Polynomial arithmetic and applications in number theory

Similar documents
Old and new algorithms for computing Bernoulli numbers

Computing L-series coefficients of hyperelliptic curves

Smoothness Testing of Polynomials over Finite Fields

Counting points on hyperelliptic curves

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Math Topics in Algebra Course Notes: A Proof of Fermat s Last Theorem. Spring 2013

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Counting points on smooth plane quartics

8 Elliptic Curve Cryptography

The Sato-Tate conjecture for abelian varieties

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Fixed points for discrete logarithms

Problème du logarithme discret sur courbes elliptiques

Lecture 1: Introduction to Public key cryptography

Fermat s Last Theorem for Regular Primes

Algebra II. A2.1.1 Recognize and graph various types of functions, including polynomial, rational, and algebraic functions.

Lecture 6: Cryptanalysis of public-key algorithms.,

Non-generic attacks on elliptic curve DLPs

Fast Cryptography in Genus 2

Toward High Performance Matrix Multiplication for Exact Computation

C.T.Chong National University of Singapore

Counting points on genus 2 curves over finite

Irregular Primes and Cyclotomic Invariants to 12 Million

Short generators without quantum computers: the case of multiquadratics

IDEAL CLASSES AND THE KRONECKER BOUND

Real Analysis Prelim Questions Day 1 August 27, 2013

14 Diffie-Hellman Key Agreement

3.4. ZEROS OF POLYNOMIAL FUNCTIONS

The Elliptic Curve in https

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Probabilistic Aspects of the Integer-Polynomial Analogy

Explicit Methods in Algebraic Number Theory

Parallel Integer Polynomial Multiplication Changbo Chen, Svyatoslav Parallel Integer Covanov, Polynomial FarnamMultiplication

CPSC 518 Introduction to Computer Algebra Schönhage and Strassen s Algorithm for Integer Multiplication

Hyperelliptic curves

6.080/6.089 GITCS Apr 15, Lecture 17

part 2: detecting smoothness part 3: the number-field sieve

Galois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a.

No.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such

Presentation of Normal Bases

Endomorphism algebras of semistable abelian varieties over Q of GL(2)-type

Mechanizing Elliptic Curve Associativity

NOVEMBER 22, 2006 K 2

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Algebraic number theory Revision exercises

Cryptography IV: Asymmetric Ciphers

Discrete Logarithm Problem

Counting in number theory. Fibonacci integers. Carl Pomerance, Dartmouth College. Rademacher Lecture 3, University of Pennsylvania September, 2010

Galois Theory TCU Graduate Student Seminar George Gilbert October 2015

1. a) Let ω = e 2πi/p with p an odd prime. Use that disc(ω p ) = ( 1) p 1

Faster arithmetic for number-theoretic transforms

Basic Algorithms in Number Theory

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

On the complexity of computing discrete logarithms in the field F

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic

SIEVE METHODS FOR VARIETIES OVER FINITE FIELDS AND ARITHMETIC SCHEMES

Postmodern Primality Proving

Implementation of the DKSS Algorithm for Multiplication of Large Numbers

The Berlekamp algorithm

14 Ordinary and supersingular elliptic curves

Polynomials over finite fields. Algorithms and Randomness

GENERATION OF RANDOM PICARD CURVES FOR CRYPTOGRAPHY. 1. Introduction

Isogeny graphs, modular polynomials, and point counting for higher genus curves

D-MATH Algebra II FS18 Prof. Marc Burger. Solution 26. Cyclotomic extensions.

Counting points on curves: the general case

P -adic root separation for quadratic and cubic polynomials

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Finite Fields: An introduction through exercises Jonathan Buss Spring 2014

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Lecture Notes, Week 6

Computing Generator in Cyclotomic Integer Rings

Arithmétique et Cryptographie Asymétrique

this to include the explicit maps, please do so!

A Note on Cyclotomic Integers

Thanks to: University of Illinois at Chicago NSF CCR Alfred P. Sloan Foundation

Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 )

Congruent Number Problem and Elliptic curves

Theoretical Cryptography, Lecture 13

Park Forest Math Team. Meet #3. Algebra. Self-study Packet

On inverting the VMPC one-way function

Point counting and real multiplication on K3 surfaces

Computing Bernoulli numbers

Definition For a set F, a polynomial over F with variable x is of the form

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

A Course in Computational Algebraic Number Theory

Class groups and Galois representations

Chapter 4 Mathematics of Cryptography

Private Key Cryptography. Fermat s Little Theorem. One Time Pads. Public Key Cryptography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Algorithmic Factorization of Polynomials over Number Fields

Lecture 10 - MAC s continued, hash & MAC

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

9 Knapsack Cryptography

Class numbers of algebraic function fields, or Jacobians of curves over finite fields

Distributed computation of the number. of points on an elliptic curve

FERMAT S LAST THEOREM FOR REGULAR PRIMES KEITH CONRAD

Primality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

18.785: Analytic Number Theory, MIT, spring 2006 (K.S. Kedlaya) Dirichlet series and arithmetic functions

Transcription:

Polynomial arithmetic and applications in number theory September 26, 2008

What is my research about? Computational number theory. Most of the time, I use big computers to multiply and divide big polynomials over coefficient rings that applied mathematicians usually don t care about to study problems of interest to number theorists.

