Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Similar documents
Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Computing Individual Discrete Logarithms Faster in GF(p n ) with the NFS-DL Algorithm

Improving NFS for the discrete logarithm problem in non-prime nite elds

Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree

A brief overwiev of pairings

On the complexity of computing discrete logarithms in the field F

Improving NFS for the discrete logarithm problem in non-prime finite fields

arxiv: v2 [cs.cr] 24 Nov 2016

Non-generic attacks on elliptic curve DLPs

Constructing Abelian Varieties for Pairing-Based Cryptography

Computing discrete logarithms in GF (p 6 )

Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-based Cryptography

A quasi polynomial algorithm for discrete logarithm in small characteristic

A construction of 3-dimensional lattice sieve for number field sieve over GF(p n )

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic

Discrete logarithms: Recent progress (and open problems)

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Pairing-Friendly Elliptic Curves of Prime Order

On Generating Coset Representatives of P GL 2 (F q ) in P GL 2 (F q 2)

Explicit Complex Multiplication

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm

Efficient hash maps to G 2 on BLS curves

Pairings for Cryptography

The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms

A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Fast, twist-secure elliptic curve cryptography from Q-curves

Algorithmes de calcul de logarithme discret dans les corps finis

A New Family of Pairing-Friendly elliptic curves

Problème du logarithme discret sur courbes elliptiques

Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case

REMARKS ON THE NFS COMPLEXITY

Higher dimensional sieving for the number field sieve algorithms

The number field sieve in the medium prime case

Mappings of elliptic curves

Constructing Families of Pairing-Friendly Elliptic Curves

Fast hashing to G2 on pairing friendly curves

Collecting relations for the Number Field Sieve in GF pp 6 q

A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES

Updating key size estimations for pairings

Analysis of Optimum Pairing Products at High Security Levels

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 )

The Tower Number Field Sieve

Computational algebraic number theory tackles lattice-based cryptography

Nearly Sparse Linear Algebra

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 )

Faster Pairings on Special Weierstrass Curves

On the Discrete Logarithm Problem on Algebraic Tori

Block Wiedemann likes Schirokauer maps

Katherine Stange. ECC 2007, Dublin, Ireland

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Polynomial Selection Using Lattices

Improvements to the number field sieve for non-prime finite fields

Speeding up Ate Pairing Computation in Affine Coordinates

Computational algebraic number theory tackles lattice-based cryptography

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

On Near Prime-Order Elliptic Curves with Small Embedding Degrees

Implementing Pairing-Based Cryptosystems

Solving a 6120-bit DLP on a Desktop Computer

On near prime-order elliptic curves with small embedding degrees (Full version)

Isogenies in a quantum world

Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

Discrete Logarithm in GF(2 809 ) with FFS

Hyperelliptic curves

Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions

Generating more MNT elliptic curves

A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES

FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD

Quasi-reducible Polynomials

A NEW PERSPECTIVE ON THE POWERS OF TWO DESCENT FOR DISCRETE LOGARITHMS IN FINITE FIELDS THORSTEN KLEINJUNG AND BENJAMIN WESOLOWSKI

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

Pairings at High Security Levels

Discrete Logarithm Computation in Hyperelliptic Function Fields

The factorization of RSA D. J. Bernstein University of Illinois at Chicago

Good algebraic reading. MPRI Cours III. Integer factorization NFS. A) Definitions and properties

Some Efficient Algorithms for the Final Exponentiation of η T Pairing

Cado-nfs, a Number Field Sieve implementation

Elliptic Curve Discrete Logarithm Problem

Optimal TNFS-secure pairings on elliptic curves with even embedding degree

Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 )

Polynomial Selection. Thorsten Kleinjung École Polytechnique Fédérale de Lausanne

Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field

Katherine Stange. Pairing, Tokyo, Japan, 2007

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Generating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

An Alternate Decomposition of an Integer for Faster Point Multiplication on Certain Elliptic Curves

