Felix Fontein scite author profile

2011

Math. Comp.

Abstract. In this paper, we show a general way to interpret the infrastructure of a global field of arbitrary unit rank. This interpretation generalizes the prior concepts of the giant-step operation and f -representations, and makes it possible to relate the infrastructure to the (Arakelov) divisor class group of the global field. In the case of global function fields, we present results that establish that effective implementation of the presented methods is indeed possible, and we show how Shanks' baby-step giant-step method can be generalized to this situation.

Groups from cyclic infrastructures and Pohlig-Hellman in certain infrastructures

2008

In discrete logarithm based cryptography, a method by Pohlig and Hellman allows solving the discrete logarithm problem efficiently if the group order is known and has no large prime factors. The consequence is that such groups are avoided. In the past, there have been proposals for cryptography based on cyclic infrastructures. We will show that the Pohlig-Hellman method can be adapted to certain cyclic infrastructures, which similarly implies that certain infrastructures should not be used for cryptography. This generalizes a result by Müller, Vanstone and Zuccherato for infrastructures obtained from hyperelliptic function fields.We recall the Pohlig-Hellman method, define the concept of a cyclic infrastructure and briefly describe how to obtain such infrastructures from certain function fields of unit rank one. Then, we describe how to obtain cyclic groups from discrete cyclic infrastructures and how to apply the Pohlig-Hellman method to compute absolute distances, which is in general a computationally hard problem for cyclic infrastructures. Moreover, we give an algorithm which allows to test whether an infrastructure satisfies certain requirements needed for applying the Pohlig-Hellman method, and discuss whether the Pohlig-Hellman method is applicable in infrastructures obtained from number fields. Finally, we discuss how this influences cryptography based on cyclic infrastructures. Definition 2.1. Let R ∈ R >0 be a positive real number. A cyclic infrastructure (X, d) of circumference R is a non-empty finite set X with an injective map d : X → R/RZ, called the distance function.Definition 2.2. We say that a cyclic infrastructure (X, d) of circumference R is discrete if R ∈ Z and d(X) ⊆ Z/RZ.One can interpret finite cyclic groups as discrete cyclic infrastructures as follows: Let G = g be a finite cyclic group of order m and d : G → Z/mZ be the discrete logarithm map 1 (to the base g), i.e. we have g d(h) = h for every h ∈ g . By 1 The discrete logarithm of an element h ∈ g is sometimes, in particular in Elementary Number Theory, also called the index of h with respect to g.

PotLLL: a polynomial time version of LLL with deep insertions

Schneider

Wagner

2014

Des. Codes Cryptogr.

Lattice reduction algorithms have numerous applications in number theory, algebra, as well as in cryptanalysis. The most famous algorithm for lattice reduction is the LLL algorithm. In polynomial time it computes a reduced basis with provable output quality. One early improvement of the LLL algorithm was LLL with deep insertions (DeepLLL). The output of this version of LLL has higher quality in practice but the running time seems to explode. Weaker variants of DeepLLL, where the insertions are restricted to blocks, behave nicely in practice concerning the running time. However no proof of polynomial running time is known. In this paper PotLLL, a new variant of DeepLLL with provably polynomial running time, is presented. We compare the practical behavior of the new algorithm to classical LLL, BKZ as well as blockwise variants of DeepLLL regarding both the output quality and running time.

On the probability of generating a lattice

Journal of Symbolic Computation

Wocjan

2014

We study the problem of determining the probability that m vectors selected uniformly at random from the intersection of the full-rank lattice Λ in R n and the window [0, B) n generate Λ when B is chosen to be appropriately large. This problem plays an important role in the analysis of the success probability of quantum algorithms for solving the Discrete Logarithm Problem in infrastructures obtained from number fields and also for computing fundamental units of number fields.We provide the first complete and rigorous proof that 2n + 1 vectors suffice to generate Λ with constant probability (provided that B is chosen to be sufficiently large in terms of n and the covering radius of Λ and the last n + 1 vectors are sampled from a slightly larger window). Based on extensive computer simulations, we conjecture that only n+1 vectors sampled from one window suffice to generate Λ with constant success probability. If this conjecture is true, then a significantly better success probability of the above quantum algorithms can be guaranteed.