Topics in polynomial arithmetic Algorithms for arithmetic in (Z/nZ)[x], where say n < 2 64 and 1 degree 10 9 Large-integer arithmetic (GMP library) Variants of Kronecker substitution Variants of FFT methods (Schönhage Nussbaumer convolution, number-theoretic transforms, floating-point FFTs) Smooth performance with respect to degree Cache-friendly algorithms

Two applications Counting points on hyperelliptic curves over finite fields (half my Ph.D. thesis) Verification of the Kummer Vandiver conjecture (joint work with Joe Buhler, Center for Communications Research, San Diego)

Hyperelliptic curves over finite fields A hyperelliptic curve C of genus g over GF(p n ) is an equation y 2 = f (x) where f GF(p n )[x] is monic, squarefree, degree 2g + 1. Basic problem: given f, compute the zeta function of C. (Equivalently: count the number of solutions (x, y) to y 2 = f (x) in GF(p nk ) for k = 1,..., g.)

Cryptographic applications From the zeta function one can deduce the number of points N p ng on the Jacobian of C over GF(p n ). If we get lucky, N is prime, and then the curve can be used to construct a secure public-key cryptosystem (e.g. Diffie Hellman key exchange in the Jacobian, where the discrete logarithm problem is presumably hard). A common benchmark for cryptographic size is N = 2 160.

Various algorithms Many counting algorithms, too numerous to list. Here are a few: Naive counting: exponential in log p, g, n Schoof Pila (1992): polynomial in log p, n, exponential in g Kedlaya (2001): soft-linear in p, polynomial in n, g My thesis (2008): soft-linear in p, polynomial in n, g All (but the first) depend heavily on asymptotically fast polynomial arithmetic.

A big example Record genus 3 example computed with p algorithm: y 2 = x 7 + 29723259490794204x 6 +13669080989682802x 5 +31024378462415735x 4 + 12535160111191415x 3 +23344313901215683x 2 +3192716983602209x+16088167167540442 over GF(p) where p = 2 55 55 = 36028797018963913. Order of Jacobian is N = 46768052141791550072336765593390889080855547973784 2 165. Took 48.3 hours, used 90 GB RAM. Unfortunately N is not prime :-(

The Kummer Vandiver conjecture Major open problem in algebraic number theory, proposed in 1849 by Kummer (and later by Vandiver). The claim is: For all primes p, the class number of the maximal real subfield of the p-th cyclotomic field is not divisible by p.

Lightning course in algebraic number theory Remember unique factorisation in Q? 30 = 2 3 5 = 5 2 3 = ( 3) ( 2) 5. Unique factorisation is broken in some algebraic number rings: 6 = 2 3 = (1 + 5) (1 5). The elements 2, 3, 1 ± 5 are all irreducible (but not prime ) integers in Q( 5).

The class number The class number h(r) measures how badly unique factorisation is broken in R: h(q) = 1: not broken at all h(q( 5)) = 2: somewhat broken h(q( 163)) = 1: not broken at all h(q( 4 74)) = 100: more badly broken (Technically, h(r) = number of equivalence classes of ideals in R under I J if αi = βj for some α, β R.)

Cyclotomic fields The p-th cyclotomic field is Q(ζ p ) where ζ p = e 2πi/p. The maximal real subfield of the p-th cyclotomic field is Q(ζ p ) + = Q(ζ p ) R = Q(ζ p + ζp 1 ), about half the size of Q(ζ p ) (algebraically speaking). Kummer Vandiver says that p never divides h(q(ζ p ) + ).

Testing Kummer Vandiver Extremely difficult to compute h(q(ζ p ) + ). Value is not definitively known beyond p = 67 (Schoof, 2003). Can t compute h(q(ζ p ) + ) directly, but can indirectly test divisibility by p. For each p, it comes down to multiplying together two certain polynomials of degree p/2 with coefficients in Z/pZ, and checking which coefficients of the product are zero.

The computation Previous record: all 788,060 primes less than 16,000,000 (Buhler et al, 2001). Current project: aiming for all 7,603,553 primes less than 2 27 = 134,217,728. Running on two supercomputers at the Texas Advanced Computing Center (TACC) at the University of Texas: Lonestar: 1460 4-core Intel Xeon = 5,840 cores Ranger: 3936 16-core AMD Opteron = 62,976 cores (world s 4th largest computer as of June 2008) Total CPU time: 220,000 hours (half of it already burned up). We ve done up to about p = 88 million so far.

Is Kummer Vandiver true? No counterexamples found so far, but many number theorists expect that Kummer Vandiver is false! Why?? Are number theorists always so peverse???

Heuristics A probabilistic argument implies that the number of counterexamples up to X is about 1 2 log log X. Up to 16,000,000, expect only about 1.40 counterexamples. Up to 134,217,728, expect only about 1.46 counterexamples. If you believe the heuristics, we have about a 4% chance of success this time around. If you believe the heuristics and Moore s Law, perhaps one counterexample per 200 years.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback