Lecture Notes in Computer Science 1423
Edited by G. Goos, J. Hartmanis and J. van Leeuwen

J.P. Buhler (Ed.)

Algorithmic Number Theory

Third International Symposium, ANTS-III
Portland, Oregon, USA, June 21-25, 1998
Proceedings

Springer

Series Editors
Gerhard Goos, Karlsruhe University, Germany
Juris Hartmanis, Cornell University, NY, USA
Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editor
Joe P. Buhler
Reed College
3203 S.E. Woodstock Blvd., Portland, OR 97202, USA

Cataloging-in-Publication data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme
Algorithmic number theory : third international symposium ; proceedings / ANTS-III, Portland, Oregon, USA, June 21 - 25, 1998. Joe Buhler (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Budapest ; Hong Kong ; London ; Milan ; Paris ; Santa Clara ; Singapore ; Tokyo : Springer, 1998
(Lecture notes in computer science ; Vol. 1423)
ISBN 3-540-64657-4

CR Subject Classification (1991): 1.1, E2.2, G.2, E.3-4, J.2
1991 Mathematics Subject Classification: 11Yxx, 11T71, 68P25, 68Q40, 68Q25, 68Q20, 12Y05, 94A60

ISSN 0302-9743
ISBN 3-540-64657-4 Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.
© Springer-Verlag Berlin Heidelberg 1998
Printed in Germany
Typesetting: Camera-ready by author
SPIN 10637477 06/3142 - 5 4 3 2 1 0
Printed on acid-free paper

Preface

The Algorithmic Number Theory Symposia (ANTS) were begun in 1994 in an effort to recognize the growing importance of algorithmic thinking, both theoretical and practical, in number theory; the intent was that "number theory" was to be construed in a broad fashion. These conferences have been held every two years; the first was held at Cornell University, and the second was held at the Université Bordeaux I in 1996.

The third ANTS conference will be held at Reed College, in Portland, Oregon, USA, on June 21-25, 1998. The conference is being supported by grants from Reed College, the National Science Foundation, and the National Security Agency.

The Program Committee consists of Eric Bach, Johannes Buchmann, Joe Buhler, Henri Cohen, Neal Koblitz, Bjorn Poonen, and René Schoof. They certainly deserve thanks for the hard work of wading through a large number of manuscripts in a short period of time. The Local Arrangements Committee consists of Cathy D'Ambrosia, Danalee Buhler, Joe Buhler, Helen Ivey, and Jerry Shurman.

The conference schedule includes invited talks by Professors Daniel Boneh (Stanford University), Noam Elkies (Harvard University), and Andrew Granville (the University of Georgia) together with 46 contributed talks, which are divided into very approximate categories in the table of contents.

The task of getting the conference proceedings ready by the time of the conference has been made possible by the hard work of Cathy D'Ambrosia, the Springer-Verlag staff, and especially by Jerry Shurman's generous assistance in tackling the inevitable miasma of minutiae that arise in large text processing projects.

April, 1998
Joe P. Buhler
ANTS III Program Chair

Table of Contents

Invited Talk 1: Shimura Curve Computations
    Noam D. Elkies (Harvard University)
Invited Talk 2: The Decision Diffie-Hellman Problem
    Dan Boneh (Stanford University)

GCD Algorithms

Parallel Implementation of Schönhage's Integer GCD Algorithm
    Giovanni Cesari (Università degli Studi di Trieste)
The Complete Analysis of the Binary Euclidean Algorithm
    Brigitte Vallée (Université de Caen)

Primality

Cyclotomy Primality Proving - Recent Developments
    Preda Mihăilescu (FingerPIN AG & ETH, Institut für wissenschaftliches Rechnen)
Primality Proving Using Elliptic Curves: An Update
    F. Morain (Laboratoire d'Informatique de l'École polytechnique)

