Download Advances in Cryptology — EUROCRYPT 2000: International by Stefania Cavallar, Bruce Dodson, Arjen K. Lenstra, Walter PDF

By Stefania Cavallar, Bruce Dodson, Arjen K. Lenstra, Walter Lioen, Peter L. Montgomery (auth.), Bart Preneel (eds.)

This ebook constitutes the refereed court cases of the overseas convention at the concept and alertness of Cryptographic recommendations, EUROCRYPT 2000, held in Bruges, Belgium, in could 2000. The 39 revised complete papers provided have been conscientiously chosen from a complete of one hundred fifty submissions in the course of a hugely aggressive reviewing technique. The e-book is split in topical sections of factoring and discrete logarithm, electronic signatures, inner most info retrieval, key administration protocols, threshold cryptography, public-key encryption, quantum cryptography, multi-party computation and knowledge concept, zero-knowledge, symmetric cryptography, Boolean capabilities and undefined, vote casting schemes, and move ciphers and block ciphers.

For the general case where the Jacobian is not cyclic and where we work in a subgroup of prime order n, we have to work a little to justify the computations, but in practice we do essentially the same. 5 Implementation and Results We have implemented the algorithm in two distinct parts. The first one deals with the building of the matrix and is written in the computer algebra system Magma [2], which is a very good compromise between high level programming and efficiency. The second part is our optimized implementation of the Lanczos algorithm written in C.

If the number of rows is greater than the number of columns plus one, delete one row (randomly chosen, or via an heuristic method). An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves 29 – Try the beginning of a Gaussian elimination, where the pivot is chosen as to minimize the augmentation of the weight of the matrix, and stopping when it increases the cost of Lanczos’s algorithm. For the examples below, we have run only the first three tasks, our implementation of the last one being unsatisfactory.

3]) that a particular line (e-value) is not hit (in the d-interval) by the majority of pairs (p, r). , it is too expensive to visit all A/(s∗q)1/2 e-values for all (p, r) ∈ P1 ∪P2 . Instead, per (p, r) only O(A2 /(s ∗ q ∗ p)) steps may be performed for the sieving over Vq . In [2] this problem is adequately solved by lattice sieving for each (p, r) pair, as proposed by Pollard (cf. his second article in [3]). Although the TWINKLE device may appear to solve the problem by processing all (p, r) pairs simultaneously for each sieve location, per line the initial B registers still have to be loaded for each (p, r) pair, which is obviously too expensive.

