Lecture Notes in Computer Science 5011
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board: David Hutchison (Lancaster University, UK), Takeo Kanade (Carnegie Mellon University, Pittsburgh, PA, USA), Josef Kittler (University of Surrey, Guildford, UK), Jon M. Kleinberg (Cornell University, Ithaca, NY, USA), Alfred Kobsa (University of California, Irvine, CA, USA), Friedemann Mattern (ETH Zurich, Switzerland), John C. Mitchell (Stanford University, CA, USA), Moni Naor (Weizmann Institute of Science, Rehovot, Israel), Oscar Nierstrasz (University of Bern, Switzerland), C. Pandu Rangan (Indian Institute of Technology, Madras, India), Bernhard Steffen (University of Dortmund, Germany), Madhu Sudan (Massachusetts Institute of Technology, MA, USA), Demetri Terzopoulos (University of California, Los Angeles, CA, USA), Doug Tygar (University of California, Berkeley, CA, USA), Gerhard Weikum (Max-Planck Institute of Computer Science, Saarbruecken, Germany)

Alfred J. van der Poorten, Andreas Stein (Eds.)
Algorithmic Number Theory
8th International Symposium, ANTS-VIII, Banff, Canada, May 17-22, 2008
Proceedings

Volume Editors:
Alfred J. van der Poorten, ceNTRe for Number Theory Research, 1 Bimbil Place, Killara, NSW 2071, Australia. E-mail: [email protected]
Andreas Stein, Carl von Ossietzky Universität Oldenburg, Institut für Mathematik, 26111 Oldenburg, Germany. E-mail: [email protected]

Library of Congress Control Number: 2008925108
CR Subject Classification (1998): F.2, G.2, E.3, I.1
LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues
ISSN 0302-9743
ISBN-10 3-540-79455-7 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-79455-4 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

Springer is a part of Springer Science+Business Media (springer.com)
© Springer-Verlag Berlin Heidelberg 2008
Printed in Germany. Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India. Printed on acid-free paper. SPIN: 12262908 06/3180 5 4 3 2 1 0

Preface

The first Algorithmic Number Theory Symposium took place in May 1994 at Cornell University. The preface to its proceedings has the organizers expressing the hope that the meeting would be "the first in a long series of international conferences on the algorithmic, computational, and complexity theoretic aspects of number theory."

ANTS VIII was held May 17–22, 2008 at the Banff Centre in Banff, Alberta, Canada. It was the eighth in this lengthening series. The conference included four invited talks, by Johannes Buchmann (TU Darmstadt), Andrew Granville (Université de Montréal), François Morain (École Polytechnique), and Hugh Williams (University of Calgary), a poster session, and 28 contributed talks in appropriate areas of number theory.

Each submitted paper was reviewed by at least two experts external to the Program Committee; the selection was made by the committee on the basis of those recommendations. The Selfridge Prize in computational number theory was awarded to the authors of the best contributed paper presented at the conference.

The participants in the conference gratefully acknowledge the contribution made by the sponsors of the meeting.

May 2008
Alf van der Poorten and Andreas Stein (Editors)
Renate Scheidler (Organizing Committee Chair)
Igor Shparlinski (Program Committee Chair)

Conference Website

The names of the winners of the Selfridge Prize, material supplementing the contributed papers, and errata for the proceedings, as well as the abstracts of the posters and the posters presented at ANTS VIII, can be found at: http://ants.math.ucalgary.ca.

ANTS Symposia

I    Cornell University (Ithaca, NY, USA), May 1994, LNCS 877
II   Université Bordeaux 1 (Talence, France), May 1996, LNCS 1122
III  Reed College (Portland, Oregon, USA), June 1998, LNCS 1423
IV   Universiteit Leiden (The Netherlands), July 2000, LNCS 1838
V    University of Sydney (Australia), July 2002, LNCS 2369
VI   University of Vermont (Burlington, VT, USA), May 2004, LNCS 3076
VII  Technische Universität Berlin (Germany), July 2006, LNCS 4076
VIII Banff Centre (Banff, Alberta, Canada), May 2008, LNCS 5011

Organization

Organizing Committee
Mark Bauer, University of Calgary, Canada
Joshua Holden, Rose-Hulman Institute of Technology, USA
Michael Jacobson Jr., University of Calgary, Canada
Renate Scheidler, University of Calgary, Canada (Chair)
Jonathan Sorenson, Butler University, USA

Program Committee
Dan Bernstein, University of Illinois at Chicago, USA
Nils Bruin, Simon Fraser University, Canada
Ernie Croot, Georgia Institute of Technology, USA
Andrej Dujella, University of Zagreb, Croatia
Steven Galbraith, Royal Holloway University of London, UK
Florian Heß, Technische Universität Berlin, Germany
Ming-Deh Huang, University of Southern California, USA
Jürgen Klüners, Heinrich-Heine-Universität Düsseldorf, Germany
Kristin Lauter, Microsoft Research, USA
Stéphane Louboutin, IML, France
Florian Luca, UNAM, Mexico
Daniele Micciancio, University of California at San Diego, USA
Victor Miller, IDA, USA
Oded Regev, Tel-Aviv University, Israel
Igor Shparlinski, Macquarie University, Australia (Chair)
Francesco Sica, Mount Allison University, USA
Andreas Stein, Carl-von-Ossietzky Universität Oldenburg, Germany
Arne Storjohann, University of Waterloo, Canada
Tsuyoshi Takagi, Future University–Hakodate, Japan
Edlyn Teske, University of Waterloo, Canada
Felipe Voloch, University of Texas, USA

Sponsoring Institutions
The Pacific Institute for the Mathematical Sciences (PIMS)
The Fields Institute
The Alberta Informatics Circle of Research Excellence (iCORE)
The Centre for Information Security and Cryptography (CISaC)
Microsoft Research
The Number Theory Foundation
The University of Calgary
Butler University

Table of Contents

Invited Papers
Running Time Predictions for Factoring Algorithms (Ernie Croot, Andrew Granville, Robin Pemantle, and Prasad Tetali) ... 1
A New Look at an Old Equation (R.E. Sawilla, A.K. Silvester, and H.C. Williams) ... 37

Elliptic Curves Cryptology and Generalizations
Abelian Varieties with Prescribed Embedding Degree (David Freeman, Peter Stevenhagen, and Marco Streng) ... 60
Almost Prime Orders of CM Elliptic Curves Modulo p (Jorge Jiménez Urroz) ... 74
Efficiently Computable Distortion Maps for Supersingular Curves (Katsuyuki Takashima) ... 88
On Prime-Order Elliptic Curves with Embedding Degrees k = 3, 4, and 6 (Koray Karabina and Edlyn Teske) ... 102

Arithmetic of Elliptic Curves
Computing in Component Groups of Elliptic Curves (J.E. Cremona) ... 118
Some Improvements to 4-Descent on an Elliptic Curve (Tom Fisher) ... 125
Computing a Lower Bound for the Canonical Height on Elliptic Curves over Totally Real Number Fields (Thotsaphon Thongjunthug) ... 139
Faster Multiplication in GF(2)[x] (Richard P. Brent, Pierrick Gaudry, Emmanuel Thomé, and Paul Zimmermann) ... 153

Integer Factorization
Predicting the Sieving Effort for the Number Field Sieve (Willemien Ekkelkamp) ... 167
Improved Stage 2 to P±1 Factoring Algorithms (Peter L. Montgomery and Alexander Kruppa) ... 180

K3 Surfaces
Shimura Curve Computations Via K3 Surfaces of Néron–Severi Rank at Least 19 (Noam D. Elkies) ... 196
K3 Surfaces of Picard Rank One and Degree Two (Andreas-Stephan Elsenhans and Jörg Jahnel) ... 212

Number Fields
Number Fields Ramified at One Prime (John W. Jones and David P. Roberts) ... 226
An Explicit Construction of Initial Perfect Quadratic Forms over Some Families of Totally Real Number Fields (Alar Leibak) ... 240
Functorial Properties of Stark Units in Multiquadratic Extensions (Jonathan W. Sands and Brett A. Tangedal) ... 253
Enumeration of Totally Real Number Fields of Bounded Root Discriminant (John Voight) ... 268

Point Counting
Computing Hilbert Class Polynomials (Juliana Belding, Reinier Bröker, Andreas Enge, and Kristin Lauter) ... 282
Computing Zeta Functions in Families of $C_{a,b}$ Curves Using Deformation (Wouter Castryck, Hendrik Hubrechts, and Frederik Vercauteren) ... 296
Computing L-Series of Hyperelliptic Curves (Kiran S. Kedlaya and Andrew V. Sutherland) ... 312
Point Counting on Singular Hypersurfaces (Remke Kloosterman) ... 327

Arithmetic of Function Fields
Efficient Hyperelliptic Arithmetic Using Balanced Representation for Divisors (Steven D. Galbraith, Michael Harrison, and David J. Mireles Morales) ... 342
Tabulation of Cubic Function Fields with Imaginary and Unusual Hessian (Pieter Rozenhart and Renate Scheidler) ... 357

Modular Forms
Computing Hilbert Modular Forms over Fields with Nontrivial Class Group (Lassina Dembélé and Steve Donnelly) ... 371
Hecke Operators and Hilbert Modular Forms (Paul E. Gunnells and Dan Yasaki) ... 387

Cryptography
A Birthday Paradox for Markov Chains, with an Optimal Bound for Collision in the Pollard Rho Algorithm for Discrete Logarithm (Jeong Han Kim, Ravi Montenegro, Yuval Peres, and Prasad Tetali) ... 402
An Improved Multi-set Algorithm for the Dense Subset Sum Problem (Andrew Shallue) ... 416

Number Theory
On the Diophantine Equation $x^2 + 2^\alpha 5^\beta 13^\gamma = y^n$ (Edray Goins, Florian Luca, and Alain Togbé) ... 430
Non-vanishing of Dirichlet L-functions at the Central Point (Sami Omar) ... 443

Author Index ... 455

Running Time Predictions for Factoring Algorithms

Ernie Croot (1), Andrew Granville (2), Robin Pemantle (3), and Prasad Tetali (4, ⋆)

(1) School of Mathematics, Georgia Tech, Atlanta, GA 30332-0160, USA. [email protected]
(2) Département de mathématiques et de statistique, Université de Montréal, Montréal QC H3C 3J7, Canada. [email protected]
(3) Department of Mathematics, University of Pennsylvania, 209 S. 33rd Street, Philadelphia, Pennsylvania 19104, USA. [email protected]
(4) School of Mathematics and College of Computing, Georgia Tech, Atlanta, GA 30332-0160, USA. [email protected]

Abstract. In 1994, Carl Pomerance proposed the following problem: Select integers $a_1, a_2, \ldots, a_J$ at random from the interval $[1, x]$, stopping when some (non-empty) subsequence $\{a_i : i \in I\}$, where $I \subseteq \{1, 2, \ldots, J\}$, has a square product (that is, $\prod_{i \in I} a_i \in \mathbb{Z}^2$). What can we say about the possible stopping times, $J$?

A 1985 algorithm of Schroeppel can be used to show that this process stops after selecting $(1+\epsilon) J_0(x)$ integers $a_j$ with probability $1 - o(1)$ (where the function $J_0(x)$ is given explicitly in (1) below). Schroeppel's algorithm actually finds the square product, and this has subsequently been adopted, with relatively minor modifications, by all factorers. In 1994 Pomerance showed that, with probability $1 - o(1)$, the process will run through at least $J_0(x)^{1-o(1)}$ integers $a_j$, and asked for a more precise estimate of the stopping time.

We conjecture that there is a "sharp threshold" for this stopping time, that is, with probability $1 - o(1)$ one will first obtain a square product when (precisely) $\{e^{-\gamma} + o(1)\} J_0(x)$ integers have been selected. Herein we will give a heuristic to justify our belief in this sharp transition.

In our paper [4] we prove, with probability $1 - o(1)$, that the first square product appears in time $[(\pi/4)(e^{-\gamma} - o(1)) J_0(x),\ (e^{-\gamma} + o(1)) J_0(x)]$, where $\gamma = 0.577\ldots$ is the Euler–Mascheroni constant, improving both Schroeppel's and Pomerance's results. In this article we will prove a weak version of this theorem (though still improving on the results of both Schroeppel and Pomerance).

We also confirm the well established belief that, typically, none of the integers in the square product have large prime factors.

Our methods provide an appropriate combinatorial framework for studying the large prime variations associated with the quadratic sieve and other factoring algorithms. This allows us to analyze what factorers have discovered in practice.

⋆ The first author is supported in part by an NSF grant. The second author is partially supported by a grant from the Natural Sciences and Engineering Research Council of Canada. The third author is supported in part by NSF Grant DMS-01-03635.

A.J. van der Poorten and A. Stein (Eds.): ANTS-VIII 2008, LNCS 5011, pp. 1–36, 2008. © Springer-Verlag Berlin Heidelberg 2008

1 Introduction

Most factoring algorithms (including Dixon's random squares algorithm [5], the quadratic sieve [14], the multiple polynomial quadratic sieve [19], and the number field sieve [2] – see [18] for a nice expository article on factoring algorithms) work by generating a pseudorandom sequence of integers $a_1, a_2, \ldots$, with each
$$a_i \equiv b_i^2 \pmod n,$$
for some known integer $b_i$ (where $n$ is the number to be factored), until some subsequence of the $a_i$'s has product equal to a square, say
$$Y^2 = a_{i_1} \cdots a_{i_k},$$
and set
$$X^2 = (b_{i_1} \cdots b_{i_k})^2.$$
Then $n \mid Y^2 - X^2 = (Y - X)(Y + X)$, and there is a good chance that $\gcd(n, Y - X)$ is a non-trivial factor of $n$. If so, we have factored $n$.

In his lecture at the 1994 International Congress of Mathematicians, Pomerance [16, 17] observed that in the (heuristic) analysis of such factoring algorithms one assumes that the pseudo-random sequence $a_1, a_2, \ldots$ is close enough to random that we can make predictions based on this assumption. Hence it makes sense to formulate this question in its own right.

Pomerance's Problem. Select positive integers $a_1, a_2, \cdots \leq x$ independently at random (that is, $a_j = m$ with probability $1/x$ for each integer $m$, $1 \leq m \leq x$), stopping when some subsequence of the $a_i$'s has product equal to a square (a square product). What is the expected stopping time of this process?

There are several feasible positive practical consequences of resolving this question:

– It may be that the expected stopping time is far less than what is obtained by the algorithms currently used. Hence such an answer might point the way to speeding up factoring algorithms.

– Even if this part of the process cannot be easily sped up, a good understanding of this stopping time might help us better determine the optimal choice of parameters for most factoring algorithms.
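As an added example (not code from the paper), the following Python simulates Pomerance's process from the abstract and the gcd step from the introduction on toy sizes: each $a_j$ is factored over the primes up to $x$, its exponent vector is reduced mod 2, and Gaussian elimination over GF(2) reports the first $J$ at which some subsequence has a square product. The function names, the seeds and the modulus 1649 = 17 · 97 used to exercise `gcd_split` are my own choices.

```python
import random
from math import gcd, isqrt, prod

def primes_up_to(x):
    # Factor base: every prime <= x (trial division is fine at toy sizes).
    return [p for p in range(2, x + 1) if all(p % q for q in range(2, isqrt(p) + 1))]

def parity_vector(m, primes):
    # Bitmask of factor-base primes dividing m to an odd power; None if not smooth.
    if m <= 0:
        return None
    mask = 0
    for i, p in enumerate(primes):
        while m % p == 0:
            m //= p
            mask ^= 1 << i  # toggle the parity bit on every division by p
    return mask if m == 1 else None

def square_subsequence(vectors):
    # GF(2) elimination with history: returns the index set I whose vectors XOR
    # to 0 (so prod_{i in I} a_i is a perfect square), or None if independent.
    basis = {}  # pivot bit -> (reduced vector, bitmask of the indices it combines)
    for j, v in enumerate(vectors):
        hist = 1 << j
        while v:
            pivot = v & -v
            if pivot not in basis:
                basis[pivot] = (v, hist)
                break
            v, hist = v ^ basis[pivot][0], hist ^ basis[pivot][1]
        else:  # v reduced to zero: a dependency that includes index j
            return {i for i in range(len(vectors)) if hist >> i & 1}
    return None

def stopping_time(x, seed=0):
    # Pomerance's process: draw a_j uniformly from [1, x] until some subsequence
    # has a square product; returns (J, I, the selected a's).
    rng, primes, a, vecs = random.Random(seed), primes_up_to(x), [], []
    while True:
        a.append(rng.randint(1, x))
        vecs.append(parity_vector(a[-1], primes))
        dep = square_subsequence(vecs)
        if dep:
            return len(a), dep, a

def gcd_split(n, bs, dep):
    # The factoring step: a_i = b_i^2 mod n with prod_{i in dep} a_i = Y^2 and
    # X = prod b_i, so n | (Y - X)(Y + X); return gcd(n, Y - X).
    Y = isqrt(prod(b * b % n for i, b in enumerate(bs) if i in dep)) % n
    X = prod(b for i, b in enumerate(bs) if i in dep) % n
    return gcd(n, Y - X)
```

Running `stopping_time(1000, seed)` for many seeds gives an empirical distribution of $J$ to set against $J_0(x)$; `gcd_split(1649, [41, 43], {0, 1})` returns 17 because $41^2 \cdot 43^2 \equiv 32 \cdot 200 = 80^2 \pmod{1649}$.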