The number field sieve in the medium prime case

Transcription

1 The number field sieve in the medium prime case Frederik Vercauteren ESAT/COSIC - K.U. Leuven Joint work with Antoine Joux, Reynald Lercier, Nigel Smart

2

3 Finite Field DLOG Basis finite field is F p = {0,..., p 1}, with p prime Let q = p n, then extension field F q F p [x]/(f (x)) with f (x) F p [x] of degree n and irreducible Multiplicative group F q is cyclic, take generator g Let h F q, then h = g d with d = log g h the DLOG

4 Number field sieve Index calculus algorithm used for factoring, then DLOGs Let q = p n with p prime, then complexity expressed by L q (α, c) = exp((c + o(1))(log q) α (log log q) 1 α ) Large p: number field sieve with running time as long as log p > n 2+ε L q (1/3, (64/9) 1/3 ) Small p: function field sieve with running time as long as p n o( n) L q (1/3, (32/9) 1/3 ) In the gap, i.e. log p < n 2+ε and p > n o( n), have to resort to Adleman - DeMarrais with complexity L q (1/2)

5 : setup To compute discrete logarithms in F p Two number fields K 1 = Q and K 2 = Q[X]/(f (X)) with: ) 1/3 ( The degree of f is d 3 1/3 log p log log p Exists m Z with f (m) 0 mod p, i.e. ring homomorphism φ 2 : O 2 F p E.g. f can be obtained by base m p 1/d expansion of p Choose two factor bases F 1 and F 2 F 1 : integer primes p < B for some bound B F2 : degree 1 prime ideals of norm < B

6 : sieving Sieve over pairs of integers (a, b) with gcd(a, b) = 1 and a, b < S for some bound S a bm is B-smooth No(a θ2 b) is B-smooth with f (θ 2 ) = 0 and No(a θ 2 b) = b d f ( a b ) Since No(a θ 2 b) is B-smooth the ideal a θ 2 b factors over F 2 since only degree 1 (or index divisors) appear a θ 2 b = i p e i i

7 : relations (a, b) with a bm and a θ 2 b B-smooth gives relation Need to get rid of ideals and work with elements only... Simplicity: assume class number h(k ) = 1 and computable unit group, then a θ 2 b = r i=0 u λ i i i γ e i i with u 1,..., u r fundamental units and p i = γ i Finally, by using φ 2 from O 2 to F p obtain a bm j p e j j r φ 2 (u i ) λ i φ 2 (γ i ) e i i=0 i mod p

8 : relations Take logs of both sides, obtain relation between DLOGs e j log g p j j r i=0 λ i log g φ 2 (u i )+ i e i log g φ 2 (γ i ) mod (p 1) Need to collect #F 1 + #F 2 + d + ε relations Solve sparse linear system using Lanczos or Wiedemann Individual DLOGs: descent procedure (see more later)

9 Schirokauer s extension for n > 1 Number field K 1 is chosen such that O 1 /po 1 = Fq, so K 1 has degree at least n Number field K 2 is extension of K 1, i.e. K 2 = K 1 [X]/(f (X)) Collect pairs (a, b) O 1 O 1 with similar properties as before: a bm is B-smooth where m O1 such that f (m) po 1 a θ 2 b is B-smooth with f (θ 2 ) = 0 Leads to L q (1/3)-algorithm for fixed n and p Main disadvantage: not really practical (only n = 2 has been attempted by Weber) Choice of polynomial f depends on input DLOG problem

10 Basic variation p = L p n(2/3, c): setup Finite fields F p n with p = L p n(2/3, c) and c near 2 (1/3) 1/3 Choose polynomial f 1 of degree n irreducible over F p very small coefficients (e.g. use poly to define F q ) Choose polynomial f 2 = f 1 + p K 1 Q[X]/(f 1 (X)) = Q[θ 1 ] and K 2 = Q[X]/(f2 (X)) = Q[θ 2 ] Note: f 1 f 2 mod p, so have compatible homomorphisms φ i : O i F q, for i = 1, 2 with φ 1 (θ 1 ) = φ 2 (θ 2 ) No relative extensions necessary and f i independent of input DLOG

11 Basic variation p = L p n(2/3, c): sieving/linear algebra Factor bases F 1 and F 2 of degree 1 ideals of small norm Choose smoothness bound B and a sieve limit S Pairs (a, b) of coprime integers, a S and b S No(a bθ 1 ) and No(a bθ 2 ) B-smooth Add logarithmic maps to take into account h(k i ) 1 and unit groups Obtain linear equation between logarithms of ideals in the smoothness bases Solve using SGE and Lanczos or Wiedemann

12 Basic variation p = L p n(2/3, c): individual DLOG Recursive special q-descent procedure similar to F p Represent F p n as F p [t]/(f 1 (t)) Assume we want to compute log t y with y F p n Search for element z = y i t j for some i, j N with 1. lifting z K 1, norm factors into primes smaller than some bound B 1 L p n(2/3, 1/3 1/3 ), 2. only degree one prime ideals in the factorisation of (z) 3. E.g.: the norm of the lift of z should be squarefree Remark: probability of squarefree smoothness is about 6/π 2 probability of smoothness

13 Basic variation p = L p n(2/3, c): individual DLOG Factor principal ideal generated by z as (z) = p ei i p i F 1 Ideals q j not contained in F 1, so need to compute DLOGs For each q j, perform special-q j descent: 1. Sieve over pairs (a, b) such that q j (a bθ 1 ) and j q e j j No(a bθ 1 )/No(q j ) and No(a bθ 2 ) B 2 -smooth B 2 < B 1 2. Factor (a bθ 1 ) and (a bθ 2 ) to obtain new special q j s 3. Repeat until bound B k < B DLOGs of all q j known Remark: special q j in both number fields K 1 and K 2

14 Definition 120-digit challenge Adaptation of Joux & Lercier s implementation for F p Finite field F p 3 with p = π p = Group order p 3 1 has 110-bit factor l Definition of number fields K 1 and K 2 by f 1 (X) = X 3 + X 2 2X 1 and f 2 (X) = f 1 (X) + p, where we have F p 3 F p [t]/(f 1 (t))

15 Number fields K 1 and K 2 Q[θ 1 ] is a cubic cyclic number field with Galois group Aut(Q[θ 1 ]) = {θ 1 θ 1, θ 1 θ 2 1 2, θ 1 θ 2 1 θ 1 + 1} K 1 has class number 1 and System of fundamental units u 1 = θ and u 2 = θ θ 1 1 Q[θ 2 ] has signature (1, 1), so only need single Schirokauer logarithmic map λ

16 Factor bases and sieving Smoothness bases with prime ideals in the Q[θ1 ] side, we include prime ideals, but only are meaningful due to the Galois action, in the Q[θ 2 ] side, we include prime ideals. Lattice sieving: only algebraic integers a + bθ 2 divisible by prime ideal in Q[θ 2 ] Norms to be smoothed in Q[θ 2 ] are 150 bit integers Norms in Q[θ 1 ] are 110 bit integers Sieving took 12 days on a 1.15 GHz 16-processors HP AlphaServer GS1280

17 Linear algebra Compute the kernel of a matrix Coefficients mostly equal modulo l to ±1, ±p or ±p 2 SGE: matrix with non null entries Lanczos s algorithm: about one week h(k 1 ) = 1, check DLOGs of generators of ideals in F 1 (t 2 + t + 1) (p3 1)/l = G , (t 3) (p3 1)/l = G , (3 t 1) (p3 1)/l = G , where G = g (p3 1)/ l and g = 2t + 1.

18 Individual DLOGs Challenge γ = 2 i=0 ( π pi+1 mod p)t i Using Pollard-Rho, computed DLOG modulo (p 3 1)/l, To obtain a complete result, we expressed γ = t t t t , Numerator and denominator are both smooth in Q[θ 1 ] Three level tree with 80 special-q ideals Recovered DLOG modulo l, namely Each special-q sieving took 10 minutes or a total of 14 hours

19 Variation I: smaller p Polynomial setup same as in basic case Main problem: sieving space is not large enough, due to larger n cannot collect enough relations Solution: sieve over elements of larger degree than 1 t a i θ1 i i=0 and t a i θ2 i i=0 Bound on norm: (n + t) n+t B a n B f t with Ba is an upper bound on the absolute values of the a i B f a similar bound on the coefficients of f 1 (resp. f 2 )

20 Variation II: larger p p is too large to simply add to f 1, so need different polynomial construction Only requirement is: f 1 (x) f 2 (x) mod p Idea: construct f 2 (x) of degree > n with small coefficients such that f 1 (x) f 2 (x) over Q Choose constant W and construct f 1 (x) = f 0 (x + W ), coefficient at least W n Use LLL to reduce the lattice L = ( f 1 (x) xf 1 (x) x 2 f 1 (x) x D n f 1 (x) p px px 2 px D ) Need vector with coefficients smaller than W n so 2 (D+1)/4 p n/(d+1) W n

21 Complexity of variations p can be written as L q (l p, c) with 1/3 < l p < 2/3 L q (1/3, (128/9) 1/3 ) L q (1/3, ) p can be written as L q (2/3, c) for a constant c L q (1/3, 2c ) with c = 4 ( 3t 3 4(t + 1) ) 1/3 sieve over elements of degree t with 3c 3 t(t + 1) 2 32 = 0 p can be written as L q (2/3, c) for a constant c L q (1/3, 2c ) with 9c 3 6 c c c 2 c 8 = 0 p can be written as L q (l p, c) with l p > 2/3 L q (1/3, (64/9) 1/3 ) L q (1/3, )

22 JLSV NFS: complexity = L q (1/3, 2c ) 2.4 t -> oo 2.3 t = c t = D > n t = c

23 Conclusions New, simple and practical variations of NFS Can simply adapt existing implementations of NFS for F p More optimisations: large prime variation, multiple number fields,... Combined with work Joux/Lercier on FFS: obtain two families of algorithms such that DLOGs in F p n can be computed in L p n(1/3) time

24 Optimisation I: Galois extensions p is inert in K 1, so isomorphism Gal(K 1 /Q) Gal(F q /F p ) Thus: K 1 has to be a cyclic number field of degree n Partition factor base F 1 in n parts F 1,k with k = 1,..., n n (a bθ 1 ) = k=1 p i F 1,1 ψ k (p i ) ei,k with Gal(K 1 /Q) = ψ Choose ψ such log g φ 1 (ψ(δ i ))) = p log g φ 1 (δ i ) with p i = δ i Effectively divides factor base size by n

25 Optimisation II: choice of polynomials Two possible optimisations: Poss I: Maximise automorphism group of K 1 and K 2 simultaneously Example: p 2, 5 mod 9, can take f 1 = x 6 + x f 2 = x 6 + (p + 1)x K 1 is Galois and K 2 has non-trivial automorphism order 2 Poss II: balance size of coefficients of f 1 and f 2 Remark: better to adapt sieving region...

26 Optimisation III: individual logarithms Instead of factoring z, first write z as ai t i bi t i with a i and b i are of the order of p. Use LLL to find short vector in lattice L z tz t 2 z t n 1 z p pt pt 2 pt n L = Expect LLL finds short vector of norm p.