# Joachim von zur Gathen, University of Bonn | Uni Bonn · Institute for Computer Science and B-IT

Joachim von zur Gathen

Dr. phil., Universität Zürich, 1980

## About

- Publications: 201
- Reads: 34,464
- Citations (since 2017): 5,789

## Publications

Publications (201)

In the area of symbolic-numerical computation within computer algebra, an interesting question is how “close” a random input is to the “critical” ones. Examples are the singular matrices in linear algebra or the polynomials with multiple roots for Newton's root-finding method. Bounds, sometimes very precise, are known for the volumes over R or C of...

The usual univariate interpolation problem of finding a monic polynomial f of degree n that interpolates n given values is well understood. This paper studies a variant where f is required to be composite, say, a composition of two polynomials of degrees d and e, respectively, with de=n, and therefore d+e-1 given values. Some special cases are easy...

We report on experiments with selected software and hardware (pseudo)random generators under controlled conditions and compare their throughput and consumed entropy. In software, we distinguish between number theoretic generators (which come with corresponding security reductions) and generators based on AES. True random generators covered by our s...

The functional (de)composition of polynomials is a topic in pure and computer algebra with many applications. The structure of decompositions of (suitably normalized) polynomials f=g∘h in F[x] over a field F is well understood in many cases, but less well when the degree of f is divisible by the positive characteristic p of F. This work investigate...

The functional (de)composition of polynomials is a topic in pure and computer algebra with many applications. The structure of decompositions of (suitably normalized) polynomials f(x) = g(h(x)) in F[x] over a field F is well understood in many cases, but less well when the degree of f is divisible by the positive characteristic p of F. This work in...

For an affine variety X defined over a finite prime field F_p and some integer h, we consider the discrete h-neighborhood of the set of F_p-rational points, consisting of those points over F_p whose distance from X is not more than h, for a natural notion of "distance". There is a natural upper bound on its size. We address the question whether the...

We apply a common measure of randomness, the entropy, in the context of iterated functions on a finite set with n elements. For a permutation, it turns out that this entropy is asymptotically (for a growing number of iterations) close to 2 \log_2(n) minus the entropy of the vector of its cycle lengths. For general functions, a similar approximation...

In the ElGamal signature and encryption schemes, an element $x$ of the underlying group $G = \mathbb{Z}_p^\times = \{1, \ldots, p-1 \}$ for a prime $p$ is also considered as an exponent, for example in $g^x$, where $g$ is a generator of G. This ElGamal map $x \mapsto g^x$ is poorly understood, and one may wonder whether it has some randomness prope...

There have been attempts to approximate the entropy of English by frequency analysis of large corpora. Our original goal was to deduce more precise estimates by extensive calculations. This did not work well, thus confirming a widely held belief in linguistics. In order to put this belief on a firm basis, we used a simplified language model, closel...

This paper deals with properties of the algebraic variety defined as the set
of zeros of a "typical" sequence of polynomials. We consider various types of
"nice" varieties: set-theoretic and ideal-theoretic complete intersections,
absolutely irreducible ones, and nonsingular ones. For these types, we present
a nonzero "obstruction" polynomial of ex...

Random numbers and random bit strings are essential in many areas of computer science, from sorting, routing in networks, and computer algebra to cryptography. Most computer systems provide a function like rand that delivers elements which look “random” in some sense. However, it is hard to come up with a practical and inexpensive way to generate t...

In an interactive proof system, a prover called Paula knows some fact and tries to convince a verifier Victor of its truth. This might be some property of a secret key, say, that its least bit is 0.

There is no single event that decided the outcome of the First World War 1914–1918. But the entry of the USA as a belligerent—after long hesitation—was a decisive factor in the success of the Entente, originally led by France and Great Britain. And the (in)famous telegram discussed in this paper played a role in changing the anti-war attitude in la...

We have seen a large diversity of topics in this text, but they all have one aspect in common: they are somehow related to things you can do on your computer at home. We now leave this homely world and discuss a new type of computation, namely quantum computing.

