.1: Polynomial Functions

More information

From the shortest vector problem to the dihedral hidden subgroup problem

From the shortest vector problem to the dihedral hidden subgroup problem From the shortest vector problem to the dihedral hidden subgroup problem Curtis Bright University of Waterloo December 8, 2011 1 / 19 Reduction Roughly, problem A reduces to problem B means there is a

More information

In Z: x + 3 = 2 3x = 2 x = 1 No solution In Q: 3x = 2 x 2 = 2. x = 2 No solution. In R: x 2 = 2 x = 0 x = ± 2 No solution Z Q.

In Z: x + 3 = 2 3x = 2 x = 1 No solution In Q: 3x = 2 x 2 = 2. x = 2 No solution. In R: x 2 = 2 x = 0 x = ± 2 No solution Z Q. THE UNIVERSITY OF NEW SOUTH WALES SCHOOL OF MATHEMATICS AND STATISTICS MATH 1141 HIGHER MATHEMATICS 1A ALGEBRA. Section 1: - Complex Numbers. 1. The Number Systems. Let us begin by trying to solve various

More information

1 Fields and vector spaces

1 Fields and vector spaces 1 Fields and vector spaces In this section we revise some algebraic preliminaries and establish notation. 1.1 Division rings and fields A division ring, or skew field, is a structure F with two binary

More information

Diagonalizing Matrices

Diagonalizing Matrices Diagonalizing Matrices Massoud Malek A A Let A = A k be an n n non-singular matrix and let B = A = [B, B,, B k,, B n ] Then A n A B = A A 0 0 A k [B, B,, B k,, B n ] = 0 0 = I n 0 A n Notice that A i B

More information

a 11 x 1 + a 12 x a 1n x n = b 1 a 21 x 1 + a 22 x a 2n x n = b 2.

a 11 x 1 + a 12 x a 1n x n = b 1 a 21 x 1 + a 22 x a 2n x n = b 2. Chapter 1 LINEAR EQUATIONS 11 Introduction to linear equations A linear equation in n unknowns x 1, x,, x n is an equation of the form a 1 x 1 + a x + + a n x n = b, where a 1, a,, a n, b are given real

More information

Lecture Examples of problems which have randomized algorithms

Lecture Examples of problems which have randomized algorithms 6.841 Advanced Complexity Theory March 9, 2009 Lecture 10 Lecturer: Madhu Sudan Scribe: Asilata Bapat Meeting to talk about final projects on Wednesday, 11 March 2009, from 5pm to 7pm. Location: TBA. Includes

More information

Block Wiedemann likes Schirokauer maps

Block Wiedemann likes Schirokauer maps Block Wiedemann likes Schirokauer maps E. Thomé INRIA/CARAMEL, Nancy. /* EPI CARAMEL */ C,A, /* Cryptologie, Arithmétique : */ R,a, /* Matériel et Logiciel */ M,E, L,i= 5,e, d[5],q[999 ]={0};main(N ){for

More information

Roots of Unity, Cyclotomic Polynomials and Applications

Roots of Unity, Cyclotomic Polynomials and Applications Swiss Mathematical Olympiad smo osm Roots of Unity, Cyclotomic Polynomials and Applications The task to be done here is to give an introduction to the topics in the title. This paper is neither complete

More information

Discrete logarithms: Recent progress (and open problems)

Discrete logarithms: Recent progress (and open problems) Discrete logarithms: Recent progress (and open problems) CryptoExperts Chaire de Cryptologie de la Fondation de l UPMC LIP6 February 25 th, 2014 Discrete logarithms Given a multiplicative group G with

More information

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC) 6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC) 6.0 Introduction Elliptic curve cryptography (ECC) is the application of elliptic curve in the field of cryptography.basically a form of PKC which applies over the

More information

Quadratic reciprocity (after Weil) 1. Standard set-up and Poisson summation

Quadratic reciprocity (after Weil) 1. Standard set-up and Poisson summation (December 19, 010 Quadratic reciprocity (after Weil Paul Garrett garrett@math.umn.edu http://www.math.umn.edu/ garrett/ I show that over global fields k (characteristic not the quadratic norm residue symbol

More information

DS-GA 1002 Lecture notes 0 Fall Linear Algebra. These notes provide a review of basic concepts in linear algebra.

DS-GA 1002 Lecture notes 0 Fall Linear Algebra. These notes provide a review of basic concepts in linear algebra. DS-GA 1002 Lecture notes 0 Fall 2016 Linear Algebra These notes provide a review of basic concepts in linear algebra. 1 Vector spaces You are no doubt familiar with vectors in R 2 or R 3, i.e. [ ] 1.1

More information

Fast, twist-secure elliptic curve cryptography from Q-curves

Fast, twist-secure elliptic curve cryptography from Q-curves Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,

More information

Selected exercises from Abstract Algebra by Dummit and Foote (3rd edition).

Selected exercises from Abstract Algebra by Dummit and Foote (3rd edition). Selected exercises from Abstract Algebra by Dummit and Foote (3rd edition). Bryan Félix Abril 12, 2017 Section 14.2 Exercise 3. Determine the Galois group of (x 2 2)(x 2 3)(x 2 5). Determine all the subfields

More information

Physics 202 Laboratory 5. Linear Algebra 1. Laboratory 5. Physics 202 Laboratory

Physics 202 Laboratory 5. Linear Algebra 1. Laboratory 5. Physics 202 Laboratory Physics 202 Laboratory 5 Linear Algebra Laboratory 5 Physics 202 Laboratory We close our whirlwind tour of numerical methods by advertising some elements of (numerical) linear algebra. There are three

More information

Chapter 4. Vector Space Examples. 4.1 Diffusion Welding and Heat States

Chapter 4. Vector Space Examples. 4.1 Diffusion Welding and Heat States Chapter 4 Vector Space Examples 4.1 Diffusion Welding and Heat States In this section, we begin a deeper look into the mathematics for diffusion welding application discussed in Chapter 1. Recall that

More information

On the classication of algebras

On the classication of algebras Technische Universität Carolo-Wilhelmina Braunschweig Institut Computational Mathematics On the classication of algebras Morten Wesche September 19, 2016 Introduction Higman (1950) published the papers

More information

QUALIFYING EXAMINATION Harvard University Department of Mathematics Tuesday, February 25, 1997 (Day 1)

QUALIFYING EXAMINATION Harvard University Department of Mathematics Tuesday, February 25, 1997 (Day 1) QUALIFYING EXAMINATION Harvard University Department of Mathematics Tuesday, February 25, 1997 (Day 1) 1. Factor the polynomial x 3 x + 1 and find the Galois group of its splitting field if the ground

More information

INNER PRODUCT SPACE. Definition 1

INNER PRODUCT SPACE. Definition 1 INNER PRODUCT SPACE Definition 1 Suppose u, v and w are all vectors in vector space V and c is any scalar. An inner product space on the vectors space V is a function that associates with each pair of

More information

Math 121 Homework 6 Solutions

Math 121 Homework 6 Solutions Math 11 Homework 6 Solutions Problem 14. # 17. Let K/F be any finite extension and let α K. Let L be a Galois extension of F containing K and let H Gal(L/F ) be the subgroup corresponding to K. Define

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback