Prime Numbers


thales.doa.fmph.uniba.sk
10.12.2012

5.7 Exercises 253

of each of these terms, index directly into the table to discover a collision. For the example $t = 31$, this leads immediately to the DL solution

$$7^{723739097} \equiv 31 \pmod{2^{31} - 1}.$$

This exercise is a good start for working out a general DL solver, which takes arbitrary input of $p, g, l, t$, then selects optimal parameters such as $\beta$. Incidentally, hash-table approaches such as this one have the interesting feature that the storage is essentially that of one list, not two lists. Moreover, if the hash-table indexing is thought of as one fundamental operation, the algorithm has operation complexity $O(p^{1/2})$; i.e., the $\ln p$ factor is removed. Note also one other convenience, which is that the hash table, once constructed, can be reused for another DL calculation (as long as $g$ remains fixed).

5.7. [E. Teske] Let $g$ be a generator of the finite cyclic group $G$, and let $h \in G$. Suppose $\#G = 2^m \cdot n$ with $m \ge 0$ and $n$ odd. Consider the following walk:

$$h_0 = g * h, \qquad h_{k+1} = h_k^2.$$

The terms $h_k$ are computed until $h_k = h_j$ for some j
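The hash-table collision search described at the top of this page (before exercise 5.7), as an added example that is not from the book: a baby-step giant-step solver that stores only the one list of powers $g^j$ and reuses that table for several targets $t$. It runs on the page's instance ($p = 2^{31} - 1$, $g = 7$, $t = 31$); the class and function names and the two extra targets are assumptions of this example, and the book's own parameters ($\beta$, $l$) are not reproduced.

```python
# Added example (not from the book): baby-step giant-step discrete log
# with one hash table, reused for several targets while g stays fixed.
from math import isqrt

P = 2**31 - 1   # modulus of the page's example
G = 7           # base of the page's example


class DLTable:
    """Hash table of baby steps g^j mod p; names here are hypothetical."""

    def __init__(self, p, g, order=None):
        self.p = p
        self.order = p - 1 if order is None else order
        self.m = isqrt(self.order - 1) + 1       # ceil(sqrt(order))
        self.baby = {}                           # the single stored list
        x = 1
        for j in range(self.m):
            self.baby.setdefault(x, j)           # keep the smallest j
            x = x * g % p
        self.giant = pow(g, -self.m, p)          # g^(-m) mod p, Python 3.8+

    def log(self, t):
        """Return x with g^x = t (mod p), or None if no such x exists."""
        y = t % self.p
        for i in range(self.m):
            j = self.baby.get(y)                 # one lookup per giant step
            if j is not None:
                return (i * self.m + j) % self.order
            y = y * self.giant % self.p
        return None


def solve_many(targets, p=P, g=G):
    """Build the table once, then answer every target from it."""
    table = DLTable(p, g)
    return {t: table.log(t) for t in targets}


if __name__ == "__main__":
    # 31 is the page's target; 2 and 1000003 are constructed extra targets.
    for t, x in solve_many([31, 2, 1000003]).items():
        print(f"{G}^{x} = {t} (mod 2^31 - 1):", pow(G, x, P) == t)
```

The table holds about 46341 entries for this 31-bit modulus, and each further target costs at most that many multiplications and lookups.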

254 Chapter 5 EXPONENTIAL FACTORING ALGORITHMS

5.9. Here we describe an interesting way to effect a second stage, and end up asking an also interesting computational question. We have seen that a second stage makes sense if a hidden prime factor $p$ of $n$ has the form $p = zq + 1$ where $z$ is $B$-smooth and $q \in (B, B']$ is a single outlying prime. One novel approach ([Montgomery 1992a], [Crandall 1996a]) to a second-stage implementation is this: After a stage-one calculation of $b = a^{M(B)} \bmod n$ as described in the text, one can as a second stage accumulate some product (here, $g, h$ run over some fixed range, or respective sets) like this one:

$$c = \prod_{g \ne h} \left( b^{g^K} - b^{h^K} \right) \bmod n$$

and take $\gcd(n, c)$, hoping for a nontrivial factor. The theoretical task here is to explain why this method works to uncover that outlying prime $q$, indicating a rough probability (based on $q$, $K$, and the range of $g, h$) of uncovering a factor because of a lucky instance $g^K \equiv h^K \pmod{q}$.

An interesting computational question arising from this "$g^K$" method is, how does one compute rapidly the chain

$$b^{1^K}, b^{2^K}, b^{3^K}, \ldots, b^{A^K},$$

where each term is, as usual, obtained modulo $n$? Find an algorithm that in fact generates the indicated "hyperpower" chain, for fixed $K$, in only $O(A)$ operations in $\mathbf{Z}_N$.

5.10. Show that equivalence of quadratic forms is an equivalence relation.

5.11. If two quadratic forms $ax^2 + bxy + cy^2$ and $a'x^2 + b'xy + c'y^2$ have the same range, must the coefficients $(a', b', c')$ be related to the coefficients $(a, b, c)$ as in (5.1) where $\alpha, \beta, \gamma, \delta$ are integers and $\alpha\delta - \beta\gamma = \pm 1$?

5.12. Show that equivalent quadratic forms have the same discriminant.

5.13. Show that the quadratic form that is the output of Algorithm 5.6.2 is equivalent to the quadratic form that is the input.

5.14. Show that if $(a, b, c)$ is a reduced quadratic form of discriminant D

