A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic

EUROCRYPT, pp. 1-16, 2014.

Keywords:
cryptography, medium prime case, discrete logarithm problem, small characteristic, function field sieve

Abstract:

The difficulty of computing discrete logarithms in fields $\mathbb{F}_{q^k}$ depends on the relative sizes of k and q. Until recently all the cases had a sub-exponential complexity of type L(1/3), similar to the factorization problem. In 2013, Joux designed a new algorithm with a complexity of L(1/4 + ) in small characteristic. In the same spirit, we pr...

Introduction
  • The discrete logarithm problem (DLP) was first proposed as a hard problem in cryptography in the seminal article of Diffie and Hellman [7].
  • Together with factorization, it has become one of the two major pillars of public key cryptography.
  • The problem of computing discrete logarithms has attracted a lot of attention.
  • A first major advance was the realization that the DLP in finite fields can be solved in subexponential time, i.e. L(1/2) where LN (α) = exp O(α1−α).
  • A further step reduced this to a heuristic L(1/3) running time in the full range of finite fields, from fixed characteristic finite fields to prime fields [2,6,11,3,17,18].
Highlights
  • The discrete logarithm problem (DLP) was first proposed as a hard problem in cryptography in the seminal article of Diffie and Hellman [7]
  • A first major advance was the realization that the discrete logarithm problem in finite fields can be solved in subexponential time, i.e. L(1/2) where LN (α) = exp O(α1−α)
  • The algorithm presented in this article achieves a significant improvement of the asymptotic complexity of discrete logarithm in finite fields, in almost the whole range of parameters where the Function Field Sieve was presently the most competitive algorithm
Conclusion
  • The algorithm presented in this article achieves a significant improvement of the asymptotic complexity of discrete logarithm in finite fields, in almost the whole range of parameters where the Function Field Sieve was presently the most competitive algorithm.
  • The authors note that the analysis of the algorithm presented here is heuristic, as discussed in Section 5.
  • It seems plausible to have the validity of the algorithm rely on the sole heuristic of the validity of the smoothness estimates.
  • One of the key factors which hinders the practical efficiency of this algorithm is the $O(q^2 D)$ arity of the descent tree, compared to the $O(q)$ arity achieved by techniques based on Gröbner bases [15] at the expense of an L(1/4 + ) complexity.
  • By estimating the time required to compute discrete logarithms in $\mathbb{F}_{3^{6\cdot 509}}$, they showed the weakness of some pairing-based cryptosystems.
Tables
  • Table 1: Prime factors appearing in determinant of random square submatrices of H (for one given set of random trials)
Reference
  • Adj, G., Menezes, A., Oliveira, T., Rodríguez-Henríquez, F.: Weakness of $\mathbb{F}_{3^{6\cdot 509}}$ for discrete logarithm cryptography. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 20–44. Springer, Heidelberg (2014)
  • Adleman, L.: A subexponential algorithm for the discrete logarithm problem with applications to cryptography. In: 20th Annual Symposium on Foundations of Computer Science, pp. 55–60. IEEE (1979)
  • Adleman, L.: The function field sieve. In: Huang, M.-D.A., Adleman, L.M. (eds.) ANTS 1994. LNCS, vol. 877, pp. 108–121. Springer, Heidelberg (1994)
  • Blake, I.F., Fuji-Hara, R., Mullin, R.C., Vanstone, S.A.: Computing logarithms in finite fields of characteristic two. SIAM J. Alg. Disc. Meth. 5(2), 276–285 (1984)
  • Cheng, Q., Wan, D., Zhuang, J.: Traps to the BGJT-algorithm for discrete logarithms. Cryptology ePrint Archive, Report 2013/673 (2013), http://eprint.iacr.org/2013/673/
  • Coppersmith, D.: Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory 30(4), 587–594 (1984)
  • Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)
  • Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: Discrete logarithm in GF($2^{1971}$) (February 2013), Announcement to the NMBRTHRY list
  • Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: Discrete logarithm in GF($2^{6120}$) (April 2013), Announcement to the NMBRTHRY list
  • Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: On the Function Field Sieve and the Impact of Higher Splitting Probabilities. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 109–128. Springer, Heidelberg (2013)
  • Gordon, D.M.: Discrete logarithms in GF(p) using the number field sieve. SIAM Journal on Discrete Mathematics 6(1), 124–138 (1993)
  • Joux, A.: Discrete logarithm in GF($2^{1778}$) (February 2013), Announcement to the NMBRTHRY list
  • Joux, A.: Discrete logarithm in GF($2^{4080}$) (March 2013), Announcement to the NMBRTHRY list
  • Joux, A.: Discrete logarithm in GF($2^{6168}$) (May 2013), Announcement to the NMBRTHRY list
  • Joux, A.: Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 177–193. Springer, Heidelberg (2013)
  • Joux, A.: A new index calculus algorithm with complexity L(1/4 + o(1)) in very small characteristic. Cryptology ePrint Archive, Report 2013/095 (2013)
  • Joux, A., Lercier, R.: The function field sieve in the medium prime case. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 254–270. Springer, Heidelberg (2006)
  • Joux, A., Lercier, R., Smart, N., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006)
  • Panario, D., Gourdon, X., Flajolet, P.: An analytic approach to smooth polynomials over finite fields. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 226–236. Springer, Heidelberg (1998)
  • Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory 24(1), 106–110 (1978)
  • Stinson, D.R.: Combinatorial designs: constructions and analysis. Springer (2003)