A quasi polynomial algorithm for discrete logarithm in small characteristic


CCA seminar, January 10, 2014
A quasi polynomial algorithm for discrete logarithm in small characteristic
Razvan Barbulescu (1), Pierrick Gaudry (2), Antoine Joux (3), Emmanuel Thomé (2)
(1) LIX, École Polytechnique; (2) Loria, Nancy; (3) LIP 6, Paris
R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi polynomial algorithm 0 / 34

Motivation

For any prime power $Q$, $\mathbb{F}_Q$ is the field of $Q$ elements.
- Factorization and discrete logarithm in $\mathbb{F}_p$: same complexity.
- Analogously, pairings in small characteristic rely on discrete logarithms in $\mathbb{F}_{2^n}$ or $\mathbb{F}_{3^n}$.
- Pairings also rely on the elliptic curve discrete logarithm.

Discrete logarithm

Definition. Let $g$ and $h$ be two elements of a cyclic group. The discrete logarithm of $h$ in base $g$, if it exists, is the smallest non-negative integer $x$ such that $g^x = h$.

Example. DSA signatures rely on the difficulty of solving the equation $g^x \equiv h \pmod p$ for a prime $p$ and integers $g$ and $h$.

Example. Pairing-based cryptosystems in small characteristic rely, in particular, on the difficulty of solving the equation $g(X)^x \equiv h(X) \pmod{\varphi(X)}$ for an irreducible polynomial $\varphi(X)$ in $\mathbb{F}_2[X]$ or $\mathbb{F}_3[X]$.

The Pohlig-Hellman reduction

Let $N = \prod_i p_i^{e_i}$ be the factorization of the group order. Let $g_i = g^{N/p_i^{e_i}}$ and $h_i = h^{N/p_i^{e_i}}$. Then $g_i$ is of order $p_i^{e_i}$ and $h_i = g_i^{x_i}$, where $x_i \equiv x \pmod{p_i^{e_i}}$.

Theorem. Using the Chinese Remainder Theorem, the DLP in $G$ reduces to DLPs in groups whose orders are prime powers. A similar trick, à la Hensel, reduces the DLP modulo a prime power to several DLPs modulo primes.

Theorem (Pohlig-Hellman reduction). The DLP in a cyclic group $G$ of composite order is not harder than the DLP in the subgroup of $G$ of largest prime order.

In the following we compute discrete logarithms modulo a prime divisor $\ell$ of the group order.

Shanks' baby-step giant-step algorithm

Let $K$ be a parameter (in the end, $K \approx \sqrt{N}$). Write the discrete logarithm $x$ as $x = x_0 + K x_1$, with $0 \le x_0 < K$ and $0 \le x_1 < N/K$.

Algorithm
1. Baby steps: for all $i$ in $[0, K-1]$, compute $g^i$. Store the resulting pairs $(g^i, i)$ in a hash table.
2. Giant steps: for all $j$ in $[0, N/K]$, compute $h g^{-Kj}$. If the resulting element is in the baby-step table, get the corresponding $i$ and return $x = i + Kj$.

Theorem. Discrete logarithms in a cyclic group of order $N$ can be computed in fewer than $2\sqrt{N}$ operations.
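The two generic algorithms of the preceding slides, the Pohlig-Hellman reduction and Shanks' baby-step giant-step, as one runnable piece. This is an added example and not code from the talk. The group is abstracted as a multiplication function plus its identity; the demonstration instantiates it with the multiplicative group of $\mathbb{Z}/p\mathbb{Z}$ for the primes $p = 101$ and $p = 1009$, which are chosen here for illustration only, and `find_generator`, `factor_trial` and `crt` are helpers written for this example.

```python
"""Pohlig-Hellman reduction on top of Shanks' baby-step giant-step.

Added example, not code from the talk. A cyclic group is passed in as a
multiplication function plus its identity; the demo uses (Z/pZ)^* for a
small prime p, chosen here for illustration only.
"""
from math import isqrt


def group_pow(g, e, mul, identity):
    """Square-and-multiply exponentiation for a non-negative exponent e."""
    result, base = identity, g
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result


def bsgs(g, h, n, mul, identity):
    """Return x in [0, n) with g^x == h, given g^n == identity, or None.

    Baby steps g^i for 0 <= i < K, K = ceil(sqrt(n)), fill a hash table;
    giant steps h * g^(-Kj) are looked up in it, so about 2*sqrt(n) group
    operations suffice. g^-K is taken as g^((-K) mod n): no inversion needed.
    """
    k = isqrt(n) + 1
    baby = {}
    cur = identity
    for i in range(k):
        baby.setdefault(cur, i)
        cur = mul(cur, g)
    giant = group_pow(g, (-k) % n, mul, identity)
    cur = h
    for j in range(k + 1):
        if cur in baby:
            return (baby[cur] + j * k) % n
        cur = mul(cur, giant)
    return None


def factor_trial(n):
    """Prime factorization {p: e} by trial division (adequate for toy orders)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def crt(residues):
    """Combine [(r_i, m_i)] with pairwise coprime m_i into x mod prod(m_i)."""
    x, m = 0, 1
    for r, mod in residues:
        t = ((r - x) * pow(m, -1, mod)) % mod   # x + m*t == r (mod mod)
        x, m = x + m * t, m * mod
    return x % m


def pohlig_hellman(g, h, n, mul, identity):
    """log_g(h) in a cyclic group of order exactly n, for h in <g>.

    For every p^e dividing n exactly: project g and h into the subgroup of
    order p^e, recover the base-p digits of the log one at a time (each digit
    is a DLP of prime order p, solved by BSGS in O(sqrt(p))), then recombine
    the prime-power residues with the CRT. Cost is dominated by the largest p.
    """
    residues = []
    for p, e in factor_trial(n).items():
        pe = p ** e
        gp = group_pow(g, n // pe, mul, identity)      # order p^e
        hp = group_pow(h, n // pe, mul, identity)      # hp == gp^(x mod p^e)
        g1 = group_pow(gp, pe // p, mul, identity)     # order p
        x = 0
        for j in range(e):
            # Strip the digits already known; what is left, raised to
            # p^(e-1-j), equals g1^(next digit).
            t = mul(hp, group_pow(gp, (-x) % pe, mul, identity))
            t = group_pow(t, pe // p ** (j + 1), mul, identity)
            digit = bsgs(g1, t, p, mul, identity)
            if digit is None:
                raise ValueError("h is not in the subgroup generated by g")
            x += digit * p ** j
        residues.append((x, pe))
    return crt(residues)


def modular_group(p):
    """(mul, identity) for the multiplicative group of Z/pZ, p prime."""
    return (lambda a, b: a * b % p), 1


def find_generator(p):
    """Smallest primitive root modulo the prime p (an element of order p - 1)."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // r, p) != 1 for r in factor_trial(p - 1)):
            return g
    raise ValueError("no generator found; is p prime?")


if __name__ == "__main__":
    p = 1009                          # prime; group order 1008 = 2^4 * 3^2 * 7
    mul, one = modular_group(p)
    g = find_generator(p)
    h = pow(g, 777, p)
    print("log_%d(%d) in (Z/%dZ)* = %d" % (g, h, p, pohlig_hellman(g, h, p - 1, mul, one)))
```

`pohlig_hellman` needs $n$ to be the exact order of $g$: with a proper multiple of the order, the projections `g1` collapse to the identity and the digit extraction returns zeros, which is why the demo first picks a generator. Nothing in the code depends on the group being $(\mathbb{Z}/p\mathbb{Z})^*$; an elliptic curve group would only need its own `mul` and identity, with the same $O(\sqrt{p})$ cost for the largest prime $p$ dividing the order.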

Summary of generic algorithms

Putting things together, one obtains:

Theorem (DLP in generic groups). Let $G$ be a cyclic group of order $N$, and let $p$ be the largest prime factor of $N$. The DLP in $G$ can be solved in $O(\sqrt{p})$ operations in $G$ (up to factors that are polynomial in $\log N$).

Pollard's rho method has the same time complexity, but a low memory complexity.

Finite fields are not generic groups!

Outline of the talk
- Background
- Discrete logarithm in small characteristic
- The algorithm
- Some comments

The L notation

Sub-exponential algorithms have complexities of the order of $n^{O(1)} 2^{n^{\alpha}}$ with $0 < \alpha < 1$, where $n$ is the bit-size of the input.

A more precise function is
$$L_x(\alpha, c) = \exp\left(c\, n^{\alpha} (\log n)^{1-\alpha}\right), \quad \text{where } n = \log x.$$

The most common values of $\alpha$ are:
- 0 for polynomial-time algorithms;
- 1 for exponential ones;
- 1/2 for older DL algorithms;
- 1/3 for the algorithms used in today's records for factorization and for discrete logarithms in large, medium and small characteristic.

Smoothness

Definition. A polynomial in $\mathbb{F}_q[t]$ is $m$-smooth if all its irreducible factors have degree at most $m$.

Theorem (Panario, Gourdon, Flajolet). The probability that a degree-$n$ polynomial is $m$-smooth is $u^{-u(1+o(1))}$, where $u = n/m$.

Cases:
- $n = \log_q L_x(\alpha, \cdot)$ and $m = \log_q L_x(\beta, \cdot)$ give a probability of $1/L_x(\alpha - \beta, \cdot)$;
-n = D$ and $m = D/6$ give a constant probability;
- $n = D$ and $m = 1$ give a probability $1/D! \approx 1/D^D$.

Obtaining relations

The finite field $\mathbb{F}_{q^k}$ is represented as $\mathbb{F}_q[t]/\varphi$ for an irreducible degree-$k$ polynomial $\varphi \in \mathbb{F}_q[t]$.

Example. Take $q = 3$, $k = 5$, $\varphi = x^5 + x^4 + 2x^3 + 1$ and $\ell = 11$ (a divisor of $3^5 - 1$). We have
$$x^5 \equiv 2(x+1)(x^3 + x^2 + 2x + 1) \pmod{\varphi},$$
$$x^6 \equiv 2(x^2+1)(x^2+x+2) \pmod{\varphi},$$
$$x^7 \equiv 2(x+2)(x+1)^2 \pmod{\varphi}.$$

The last relation gives $7 \log_x x \equiv 1 \cdot \log_x(x+2) + 2 \log_x(x+1)$. Combined with $8 \log_x(x+1) \equiv 1 \cdot \log_x(x+2)$ and $9 \log_x(x+2) \equiv 2 \log_x x$ (all modulo 11), we find $\log_x(x+1) \equiv 4 \pmod{11}$ and $\log_x(x+2) \equiv 10 \pmod{11}$.

L(1/2) index calculus in $\mathbb{F}_{2^n} = \mathbb{F}_2[x]/\varphi(x)$

Algorithm. To compute the log of $h$ in base $g$:
0. Fix a smoothness bound $B$, and construct the factor base $\mathcal{F} = \{p_i \text{ irreducible and monic};\ \deg p_i \le B\}$.
1. Collect relations. Repeat the following until $\#\mathcal{F}$ relations have been found:
   1.1 Pick $a$ at random and compute $z = g^a \bmod \varphi$.
   1.2 Check if $z$ is smooth.
   1.3 If yes, write $z$ as a product of elements of $\mathcal{F}$ and store the corresponding relation as a row of a matrix.
2. Linear algebra. Find a vector $v$ in the right kernel of the matrix, modulo $2^n - 1$. Normalizing to get $\log g = 1$, this gives the logs of all factor base elements.
3. Individual logs. Pick $b$ at random until $h^b$ is smooth. Deduce the log of $h$.

Note. Let $B = \log_2 L(\alpha, \cdot)$. Then $\#\mathcal{F} = L(\alpha)$; the cost of the relation collection stage is $L(\alpha) L(1-\alpha)$ while the linear algebra has a cost of $L(\alpha)^2 = L(\alpha)$. The complexity is optimized for $\alpha = 1/2$.
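The index calculus scheme above, carried out on the $\mathbb{F}_{3^5}$ example of the "Obtaining relations" slide, as an added example that is not code from the talk. It uses the slide's $\varphi = x^5 + x^4 + 2x^3 + 1$ and $\ell = 11$, takes the linear polynomials $x$, $x+1$, $x+2$ as factor base, and writes the $\mathbb{F}_3[x]$ arithmetic from scratch. Two choices are mine rather than the slide's: relations are collected from the powers $x^i$, $1 \le i \le 241$, instead of random $g^a$ (the field is tiny, so this is deterministic and recovers the slide's $x^7$ relation among others), and constants from $\mathbb{F}_3^*$ are dropped from the relations because, after projecting into the subgroup of order 11, their contribution vanishes. The final check uses that same projection.

```python
"""Toy index calculus in F_{3^5} = F_3[x]/(phi), with logs modulo l = 11.

Added example, not code from the talk. Polynomials over F_3 are lists of
coefficients in increasing degree ([c0, c1, ...] is c0 + c1*x + ...).
phi and l are the ones from the slide; 3^5 - 1 = 242 = 2 * 11^2.
"""

P = 3                                  # characteristic
PHI = [1, 0, 0, 2, 1, 1]               # x^5 + x^4 + 2x^3 + 1, irreducible over F_3
L = 11                                 # prime modulus for the logarithms
GROUP_ORDER = P ** 5 - 1               # 242
X = [0, 1]                             # the element x, our base for logarithms


def trim(a):
    """Drop leading zero coefficients so that len(a) - 1 is the degree."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return trim(out)


def poly_divmod(a, b):
    """Long division over F_P by a non-zero b; returns (quotient, remainder)."""
    a, b = trim(a), trim(b)
    inv_lead = pow(b[-1], P - 2, P)
    q = [0] * max(len(a) - len(b) + 1, 1)
    while a and len(a) >= len(b):
        shift = len(a) - len(b)
        coef = (a[-1] * inv_lead) % P
        q[shift] = coef
        for i, bi in enumerate(b):
            a[i + shift] = (a[i + shift] - coef * bi) % P
        a = trim(a)
    return trim(q), a


def mul_mod(a, b):
    """Multiplication in the field F_3[x]/(phi)."""
    return poly_divmod(poly_mul(a, b), PHI)[1]


def pow_mod(a, e):
    result, base = [1], trim(a)
    while e:
        if e & 1:
            result = mul_mod(result, base)
        base = mul_mod(base, base)
        e >>= 1
    return result


def linear_factorization(a):
    """Write a as c * prod_{s in F_3} (x + s)^e_s, i.e. test 1-smoothness.

    Returns (c, {s: e_s}) or None when an irreducible factor of degree >= 2 remains.
    """
    a = trim(a)
    exps = {}
    for s in range(P):
        while len(a) > 1:
            q, r = poly_divmod(a, [s, 1])          # divide by x + s
            if r:
                break
            a = q
            exps[s] = exps.get(s, 0) + 1
    if len(a) != 1:
        return None
    return a[0], exps


def collect_relations():
    """Rows (e_1, e_2, rhs) of the system e_1*log(x+1) + e_2*log(x+2) = rhs (mod l).

    A 1-smooth power x^i = c * x^e_0 (x+1)^e_1 (x+2)^e_2 gives, with log(x) = 1,
    rhs = i - e_0. The constant c in F_3^* has order dividing 2, so it vanishes
    once the relation is raised to the power 242/11 (projection into the
    subgroup of order l); this is why c is ignored here.
    """
    rows = []
    for i in range(1, GROUP_ORDER):
        fac = linear_factorization(pow_mod(X, i))
        if fac is None:
            continue
        exps = fac[1]
        e0, e1, e2 = exps.get(0, 0), exps.get(1, 0), exps.get(2, 0)
        if e1 or e2:                                # skip tautologies x^i = x^i
            rows.append((e1 % L, e2 % L, (i - e0) % L))
    return rows


def solve_mod_prime(rows, unknowns, p):
    """Gaussian elimination modulo a prime for an overdetermined consistent system."""
    m = [list(r) for r in rows]
    rank = 0
    for col in range(unknowns):
        piv = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if piv is None:
            raise ValueError("underdetermined: need more relations")
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], p - 2, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(vr - f * vp) % p for vr, vp in zip(m[r], m[rank])]
        rank += 1
    if any(any(row) for row in m[rank:]):
        raise ValueError("inconsistent relations")
    return [m[i][unknowns] for i in range(unknowns)]


def index_calculus_logs():
    """{a: log_x(x + a) mod 11} for a = 1, 2; the slide gives 4 and 10."""
    l1, l2 = solve_mod_prime(collect_relations(), 2, L)
    return {1: l1, 2: l2}


def check_log_mod_l(h, log_mod_l):
    """Verify a logarithm modulo l: x^(log * 242/11) == h^(242/11) in the field."""
    cofactor = GROUP_ORDER // L
    return pow_mod(X, log_mod_l * cofactor) == pow_mod(h, cofactor)
```

Only two independent relations are needed for two unknowns; the system is overdetermined on purpose, and `solve_mod_prime` refuses to return an answer if the extra rows disagree, which is the practical check that the smoothness bookkeeping is right. The projection used in `check_log_mod_l` is exactly the Pohlig-Hellman step of the earlier slide: a logarithm modulo $\ell$ is a logarithm in the subgroup of order $\ell$.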

L(1/2) index calculus: comments

All L(1/2) and L(1/3) DLP algorithms follow the same scheme:
- relation collection;
- linear algebra to get the logs of the factor base elements;
- individual log, to handle any element.

Joux's L(1/4) algorithm still uses this terminology (but is very different in nature).

Quasi-polynomial time algorithm: it's time to stop speaking about a factor base!

Records for fields $\mathbb{F}_{2^n}$ with prime $n$

The most studied algorithm in small characteristic is the function field sieve (FFS), of complexity L(1/3). Joux and Lercier gave a variant, and Coppersmith's algorithm can be seen as a particular case.

n        date   GIPS years   algo.   author
401      1992   0.2          Copp.   Gordon, McCurley
512 (1)  2002   0.4          FFS     Joux, Lercier
607      2002   20           Copp.   Thomé
607      2005   1.6          FFS     Joux, Lercier
613      2005   1.6          FFS     Joux, Lercier
619      2012   0            FFS     Caramel
809      2013   16           FFS     Caramel

(1) Using the same algorithm as for prime degrees.

Caramel completed the relation collection stage for $n = 1039$ with a computation of 384 GIPS years. The linear algebra must be adapted to larger sizes.

Composite degrees $n$

Pairing-issued instances of discrete logarithm have composite exponent: $4n$, $6n$ or $12n$.

Theorem. Under the same assumptions as in the classical variant of FFS, if $n$ has a factor $\kappa$ less than $\sqrt[3]{n}$, then
1. the relation collection phase can be sped up by a factor $\kappa$;
2. the linear algebra stage can be sped up by a factor $\kappa^2$.

Two Japanese teams computed discrete logs in $\mathbb{F}_{3^{6n}}$ (pairings):
- a 2010 record for $n = 71$ (676 bits) using $\kappa = 6$; cost 14 GIPS years;
- a 2012 record for $n = 97$ (923 bits) using $\kappa = 3$; cost 290 GIPS years.

Results of the year 2013

- The fields $\mathbb{F}_{q^{2k}}$ and $\mathbb{F}_{q^{3k}}$ with $k \approx q$ are weak; if $k \in \{q-1, q, q+1\}$ they are very weak. (Joux)
- Two methods for relation collection and linear algebra in polynomial time. (Joux, and Göloğlu et al.)
- Amazing records by Joux ($n = 6168$) and Göloğlu et al. ($n = 6120$).
- Individual logarithm in time $L(1/4 + o(1))$ by Joux.
- One can embed $\mathbb{F}_{2^n}$ with prime $n$ in a field $\mathbb{F}_{q^{2k}}$ with $k \approx q$. (Joux)
- Quasi-polynomial algorithm of complexity $n^{O(\log n)}$ for prime $n$. (This work)
- Estimation of the weakness of small characteristic pairings by Adj et al.: for example, pairing-based cryptosystems over $\mathbb{F}_{3^{509}}$ have a security of 80 bits instead of 128 bits. (BGJT is used in tandem with Joux's algorithm.)

Outline of the talk (repeated; next section: The algorithm)

Main result

Theorem (based on heuristics). Let $K$ be any finite field $\mathbb{F}_{q^k}$. A discrete logarithm in $K$ can be computed in heuristic time $\max(q, k)^{O(\log k)}$.

Cases:
- $K = \mathbb{F}_{2^n}$, with prime $n$. Complexity is $n^{O(\log n)}$. Much better than $L_{2^n}(1/3 + o(1)) \approx 2^{\sqrt[3]{n}}$.
- $K = \mathbb{F}_{q^k}$, with $q \approx k$. Complexity is $(\log Q)^{O(\log \log Q)}$, where $Q = \#K$. Again, this is $L_Q(o(1))$.
- $K = \mathbb{F}_{q^k}$, with $q \approx L_{q^k}(\alpha)$. Complexity is $L_{q^k}(\alpha + o(1))$, i.e. better than Joux-Lercier or FFS for $\alpha < 1/3$.

Representing $\mathbb{F}_{q^{2k}}$

We suppose first $k \approx q$ and $k \le q + 2$.

Choosing $\varphi$: try random $h_0, h_1 \in \mathbb{F}_{q^2}[x]$ with $\deg h_0, \deg h_1 \le 2$ until $T(x) := h_1(x) x^q - h_0(x)$ has an irreducible factor $\varphi$ of degree $k$.

Remark. The existence of $h_0$ and $h_1$ is heuristic, but they are found in practice in time $O(k)$.

Then $h_1(x) x^q \equiv h_0(x) \pmod{\varphi(x)}$.

If $P \in \mathbb{F}_{q^2}[x]$ then
$$h_1(x)^{\deg P} P(x)^q = h_1(x)^{\deg P} \tilde P(x^q) \equiv h_1(x)^{\deg P}\, \tilde P\!\left(\frac{h_0}{h_1}\right) \pmod{\varphi(x)},$$
where $\tilde P$ is the polynomial obtained after conjugating all coefficients.

Building block

Proposition (under heuristic assumptions). There exists an algorithm whose complexity is polynomial in $q$ and $k$ and which can be used for the following two tasks.
1. Given an element of $K$ represented by a polynomial $P \in \mathbb{F}_{q^2}[X]$ with $2 \le \deg P \le k - 1$, the algorithm returns an expression of $\log P(X)$ as a linear combination of at most $O(k q^2)$ logarithms $\log P_i(X)$ with $\deg P_i \le \frac{1}{2} \deg P$, and of $\log h_1(X)$.
2. The algorithm returns the logarithm of $h_1(X)$ and the logarithms of all the elements of $K$ of the form $X + a$, for $a \in \mathbb{F}_{q^2}$.

Descent tree

(Figure: a tree whose root is $P$, of degree $k$; its children have degree $k/2$, the next level degree $k/4$, and so on down to leaves of degree 1.)

Attention: nodes can repeat; in particular the number of leaves is less than $q^2$, the number of polynomials $x + \gamma$.

The descent tree

Each node of the descent tree corresponds to one application of the Proposition, hence its arity is in $O(q^2 D)$ for a node of degree $D$.

level          deg P_i   width of tree
0              k         1
1              k/2       q^2 k
2              k/4       q^2 k * q^2 (k/2)
3              k/8       q^2 k * q^2 (k/2) * q^2 (k/4)
...            ...       ...
log k - 1      1         q^{2 log k} k^{log k}

Total number of nodes $= q^{O(\log k)}$. Each node yields a cost that is polynomial in $q$, hence one can solve discrete logarithms in $\mathbb{F}_{q^{2k}}$ with $k \le q + 2$ in time $q^{O(\log k)}$.

Proof idea

Recall that the individual log for index calculus is done using equations $x^i P \equiv R_i \pmod{\varphi}$, where $i$ is a random integer and $R_i$ is the residue of $x^i P$ modulo $\varphi$.

We search for relations $L_S \equiv \prod_{\gamma \in S} (P + \gamma) \pmod{\varphi}$, where $S$ is a subset of $\mathbb{F}_{q^2}$ and $L_S$ is the residue of $\prod_{\gamma \in S}(P + \gamma)$ modulo $\varphi$ (which we hope is smooth).

Proof: the left hand side

Let $\log P$ be the required computation. For every matrix $m = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{GL}_2(\mathbb{F}_{q^2})$ we have $\log L_m \equiv \log R_m$, where
$$R_m := h_1(x)^{\deg P}\left((aP + b)^q (cP + d) - (aP + b)(cP + d)^q\right)$$
and $L_m := R_m \bmod \varphi$.

We have $\deg L_m \le 3 \deg P$. Indeed,
$$L_m \equiv h_1^{\deg P}\Big( (\tilde a\, \tilde P(x^q) + \tilde b)(cP(x) + d) - (aP(x) + b)(\tilde c\, \tilde P(x^q) + \tilde d) \Big)$$
$$\equiv h_1^{\deg P}\left( \Big(\tilde a\, \tilde P\!\Big(\frac{h_0(x)}{h_1(x)}\Big) + \tilde b\Big)(cP(x) + d) - (aP(x) + b)\Big(\tilde c\, \tilde P\!\Big(\frac{h_0(x)}{h_1(x)}\Big) + \tilde d\Big) \right) \pmod{\varphi}.$$

The right hand side

Recall the identity $x^q - x = \prod_{\alpha \in \mathbb{F}_q}(x - \alpha)$. We further have
$$x^q y - x y^q = \prod_{(\alpha:\beta) \in \mathbb{P}^1(\mathbb{F}_q)} (\beta x - \alpha y),$$
and
$$(aP+b)^q(cP+d) - (aP+b)(cP+d)^q = \prod_{(\alpha:\beta) \in \mathbb{P}^1(\mathbb{F}_q)} \big(\beta(aP+b) - \alpha(cP+d)\big)$$
$$= \prod_{(\alpha:\beta) \in \mathbb{P}^1(\mathbb{F}_q)} \big((a\beta - c\alpha)P - (d\alpha - b\beta)\big) = \lambda \prod_{(\alpha:\beta) \in \mathbb{P}^1(\mathbb{F}_q)} \left(P - \frac{d\alpha - b\beta}{a\beta - c\alpha}\right).$$

Here $q + 1$ out of the $q^2 + 1$ elements of $\{1\} \cup \{P + a : a \in \mathbb{F}_{q^2}\}$ occur.

Linear algebra step for $P$

If $L_m$ is $\frac{1}{2}\deg P$-smooth we have
$$\prod_{\gamma \in \mathbb{P}^1(\mathbb{F}_{q^2})} (P + \gamma)^{v_m(\gamma)} = \prod_i P_i^{e_i},$$
for some polynomials $P_i$ with $\deg P_i \le \frac{1}{2}\deg P$, and
$$v_m(\gamma) = \begin{cases} 1, & \text{if } \gamma = \dfrac{b\beta - d\alpha}{a\beta - c\alpha} \text{ with } (\alpha : \beta) \in \mathbb{P}^1(\mathbb{F}_q), \\ 0 & \text{otherwise.} \end{cases}$$

Linear algebra step for $P$ (continued)

Notation. $\mathcal{P}_q := \mathrm{PGL}(2, q^2)/\mathrm{PGL}(2, q)$. Since $\#\mathrm{PGL}(2, q) = q^3 - q$, we have $\#\mathcal{P}_q = q^3 + q$.

The matrix $\big(v_m(\gamma)\big)$ has one row per $m \in \mathcal{P}_q$ and one column per $\gamma \in \mathbb{P}^1(\mathbb{F}_{q^2})$.

Since $L_m$ has degree at most $3 \deg P$, its heuristic probability to be $\frac{1}{2}\deg P$-smooth is constant. Hence the matrix has $\Theta(q^3)$ rows and $q^2 + 1$ columns. We make the heuristic that the matrix has rank $q^2 + 1$.

Evidence in favour of the heuristic

We computed the determinant over $\mathbb{Z}$ of some matrices obtained as above, denoted $\delta_i$. In our example, the determinant $\delta_i$ of $q^2 + 1$ random rows had the same probability to be divisible by a large prime $\ell$ as a random integer.

q    #trials   primes in gcd({delta_i})   primes in gcd(delta_i, delta_j)
16   50        17                         691
17   50        2, 3                       431, 691
19   50        2, 5                       none above q^2
23   50        2, 3                       none above q^2
25   50        2, 13                      none above q^2
27   50        2, 7                       1327
29   50        2, 3, 5                    none above q^2
31   50        2                          1303, 3209
32   50        3, 11                      none above q^2

Arity of the descent tree

$\log P$ is obtained as a sum of at most $q^2$ linear combinations. Each linear combination has at most $3 \deg P$ terms. So we have at most $O(q^2 \deg P)$ new polynomials.

Adj et al. gave a method to compute the average number of divisors of a smooth polynomial.

Outline of the talk (repeated; next section: Some comments)

The embedding trick

$\log_g h$ has the same value whether $g$ and $h$ are seen as elements of $\mathbb{F}_{q^k}$ or of any field $\mathbb{F}_{q'^k}$ where $q'$ is a power of $q$.

When $q < k - 2$ we embed $\mathbb{F}_{q^k}$ in $\mathbb{F}_{q'^{2k}}$ with $q' = q^{\lceil \log_q k \rceil}$. Note that $q' \le qk$. The input size $\log Q = k \log q$ is replaced by $2k \log q' \le 2k \log(qk) \le 4 \log Q \log \log Q$.

When replacing $\log Q$ by $\log Q \log \log Q$:
- a polynomial algorithm changes the big-oh into a soft-oh;
- a sub-exponential $L(\alpha)$ algorithm becomes $L(\alpha + o(1))$;
- a quasi-polynomial one changes the constant in the big-oh.

Example
1. For $\mathbb{F}_{2^{1003}}$ we compute logs in $\mathbb{F}_{1024^{2 \cdot 1003}} = \mathbb{F}_{2^{20060}}$.
2. The field $\mathbb{F}_{3^{6 \cdot 509}}$ can be embedded in $\mathbb{F}_{q^{2k}}$ with $q = 3^6$ and $k = 509$.

Very weak fields

Assume that $k = q - 1$ (the same holds for $q + 1$ and $q$). For many values of $q$ we can take $h_1 = 1$ and $h_0 = Ax$ for some generator $A$ of $\mathbb{F}_{q^2}^*$. Then $\varphi = x^{q-1} - A$.

Then, for any $a \in \mathbb{F}_{q^2}$, we have
$$(x + a)^q = x^q + \tilde a = x^{q-1} \cdot x + \tilde a = A\,(x + \tilde a / A),$$
where $\tilde a$ is the Frobenius conjugate of $a$. We obtain $q \log(x + a) \equiv \log(x + \tilde a / A) \pmod{\ell}$ (the logarithm of $A \in \mathbb{F}_{q^2}^*$ vanishes modulo a prime $\ell$ that does not divide $q^2 - 1$). Hence we can reduce the factor base by a factor $k$. For example for $2^{6168}$, the linear algebra time was accelerated by $k^2 = 66049$.

Remark. The smoothness probabilities are improved. For example, the proportion of matrices $m \in \mathcal{P}_q$ which produce relations for the linear polynomials is $1/6! = 1/720$ when $\max(\deg h_0, \deg h_1) = 2$, and it is $1/3!$ for the very weak (Kummer) case.

The traps of Cheng, Wan and Zhuang

In a recent preprint, Cheng, Wan and Zhuang noticed that the two last heuristics might fail. Let $P(X)$ be a divisor of $h_1 X^q - h_0$ (not the one used to define $\mathbb{F}_{q^{2k}}$). It can be checked that $P$ divides both sides of the relations we try to construct. In general, such a $P$ cannot be descended in the usual way. And if $P$ is linear, then we will not get its logarithm in the usual way.

The CWZ traps: solutions

CWZ proposed to just avoid these elements: one still gets a quasi-polynomial time complexity.

We propose an alternative solution to descend a problematic $P$ of degree $D$. We have
$$h_1^D P^q \equiv h_1^D\, \tilde P(h_0/h_1) \pmod{x^q h_1 - h_0}.$$
The RHS is always divisible by $P$ (it is problematic). Taking logs, we get
$$D \log h_1 + (q - 1) \log P = \log Q,$$
where $Q$ is the RHS divided by $P$. In general $P \nmid Q$, and, if $\deg h_0, \deg h_1 \le 2$, then $\deg Q \le D$. So we have related $\log P$ to other logarithms, and the descent can continue.

Conclusion

Looking back:
- 30 years ago, the first L(1/3) DL algorithm, by Coppersmith;
- it took more than a decade to get this complexity for a wide range of scenarios;
- there is still recent progress on L(1/3) algorithms.

Interesting times!
- We are entering a better-than-L(1/3) era;
- a lot of theoretical and practical improvements are expected in the next few months / years;
- at the moment, absolutely no clue how to extend the quasi-polynomial complexity to large characteristic, or to remove the "quasi".

(Figure: the complexity of discrete logarithm for a given size $\log Q$ with respect to the characteristic $q = L(\alpha)$; horizontal axis $\alpha$ with ticks at 0, 1/3, 2/3 and 1, and a marker labelled RSA.)