A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic

Transcription

1 ECC, Chennai October 8, 2014 A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 Emmanuel Thomé 2 IMJ-PRG, Paris Loria, Nancy LIP6, Paris R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 0 / 28

2 Context The discrete logarithm problem (DLP) In a cyclic group G, given a generator g and an element g a, FIND a. We can search the smallest positive integer solution a or, more common, the residue of a modulo a prime factor l of #G. Choices for G 1. elliptic curves (estimated of exponential difficulty); 2. multiplicative group of finite fields (subexponential) 2.1 small characteristic, e.g. F 2 n and F 3 n, 2.2 non-small characteristic, e.g. F p and F p 2 Example When G = (F p ), given two integers g and h, if it exists, FIND x in g x h mod p. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 1 / 28

3 Motivation factorization same complexity discrete log. in F p analogous pairings inversion over F 2 n relies on relies on discrete log. in F 2 n elliptic curves discrete log. over F 2 n F Q is the field of Q elements, Q prime power. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 2 / 28

4 Shanks baby-step giant-step algorithm Let K N and write the discrete log of x as x = x 0 + K x 1, with 0 x 0 < K and 0 x 1 < N/K. Algorithm 1. Compute Baby Steps: For all i in [0, K 1], compte g i. Store in a hash table the resulting pairs (g i, i). 2. Compute Giant Steps: For all j in [0, N/K ], compute hg Kj. If the resulting element is in the BS table, then get the corresponding i, and return x = i + Kj. Theorem Discrete logarithms in a cyclic group of order N can be computed in less than 2 N operations. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 3 / 28

5 Shanks baby-step giant-step algorithm Let K N and write the discrete log of x as x = x 0 + K x 1, with 0 x 0 < K and 0 x 1 < N/K. Algorithm 1. Compute Baby Steps: For all i in [0, K 1], compte g i. Store in a hash table the resulting pairs (g i, i). 2. Compute Giant Steps: For all j in [0, N/K ], compute hg Kj. If the resulting element is in the BS table, then get the corresponding i, and return x = i + Kj. Theorem Discrete logarithms in a cyclic group of order N can be computed in less than 2 N operations. Multiplicative group of finite fields is not a generic groups! R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 3 / 28

6 History For two constatnts α [0, 1] and c > 0, we put ) L Q (α, c) = exp (c + o(1))(log Q) α (log log Q) 1 α Put n = log Q. L Q (0) = n O(1) i.e. polynomial; L Q (1) = 2 O(n) i.e. exponential; L Q (1/2) 2 n ; DLP algorithms invented in L Q (1/3) 2 3 n ; DLP algorithms invented in R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 4 / 28

7 Smoothness Definition A polynomial in F q [t] is m-smooth if it factors into polynomials of degree less than or equal to m. Computation One can test if a polynomial is smooth by factoring it (probabilistic polynomial). Theorem (Panario Gourdon Flajolet) The probability that a degree-n polynomial is m-smooth is 1/u u(1+o(1)) where u = n m. Cases: n = D, m = D/6 gives a constant probability; n = D, m = 1 gives a probability 1/D! 1/D D. n = log q L x (α, ), m = log q L x (β, ) gives a probability of 1/L x (α β, ); R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 5 / 28

8 Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

9 Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

10 Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ t 7 2(t + 2)(t + 1)(t + 1) mod ϕ R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

11 Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ t 7 2(t + 2)(t + 1)(t + 1) mod ϕ The last relation gives: 7 log g t log g log g (t + 2) + 2 log g (t + 1) mod 11 R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

12 Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ t 7 2(t + 2)(t + 1)(t + 1) mod ϕ The last relation gives: 7 log g t 1 log g (t + 2) + 2 log g (t + 1) mod 11 Proposition If a F q and l is a factor of q k 1 coprime to (q 1), then log a 0 mod l. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

13 Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ The last relation gives: t log g t 1 log g (t + 2) + 2 log g (t + 1) mod 11 8 log g (t + 1) = 1 log g (t + 2) mod 11 9 log g (t + 2) = 2 log g t mod 11 We find log g (t + 1) 158 mod 11 and log g (t + 2) 54 mod 11. Proposition If a F q and l is a factor of q k 1 coprime to (q 1), then log a 0 mod l. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

14 Descent Example (cont d) Let us compute log g P for an arbitrary polynomial, say P = t 4 + t + 2. We have P 2 t 4 + t 3 + 2t 2 + 2t + 2 mod ϕ P 3 2(t + 1)(t + 2)(t 2 + 1) mod ϕ P 4 (t + 1)(t + 2)t 2 mod ϕ. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 7 / 28

15 Descent Example (cont d) Let us compute log g P for an arbitrary polynomial, say P = t 4 + t + 2. We have P 2 t 4 + t 3 + 2t 2 + 2t + 2 mod ϕ P 3 2(t + 1)(t + 2)(t 2 + 1) mod ϕ P 4 (t + 1)(t + 2)t 2 mod ϕ. By taking discrete logarithms we obtain So log g P = log g P = 1 log g (t + 1) + 1 log g (t + 2) + 2 log g t. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 7 / 28

16 Discrete logarithms of constants Here l is a prime factor of the group order q k 1, larger than q 1. Elements of F q Elements of F q F q k a q 1 = 1, so we have Hence, are represented in F q [t]/ ϕ by constants a. They satisfy log g (a q 1 ) log g (1) 0 mod l. Since l is prime and larger than q 1, (q 1) log g a 0 mod l. log g a 0 mod l. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 8 / 28

17 Comments Index calculus family All L(1/2) and L(1/3) DLP algorithms follow the same scheme (of Kraitchik 1922): Relation collection; Linear algebra to get logs of factor base elements; Individual log, to handle any element. New algorithms Joux s L(1/4) algorithm still uses this terminology (but very different in nature). Quasi-polynomial time algorithm: it s time to stop speaking about factor base! R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 9 / 28

18 Records for fields F 2 n with prime n Let us compare to the factoring record: 768 bits in FFS is the choice in practice, and its variants Coppersmith (inseparable polynomials); Two rational sides FFS (Joux-Lercier). GIPS=giga instructions per second n date GIPS year algo. author Copp. Gordon,McCurley FFS Joux,Lercier Copp. Thomé FFS Joux,Lercier FFS Joux,Lercier FFS Caramel FFS Caramel 1 Using the same algorithm as for prime degrees. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 10 / 28

19 Records for fields F 2 n with prime n Let us compare to the factoring record: 768 bits in FFS is the choice in practice, and its variants Coppersmith (inseparable polynomials); Two rational sides FFS (Joux-Lercier). GIPS=giga instructions per second n date GIPS year algo. author Copp. Gordon,McCurley FFS Joux,Lercier Copp. Thomé FFS Joux,Lercier FFS Joux,Lercier FFS Caramel FFS Caramel The Caramel group completed the relation collection stage for n = 1039 with a computation of 384 GIPS years. Linear algebra must be adapted to larger sizes. 1 Using the same algorithm as for prime degrees. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 10 / 28

20 Composite degrees n Motivation To attack pairing-based cryptosystems, one can solve DLP in fields F p κn constant c 1. The security of pairings is evaluated under the hypothesis for a small DLP in F p n is equally hard when n is prime or composite. Theorem (Joux & Lercier 2006) Under the same assumptions as in the classical variante of FFS, if n has a small factor κ, then one can speed up 1. the relations collection phase by a factor κ; 2. the linear algebra stage by a factor κ 2. Joux-Lercier improvement in practice Two teams computed discrete logs in F 3 6n (pairings): a 2010 record for n = 71 (676 bits) using κ = 6; cost 14 GIPS year. a 2012 record for n = 97 (923 bits) using κ = 3; cost 290 GIPS years. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 11 / 28

21 Complexity improvements in 2013 for small characteristic Linear polynomials One computes discrete logs. of linear polynomials in polynomial time. Göloğlu, Granger, McGuire and Zumbrägel; Joux. Expressing log P as a sum of logs. of linear polynomials dominates the computations. Any polynomial Joux: L Q (1/4 + o(1)) operations; (this work): quasi-polynomial L Q (o(1)) operations. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 12 / 28

22 Main result Theorem (based on heuristics) Let K be any finite field F q k. A discrete logarithm in K can be computed in heuristic time max(q, k) O(log k). Cases: K = F 2 n, with prime n. Complexity is n O(log n). Much better than L 2 n(1/4 + o(1)) 2 4 n. K = F q k, with q = k O(1). Complexity is log Q O(log log Q), where Q = #K. Again, this is L Q (o(1)). K = F q k, with q L q k(α). Complexity is L q k(α + o(1)), i.e. better than Joux-Lercier or FFS for α < 1/3. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 13 / 28

23 A well-chosen model for F q 2k Simple case first We suppose first k q and k q + 2. Choosing ϕ (same as for Joux algorithm) Try random h 0, h 1 F q 2[t] with deg h 0, deg h 1 2 until T (t) := h 1 (t)t q h 0 (t) has an irreducible factor ϕ of degree k. Heuristic The existence of h 0 and h 1 is heuristic, but found in practice in O(k) trials. Properties of ϕ h 1 (t)t q h 0 (t) mod ϕ; ( ) P(t q h ) P 0 h 1 mod ϕ; ( ) h 0 h 1 P q P(t q ) P mod ϕ, where the tilde denotes the conjugation in F q 2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 14 / 28

24 A famous identity Recall the identity x q x = α F q (x α). We further have x q y xy q = (α:β) P 1 (F q )(βx αy). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 15 / 28

25 A famous identity Recall the identity x q x = α F q (x α). We further have x q y xy q = (α:β) P 1 (F q )(βx αy). A machine to make relations x = t and y = 1: h 0 /h 1 t t q t α F q (t α). If the numerator of the left hand side is smooth, we obtain relations among linear polynomials. x = t + a, a F q, and y = 1: same relation. x = t + a, a F q 2, and y = 1: new relations. Joux algorithm uses this idea. Let P be the polynomial whose logarithm is requested. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 15 / 28

26 A famous identity Recall the identity x q x = α F q (x α). We further have x q y xy q = (α:β) P 1 (F q )(βx αy). A machine to make relations x = t and y = 1: h 0 /h 1 t t q t α F q (t α). If the numerator of the left hand side is smooth, we obtain relations among linear polynomials. x = t + a, a F q, and y = 1: same relation. x = t + a, a F q 2, and y = 1: new relations. Joux algorithm uses this idea. Let P be the polynomial whose logarithm is requested. x = ap + b and y = cp + d, a, b, c, d F q 2: let us show that the left side is congruent to a small degree polynomial, whereas the right hand side is smooth in some new sense. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 15 / 28

27 The right hand side is smooth (ap + b) q (cp + d) (ap + b)(cp + d) q = = = λ (α,β) P 1 (F q) (α,β) P 1 (F q) (α,β) P 1 (F q) β(ap + b) α(cp + d) ( cα + aβ)p (dα bβ) ( P ) dα bβ, aβ cα Here q + 1 out of the q elements of {1} {P + γ : γ F q 2} occur. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 16 / 28

28 The left hand side is small For m GL 2 (F q 2), let L m be the residue L m := h deg P 1 ( (ap + b) q (cp + d) (ap + b)(cp + d) q) mod ϕ(t). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 17 / 28

29 The left hand side is small For m GL 2 (F q 2), let L m be the residue L m := h deg P 1 ( (ap + b) q (cp + d) (ap + b)(cp + d) q) mod ϕ(t). We have deg L m 3 deg P. Indeed, we have L m = h deg P 1 (ã P(t q ) + b)(cp + d) (ap(t) + b)( c P(t q ) + d) ( ( ) ) ( ( ) ) = h deg P h0 h0 1 ã P + b (cp + d) (ap + b) c P + d. h 1 h 1 For a constant proportion of matrices m, L m is (deg P)/2-smooth. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 17 / 28

30 Procedure to break a polynomial P Each matrix m in the quotient set P q := PGL 2 (F q 2)/PGL 2 (F q ) such that L m is (deg P)/2-smooth leads to a different equation P e i,m i,m = λ (P + γ) vm(γ), where deg P i (deg P)/2; v m (γ) are integer exponents; λ is a costant in F q 2. i γ P 1 (F q 2) By taking discrete logarithm we find e i,m log P i,m γ i v m (γ) log(p + γ) mod l. Heuristic We have enough equations and we can combine them to obtain e i,m log P i,m log P mod l. i,m R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 18 / 28

31 Linear algebra step for P Since #PGL 2 (F q i) = q 3i q i, #P q = q 3 + q. A constant fraction give linear equations among logarithms, so the matrix below has more rows than columns. γ F q 2 m P q v m (γ) The heuristic states that we can combine the rows to obtain row (1, 0,..., 0). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 19 / 28

32 Arguments in favor of the heuristic Experiments The discriminant of matrices obtained for various polynomials P have no systematic common factor other than the divisors of q 3 q. The heuristic is used in the algorithm of Joux for degree two polynomials. For random instances of P, every randomly chosen matrix formed of q rows has maximal rank. Theory The full matrix of q 3 + q rows has maximal rank. We use the fact that there are a fixed number c 1 of blocks passing by each point of F q 2; there are a fixed number c 2 of blocks passing by two points. Does the matrix formed of a constant fraction of rows have maximal rank? R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 20 / 28

33 Building block of the quasi-polynomial algorithm We have just proved: Proposition (Under heuristic assumptions) There exists an algorithm whose complexity is polynomial in q and k and which can be used for the following two tasks. 1. Given an element of F q 2k represented by a polynomial P F q 2[t] with 2 deg P k 1, the algorithm returns an expression of log P as a linear combination of at most O(kq 2 ) logarithms log P i with deg P i 1 2 deg P and of log h The algorithm returns the logarithm of h 1 and the logarithms of all the elements of F q 2k of the form t + a, for a in F q 2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 21 / 28

34 Complexity P deg = k deg = k/ deg = k/ deg = 1 Tree characteristics depth=log k because we half the degree at each level; arity=o(q 2 k) because the sons are polynomials in the LHS of the q 2 equations used; number of nodes=q O(log k) because k q + 2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 22 / 28

35 Extending to the general case When q < k 2 we embed F q k in F q 2k with q = q log q k. The complexity q O(log k) transforms into max(q, k) O(log k). Note that q qk. The input size n is replaced by n log n. For any constant c ) ) ) exp (c(log n) 2 exp (c(log n + log log n) 2 = exp ((c + o(1))(log n) 2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 23 / 28

36 Extending to the general case When q < k 2 we embed F q k in F q 2k with q = q log q k. The complexity q O(log k) transforms into max(q, k) O(log k). Note that q qk. The input size n is replaced by n log n. For any constant c ) ) ) exp (c(log n) 2 exp (c(log n + log log n) 2 = exp ((c + o(1))(log n) 2. Example 1. For F we compute logs in F = F The field F can be embedded in F q 2k with q = 3 6 and k = 509. Fields of composite degree (specific to pairings) embed in small fields. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 23 / 28

37 Hardness of DLP with respect to the size of characteristic ( ) The complexity of QPA when q = L q k(α) is L q k α + o(1) RSA 0 1/3 2/3 1 α R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 24 / 28

38 The traps of Cheng Wan Zhuang Trap In reaction to our preprint, Cheng, Wan and Zhuang noticed that our descent fails on divisors of h 1 t q h 0. Indeed, if P is such a divisor we cannot find relations i P e i,m i,m = λ γ P 1 (F q 2) (P + γ) v m(γ) mod (h 1 t q h 0 ), containing P in the RHS. Indeed, it forces P to occur in the LHS too, so it cannot be (deg P)/2-smooth. Our solution We have h D 1 P q h D 1 P(h 0 /h 1 ) mod x q h 1 h 0. The RHS is always divisible by P (it is problematic). Taking logs, we get D log h 1 + (q 1) log P = log Q, where Q is the RHS divided by P. In general, P Q, and, if deg h 0, h 1 2, then deg Q D. So we have related log P to other logarithms, and the descent can continue. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 25 / 28

39 Very weak fields Assume that k = q 1 (same is true for q + 1 and q). For many values of q we can take h 1 = 1 and h 0 = Ax for some generator A of F q 2. Then ϕ = x q 1 A. Then, for any a F q 2, we have (x + a) q = x q + ã = x q 1 x + ã = A(x + ã/a), where ã is the Frobenius conjugate of a. We obtain q log(x + a) = log(x + ã/a). Hence we can reduce the factor base by a factor k. For example for , the linear algebra time was accelerated by k 2 = Remark The smoothness probabilities are improved. For example, The proportion of matrices m P q which produce relations for the linear polynomials is 1/6! = 1/620 when max(deg h 0, deg h 1 ) = 2 and it is 1/3! for the weak case (Kummer). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 26 / 28

40 Records Algorithms in practice 1. relations collection (degree one and two): variants of GGMZ or Joux algorithm; 2. descent (degree three and more): variants of Joux algorithm. No QPA descent yet. Kummer and twisted Kummer extensions field bitsize date CPU time author GF( ) 6120 Apr k h GGMZ GF(( ) 6168 May k h J GF( ) 9234 Jan k h GKZ General extensions of composite degree field bitsize date CPU time author GF( ) 1303 Jan 14 1k h AMOR GF( ) * 4404 Jan 14 52k h GKZ GF( ) 3796 Aug 14 9k h JP * using a non-general speed-up: target elements in a subfield. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 27 / 28

41 Consequences and perspectives Consequences DLP in small characteristic finite fields is asymptotically weak. Small characteristic pairings are broken for the sizes proposed for cryptography. Perspectives even more practical improvements and records; eliminating the heuristics (a new quasi-polynomial algorithm was proposed by Granger, Kleinjung and Zumbrägel)(next talk); improvements in non-small characteristic: multiple field variants, new methods of polynomial selection. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 28 / 28