Improving NFS for the discrete logarithm problem in non-prime nite elds

Size: px

Start display at page:

Download "Improving NFS for the discrete logarithm problem in non-prime nite elds"

Gyles Blake
6 years ago
Views:

1 Improving NFS for the discrete logarithm problem in non-prime nite elds Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, Francois Morain Institut national de recherche en informatique et en automatique (INRIA) Ecole Polytechnique/LIX Centre national de la recherche scientique (CNRS) Universit e de Lorraine Eurocrypt 2015, April 27th Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

2 Our Work F p 2: target group of pairing-based cryptosystems Record computation of a Discrete Logarithm (DL) in F p 2 of 600 bits (log 2 p = 300 bits) DL in F p 2 is 260 times faster than DL in F p of same size serious consequences for pairing-based crypto source code: Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

3 Context : Discrete logarithm problem (DLP) in F p n In a subgroup g of F pn of order l, (g, x) g x is easy (polynomial time) (g, g x ) x is (in well-chosen subgroup) hard: DLP. In our work: We attack DL in F p 2, starting point of F p 3, F p 4,... F p 12 p is large: quasi polynomial time algo. does NOT apply DLP in these F p n still asymptotically as hard as in the 90's consequences for pairing-based crypto: F p 2 target group Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

4 Practical improvements and new asymptotic complexities L-notation: Q = p n, L Q [1/3, c] = e (c+o(1))(log Q)1/3 (log log Q) 2/3 for c > 0. DL in F p n, small n, large p: complexity in L p n[1/3, 1.92] (as for RSA modulus factorization) since the 90's n 2: two new polynomial selection methods great improvements in practice record of 600 bits Bonus: asymptotic complexity improvements in medium caracteristic case α = 1/3 c, previous work c, our work DL in F p n, p = L Q (2/3, c ) 1.92 < c < DL in F p n, medium p MNFS variants: see [Pierrot15], Eurocrypt Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

5 Number Field Sieve algorithm for DL in F p n Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

6 Number Field Sieve algorithm for DL in F p n 1. Polynomial Selection: compute f (x), g(x) dene number elds K f, K g. Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

7 Number Field Sieve algorithm for DL in F p n 1. Polynomial Selection: compute f (x), g(x) dene number elds K f, K g. Q[x] Q[x]/(f (x)) Q[y]/(g(y)) Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

8 Number Field Sieve algorithm for DL in F p n 1. Polynomial Selection: compute f (x), g(x) dene number elds K f, K g. Q[x] Q[x]/(f (x)) Q[y]/(g(y)) ρ f : x z ρ g : y z F p n = F p [z]/(ϕ(z)) Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

9 Number Field Sieve algorithm for DL in F p n 1. Polynomial Selection: compute f (x), g(x) dene number elds K f, K g. 2. Relation collection between ideals of each number eld. Q[x] a bx Q[x]/(f (x)) Q[y]/(g(y)) a by ρ f : x z ρ g : y z F p n = F p [z]/(ϕ(z)) Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

10 Number Field Sieve algorithm for DL in F p n 1. Polynomial Selection: compute f (x), g(x) dene number elds K f, K g. 2. Relation collection between ideals of each number eld. Q[x] a bx Q[x]/(f (x)) Q[y]/(g(y)) a by ρ f : a bx a bz ρ g : a by a bz F p n = F p [z]/(ϕ(z)) Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

11 Number Field Sieve algorithm for DL in F p n 1. Polynomial Selection: compute f (x), g(x) dene number elds K f, K g. 2. Relation collection between ideals of each number eld. Q[x] a bx Q[x]/(f (x)) Q[y]/(g(y)) a by ρ f : a bx a bz ρ g : a by a bz F p n = F p [z]/(ϕ(z)) 3. Linear algebra modulo l p n 1. here we know the discrete log of a subset of ideals of K f, K g. Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

12 Number Field Sieve algorithm for DL in F p n 1. Polynomial Selection: compute f (x), g(x) dene number elds K f, K g. 2. Relation collection between ideals of each number eld. Q[x] a bx Q[x]/(f (x)) Q[y]/(g(y)) a by ρ f : a bx a bz ρ g : a by a bz F p n = F p [z]/(ϕ(z)) 3. Linear algebra modulo l p n 1. here we know the discrete log of a subset of ideals of K f, K g. 4. Individual Logarithm. Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

13 Relation collection We need a high smoothness probability of ideals (a bx) K f, (a by) K g, a, b < E integers Norm Kf /Q(a bx) and Norm Kg /Q(a by) we approximate Norm Kf /Q(a bx) E deg f f with f = max 1 i deg f f i we want to minimize the product of norms: E deg f f E deg g g We need f, g of small degrees f, g of small coecients Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

14 Relation collection We need a high smoothness probability of ideals (a bx) K f, (a by) K g, a, b < E integers Norm Kf /Q(a bx) and Norm Kg /Q(a by) we approximate Norm Kf /Q(a bx) E deg f f with f = max 1 i deg f f i we want to minimize the product of norms: E deg f f E deg g g We need f, g of small degrees f, g of small coecients We cannot have both, we need to balance degrees and coecient sizes. Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

15 Our New Polynomial Selection for F p n A. The generalized Joux-Lercier method A. Generalized Joux-Lercier method Simplied version: deg f = n + 1, deg g = n 1. choose f, deg f = n + 1, s.t. 2. f f ϕ mod p, ϕ a monic irreducible factor of degree n modulo p ϕ(x) = ϕ 0 + ϕ 1 x + + x n 3. Reduce the following matrix using LLL p deg ϕ =.. M =. n rows p LLL(M) = } ϕ 0 ϕ row g 0 g 1 g n 4. g = g 0 + g 1 x + + g n x n, g = O(p n/(n+1) ) E deg f +deg g f g = E 2n+1 O(p n/(n+1) ) Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

16 Our New Polynomial Selection for F p n A. The generalized Joux-Lercier method A. Generalized Joux-Lercier method: example p = and n = 2 f = x 3 + x + 1 ϕ = x x p M = p LLL g = x x ϕ 0 ϕ 1 1 f = O(1), g = O(p 2/3 ) Historical remark: this construction appears in Barbulescu PhD thesis (2013) In January we were told about Matyukhin's work [ÌÀÒÞÕÈÍ 2006]: ÝÔÔÅÊÒÈÂÍÛÉ ÂÀÐÈÀÍÒ ÌÅÒÎÄÀ ÐÅØÅÒÀ ÈÑËÎÂÎÃÎ ÏÎËß ÄËß ÄÈÑÊÐÅÒÍÎÃÎ ËÎÃÀÐÈÔÌÈÐÎÂÀÍÈß Â ÏÎËÅ GF(p k ). Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

17 Our New Polynomial Selection for F p n B. The Conjugation Method B. The Conjugation Method for F p 2: example 1. p = 7 mod 8 2. f = x irreducible over Z, small 3. f = (x 2 + 2x + 1)(x 2 2x + 1) over Q( 2) 4. x 2 2 has two roots ±r mod p 5. ϕ = x 2 + rx + 1 is irreducible over F p since p 7 mod 8, and over Z 6. compute (u, v) s.t. u/v r mod p, with u, v p 1/2 with the rational reconstruction method 7. g = vx 2 + ux + v v ϕ mod p Generalize to higher n: deg f = 2n, deg g = n, f = O(1), g = O(p 1/2 ) E deg f +deg g f g = E 3n O(p 1/2 ) Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

18 Discrete Logarithm Record in 600-bit F p 2 Our Record: Discrete Logarithm in F p 2 of 600 bits p = \ (300 bits) p + 1 = 8 l l = \ (295 bits) p 1 = 6 h 0 with h 0 a 295 bit prime Cryptographic subgroup: G of order l For our record: Q = p 2, log 2 Q = 600, optimal value of E around log 2 E = 27 bits. Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

19 Discrete Logarithm Record in 600-bit F p 2 Our Record: Discrete Logarithm in F p 2 of 600 bits Polynomial selection: Generalized Joux Lercier: f = x 3 + x + 1, g = O(p 2/3 ), Norms bounded by E 5 p 2/3 of 339 bits Conjugation: f = x 4 + 1, g = O(p 1/2 ), Norms bounded by E 6 p 1/2 of 317 bits 22 bits less f = x g = x x g = 150 bits ϕ = x 2 + yx + 1, log 2 y = log 2 p Target: s = (π(2 298 )/8) x + (γ ) F p 2 = F p [x]/(ϕ(x)) gen = x + 2 Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

20 Discrete Logarithm Record in 600-bit F p 2 Speed-up of Relation Collection and Linear Algebra Galois automorphism: x 1/x both for f = x and g = vx 2 + ux + v a bx b + ax: a second relation for free speed-up by a factor 2 for relation collection speed-up by a factor 4 for linear algebra Finally, others important algebraic simplication and speed-up log gen s \ mod l. Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

21 Discrete Logarithm Record in 600-bit F p 2 Record running-time comparison in years for 600-bit inputs relation linear Algorithm collection algebra total NFS Integer Factorization 5y 0.5y 5.5y 11 NFS DL in F p 50y 80y 130y 260 This work: NFS DL in F p 2 0.4y 0.05y (GPU) 0.5y 1 DL in F p 2 < Integer Factorization < DL in F p Paper: Algebraic secrets: Source code: Download it and solve your own DL in F p 2 Stay tuned for more records during summer. Barbulescu, Gaudry, Guillevic, Morain NFS-DL in F p n April 27th, / 13

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team École Polytechnique / LIX ECC 2015, Sept. 28th Aurore Guillevic (INRIA/LIX)