Soonhak Kwon - Academia.edu
Papers by Soonhak Kwon
Proceedings of the Japan Academy, Series A, Mathematical Sciences, 1996
Discrete Applied Mathematics
The study of Boolean functions with low c-differential uniformity has recently become an important topic of research. However, in the odd characteristic case, there are not many results on the (c-)differential uniformity of functions that are not power functions. In this paper, we investigate the c-differential uniformity of the swapped inverse functions in odd characteristic, and show that their c-differential uniformities are at most 6 except for some special cases.
Finite Fields and Their Applications
The c-differential uniformity was recently proposed to reflect resistance against some variants of differential attack. Finding functions with low c-differential uniformity is attracting attention from many researchers. For even characteristic, it is known that permutations of low Carlitz rank have good cryptographic parameters, for example low differential uniformity and high nonlinearity. In this paper we show that permutations with low Carlitz rank have low c-differential uniformity. We also investigate the c-differential uniformity of permutations with Carlitz rank 3 in detail.
16th IEEE Symposium on Computer Arithmetic, 2003. Proceedings.
Using the self-duality of an optimal normal basis (ONB) of type II, we present a bit-parallel systolic multiplier over GF(2^m) which has low hardware complexity and low latency. We show that our multiplier has latency m + 1 and that the basic cell of our circuit design needs 5 latches (flip-flops). On the other hand, most other multipliers of the same type have latency 3m and the basic cell of each multiplier needs 7 latches. Comparing the gate areas in each basic cell, we find that the hardware complexity of our multiplier is reduced by 25 percent compared with the multipliers with 7 latches.
Information Security and Privacy, 2005
In this paper, we present a closed formula for the Tate pairing computation for supersingular elliptic curves defined over the binary field F_{2^m} of odd dimension. There are exactly three isomorphism classes of supersingular elliptic curves over F_{2^m} for odd m, and our result is applicable to all of these curves.
Lecture Notes in Computer Science, 2003
Division over a finite field GF(2^m) is the most time- and area-consuming operation. In this paper, a new division architecture for GF(2^m) using the standard basis representation is proposed. Based on a modified version of the binary extended greatest common divisor (GCD) algorithm, we design a compact and fast divider. The proposed divider can produce division results at a rate of one per 2m − 1 clock cycles. Analysis shows that the computational delay time of the proposed architecture is significantly less than that of previously proposed dividers, with reduced transistor counts. Furthermore, since the new architecture does not restrict the choice of irreducible polynomials and has the features of regularity and modularity, it provides high flexibility and scalability with respect to the field size m.
Selected Areas in Cryptography, 2004
XTR, which appeared in 2000, is a very promising alternative to elliptic curve cryptosystems. Though the basic idea behind XTR is very elegant and universal, one needs to restrict the primes p such that p ≡ 2 (mod 3) for optimal normal bases, since it involves many multiplications in GF(p^2). Moreover, the restriction p ≡ 2 (mod 3) is consistently used to improve the time complexity of irreducibility testing for XTR polynomials. In this paper, we propose that a Gaussian normal basis of type (2, k) for small k can also be used for efficient field arithmetic for XTR when p ≡ 2 (mod 3). Furthermore, we give a new algorithm for fast irreducibility testing and for finding a generator of the XTR group when p ≡ 1 (mod 3). Also, we present an explicit generator of the XTR group which does not need any irreducibility testing when there is a Gaussian normal basis of type (2, 3) in GF(p^2). We show that our algorithms are simple to implement and that the time complexity of our methods is comparable to the best ones proposed so far.