Encrypted messages usually contain funny symbols or jumbled letters which give away their nature. In steganography, one tries to hide even the fact that the message carries hidden information. Secret inks were popular through the centuries, and today we have steganographic techniques that try to hide information in digital files.

Publishing results is a major goal of active researchers in most sciences. Not so in cryptography: some of the top work remains secret, at least for a while. We now describe some of the contributors to cryptography BDH (before Diffie & Hellman). Others have played a role in this text before, among them Caesar, Augustus, Vigenère, Alberti, Porta, Ve...

This chapter starts with a look at some of the most popular cryptosystems. The description in this chapter focusses on the fundamental properties and leaves out some details, in particular proofs why certain things work the way they do. The complete underpinnings for these methods are provided in later chapters.

This chapter presents some historical examples of key addition systems. These are easy to describe with our modern notion of modular arithmetic.

Alongside RSA, the most important practical tools for asymmetric (public key) cryptography are protocols that work in groups.

This chapter discusses a class of groups called elliptic curves, which arise from algebraic geometry. We can compute efficiently in them and, in general, only the slow generic algorithms for discrete logarithms (Section 4.9) are known.

In this chapter, we discuss two attacks on “Boolean” cryptosystems, that is, on systems which employ sequences of operations on bits and bytes, but do not work in a “large” algebraic structure, as RSA and group cryptography do.

Chapter 6 presents two general attacks on Boolean cryptosystems. Once such attacks are known, cryptographers have to design systems that resist them.

When we meet people face-to-face, we usually either know who they are or they are introduced to us by someone whom we know. Things are different in the e-world.

Letters, words, and other pieces of text are changed by a substitution into a different piece. This creates confusion. A completely different effect is obtained by transpositions, which move the pieces around in a text without changing them individually; this creates diffusion. Suitably combined and generalized, these two operations form the basis...

Stars and starlets, luminaries and dignitaries from all scenes have tried their hand at cryptography, or somehow used it for their purposes. This chapter tells some anecdotes about nonprofessional users of cryptography. Several of them are well-known for their exploits in some other field.

The methods we discuss in this chapter deal with computational aspects of the geometry of numbers, a mathematical theory initiated by Hermann Minkowski in the 1890s.

This text is an introduction to cryptology, whose objective is to provide various aspects of security in electronic transactions. It consists of cryptography—the art of making secure systems—and cryptanalysis—the art of breaking them.

Esteemed as “le chiffre indéchiffrable”, the Vigenère cipher was considered unbreakable for over three centuries. Its workings and arithmetic nature have been explained in Example A.2 (v) and Chapter B. We now present an attack from 1863 which brings the system to its knees. However, it did not really diminish the system’s popularity, and the ciphe...

The purpose of a hash function is to distill a small amount of information out of large messages. But the amount has to be large enough so that it (usually) identifies the message uniquely. One requirement for cryptography is that it should be computationally hard for an adversary to generate two different messages with the same hash value.

Simple substitutions generalize the Caesar cipher. One step further are the nomenclators and codebooks, which we present in this chapter. They work like simple substitutions, except that they have much larger alphabets: not just letters, but also digrams, syllables, words, and names of people and places. Examples exist already from the 14th century,...

For electronic business transactions over the internet, it is important to have a system for legally binding digital contracts. In a traditional paperbound agreement between two parties, both get a copy of the agreement signed by both parties. If a dispute arises later, there is a finely tuned legal system to deal with this. Courts will hold both s...

For most of this text we are concerned with “modern” cryptography, whose current development started in the 1970s.

ENIGMA, Turing, COLOSSUS: what memorable names! How they shine compared to bland technocratic acronyms like RSA, DSA, or AES!

The meeting place of algebra and computer science is called computer algebra. We refer to von zur Gathen & Gerhard (2013) for a comprehensive introduction to it.

The present chapter is devoted to the background required for a better understanding of RSA. The first section proves that the system works correctly.

Most integers are composite and most univariate polynomials over a finite field are reducible. The Prime Number Theorem and a classical result of Gauß count the remaining ones, approximately and exactly. For polynomials in two or more variables, the situation changes dramatically. Most multivariate polynomials are irreducible. This survey presents...

We estimate the density of tubes around the algebraic variety of decomposable
univariate polynomials over the real and the complex numbers.

Given two sets $A$ and $B$ of integers, we consider the problem of finding a set $S \subseteq A$ of the smallest possible cardinality such that the greatest common divisor of the elements of $S \cup B$ equals that of those of $A \cup B$. The particular cases of $B = \emptyset$ and $\#B = 1$ are of special interest and have some links with graph theory....

Safe primes and safe RSA moduli are used in several cryptographic
schemes. The most common notion is that of a prime p, where
is also prime. The latter is then a Sophie Germain prime.
Under appropriate heuristics, they exist in abundance and
can be generated efficiently. But the modern methods of analytic
number theory have – so far – not even allo...

Ritt's Second Theorem deals with composition collisions g o h = g* o h* of
univariate polynomials over a field, where deg g = deg h*. Joseph Fels Ritt
(1922) presented two types of such decompositions. His main result here is that
these comprise all possibilities, up to some linear transformations. Because of
these transformations, the result has b...

"Most" hypersurfaces in projective space are irreducible, and rather precise
estimates are known for the probability that a random hypersurface over a
finite field is reducible. This paper considers the parametrization of space
curves by the appropriate Chow variety, and provides bounds on the probability
that a random curve over a finite field is...

A univariate polynomial f over a field is decomposable if it is the composition f=g∘h of two polynomials g and h whose degree is at least 2. The tame case, where the field characteristic p does not divide the degree n of f, is reasonably well understood. The wild case, where p divides n, is more challenging. We present an efficient algorithm f...

The fastest algorithms for factoring a univariate polynomial f of degree n over a finite field use a baby-step/giant-step approach. The set {1,…,n} of potential factor degrees is partitioned into intervals. In a first stage, for each interval the product of all irreducible factors with degree in the interval is determined, generalizing the method o...

A univariate polynomial f over a field is decomposable if f = g o h = g(h)
for nonlinear polynomials g and h. In order to count the decomposables, one has
to know the number of equal-degree collisions, that is f = g o h = g^* o h^*
with (g,h) != (g^*, h^*) and deg(g) = deg(g^*). Such collisions only occur in
the wild case, where the field character...

We consider the following computational problem: we are given two coprime univariate polynomials f0 and f1 over a ring R and want to find whether after a small perturbation we can achieve a large gcd. We solve this problem in polynomial time for two notions of “large” (and “small”): large degree (when R=F is an arbitrary field, in the gener...

The functional decomposition of polynomials has been a topic of great interest and importance in pure and computer algebra and their applications. The structure of compositions of (suitably normalized) polynomials f=g(h) over finite fields is well understood in many cases, but quite poorly when the degrees of both components are divisible by the ch...

We consider the composition f = g o h of two systems g = (g0, ..., gt) and h = (h0, ..., hs) of homogeneous multivariate polynomials over a field K, where each gj ∈ K[y0, ..., ys] has degree ℓ, each hk ∈ K[x0, ..., xr] has degree m, and fi = gi(h0, ..., hs) ∈ K[x0, ..., xr] has degree n = ℓ · m, for 0 ≤ i ≤ t. The motivation of this paper is to...

The functional decomposition of polynomials has been a topic of great interest and importance in pure and computer algebra and their applications. The structure of compositions of (suitably normalized) polynomials f = g o h in Fq[x] is well understood in many cases, but quite poorly when the degrees of both components are divisible by the character...

Ritt's Second Theorem deals with compositions g • h = g * • h * of univariate polynomials over a field, where deg g = deg h * . Joseph Fels Ritt (1922) presented two types of such decompositions. His main result here is that these comprise all possibilities, up to some linear transformations. A recently established normal form describes Ritt's comp...

We present counting methods for some special classes of multivariate
polynomials over a finite field, namely the reducible ones, the s-powerful ones
(divisible by the s-th power of a nonconstant polynomial), and the relatively
irreducible ones (irreducible but reducible over an extension field). One
approach employs generating functions, another on...

We show how to accelerate the subset sum pseudorandom number generator with arbitrary weights. Some special choices of weights speed up the naive usage of this generator without losing the property of uniform distribution which has recently been established in the general case. Our results confirm that this generator can be useful for both cryptogr...

A univariate polynomial f over a field is decomposable if it is the composition f = g ∘ h of two polynomials g and h whose degree is at least 2. We determine an approximation to the number of decomposable polynomials over a finite field. The tame case, where the field characteristic p does not divide the degree n of f, is reasonably well understood...

Computational Complexity Theory is the mathematical study of the intrinsic power and limitations of computational resources like time, space, or randomness. The current workshop focused on recent developments in various sub-areas including arithmetic complexity, Boolean complexity, communication complexity, cryptography, probabilistic proof systems...

A univariate polynomial f over a field is decomposable if it is the composition f = g(h) of two polynomials g and h whose degree is at least 2. We determine the dimension (over an algebraically closed field) of the set of decomposables, and an approximation to their number over a finite field. The tame case, where the field characteristic p does no...

A polynomial f (multivariate over a field) is decomposable if f = g(h) with g univariate of degree at least 2. We determine the dimension (over an algebraically closed field) of the set of decomposables, and an approximation to their number over a finite field. The relative error in our approximations is exponentially decaying in the input size. Co...

Among the bivariate polynomials over a finite field, most are irreducible. We count some classes of special polynomials, namely the reducible ones, those with a square factor, the “relatively irreducible” ones which are irreducible but factor over an extension field, and the singular ones, which have a root at which both partial derivatives vanish.

We consider the following computational problem: we are given two coprime univariate polynomials f0 and f1 over a ring \(\mathcal{R}\) and want to find whether after a small perturbation we can achieve a large gcd. We solve this problem in polynomial time for two notions of “large” (and “small”): large degree (when \(\mathcal{R} = \mathbb{F}\) is...

In this paper we propose a new structure for multiplication using optimal normal bases of type 2. The multiplier uses an efficient linear transformation to convert the normal basis representations of elements of \(\mathbb{F}_{q^{n}}\) to suitable polynomials of degree at most n over \(\mathbb{F}_{q}\). These polynomials are multiplied using any met...

The low weight polynomial multiple problem arises in the context of stream cipher cryptanalysis and of efficient finite field arithmetic, and is believed to be difficult. It can be formulated as follows: given a polynomial f ∈ F2(X) of degree d, and a bound n, the task is to find a low weight multiple of f of degree at most n. The best algorithm...

This article presents the original draft of the Zimmermann telegram from 1917 in facsimile. Its various annotations provide interesting insights, such as the idea to promise California to Japan and instructions concerning transmission and encryption. Further documents clarify how the telegram was sent and put various alternatives suggested in the...

Among the bivariate polynomials over a finite field, most are irreducible. We count some classes of special polynomials, namely the reducible ones, those with a square factor, the "relatively irreducible" ones which are irreducible but factor over an extension field, and the singular ones, which have a root at which both partial derivatives vanish.

We show that for arbitrary positive integers a1, ..., am with probability 6/π² + o(1), the gcd of two linear combinations of these integers with rather small random integer coefficients coincides with gcd(a1, ..., am). This naturally leads to a probabilistic algorithm for computing the gcd of several integers, with probability 6/π² + o(1), via...

One of the long-standing open questions in the theory of parallel computation is the parallel complexity of the integer gcd and related problems, such as modular inversion. We present a lower bound Ω(log n) for the CREW PRAM complexity for inversion modulo certain n-bit integers, including all such primes. For infinitely many moduli, our lower boun...

We study different possibilities of implementing Karatsuba multipliers for polynomials over F 2 on Field Programmable Gate Arrays (FPGAs). This is a core task for implementing finite fields of characteristic 2. Algorithmic and platform dependent optimizations yield efficient hardware designs. The resulting structure is hybrid in two different aspec...

A survey of parallel algorithms for algebraic problems is presented.

We present a probabilistic algorithm that finds the irreducible factors of a bivariate polynomial with coefficients from a finite field in time polynomial in the input size, i.e. in the degree of the polynomial and log (cardinality of field). The algorithm generalizes to multivariate polynomials and has polynomial running time for densely encoded i...

We show that Gauss periods of special type give an explicit polynomial-time construction of elements of exponentially large multiplicative order in some finite fields. It can be considered as a step towards solving the celebrated problem of finding primitive roots in finite fields in polynomial time.

Several methods of computing irreducible polynomials over finite fields are presented. If preprocessing, depending only on p, is allowed for free, then an irreducible polynomial of degree at least n over Zp can be computed deterministically with O(n log p), i.e. O(output size), bit operations. The estimates for the preprocessing time depend on unp...

Can we be - algebraically - exact about something approximate? We may, in the first instance, reject vigorously this seemingly 'indecent' thought. However, we should realize that the addition of the - from an applications point of view suggestive - adjective ...

We study different possibilities of implementing Karatsuba multipliers for polynomials over F2 on Field Programmable Gate Arrays (FPGAs). This is a core task for implementing finite fields of characteristic 2. Algorithmic and platform dependent optimizations yield efficient hardware designs. The resulting structure is hybrid in...

We consider the subset sum pseudorandom generator, introduced by Rueppel and Massey in 1985 and given by a linearly recurrent bit sequence u0, u1, ... of order n over ℤ2, and weights w = (w0, ..., w(n−1)) ∈ R^n for some ring R. The rings R = ℤm are of particular interest. The ith value produced by this generator is the sum of u(i+j) · wj over 0 ≤ j < n. It is...

We discuss two different ways to speed up exponentiation in nonprime finite
fields: on the one hand, reduction of the total number of operations, and on the
other hand, fast computation of a single operation. Two data
structures are particularly useful: sparse irreducible polynomials
and normal bases. We report on implementation results
for our met...

We show that for arbitrary positive integers a1, ..., am, with probability at least 6/π² + o(1), the gcd of two linear combinations of these integers with rather small random integer coefficients coincides with gcd(a1, ..., am). This naturally leads to a probabilistic algorithm for computing the gcd of several integers, with probability at...

A selective classified bibliography of symbolic computation in some areas of chemistry is provided together with some examples of computer algebra algorithms and techniques to facilitate future joint work of chemists and computer scientists. © 2004 Wiley Periodicals, Inc. Int J Quantum Chem, 2004

Much of modern cryptography relies on arithmetic—from RSA and elliptic curves to the AES. A little-known book by Comiers, published in 1690, seems to be the first recorded systematic use of arithmetic in cryptography. David Kahn's authoritative The Codebreakers mentions another work whose title links algebra and cryptography—“by a German, F. J. Buc...

We study exponentiation in nonprime finite fields with very special exponents such as they occur, for example, in inversion, primitivity tests, and polynomial factorization. Our algorithmic approach improves the corresponding exponentiation problem from about quadratic to about linear time.

We show how to apply fast arithmetic in conjunction with general Gauß periods in finite fields. This is an essential ingredient for some efficient exponentiation algorithms.

We introduce a new model of “generic discrete log algorithms” based on arithmetic circuits. It is conceptually simpler than
previous ones, is actually applicable to the natural representations of the popular groups, and we can derive upper and lower
bounds that differ only by a constant factor, namely 10.

We are given an unknown polynomial f ∈ ℤ[x] by a black box which on input a ∈ ℤ returns a value ra · f(a) for some unknown nonzero rational number ra. If we have appropriate upper bounds on the numerator and denominator of ra and the degree of f, then the coefficients of f can be computed in probabilistic polynomial time.

A necessary condition for irreducibility of a trinomial over a finite field, based on classical results of Stickelberger and Swan, is established. It is applied in the special case F3, and some experimental discoveries are reported.

In 1690, the blind French author Claude Comiers described the Vigenère cipher as addition of a key to the plaintext, modulo the alphabet size. The concept of modular arithmetic was then unknown, but Comiers was well aware of its cyclic nature. This seems to be the earliest description of a cryptosystem in arithmetic terms.

For many applications from the areas of cryptography and coding, finite field multiplication is the most resource and time consuming operation. We have designed and optimized four high performance parallel GF(2^233) multipliers, for an FPGA realization, and analyzed the time and area complexities. One of the multipliers uses a new hybrid...

We study various combinatorial complexity measures of Boolean functions related to some natural arithmetic problems about binary polynomials, that is, polynomials over $\mathbb{F}_2$. In particular, we consider the Boolean function deciding whether a given polynomial over $\mathbb{F}_2$ is squarefree. We obtain an exponential lower bound o...

In this paper, we discuss several notions of decomposition for multivariate polynomials, focusing on the relation with Lüroth’s theorem in field theory, and the finiteness and uniqueness of decompositions. We also present two polynomial time algorithms for decomposing (sparse) multivariate polynomials over an arbitrary field. This is the “full vers...

We solve two computational problems concerning plane algebraic curves over finite fields: generating a uniformly random point, and finding all points deterministically in amortized polynomial time (over a prime field, for nonexceptional curves).

Subresultants and polynomial remainder sequences are an important tool in polynomial computer algebra. In this survey, we sketch the history, formalize a unified framework for the various notions, derive a number of results from the early 1970s within our framework, and report on implementations.

For each natural number n we determine the average order #(n) of the elements in a cyclic group of order n. We show that a large fraction of the contribution to #(n) comes from the #(n) primitive elements of order n. It is therefore of interest to study also the function #(n) = #(n)/#(n). We determine the mean behavior of #, #, 1/#, and also consid...

Finite field arithmetic forms the mathematical basis for a variety of applications from the area of cryptography and coding. For finite fields of large extension degrees (as for cryptography), arithmetic operations are computation intensive and require dedicated hardware support under given timing constraints. We present a new architecture of a hig...

Joachim von zur Gathen and Thomas Lücking, FB Mathematik-Informatik, Universität Paderborn, 33095 Paderborn, Germany, {gathen,luck}@upb.de. 1 Introduction. 1.1 Historical context. The Euclidean Algorithm was first documented by Euclid (320-275 BC). Knuth (1981), p. 318, writes: “We might call it the granddaddy of all algorithms, because it is the oldest nontriv...

Computer algebra systems are now ubiquitous in all areas of science and engineering. This highly successful textbook, widely regarded as the 'bible of computer algebra', gives a thorough introduction to the algorithmic basis of the mathematical engine in computer algebra systems. Designed to accompany one- or two-semester courses for advanced under...

About two thirds, or 480 pages, of Knuth’s [Knuth 1998] volume on Seminumerical Algorithms are devoted to Chapter 4, entitled Arithmetic. He states: Research on seminumerical algorithms continues at a phenomenal rate. They are called seminumerical because they lie on the borderline between numeric and symbolic calculation. Each algorithm not only compu...

We describe an authentication scheme whose security is based on the hardness of finding roots of systems of sparse polynomial equations in many variables and of high degree. One of the new ideas is the use of many keys. In one authentication session, a small amount of information about only one of them, chosen randomly, is released; this may be use...

We describe algorithms for polynomial factorization over the binary field F-2, and their implementation. They allow polynomials of degree up to 250 000 to be factored in about one day of CPU time, distributing the work on two processors.