Factoring

Bounding Smooth Integers (Extended Abstract)
    Daniel J. Bernstein (The University of Illinois at Chicago)
Factorization of the Numbers of the Form $m^3 + c_2 m^2 + c_1 m + c_0$
    Zhang Mingzhi (Sichuan Union University)
Modelling the Yield of Number Field Sieve Polynomials
    Brian Murphy (Australian National University)
A Montgomery-Like Square Root for the Number Field Sieve
    Phong Nguyen (École Normale Supérieure)

Sieving

Robert Bennion's "Hopping Sieve"
    William F. Galway (University of Illinois at Urbana-Champaign)
Trading Time for Space in Prime Number Sieves
    Jonathan P. Sorenson (Butler University)

Analytic Number Theory

Do Sums of 4 Biquadrates Have a Positive Density?
    Jean-Marc Deshouillers, François Hennecart, Bernard Landreau (Université Bordeaux)
New Experimental Results Concerning the Goldbach Conjecture
    J-M. Deshouillers (Université Bordeaux), H.J.J. te Riele (CWI), Y. Saouter (Institut de Recherche en Informatique de Toulouse)
Dense Admissible Sets
    Daniel M. Gordon, Gene Rodemich (Center for Communications Research)
An Analytic Approach to Smooth Polynomials over Finite Fields
    Daniel Panario (University of Toronto), Xavier Gourdon (INRIA), Philippe Flajolet (INRIA)

Cryptography

Generating a Product of Three Primes with an Unknown Factorization
    Dan Boneh, Jeremy Horwitz (Stanford University)
On the Performance of Signature Schemes Based on Elliptic Curves
    Erik De Win (Katholieke Universiteit Leuven), Serge Mister (Queen's University), Bart Preneel (Katholieke Universiteit Leuven), Michael Wiener (Entrust Technologies)
NTRU: A Ring-Based Public Key Cryptosystem
    Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman (Brown University)
Finding Length-3 Positive Cunningham Chains and their Cryptographic Significance
    Adam Young (Columbia University), Moti Yung (CertCo)

Linear Algebra, Lattices

Reducing Ideal Arithmetic to Linear Algebra Problems
    Stefan Neis (Darmstadt University of Technology)
Evaluation of Linear Relations between Vectors of a Lattice in Euclidean Space
    I. A. Semaev
An Efficient Parallel Block-Reduction Algorithm
    Susanne Wetzel (Universität des Saarlandes)

Series, Sums

Fast Multiprecision Evaluation of Series of Rational Numbers
    Bruno Haible (ILOG), Thomas Papanikolaou (Laboratoire A2X)
A Problem Concerning a Character Sum -- Extended Abstract
    E. Teske (Technische Universität Darmstadt), H.C. Williams (University of Manitoba)
Formal Power Series and Their Continued Fraction Expansion
    Alf van der Poorten (Centre for Number Theory Research)

Algebraic Number Fields

Imprimitive Octic Fields with Small Discriminants
    Henri Cohen, Francisco Diaz y Diaz, Michel Olivier (Université Bordeaux I)
A Table of Totally Complex Number Fields of Small Discriminants
    Henri Cohen, Francisco Diaz y Diaz, Michel Olivier (Université Bordeaux I)
Generating Arithmetically Equivalent Number Fields with Elliptic Curves
    Bart de Smit (Rijksuniversiteit Leiden)
Computing the Lead Term of an Abelian L-function
    David S. Dummit (University of Vermont), Brett A. Tangedal (College of Charleston)
Timing Analysis of Targeted Hunter Searches
    John W. Jones (Arizona State University), David P. Roberts (Rutgers University)
On Successive Minima of Rings of Algebraic Integers
    Jacques Martinet (Université Bordeaux I)

Class Groups and Fields

Computation of Relative Quadratic Class Groups
    Henri Cohen, Francisco Diaz y Diaz, Michel Olivier (Université Bordeaux I)
Generating Class Fields using Shimura Reciprocity
    Alice Gee, Peter Stevenhagen (Universiteit van Amsterdam)
Irregularity of Prime Numbers over Real Quadratic Fields
    Joshua Holden (University of Massachusetts at Amherst)
Experimental Results on Class Groups of Real Quadratic Fields (Extended Abstract)
    Michael J. Jacobson, Jr. (Technische Universität Darmstadt)
Computation of Relative Class Numbers of Imaginary Cyclic Fields of 2-power Degrees
    Stéphane Louboutin (Université de Caen)

Curves

Formal Groups, Elliptic Curves, and Some Theorems of Couveignes
    Antonia W. Bluher (National Security Agency)
A Comparison of Direct and Indirect Methods for Computing Selmer Groups of an Elliptic Curve
    Z. Djabri (University of Kent at Canterbury), N.P. Smart (Hewlett-Packard Laboratories)
An Algorithm for Approximate Counting of Points on Algebraic Sets over Finite Fields
    Ming-Deh Huang, Yiu-Chung Wong (University of Southern California)
S-integral Points on Elliptic Curves and Fermat's Triple Equations
    A. Pethő (Kossuth Lajos University), E. Herrmann, H. G. Zimmer (Universität des Saarlandes)
Speeding Up Pollard's Rho Method for Computing Discrete Logarithms
    Edlyn Teske (Technische Universität Darmstadt)

Function Fields

A General Method of Constructing Global Function Fields with Many Rational Places
    Harald Niederreiter (Austrian Academy of Sciences), Chaoping Xing (The National University of Singapore)
Lattice Basis Reduction in Function Fields
    Sachar Paulus (Darmstadt University of Technology)
Comparing Real and Imaginary Arithmetics for Divisor Class Groups of Hyperelliptic Curves
    Sachar Paulus (Darmstadt University of Technology), Andreas Stein (University of Manitoba)
Unit Computation in Purely Cubic Function Fields of Unit Rank 1
    Renate Scheidler (University of Delaware), Andreas Stein (University of Manitoba)
An Improved Method of Computing the Regulator of a Real Quadratic Function Field
    Andreas Stein, Hugh C. Williams (University of Manitoba)
The Equivalence Between Elliptic Curve and Quadratic Function Field Discrete Logarithms in Characteristic 2
    Robert J. Zuccherato (Entrust Technologies)

Author Index

Shimura Curve Computations

Noam D. Elkies
Harvard University

Abstract. We give some methods for computing equations for certain Shimura curves, natural maps between them, and special points on them.
We then illustrate these methods by working out several examples in varying degrees of detail. For instance, we compute coordinates for all the rational CM points on the curves $X^*(1)$ associated with the quaternion algebras over $\mathbf{Q}$ ramified at $\{2,3\}$, $\{2,5\}$, $\{2,7\}$, and $\{3,5\}$. We conclude with a list of open questions that may point the way to further computational investigation of these curves.

1 Introduction

1.1 Why and How to Compute with Shimura Curves

The classical modular curves, associated to congruence subgroups of $\mathrm{PSL}_2(\mathbf{Q})$, have long held and repaid the interest of number theorists working theoretically as well as computationally. In the fundamental paper [S2] Shimura defined curves associated with other quaternion algebras over totally real number fields in the same way that the classical curves are associated with the algebra $M_2(\mathbf{Q})$ of $2 \times 2$ matrices over $\mathbf{Q}$. These Shimura curves are now recognized as close analogues of the classical modular curves: almost every result involving the classical curves generalizes with some more work to Shimura curves, and indeed Shimura curves figure alongside classical ones in a key step in the recent proof of Fermat's "last theorem" [Ri].

But computational work on Shimura curves lags far behind the extensive effort devoted to the classical modular curves. The 19th century pioneers investigated some arithmetic quotients of the upper half plane which we now recognize as Shimura curves (see for instance [F1,F2]) with the same enthusiasm that they applied to the $\mathrm{PSL}_2(\mathbf{Q})$ curves. But further inroads proved much harder for Shimura curves than for their classical counterparts.
The $\mathrm{PSL}_2(\mathbf{Q})$ curves parametrize elliptic curves with some extra structure; the general elliptic curve has a simple explicit formula which lets one directly write down the first few modular curves and maps between them. (For instance, this is how Tate obtained the equations for the first few curves $X_1(N)$ parametrizing elliptic curves with an $N$-torsion point; see for instance [Kn, pp. 145–148].) Shimura showed that curves associated with other quaternion algebras also parametrize geometric objects, but considerably more complicated ones (abelian varieties with quaternionic endomorphisms); even in the first few cases beyond $M_2(\mathbf{Q})$, explicit formulas for these objects were obtained only recently [HM], and using such formulas to get at the Shimura curves seems a most daunting task. Moreover, most modern computations with modular curves (e.g. [C,E5]) sidestep the elliptic interpretation and instead rely heavily on $q$-expansions, i.e. on the curves' cusps. But arithmetic subgroups of $\mathrm{PSL}_2(\mathbf{R})$ other than those in $\mathrm{PSL}_2(\mathbf{Q})$ contain no parabolic elements, so their Shimura curves have no cusps, and thus any method that requires $q$-expansions must fail.

J.P. Buhler (Ed.): ANTS-III, LNCS 1423, pp. 1–47, 1998. © Springer-Verlag Berlin Heidelberg 1998

But while Shimura curves pose harder computational problems than classical modular curves, efficient solutions to these problems promise great benefits. These curves tempt the computational number theorist not just because, like challenging mountain peaks, "they're there", but because of their remarkable properties, direct applications, and potential for suggesting new ideas for theoretical research. Some Shimura curves and natural maps between them provide some of the most interesting examples in the geometry of curves of low genus; for instance each of the five curves of genus $g \in [2,14]$ that attains the Hurwitz bound $84(g-1)$ on the number of automorphisms of a curve in characteristic zero is a Shimura curve.
Shimura curves, like classical and Drinfeld modular curves, reduce to curves over the finite field $\mathbf{F}_{q^2}$ of $q^2$ elements that attain the Drinfeld-Vlăduţ upper bound $(q-1+o(1))g$ on the number of points of a curve of genus $g \to \infty$ over that field [I3]. Moreover, while all three flavors of modular curves include towers that can be given by explicit formulas and thus used to construct good error-correcting codes [Go1,Go2,TVZ], only the Shimura curves, precisely because of their lack of cusps, can give rise to totally unramified towers, which should simplify the computation of the codes; we gave formulas for several such towers in [E6]. Finally, the theory of modular curves indicates that CM (complex multiplication) points on Shimura curves, elliptic curves covered by them, and modular forms on them have number-theoretic significance. The ability to efficiently compute such objects should suggest new theoretical results and conjectures concerning the arithmetic of Shimura curves. For instance, the computations of CM points reported in this paper should suggest factorization formulas for the difference between the coordinates of two such points analogous to those of Gross and Zagier [GZ] for $j$-invariants of elliptic curves, much as the computation of CM values of the Weber modular functions suggested the formulas of [YZ]. Also, as in [GS], rational CM points on rational Shimura curves with only three elliptic points (i.e. coming from arithmetic triangle groups $G_{p,q,r}$) yield identities $A + B = C$ in coprime integers $A, B, C$ with many repeated factors; we list the factorizations here, though we found no example in which $A, B, C$ are perfect $p,q,r$-th powers, nor any new near-record ABC ratios. Finally, CM computations on Shimura curves may also make possible new Heegner-point constructions as in [E4].

So how do we carry out these computations?
In a few cases (listed in [JL]), the extensive arithmetic theory of Shimura curves has been used to obtain explicit equations, deducing from the curves' $p$-adic uniformizations Diophantine conditions on the coefficients of their equations stringent enough to determine them uniquely. But we are interested, not only in the equations, but in modular covers and maps between Shimura curves associated to the same quaternion