Lecture Notes in Computer Science
Montgomery multiplication is one of the fundamental operations used in cryptographic algorithms, such as RSA and Elliptic Curve Cryptosystems. At CHES 1999, Tenca and Koç introduced a now-classical architecture for implementing Montgomery multiplication in hardware. With parameters optimized for minimum latency, this architecture performs a single Montgomery multiplication in approximately 2n clock cycles, where n is the size of the operands in bits. In this paper we propose and discuss an optimized hardware architecture performing the same operation in approximately n clock cycles. Our architecture is based on pre-computing partial results using two possible assumptions regarding the most significant bit of the previous word, and is only marginally more demanding in terms of circuit area. The new radix-2 architecture can be extended to the radix-4 case, while preserving a factor of two speed-up over the corresponding radix-4 design by Tenca, Todorov, and Koç from CHES 2001. Our architecture has been verified by modeling it in Verilog-HDL, implementing it on a Xilinx Virtex-II 6000 FPGA, and experimentally testing it on the SRC-6 reconfigurable computer.
Lecture Notes in Computer Science, 2006
A novel portable hardware architecture for the Elliptic Curve Method of factoring, designed and optimized for application in the relation collection step of the Number Field Sieve, is described and analyzed. A comparison with an earlier proof-of-concept design by Pelzl, Šimka, et al. has been performed, and a substantial improvement has been demonstrated in terms of both the execution time and the area-time product. The ECM architecture has been ported across three different families of FPGA devices in order to select the family with the best performance-to-cost ratio. A timing comparison with a highly optimized software implementation, GMP-ECM, has been performed. Our results indicate that low-cost families of FPGAs, such as Xilinx Spartan 3, offer at least an order of magnitude improvement over the same generation of microprocessors in terms of the performance-to-cost ratio.
Lecture Notes in Computer Science, 2004
2006 IEEE International Conference on Field Programmable Technology, 2006
Electronics Letters, 2014
We clarify and generalize a cube root algorithm in F_q proposed by Pocklington [1], and later rediscovered by Padró and Sáez [2]. We correct some mistakes in [2] and give a full generalization of the result in [1, 2] for the cube root algorithm. We also compare the implementation of the Pocklington and Padró-Sáez algorithm with the two most popular cube root algorithms, namely the Adleman-Manders-Miller algorithm and the Cipolla-Lehmer algorithm. To the authors' knowledge, our comparison is the first one which compares these three fundamental algorithms together.
Journal of Number Theory, 1997
Let E be an elliptic curve over Q. Observing certain relations between the torsion subgroups of E and E_D, the D-quadratic twist of E, we prove that the torsion subgroup of E is stable for all but finitely many quadratic extensions. Moreover, using the result of K. Ono, we classify the torsion subgroup of E over all quadratic extensions when E is of the form E : y^2 = x(x+M)(x+N), where M and N are integers. In the special case when the torsion subgroup of E over Q is isomorphic to Z/2Z ⊕ Z/8Z, we prove that the torsion subgroup of E is always stable under quadratic extensions.
IET Computers & Digital Techniques, 2008
The efficient design of digit-serial multipliers for special binary composite fields F_{2^{nm}}, where gcd(n, m) = 1, is presented. These composite fields can be constructed via an irreducible pentanomial of degree nm but not via an irreducible trinomial of degree nm. The conventional construction method for such digit-serial multipliers is to exploit the simplicity of pentanomials to obtain efficient linear feedback shift registers together with AND-XOR arrays. In this approach, these binary fields are constructed via irreducible trinomials of degree m over F_{2^n}, which in turn is constructed via an irreducible trinomial (Hybrid I) or pentanomial (Hybrid II) over F_2. Applying the bit-serial structure to the tower field and the bit-parallel structure to the ground field yields the hybrid architecture. Three kinds of multipliers (conventional, Hybrid I and Hybrid II) are implemented using the same FPGA device. Since at least one level is constructed via a trinomial instead of a pentanomial, the hybrid multipliers are 10-33% more efficient than the conventional ones according to the post-place-and-route timing analysis via Xilinx ISE 7.1.