The filtering step of discrete logarithm and integer factorization algorithms

Complexity news: discrete logarithms in multiplicative groups of small-characteristic finite fields the algorithm of Barbulescu, Gaudry, Joux, Thomé

Efficient Tate Pairing Computation Using Double-Base Chains

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

Genus 2 Hyperelliptic Curve Families with Explicit Jacobian Order Evaluation and Pairing-Friendly Constructions

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

Factoring univariate polynomials over the rationals

Arithmétique et Cryptographie Asymétrique

Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis

Discrete Logarithm Problem

Modular Multiplication in GF (p k ) using Lagrange Representation

ON THE USE OF THE LATTICE SIEVE IN THE 3D NFS

Transcription:

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team École Polytechnique / LIX ECC 2015, Sept. 28th Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 1 / 32

Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 2 / 32

Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 2 / 32

Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Thousands of individual log computation < 1 min each Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 2 / 32

Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Thousands of individual log computation < 1 min each Logjam: GF(q) = GF(p) (standardized) prime field Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 2 / 32

Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Thousands of individual log computation < 1 min each Logjam: GF(q) = GF(p) (standardized) prime field Pairing-based cryptosystems: GF(q) = GF(p 2 ), GF(p 6 ), GF(p 12 ) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 2 / 32

Link with Logjam attack (N. Heninger s talk) Solving actual practical problem: Given a fixed finite field GF(q), Huge massive precomputation (weeks, months, years) log tab p i < B 0 Thousands of individual log computation < 1 min each Logjam: GF(q) = GF(p) (standardized) prime field Pairing-based cryptosystems: GF(q) = GF(p 2 ), GF(p 6 ), GF(p 12 ) Could we compute individual discrete logs in GF(p 2 ), GF(p 6 ), GF(p 12 ) in less than 1 min? Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 2 / 32

DLP in the target group of pairing-friendly curves DLP in the target group of pairing-friendly curves Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 3 / 32

DLP in the target group of pairing-friendly curves Why DLP in finite fields F p 2, F p 3,...? In a subgroup G = g of order l, (g, x) g x is easy (polynomial time) (g, g x ) x is (in well-chosen subgroup) hard: DLP. pairing: G 1 G 2 G T E(F p ) E(F p k ) F p k where E/F p is a pairing-friendly curve G 1, G 2, G T of large prime order l (generic attacks in O( l): take e.g. 256-bit l) 1 k 12 embedding degree: very specific property (specific attacks (NFS): take 3072-bit p k ) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 4 / 32

DLP in the target group of pairing-friendly curves DL records in small characteristic Small characteristic: supersingular curves E/F 2 n: G T F 2 4n, E/F 3 m: G T F 3 6m Practical attacks (first one and most recent): Hayashi, Shimoyama, Shinohara, Takagi: GF(3 6 97 ) ( 923 bit field) (2012) Granger, Kleinjung, Zumbragel: GF(2 9234 ), GF(2 4404 ) (2014) Adj, Menezes, Oliveira, Rodríguez-Henríquez: GF(3 822 ), GF(3 978 ) (2014) Joux: GF(3 2395 ) (with Pierrot, 2014), GF(2 6168 ) (2013) Theoretical attacks: [Barbulescu Gaudry Joux Thomé 14] Quasi-Polynomial-time Algorithm (QPA)... Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 5 / 32

DLP in the target group of pairing-friendly curves Common used pairing-friendly curves Curves over prime fields E/F p where QPA does NOT apply (with log p log l 256 bits, s.t. k log p 3072) supersingular: G T F p 2 (log p = 1536) [Miyaji Nakabayashi Takano 01] (MNT): G T F p 3 (log p = 1024), F p 4 (log p = 768), F p 6 (log p = 512) [Barreto Naehrig 05] (BN): G T F p 12 (log p = 256, optimal) [Kachisa Schaefer Scott 08] (KSS): G T F p 18 (used for 192-bit security level: 384-bit l, log p = 512, k log p = 9216) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 6 / 32

DLP in the target group of pairing-friendly curves Theoretical attacks in non-small characteristic fields Variants of NFS, generic fields MNFS [Coppersmith 89]: F p, [Barbulescu Pierrot 14], [Pierrot 15]: F p k Specific to pairing target groups, when p = P(x 0 ), with deg P 2 [Joux Pierrot 13] [Barbulescu Gaudry Kleinjung 15] Tower NFS Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 7 / 32

DLP in the target group of pairing-friendly curves Theoretical attacks in non-small characteristic fields Variants of NFS, generic fields MNFS [Coppersmith 89]: F p, [Barbulescu Pierrot 14], [Pierrot 15]: F p k Specific to pairing target groups, when p = P(x 0 ), with deg P 2 [Joux Pierrot 13] [Barbulescu Gaudry Kleinjung 15] Tower NFS These attacks were not taken into account in the 3072-bit target field recommendation. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 7 / 32

DLP in the target group of pairing-friendly curves Last DL records, with the NFS-DL algorithm GF(p) GF(p 2 ), p 2 = q [BGGM15] Massive precomputation (d=core-day, y=core-year) [Logjam] 512-bit p: 10y 530-bit q: 0.2y + 1.25 GPU d [BGIJT14] 596-bit p: 131y 598-bit q: 0.75y + 18 GPU-d 175 faster Individual Discrete Log 512-bit p: 70s median 530-bit q : few d slow 768-bit p: 2d 600-bit q : few d slow [Logjam]: see weakdh.org [BGGM15]: Barbulescu, Gaudry, G., Morain [BGIJT14]: Bouvier, Gaudry, Imbert, Jeljeli, Thomé Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 8 / 32

DLP in the target group of pairing-friendly curves This talk: Faster individual discrete logarithm in F p k, especially k = 2, 3, 4, 6 Apply to pairing target group G T source code: part of http://cado-nfs.gforge.inria.fr/ Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 9 / 32

NFS Number Field Sieve algorithm NFS Number Field Sieve algorithm Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 10 / 32

NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k 1. Polynomial selection: compute f (x), g(x) with ϕ = gcd(f, g) (mod p) and F p k = F p [x]/(ϕ(x)) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 11 / 32

NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and F p k = F p [x]/(ϕ(x)) 2. Relation collection Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 11 / 32

NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and F p k = F p [x]/(ϕ(x)) 2. Relation collection 3. Linear algebra modulo l p k 1. here we know the discrete log of a subset of elements. log DB p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 11 / 32

NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and massive precomputation F p k = F p [x]/(ϕ(x)) 2. Relation collection 3. Linear algebra modulo l p k 1 here we know the discrete log of a subset of elements. log DB p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 11 / 32

NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and massive precomputation F p k = F p [x]/(ϕ(x)) 2. Relation collection 3. Linear algebra modulo l p k 1 here we know the discrete log of a subset of elements. log DB 1. Individual target discrete logarithm p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 11 / 32

NFS Number Field Sieve algorithm Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f (x), g(x) with 1. ϕ = gcd(f, g) (mod p) and massive precomputation F p k = F p [x]/(ϕ(x)) 2. Relation collection 3. Linear algebra modulo l p k 1 here we know the discrete log of a subset of elements. log DB p i < B 0 1. Individual target discrete logarithm for each given DLP instance not so trivial this talk: pratical improvements very efficient for small k Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 11 / 32

NFS Number Field Sieve algorithm Example: [MNT01] parameters (explicitly advised to NOT use them) Polynomial selection: Conjugation method [BGGM15] k = 3, p = 12y 2 0 + 1, t = 6y 0 1, l p + 1 t = 12y 2 0 + 6y 0 + 2, with y 0 = 8702303353090049898316902 f = 12x 6 24x 5 85x 4 + 70x 3 + 215x 2 + 96x + 12 ϕ y = g = x 3 yx 2 (y + 3)x 1, where y = y 0 + 1 (ϕ y0 not irr.) = x 3 + 8702303353090049898316901x 2 + 8702303353090049898316898x 1 f (mod p) = 12ϕ y ϕ y = Res y (ϕ y, 12y 2 + 1) G = X + 6 F p 3 = F p [X ]/(ϕ(x )) randomized target T = t 0 + t 1 X + t 2 X 2 F p 3 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 12 / 32

NFS Number Field Sieve algorithm Preimage in Z[x]/(f (x)) and ρ map randomized target T = t 0 + t 1 X + t 2 X 2 F p = F 3 p [X ]/(ϕ(x )) Most simple preimage T choice: T = t 0 + t 1 x + t 2 x 2 Z[x]/(f (x)), with t i t i (mod p). We can always choose T s.t. t i < p deg T < deg f Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 13 / 32

NFS Number Field Sieve algorithm Preimage in Z[x]/(f (x)) and ρ map randomized target T = t 0 + t 1 X + t 2 X 2 F p = F 3 p [X ]/(ϕ(x )) Most simple preimage T choice: T = t 0 + t 1 x + t 2 x 2 Z[x]/(f (x)), with t i t i (mod p). We can always choose T s.t. t i < p deg T < deg f We need ρ(t) = T (where ρ is simply a reduction modulo (ϕ, p)) when f (resp. g) is monic Z[x] Z[x]/(f (x)) ρ f : x z F p k = F p [z]/(ϕ(z)) Z[y]/(g(y)) ρ g : y z Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 13 / 32

NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 14 / 32

NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 1. booting step (a.k.a. smoothing step): DO 1.1 take t at random in {1,..., l 1} and set T = G t T 0 (hence log G (T 0 ) = log G (T ) t) 1.2 factorize Norm(T) = q 1 q }{{} i (elements in DL database), too large: B 0<q i B 1 UNTIL q i B 1 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 14 / 32

NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 1. booting step (a.k.a. smoothing step): DO 1.1 take t at random in {1,..., l 1} and set T = G t T 0 (hence log G (T 0 ) = log G (T ) t) 1.2 factorize Norm(T) = q 1 q }{{} i (elements in DL database), too large: B 0<q i B 1 UNTIL q i B 1 2. dedicated recursive procedure for each new q i : q i = r 1 r j (elements in the DL database) with r 1,..., r j < B j < q i < B i. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 14 / 32

NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 1. booting step (a.k.a. smoothing step): DO 1.1 take t at random in {1,..., l 1} and set T = G t T 0 (hence log G (T 0 ) = log G (T ) t) 1.2 factorize Norm(T) = q 1 q }{{} i (elements in DL database), too large: B 0<q i B 1 UNTIL q i B 1 2. dedicated recursive procedure for each new q i : q i = r 1 r j (elements in the DL database) with r 1,..., r j < B j < q i < B i. 3. log combination to find the individual target DL Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 14 / 32

NFS Number Field Sieve algorithm Individual DL of random target T 0 F p k log DB Given G and a log database s.t. for all p i < B, log p i p i < B 0 1. booting step (a.k.a. smoothing step): DO 1.1 take t at random in {1,..., l 1} and set T = G t T 0 (hence log G (T 0 ) = log G (T ) t) 1.2 factorize Norm(T) }{{} reduce this = q 1 q i }{{} too large: B 0<q i B 1 (elements in DL database), UNTIL q i B 1 2. dedicated recursive procedure for each new q i : q i = r 1 r j (elements in the DL database) with r 1,..., r j < B j < q i < B i. 3. log combination to find the individual target DL Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 14 / 32

Booting Step Booting Step Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 15 / 32

Booting Step Norm computation f monic, T = t 0 + t 1 x +... + t d x d Z[x]/(f (x)), d < deg f : with f = max 1 i deg f f i Norm f (T) = Res(f, T) A T deg f f d Example: [MNT01], k = 3, deg g = 3, g = O(p 1/2 ) p = 908761003790427908077548955758380356675829026531247 T = 314159265358979323846264338327950288419716939937510+ 582097494459230781640628620899862803482534211706798x+ 214808651328230664709384460955058223172535940812829x 2 f = 12x 6 24x 5 85x 4 + 70x 3 + 215x 2 + 96x + 12 g = x 3 + 8702303353090049898316901x 2 + 8702303353090049898316898x 1 Norm f (T)( T 6 f 2 ) = 1017bits p 6 Norm g (T)( T 3 g 2 ) = 665bits p 4 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 16 / 32

Booting Step Booting step complexity Given random target T 0 F p k, and G a generator of F p k repeat 1. take t at random in {1,..., l 1} and set T = g t T 0 2. factorize Norm(T) until it is B 1 -smooth: Norm(T) = q i B 1 q i p i B 0 p i L-notation: Q = p k, L Q [1/3, c] = e (c+o(1))(log Q)1/3 (log log Q) 2/3 for c > 0. Norm factorization done with ECM method, in time L B1 [1/2, 2] Lemma (Booting step running-time) if Norm(T) Q e, take B 1 = L Q [2/3, (e 2 /3) 1/3 ], then the running-time is L Q [1/3, (3e) 1/3 ] (and this is optimal). Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 17 / 32

Booting Step Booting step complexity F p : Norm(preimage) p = Q, running-time: L Q [1/3, 1.44] with B 1 = L Q [2/3, 0.69] [Commeine Semaev 06, Barbulescu 13] med. char. F p k, JLSV1 poly. select.: deg f = deg g = k, f = g = O(p 1/2 ), Norm(preimage) Q 3/2, running-time: L Q [1/3, 1.65], with B 1 = L Q [2/3, 0.91] [Joux Lercier Naccache Thomé 09, Barbulescu Pierrot 14] field F p F p k polynomial selec. gjl JLSV 1 Conj NFS dominating, c 1.92 1.92 2.42 2.20 L Q [ 1 3, c], 512-bit Q 264 2 64 2 81 2 73 Norm(T) < Q e = Q Q Q 3/2 Q time L Q [1/3, c], c 1.44 1.44 1.65 1.44 nb of operations, 512-bit Q 2 48 2 48 2 55 2 48 q i bound B 1 2 90 2 90 2 118 2 90 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 18 / 32

Optimizing the Preimage Computation Optimizing the Preimage Computation Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 19 / 32

Optimizing the Preimage Computation Preimage optimization f, deg f, f, g, deg g, g are given by the polynomial selection step (NFS-DL step 1) To reduce the norm, reduce T and/or reduce d = deg T Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 20 / 32

Optimizing the Preimage Computation Previous work F p : Rational Reconstruction. T Z/pZ, T is an integer < p. Rational Reconstruction gives T = u/v (mod p) with u, v < p booting step: we want u,v to be B 1 -smooth at the same time, instead of T to be B 1 -smooth. T is already split in two integers of half size each. [Blake Mullin Vanstone 84] Waterloo algorithm in F 2 [x]: T = U/V = u 0+...+u d/2 x d/2 reduce degree v 0 +...+v d/2 x d/2 [Joux Lercier Smart Vercauteren 06] in F p k : T = U/V = u 0+...+u d x d v 0 +...+v d x d, where u i, v i p 1/2 reduce coefficient size Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 21 / 32

Optimizing the Preimage Computation Previous work F p : Rational Reconstruction. T Z/pZ, T is an integer < p. Rational Reconstruction gives T = u/v (mod p) with u, v < p booting step: we want u,v to be B 1 -smooth at the same time, instead of T to be B 1 -smooth. T is already split in two integers of half size each. [Blake Mullin Vanstone 84] Waterloo algorithm in F 2 [x]: T = U/V = u 0+...+u d/2 x d/2 reduce degree v 0 +...+v d/2 x d/2 [Joux Lercier Smart Vercauteren 06] in F p k : T = U/V = u 0+...+u d x d v 0 +...+v d x d, where u i, v i p 1/2 reduce coefficient size How much is the booting step improved? Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 21 / 32

Optimizing the Preimage Computation Booting step: First experiments Commonly assumed: launch at morning coffee... finished for afternoon tea. F p 2 600 bits was easy (BGGM15 record), as fast as for F p (< one day) F p 3 F p 4 What happened? 400 bits and MNT 508 bits were much slower (days, week) 400 bits was even worse (> one week) F p 3: T = p, deg f = 6, [JLSV06] method: Norm(T) Q c = 1.44 (but still much slower) F p 4: f = O(p 1/2 ), Norm(T) Q 3/2 c = 1.65 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 22 / 32

Optimizing the Preimage Computation Booting step: First experiments Commonly assumed: launch at morning coffee... finished for afternoon tea. F p 2 600 bits was easy (BGGM15 record), as fast as for F p (< one day) F p 3 F p 4 What happened? 400 bits and MNT 508 bits were much slower (days, week) 400 bits was even worse (> one week) F p 3: T = p, deg f = 6, [JLSV06] method: Norm(T) Q c = 1.44 (but still much slower) F p 4: f = O(p 1/2 ), Norm(T) Q 3/2 c = 1.65 Because of the constant hidden in the O()? Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 22 / 32

Optimizing the Preimage Computation Our solution Lemma Let T F p k. log(t ) = log(u T ) (mod l) for any u in a proper subfield of F p k. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 23 / 32

Optimizing the Preimage Computation Our solution Lemma Let T F p k. log(t ) = log(u T ) (mod l) for any u in a proper subfield of F p k. F p is a proper subfield of F p k target T = t 0 + t 1 x +... + t d x d we divide the target by its leading term: log(t ) = log(t /t d ) (mod l) From now we assume that the target is monic. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 23 / 32

Optimizing the Preimage Computation Our solution Lemma Let T F p k. log(t ) = log(u T ) (mod l) for any u in a proper subfield of F p k. F p is a proper subfield of F p k target T = t 0 + t 1 x +... + t d x d we divide the target by its leading term: log(t ) = log(t /t d ) (mod l) From now we assume that the target is monic. Similar technique in pairing computation: Miller loop denominator elimination [Boneh Kim Lynn Scott 02] Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 23 / 32

Optimizing the Preimage Computation Subfield Simplification + LLL We want to reduce T. Example with F p 3: f = x 6 + 19x 5 + 90x 4 + 95x 3 + 10x 2 13x + 1 ϕ = x 3 yx 2 (y + 3)x 1 y Z T = t 0 + t 1 x + x 2 p 0 0 0 0 0 0 p 0 0 0 0 define L = t 0 t 1 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 LLL(L) outputs a short vector r, linear combination of L s rows. r = λ 0 p + λ 1 px + λ 2 T + λ 3 ϕ + λ 4 xϕ + λ 5 x 2 ϕ. r = r 0 +... + r 5 x 5, r i C det(l) 1/6 = O(p 1/3 ) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 24 / 32

Optimizing the Preimage Computation Subfield Simplification + LLL We want to reduce T. Example with F p 3: f = x 6 + 19x 5 + 90x 4 + 95x 3 + 10x 2 13x + 1 ϕ = x 3 yx 2 (y + 3)x 1 y Z T = t 0 + t 1 x + x 2 p 0 0 0 0 0 0 p 0 0 0 0 define L = t 0 t 1 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 LLL(L) outputs a short vector r, linear combination of L s rows. r = λ 0 p + λ 1 px + λ 2 T + λ 3 ϕ + λ 4 xϕ + λ 5 x 2 ϕ. r = r 0 +... + r 5 x 5, r i C det(l) 1/6 = O(p 1/3 ) log ρ(r) = log(t ) (mod l) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 24 / 32

Optimizing the Preimage Computation Subfield Simplification + LLL We want to reduce T. Example with F p 3: f = x 6 + 19x 5 + 90x 4 + 95x 3 + 10x 2 13x + 1 ϕ = x 3 yx 2 (y + 3)x 1 y Z T = t 0 + t 1 x + x 2 p 0 0 0 0 0 0 p 0 0 0 0 define L = t 0 t 1 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 ρ(p) = 0 F p k T ρ(ϕ) = 0 F p k LLL(L) outputs a short vector r, linear combination of L s rows. r = λ 0 p + λ 1 px + λ 2 T + λ 3 ϕ + λ 4 xϕ + λ 5 x 2 ϕ. r = r 0 +... + r 5 x 5, r i C det(l) 1/6 = O(p 1/3 ) log ρ(r) = log(t ) (mod l) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 24 / 32

Optimizing the Preimage Computation Subfield Simplification + LLL We want to reduce T. Example with F p 3: f = x 6 + 19x 5 + 90x 4 + 95x 3 + 10x 2 13x + 1 ϕ = x 3 yx 2 (y + 3)x 1 y Z T = t 0 + t 1 x + x 2 p 0 0 0 0 0 0 p 0 0 0 0 define L = t 0 t 1 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 0 0 0 ϕ 0 ϕ 1 ϕ 2 1 ρ(p) = 0 F p k T ρ(ϕ) = 0 F p k LLL(L) outputs a short vector r, linear combination of L s rows. r = λ 0 p + λ 1 px + λ 2 T + λ 3 ϕ + λ 4 xϕ + λ 5 x 2 ϕ. r = r 0 +... + r 5 x 5, r i C det(l) 1/6 = O(p 1/3 ) log ρ(r) = log(t ) (mod l) because ρ(r) = λ 2 T with λ 2 F p Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 24 / 32

Optimizing the Preimage Computation Subfield Simplification + LLL Norm f (T) = Res(f, T) A T deg f f d Norm f (r) r 6 f 5 = O(p 2 ) = O(Q 2/3 ) < O(Q) MNT example: log Q = 508 bits Norm f (T) Norm g (T) L Q [1/3, c] q i B 1 = Q e bits Q e bits c time L Q [ 2 3, c] Nothing Q 2 1010 Q 4/3 667 1.58 2 53 2 109 [JLSV06] Q 508 Q 5/3 847 1.44 2 48 2 90 This work Q 2/3 340 Q 508 1.26 2 42 2 69 Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 25 / 32

F p 4 F p 4: JLSV 1 polynomial selection and booting step improvement Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 26 / 32

F p 4 F p 4 of 400 bits [JLSV06] first method: choose f of degree 4 and very small coefficients, and set g = f + p. Booting step on f side, with the T = U/V method. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 27 / 32

F p 4 F p 4 of 400 bits [JLSV06] first method: choose f of degree 4 and very small coefficients, and set g = f + p. Booting step on f side, with the T = U/V method. Relation collection and Linear algebra do not scale well for large p Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 27 / 32

F p 4 F p 4 of 400 bits [JLSV06] first method: choose f of degree 4 and very small coefficients, and set g = f + p. Booting step on f side, with the T = U/V method. Relation collection and Linear algebra do not scale well for large p We use JLSV06 other method: deg f = deg g = k, f = g = p 1/2 p = 314159265358979323846270891033 of 98 bits (30 dd) l = 9869604401089358618834902718477057428144064232778775980709 of 192 bits f = x 4 560499121640472x 3 6x 2 + 560499121640472x + 1 g = 560499121639105x 4 + 4898685125033473x 3 3362994729834630x 2 4898685125033473x + 560499121639105 ϕ = g Terribly slow booting step (more than one week) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 27 / 32

F p 4 Terribly slow booting step T = t 0 + t 1 x + t 2 x 2 + x 3 define p 0 0 0 L = 0 p 0 0 0 0 p 0 t 0 t 1 t 2 1 dim 4 because max(deg f, deg g) = 4 compute LLL(L), get r, r p 3/4, Norm f (r) r 4 f 3 p 9/2 = Q 9/8 of 450 bits! Booting step, nb of operations: 2 44 Large prime bound B 1 of 82 bits Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 28 / 32

F p 4 Terribly slow booting step T = t 0 + t 1 x + t 2 x 2 + x 3 define p 0 0 0 L = 0 p 0 0 0 0 p 0 could we find something else, monic? t 0 t 1 t 2 1 dim 4 because max(deg f, deg g) = 4 compute LLL(L), get r, r p 3/4, Norm f (r) r 4 f 3 p 9/2 = Q 9/8 of 450 bits! Booting step, nb of operations: 2 44 Large prime bound B 1 of 82 bits Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 28 / 32

Our solution: quadratic subfield simplification F p 4 Lemma Let T F p k, k even. We can always find u F p k/2 and T F p k, such that T = u T and T is of degree k 2 instead of k 1. Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 29 / 32

Our solution: quadratic subfield simplification Lemma F p 4 Let T F p k, k even. We can always find u F p k/2 and T F p k, such that T = u T and T is of degree k 2 instead of k 1. p 0 0 0 define L = 0 p 0 0 t 0 t 1 1 0 t 0 t 1 t 2 1 LLL(L) short vector r linear combination of L rows r = r 0 +... + r 3 x 3, r i C det(l) 1/4 = O(p 1/2 ) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 29 / 32

Our solution: quadratic subfield simplification Lemma F p 4 Let T F p k, k even. We can always find u F p k/2 and T F p k, such that T = u T and T is of degree k 2 instead of k 1. p 0 0 0 define L = 0 p 0 0 t 0 t 1 1 0 t 0 t 1 t 2 1 ρ(p) = 0 F p k T T LLL(L) short vector r linear combination of L rows r = r 0 +... + r 3 x 3, r i C det(l) 1/4 = O(p 1/2 ) ρ(r) = λ 2 T + λ 3 T = (λ 2 u + λ 3 ) }{{} subfield F p k/2 T Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 29 / 32

Our solution: quadratic subfield simplification Lemma F p 4 Let T F p k, k even. We can always find u F p k/2 and T F p k, such that T = u T and T is of degree k 2 instead of k 1. p 0 0 0 define L = 0 p 0 0 t 0 t 1 1 0 t 0 t 1 t 2 1 ρ(p) = 0 F p k T T LLL(L) short vector r linear combination of L rows r = r 0 +... + r 3 x 3, r i C det(l) 1/4 = O(p 1/2 ) ρ(r) = λ 2 T + λ 3 T = (λ 2 u + λ 3 ) }{{} log ρ(r) = log(t ) (mod l) subfield F p k/2 Norm f (r) = r 4 f 3 = p 7/2 = Q 7/8 < Q Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 29 / 32 T

F p 4 Summary of results G T F p 2 F p 3 F p 4 F p 6 Norm bound prev. Q [JLSV06] Q 3/2 (nothing) this work Q 1/2 Q 2/3 Q 7/8 Q 11/12 Booting step running time in L Q [1/3, c] prev. c (*) 1.44 1.65 new c 1.14 1.26 1.38 1.40** numerical values for a 512-bit Q prev. nb of operations 2 48 2 55 new nb of operations 2 38 2 42 2 46 2 47 q i bound B 1 = L Q [2/3, c ] previous B 1 2 90 2 118 new B 1 2 57 2 69 2 83 2 85 * [CommeineSemaev06, JouxLercierNaccacheThomé09, Barbulescu13, Bar.Pierrot14] ** with cubic subfield simplification Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 30 / 32

F p 4 Summary of results Accepted paper at Asiacrypt 2015, Auckland, New Zealand online version HAL 01157378 guillevic@lix.polytechnique.fr Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 31 / 32

F p 4 DL record computation in F p 4 of 392 bits (120dd) Joint work with R. Barbulescu, P. Gaudry, F. Morain p = 314159265358979323846270891033 of 98 bits (30 dd) l = 9869604401089358618834902718477057428144064232778775980709 of 192 bits f = x 4 560499121640472x 3 6x 2 + 560499121640472x + 1 g = 560499121639105x 4 + 4898685125033473x 3 3362994729834630x 2 4898685125033473x + 560499121639105 ϕ = g G = x + 3 F p 4 T 0 = 31415926535897x 3 + 93238462643383x 2 + 27950288419716x + 93993751058209 log G (T 0 ) = 136439472586839838529440907219583201821950591984194257022 (mod l) Aurore Guillevic (INRIA/LIX) NFS-DL in F k September 28th, 2015 32 / 32

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback