Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Size: px

Start display at page:

Download "Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)"

Teresa Singleton
5 years ago
Views:

1 Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team École Polytechnique / LIX ECC 2015, Sept. 28th Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

2 Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

3 Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

4 Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Thousands of individual log computation < 1 min each Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

5 Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Thousands of individual log computation < 1 min each Logjam: GF(q) = GF(p) (standardized) prime field Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

6 Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Thousands of individual log computation < 1 min each Logjam: GF(q) = GF(p) (standardized) prime field Pairing-based cryptosystems: GF(q) = GF(p 2 ), GF(p 6 ), GF(p 12 ) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

7 Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Thousands of individual log computation < 1 min each Logjam: GF(q) = GF(p) (standardized) prime field Pairing-based cryptosystems: GF(q) = GF(p 2 ), GF(p 6 ), GF(p 12 ) Could we compute individual discrete logs in GF(p 2 ), GF(p 6 ), GF(p 12 ) in less than 1 min? Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

8 DLP in the target group of pairing-friendly curves DLP in the target group of pairing-friendly curves Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

9 DLP in the target group of pairing-friendly curves Why DLP in finite fields F p 2, F p 3,...? In a subgroup G = g of order l, (g, x) g x is easy (polynomial time) (g, g x ) x is (in well-chosen subgroup) hard: DLP. pairing: G 1 G 2 G T E(F p ) E(F p k ) F p k where E/F p is a pairing-friendly curve G 1, G 2, G T of large prime order l (generic attacks in O( l): take e.g. 256-bit l) 1 k 12 embedding degree: very specific property (specific attacks (NFS): take 3072-bit p k ) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

10 DLP in the target group of pairing-friendly curves DL records in small characteristic Small characteristic: supersingular curves E/F 2 n: G T F 2 4n, E/F 3 m: G T F 3 6m Practical attacks (first one and most recent): Hayashi, Shimoyama, Shinohara, Takagi: GF( ) ( 923 bit field) (2012) Granger, Kleinjung, Zumbragel: GF( ), GF( ) (2014) Adj, Menezes, Oliveira, Rodríguez-Henríquez: GF(3 822 ), GF(3 978 ) (2014) Joux: GF( ) (with Pierrot, 2014), GF( ) (2013) Theoretical attacks: [Barbulescu Gaudry Joux Thomé 14] Quasi-Polynomial-time Algorithm (QPA)... Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

11 DLP in the target group of pairing-friendly curves Common used pairing-friendly curves Curves over prime fields E/F p where QPA does NOT apply (with log p log l 256 bits, s.t. k log p 3072) supersingular: G T F p 2 (log p = 1536) [Miyaji Nakabayashi Takano 01] (MNT): G T F p 3 (log p = 1024), F p 4 (log p = 768), F p 6 (log p = 512) [Barreto Naehrig 05] (BN): G T F p 12 (log p = 256, optimal) [Kachisa Schaefer Scott 08] (KSS): G T F p 18 (used for 192-bit security level: 384-bit l, log p = 512, k log p = 9216) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

12 DLP in the target group of pairing-friendly curves Theoretical attacks in non-small characteristic fields Variants of NFS, generic fields MNFS [Coppersmith 89]: F p, [Barbulescu Pierrot 14], [Pierrot 15]: F p k Specific to pairing target groups, when p = P(x 0 ), with deg P 2 [Joux Pierrot 13] [Barbulescu Gaudry Kleinjung 15] Tower NFS Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

13 DLP in the target group of pairing-friendly curves Theoretical attacks in non-small characteristic fields Variants of NFS, generic fields MNFS [Coppersmith 89]: F p, [Barbulescu Pierrot 14], [Pierrot 15]: F p k Specific to pairing target groups, when p = P(x 0 ), with deg P 2 [Joux Pierrot 13] [Barbulescu Gaudry Kleinjung 15] Tower NFS These attacks were not taken into account in the 3072-bit target field recommendation. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

14 DLP in the target group of pairing-friendly curves Last DL records, with the NFS-DL algorithm GF(p) GF(p 2 ), p 2 = q [BGGM15] Massive precomputation (d=core-day, y=core-year) [Logjam] 512-bit p: 10y 530-bit q: 0.2y GPU d [BGIJT14] 596-bit p: 131y 598-bit q: 0.75y + 18 GPU-d 175 faster Individual Discrete Log 512-bit p: 70s median 530-bit q : few d slow 768-bit p: 2d 600-bit q : few d slow [Logjam]: see weakdh.org [BGGM15]: Barbulescu, Gaudry, G., Morain [BGIJT14]: Bouvier, Gaudry, Imbert, Jeljeli, Thomé Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

15 DLP in the target group of pairing-friendly curves This talk: Faster individual discrete logarithm in F p k, especially k = 2, 3, 4, 6 Apply to pairing target group G T source code: part of Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

16 NFS Number Field Sieve algorithm NFS Number Field Sieve algorithm Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

17 NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k 1. Polynomial selection: compute f (x), g(x) with ϕ = gcd(f, g) (mod p) and F p k = F p [x]/(ϕ(x)) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

18 NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and F p k = F p [x]/(ϕ(x)) 2. Relation collection Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

19 NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and F p k = F p [x]/(ϕ(x)) 2. Relation collection 3. Linear algebra modulo l p k 1. here we know the discrete log of a subset of elements. log DB p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

20 NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and massive precomputation F p k = F p [x]/(ϕ(x)) 2. Relation collection 3. Linear algebra modulo l p k 1 here we know the discrete log of a subset of elements. log DB p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

21 NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and massive precomputation F p k = F p [x]/(ϕ(x)) 2. Relation collection 3. Linear algebra modulo l p k 1 here we know the discrete log of a subset of elements. log DB 1. Individual target discrete logarithm p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

22 NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and massive precomputation F p k = F p [x]/(ϕ(x)) 2. Relation collection 3. Linear algebra modulo l p k 1 here we know the discrete log of a subset of elements. log DB p i < B 0 1. Individual target discrete logarithm for each given DLP instance not so trivial this talk: pratical improvements very efficient for small k Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

23 NFS Number Field Sieve algorithm Example: [MNT01] parameters (explicitly advised to NOT use them) Polynomial selection: Conjugation method [BGGM15] k = 3, p = 12y , t = 6y 0 1, l p + 1 t = 12y y 0 + 2, with y 0 = f = 12x 6 24x 5 85x x x x + 12 ϕ y = g = x 3 yx 2 (y + 3)x 1, where y = y (ϕ y0 not irr.) = x x x 1 f (mod p) = 12ϕ y ϕ y = Res y (ϕ y, 12y 2 + 1) G = X + 6 F p 3 = F p [X ]/(ϕ(x )) randomized target T = t 0 + t 1 X + t 2 X 2 F p 3 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

24 NFS Number Field Sieve algorithm Preimage in Z[x]/(f (x)) and ρ map randomized target T = t 0 + t 1 X + t 2 X 2 F p = F 3 p [X ]/(ϕ(x )) Most simple preimage T choice: T = t 0 + t 1 x + t 2 x 2 Z[x]/(f (x)), with t i t i (mod p). We can always choose T s.t. t i < p deg T < deg f Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

25 NFS Number Field Sieve algorithm Preimage in Z[x]/(f (x)) and ρ map randomized target T = t 0 + t 1 X + t 2 X 2 F p = F 3 p [X ]/(ϕ(x )) Most simple preimage T choice: T = t 0 + t 1 x + t 2 x 2 Z[x]/(f (x)), with t i t i (mod p). We can always choose T s.t. t i < p deg T < deg f We need ρ(t) = T (where ρ is simply a reduction modulo (ϕ, p)) when f (resp. g) is monic Z[x] Z[x]/(f (x)) ρ f : x z F p k = F p [z]/(ϕ(z)) Z[y]/(g(y)) ρ g : y z Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

26 NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

27 NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 1. booting step (a.k.a. smoothing step): DO 1.1 take t at random in {1,..., l 1} and set T = G t T 0 (hence log G (T 0 ) = log G (T ) t) 1.2 factorize Norm(T) = q 1 q }{{} i (elements in DL database), too large: B 0<q i B 1 UNTIL q i B 1 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

28 NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 1. booting step (a.k.a. smoothing step): DO 1.1 take t at random in {1,..., l 1} and set T = G t T 0 (hence log G (T 0 ) = log G (T ) t) 1.2 factorize Norm(T) = q 1 q }{{} i (elements in DL database), too large: B 0<q i B 1 UNTIL q i B 1 2. dedicated recursive procedure for each new q i : q i = r 1 r j (elements in the DL database) with r 1,..., r j < B j < q i < B i. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

29 NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 1. booting step (a.k.a. smoothing step): DO 1.1 take t at random in {1,..., l 1} and set T = G t T 0 (hence log G (T 0 ) = log G (T ) t) 1.2 factorize Norm(T) = q 1 q }{{} i (elements in DL database), too large: B 0<q i B 1 UNTIL q i B 1 2. dedicated recursive procedure for each new q i : q i = r 1 r j (elements in the DL database) with r 1,..., r j < B j < q i < B i. 3. log combination to find the individual target DL Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

30 NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 1. booting step (a.k.a. smoothing step): DO 1.1 take t at random in {1,..., l 1} and set T = G t T 0 (hence log G (T 0 ) = log G (T ) t) 1.2 factorize Norm(T) }{{} reduce this = q 1 q i }{{} too large: B 0<q i B 1 (elements in DL database), UNTIL q i B 1 2. dedicated recursive procedure for each new q i : q i = r 1 r j (elements in the DL database) with r 1,..., r j < B j < q i < B i. 3. log combination to find the individual target DL Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

31 Booting Step Booting Step Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

32 Booting Step Norm computation f monic, T = t 0 + t 1 x t d x d Z[x]/(f (x)), d < deg f : with f = max 1 i deg f f i Norm f (T) = Res(f, T) A T deg f f d Example: [MNT01], k = 3, deg g = 3, g = O(p 1/2 ) p = T = x x 2 f = 12x 6 24x 5 85x x x x + 12 g = x x x 1 Norm f (T)( T 6 f 2 ) = 1017bits p 6 Norm g (T)( T 3 g 2 ) = 665bits p 4 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

33 Booting Step Booting step complexity Given random target T 0 F p k, and G a generator of F p k repeat 1. take t at random in {1,..., l 1} and set T = g t T 0 2. factorize Norm(T) until it is B 1 -smooth: Norm(T) = q i B 1 q i p i B 0 p i L-notation: Q = p k, L Q [1/3, c] = e (c+o(1))(log Q)1/3 (log log Q) 2/3 for c > 0. Norm factorization done with ECM method, in time L B1 [1/2, 2] Lemma (Booting step running-time) if Norm(T) Q e, take B 1 = L Q [2/3, (e 2 /3) 1/3 ], then the running-time is L Q [1/3, (3e) 1/3 ] (and this is optimal). Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

34 Booting Step Booting step complexity F p : Norm(preimage) p = Q, running-time: L Q [1/3, 1.44] with B 1 = L Q [2/3, 0.69] [Commeine Semaev 06, Barbulescu 13] med. char. F p k, JLSV1 poly. select.: deg f = deg g = k, f = g = O(p 1/2 ), Norm(preimage) Q 3/2, running-time: L Q [1/3, 1.65], with B 1 = L Q [2/3, 0.91] [Joux Lercier Naccache Thomé 09, Barbulescu Pierrot 14] field F p F p k polynomial selec. gjl JLSV 1 Conj NFS dominating, c L Q [ 1 3, c], 512-bit Q Norm(T) < Q e = Q Q Q 3/2 Q time L Q [1/3, c], c nb of operations, 512-bit Q q i bound B Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

35 Optimizing the Preimage Computation Optimizing the Preimage Computation Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

36 Optimizing the Preimage Computation Preimage optimization f, deg f, f, g, deg g, g are given by the polynomial selection step (NFS-DL step 1) To reduce the norm, reduce T and/or reduce d = deg T Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

37 Optimizing the Preimage Computation Previous work F p : Rational Reconstruction. T Z/pZ, T is an integer < p. Rational Reconstruction gives T = u/v (mod p) with u, v < p booting step: we want u,v to be B 1 -smooth at the same time, instead of T to be B 1 -smooth. T is already split in two integers of half size each. [Blake Mullin Vanstone 84] Waterloo algorithm in F 2 [x]: T = U/V = u u d/2 x d/2 reduce degree v v d/2 x d/2 [Joux Lercier Smart Vercauteren 06] in F p k : T = U/V = u u d x d v v d x d, where u i, v i p 1/2 reduce coefficient size Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

38 Optimizing the Preimage Computation Previous work F p : Rational Reconstruction. T Z/pZ, T is an integer < p. Rational Reconstruction gives T = u/v (mod p) with u, v < p booting step: we want u,v to be B 1 -smooth at the same time, instead of T to be B 1 -smooth. T is already split in two integers of half size each. [Blake Mullin Vanstone 84] Waterloo algorithm in F 2 [x]: T = U/V = u u d/2 x d/2 reduce degree v v d/2 x d/2 [Joux Lercier Smart Vercauteren 06] in F p k : T = U/V = u u d x d v v d x d, where u i, v i p 1/2 reduce coefficient size How much is the booting step improved? Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

39 Optimizing the Preimage Computation Booting step: First experiments Commonly assumed: launch at morning coffee... finished for afternoon tea. F p bits was easy (BGGM15 record), as fast as for F p (< one day) F p 3 F p 4 What happened? 400 bits and MNT 508 bits were much slower (days, week) 400 bits was even worse (> one week) F p 3: T = p, deg f = 6, [JLSV06] method: Norm(T) Q c = 1.44 (but still much slower) F p 4: f = O(p 1/2 ), Norm(T) Q 3/2 c = 1.65 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

40 Optimizing the Preimage Computation Booting step: First experiments Commonly assumed: launch at morning coffee... finished for afternoon tea. F p bits was easy (BGGM15 record), as fast as for F p (< one day) F p 3 F p 4 What happened? 400 bits and MNT 508 bits were much slower (days, week) 400 bits was even worse (> one week) F p 3: T = p, deg f = 6, [JLSV06] method: Norm(T) Q c = 1.44 (but still much slower) F p 4: f = O(p 1/2 ), Norm(T) Q 3/2 c = 1.65 Because of the constant hidden in the O()? Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

41 Optimizing the Preimage Computation Our solution Lemma Let T F p k. log(t ) = log(u T ) (mod l) for any u in a proper subfield of F p k. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

42 Optimizing the Preimage Computation Our solution Lemma Let T F p k. log(t ) = log(u T ) (mod l) for any u in a proper subfield of F p k. F p is a proper subfield of F p k target T = t 0 + t 1 x t d x d we divide the target by its leading term: log(t ) = log(t /t d ) (mod l) From now we assume that the target is monic. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

43 Optimizing the Preimage Computation Our solution Lemma Let T F p k. log(t ) = log(u T ) (mod l) for any u in a proper subfield of F p k. F p is a proper subfield of F p k target T = t 0 + t 1 x t d x d we divide the target by its leading term: log(t ) = log(t /t d ) (mod l) From now we assume that the target is monic. Similar technique in pairing computation: Miller loop denominator elimination [Boneh Kim Lynn Scott 02] Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

44 Optimizing the Preimage Computation Subfield Simplification + LLL We want to reduce T. Example with F p 3: f = x x x x x 2 13x + 1 ϕ = x 3 yx 2 (y + 3)x 1 y Z T = t 0 + t 1 x + x 2 p p define L = t 0 t ϕ 0 ϕ 1 ϕ ϕ 0 ϕ 1 ϕ ϕ 0 ϕ 1 ϕ 2 1 LLL(L) outputs a short vector r, linear combination of L s rows. r = λ 0 p + λ 1 px + λ 2 T + λ 3 ϕ + λ 4 xϕ + λ 5 x 2 ϕ. r = r r 5 x 5, r i C det(l) 1/6 = O(p 1/3 ) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

45 Optimizing the Preimage Computation Subfield Simplification + LLL We want to reduce T. Example with F p 3: f = x x x x x 2 13x + 1 ϕ = x 3 yx 2 (y + 3)x 1 y Z T = t 0 + t 1 x + x 2 p p define L = t 0 t ϕ 0 ϕ 1 ϕ ϕ 0 ϕ 1 ϕ ϕ 0 ϕ 1 ϕ 2 1 LLL(L) outputs a short vector r, linear combination of L s rows. r = λ 0 p + λ 1 px + λ 2 T + λ 3 ϕ + λ 4 xϕ + λ 5 x 2 ϕ. r = r r 5 x 5, r i C det(l) 1/6 = O(p 1/3 ) log ρ(r) = log(t ) (mod l) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

46 Optimizing the Preimage Computation Subfield Simplification + LLL We want to reduce T. Example with F p 3: f = x x x x x 2 13x + 1 ϕ = x 3 yx 2 (y + 3)x 1 y Z T = t 0 + t 1 x + x 2 p p define L = t 0 t ϕ 0 ϕ 1 ϕ ϕ 0 ϕ 1 ϕ ϕ 0 ϕ 1 ϕ 2 1 ρ(p) = 0 F p k T ρ(ϕ) = 0 F p k LLL(L) outputs a short vector r, linear combination of L s rows. r = λ 0 p + λ 1 px + λ 2 T + λ 3 ϕ + λ 4 xϕ + λ 5 x 2 ϕ. r = r r 5 x 5, r i C det(l) 1/6 = O(p 1/3 ) log ρ(r) = log(t ) (mod l) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

47 Optimizing the Preimage Computation Subfield Simplification + LLL We want to reduce T. Example with F p 3: f = x x x x x 2 13x + 1 ϕ = x 3 yx 2 (y + 3)x 1 y Z T = t 0 + t 1 x + x 2 p p define L = t 0 t ϕ 0 ϕ 1 ϕ ϕ 0 ϕ 1 ϕ ϕ 0 ϕ 1 ϕ 2 1 ρ(p) = 0 F p k T ρ(ϕ) = 0 F p k LLL(L) outputs a short vector r, linear combination of L s rows. r = λ 0 p + λ 1 px + λ 2 T + λ 3 ϕ + λ 4 xϕ + λ 5 x 2 ϕ. r = r r 5 x 5, r i C det(l) 1/6 = O(p 1/3 ) log ρ(r) = log(t ) (mod l) because ρ(r) = λ 2 T with λ 2 F p Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

48 Optimizing the Preimage Computation Subfield Simplification + LLL Norm f (T) = Res(f, T) A T deg f f d Norm f (r) r 6 f 5 = O(p 2 ) = O(Q 2/3 ) < O(Q) MNT example: log Q = 508 bits Norm f (T) Norm g (T) L Q [1/3, c] q i B 1 = Q e bits Q e bits c time L Q [ 2 3, c] Nothing Q Q 4/ [JLSV06] Q 508 Q 5/ This work Q 2/3 340 Q Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

49 F p 4 F p 4: JLSV 1 polynomial selection and booting step improvement Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

50 F p 4 F p 4 of 400 bits [JLSV06] first method: choose f of degree 4 and very small coefficients, and set g = f + p. Booting step on f side, with the T = U/V method. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

51 F p 4 F p 4 of 400 bits [JLSV06] first method: choose f of degree 4 and very small coefficients, and set g = f + p. Booting step on f side, with the T = U/V method. Relation collection and Linear algebra do not scale well for large p Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

52 F p 4 F p 4 of 400 bits [JLSV06] first method: choose f of degree 4 and very small coefficients, and set g = f + p. Booting step on f side, with the T = U/V method. Relation collection and Linear algebra do not scale well for large p We use JLSV06 other method: deg f = deg g = k, f = g = p 1/2 p = of 98 bits (30 dd) l = of 192 bits f = x x 3 6x x + 1 g = x x x x ϕ = g Terribly slow booting step (more than one week) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

53 F p 4 Terribly slow booting step T = t 0 + t 1 x + t 2 x 2 + x 3 define p L = 0 p p 0 t 0 t 1 t 2 1 dim 4 because max(deg f, deg g) = 4 compute LLL(L), get r, r p 3/4, Norm f (r) r 4 f 3 p 9/2 = Q 9/8 of 450 bits! Booting step, nb of operations: 2 44 Large prime bound B 1 of 82 bits Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

54 F p 4 Terribly slow booting step T = t 0 + t 1 x + t 2 x 2 + x 3 define p L = 0 p p 0 could we find something else, monic? t 0 t 1 t 2 1 dim 4 because max(deg f, deg g) = 4 compute LLL(L), get r, r p 3/4, Norm f (r) r 4 f 3 p 9/2 = Q 9/8 of 450 bits! Booting step, nb of operations: 2 44 Large prime bound B 1 of 82 bits Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

55 Our solution: quadratic subfield simplification F p 4 Lemma Let T F p k, k even. We can always find u F p k/2 and T F p k, such that T = u T and T is of degree k 2 instead of k 1. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

56 Our solution: quadratic subfield simplification Lemma F p 4 Let T F p k, k even. We can always find u F p k/2 and T F p k, such that T = u T and T is of degree k 2 instead of k 1. p define L = 0 p 0 0 t 0 t t 0 t 1 t 2 1 LLL(L) short vector r linear combination of L rows r = r r 3 x 3, r i C det(l) 1/4 = O(p 1/2 ) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

57 Our solution: quadratic subfield simplification Lemma F p 4 Let T F p k, k even. We can always find u F p k/2 and T F p k, such that T = u T and T is of degree k 2 instead of k 1. p define L = 0 p 0 0 t 0 t t 0 t 1 t 2 1 ρ(p) = 0 F p k T T LLL(L) short vector r linear combination of L rows r = r r 3 x 3, r i C det(l) 1/4 = O(p 1/2 ) ρ(r) = λ 2 T + λ 3 T = (λ 2 u + λ 3 ) }{{} subfield F p k/2 T Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

58 Our solution: quadratic subfield simplification Lemma F p 4 Let T F p k, k even. We can always find u F p k/2 and T F p k, such that T = u T and T is of degree k 2 instead of k 1. p define L = 0 p 0 0 t 0 t t 0 t 1 t 2 1 ρ(p) = 0 F p k T T LLL(L) short vector r linear combination of L rows r = r r 3 x 3, r i C det(l) 1/4 = O(p 1/2 ) ρ(r) = λ 2 T + λ 3 T = (λ 2 u + λ 3 ) }{{} log ρ(r) = log(t ) (mod l) subfield F p k/2 Norm f (r) = r 4 f 3 = p 7/2 = Q 7/8 < Q Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32 T

59 F p 4 Summary of results G T F p 2 F p 3 F p 4 F p 6 Norm bound prev. Q [JLSV06] Q 3/2 (nothing) this work Q 1/2 Q 2/3 Q 7/8 Q 11/12 Booting step running time in L Q [1/3, c] prev. c (*) new c ** numerical values for a 512-bit Q prev. nb of operations new nb of operations q i bound B 1 = L Q [2/3, c ] previous B new B * [CommeineSemaev06, JouxLercierNaccacheThomé09, Barbulescu13, Bar.Pierrot14] ** with cubic subfield simplification Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

60 F p 4 Summary of results Accepted paper at Asiacrypt 2015, Auckland, New Zealand online version HAL guillevic@lix.polytechnique.fr Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

61 F p 4 DL record computation in F p 4 of 392 bits (120dd) Joint work with R. Barbulescu, P. Gaudry, F. Morain p = of 98 bits (30 dd) l = of 192 bits f = x x 3 6x x + 1 g = x x x x ϕ = g G = x + 3 F p 4 T 0 = x x x log G (T 0 ) = (mod l) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, / 32

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction Aurore Guillevic and François Morain and Emmanuel Thomé University of Calgary, PIMS CNRS, LIX École Polytechnique, Inria, Loria SAC,