IEEE Transactions on Computers, 2009
Tate pairing-based cryptosystems have recently emerged as an alternative to traditional public key cryptosystems, because of their ability to be used in multi-party identity-based key management schemes. Due to the inherent parallelism of the existing pairing algorithms, high performance can be achieved via hardware realizations. Three schemes for Tate pairing computations have been proposed in the literature: cubic elliptic, binary elliptic, and binary hyperelliptic. In this paper, we propose a new FPGA-based architecture for Tate pairing computation over binary fields. Even though our field sizes are larger than in the architectures based on cubic elliptic curves or binary hyperelliptic curves with the same security strength, fewer multiplications in the underlying field need to be performed. As a result, the computational latency for a pairing computation has been reduced, and our implementation runs 2-to-20 times faster than the equivalent implementations of other pairing-based schemes at the same level of security strength. Furthermore, we ported our pairing designs for 8 field sizes ranging from 239 to 557 bits to the reconfigurable computer SGI Altix-4700, supported by Silicon Graphics, Inc., and demonstrate their performance and cost.
Designs, Codes and Cryptography, 2006
Gauss periods give an exponentiation algorithm that is fast for many finite fields but slow for many other fields. The current paper presents a different method for the construction of elements that yield a fast exponentiation algorithm for finite fields where the Gauss period method is slow or does not work. The basic idea is to use elements of low multiplicative order and search for primitive elements that are binomials or trinomials in these elements. Computational experiments indicate that such primitive elements exist, and it is shown that they can be exponentiated fast.
After Miller's original algorithm for the Tate pairing computation, many improved algorithms have been suggested, to name just a few, by Galbraith et al. and Barreto et al., especially for the fields with characteristic three. Also, Duursma and Lee found a closed formula for the Tate pairing computation for the fields with characteristic three. In this paper, we show that
Finite Fields and Their Applications
Finding permutation polynomials with low differential and boomerang uniformity is an important topic in the S-box design of many block ciphers. For example, AES chooses the inverse function as its S-box, which is differentially 4-uniform and boomerang 6-uniform. There has also been considerable research on many non-quadratic permutations which are obtained by modifying a certain set of points of the inverse function. In this paper, we give a novel approach that shows that plenty of existing modifications of the inverse function are in fact affine equivalent to permutations of low Carlitz rank, and that those modifications cannot be APN (almost perfect nonlinear) unless the Carlitz rank is very large. Using nice properties of the permutations of Carlitz form, we present the complete list of permutations of Carlitz rank 3 having boomerang uniformity six, and also give the complete classification of the differential uniformity of permutations of Carlitz rank 3. We also provide, up to affine equivalence, all the involutory permutations of Carlitz rank 3 having boomerang uniformity six.
arXiv (Cornell University), Jan 16, 2015
Let F_q be a finite field with q elements, where q is a prime power, and let r > 1 be an integer with q ≡ 1 (mod r). In this paper, we present a refinement of the Cipolla-Lehmer type algorithm given by H. C. Williams, and subsequently improved by K. S. Williams and K. Hardy. For a given r-th power residue c ∈ F_q where r is an odd prime, the algorithm of H. C. Williams determines a solution of X^r = c in O(r^3 log q) multiplications in F_q, and the algorithm of K. S. Williams and K. Hardy finds a solution in O(r^4 + r^2 log q) multiplications in F_q. Our refinement finds a solution in O(r^3 + r^2 log q) multiplications in F_q. Therefore our new method is better than the previously proposed algorithms independent of the size of r, and the implementation result via SAGE shows a substantial speed-up compared with the existing algorithms.
Bulletin of the Korean Mathematical Society, 2016
The general number field sieve (GNFS) is asymptotically the fastest known factoring algorithm. One of the most important steps of GNFS is to select a good polynomial pair. A standard way of polynomial selection (used in factoring RSA challenge numbers) is to select a nonlinear polynomial for algebraic sieving and a linear polynomial for rational sieving. There is another method, called the nonlinear method, which selects two polynomials of the same degree greater than one. In this paper, we generalize Montgomery's method [7] using a small geometric progression (GP) (mod N) to construct a pair of nonlinear polynomials. We introduce a GP of length d + k with 1 ≤ k ≤ d − 1 and show that we can construct polynomials of degree d having a common root (mod N), where the number of such polynomials and the size of the coefficients can be precisely determined.