Newsgroups: sci.crypt
Path: msuinfo!caen!sdd.hp.com!cs.utexas.edu!qt.cs.utexas.edu!yale.edu!jvnc.net!darwin.sura.net!gatech!news.ans.net!yktnews!admin!yktnews!victor
From: victor@watson.ibm.com (Victor Miller)
Subject: Re: Discrete log question (was Re: Field Elliptical Encryption)
Sender: news@watson.ibm.com (NNTP News Poster)
Message-ID: <VICTOR.92Feb3145001@irt.watson.ibm.com>
In-Reply-To: victor@watson.ibm.com's message of Mon, 3 Feb 1992 16:36:33 GMT
Date: Mon, 3 Feb 1992 19:50:01 GMT
Reply-To: victor@watson.ibm.com
Disclaimer: This posting represents the poster's views, not necessarily those of IBM
References: <1992Jan29.003819.26360@msuinfo.cl.msu.edu>
	<VICTOR.92Jan31185659@irt.watson.ibm.com>
	<1992Feb3.150650.7565@cunixf.cc.columbia.edu>
	<VICTOR.92Feb3113633@irt.watson.ibm.com>
Nntp-Posting-Host: irt.watson.ibm.com
Organization: IBM, T.J. Watson Research Center

I should add to my last posting.  First, my paper on "Use of Elliptic
Curves in Cryptography" is in Advances in Cryptology -- Crypto '85,
edited by Hugh C. Williams, Springer Lecture Notes in Computer Science
number 218, on pages 417-426.  Also, instead of the baby step giant
step algorithm (which needs space about sqrt(p)) it is probably more
practical to use a variant of the Pollard rho method (Pollard, "Monte
Carlo Methods for Index computation", Math. Comp.,32 (1978), 918-924).

Also there was a typo in my last posting:

L[1;x] where L[a;x] = exp(sqrt(log x)^a (log log x)^{1-a}).


I meant to say L[1/2;x] where L[a;x] = exp((log x)^a (log log
x)^{1-a}).  Recent results of Coppersmith and Dan Gordon have brought
this figure down to L[1/3;x] where we are working in a finite field of
small characteristic (usually 2 -- Coppersmith) and finite fields
Z mod primes (D. Gordon -- using the number field sieve).  The former
is very practical, the latter isn't (as of yet).
--
			Victor S. Miller
			Vnet and Bitnet:  VICTOR at WATSON
			Internet: victor@watson.ibm.com
			IBM, TJ Watson Research Center
