A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm

Size: px

Start display at page:

Download "A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm"

Reginald Fields
6 years ago
Views:

1 A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm Palash Sarkar and Shashank Singh Indian Statistical Institute, Kolkata September 5, 2016 ECC2016

2 (Tower) Number Field Sieve Algorithm

3 Number Field Sieve Algorithm It is an index calculus algorithm to compute indices i.e., discrete logarithms in the finite fields. It consists of 4 main steps. Polynomial Selection Relation Collection Linear Algebra Individual discrete logarithm 1

4 NFS for Finite Fields F p n Field Representation: F p n = F p[x] ϕ(x) = F p(m) How is ϕ(x) chosen? Choose f(x), g(x) Z[x], s.t., f(x) mod p and g(x) mod p, have a common irreducible factor ϕ(x) of degree n over F p. Q(α) = Q[x] Q[x] f(x), Q(β) = g(x) 2

5 NFS for Finite Fields F p n Field Representation: x Z[x] F p n = F p[x] ϕ(x) = F p(m) How is ϕ(x) chosen? Choose f(x), g(x) Z[x], s.t., f(x) mod p and g(x) mod p, have a common irreducible factor ϕ(x) of degree n over F p. Q(α) = Q[x] Q[x] f(x), Q(β) = g(x) α Q(α) α m Commutative diagram ᾱ F p (m) x β m β Q(β) O f = Integer Ring of Q(α) O g = Integer Ring of Q(β) h f = Class number of Q(α) h g = Class number of Q(β) β 2

6 Relation Collection Phase -An Overview ζ(x) x Z[x] x β ζ(x) α ζ(α)o f = a e i i Q(α) Q(β) ζ(β)o g = b l i i ideal to elt α m ᾱ β β ideal to elt ζ(α) h f = u 1 b l i i F p (m) m ζ(β) hg = u 2 b l i i Since ζ(α) = ζ(β), we have a relation.

7 Relation Collection Phase -An Overview ζ(x) x Z[x] x β ζ(x) α ζ(α)o f = a e i i Q(α) Q(β) ζ(β)o g = b l i i ideal to elt α m ᾱ β β ideal to elt ζ(α) h f = u 1 b l i i F p (m) m ζ(β) hg = u 2 b l i i { } prime ideals in O f or O g, either having norm less than B F = Since ζ(α) = ζ(β), we have a relation. or lying above the prime factors of l(f) and l(g) res. 3

8 Why is Polynomial Selection Phase important? ζ(x) Z[x] Factorisation Res(f, ζ) ζ(α)o f = a e i i ζ(α) h f = u 1 b l i i 4

9 Why is Polynomial Selection Phase important? Complexity Res(f, ζ) Res(g, ζ) ( ) t 1E 2(deg f+deg g) f g t where t 1 = deg(ζ) and coefficient(ζ) [ E 2/t, E 2/t] ζ(x) Z[x] ζ(α)o f = a e i i ζ(α) h f = u 1 b l i i Factorisation Res(f, ζ) 4

10 Why is Polynomial Selection Phase important? Complexity Res(f, ζ) Res(g, ζ) ( ) t 1E 2(deg f+deg g) f g t where t 1 = deg(ζ) and coefficient(ζ) [ E 2/t, E 2/t] ζ(x) Z[x] ζ(α)o f = a e i i ζ(α) h f = u 1 b l i i Factorisation Res(f, ζ) Aim of the Polynomial Selection step is to choose f(x) and g(x) suitable for NFS algorithm such that their degree and the coefficient size are minimal. 4

11 Polynomial Selection Algorithms

12 Polynomial Selection Basic Idea: Choose f(x) randomly; having small integer coefficients and modulo p, an irreducible factor ϕ(x) of degree n. Construct g(x) from ϕ(x) and f(x). 5

13 Generalised Joux-Lercier [D. Matyukhin, Barbulescu et al.] Let ϕ(x) = x n + ϕ n 1 x n ϕ 1 x + ϕ 0 and r deg(ϕ). M ϕ,r = p p ϕ 0 ϕ 1 ϕ n ϕ 0 ϕ 1 ϕ n 1 1 px 0.. px n 1 ϕ(x). x r n ϕ(x) Apply the LLL algorithm to M ϕ,r and let the first row of the resulting LLL-reduced matrix be [g 0, g 1,..., g r 1, g r ]. Define g(x) = g 0 + g 1 x + + g r 1 x r 1 + g r x r. Notation: g = LLL (M ϕ,r ) and g = O ( p n/(r+1))

14 Generalised Joux-Lercier [D. Matyukhin, Barbulescu et al.] Let ϕ(x) = x n + ϕ n 1 x n ϕ 1 x + ϕ 0 and r deg(ϕ). M ϕ,r = p p ϕ 0 ϕ 1 ϕ n ϕ 0 ϕ 1 ϕ n 1 1 px 0.. px n 1 ϕ(x). x r n ϕ(x) Can we further reduce the size of g? Apply the LLL algorithm to M ϕ,r and let the first row of the resulting LLL-reduced matrix be [g 0, g 1,..., g r 1, g r ]. Define g(x) = g 0 + g 1 x + + g r 1 x r 1 + g r x r. Notation: g = LLL (M ϕ,r ) and g = O ( p n/(r+1))

15 Generalised Joux-Lercier [D. Matyukhin, Barbulescu et al.] Let ϕ(x) = x n + ϕ n 1 x n ϕ 1 x + ϕ 0 and r deg(ϕ). M ϕ,r = p p ϕ 0 ϕ 1 ϕ n ϕ 0 ϕ 1 ϕ n 1 1 px 0.. px n 1 ϕ(x). x r n ϕ(x) Can we further reduce the size of g? Apply the LLL algorithm to M ϕ,r and let the first row of the resulting LLL-reduced matrix be [g 0, g 1,..., g r 1, g r ]. Define g(x) = g 0 + g 1 x + + g r 1 x r 1 + g r x r. What if some coeff s of ϕ(x) are zero or small? Notation: g = LLL (M ϕ,r ) and g = O ( p n/(r+1))

16 Generalised Joux-Lercier [D. Matyukhin, Barbulescu et al.] Let ϕ(x) = x n + ϕ n 1 x n ϕ 1 x + ϕ 0 and r deg(ϕ). M ϕ,r = p p ϕ 0 ϕ 1 ϕ n ϕ 0 ϕ 1 ϕ n 1 1 px 0.. px n 1 ϕ(x). x r n ϕ(x) Can we further reduce the size of g? Apply the LLL algorithm to M ϕ,r and let the first row of the resulting LLL-reduced matrix be [g 0, g 1,..., g r 1, g r ]. Define g(x) = g 0 + g 1 x + + g r 1 x r 1 + g r x r. What if some coeff s of ϕ(x) are zero or small? Can we ignore the cols corres. to 0 coeff s? Notation: g = LLL (M ϕ,r ) and g = O ( p n/(r+1)) 6

17 Let ϕ(x) = ϕ 0 + ϕ 2 x 2 + ϕ 4 x x n. Take r = n. M ϕ,r = x 0 x 2 x 4... x n p p ϕ 0 ϕ 2 ϕ n 2 1 px 0 px 2. px n 2 ϕ(x) det (M ϕ,r ) = p n 2 and so g = O ( p n/2(n/2+1)) = O ( p n/(n+2))

18 Let Take r = n. M ϕ,r = ϕ(x) = ϕ 0 + ϕ 2 x 2 + ϕ 4 x x n. x 0 x 2 x 4... x n p p ϕ 0 ϕ 2 ϕ n 2 1 px 0 px 2. px n 2 ϕ(x) This can be done for every divisor d of n. i.e., ϕ(x) = ϕ 0 + ϕ d x d x n. It is hard to obtain ϕ(x) of this form. What if we start with a f(x) of this form and try to get a required ϕ(x)? det (M ϕ,r ) = p n 2 and so g = O ( p n/2(n/2+1)) = O ( p n/(n+2))

19 Let Take r = n. M ϕ,r = det (M ϕ,r ) = p n 2 f(x) = ϕ(x) = ϕ 0 + ϕ 2 x 2 + ϕ 4 x x n. x 0 x 2 x 4... x n p p ϕ 0 ϕ 2 ϕ n 2 1 px 0 px 2. px n 2 ϕ(x) This can be done for every divisor d of n. i.e., ϕ(x) = ϕ 0 + ϕ d x d x n. It is hard to obtain ϕ(x) of this form. What if we start with a f(x) of this form and try to get a required ϕ(x)? and so g = O ( p n/2(n/2+1)) = O ( p n/(n+2)) ( ) f 0 + f d x d f n x n + f n+d x n+d +... = A 1 (x d ) = (ϕ 0 + ϕ d x d x n ) f (x) 7

20 Polynomial Selection Method(A): Algorithm: A: A new method of polynomial selection. Input: p, n, d (a factor of n) and r n/d. Output: f(x), g(x) and ϕ(x). Let k = n/d; repeat Randomly choose a monic irr A 1 (x) with small coeff.: deg A 1 = r + 1; mod p, A 1 (x) has an irr factor A 2 (x) of deg k. Choose monic C 0 (x) and C 1 (x): deg C 0 = d and deg C 1 < d. Define f(x) = Res y (A 1 (y), C 0 (x) + y C 1 (x)) ; ϕ(x) = Res y (A 2 (y), C 0 (x) + y C 1 (x)) mod p; ψ(x) = LLL(M A2,r); g(x) = Res y (ψ(y), C 0 (x) + y C 1 (x)). until f(x) and g(x) are irr over Z and ϕ(x) is irr over F p.; return f(x), g(x) and ϕ(x).

21 Polynomial Selection Method(A): Algorithm: A: A new method of polynomial selection. Input: p, n, d (a factor of n) and r n/d. Output: f(x), g(x) and ϕ(x). Let k = n/d; repeat Randomly choose a monic irr A 1 (x) with small coeff.: deg A 1 = r + 1; mod p, A 1 (x) has an irr factor A 2 (x) of deg k. Choose monic C 0 (x) and C 1 (x): deg C 0 = d and deg C 1 < d. Define f(x) = Res y (A 1 (y), C 0 (x) + y C 1 (x)) ; ϕ(x) = Res y (A 2 (y), C 0 (x) + y C 1 (x)) mod p; ψ(x) = LLL(M A2,r); g(x) = Res y (ψ(y), C 0 (x) + y C 1 (x)). until f(x) and g(x) are irr over Z and ϕ(x) is irr over F p.; return f(x), g(x) and ϕ(x). 8

22 Polynomial Selection Method(A): Generalised Joux-Lercier d = 1 New Results 1 < d < n d = n Algorithm-A r > n d New Results d = n r = n d Generalisation Conjugation [Barbulescu et al.] 9

23 ( Complexity =L 1 Q, 2c ( 3 b) for boundary case i.e., p = 2 LQ, c ) 3 p

24 ( Complexity =L 1 Q, 2c ( 3 b) for boundary case i.e., p = 2 LQ, c ) 3 p Can we obtain this complexity of boudary case to the medium prime case? Yes, increase p. Tower NFS Algorithms 10

25 Tower Number Field Sieve Algorithm R := Z[z]/ h(z) R[x] K f R[x] f(x) mod ϕ(x) (mod p) Commutative diagram F p ηκ mod ϕ(x) (mod p) R[x] g(x) K g F p ηκ := (R/pR)[x] (ϕ(x)) h(z) Z[z] is a monic polynomial of deg η, irreducible mod p. Both f(x) and g(x) are irreducible over R. Over F p η, f(x) and g(x) have a common factor ϕ(x) of deg κ.

26 Tower Number Field Sieve Algorithm R := Z[z]/ h(z) R[x] K f K g K f R[x] f(x) mod ϕ(x) (mod p) Commutative diagram F p ηκ mod ϕ(x) (mod p) R[x] g(x) K g F p ηκ := (R/pR)[x] (ϕ(x)) K h Q Number Fields h(z) Z[z] is a monic polynomial of deg η, irreducible mod p. Both f(x) and g(x) are irreducible over R. Over F p η, f(x) and g(x) have a common factor ϕ(x) of deg κ. 11

27 Extended Tower Number Field Sieve [Kim and Barbulescu] Setting Field: F Q with Q = p n where n = ηκ such that gcd(η, κ) = 1. These choices of (η, κ), allow us to chose f(x) and g(x) in Z[x], not in R[x], without affecting the commutative diagram of TNFS. 12

28 Extended Tower Number Field Sieve [Kim and Barbulescu] Setting Field: F Q with Q = p n where n = ηκ such that gcd(η, κ) = 1. These choices of (η, κ), allow us to chose f(x) and g(x) in Z[x], not in R[x], without affecting the commutative diagram of TNFS. 12

29 Extended Tower Number Field Sieve [Kim and Barbulescu] Setting Field: F Q with Q = p n where n = ηκ such that gcd(η, κ) = 1. These choices of (η, κ), allow us to chose f(x) and g(x) in Z[x], not in R[x], without affecting the commutative diagram of TNFS. For details we refer to Taechan Kim and Razvan Barbulescu, Extended Tower Number Field Sieve : A New Complexity for Medium Prime Case. CRYPTO Palash Sarkar and Shashank Singh, Tower Number Field Sieve Variant of a Recent Polynomial Selection Method. Cryptology eprint Archive: Report 2016/

30 Extended Tower Number Field Sieve [Kim and Barbulescu] Setting Field: F Q with Q = p n where n = ηκ such that gcd(η, κ) = 1. These Howchoices restrictive of (η, is the κ), allow uswhat to chose if n f(x) is a composite and g(x) in Z[x], condition not ingcd(η, R[x], κ) without = 1? affecting the prime commutative power? diagram of TNFS. For details we refer to Taechan Kim and Razvan Barbulescu, Extended Tower Number Field Sieve : A New Complexity for Medium Prime Case. CRYPTO Palash Sarkar and Shashank Singh, Tower Number Field Sieve Variant of a Recent Polynomial Selection Method. Cryptology eprint Archive: Report 2016/401.

31 Extended Tower Number Field Sieve [Kim and Barbulescu] Setting Field: F Q with Q = p n where n = ηκ such that gcd(η, κ) = 1. These Howchoices restrictive of (η, is the κ), allow uswhat to chose if n f(x) is a composite and g(x) in Z[x], condition not ingcd(η, R[x], κ) without = 1? affecting the prime commutative power? diagram of TNFS. For details we refer to Taechan Palash Sarkar Kim andrazvan Shashank Barbulescu, Singh, A General ExtendedPolynomial Tower Number SelectionField Method Sieve and : ANew NewAsymptotic ComplexityComplexities for Medium for Prime the Case. TowerCRYPTO Number Field Sieve Algorithm. Cryptology eprint Palash Archive: Sarkar Report and2016/485. Shashank(accepted Singh, Tower at Asiacrypt Number 2016) Field Sieve Variant of a Recent Polynomial Selection Method. Cryptology eprint Archive: Report 2016/

32 A General Polynomial Selection Method R := Z[z]/ h(z) R[x] ζ(x) R[x], deg x (ζ) = t 1 K f R[x] f(x) mod ϕ(x) (mod p) Commutative diagram F p ηκ mod ϕ(x) (mod p) R[x] g(x) K g F p ηκ := (R/pR)[x] (ϕ(x)) Aim is to get f(x) (res. g(x)) of small degree and norm size i.e. f. f = max f i,j where f(x) = ξ 0 (z) + ξ 1 (z)x ξ r 1 (z)x r 1 + x r = f ij x i z j 13

33 A General Polynomial Selection Method R := Z[z]/ h(z) R[x] ζ(x) R[x], deg x (ζ) = t 1 K f R[x] f(x) mod ϕ(x) (mod p) Commutative diagram F p ηκ mod ϕ(x) (mod p) R[x] g(x) K g F p ηκ := (R/pR)[x] (ϕ(x)) Aim is to get f(x) (res. g(x)) of small degree and norm size i.e. f.(why?) f = max f i,j where f(x) = ξ 0 (z) + ξ 1 (z)x ξ r 1 (z)x r 1 + x r = f ij x i z j 13

34 GJL Matrix Basic idea remains same as that of Algorithm A. Crucial to algorithm A was the following matrix. GJL Matrix: p M A2,r = p a 0 a 1 a n a 0 a 1 a n 1 1 (r+1) (r+1) We extend the idea of the GJL to work for tower fields. In the TNFS set-up, Q = p n where n = ηκ. 14

35 GJL Matrix for TNFS Let ϕ(x) = (ϕ 00 + ϕ 01 z) + (ϕ 10 + ϕ 11 z)x x 2. Note that η = 2. Let λ = η. Take r = n. M ϕ,2 = p p p p 0 ϕ 00 ϕ 01 ϕ 10 ϕ 11 1

36 GJL Matrix for TNFS Let ϕ(x) = (ϕ 00 + ϕ 01 z) + (ϕ 10 + ϕ 11 z)x x 2. Note that η = 2. Let λ = η. Take r = n. M ϕ,2 = diag λk (p) p p p p 0 ϕ 00 ϕ 01 ϕ 10 ϕ 11 1

37 GJL Matrix for TNFS Let ϕ(x) = (ϕ 00 + ϕ 01 z) + (ϕ 10 + ϕ 11 z)x x 2. Note that η = 2. Let λ = η. Take r = n. M ϕ,2 = diag λk (p) p p p p 0 ϕ 00 ϕ 01 ϕ 10 ϕ 11 1 ϕ

38 GJL Matrix for TNFS Let ϕ(x) = (ϕ 00 + ϕ 01 z) + (ϕ 10 + ϕ 11 z)x x 2. Note that η = 2. Let λ = η. Take r = n. M ϕ,2 = diag λk (p) p p p p 0 ϕ 00 ϕ 01 ϕ 10 ϕ 11 1 ϕ [ = diag λk (p) 0 ϕ 1 ] 15

39 Let ϕ(x) = (ϕ 00 + ϕ 01 z) + (ϕ 10 + ϕ 11 z)x + x 2. Note that η = 2. Let λ = η. Take r = n + 1. p p p p ϕ 00 ϕ 01 ϕ 10 ϕ p ϕ 00 ϕ 01 ϕ 10 ϕ 11 1

40 Let ϕ(x) = (ϕ 00 + ϕ 01 z) + (ϕ 10 + ϕ 11 z)x + x 2. Note that η = 2. Let λ = η. Take r = n + 1. p p p p ϕ 00 ϕ 01 ϕ 10 ϕ p ϕ 00 ϕ 01 ϕ 10 ϕ 11 1

41 Let ϕ(x) = (ϕ 00 + ϕ 01 z) + (ϕ 10 + ϕ 11 z)x + x 2. Note that η = 2. Let λ = η. Take r = n + 1. p p p p ϕ 00 ϕ 01 ϕ 10 ϕ p ϕ 00 ϕ 01 ϕ 10 ϕ 11 1 = diag λk (p) ϕ 1 0 λ 1,1+λk diag λ 1 (p) shift λ (ϕ) 1 16

42 ϕ(x) =(ϕ 00 + ϕ 01 z + ϕ 02 z 2 ) + (ϕ 10 + ϕ 11 z + ϕ 12 z 2 )x + (ϕ 20 + ϕ 21 z + ϕ 22 z 2 )x 2 + x 3. p p p p p p p p p ϕ 00 ϕ 01 ϕ 02 ϕ 10 ϕ 11 ϕ 12 ϕ 20 ϕ 21 ϕ p p ϕ 00 ϕ 01 ϕ 02 ϕ 10 ϕ 11 ϕ 12 ϕ 20 ϕ 21 ϕ 22 1

43 ϕ(x) =(ϕ 00 + ϕ 01 z + ϕ 02 z 2 ) + (ϕ 10 + ϕ 11 z + ϕ 12 z 2 )x + (ϕ 20 + ϕ 21 z + ϕ 22 z 2 )x 2 + x 3. p p p p p p p p p ϕ 00 ϕ 01 ϕ 02 ϕ 10 ϕ 11 ϕ 12 ϕ 20 ϕ 21 ϕ p p ϕ 00 ϕ 01 ϕ 02 ϕ 10 ϕ 11 ϕ 12 ϕ 20 ϕ 21 ϕ

44 GJL Matrix for TNFS in general form Let ϕ(x) = x k + ϕ k 1 (z)x k ϕ 1 (z)x + ϕ 0 (z) R[x], where each ϕ i (z) = ϕ i,0 + ϕ i,1 z + + ϕ i,η 1 z η 1 is a polynomial of degree less than η with the coefficients ϕ i,j in Z. Let λ = η. Let ϕ = (ϕ 0,0,..., ϕ 0,λ 1,..., ϕ k 1,0,..., ϕ k 1,λ 1 ). M ϕ,r = diag λk (p) ϕ 1 0 λ 1,1+λk diag λ 1 (p) shift λ (ϕ) 1 0 λ 1,1+λ(k+1) diag λ 1 (p) shift 2λ (ϕ) λ 1,1+λ(r 1) diag λ 1 (p) shift (r k)λ (ϕ) 1 where, for a vector a, let shift i (a) be the vector (0,..., 0, a). }{{} i (rλ+1) (rλ+1) 18

45 ψ(x) = LLL(M ϕ,r ) Since the matrix has rλ + 1 rows, each entry of the first row of the matrix formed by applying LLL to M ϕ,r is at most p r(λ 1)+k rλ+1. So, each ψ i,j and also ψ r is at most this value. Consequently, ψ = p r(λ 1)+k rλ+1 = Q 1 n r(λ 1)+k rλ+1 = Q ε/n (1) where ε = r(λ 1) + k. (2) rλ + 1 Note that for k r, ε < 1. The quantity ε will be another parameter in the asymptotic analysis. 19

46 Algorithm 3: C: Polynomial selection for TNFS. Input: p, n = ηκ, d (a factor of κ), r κ/d and λ [1, η]. Output: f(x), g(x) and ϕ(x). Let k = κ/d, R = Z[z]/(h(z)), F p η = F p[z]/(h(z)); repeat Randomly choose a monic A 1(x) R[x] such that: deg A 1(x) = r + 1 A 1(x) is irreducible over Q[z]/(h(z)) and hence over R. A 1(x) has coefficient polynomials of size O(ln(p)). over F p η, A 1(x) has an irreducible factor A 2(x) of degree k such that all the coefficient polynomials of A 2(x) have degrees at most λ 1. Randomly choose monic C 0(x) and C 1(x) with small integer coeff s such that deg C 0(x) = d and deg C 1(x) < d. Define f(x) = Res y (A 1(y), C 0(x) + y C 1(x)) ; ϕ(x) = Res y (A 2(y), C 0(x) + y C 1(x)) mod p; ψ(x) = LLL(M A2,r); g(x) = Res y (ψ(y), C 0(x) + y C 1(x)). until f(x) and g(x) are irreducible over Q[z]/(h(z)) (and hence over R) and ϕ(x) is irreducible over F p η = F p[z]/(h(z)). return f(x), g(x) and ϕ(x). 20

47 Proposition The outputs f(x), g(x) and ϕ(x) of Algorithm C satisfy the following. 1. deg(f) = d(r + 1); deg(g) = rd and deg(ϕ) = κ; 2. over F p n, both f(x) and g(x) have ϕ(x) as a factor; 3. f = O(ln(p)) and g = O(Q ε/n ). Consequently, if φ is a sieving polynomial of degree (t 1), then N(φ, f) = E 2d(r+1)/t L Q (2/3, o(1)); N(φ, g) = E 2dr/t Q (t 1)ε/κ L Q (2/3, o(1)); N(φ, f) N(φ, g) = E (2d(2r+1))/t Q (t 1)ε/κ L Q (2/3, o(1)). 21

48 Polynomial Selection Method(C): Algorithm-A η = 1 λ = 1 New Results gcd(η, κ) 1 λ = η Algorithm-C gcd(η, κ) 1 1 < λ < η New Results η > 1 gcd(η, κ) = 1 λ = 1 Algorithm-B [extnfs]

49 Polynomial Selection Method(C): Algorithm-A η = 1 λ = 1 New Results gcd(η, κ) 1 λ = η Algorithm-C not practical gcd(η, κ) 1 1 < λ < η New Results η > 1 gcd(η, κ) = 1 λ = 1 Algorithm-B [extnfs] 22

50 Product of norms for various polynomial selection methods Figure 1: Polynomials for F p 8 23

51 Product of norms for various polynomial selection methods.. Figure 2: Polynomials for F p 9 24

52 Product of norms for various polynomial selection methods.. Figure 3: Polynomials for F p 12 25

53 Asymptotic Complexity Analysis Setting: For 1/3 < a 2/3, write p = L Q (a, c p ), where c p = 1 n ( ) 1 a ln Q ln ln Q Recall that n = ηκ, k = κ/d, r k, λ [1, η] and ε is given by ε = r(λ 1) + k. rλ + 1 (3) Let η can be written as ( ) ln Q 2/3 a η = c η. ln ln Q (4) Then κ = 1 ( ) ln Q 1/3 where c θ = c p c η. c θ ln ln Q 26

54 Asymptotic Complexity Analysis The size of the factor basis B. Cost of Linear Algebra B 2. Sieving polynomial ζ(x) of deg (t 1) and ζ = E 2/(tη) are considered. So the total number of polynomials sieved is E 2, which is the cost of relation collection step.

55 Asymptotic Complexity Analysis The size of the factor basis B. Cost of Linear Algebra B 2. Sieving polynomial ζ(x) of deg (t 1) and ζ = E 2/(tη) are considered. So the total number of polynomials sieved is E 2, which is the cost of relation collection step. Let π be the probability of getting a single relation. Requirements: Cost(L. A.)=Cost(R. C.) Sufficient Relations

56 Asymptotic Complexity Analysis The size of the factor basis B. Cost of Linear Algebra B 2. Sieving polynomial ζ(x) of deg (t 1) and ζ = E 2/(tη) are considered. So the total number of polynomials sieved is E 2, which is the cost of relation collection step. Let π be the probability of getting a single relation. Requirements: Cost(L. A.)=Cost(R. C.) Sufficient Relations E 2 π = B and B 2 = E 2 E = B = π 1

57 Asymptotic Complexity Analysis The size of the factor basis B. Cost of Linear Algebra B 2. Sieving polynomial ζ(x) of deg (t 1) and ζ = E 2/(tη) are considered. So the total number of polynomials sieved is E 2, which is the cost of relation collection step. Let π be the probability of getting a single relation. Requirements: Cost(L. A.)=Cost(R. C.) Sufficient Relations Compute π? E 2 π = B and B 2 = E 2 Let B = L Q (1/3, c b ) = E E = B = π 1

58 Computation of π π is Computed using Canfield-Erdös-Pomerance theorem. Canfield-Erdös-Pomerance (CEP) theorem Let π = Ψ(Γ, B) be the probability that a random positive integer which is at most Γ is B-smooth. Let Γ = L Q (z, γ) and B = L Q (b, c b ). Then π 1 = Ψ(Γ, B) 1 = L Q ( z b, (z b) γ c b ). (5) 28

59 Computation of π π is Computed using Canfield-Erdös-Pomerance theorem. Canfield-Erdös-Pomerance (CEP) theorem Let π = Ψ(Γ, B) be the probability that a random positive integer which is at most Γ is B-smooth. Let Γ = L Q (z, γ) and B = L Q (b, c b ). Then π 1 = Ψ(Γ, B) 1 = L Q ( z b, (z b) γ c b ). (5) We have Γ equal to, Γ = N(φ, f) N(φ, g) = E (2d(2r+1))/t Q (t 1)ε/κ L Q (2/3, o(1)). 28

60 Lemma Let n = ηκ and κ = kd for positive integers η, k and d. For a fixed t, using the expressions for p, E(= B) and η, we obtain the following. E 2 t d(2r+1) = L Q ( Q (t 1)ε 2/3, 2c b(2r+1) c θ kt ) ; κ = L Q (2/3, (t 1)c θ ε). (6) So, Γ = L Q ( 2 3, 2c b(2r + 1) c θ kt π 1 = L Q ( 1 3, 1 3 ( 2(2r + 1) c θ kt ) + (t 1)c θ ε + (t 1)c )) θε c b 29

61 Complexity From the condition π 1 = B, we get c b = 1 ( 2(2r + 1) 3 c θ kt + (t 1)c θε c b ). (7) Solving the quadratic for c b and choosing the positive root gives c b = 2(2r + 1) 6c θ kt + (2r ) (t 1)c θε. 3c θ kt 3 Complexity is given by Comp B 2 = L Q (1/3, 2c b ). 30

62 Minimise 2c b with respect to c θ 0 = c b c θ = 2(2r + 1) 6ktc 2 θ Solving we get ( (2r + 1 3c θ kt ) ) 2 1/2 ( 2(2r + (t 1)c θε + 1) 2 3 9k 2 t 2 c 3 + θ ( ) 2r c 3 3 θ = 8 3kt (t 1)ε. ) (t 1)ε 3 Taking cube roots on both sides gives the value of c θ. Substituting this value of c θ in the expression of c b, we get 2c b = = ( ) 64(2r + 1)(t 1)ε 1/3 (8) 9kt ( 64(2r + 1)(t 1) 9kt ) r(λ 1) + k 1/3. (9) rλ

63 Minimise 2c b with respect to c θ.. The expression on the right hand side of (8) clearly increases as t increases. So, to minimise 2c b, we should choose the minimum value of t which is t = 2. With t = 2, the right hand side of (8) becomes ( ) 32(2r + 1) r(λ 1) + k 1/3 (10) 9k rλ

64 Case λ = 1: The right hand side of (10) becomes ( ) 32(2r + 1) 9(r + 1) which takes the minimum value of (48/9) 1/3 for r = 1. This can arise in the following ways. η = 1, a = 2/3: This corresponds to the boundary case and the minimum complexity is L Q (1/3, (48/9) 1/3 ) [Algorithm A]. η > 1, 1/3 < a < 2/3: Here we require gcd(η, κ) = 1. Again, the min complexity is L Q (1/3, (48/9) 1/3 ). [extnfs-b]. Algorithm-A η = 1 λ = 1 Algorithm-C η > 1 (η, κ) = 1 λ = 1 Algorithm-B [extnfs-ss] 33

65 Case λ = η > 1: For fixed k, minimum of (10) is achieved for r = k. ( ) 32(2k + 1) η 1/3. (11) 9 kη + 1 Minimum of (11) is obtained at k = κ and thus the minimum value of 2c b in this case is ( ) 32(2κ + 1) η 1/3 = 9 κη + 1 ( ) 32(2n + η) 1/3. (12) 9(n + 1) 34

66 New complexity results Suppose that n can be written as n = η i for some prime η and some i > If η = 2, then the minimum possible value of 2c b for the case λ = η = 2 is (64/9) 1/ for all n = 2 i. In particular, this case covers n = 4, 8, If η = 3 and n = 9, then the minimum possible value of 2c b for the case λ = η = 3 is (112/15) 1/ If η = 5 and n = 25, then the minimum possible value of 2c b for the case λ = η = 5 is (880/117) 1/

67 Figure 4: Complexity plots for the medium prime case using the extnfs algorithm. 36

68 Complexity for the MexTNFS variant Figure 5: Complexity plots for the medium prime case using the MexTNFS algorithm. 37

69 Recent developments Jinhyuck Jeong and Taechan Kim, Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree. Cryptology eprint Archive, Report 2016/526 Palash Sarkar and Shashank Singh, A Generalisation of the Conjugation Method for Polynomial Selection for the Extended Tower Number Field Sieve Algorithm. Cryptology eprint Archive, Report 2016/537 38

70 Algorithm 4: D: Polynomial selection for TNFS. Input: p, n = ηκ, d (such that d κ and gcd(η, d/κ) = 1), r κ/d Output: f(x), g(x) and ϕ(x). Let k = κ/d, R = Z[z]/(h(z)), F p η = F p[z]/(h(z)); repeat Randomly choose a monic A 1(x) Z[x] such that: deg A 1(x) = r + 1 A 1(x) is irreducible over Z. A 1(x) has coefficient polynomials of size O(ln(p)). over F p, A 1(x) has an irreducible factor A 2(x) of degree k such that A 2(x) is irr over F p η. Randomly choose monic C 0(x) and C 1(x) in R[x] such that C i is small for i = 0, 1; deg C 0(x) = d and deg C 1(x) < d. Define f(x) = Res y (A 1(y), C 0(x) + y C 1(x)) ; ϕ(x) = Res y (A 2(y), C 0(x) + y C 1(x)) mod p; ψ(x) = LLL(M A2,r); g(x) = Res y (ψ(y), C 0(x) + y C 1(x)). until f(x) and g(x) are irreducible over Q[z]/(h(z)) (and hence over R) and ϕ(x) is irreducible over F p η = F p[z]/(h(z)). return f(x), g(x) and ϕ(x). 39

71 Asymptotic Analysis 40

72 Asymptotic Analysis 40

Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree

Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree Taechan Kim 1 and Jinhyuck Jeong 2 1 NTT Secure Platform Laboratories, Japan taechan.kim@lab.ntt.co.jp