The number field sieve in the medium prime case

Similar documents
The Number Field Sieve in the Medium Prime Case

Discrete logarithms: Recent progress (and open problems)

A brief overwiev of pairings

REMARKS ON THE NFS COMPLEXITY

A quasi polynomial algorithm for discrete logarithm in small characteristic

Good algebraic reading. MPRI Cours III. Integer factorization NFS. A) Definitions and properties

The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms

Discrete Logarithm Computation in Hyperelliptic Function Fields

Improving NFS for the discrete logarithm problem in non-prime finite fields

Elliptic Curve Discrete Logarithm Problem

Traps to the BGJT-Algorithm for Discrete Logarithms

Computing Individual Discrete Logarithms Faster in GF(p n ) with the NFS-DL Algorithm

Computational algebraic number theory tackles lattice-based cryptography

ON THE USE OF THE LATTICE SIEVE IN THE 3D NFS

Problème du logarithme discret sur courbes elliptiques

GRE Subject test preparation Spring 2016 Topic: Abstract Algebra, Linear Algebra, Number Theory.

Solving a 6120-bit DLP on a Desktop Computer

Ramification Theory. 3.1 Discriminant. Chapter 3

FIELD THEORY. Contents

Improving NFS for the discrete logarithm problem in non-prime nite elds

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Algebraic number theory Solutions to exercise sheet for chapter 4

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic

Dirichlet Characters. Chapter 4

Nearly Sparse Linear Algebra

Discrete Logarithm Problem

Improvements to the number field sieve for non-prime finite fields

IMPROVEMENTS TO THE GENERAL NUMBER FIELD SIEVE FOR DISCRETE LOGARITHMS IN PRIME FIELDS.

Prime Decomposition. Adam Gamzon. 1 Introduction

Counting Points on Curves using Monsky-Washnitzer Cohomology

Math 4400, Spring 08, Sample problems Final Exam.

FACTORIZATION OF IDEALS

Short generators without quantum computers: the case of multiquadratics

MODEL ANSWERS TO HWK #10

Chapter 3. Rings. The basic commutative rings in mathematics are the integers Z, the. Examples

Math 547, Exam 1 Information.

A Course in Computational Algebraic Number Theory

On metacyclic extensions

Thus, the integral closure A i of A in F i is a finitely generated (and torsion-free) A-module. It is not a priori clear if the A i s are locally

MATH 3030, Abstract Algebra FALL 2012 Toby Kenney Midyear Examination Friday 7th December: 7:00-10:00 PM

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field

Algebraic number theory

Computational algebraic number theory tackles lattice-based cryptography

Mathematics for Cryptography

A construction of 3-dimensional lattice sieve for number field sieve over GF(p n )

CLASS FIELD THEORY WEEK Motivation

Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-based Cryptography

Integer factorization, part 1: the Q sieve. D. J. Bernstein

A Las Vegas algorithm to solve the elliptic curve discrete logarithm problem

Selected exercises from Abstract Algebra by Dummit and Foote (3rd edition).

Rings in Coding Theory

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Cryptography IV: Asymmetric Ciphers

Relation collection for the Function Field Sieve

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 )

Name: Solutions Final Exam

Sample algebra qualifying exam

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm

part 2: detecting smoothness part 3: the number-field sieve

Math 120 HW 9 Solutions

Algebraic number theory Revision exercises

Page Points Possible Points. Total 200

Lemma 1.1. The field K embeds as a subfield of Q(ζ D ).

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Section 18 Rings and fields

Algorithms for ray class groups and Hilbert class fields

Finite Fields and Elliptic Curves in Cryptography

Finite Fields. [Parts from Chapter 16. Also applications of FTGT]

A BRIEF INTRODUCTION TO LOCAL FIELDS

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Part II Galois Theory

GEOMETRIC CLASS FIELD THEORY I

Computing coefficients of modular forms

Factorization of Integers Notes for talks given at London South Bank University 20 February, 19 March, 2008 Tony Forbes

Cover Page. The handle holds various files of this Leiden University dissertation.

6 Ideal norms and the Dedekind-Kummer theorem

RSA Cryptosystem and Factorization

1. a) Let ω = e 2πi/p with p an odd prime. Use that disc(ω p ) = ( 1) p 1

Non-generic attacks on elliptic curve DLPs

Galois theory (Part II)( ) Example Sheet 1

2a 2 4ac), provided there is an element r in our

Level Structures of Drinfeld Modules Closing a Small Gap

1 Fields and vector spaces

SM9 identity-based cryptographic algorithms Part 1: General

1 Number Fields Introduction Algebraic Numbers Algebraic Integers Algebraic Integers Modules over Z...

Chapter 4. Characters and Gauss sums. 4.1 Characters on finite abelian groups

Lecture 7: Etale Fundamental Group - Examples

p-adic fields Chapter 7

Polynomial Selection for Number Field Sieve in Geometric View

1. Algebra 1.7. Prime numbers

Discrete mathematics I - Number theory

On the complexity of computing discrete logarithms in the field F

Algorithms for integer factorization and discrete logarithms computation

Looking back at lattice-based cryptanalysis

Estimates for factoring 1024-bit integers. Thorsten Kleinjung, University of Bonn

Generating Subfields

Solving a 6120-bit DLP on a Desktop Computer

Transcription:

The number field sieve in the medium prime case Frederik Vercauteren ESAT/COSIC - K.U. Leuven Joint work with Antoine Joux, Reynald Lercier, Nigel Smart

Finite Field DLOG Basis finite field is F p = {0,..., p 1}, with p prime Let q = p n, then extension field F q F p [x]/(f (x)) with f (x) F p [x] of degree n and irreducible Multiplicative group F q is cyclic, take generator g Let h F q, then h = g d with d = log g h the DLOG

Number field sieve Index calculus algorithm used for factoring, then DLOGs Let q = p n with p prime, then complexity expressed by L q (α, c) = exp((c + o(1))(log q) α (log log q) 1 α ) Large p: number field sieve with running time as long as log p > n 2+ε L q (1/3, (64/9) 1/3 ) Small p: function field sieve with running time as long as p n o( n) L q (1/3, (32/9) 1/3 ) In the gap, i.e. log p < n 2+ε and p > n o( n), have to resort to Adleman - DeMarrais with complexity L q (1/2)

: setup To compute discrete logarithms in F p Two number fields K 1 = Q and K 2 = Q[X]/(f (X)) with: ) 1/3 ( The degree of f is d 3 1/3 log p log log p Exists m Z with f (m) 0 mod p, i.e. ring homomorphism φ 2 : O 2 F p E.g. f can be obtained by base m p 1/d expansion of p Choose two factor bases F 1 and F 2 F 1 : integer primes p < B for some bound B F2 : degree 1 prime ideals of norm < B

: sieving Sieve over pairs of integers (a, b) with gcd(a, b) = 1 and a, b < S for some bound S a bm is B-smooth No(a θ2 b) is B-smooth with f (θ 2 ) = 0 and No(a θ 2 b) = b d f ( a b ) Since No(a θ 2 b) is B-smooth the ideal a θ 2 b factors over F 2 since only degree 1 (or index divisors) appear a θ 2 b = i p e i i

: relations (a, b) with a bm and a θ 2 b B-smooth gives relation Need to get rid of ideals and work with elements only... Simplicity: assume class number h(k ) = 1 and computable unit group, then a θ 2 b = r i=0 u λ i i i γ e i i with u 1,..., u r fundamental units and p i = γ i Finally, by using φ 2 from O 2 to F p obtain a bm j p e j j r φ 2 (u i ) λ i φ 2 (γ i ) e i i=0 i mod p

: relations Take logs of both sides, obtain relation between DLOGs e j log g p j j r i=0 λ i log g φ 2 (u i )+ i e i log g φ 2 (γ i ) mod (p 1) Need to collect #F 1 + #F 2 + d + ε relations Solve sparse linear system using Lanczos or Wiedemann Individual DLOGs: descent procedure (see more later)

Schirokauer s extension for n > 1 Number field K 1 is chosen such that O 1 /po 1 = Fq, so K 1 has degree at least n Number field K 2 is extension of K 1, i.e. K 2 = K 1 [X]/(f (X)) Collect pairs (a, b) O 1 O 1 with similar properties as before: a bm is B-smooth where m O1 such that f (m) po 1 a θ 2 b is B-smooth with f (θ 2 ) = 0 Leads to L q (1/3)-algorithm for fixed n and p Main disadvantage: not really practical (only n = 2 has been attempted by Weber) Choice of polynomial f depends on input DLOG problem

Basic variation p = L p n(2/3, c): setup Finite fields F p n with p = L p n(2/3, c) and c near 2 (1/3) 1/3 Choose polynomial f 1 of degree n irreducible over F p very small coefficients (e.g. use poly to define F q ) Choose polynomial f 2 = f 1 + p K 1 Q[X]/(f 1 (X)) = Q[θ 1 ] and K 2 = Q[X]/(f2 (X)) = Q[θ 2 ] Note: f 1 f 2 mod p, so have compatible homomorphisms φ i : O i F q, for i = 1, 2 with φ 1 (θ 1 ) = φ 2 (θ 2 ) No relative extensions necessary and f i independent of input DLOG

Basic variation p = L p n(2/3, c): sieving/linear algebra Factor bases F 1 and F 2 of degree 1 ideals of small norm Choose smoothness bound B and a sieve limit S Pairs (a, b) of coprime integers, a S and b S No(a bθ 1 ) and No(a bθ 2 ) B-smooth Add logarithmic maps to take into account h(k i ) 1 and unit groups Obtain linear equation between logarithms of ideals in the smoothness bases Solve using SGE and Lanczos or Wiedemann

Basic variation p = L p n(2/3, c): individual DLOG Recursive special q-descent procedure similar to F p Represent F p n as F p [t]/(f 1 (t)) Assume we want to compute log t y with y F p n Search for element z = y i t j for some i, j N with 1. lifting z K 1, norm factors into primes smaller than some bound B 1 L p n(2/3, 1/3 1/3 ), 2. only degree one prime ideals in the factorisation of (z) 3. E.g.: the norm of the lift of z should be squarefree Remark: probability of squarefree smoothness is about 6/π 2 probability of smoothness

Basic variation p = L p n(2/3, c): individual DLOG Factor principal ideal generated by z as (z) = p ei i p i F 1 Ideals q j not contained in F 1, so need to compute DLOGs For each q j, perform special-q j descent: 1. Sieve over pairs (a, b) such that q j (a bθ 1 ) and j q e j j No(a bθ 1 )/No(q j ) and No(a bθ 2 ) B 2 -smooth B 2 < B 1 2. Factor (a bθ 1 ) and (a bθ 2 ) to obtain new special q j s 3. Repeat until bound B k < B DLOGs of all q j known Remark: special q j in both number fields K 1 and K 2

Definition 120-digit challenge Adaptation of Joux & Lercier s implementation for F p Finite field F p 3 with p = 10 39 π + 2622 p = 3141592653589793238462643383279502886819 Group order p 3 1 has 110-bit factor l Definition of number fields K 1 and K 2 by f 1 (X) = X 3 + X 2 2X 1 and f 2 (X) = f 1 (X) + p, where we have F p 3 F p [t]/(f 1 (t))

Number fields K 1 and K 2 Q[θ 1 ] is a cubic cyclic number field with Galois group Aut(Q[θ 1 ]) = {θ 1 θ 1, θ 1 θ 2 1 2, θ 1 θ 2 1 θ 1 + 1} K 1 has class number 1 and System of fundamental units u 1 = θ 1 + 1 and u 2 = θ 2 1 + θ 1 1 Q[θ 2 ] has signature (1, 1), so only need single Schirokauer logarithmic map λ

Factor bases and sieving Smoothness bases with 1 000 000 prime ideals in the Q[θ1 ] side, we include 899 999 prime ideals, but only 300 000 are meaningful due to the Galois action, in the Q[θ 2 ] side, we include 700 000 prime ideals. Lattice sieving: only algebraic integers a + bθ 2 divisible by prime ideal in Q[θ 2 ] Norms to be smoothed in Q[θ 2 ] are 150 bit integers Norms in Q[θ 1 ] are 110 bit integers Sieving took 12 days on a 1.15 GHz 16-processors HP AlphaServer GS1280

Linear algebra Compute the kernel of a 1 163 482 793 188 matrix Coefficients mostly equal modulo l to ±1, ±p or ±p 2 SGE: 450 246 445 097 matrix with 44 544 016 non null entries Lanczos s algorithm: about one week h(k 1 ) = 1, check DLOGs of generators of ideals in F 1 (t 2 + t + 1) (p3 1)/l = G 294066886450155961127467122432171, (t 3) (p3 1)/l = G 364224563635095380733340123490719, (3 t 1) (p3 1)/l = G 468876587747396380675723502928257, where G = g (p3 1)/1159268202574177739715462155841484 l and g = 2t + 1.

Individual DLOGs Challenge γ = 2 i=0 ( π pi+1 mod p)t i Using Pollard-Rho, computed DLOG modulo (p 3 1)/l, 3889538915890151897584592293694118467753499109961221460457697271386147286910282477328. To obtain a complete result, we expressed γ = 90987980355959529347 t2 114443008248522156910 t + 154493664373341271998 94912764441570771406 t 2 120055569809711861965 t 81959619964446352567, Numerator and denominator are both smooth in Q[θ 1 ] Three level tree with 80 special-q ideals Recovered DLOG modulo l, namely 110781190155780903592153105706975 Each special-q sieving took 10 minutes or a total of 14 hours

Variation I: smaller p Polynomial setup same as in basic case Main problem: sieving space is not large enough, due to larger n cannot collect enough relations Solution: sieve over elements of larger degree than 1 t a i θ1 i i=0 and t a i θ2 i i=0 Bound on norm: (n + t) n+t B a n B f t with Ba is an upper bound on the absolute values of the a i B f a similar bound on the coefficients of f 1 (resp. f 2 )

Variation II: larger p p is too large to simply add to f 1, so need different polynomial construction Only requirement is: f 1 (x) f 2 (x) mod p Idea: construct f 2 (x) of degree > n with small coefficients such that f 1 (x) f 2 (x) over Q Choose constant W and construct f 1 (x) = f 0 (x + W ), coefficient at least W n Use LLL to reduce the lattice L = ( f 1 (x) xf 1 (x) x 2 f 1 (x) x D n f 1 (x) p px px 2 px D ) Need vector with coefficients smaller than W n so 2 (D+1)/4 p n/(d+1) W n

Complexity of variations p can be written as L q (l p, c) with 1/3 < l p < 2/3 L q (1/3, (128/9) 1/3 ) L q (1/3, 2.423...) p can be written as L q (2/3, c) for a constant c L q (1/3, 2c ) with c = 4 ( 3t 3 4(t + 1) ) 1/3 sieve over elements of degree t with 3c 3 t(t + 1) 2 32 = 0 p can be written as L q (2/3, c) for a constant c L q (1/3, 2c ) with 9c 3 6 c c 2 + 1 c 2 c 8 = 0 p can be written as L q (l p, c) with l p > 2/3 L q (1/3, (64/9) 1/3 ) L q (1/3, 1.923...)

JLSV NFS: complexity = L q (1/3, 2c ) 2.4 t -> oo 2.3 t = 3 2.2 2c t = 2 2.1 D > n 2 1.9 t = 1 2 4 6 8 10 c

Conclusions New, simple and practical variations of NFS Can simply adapt existing implementations of NFS for F p More optimisations: large prime variation, multiple number fields,... Combined with work Joux/Lercier on FFS: obtain two families of algorithms such that DLOGs in F p n can be computed in L p n(1/3) time

Optimisation I: Galois extensions p is inert in K 1, so isomorphism Gal(K 1 /Q) Gal(F q /F p ) Thus: K 1 has to be a cyclic number field of degree n Partition factor base F 1 in n parts F 1,k with k = 1,..., n n (a bθ 1 ) = k=1 p i F 1,1 ψ k (p i ) ei,k with Gal(K 1 /Q) = ψ Choose ψ such log g φ 1 (ψ(δ i ))) = p log g φ 1 (δ i ) with p i = δ i Effectively divides factor base size by n

Optimisation II: choice of polynomials Two possible optimisations: Poss I: Maximise automorphism group of K 1 and K 2 simultaneously Example: p 2, 5 mod 9, can take f 1 = x 6 + x 3 + 1 f 2 = x 6 + (p + 1)x 3 + 1 K 1 is Galois and K 2 has non-trivial automorphism order 2 Poss II: balance size of coefficients of f 1 and f 2 Remark: better to adapt sieving region...

Optimisation III: individual logarithms Instead of factoring z, first write z as ai t i bi t i with a i and b i are of the order of p. Use LLL to find short vector in lattice L z tz t 2 z t n 1 z p pt pt 2 pt n 1 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 L = 0 0 1 0 0 0 0 0.............. 0 0 0 1 0 0 0 0 Expect LLL finds short vector of norm p.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback