Complexity news: discrete logarithms in multiplicative groups of small-characteristic finite fields the algorithm of Barbulescu, Gaudry, Joux, Thomé
Size: px
Start display at page:

Download "Complexity news: discrete logarithms in multiplicative groups of small-characteristic finite fields the algorithm of Barbulescu, Gaudry, Joux, Thomé"

Transcription

1 Complexity news: discrete logarithms in multiplicative groups of small-characteristic finite fields the algorithm of Barbulescu, Gaudry, Joux, Thomé D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Advertisement, maybe related: iml.univ-mrs.fr/ati/ geocrypt2013/ , Tahiti. Submit talks this month! Also somewhat related: I m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups.

2 ity news: logarithms in ative groups of aracteristic finite fields ithm of Barbulescu, Joux, Thomé rnstein y of Illinois at Chicago & he Universiteit Eindhoven ment, maybe related: v-mrs.fr/ati/ t2013/ 07 11, Tahiti. alks this month! Also somewhat related: I m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups. Discrete Goal: Co group iso F! q Z= represent Algorithm h 1 ; h 2 ; : Algorithm log g h 1 ; l for some log m g g 7! 1, i

3 in ps of finite fields arbulescu, mé is at Chicago & iteit Eindhoven ybe related: /ati/ hiti. onth! Also somewhat related: I m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups. Discrete logarithm Goal: Compute so group isomorphism F! q Z=(q 1), represented in the Algorithm input: h 1 ; h 2 ; : : : 2 F q. Algorithm output: log g h 1 ; log g h 2 ; : : for some g. log means the g g 7! 1, if it exists.

4 ds go & hoven d: Also somewhat related: I m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups. Discrete logarithms Goal: Compute some group isomorphism F! q Z=(q 1), represented in the usual way Algorithm input: h 1 ; h 2 ; : : : 2 F q. Algorithm output: log g h 1 ; log g h 2 ; : : : 2 Z=(q for some g. log means the isomorphis g g 7! 1, if it exists.

5 Also somewhat related: I m starting to analyze cost of NFS + CVP for class groups, unit groups, short generators of ideals, etc.; exploiting subfields (find short norms first), small Galois groups, etc. Anyone else working on this? Cryptanalytic applications: attack NTRU, Ring-LWE, FHE. I think NTRU should switch to random prime-degree extensions with big Galois groups. Discrete logarithms Goal: Compute some group isomorphism F! q Z=(q 1), represented in the usual way. Algorithm input: h 1 ; h 2 ; : : : 2 F q. Algorithm output: log g h 1 ; log g h 2 ; : : : 2 Z=(q 1) for some g. log means the isomorphism g g 7! 1, if it exists.

6 ewhat related: ing to analyze FS + CVP groups, unit groups, erators of ideals, etc.; g subfields rt norms first), lois groups, etc. lse working on this? lytic applications: TRU, Ring-LWE, FHE. TRU should switch to prime-degree extensions Galois groups. Discrete logarithms Goal: Compute some group isomorphism F! q Z=(q 1), represented in the usual way. Algorithm input: h 1 ; h 2 ; : : : 2 F q. Algorithm output: log g h 1 ; log g h 2 ; : : : 2 Z=(q 1) for some g. log means the isomorphism g g 7! 1, if it exists. Generic on avera uniform, Want so

7 ated: lyze P nit groups, ideals, etc.; first), s, etc. g on this? ications: g-lwe, FHE. ld switch to ree extensions ups. Discrete logarithms Goal: Compute some group isomorphism F! q Z=(q 1), represented in the usual way. Algorithm input: h 1 ; h 2 ; : : : 2 F q. Algorithm output: log g h 1 ; log g h 2 ; : : : 2 Z=(q 1) for some g. log means the isomorphism g g 7! 1, if it exists. Generic log g alg on average q 1=2+o( uniform, q 1=3+o(1) Want something fa

8 , c.; E. to ions Discrete logarithms Goal: Compute some group isomorphism F! q Z=(q 1), represented in the usual way. Algorithm input: h 1 ; h 2 ; : : : 2 F q. Algorithm output: log g h 1 ; log g h 2 ; : : : 2 Z=(q 1) for some g. log means the isomorphism g g 7! 1, if it exists. Generic log algorithms: g on average q 1=2+o(1) operati uniform, q 1=3+o(1) non-unifo Want something faster.

9 Discrete logarithms Goal: Compute some group isomorphism F! q Z=(q 1), represented in the usual way. Generic log algorithms: g on average q 1=2+o(1) operations uniform, q 1=3+o(1) non-uniform. Want something faster. Algorithm input: h 1 ; h 2 ; : : : 2 F q. Algorithm output: log g h 1 ; log g h 2 ; : : : 2 Z=(q 1) for some g. log means the isomorphism g g 7! 1, if it exists.

10 Discrete logarithms Goal: Compute some group isomorphism F! q Z=(q 1), represented in the usual way. Algorithm input: h 1 ; h 2 ; : : : 2 F q. Algorithm output: log g h 1 ; log g h 2 ; : : : 2 Z=(q 1) for some g. log means the isomorphism g g 7! 1, if it exists. Generic log algorithms: g on average q 1=2+o(1) operations uniform, q 1=3+o(1) non-uniform. Want something faster. Basic index calculus : 1968 Western Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman Reyneri, 1984 Blake Fuji-Hara Mullin Vanstone, 1985 ElGamal, 1986 Coppersmith Odlyzko Schroeppel, 1991 LaMacchia Odlyzko, 1993 Adleman DeMarrais, 1995 Semaev, 1998 Bender Pomerance.

11 logarithms mpute some morphism (q 1), ed in the usual way. input: : : 2 F q. output: og g h 2 ; : : : 2 Z=(q 1) g. eans the isomorphism f it exists. Generic log algorithms: g on average q 1=2+o(1) operations uniform, q 1=3+o(1) non-uniform. Want something faster. Basic index calculus : 1968 Western Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman Reyneri, 1984 Blake Fuji-Hara Mullin Vanstone, 1985 ElGamal, 1986 Coppersmith Odlyzko Schroeppel, 1991 LaMacchia Odlyzko, 1993 Adleman DeMarrais, 1995 Semaev, 1998 Bender Pomerance. NFS : Gordon, Odlyzko, Weber D 1998 We Lercier, 2 Smart V FFS : 1 Coppersm Odlyzko, Gordon 1999 Ad Joux Le 2010/20 Wang M

12 s me usual way. : 2 Z=(q 1) isomorphism Generic log algorithms: g on average q 1=2+o(1) operations uniform, q 1=3+o(1) non-uniform. Want something faster. Basic index calculus : 1968 Western Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman Reyneri, 1984 Blake Fuji-Hara Mullin Vanstone, 1985 ElGamal, 1986 Coppersmith Odlyzko Schroeppel, 1991 LaMacchia Odlyzko, 1993 Adleman DeMarrais, 1995 Semaev, 1998 Bender Pomerance. NFS : 1991 Schir Gordon, 1993 Schi Odlyzko, 1996 Sch Weber Denny, Weber Denn Lercier, 2006 Joux Smart Vercauteren FFS : 1984 Copp Coppersmith Dave Odlyzko, 1990 Mc Gordon McCurley, 1999 Adleman Hu Joux Lercier, /2012 Hayash Wang Matsuo Sh

13 . 1) m Generic log algorithms: g on average q 1=2+o(1) operations uniform, q 1=3+o(1) non-uniform. Want something faster. Basic index calculus : 1968 Western Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman Reyneri, 1984 Blake Fuji-Hara Mullin Vanstone, 1985 ElGamal, 1986 Coppersmith Odlyzko Schroeppel, 1991 LaMacchia Odlyzko, 1993 Adleman DeMarrais, 1995 Semaev, 1998 Bender Pomerance. NFS : 1991 Schirokauer, 1 Gordon, 1993 Schirokauer, 1 Odlyzko, 1996 Schirokauer Weber Denny, 1996 Weber, 1998 Weber Denny, 2001 Jo Lercier, 2006 Joux Lercier Smart Vercauteren. FFS : 1984 Coppersmith, 1 Coppersmith Davenport, 19 Odlyzko, 1990 McCurley, 19 Gordon McCurley, 1994 Adl 1999 Adleman Huang, 2001 Joux Lercier, 2006 Joux Ler 2010/2012 Hayashi Shinoha Wang Matsuo Shirase Taka

14 Generic log algorithms: g on average q 1=2+o(1) operations uniform, q 1=3+o(1) non-uniform. Want something faster. Basic index calculus : 1968 Western Miller, 1979 Merkle, 1979 Adleman, 1983 Hellman Reyneri, 1984 Blake Fuji-Hara Mullin Vanstone, 1985 ElGamal, 1986 Coppersmith Odlyzko Schroeppel, 1991 LaMacchia Odlyzko, 1993 Adleman DeMarrais, 1995 Semaev, 1998 Bender Pomerance. NFS : 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer Weber Denny, 1996 Weber, 1998 Weber Denny, 2001 Joux Lercier, 2006 Joux Lercier Smart Vercauteren. FFS : 1984 Coppersmith, 1985 Coppersmith Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon McCurley, 1994 Adleman, 1999 Adleman Huang, 2001 Joux Lercier, 2006 Joux Lercier, 2010/2012 Hayashi Shinohara Wang Matsuo Shirase Takagi.

15 log algorithms: g ge q 1=2+o(1) operations q 1=3+o(1) non-uniform. mething faster. dex calculus : 1968 Miller, 1979 Merkle, leman, 1983 Hellman 1984 Blake Fuji-Hara anstone, 1985 ElGamal, ppersmith Odlyzko el, 1991 LaMacchia 1993 Adleman is, 1995 Semaev, nder Pomerance. NFS : 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer Weber Denny, 1996 Weber, 1998 Weber Denny, 2001 Joux Lercier, 2006 Joux Lercier Smart Vercauteren. FFS : 1984 Coppersmith, 1985 Coppersmith Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon McCurley, 1994 Adleman, 1999 Adleman Huang, 2001 Joux Lercier, 2006 Joux Lercier, 2010/2012 Hayashi Shinohara Wang Matsuo Shirase Takagi. FFS, c Shimoya Detrey G Videau Z Barbules Gaudry Zimmerm

16 orithms: 1) operations non-uniform. ster. lus : Merkle, 83 Hellman e Fuji-Hara 1985 ElGamal, Odlyzko amacchia eman emaev, erance. NFS : 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer Weber Denny, 1996 Weber, 1998 Weber Denny, 2001 Joux Lercier, 2006 Joux Lercier Smart Vercauteren. FFS : 1984 Coppersmith, 1985 Coppersmith Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon McCurley, 1994 Adleman, 1999 Adleman Huang, 2001 Joux Lercier, 2006 Joux Lercier, 2010/2012 Hayashi Shinohara Wang Matsuo Shirase Takagi. FFS, continued: Shimoyama Shino Barbulesc Detrey Gaudry Je Videau Zimmerma Barbulescu Bouvie Gaudry Jeljeli Tho Zimmermann.

17 ons rm., n ra mal, NFS : 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer Weber Denny, 1996 Weber, 1998 Weber Denny, 2001 Joux Lercier, 2006 Joux Lercier Smart Vercauteren. FFS : 1984 Coppersmith, 1985 Coppersmith Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon McCurley, 1994 Adleman, 1999 Adleman Huang, 2001 Joux Lercier, 2006 Joux Lercier, 2010/2012 Hayashi Shinohara Wang Matsuo Shirase Takagi. FFS, continued: 2012 Hay Shimoyama Shinohara Taka Barbulescu Bouvier Detrey Gaudry Jeljeli Thom Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videa Zimmermann.

18 NFS : 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer Weber Denny, 1996 Weber, 1998 Weber Denny, 2001 Joux Lercier, 2006 Joux Lercier Smart Vercauteren. FFS : 1984 Coppersmith, 1985 Coppersmith Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon McCurley, 1994 Adleman, 1999 Adleman Huang, 2001 Joux Lercier, 2006 Joux Lercier, 2010/2012 Hayashi Shinohara Wang Matsuo Shirase Takagi. FFS, continued: 2012 Hayashi Shimoyama Shinohara Takagi, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann.

19 NFS : 1991 Schirokauer, 1993 Gordon, 1993 Schirokauer, 1994 Odlyzko, 1996 Schirokauer Weber Denny, 1996 Weber, 1998 Weber Denny, 2001 Joux Lercier, 2006 Joux Lercier Smart Vercauteren. FFS : 1984 Coppersmith, 1985 Coppersmith Davenport, 1985 Odlyzko, 1990 McCurley, 1992 Gordon McCurley, 1994 Adleman, 1999 Adleman Huang, 2001 Joux Lercier, 2006 Joux Lercier, 2010/2012 Hayashi Shinohara Wang Matsuo Shirase Takagi. FFS, continued: 2012 Hayashi Shimoyama Shinohara Takagi, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann. Not your grandpa s FFS : Joux, Joux, Göloğlu Granger McGuire Zumbrägel, Göloğlu Granger McGuire Zumbrägel, Barbulescu Gaudry Joux Thomé.

20 1991 Schirokauer, Schirokauer, Schirokauer enny, 1996 Weber, ber Denny, 2001 Joux 006 Joux Lercier ercauteren. 984 Coppersmith, 1985 ith Davenport, McCurley, 1992 McCurley, 1994 Adleman, leman Huang, 2001 rcier, 2006 Joux Lercier, 12 Hayashi Shinohara atsuo Shirase Takagi. FFS, continued: 2012 Hayashi Shimoyama Shinohara Takagi, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann. Not your grandpa s FFS : Joux, Joux, Göloğlu Granger McGuire Zumbrägel, Göloğlu Granger McGuire Zumbrägel, Barbulescu Gaudry Joux Thomé. Reasona for fixed FFS cost log T 2 (

21 okauer, 1993 rokauer, 1994 irokauer 6 Weber, y, 2001 Joux Lercier. ersmith, 1985 nport, 1985 Curley, Adleman, ang, 2001 Joux Lercier, i Shinohara irase Takagi. FFS, continued: 2012 Hayashi Shimoyama Shinohara Takagi, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann. Not your grandpa s FFS : Joux, Joux, Göloğlu Granger McGuire Zumbrägel, Göloğlu Granger McGuire Zumbrägel, Barbulescu Gaudry Joux Thomé. Reasonable conjec for fixed characteri FFS costs T whe log T 2 (log q) 1=3+

22 ux eman, cier, ra gi. FFS, continued: 2012 Hayashi Shimoyama Shinohara Takagi, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann. Not your grandpa s FFS : Joux, Joux, Göloğlu Granger McGuire Zumbrägel, Göloğlu Granger McGuire Zumbrägel, Barbulescu Gaudry Joux Thomé. Reasonable conjectures for fixed characteristic: FFS costs T where log T 2 (log q) 1=3+o(1).

23 FFS, continued: 2012 Hayashi Shimoyama Shinohara Takagi, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann. Reasonable conjectures for fixed characteristic: FFS costs T where log T 2 (log q) 1=3+o(1). Not your grandpa s FFS : Joux, Joux, Göloğlu Granger McGuire Zumbrägel, Göloğlu Granger McGuire Zumbrägel, Barbulescu Gaudry Joux Thomé.

24 FFS, continued: 2012 Hayashi Shimoyama Shinohara Takagi, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann. Reasonable conjectures for fixed characteristic: FFS costs T where log T 2 (log q) 1=3+o(1) Joux algorithm: log T 2 (log q) 1=4+o(1). Not your grandpa s FFS : Joux, Joux, Göloğlu Granger McGuire Zumbrägel, Göloğlu Granger McGuire Zumbrägel, Barbulescu Gaudry Joux Thomé.

25 FFS, continued: 2012 Hayashi Shimoyama Shinohara Takagi, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann. Not your grandpa s FFS : Joux, Joux, Göloğlu Granger McGuire Zumbrägel, Göloğlu Granger McGuire Zumbrägel, Barbulescu Gaudry Joux Thomé. Reasonable conjectures for fixed characteristic: FFS costs T where log T 2 (log q) 1=3+o(1) Joux algorithm: log T 2 (log q) 1=4+o(1) Barbulescu Gaudry Joux Thomé algorithm: log T 2 (log log q) 2+o(1).

26 FFS, continued: 2012 Hayashi Shimoyama Shinohara Takagi, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann, Barbulescu Bouvier Detrey Gaudry Jeljeli Thomé Videau Zimmermann. Not your grandpa s FFS : Joux, Joux, Göloğlu Granger McGuire Zumbrägel, Göloğlu Granger McGuire Zumbrägel, Barbulescu Gaudry Joux Thomé. Reasonable conjectures for fixed characteristic: FFS costs T where log T 2 (log q) 1=3+o(1) Joux algorithm: log T 2 (log q) 1=4+o(1) Barbulescu Gaudry Joux Thomé algorithm: log T 2 (log log q) 2+o(1) Shor algorithm: log T 2 (log log q) 1+o(1), proven; but needs a quantum computer.

27 ontinued: 2012 Hayashi ma Shinohara Takagi, Barbulescu Bouvier audry Jeljeli Thomé immermann, cu Bouvier Detrey Jeljeli Thomé Videau ann. r grandpa s FFS : Joux, Joux, Göloğlu Granger Zumbrägel, Granger McGuire el, Barbulescu Joux Thomé. Reasonable conjectures for fixed characteristic: FFS costs T where log T 2 (log q) 1=3+o(1) Joux algorithm: log T 2 (log q) 1=4+o(1) Barbulescu Gaudry Joux Thomé algorithm: log T 2 (log log q) 2+o(1) Shor algorithm: log T 2 (log log q) 1+o(1), proven; but needs a quantum computer. Field con I ll make q = p 2n p is an o n 2 Z, p Most int Example (Can you p 2n 1 Find ra with an ' of deg Construc

28 2012 Hayashi hara Takagi, u Bouvier ljeli Thomé nn, r Detrey mé Videau s FFS : 3.02 Joux, ranger el, cguire 6 Barbulescu mé. Reasonable conjectures for fixed characteristic: FFS costs T where log T 2 (log q) 1=3+o(1) Joux algorithm: log T 2 (log q) 1=4+o(1) Barbulescu Gaudry Joux Thomé algorithm: log T 2 (log log q) 2+o(1) Shor algorithm: log T 2 (log log q) 1+o(1), proven; but needs a quantum computer. Field construction I ll make simplifyin q = p 2n where p is an odd prime n 2 Z, p p n Most interesting: Example: p = 100 (Can you find all p p 2n 1 = (p n 1 Find random po with an irreducible ' of degree n. Construct F q as F

29 ashi gi, é 04 u, 5 scu Reasonable conjectures for fixed characteristic: FFS costs T where log T 2 (log q) 1=3+o(1) Joux algorithm: log T 2 (log q) 1=4+o(1) Barbulescu Gaudry Joux Thomé algorithm: log T 2 (log log q) 2+o(1) Shor algorithm: log T 2 (log log q) 1+o(1), proven; but needs a quantum computer. Field construction I ll make simplifying assumpt q = p 2n where p is an odd prime power, n 2 Z, p p n p. Most interesting: n p. Example: p = 1009, n = 99 (Can you find all primes divi p 2n 1 = (p n 1)(p n + 1) Find random poly in F p 2[x with an irreducible divisor ' of degree n. Construct F q as F p 2[x]='.

30 Reasonable conjectures for fixed characteristic: FFS costs T where log T 2 (log q) 1=3+o(1) Joux algorithm: log T 2 (log q) 1=4+o(1) Barbulescu Gaudry Joux Thomé algorithm: log T 2 (log log q) 2+o(1) Shor algorithm: log T 2 (log log q) 1+o(1), proven; but needs a quantum computer. Field construction I ll make simplifying assumption: q = p 2n where p is an odd prime power, n 2 Z, p p n p. Most interesting: n p. Example: p = 1009, n = 997. (Can you find all primes dividing p 2n 1 = (p n 1)(p n + 1)?) Find random poly in F 2[x] p with an irreducible divisor ' of degree n. Construct F q as F p 2[x]='.

31 ble conjectures characteristic: s T where log q) 1=3+o(1). Joux algorithm: log q) 1=4+o(1). Barbulescu Gaudry omé algorithm: log log q) 2+o(1). r algorithm: log log q) 1+o(1), proven; s a quantum computer. Field construction I ll make simplifying assumption: q = p 2n where p is an odd prime power, n 2 Z, p p n p. Most interesting: n p. Example: p = 1009, n = 997. (Can you find all primes dividing p 2n 1 = (p n 1)(p n + 1)?) Find random poly in F 2[x] p with an irreducible divisor ' of degree n. Construct F q as F p 2[x]='. How ma What s c has an ir ' of deg For n express e uniquely (p 2 ) deg (p 2 ) n = (p 2 ) deg chance Similar s Factoring ) Quick

32 tures stic: re o(1). rithm: o(1). u Gaudry ithm: +o(1). m: +o(1), proven; m computer. Field construction I ll make simplifying assumption: q = p 2n where p is an odd prime power, n 2 Z, p p n p. Most interesting: n p. Example: p = 1009, n = 997. (Can you find all primes dividing p 2n 1 = (p n 1)(p n + 1)?) Find random poly in F 2[x] p with an irreducible divisor ' of degree n. Construct F q as F p 2[x]='. How many polys t What s chance tha has an irreducible ' of degree n? For n deg r < 2 express each succe uniquely as ' cof (p 2 ) deg r+1 polys (p 2 ) n =n monic i (p 2 ) deg r n+1 co chance 1=n that Similar story for de Factoring r is fast. ) Quickly find r,

33 ven; ter. Field construction I ll make simplifying assumption: q = p 2n where p is an odd prime power, n 2 Z, p p n p. Most interesting: n p. Example: p = 1009, n = 997. (Can you find all primes dividing p 2n 1 = (p n 1)(p n + 1)?) Find random poly in F 2[x] p with an irreducible divisor ' of degree n. Construct F q as F p 2[x]='. How many polys to try? What s chance that r 2 F p 2 has an irreducible divisor ' of degree n? For n deg r < 2n: express each successful r uniquely as ' cofactor. (p 2 ) deg r+1 polys r, (p 2 ) n =n monic irreds ', (p 2 ) deg r n+1 cofactors ) chance 1=n that r works. Similar story for deg r 2n. Factoring r is fast. ) Quickly find r, '.

34 Field construction I ll make simplifying assumption: q = p 2n where p is an odd prime power, n 2 Z, p p n p. Most interesting: n p. Example: p = 1009, n = 997. (Can you find all primes dividing p 2n 1 = (p n 1)(p n + 1)?) Find random poly in F 2[x] p with an irreducible divisor ' of degree n. Construct F q as F p 2[x]='. How many polys to try? What s chance that r 2 F 2[x] p has an irreducible divisor ' of degree n? For n deg r < 2n: express each successful r uniquely as ' cofactor. (p 2 ) deg r+1 polys r, (p 2 ) n =n monic irreds ', (p 2 ) deg r n+1 cofactors ) chance 1=n that r works. Similar story for deg r 2n. Factoring r is fast. ) Quickly find r, '.

35 struction simplifying assumption: where dd prime power, p n p. eresting: n p. : p = 1009, n = 997. find all primes dividing = (p n 1)(p n + 1)?) ndom poly in F 2[x] p irreducible divisor ree n. t F q as F p 2[x]='. How many polys to try? What s chance that r 2 F 2[x] p has an irreducible divisor ' of degree n? For n deg r < 2n: express each successful r uniquely as ' cofactor. (p 2 ) deg r+1 polys r, (p 2 ) n =n monic irreds ', (p 2 ) deg r n+1 cofactors ) chance 1=n that r works. Similar story for deg r 2n. Factoring r is fast. ) Quickly find r, '. Don t us (Starting Find ' d x p x 2 Then x p p 2 choic so overw that at l e.g. p = can have Easily ge x p = x 2 x p = (x But large

36 g assumption: power, p. n p. 9, n = 997. rimes dividing )(p n + 1)?) ly in F 2[x] p divisor p 2 [x]='. How many polys to try? What s chance that r 2 F 2[x] p has an irreducible divisor ' of degree n? For n deg r < 2n: express each successful r uniquely as ' cofactor. (p 2 ) deg r+1 polys r, (p 2 ) n =n monic irreds ', (p 2 ) deg r n+1 cofactors ) chance 1=n that r works. Similar story for deg r 2n. Factoring r is fast. ) Quickly find r, '. Don t use random (Starting now: aba Find ' dividing x p x 2 for so Then x p = x 2 + p 2 choices of 2 so overwhelmingly that at least one w e.g. p = 1009, n = can have Easily generalize: x p = x 2 + x + x p = (x + )=(x + But larger degrees

37 ion: 7. ding?) ] How many polys to try? What s chance that r 2 F 2[x] p has an irreducible divisor ' of degree n? For n deg r < 2n: express each successful r uniquely as ' cofactor. (p 2 ) deg r+1 polys r, (p 2 ) n =n monic irreds ', (p 2 ) deg r n+1 cofactors ) chance 1=n that r works. Similar story for deg r 2n. Factoring r is fast. ) Quickly find r, '. Don t use random polys! (Starting now: abandon proo Find ' dividing x p x 2 for some 2 F Then x p = x 2 + in F q. p 2 choices of 2 F 2, p so overwhelmingly likely that at least one works. e.g. p = 1009, n = 997: can have = Easily generalize: e.g., take x p = x 2 + x + or x p = (x + )=(x + ). But larger degrees are slower

38 How many polys to try? What s chance that r 2 F 2[x] p has an irreducible divisor ' of degree n? For n deg r < 2n: express each successful r uniquely as ' cofactor. (p 2 ) deg r+1 polys r, (p 2 ) n =n monic irreds ', (p 2 ) deg r n+1 cofactors ) chance 1=n that r works. Similar story for deg r 2n. Factoring r is fast. ) Quickly find r, '. Don t use random polys! (Starting now: abandon proofs.) Find ' dividing x p x 2 for some 2 F 2. p Then x p = x 2 + in F q. p 2 choices of 2 F 2, p so overwhelmingly likely that at least one works. e.g. p = 1009, n = 997: can have = 0. Easily generalize: e.g., take x p = x 2 + x + or x p = (x + )=(x + ). But larger degrees are slower.

39 ny polys to try? hance that r 2 F p 2[x] reducible divisor ree n? deg r < 2n: ach successful r as ' cofactor. r+1 polys r, n monic irreds ', r n+1 cofactors ) 1=n that r works. tory for deg r 2n. r is fast. ly find r, '. Don t use random polys! (Starting now: abandon proofs.) Find ' dividing x p x 2 for some 2 F 2. p Then x p = x 2 + in F q. p 2 choices of 2 F 2, p so overwhelmingly likely that at least one works. e.g. p = 1009, n = 997: can have = 0. Easily generalize: e.g., take x p = x 2 + x + or x p = (x + )=(x + ). But larger degrees are slower. Low-deg First step build tab each sma Easily ch Small h D 1; D

40 o try? t r 2 F 2[x] p divisor n: ssful r actor. r, rreds ', factors ) r works. g r 2n. '. Don t use random polys! (Starting now: abandon proofs.) Find ' dividing x p x 2 for some 2 F 2. p Then x p = x 2 + in F q. p 2 choices of 2 F 2, p so overwhelmingly likely that at least one works. e.g. p = 1009, n = 997: can have = 0. Easily generalize: e.g., take x p = x 2 + x + or x p = (x + )=(x + ). But larger degrees are slower. Low-degree discret First step of algori build table of h 7! each small h 2 F p 2 Easily choose g at Small h : deg h D 1; D 2 O(log

41 [x] Don t use random polys! (Starting now: abandon proofs.) Find ' dividing x p x 2 for some 2 F 2. p Then x p = x 2 + in F q. p 2 choices of 2 F 2, p so overwhelmingly likely that at least one works. e.g. p = 1009, n = 997: can have = 0. Easily generalize: e.g., take x p = x 2 + x + or x p = (x + )=(x + ). But larger degrees are slower. Low-degree discrete logs First step of algorithm: build table of h 7! log g h for each small h 2 F p 2[x] 'F p Easily choose g at same tim Small h : deg h D. Cho D 1; D 2 O(log n= log log

42 Don t use random polys! (Starting now: abandon proofs.) Find ' dividing x p x 2 for some 2 F 2. p Then x p = x 2 + in F q. p 2 choices of 2 F 2, p so overwhelmingly likely Low-degree discrete logs First step of algorithm: build table of h 7! log g h for each small h 2 F 2[x] 'F 2[x]. p p Easily choose g at same time. Small h : deg h D. Choose D 1; D 2 O(log n= log log n). that at least one works. e.g. p = 1009, n = 997: can have = 0. Easily generalize: e.g., take x p = x 2 + x + or x p = (x + )=(x + ). But larger degrees are slower.

43 Don t use random polys! (Starting now: abandon proofs.) Find ' dividing x p x 2 for some 2 F 2. p Then x p = x 2 + in F q. p 2 choices of 2 F 2, p so overwhelmingly likely that at least one works. e.g. p = 1009, n = 997: can have = 0. Low-degree discrete logs First step of algorithm: build table of h 7! log g h for each small h 2 F 2[x] 'F 2[x]. p p Easily choose g at same time. Small h : deg h D. Choose D 1; D 2 O(log n= log log n). Non-uniform approach: algorithm A q knows table! Easily generalize: e.g., take x p = x 2 + x + or x p = (x + )=(x + ). But larger degrees are slower.

44 Don t use random polys! (Starting now: abandon proofs.) Find ' dividing x p x 2 for some 2 F 2. p Then x p = x 2 + in F q. p 2 choices of 2 F 2, p so overwhelmingly likely that at least one works. e.g. p = 1009, n = 997: can have = 0. Easily generalize: e.g., take x p = x 2 + x + or x p = (x + )=(x + ). But larger degrees are slower. Low-degree discrete logs First step of algorithm: build table of h 7! log g h for each small h 2 F 2[x] 'F 2[x]. p p Easily choose g at same time. Small h : deg h D. Choose D 1; D 2 O(log n= log log n). Non-uniform approach: algorithm A q knows table! Two reasons to be more explicit: 1. Want A with q as an input. 2. Method to build table will be reused for larger h.

45 e random polys! now: abandon proofs.) ividing for some 2 F 2. p = x 2 + in F q. es of 2 F 2, p helmingly likely east one works. 1009, n = 997: = 0. neralize: e.g., take + x + or + )=(x + ). r degrees are slower. Low-degree discrete logs First step of algorithm: build table of h 7! log g h for each small h 2 F 2[x] 'F 2[x]. p p Easily choose g at same time. Small h : deg h D. Choose D 1; D 2 O(log n= log log n). Non-uniform approach: algorithm A q knows table! Two reasons to be more explicit: 1. Want A with q as an input. 2. Method to build table will be reused for larger h. The first Q (x for x p x 2 Hope tha splits in Not an u 50% o Then log P l This is a among d of monic

46 polys! ndon proofs.) me 2 F 2. p in F q. F 2, p likely orks. 997: = 0. e.g., take or ). are slower. Low-degree discrete logs First step of algorithm: build table of h 7! log g h for each small h 2 F 2[x] 'F 2[x]. p p Easily choose g at same time. Small h : deg h D. Choose D 1; D 2 O(log n= log log n). Non-uniform approach: algorithm A q knows table! Two reasons to be more explicit: 1. Want A with q as an input. 2. Method to build table will be reused for larger h. The first relation f Q (x ) x for F p 2[x]: eq x p x 2 ; force Hope that x 2 x splits in F p 2[x], sa Not an unreasonab 50% of quadratic Then log g f 1 + log P log g (x This is a relation among discrete log of monic linear po

47 fs.) p Low-degree discrete logs First step of algorithm: build table of h 7! log g h for each small h 2 F 2[x] 'F 2[x]. p p Easily choose g at same time. Small h : deg h D. Choose D 1; D 2 O(log n= log log n). Non-uniform approach: algorithm A q knows table! Two reasons to be more explicit: 1. Want A with q as an input. 2. Method to build table will be reused for larger h. The first relation for D = 1 Q (x ) x 2 x + for F p 2[x]: equal mod x p x 2 ; forces = in F q Hope that x 2 x + splits in F p 2[x], say as f 1 f Not an unreasonable hope: 50% of quadratics split. Then log g f 1 + log g f 2 = P log g (x ). This is a relation among discrete logs of monic linear polys.

48 Low-degree discrete logs First step of algorithm: build table of h 7! log g h for each small h 2 F 2[x] 'F 2[x]. p p Easily choose g at same time. Small h : deg h D. Choose D 1; D 2 O(log n= log log n). Non-uniform approach: algorithm A q knows table! Two reasons to be more explicit: 1. Want A with q as an input. 2. Method to build table will be reused for larger h. The first relation for D = 1 Q (x ) x 2 x +. for F p 2[x]: equal mod x p x 2 ; forces = in F q. Hope that x 2 x + splits in F p 2[x], say as f 1 f 2. Not an unreasonable hope: 50% of quadratics split. Then log g f 1 + log g f 2 = P log g (x ). This is a relation among discrete logs of monic linear polys.

49 ree discrete logs of algorithm: le of h 7! log g h for ll h 2 F 2[x] 'F 2[x]. p p oose g at same time. : deg h D. Choose 2 O(log n= log log n). orm approach: A q knows table! sons to be more explicit: A with q as an input. od to build table used for larger h. The first relation for D = 1 Q (x ) x 2 x +. for F p 2[x]: equal mod x p x 2 ; forces = in F q. Hope that x 2 x + splits in F p 2[x], say as f 1 f 2. Not an unreasonable hope: 50% of quadratics split. Then log g f 1 + log g f 2 = P log g (x ). This is a relation among discrete logs of monic linear polys. More rel For a; b; (cx + d) = (cx + (ax + = (cx + (ax + (cx + (ax + Left side linear po Often rig

50 e logs thm: log g h for [x] 'F 2[x]. p same time. D. Choose n= log log n). ach: s table! more explicit: as an input. table arger h. The first relation for D = 1 Q (x ) x 2 x +. for F p 2[x]: equal mod x p x 2 ; forces = in F q. Hope that x 2 x + splits in F p 2[x], say as f 1 f 2. Not an unreasonable hope: 50% of quadratics split. Then log g f 1 + log g f 2 = P log g (x ). This is a relation among discrete logs of monic linear polys. More relations for For a; b; c; d 2 F p 2 (cx + d) Y (ax + = (cx + d)(ax + b (ax + b)(cx + d = (cx + d)(a p x p + (ax + b)(c p x p + (cx + d)(a p (x 2 (ax + b)(c p (x 2 + Left side is produc linear polys in F p 2 Often right side is

51 2[x]. e. ose n). licit: t. The first relation for D = 1 Q (x ) x 2 x +. for F p 2[x]: equal mod x p x 2 ; forces = in F q. Hope that x 2 x + splits in F p 2[x], say as f 1 f 2. Not an unreasonable hope: 50% of quadratics split. Then log g f 1 + log g f 2 = P log g (x ). This is a relation among discrete logs of monic linear polys. More relations for D = 1 For a; b; c; d 2 F p 2: (cx + d) Y (ax + b (cx = (cx + d)(ax + b) p (ax + b)(cx + d) p = (cx + d)(a p x p + b p ) (ax + b)(c p x p + d p ) (cx + d)(a p (x 2 + ) + b p (ax + b)(c p (x 2 + ) + d p Left side is product of linear polys in F p 2[x]. Often right side is too.

52 The first relation for D = 1 Q (x ) x 2 x +. for F p 2[x]: equal mod x p x 2 ; forces = in F q. Hope that x 2 x + splits in F p 2[x], say as f 1 f 2. Not an unreasonable hope: 50% of quadratics split. Then log g f 1 + log g f 2 = P log g (x ). This is a relation among discrete logs of monic linear polys. More relations for D = 1 For a; b; c; d 2 F p 2: (cx + d) Y (ax + b (cx + d)) = (cx + d)(ax + b) p (ax + b)(cx + d) p = (cx + d)(a p x p + b p ) (ax + b)(c p x p + d p ) (cx + d)(a p (x 2 + ) + b p ) (ax + b)(c p (x 2 + ) + d p ). Left side is product of linear polys in F p 2[x]. Often right side is too.

53 relation for D = 1 ) x 2 x +. F 2[x]: equal mod p ; forces = in F q. t x 2 x + F 2[x], say as p f 1 f 2. nreasonable hope: f quadratics split. f g 1 + log g f 2 = og g (x ). relation iscrete logs linear polys. More relations for D = 1 For a; b; c; d 2 F p 2: (cx + d) Y (ax + b (cx + d)) = (cx + d)(ax + b) p (ax + b)(cx + d) p = (cx + d)(a p x p + b p ) (ax + b)(c p x p + d p ) (cx + d)(a p (x 2 + ) + b p ) (ax + b)(c p (x 2 + ) + d p ). Left side is product of linear polys in F p 2[x]. Often right side is too. 2 F p 2; ) M; M m 2 GL 2 ) M; m No other Is there the set o in PGL 2 ( Cremona Bartel gi Mindless is not a but want

54 or D = 1 2 x +. ual mod s = in F q. + y as f 1 f 2. le hope: s split. g f 2 = ). s lys. More relations for D = 1 For a; b; c; d 2 F p 2: (cx + d) Y (ax + b (cx + d)) = (cx + d)(ax + b) p (ax + b)(cx + d) p = (cx + d)(a p x p + b p ) (ax + b)(c p x p + d p ) (cx + d)(a p (x 2 + ) + b p ) (ax + b)(c p (x 2 + ) + d p ). Left side is product of linear polys in F p 2[x]. Often right side is too. 2 F p 2; M = a c b d ) M; M are redu m 2 GL 2 (F p ); M 2 ) M; mm are red No other obvious r Is there a nice way the set of cosets o in PGL 2 (F p 2)? Be Cremona points m Bartel gives solutio Mindless enumerat is not a real bottle but want fast mult

55 .. 2. More relations for D = 1 For a; b; c; d 2 F p 2: (cx + d) Y (ax + b (cx + d)) = (cx + d)(ax + b) p (ax + b)(cx + d) p = (cx + d)(a p x p + b p ) (ax + b)(c p x p + d p ) (cx + d)(a p (x 2 + ) + b p ) (ax + b)(c p (x 2 + ) + d p ). Left side is product of linear polys in F p 2[x]. Often right side is too. 2 F 2; M d = a b 2 GL2 (F p c ) M; M are redundant. m 2 GL 2 (F p ); M 2 GL 2 (F p 2 ) M; mm are redundant. No other obvious redundanc Is there a nice way to repres the set of cosets of PGL 2 (F p in PGL 2 (F p 2)? Best hints so Cremona points me to F p 4=F Bartel gives solution for GL 2 Mindless enumeration of cos is not a real bottleneck here but want fast multipoint eva

56 More relations for D = 1 For a; b; c; d 2 F p 2: (cx + d) Y (ax + b (cx + d)) = (cx + d)(ax + b) p (ax + b)(cx + d) p = (cx + d)(a p x p + b p ) (ax + b)(c p x p + d p ) (cx + d)(a p (x 2 + ) + b p ) (ax + b)(c p (x 2 + ) + d p ). Left side is product of linear polys in F p 2[x]. Often right side is too. 2 F 2; M d = a b 2 GL2 (F 2) p c p ) M; M are redundant. m 2 GL 2 (F p ); M 2 GL 2 (F p 2) ) M; mm are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL 2 (F p ) in PGL 2 (F p 2)? Best hints so far: Cremona points me to F p 4=F p 2; Bartel gives solution for GL 2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval.

57 ations for D = 1 c; d 2 F p 2: Y (ax + b (cx + d)) d)(ax + b) p b)(cx + d) p d)(a p x p + b p ) b)(c p x p + d p ) d)(a p (x 2 + ) + b p ) b)(c p (x 2 + ) + d p ). is product of lys in F p 2[x]. ht side is too. 2 F 2; M d = a b 2 GL2 (F 2) p c p ) M; M are redundant. m 2 GL 2 (F p ); M 2 GL 2 (F p 2) ) M; mm are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL 2 (F p ) in PGL 2 (F p 2)? Best hints so far: Cremona points me to F p 4=F p 2; Bartel gives solution for GL 2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval. p 3 + p p conjectu Each suc Only p 2 Expect e to determ (or most unless p BGJT sa but fast gives bet (How to Maybe c where

58 D = 1 : b (cx + d)) ) p ) p b p ) d p ) + ) + b p ) ) + d p ). t of [x]. too. 2 F 2; M d = a b 2 GL2 (F 2) p c p ) M; M are redundant. m 2 GL 2 (F p ); M 2 GL 2 (F p 2) ) M; mm are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL 2 (F p ) in PGL 2 (F p 2)? Best hints so far: Cremona points me to F p 4=F p 2; Bartel gives solution for GL 2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval. p 3 + p potential re conjecturally ind Each succeeds with Only p 2 monic line Expect enough rela to determine their (or most logs: ok unless p is very sm BGJT say sparse li but fast matrix mu gives better const (How to avoid ann Maybe cleanest: x where generates

59 ) ). + d)) 2 F 2; M d = a b 2 GL2 (F 2) p c p ) M; M are redundant. m 2 GL 2 (F p ); M 2 GL 2 (F p 2) ) M; mm are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL 2 (F p ) in PGL 2 (F p 2)? Best hints so far: Cremona points me to F p 4=F p 2; Bartel gives solution for GL 2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval. p 3 + p potential relations, conjecturally independent. Each succeeds with chance Only p 2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a unless p is very small. BGJT say sparse linear algeb but fast matrix multiplicatio gives better const in expone (How to avoid annihilating F Maybe cleanest: x p = x 2 + where generates F p 2.)

60 2 F 2; M d = a b 2 GL2 (F 2) p c p ) M; M are redundant. m 2 GL 2 (F p ); M 2 GL 2 (F p 2) ) M; mm are redundant. No other obvious redundancies. Is there a nice way to represent the set of cosets of PGL 2 (F p ) in PGL 2 (F p 2)? Best hints so far: Cremona points me to F p 4=F p 2; Bartel gives solution for GL 2. Mindless enumeration of cosets is not a real bottleneck here but want fast multipoint eval. p 3 + p potential relations, conjecturally independent. Each succeeds with chance 1=6. Only p 2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless p is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F p 2? Maybe cleanest: x p = x 2 + 1, where generates F p 2.)

61 d a b 2 GL2 (F 2) c p are redundant. M = (F p ); M 2 GL 2 (F p 2) M are redundant. obvious redundancies. a nice way to represent f cosets of PGL 2 (F p ) F p 2)? Best hints so far: points me to F p 4=F p 2; ves solution for GL 2. enumeration of cosets real bottleneck here fast multipoint eval. p 3 + p potential relations, conjecturally independent. Each succeeds with chance 1=6. Only p 2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless p is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F p 2? Maybe cleanest: x p = x 2 + 1, where generates F p 2.) More rel For each (ch + d) = (ch + (ah + = (ch + (ah + (ch + (ah + Left side sometim 5% as

62 2 GL2 (F 2) p ndant. GL 2 (F 2) p undant. edundancies. to represent f PGL 2 (F p ) st hints so far: e to F p 4=F p 2; n for GL 2. ion of cosets neck here ipoint eval. p 3 + p potential relations, conjecturally independent. Each succeeds with chance 1=6. Only p 2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless p is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F p 2? Maybe cleanest: x p = x 2 + 1, where generates F p 2.) More relations for For each small h 2 (ch + d) Y (ah + = (ch + d)(ah + b (ah + b)(ch + d = (ch + d)(a p h p + (ah + b)(c p h p + (ch + d)(a p h(x (ah + b)(c p h(x 2 Left side is produc sometimes right si 5% as D! 1.

63 ) p 2 ) ies. ent ) far: p 2;. ets l. p 3 + p potential relations, conjecturally independent. Each succeeds with chance 1=6. Only p 2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless p is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F p 2? Maybe cleanest: x p = x 2 + 1, where generates F p 2.) More relations for arbitrary D For each small h 2 F p 2[x]: (ch + d) Y (ah + b (ch = (ch + d)(ah + b) p (ah + b)(ch + d) p = (ch + d)(a p h p + b p ) (ah + b)(c p h p + d p ) (ch + d)(a p h(x 2 + ) + b (ah + b)(c p h(x 2 + ) + d Left side is product of small sometimes right side is too. 5% as D! 1. BGJT say

64 p 3 + p potential relations, conjecturally independent. Each succeeds with chance 1=6. Only p 2 monic linear polys. Expect enough relations to determine their logs (or most logs: ok to miss a few), unless p is very small. BGJT say sparse linear algebra; but fast matrix multiplication gives better const in exponent. (How to avoid annihilating F p 2? Maybe cleanest: x p = x 2 + 1, where generates F p 2.) More relations for arbitrary D For each small h 2 F p 2[x]: (ch + d) Y (ah + b (ch + d)) = (ch + d)(ah + b) p (ah + b)(ch + d) p = (ch + d)(a p h p + b p ) (ah + b)(c p h p + d p ) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Left side is product of small polys; sometimes right side is too. 5% as D! 1. BGJT say 1=6.

65 otential relations, rally independent. ceeds with chance 1=6. monic linear polys. nough relations ine their logs logs: ok to miss a few), is very small. y sparse linear algebra; matrix multiplication ter const in exponent. avoid annihilating F p 2? leanest: x p = x 2 + 1, generates F p 2.) More relations for arbitrary D For each small h 2 F p 2[x]: (ch + d) Y (ah + b (ch + d)) = (ch + d)(ah + b) p (ah + b)(ch + d) p = (ch + d)(a p h p + b p ) (ah + b)(c p h p + d p ) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Left side is product of small polys; sometimes right side is too. 5% as D! 1. BGJT say 1=6. Larger d What if Use sam (ch + d) (ch + (ah + Occasion product We now Left side factor ba Solve for

66 lations, ependent. chance 1=6. ar polys. tions logs to miss a few), all. near algebra; ltiplication in exponent. ihilating F p 2? p = x 2 + 1, F p 2.) More relations for arbitrary D For each small h 2 F p 2[x]: (ch + d) Y (ah + b (ch + d)) = (ch + d)(ah + b) p (ah + b)(ch + d) p = (ch + d)(a p h p + b p ) (ah + b)(c p h p + d p ) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Left side is product of small polys; sometimes right side is too. 5% as D! 1. BGJT say 1=6. Larger discrete log What if D < deg h Use same equation (ch + d) Y (ah + (ch + d)(a p h(x (ah + b)(c p h(x 2 Occasionally right product of small p We now know thos Left side is produc factor base: fh + Solve for each log g

67 1=6. few), ra; n nt. p 2? 1, More relations for arbitrary D For each small h 2 F p 2[x]: (ch + d) Y (ah + b (ch + d)) = (ch + d)(ah + b) p (ah + b)(ch + d) p = (ch + d)(a p h p + b p ) (ah + b)(c p h p + d p ) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Left side is product of small polys; sometimes right side is too. 5% as D! 1. BGJT say 1=6. Larger discrete logs What if D < deg h 2D? Use same equation: (ch + d) Y (ah + b (ch (ch + d)(a p h(x 2 + ) + b (ah + b)(c p h(x 2 + ) + d Occasionally right side is product of small polys. We now know those discrete Left side is product on new factor base: fh + : 2 F p Solve for each log g (h + ).

68 More relations for arbitrary D For each small h 2 F p 2[x]: (ch + d) Y (ah + b (ch + d)) = (ch + d)(ah + b) p (ah + b)(ch + d) p = (ch + d)(a p h p + b p ) (ah + b)(c p h p + d p ) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Left side is product of small polys; sometimes right side is too. 5% as D! 1. BGJT say 1=6. Larger discrete logs What if D < deg h 2D? Use same equation: (ch + d) Y (ah + b (ch + d)) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: fh + : 2 F p 2g. Solve for each log g (h + ).

69 ations for arbitrary D small h 2 F p 2[x]: Y (ah + b (ch + d)) d)(ah + b) p b)(ch + d) p d)(a p h p + b p ) b)(c p h p + d p ) d)(a p h(x 2 + ) + b p ) b)(c p h(x 2 + ) + d p ). is product of small polys; es right side is too. D! 1. BGJT say 1=6. Larger discrete logs What if D < deg h 2D? Use same equation: (ch + d) Y (ah + b (ch + d)) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: fh + : 2 F p 2g. Solve for each log g (h + ). For deg h D-smoot so u u Need p Note fre Works fo Reminisc (1977 Sc ( p q + (a + b mod larg Factor b pq +

70 arbitrary D F 2[x]: p b (ch + d)) ) p ) p b p ) d p ) 2 + ) + b p ) + ) + d p ). t of small polys; de is too. BGJT say 1=6. Larger discrete logs What if D < deg h 2D? Use same equation: (ch + d) Y (ah + b (ch + d)) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: fh + : 2 F p 2g. Solve for each log g (h + ). For deg h (u=3) D-smoothness cha so u u p 3 relatio Need p 2 relation Note free relations Works for u log Reminiscent of line (1977 Schroeppel) ( p q + a)( pq (a + b) p q + mod large prime q Factor base in line pq + a [ fsm

71 + d)) p ) p ). polys; 1=6. Larger discrete logs What if D < deg h 2D? Use same equation: (ch + d) Y (ah + b (ch + d)) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: fh + : 2 F p 2g. Solve for each log g (h + ). For deg h (u=3)d: D-smoothness chance u u so u u p 3 relations. Need p 2 relations. Note free relations: smooth Works for u log p= log log Reminiscent of linear sieve (1977 Schroeppel): ( p q + a)( pq + b) (a + b) p q + ab + pq mod large prime q. Factor base in linear sieve: pq + a [ fsmall primes

72 Larger discrete logs What if D < deg h 2D? Use same equation: (ch + d) Y (ah + b (ch + d)) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Occasionally right side is product of small polys. We now know those discrete logs. Left side is product on new factor base: fh + : 2 F p 2g. Solve for each log g (h + ). For deg h (u=3)d: D-smoothness chance u u so u u p 3 relations. Need p 2 relations. Note free relations: smooth h +. Works for u log p= log log p. Reminiscent of linear sieve (1977 Schroeppel): ( p q + a)( pq + b) (a + b) p q + ab + pq 2 mod large prime q. Factor base in linear sieve: pq + a [ fsmall primesg. q

73 iscrete logs D < deg h 2D? e equation: Y (ah + b (ch + d)) d)(a p h(x 2 + ) + b p ) b)(c p h(x 2 + ) + d p ). ally right side is of small polys. know those discrete logs. is product on new se: fh + : 2 F p 2g. each log g (h + ). For deg h (u=3)d: D-smoothness chance u u so u u p 3 relations. Need p 2 relations. Note free relations: smooth h +. Works for u log p= log log p. Reminiscent of linear sieve (1977 Schroeppel): ( p q + a)( pq + b) (a + b) p q + ab + pq 2 mod large prime q. Factor base in linear sieve: pq + a [ fsmall primesg. q Arbitrary For (u=3 Use sam (ch + d) (ch + (ah + Occasion side; aga Have see (u=3)dp O(1) su of which

74 s 2D? : b (ch + d)) 2 + ) + b p ) + ) + d p ). side is olys. e discrete logs. t on new : 2 F 2g. p (h + ). For deg h (u=3)d: D-smoothness chance u u so u u p 3 relations. Need p 2 relations. Note free relations: smooth h +. Works for u log p= log log p. Reminiscent of linear sieve (1977 Schroeppel): ( p q + a)( pq + b) (a + b) p q + ab + pq 2 mod large prime q. Factor base in linear sieve: pq + a [ fsmall primesg. q Arbitrary discrete l For (u=3)d < deg Use same equation (ch + d) Y (ah + (ch + d)(a p h(x (ah + b)(c p h(x 2 Occasionally (u=3) side; again fh + Have seen subrout (u=3)d-smooth di p O(1) subroutine c of which Θ(p 2 ) are

75 + d)) p ) p ). logs. 2g. For deg h (u=3)d: D-smoothness chance u u so u u p 3 relations. Need p 2 relations. Note free relations: smooth h +. Works for u log p= log log p. Reminiscent of linear sieve (1977 Schroeppel): ( p q + a)( pq + b) (a + b) p q + ab + pq 2 mod large prime q. Factor base in linear sieve: pq + a [ fsmall primesg. q Arbitrary discrete logs For (u=3)d < deg h (u=3 Use same equation (ch + d) Y (ah + b (ch (ch + d)(a p h(x 2 + ) + b (ah + b)(c p h(x 2 + ) + d Occasionally (u=3)d-smooth side; again fh + g for left s Have seen subroutine to com (u=3)d-smooth discrete logs p O(1) subroutine calls, of which Θ(p 2 ) are importan

76 For deg h (u=3)d: D-smoothness chance u u so u u p 3 relations. Need p 2 relations. Note free relations: smooth h +. Works for u log p= log log p. Reminiscent of linear sieve (1977 Schroeppel): ( p q + a)( pq + b) (a + b) p q + ab + pq 2 mod large prime q. Factor base in linear sieve: pq + a [ fsmall primesg. q Arbitrary discrete logs For (u=3)d < deg h (u=3) 2 D: Use same equation (ch + d) Y (ah + b (ch + d)) (ch + d)(a p h(x 2 + ) + b p ) (ah + b)(c p h(x 2 + ) + d p ). Occasionally (u=3)d-smooth right side; again fh + g for left side. Have seen subroutine to compute (u=3)d-smooth discrete logs. p O(1) subroutine calls, of which Θ(p 2 ) are important.

Similar documents

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm) Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team École Polytechnique / LIX ECC 2015, Sept. 28th Aurore Guillevic (INRIA/LIX)

More information

Discrete logarithms: Recent progress (and open problems)

Discrete logarithms: Recent progress (and open problems) Discrete logarithms: Recent progress (and open problems) CryptoExperts Chaire de Cryptologie de la Fondation de l UPMC LIP6 February 25 th, 2014 Discrete logarithms Given a multiplicative group G with

More information

A brief overwiev of pairings

A brief overwiev of pairings Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

More information

On the complexity of computing discrete logarithms in the field F

On the complexity of computing discrete logarithms in the field F On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of

More information

A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic

A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic Razvan Barbulescu 1, Pierrick Gaudry 1, Antoine Joux 2,3, and Emmanuel Thomé 1 1 Inria, CNRS, University of

More information

Traps to the BGJT-Algorithm for Discrete Logarithms

Traps to the BGJT-Algorithm for Discrete Logarithms Submitted exclusively to the London Mathematical Society doi:10.1112/0000/000000 Traps to the BGJT-Algorithm for Discrete Logarithms Qi Cheng, Daqing Wan and Jincheng Zhuang Abstract In the recent breakthrough

More information

The number field sieve in the medium prime case

The number field sieve in the medium prime case The number field sieve in the medium prime case Frederik Vercauteren ESAT/COSIC - K.U. Leuven Joint work with Antoine Joux, Reynald Lercier, Nigel Smart Finite Field DLOG Basis finite field is F p = {0,...,

More information

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic ECC, Chennai October 8, 2014 A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 Emmanuel Thomé 2 IMJ-PRG, Paris Loria,

More information

Computational algebraic number theory tackles lattice-based cryptography

Computational algebraic number theory tackles lattice-based cryptography Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right

More information

A quasi polynomial algorithm for discrete logarithm in small characteristic

A quasi polynomial algorithm for discrete logarithm in small characteristic CCA seminary January 10, 2014 A quasi polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 Emmanuel Thomé 2 LIX, École Polytechnique

More information

Solving a 6120-bit DLP on a Desktop Computer

Solving a 6120-bit DLP on a Desktop Computer Solving a 6120-bit DLP on a Desktop Computer Faruk Göloğlu, Robert Granger, Gary McGuire, and Jens Zumbrägel Claude Shannon Institute Complex & Adaptive Systems Laboratory School of Mathematical Sciences

More information

Computing Individual Discrete Logarithms Faster in GF(p n ) with the NFS-DL Algorithm

Computing Individual Discrete Logarithms Faster in GF(p n ) with the NFS-DL Algorithm Computing Individual Discrete Logarithms Faster in GF(p n ) with the NFS-DL Algorithm Aurore Guillevic 1,2 1 Inria Saclay, Palaiseau, France 2 École Polytechnique/LIX, Palaiseau, France guillevic@lixpolytechniquefr

More information

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers

More information

Problème du logarithme discret sur courbes elliptiques

Problème du logarithme discret sur courbes elliptiques Problème du logarithme discret sur courbes elliptiques Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM Groupe de travail équipe ARITH LIRMM Vanessa VITSE (UVSQ) DLP over elliptic

More information

Non-generic attacks on elliptic curve DLPs

Non-generic attacks on elliptic curve DLPs Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith

More information

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Integer factorization, part 1: the Q sieve. D. J. Bernstein Integer factorization, part 1: the Q sieve D. J. Bernstein Sieving small integers 0 using primes 3 5 7: 1 3 3 4 5 5 6 3 7 7 8 9 3 3 10 5 11 1 3 13 14 7 15 3 5 16 17 18 3 3 19 0 5 etc. Sieving and 611 +

More information

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry

More information

A GENERAL POLYNOMIAL SIEVE

A GENERAL POLYNOMIAL SIEVE A GENERAL POLYNOMIAL SIEVE SHUHONG GAO AND JASON HOWELL Abstract. An important component of the index calculus methods for finding discrete logarithms is the acquisition of smooth polynomial relations.

More information

Computational algebraic number theory tackles lattice-based cryptography

Computational algebraic number theory tackles lattice-based cryptography Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right

More information

Hyperelliptic curves

Hyperelliptic curves 1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven 2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic

More information

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017

More information

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction Aurore Guillevic and François Morain and Emmanuel Thomé University of Calgary, PIMS CNRS, LIX École Polytechnique, Inria, Loria SAC,

More information

part 2: detecting smoothness part 3: the number-field sieve

part 2: detecting smoothness part 3: the number-field sieve Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness Integer factorization, part 3: the number-field sieve D. J. Bernstein Problem: Factor 611. The Q sieve forms

More information

Theorem 5.3. Let E/F, E = F (u), be a simple field extension. Then u is algebraic if and only if E/F is finite. In this case, [E : F ] = deg f u.

Theorem 5.3. Let E/F, E = F (u), be a simple field extension. Then u is algebraic if and only if E/F is finite. In this case, [E : F ] = deg f u. 5. Fields 5.1. Field extensions. Let F E be a subfield of the field E. We also describe this situation by saying that E is an extension field of F, and we write E/F to express this fact. If E/F is a field

More information

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de

More information

Hyperelliptic Curve Cryptography

Hyperelliptic Curve Cryptography Hyperelliptic Curve Cryptography A SHORT INTRODUCTION Definition (HEC over K): Curve with equation y 2 + h x y = f x with h, f K X Genus g deg h(x) g, deg f x = 2g + 1 f monic Nonsingular 2 Nonsingularity

More information

Algorithmes de calcul de logarithme discret dans les corps finis

Algorithmes de calcul de logarithme discret dans les corps finis Algorithmes de calcul de logarithme discret dans les corps finis Grenoble, École de printemps C2 2014 E. Thomé CARAMEL /* */ C,A, /* */ R,a, /* */ M,E, L,i= 5,e, d[5],q[999 ){for ]={0};main(N (;i--;e=scanf("%"

More information

On Generating Coset Representatives of P GL 2 (F q ) in P GL 2 (F q 2)

On Generating Coset Representatives of P GL 2 (F q ) in P GL 2 (F q 2) On Generating Coset Representatives of P GL 2 F q in P GL 2 F q 2 Jincheng Zhuang 1,2 and Qi Cheng 3 1 State Key Laboratory of Information Security Institute of Information Engineering Chinese Academy

More information

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago Prelude: finding denominators 87366 22322444 in R. Easily compute

More information

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 )

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 ) Breaking pairing-based cryptosystems using η T pairing over GF (3 97 ) Takuya Hayashi 1, Takeshi Shimoyama 2, Naoyuki Shinohara 3, and Tsuyoshi Takagi 1 1 Kyushu University 2 FUJITSU LABORATORIES Ltd.

More information

Improving NFS for the discrete logarithm problem in non-prime nite elds

Improving NFS for the discrete logarithm problem in non-prime nite elds Improving NFS for the discrete logarithm problem in non-prime nite elds Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, Francois Morain Institut national de recherche en informatique et en automatique

More information

DISCRETE LOGARITHMS IN FINITE FIELDS. Dean Phillip Rei. B.A., University of Colorado at Boulder, B.A., University of Colorado at Denver, 1987

DISCRETE LOGARITHMS IN FINITE FIELDS. Dean Phillip Rei. B.A., University of Colorado at Boulder, B.A., University of Colorado at Denver, 1987 DISCRETE LOGARITHMS IN FINITE FIELDS by Dean Phillip Rei B.A., University of Colorado at Boulder, 1980 B.A., University of Colorado at Denver, 1987 A thesis submitted to the University of Colorado at Denver

More information

Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field

Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field Koh-ichi Nagao nagao@kanto-gakuin.ac.jp Dept. of Engineering, Kanto Gakuin Univ., 1-50-1 Mutsuura Higashi Kanazawa-ku

More information

A L A BA M A L A W R E V IE W

A L A BA M A L A W R E V IE W A L A BA M A L A W R E V IE W Volume 52 Fall 2000 Number 1 B E F O R E D I S A B I L I T Y C I V I L R I G HT S : C I V I L W A R P E N S I O N S A N D TH E P O L I T I C S O F D I S A B I L I T Y I N

More information

Nearly Sparse Linear Algebra

Nearly Sparse Linear Algebra Nearly Sparse Linear Algebra Antoine Joux 1,2,4 and Cécile Pierrot 3,4 1 CryptoExperts, France 2 Chaire de Cryptologie de la Fondation de l UPMC 3 CNRS and Direction Générale de l Armement 4 Laboratoire

More information

The factorization of RSA D. J. Bernstein University of Illinois at Chicago

The factorization of RSA D. J. Bernstein University of Illinois at Chicago The factorization of RSA-1024 D. J. Bernstein University of Illinois at Chicago Abstract: This talk discusses the most important tools for attackers breaking 1024-bit RSA keys today and tomorrow. The same

More information

Improving NFS for the discrete logarithm problem in non-prime finite fields

Improving NFS for the discrete logarithm problem in non-prime finite fields Improving NFS for the discrete logarithm problem in non-prime finite fields Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, François Morain To cite this version: Razvan Barbulescu, Pierrick Gaudry,

More information

A connection between number theory and linear algebra

A connection between number theory and linear algebra A connection between number theory and linear algebra Mark Steinberger Contents 1. Some basics 1 2. Rational canonical form 2 3. Prime factorization in F[x] 4 4. Units and order 5 5. Finite fields 7 6.

More information

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Cover and Decomposition Index Calculus on Elliptic Curves made practical Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over F p 6 Vanessa VITSE Antoine JOUX Université de Versailles Saint-Quentin, Laboratoire

More information

P a g e 5 1 of R e p o r t P B 4 / 0 9

P a g e 5 1 of R e p o r t P B 4 / 0 9 P a g e 5 1 of R e p o r t P B 4 / 0 9 J A R T a l s o c o n c l u d e d t h a t a l t h o u g h t h e i n t e n t o f N e l s o n s r e h a b i l i t a t i o n p l a n i s t o e n h a n c e c o n n e

More information

REMARKS ON THE NFS COMPLEXITY

REMARKS ON THE NFS COMPLEXITY REMARKS ON THE NFS COMPLEXITY PAVOL ZAJAC Abstract. In this contribution we investigate practical issues with implementing the NFS algorithm to solve the DLP arising in XTR-based cryptosystems. We can

More information

GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2)

GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2) GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2) KEITH CONRAD We will describe a procedure for figuring out the Galois groups of separable irreducible polynomials in degrees 3 and 4 over

More information

Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree

Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree Taechan Kim 1 and Jinhyuck Jeong 2 1 NTT Secure Platform Laboratories, Japan taechan.kim@lab.ntt.co.jp

More information

Solving Elliptic Curve Discrete Logarithm Problems Using Weil Descent

Solving Elliptic Curve Discrete Logarithm Problems Using Weil Descent Solving Elliptic Curve Discrete Logarithm Problems Using Weil Descent Michael Jacobson University of Manitoba jacobs@cs.umanitoba.ca Alfred Menezes Certicom Research & University of Waterloo ajmeneze@uwaterloo.ca

More information

A construction of 3-dimensional lattice sieve for number field sieve over GF(p n )

A construction of 3-dimensional lattice sieve for number field sieve over GF(p n ) A construction of 3-dimensional lattice sieve for number field sieve over GF(p n ) Kenichiro Hayasaka 1, Kazumaro Aoki 2, Tetsutaro Kobayashi 2, and Tsuyoshi Takagi 3 Mitsubishi Electric, Japan NTT Secure

More information

Summation polynomial algorithms for elliptic curves in characteristic two

Summation polynomial algorithms for elliptic curves in characteristic two Summation polynomial algorithms for elliptic curves in characteristic two Steven D. Galbraith and Shishay W. Gebregiyorgis Mathematics Department, University of Auckland, New Zealand. S.Galbraith@math.auckland.ac.nz,sgeb522@aucklanduni.ac.nz

More information

Post-Quantum Cryptography

Post-Quantum Cryptography Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike

More information

The quantum threat to cryptography

The quantum threat to cryptography The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental

More information

Block Wiedemann likes Schirokauer maps

Block Wiedemann likes Schirokauer maps Block Wiedemann likes Schirokauer maps E. Thomé INRIA/CARAMEL, Nancy. /* EPI CARAMEL */ C,A, /* Cryptologie, Arithmétique : */ R,a, /* Matériel et Logiciel */ M,E, L,i= 5,e, d[5],q[999 ]={0};main(N ){for

More information

MTH Abstract Algebra II S17. Review for the Final Exam. Part I

MTH Abstract Algebra II S17. Review for the Final Exam. Part I MTH 411-1 Abstract Algebra II S17 Review for the Final Exam Part I You will be allowed to use the textbook (Hungerford) and a print-out of my online lecture notes during the exam. Nevertheless, I recommend

More information

Open problems in lattice-based cryptography

Open problems in lattice-based cryptography University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear

More information

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.

More information

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago Is it easy to determine whether a given integer is prime? If easy means computable

More information

Polynomial Selection for Number Field Sieve in Geometric View

Polynomial Selection for Number Field Sieve in Geometric View Polynomial Selection for Number Field Sieve in Geometric View Min Yang 1, Qingshu Meng 2, zhangyi Wang 2, Lina Wang 2, and Huanguo Zhang 2 1 International school of software, Wuhan University, Wuhan, China,

More information

The point decomposition problem in Jacobian varieties

The point decomposition problem in Jacobian varieties The point decomposition problem in Jacobian varieties Jean-Charles Faugère2, Alexandre Wallet1,2 1 2 ENS Lyon, Laboratoire LIP, Equipe AriC UPMC Univ Paris 96, CNRS, INRIA, LIP6, Equipe PolSys 1 / 19 1

More information

Table of C on t en t s Global Campus 21 in N umbe r s R e g ional Capac it y D e v e lopme nt in E-L e ar ning Structure a n d C o m p o n en ts R ea

Table of C on t en t s Global Campus 21 in N umbe r s R e g ional Capac it y D e v e lopme nt in E-L e ar ning Structure a n d C o m p o n en ts R ea G Blended L ea r ni ng P r o g r a m R eg i o na l C a p a c i t y D ev elo p m ent i n E -L ea r ni ng H R K C r o s s o r d e r u c a t i o n a n d v e l o p m e n t C o p e r a t i o n 3 0 6 0 7 0 5

More information

The filtering step of discrete logarithm and integer factorization algorithms

The filtering step of discrete logarithm and integer factorization algorithms The filtering step of discrete logarithm and integer factorization algorithms Cyril Bouvier To cite this version: Cyril Bouvier. The filtering step of discrete logarithm and integer factorization algorithms.

More information

Solving a 6120-bit DLP on a Desktop Computer

Solving a 6120-bit DLP on a Desktop Computer Solving a 6120-bit DLP on a Desktop Computer Faruk Göloğlu, Robert Granger, Gary McGuire, and Jens Zumbrägel Complex & Adaptive Systems Laboratory and School of Mathematical Sciences University College

More information

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption

More information

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago Is it easy to determine whether a given integer is prime? If easy means computable

More information

50 Algebraic Extensions

50 Algebraic Extensions 50 Algebraic Extensions Let E/K be a field extension and let a E be algebraic over K. Then there is a nonzero polynomial f in K[x] such that f(a) = 0. Hence the subset A = {f K[x]: f(a) = 0} of K[x] does

More information

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm Palash Sarkar and Shashank Singh Indian Statistical Institute, Kolkata September 5, 2016

More information

On the Discrete Logarithm Problem on Algebraic Tori

On the Discrete Logarithm Problem on Algebraic Tori On the Discrete Logarithm Problem on Algebraic Tori R. Granger 1 and F. Vercauteren 2 1 University of Bristol, Department of Computer Science, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB,

More information

Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen)

Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen) Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen) Brown University Cambridge University Number Theory Seminar Thursday, February 22, 2007 0 Modular Curves and Heegner Points

More information

OH BOY! Story. N a r r a t iv e a n d o bj e c t s th ea t e r Fo r a l l a g e s, fr o m th e a ge of 9

OH BOY! Story. N a r r a t iv e a n d o bj e c t s th ea t e r Fo r a l l a g e s, fr o m th e a ge of 9 OH BOY! O h Boy!, was or igin a lly cr eat ed in F r en ch an d was a m a jor s u cc ess on t h e Fr en ch st a ge f or young au di enc es. It h a s b een s een by ap pr ox i ma t ely 175,000 sp ect at

More information

arxiv: v4 [cs.dm] 4 Nov 2013

arxiv: v4 [cs.dm] 4 Nov 2013 arxiv:1304.1206v4 [cs.dm] 4 Nov 2013 Finding primitive elements in finite fields of small characteristic Ming-Deh Huang and Anand Kumar Narayanan Abstract. We describe a deterministic algorithm for finding

More information

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness D. J. Bernstein The Q sieve factors by combining enough -smooth congruences ( + ). Enough log. Plausible conjecture:

More information

Discrete Logarithm Problem

Discrete Logarithm Problem Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative

More information

Relation collection for the Function Field Sieve

Relation collection for the Function Field Sieve Relation collection for the Function Field Sieve Jérémie Detrey, Pierrick Gaudry and Marion Videau CARAMEL project-team, LORIA, INRIA / CNRS / Université de Lorraine, Vandœuvre-lès-Nancy, France Email:

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/

More information

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven NTRU Prime Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal Technische Universiteit Eindhoven 25 August 2016 Tanja Lange NTRU Prime https://eprint.iacr.org/2016/461

More information

On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem

On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem Qi Cheng 1 and Ming-Deh Huang 2 1 School of Computer Science The University of Oklahoma Norman, OK 73019, USA. Email: qcheng@cs.ou.edu.

More information

Commutative Rings and Fields

Commutative Rings and Fields Commutative Rings and Fields 1-22-2017 Different algebraic systems are used in linear algebra. The most important are commutative rings with identity and fields. Definition. A ring is a set R with two

More information

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR 0716498 Part I. Linear maps Consider computing 0

More information

Thanks to: University of Illinois at Chicago NSF DMS Alfred P. Sloan Foundation

Thanks to: University of Illinois at Chicago NSF DMS Alfred P. Sloan Foundation Building circuits for integer factorization D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS 0140542 Alfred P. Sloan Foundation I want to work for NSA as an independent contractor.

More information

Lecture Prelude: Agarwal-Biswas Probabilistic Testing

Lecture Prelude: Agarwal-Biswas Probabilistic Testing 6.S897 Algebra and Computation March 19, 2012 Lecture 12 Lecturer: Madhu Sudan Scribe: Zeyuan Allen Zhu 1 Today s Problem: Primality Testing Given an n-bit integer N, output YES if n is prime and NO otherwise.

More information

The point decomposition problem in Jacobian varieties

The point decomposition problem in Jacobian varieties The point decomposition problem in Jacobian varieties Alexandre Wallet ENS Lyon, Laboratoire LIP, Equipe AriC 1 / 38 1 Generalities Discrete Logarithm Problem Short State-of-the-Art for curves About Index-Calculus

More information

Galois Theory Overview/Example Part 1: Extension Fields. Overview:

Galois Theory Overview/Example Part 1: Extension Fields. Overview: Galois Theory Overview/Example Part 1: Extension Fields I ll start by outlining very generally the way Galois theory works. Then, I will work through an example that will illustrate the Fundamental Theorem

More information

Smoothness Testing of Polynomials over Finite Fields

Smoothness Testing of Polynomials over Finite Fields Smoothness Testing of Polynomials over Finite Fields Jean-François Biasse and Michael J. Jacobson Jr. Department of Computer Science, University of Calgary 2500 University Drive NW Calgary, Alberta, Canada

More information

I. Introduction. MPRI Cours Lecture IIb: Introduction to integer factorization. F. Morain. Input: an integer N; Output: N = k

I. Introduction. MPRI Cours Lecture IIb: Introduction to integer factorization. F. Morain. Input: an integer N; Output: N = k F. Morain École polytechnique MPRI cours 2-12-2 2009-2010 3/26 F. Morain École polytechnique MPRI cours 2-12-2 2009-2010 4/26 MPRI Cours 2-12-2 I. Introduction ECOLE POLYTECHNIQUE F. Morain Lecture IIb:

More information

On Class Group Computations Using the Number Field Sieve

On Class Group Computations Using the Number Field Sieve On Class Group Computations Using the Number Field Sieve Mark L. Bauer 1 and Safuat Hamdy 2 1 University of Waterloo Centre for Applied Cryptographic Research Waterloo, Ontario, N2L 3G1 mbauer@math.uwaterloo.ca

More information

Tables of elliptic curves over number fields

Tables of elliptic curves over number fields Tables of elliptic curves over number fields John Cremona University of Warwick 10 March 2014 Overview 1 Why make tables? What is a table? 2 Simple enumeration 3 Using modularity 4 Curves with prescribed

More information

Integration by partial fractions

Integration by partial fractions Roberto s Notes on Integral Calculus Chapter : Integration methods Section 15 Integration by partial fractions with non-repeated quadratic factors What you need to know already: How to use the integration

More information

T h e C S E T I P r o j e c t

T h e C S E T I P r o j e c t T h e P r o j e c t T H E P R O J E C T T A B L E O F C O N T E N T S A r t i c l e P a g e C o m p r e h e n s i v e A s s es s m e n t o f t h e U F O / E T I P h e n o m e n o n M a y 1 9 9 1 1 E T

More information

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a. INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e

More information

Elliptic Curves and Public Key Cryptography

Elliptic Curves and Public Key Cryptography Elliptic Curves and Public Key Cryptography Jeff Achter January 7, 2011 1 Introduction to Elliptic Curves 1.1 Diophantine equations Many classical problems in number theory have the following form: Let

More information

FACTORIZATION OF IDEALS

FACTORIZATION OF IDEALS FACTORIZATION OF IDEALS 1. General strategy Recall the statement of unique factorization of ideals in Dedekind domains: Theorem 1.1. Let A be a Dedekind domain and I a nonzero ideal of A. Then there are

More information

University of Illinois at Chicago. Prelude: What is the fastest algorithm to sort an array?

University of Illinois at Chicago. Prelude: What is the fastest algorithm to sort an array? Challenges in quantum algorithms for integer factorization 1 D. J. Bernstein University of Illinois at Chicago Prelude: What is the fastest algorithm to sort an array? def blindsort(x): while not issorted(x):

More information

Discrete Logarithm in GF(2 809 ) with FFS

Discrete Logarithm in GF(2 809 ) with FFS Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu, Cyril Bouvier, Jérémie Detrey, Pierrick Gaudry, Hamza Jeljeli, Emmanuel Thomé, Marion Videau, and Paul Zimmermann CARAMEL project-team, LORIA,

More information

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Elliptic Curves Spring 2013 Lecture #12 03/19/2013 18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring

More information

Lecture 8: Finite fields

Lecture 8: Finite fields Lecture 8: Finite fields Rajat Mittal IIT Kanpur We have learnt about groups, rings, integral domains and fields till now. Fields have the maximum required properties and hence many nice theorems can be

More information

Improvements to the number field sieve for non-prime finite fields

Improvements to the number field sieve for non-prime finite fields Improvements to the number field sieve for non-prime finite fields Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, François Morain To cite this version: Razvan Barbulescu, Pierrick Gaudry, Aurore

More information

FOR SALE T H S T E., P R I N C E AL BER T SK

FOR SALE T H S T E., P R I N C E AL BER T SK FOR SALE 1 50 1 1 5 T H S T E., P R I N C E AL BER T SK CHECK OUT THIS PROPERTY ON YOUTUBE: LIVINGSKY CONDOS TOUR W W W. LIV IN G S K YC O N D O S. C A Th e re is ou tstan d in g val ue in these 52 re

More information

School of Mathematics and Statistics. MT5836 Galois Theory. Handout 0: Course Information

School of Mathematics and Statistics. MT5836 Galois Theory. Handout 0: Course Information MRQ 2017 School of Mathematics and Statistics MT5836 Galois Theory Handout 0: Course Information Lecturer: Martyn Quick, Room 326. Prerequisite: MT3505 (or MT4517) Rings & Fields Lectures: Tutorials: Mon

More information

Fast, twist-secure elliptic curve cryptography from Q-curves

Fast, twist-secure elliptic curve cryptography from Q-curves Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,

More information

Chapter 3. Rings. The basic commutative rings in mathematics are the integers Z, the. Examples

Chapter 3. Rings. The basic commutative rings in mathematics are the integers Z, the. Examples Chapter 3 Rings Rings are additive abelian groups with a second operation called multiplication. The connection between the two operations is provided by the distributive law. Assuming the results of Chapter

More information

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n). 18.310 lecture notes April 22, 2015 Factoring Lecturer: Michel Goemans We ve seen that it s possible to efficiently check whether an integer n is prime or not. What about factoring a number? If this could

More information

Fermat s Last Theorem for Regular Primes

Fermat s Last Theorem for Regular Primes Fermat s Last Theorem for Regular Primes S. M.-C. 22 September 2015 Abstract Fermat famously claimed in the margin of a book that a certain family of Diophantine equations have no solutions in integers.

More information

Igusa class polynomials

Igusa class polynomials Number Theory Seminar Cambridge 26 April 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P P Q E is a commutative algebraic group Endomorphisms

More information

Galois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a.

Galois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a. Galois fields 1 Fields A field is an algebraic structure in which the operations of addition, subtraction, multiplication, and division (except by zero) can be performed, and satisfy the usual rules. More

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback