# A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic

EUROCRYPT, pp. 1-16, 2014.


Keywords:

cryptography, medium prime case, discrete logarithm problem, small characteristic, function field sieve


Abstract:

The difficulty of computing discrete logarithms in fields F_{q^k} depends on the relative sizes of k and q. Until recently all the cases had a sub-exponential complexity of type L(1/3), similar to the factorization problem. In 2013, Joux designed a new algorithm with a complexity of L(1/4 + ) in small characteristic. In the same spirit, we pr...


Introduction

- The discrete logarithm problem (DLP) was first proposed as a hard problem in cryptography in the seminal article of Diffie and Hellman [7].
- Together with factorization, it has become one of the two major pillars of public key cryptography.
- The problem of computing discrete logarithms has attracted a lot of attention.
- A first major progress was the realization that the DLP in finite fields can be solved in subexponential time, i.e. L(1/2) where LN (α) = exp O(α1−α).
- The next step further reduced this to a heuristic L(1/3) running time in the full range of finite fields, from fixed characteristic finite fields to prime fields [2,6,11,3,17,18].

Highlights

- The discrete logarithm problem (DLP) was first proposed as a hard problem in cryptography in the seminal article of Diffie and Hellman [7]
- A first major progress was the realization that the discrete logarithm problem in finite fields can be solved in subexponential time, i.e. L(1/2) where LN (α) = exp O(α1−α)
- The algorithm presented in this article achieves a significant improvement of the asymptotic complexity of discrete logarithm in finite fields, in almost the whole range of parameters where the Function Field Sieve was presently the most competitive algorithm

Conclusion

- The algorithm presented in this article achieves a significant improvement of the asymptotic complexity of discrete logarithm in finite fields, in almost the whole range of parameters where the Function Field Sieve was presently the most competitive algorithm.
- The authors note that the analysis of the algorithm presented here is heuristic, as discussed in Section 5.
- It seems plausible to have the validity of the algorithm rely on the sole heuristic of the validity of the smoothness estimates.
- One of the key factors which hinders the practical efficiency of this algorithm is the O(q^2 D) arity of the descent tree, compared to the O(q) arity achieved by techniques based on Gröbner bases [15] at the expense of a L(1/4 + ) complexity.
- By estimating the time required to compute discrete logarithms in F_{3^{6·509}}, they showed the weakness of some pairing-based cryptosystems.


- Table 1: Prime factors appearing in determinant of random square submatrices of H (for one given set of random trials)

Reference

- Adj, G., Menezes, A., Oliveira, T., Rodríguez-Henríquez, F.: Weakness of F_{3^{6·509}} for discrete logarithm cryptography. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 20–44. Springer, Heidelberg (2014)
- Adleman, L.: A subexponential algorithm for the discrete logarithm problem with applications to cryptography. In: 20th Annual Symposium on Foundations of Computer Science, pp. 55–60. IEEE (1979)
- Adleman, L.: The function field sieve. In: Huang, M.-D.A., Adleman, L.M. (eds.) ANTS 1994. LNCS, vol. 877, pp. 108–121. Springer, Heidelberg (1994)
- Blake, I.F., Fuji-Hara, R., Mullin, R.C., Vanstone, S.A.: Computing logarithms in finite fields of characteristic two. SIAM J. Alg. Disc. Meth. 5(2), 276–285 (1984)
- Cheng, Q., Wan, D., Zhuang, J.: Traps to the BGJT-algorithm for discrete logarithms. Cryptology ePrint Archive, Report 2013/673 (2013), http://eprint.iacr.org/2013/673/
- Coppersmith, D.: Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory 30(4), 587–594 (1984)
- Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)
- Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: Discrete logarithm in GF(2^1971) (February 2013), Announcement to the NMBRTHRY list
- Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: Discrete logarithm in GF(2^6120) (April 2013), Announcement to the NMBRTHRY list
- Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: On the Function Field Sieve and the Impact of Higher Splitting Probabilities. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 109–128. Springer, Heidelberg (2013)
- Gordon, D.M.: Discrete logarithms in GF(p) using the number field sieve. SIAM Journal on Discrete Mathematics 6(1), 124–138 (1993)
- Joux, A.: Discrete logarithm in GF(2^1778) (February 2013), Announcement to the NMBRTHRY list
- Joux, A.: Discrete logarithm in GF(2^4080) (March 2013), Announcement to the NMBRTHRY list
- Joux, A.: Discrete logarithm in GF(2^6168) (May 2013), Announcement to the NMBRTHRY list
- Joux, A.: Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 177–193. Springer, Heidelberg (2013)
- Joux, A.: A new index calculus algorithm with complexity L(1/4 + o(1)) in very small characteristic. Cryptology ePrint Archive, Report 2013/095 (2013)
- Joux, A., Lercier, R.: The function field sieve in the medium prime case. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 254–270. Springer, Heidelberg (2006)
- Joux, A., Lercier, R., Smart, N., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006)
- Panario, D., Gourdon, X., Flajolet, P.: An analytic approach to smooth polynomials over finite fields. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 226–236. Springer, Heidelberg (1998)
- Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory 24(1), 106–110 (1978)
- Stinson, D.R.: Combinatorial designs: constructions and analysis. Springer (2003)
