A quasi polynomial algorithm for discrete logarithm in small characteristic

Transcription

1 CCA seminary January 10, 2014 A quasi polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 Emmanuel Thomé 2 LIX, École Polytechnique Loria, Nancy LIP 6, Paris R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 0 / 34

2 Motivation For any prime power Q, F Q is the field of Q elements. factorization same complexity dlog. in F p analoguous pairings in small char. rely on dlog. in F 2 n or F 3 n rely on elliptic curve dlog. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 1 / 34

3 Discrete logarithm Definition Let g and h be two elements in a cyclic group. We call discrete logarithm of g in base h, if it exists, the smallest positive integer x such that g x = h. Example DSA signature relies on the difficulty of solving the equation for a prime p and integers g and h. g x h mod p, Example Pairing based crypto-systems in small characteristic rely, in particular, on the difficulty of solving the equation g(x ) x h(x ) mod ϕ(x ), for an irreducible polynomial ϕ(x ) in F 2 [X ] or F 3 [X ]. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 2 / 34

4 The Pohlig-Hellman reduction Let N = p e i i Let g i = g N/pe i i Then, g i is of order p e i i be the factorization of the group order. and h i = h N/pe i i. and h i = g x i i, where x i x mod p e i i. Theorem Using the Chinese Remainder Theorem, the DLP in G reduces to DLPs in groups whose orders are prime powers. A similar trick, à la Hensel, allows to reduce the DLP modulo a prime power to several DLPs modulo primes. Theorem (Pohlig-Hellman reduction) The DLP in G cyclic of composite order is not harder than the DLP in the subgroup of G of largest prime order. In the following we compute dlogs modulo a prime divisor l of the group order. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 3 / 34

5 Shanks baby-step giant-step algorithm Let K be a parameter (in the end, K N). Write the dlog x as x = x 0 + K x 1, with 0 x 0 < K and 0 x 1 < N/K. Algorithm 1. Compute Baby Steps: For all i in [0, K 1], compte g i. Store in a hash table the resulting pairs (g i, i). 2. Compute Giant Steps: For all j in [0, N/K ], compute hg Kj. If the resulting element is in the BS table, then get the corresponding i, and return x = i + Kj. Theorem Discrete logarithms in a cyclic group of order N can be computed in less than 2 N operations. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 4 / 34

6 Summary of generic algorithms Putting things together, one obtain: Theorem (DLP in generic groups) Let G be a cyclic group of order N, and let p be the largest prime factor of N. The DLP in G can be solved in O( p) operations in G (up to factors that are polynomial in log N). Pollard s Rho method has the same time complexity, but a low memory complexity. Finite fields are not generic groups! R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 5 / 34

7 Outline of the talk Background Discrete logarithm in small caracteristic The algorithm Some comments R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 6 / 34

8 The L notation Sub-exponential algorithms have complexities of the order of n O(1) 2 nα with 0 < α < 1, where n is the bit-size of the input. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 7 / 34

9 The L notation Sub-exponential algorithms have complexities of the order of n O(1) 2 nα with 0 < α < 1, where n is the bit-size of the input. A more precise function is: where n = log x. ) L x (α, c) = exp (cn α (log n) 1 α, R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 7 / 34

10 The L notation Sub-exponential algorithms have complexities of the order of n O(1) 2 nα with 0 < α < 1, where n is the bit-size of the input. A more precise function is: where n = log x. ) L x (α, c) = exp (cn α (log n) 1 α, The most common values of α are 0 for polynomial-time algorithms; 1 for exponential ones; 1/2 for older DL algorithms; 1/3 for algorithms used in today s records of factorization, dlog in large, medium and small caracteristic. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 7 / 34

11 Smoothness Definition A polynomial in F q [t] is m-smooth if all its irreducible factors have degree less than m. Theorem (Panario Gourdon Flajolet) The probability that a degree-n polynomial is m-smooth is 1/u u(1+o(1)) where u = n m. Cases: n = log q L x (α, ), m = log q L x (β, ) gives a probability of 1/L x (α β, ); n = D, m = D/6 gives a constant probability; n = D, m = 1 gives a probability 1/D! 1/D D. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 8 / 34

12 Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible degree k polynomial ϕ F q [t]. Example Take q = 3, k = 5, ϕ = x 5 + x 4 + 2x and l = 11 (divisor of 3 5 1). We have x 5 x 6 2(x + 1)(x 3 + x 2 + 2x + 1) mod ϕ 2(x 2 + 1)(x 2 + x + 2) mod ϕ x 7 2(x + 2)(x + 1) 2 mod ϕ. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 9 / 34

13 Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible degree k polynomial ϕ F q [t]. Example Take q = 3, k = 5, ϕ = x 5 + x 4 + 2x and l = 11 (divisor of 3 5 1). We have x 5 x 6 2(x + 1)(x 3 + x 2 + 2x + 1) mod ϕ 2(x 2 + 1)(x 2 + x + 2) mod ϕ x 7 2(x + 2)(x + 1) 2 mod ϕ. The last relation gives: 7 log x x 1 log x (x + 2) + 2 log x (x + 1) R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 9 / 34

14 Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible degree k polynomial ϕ F q [t]. Example Take q = 3, k = 5, ϕ = x 5 + x 4 + 2x and l = 11 (divisor of 3 5 1). We have x 5 x 6 2(x + 1)(x 3 + x 2 + 2x + 1) mod ϕ 2(x 2 + 1)(x 2 + x + 2) mod ϕ x 7 2(x + 2)(x + 1) 2 mod ϕ. The last relation gives: 7 log x x 1 log x (x + 2) + 2 log x (x + 1) 8 log x (x + 1) 1 log x (x + 2) 9 log x (x + 2) 2 log x x. We find log x (x + 1) 4 mod 11 and log x (x + 2) 10 mod 11. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 9 / 34

15 L(1/2) index calculus in F 2 n = F 2 [x]/ϕ(x) Algorithm To compute the log of h in base g: 0. Fix a smoothness bound B, and construct the factor base F = {p i irreducible and monic; deg p i B}. 1. Collect relations. Repeat the following until #F relations have been found: 1.1 Pick a at random and compute z = g a mod ϕ. 1.2 check if z is smooth. 1.3 If yes, write z as a product of elements of F and store the corresponding relation as a row of a matrix. 2. Linear algebra. Find a vector v in the right-kernel of the matrix, modulo 2 n 1. Normalizing to get log g = 1, this gives the log of all factor base elements. 3. Individual logs. Pick b at random until h b is smooth. Deduce the log of h. Note B = log 2 L(α, ). Then #F = L(α); the cost of the relation collection stage is L(α)L(1 α) while the linear algebra has a cost of L(α) 2 = L(α). We optimize the complexity for α = 1/2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 10 / 34

16 L(1/2) index calculus: comments All L(1/2) and L(1/3) DLP algorithms follow the same scheme: Relation collection; Linear algebra to get logs of factor base elements; Individual log, to handle any element. Joux s L(1/4) algorithm still uses this terminology (but very different in nature). Quasi-polynomial time algorithm: it s time to stop speaking about factor base! R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 11 / 34

17 Records for fields F 2 n with prime n The most studied algorithm in small characteristic is the function field sieve (FFS) of complexity L(1/3). Joux and Lercier gave a variant and Coppersmith s algorithm can be seen as a particular case. n date GIPS year algo. author Copp. Gordon,McCurley FFS Joux,Lercier Copp. Thomé FFS Joux,Lercier FFS Joux,Lercier FFS Caramel FFS Caramel 1 Using the same algorithm as for prime degrees. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 12 / 34

18 Records for fields F 2 n with prime n The most studied algorithm in small characteristic is the function field sieve (FFS) of complexity L(1/3). Joux and Lercier gave a variant and Coppersmith s algorithm can be seen as a particular case. n date GIPS year algo. author Copp. Gordon,McCurley FFS Joux,Lercier Copp. Thomé FFS Joux,Lercier FFS Joux,Lercier FFS Caramel FFS Caramel Caramel completed the relation collection stage for n = 1039 with a computation of 384 GIPS years. Linear algebra must be adapted to larger sizes. 1 Using the same algorithm as for prime degrees. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 12 / 34

19 Composed degrees n Pairings issued instances of discrete logarithm have composed exponent: 4n, 6n or 12n. Theorem Under the same assumptions as in the classical variante of FFS, if n has a factor κ less than 3 n, then 1. the relations collection phase can be sped up by κ; 2. the linear algebra stage can be sped up by κ 2. Two japanese teams computed discrete logs in F 3 6n (pairings): a 2010 record for n = 71 (676 bits) using κ = 6; cost 14 GIPS year. a 2012 record for n = 97 (923 bits) using κ = 3; cost 290 GIPS years. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 13 / 34

20 Results of the year 2013 The fields F q 2k and F q 3k with k q are weak; if k {q 1, q, q + 1} they are very weak. (Joux) R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 14 / 34

21 Results of the year 2013 The fields F q 2k and F q 3k with k q are weak; if k {q 1, q, q + 1} they are very weak. (Joux) Two methods for relation collection and linear algebra in polynomial time. (Joux and Göloğlu et al.) R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 14 / 34

22 Results of the year 2013 The fields F q 2k and F q 3k with k q are weak; if k {q 1, q, q + 1} they are very weak. (Joux) Two methods for relation collection and linear algebra in polynomial time. (Joux and Göloğlu et al.) Amazing records by Joux (n = 6168) and Göloğlu et al.(n = 6120). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 14 / 34

23 Results of the year 2013 The fields F q 2k and F q 3k with k q are weak; if k {q 1, q, q + 1} they are very weak. (Joux) Two methods for relation collection and linear algebra in polynomial time. (Joux and Göloğlu et al.) Amazing records by Joux (n = 6168) and Göloğlu et al.(n = 6120). Individual logarithm in time L(1/4 + o(1)) by Joux. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 14 / 34

24 Results of the year 2013 The fields F q 2k and F q 3k with k q are weak; if k {q 1, q, q + 1} they are very weak. (Joux) Two methods for relation collection and linear algebra in polynomial time. (Joux and Göloğlu et al.) Amazing records by Joux (n = 6168) and Göloğlu et al.(n = 6120). Individual logarithm in time L(1/4 + o(1)) by Joux. One can embed F 2 n with prime n in a field F q 2k with k q (Joux). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 14 / 34

25 Results of the year 2013 The fields F q 2k and F q 3k with k q are weak; if k {q 1, q, q + 1} they are very weak. (Joux) Two methods for relation collection and linear algebra in polynomial time. (Joux and Göloğlu et al.) Amazing records by Joux (n = 6168) and Göloğlu et al.(n = 6120). Individual logarithm in time L(1/4 + o(1)) by Joux. One can embed F 2 n with prime n in a field F q 2k with k q (Joux). Quasi-polynomial algorithm of complexity n O(log n) for prime n (this work). Estimation of the weakness of small caracteristic pairings by Adj et al.. for example pairing based crypto-systems over have security of 80 bits instead of 128 bits. (BGJT is used in tandem with Joux s algorithm) R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 14 / 34

26 Outline of the talk Background Discrete logarithm in small caracteristic The algorithm Some comments R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 15 / 34

27 Main result Theorem (based on heuristics) Let K be any finite field F q k. A discrete logarithm in K can be computed in heuristic time max(q, k) O(log k). Cases: K = F 2 n, with prime n. Complexity is n O(log n). Much better than L 2 n(1/3 + o(1)) 2 3 n. K = F q k, with q k. Complexity is log Q O(log log Q), where Q = #K. Again, this is L Q (o(1)). K = F q k, with q L q k(α). Complexity is L q k(α + o(1)), i.e. better than Joux-Lercier or FFS for α < 1/3. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 16 / 34

28 We suppose first k q and k q + 2. Representing F q 2k Choosing ϕ: Try random h 0, h 1 F q 2[x] with deg h 0, deg h 1 2 until T (x) := h 1 (x)x q h 0 (x) has an irreducible factor of degree k. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 17 / 34

29 Representing F q 2k We suppose first k q and k q + 2. Choosing ϕ: Try random h 0, h 1 F q 2[x] with deg h 0, deg h 1 2 until T (x) := h 1 (x)x q h 0 (x) has an irreducible factor of degree k. Remark The existence of h 0 and h 1 is heuristic, but found in practice in time O(k). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 17 / 34

30 Representing F q 2k We suppose first k q and k q + 2. Choosing ϕ: Try random h 0, h 1 F q 2[x] with deg h 0, deg h 1 2 until T (x) := h 1 (x)x q h 0 (x) has an irreducible factor of degree k. Remark The existence of h 0 and h 1 is heuristic, but found in practice in time O(k). h 1 (x)x q h 0 (x) mod ϕ(x). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 17 / 34

31 Representing F q 2k We suppose first k q and k q + 2. Choosing ϕ: Try random h 0, h 1 F q 2[x] with deg h 0, deg h 1 2 until T (x) := h 1 (x)x q h 0 (x) has an irreducible factor of degree k. Remark The existence of h 0 and h 1 is heuristic, but found in practice in time O(k). h 1 (x)x q h 0 (x) mod ϕ(x). If P F q 2[x] then h 1 (x) deg P P(x) q = h 1 (x) deg P P(x q ) ( ) h 1 (x) deg P h0 P h 1 mod ϕ(x), where P is the polynomial obtained after conjugating all coefficients. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 17 / 34

32 Building block Proposition (Under heuristic assumptions) There exists an algorithm whose complexity is polynomial in q and k and which can be used for the following two tasks. 1. Given an element of K represented by a polynomial P F q 2[X ] with 2 deg P k 1, the algorithm returns an expression of log P(X ) as a linear combination of at most O(kq 2 ) logarithms log P i (X ) with deg P i 1 2 deg P and of log h 1 (X ). 2. The algorithm returns the logarithm of h 1 (X ) and the logarithms of all the elements of K of the form X + a, for a in F q 2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 18 / 34

33 Descent tree P deg = k deg = k/ deg = k/ deg = 1 Attention: nodes can repeat; in particular the number of leaves is less than q 2, the number of polynomials x + γ. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 19 / 34

34 The descent tree Each node of the descent tree corresponds to one application of the Proposition, hence its arity is in q 2 D. level deg P i width of tree 0 k 1 1 k/2 q 2 k 2 k/4 q 2 k q 2 k 2 3. k/8. q 2 k q 2 k 2 q2 k 4. log k 1 q 2 log k k log k Total number of nodes = q O(log k). Each node yields a cost that is polynomial in q, hence one can solve discrete logarithms in F q 2k with k q + 2 in time q O(log k). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 20 / 34

35 Proof idea Recall that the individual log for Index Calculus is done using equations P i = R i, where i is a random integer and R i is the residue of x i P modulo ϕ. We search relations L S = γ S(P + γ) where S is a subset of F q 2 and L S is the residue of γ S (P + γ) modulo ϕ. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 21 / 34

36 Proof: The left hand side Let log P be the required computation. For every matrix m = have log L m log R m where ( a c ) b GL 2 (F q 2) we d R m := h 1 (x) deg P ( (ap + b) q (cp + d) (ap + b)(cp + d) q) mod ϕ(x ). and L m := R m mod ϕ. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 22 / 34

37 Proof: The left hand side Let log P be the required computation. For every matrix m = have log L m log R m where ( a c ) b GL 2 (F q 2) we d R m := h 1 (x) deg P ( (ap + b) q (cp + d) (ap + b)(cp + d) q) mod ϕ(x ). and L m := R m mod ϕ. We have deg L m 3 deg P. Indeed, we have L m = h deg P 1 (ã P(x q ) + b)(cp(x) + d) (ap(x) + b)( c P(x q ) + d) ( ( ) ) ( = h deg P h0 (X ) 1 ã P + b (cp(x ) + d) (ap(x ) + b) c P h 1 (X ) ( ) ) h0 (X ) + d. h 1 (X ) R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 22 / 34

38 The right hand side Recall the identity x q x = α F q (x α). We further have x q y xy q = (α:β) P 1 (F q )(βx αy) and R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 23 / 34

39 The right hand side Recall the identity x q x = α F q (x α). We further have x q y xy q = (α:β) P 1 (F q )(βx αy) and (ap + b) q (cp + d) (ap + b)(cp + d) q = = = λ (α,β) P 1 (F q) (α,β) P 1 (F q) (α,β) P 1 (F q) β(ap + b) α(cp + d) ( cα + aβ)p (dα bβ) ( P ) dα bβ, aβ cα Here q + 1 out of the q elements of {1} {P + a : a F q 2} occur. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 23 / 34

40 Linear algebra step for P If L m is 1 2 deg P-smooth we have γ P 1 (F q 2)(P + γ) vm(γ) = i P e i i, for some polynomials P i with deg P i 1 2 deg P and { 1, if γ = dα bβ aβ cα v m (γ) = with (α : β) P1 (F q ), 0 otherwise. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 24 / 34

41 Notation P q := PGL(2, q 2 )/PGL(2, q). Linear algebra step for P Since #PGL(2, q) = q 3 q, #P q = q 3 + q. γ P 1 (F q 2) m P q v m (γ) Since L m has degree 3 deg P, its heuristic probability to be 1 2 deg P-smooth is constant. Hence the matrix has Θ(q 3 ) rows and q columns. We make the heuristic that the matrix has rank q R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 25 / 34

42 Evidence in favour of the heuristic We computed the discriminant over Z of some matrices obtained as above; denoted δ i. In our example, the discriminant δ i of q random rows had the same probability to be divisible by a large prime l as a random integer. q #trials in gcd({δ i }) in gcd(δ i, δ j ) , 3 431, , 5 none above q , 3 none above q , 13 none above q , , 3, 5 none above q , , 11 none above q 2 R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 26 / 34

43 Arity of the descent tree log P is obtained as a sum of at most q 2 linear combinations. Each linear combination has at most 3 deg P terms. So, we have at most O(q 2 deg P) new polynomials. Adj et al. gave a method to compute the average number of divisors for a smooth polynomial. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 27 / 34

44 Outline of the talk Background Discrete logarithm in small caracteristic The algorithm Some comments R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 28 / 34

45 The embedding trick log g h has the same value as elements of F q k or as any field F q k where q is a multiple of q. When q < k 2 we embed F q k in F q 2k with q = q log qk. Note that q qk. The input size log Q = k log q is replaced by 2k log q 2k log(qk) 4 log Q log log Q. When replacing log Q by log Q log log Q a polynomial algorithm changes the big-oh by a soft-oh; a sub-exponential L(α) algorithm becomes L(α + o(1)); a quasi-polynomial one changes the constant in the big-oh. Example 1. For F we compute logs in F = F The field F can be embedded in F q 2k with q = 3 6 and k = 509. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 29 / 34

46 Very weak fields Assume that k = q 1 (same is true for q + 1 and q). For many values of q we can take h 1 = 1 and h 0 = Ax for some generator A of F q 2. Then ϕ = x q 1 A. Then, for any a F q 2, we have (x + a) q = x q + ã = x q 1 x + ã = A(x + ã/a), where ã is the Frobenius conjugate of a. We obtain q log(x + a) = log(x + ã/a). Hence we can reduce the factor base by a factor k. For example for , the linear algebra time was accelerated by k 2 = Remark The smoothness probabilities are improved. For example, The proportion of matrices m P q which produce relations for the linear polynomials is 1/6! = 1/620 when max(deg h 0, deg h 1 ) = 2 and it is 1/3! for the weak case (Kummer). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 30 / 34

47 The traps of Cheng Wan Zhuang In a recent preprint, Cheng, Wan and Zhuang noticed that the two last heuristics might fail. Let P(X ) be a divisor of h 1 X q h 0 (not the one used to define F q 2k). It can be checked that P will divide both sides of relations we try to construct. In general, such a P can not be descended in the usual way. And if P is linear, then we will not get its logarithm in the usual way. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 31 / 34

48 The CWZ traps: solutions CWZ proposed to just avoid these elements: still get a quasi-polynomial time complexity. We propose an alternative solution to descend a problematic P of degree D: We have h D 1 P q h D 1 P(h 0 /h 1 ) mod x q h 1 h 0. The RHS is always divisible by P (it is problematic). Taking logs, we get D log h 1 + (q 1) log P = log Q, where Q is the RHS divided by P. In general, P Q, and, if deg h 0, h 1 2, then deg Q D. So we have related log P to other logarithms, and the descent can continue. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 32 / 34

49 Conclusion Looking back: 30 years ago, first L(1/3) DL algorithm by Coppersmith; It took more than a decade to get this complexity for a wide range of scenarios; Still recent progress on L(1/3)-algorithms. Interesting times! We are entering a better-than-l(1/3) era; A lot of theoretical and practical improvements are expected in the next few months / years; At the moment, absolutely no clue how to extend the quasi-polynomial complexity to large characteristic, or to remove the quasi. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 33 / 34

50 RSA 0 1/3 2/3 1 α The complexity of discrete logarithm for a given size log Q with respect to the caracteristic q = L(α) R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 34 / 34