A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic

Similar documents
A quasi polynomial algorithm for discrete logarithm in small characteristic

A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic

Discrete logarithms: Recent progress (and open problems)

On the complexity of computing discrete logarithms in the field F

Traps to the BGJT-Algorithm for Discrete Logarithms

Algorithmes de calcul de logarithme discret dans les corps finis

On Generating Coset Representatives of P GL 2 (F q ) in P GL 2 (F q 2)

Solving a 6120-bit DLP on a Desktop Computer

A brief overwiev of pairings

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Improving NFS for the discrete logarithm problem in non-prime nite elds

A NEW PERSPECTIVE ON THE POWERS OF TWO DESCENT FOR DISCRETE LOGARITHMS IN FINITE FIELDS THORSTEN KLEINJUNG AND BENJAMIN WESOLOWSKI

Elliptic Curve Discrete Logarithm Problem

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Discrete Logarithm Problem

Improving NFS for the discrete logarithm problem in non-prime finite fields

Non-generic attacks on elliptic curve DLPs

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 )

Hyperelliptic curves

Arithmétique et Cryptographie Asymétrique

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Block Wiedemann likes Schirokauer maps

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Basic Algorithms in Number Theory

SM9 identity-based cryptographic algorithms Part 1: General

Introduction to Elliptic Curve Cryptography. Anupam Datta

Elliptic Curve Cryptography with Derive

Computing Individual Discrete Logarithms Faster in GF(p n ) with the NFS-DL Algorithm

The number field sieve in the medium prime case

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Mathematics of Cryptography

No.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such

Problème du logarithme discret sur courbes elliptiques

Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Computing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Basic Algorithms in Number Theory

CPSC 467b: Cryptography and Computer Security

Discrete Logarithm Computation in Hyperelliptic Function Fields

9 Knapsack Cryptography

IEEE P1363 / D9 (Draft Version 9). Standard Specifications for Public Key Cryptography

COMP4109 : Applied Cryptography

8 Elliptic Curve Cryptography

A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:

Calcul d indice et courbes algébriques : de meilleures récoltes

Lecture Notes, Week 6

An Introduction to Elliptic Curve Cryptography

Faster index calculus for the medium prime case Application to 1175-bit and 1425-bit finite fields

Lecture 6: Cryptanalysis of public-key algorithms.,

GENERATION OF RANDOM PICARD CURVES FOR CRYPTOGRAPHY. 1. Introduction

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

One can use elliptic curves to factor integers, although probably not RSA moduli.

Public-key Cryptography: Theory and Practice

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Lecture 7: ElGamal and Discrete Logarithms

Chapter 4 Finite Fields

CRYPTOGRAPHY AND NUMBER THEORY

A New Attack on RSA with Two or Three Decryption Exponents

A Las Vegas algorithm to solve the elliptic curve discrete logarithm problem

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Algorithms for integer factorization and discrete logarithms computation

Elliptic curves: Theory and Applications. Day 3: Counting points.

Quasi-reducible Polynomials

A variant of the F4 algorithm

The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem

Mathematics of Public Key Cryptography

Constructing Abelian Varieties for Pairing-Based Cryptography

IEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography

Rings. EE 387, Notes 7, Handout #10

Polynomials over finite fields. Algorithms and Randomness

MATH 3030, Abstract Algebra Winter 2012 Toby Kenney Sample Midterm Examination Model Solutions

Mathematical Foundations of Cryptography

Counting points on hyperelliptic curves

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

Selecting polynomials for the Function Field Sieve

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

RSA Cryptosystem and Factorization

Breaking pairing-based cryptosystems using η T pairing over GF (3 97 )

On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem

Public Key Algorithms

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Cullen Numbers in Binary Recurrent Sequences

Lecture 1: Introduction to Public key cryptography

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

Galois theory (Part II)( ) Example Sheet 1

Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)

TC10 / 3. Finite fields S. Xambó

Solving a 6120-bit DLP on a Desktop Computer

14 Ordinary and supersingular elliptic curves

REMARKS ON THE NFS COMPLEXITY

Parshuram Budhathoki FAU October 25, Ph.D. Preliminary Exam, Department of Mathematics, FAU

Cover Page. The handle holds various files of this Leiden University dissertation

CPSC 467: Cryptography and Computer Security

Elliptic Curve Cryptography

CPSC 467b: Cryptography and Computer Security

LECTURE NOTES IN CRYPTOGRAPHY

Transcription:

ECC, Chennai October 8, 2014 A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 Emmanuel Thomé 2 IMJ-PRG, Paris Loria, Nancy LIP6, Paris R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 0 / 28

Context The discrete logarithm problem (DLP) In a cyclic group G, given a generator g and an element g a, FIND a. We can search the smallest positive integer solution a or, more common, the residue of a modulo a prime factor l of #G. Choices for G 1. elliptic curves (estimated of exponential difficulty); 2. multiplicative group of finite fields (subexponential) 2.1 small characteristic, e.g. F 2 n and F 3 n, 2.2 non-small characteristic, e.g. F p and F p 2 Example When G = (F p ), given two integers g and h, if it exists, FIND x in g x h mod p. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 1 / 28

Motivation factorization same complexity discrete log. in F p analogous pairings inversion over F 2 n relies on relies on discrete log. in F 2 n elliptic curves discrete log. over F 2 n F Q is the field of Q elements, Q prime power. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 2 / 28

Shanks baby-step giant-step algorithm Let K N and write the discrete log of x as x = x 0 + K x 1, with 0 x 0 < K and 0 x 1 < N/K. Algorithm 1. Compute Baby Steps: For all i in [0, K 1], compte g i. Store in a hash table the resulting pairs (g i, i). 2. Compute Giant Steps: For all j in [0, N/K ], compute hg Kj. If the resulting element is in the BS table, then get the corresponding i, and return x = i + Kj. Theorem Discrete logarithms in a cyclic group of order N can be computed in less than 2 N operations. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 3 / 28

Shanks baby-step giant-step algorithm Let K N and write the discrete log of x as x = x 0 + K x 1, with 0 x 0 < K and 0 x 1 < N/K. Algorithm 1. Compute Baby Steps: For all i in [0, K 1], compte g i. Store in a hash table the resulting pairs (g i, i). 2. Compute Giant Steps: For all j in [0, N/K ], compute hg Kj. If the resulting element is in the BS table, then get the corresponding i, and return x = i + Kj. Theorem Discrete logarithms in a cyclic group of order N can be computed in less than 2 N operations. Multiplicative group of finite fields is not a generic groups! R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 3 / 28

History For two constatnts α [0, 1] and c > 0, we put ) L Q (α, c) = exp (c + o(1))(log Q) α (log log Q) 1 α Put n = log Q. L Q (0) = n O(1) i.e. polynomial; L Q (1) = 2 O(n) i.e. exponential; L Q (1/2) 2 n ; DLP algorithms invented in 1979 1994. L Q (1/3) 2 3 n ; DLP algorithms invented in 1984 2006. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 4 / 28

Smoothness Definition A polynomial in F q [t] is m-smooth if it factors into polynomials of degree less than or equal to m. Computation One can test if a polynomial is smooth by factoring it (probabilistic polynomial). Theorem (Panario Gourdon Flajolet) The probability that a degree-n polynomial is m-smooth is 1/u u(1+o(1)) where u = n m. Cases: n = D, m = D/6 gives a constant probability; n = D, m = 1 gives a probability 1/D! 1/D D. n = log q L x (α, ), m = log q L x (β, ) gives a probability of 1/L x (α β, ); R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 5 / 28

Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ t 7 2(t + 2)(t + 1)(t + 1) mod ϕ R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ t 7 2(t + 2)(t + 1)(t + 1) mod ϕ The last relation gives: 7 log g t log g 2 + 1 log g (t + 2) + 2 log g (t + 1) mod 11 R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ t 7 2(t + 2)(t + 1)(t + 1) mod ϕ The last relation gives: 7 log g t 1 log g (t + 2) + 2 log g (t + 1) mod 11 Proposition If a F q and l is a factor of q k 1 coprime to (q 1), then log a 0 mod l. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

Obtaining relations The finite field F q k is represented as F q [t]/ϕ for an irreducible polynomial ϕ F q [t] of degree k. Example Take q = 3, k = 5, ϕ = t 5 + t 4 + 2t 3 + 1, g = t F 3 5. We have t 5 2(t + 1)(t 3 + t 2 + 2t + 1) mod ϕ t 6 2(t 2 + 1)(t 2 + t + 2) mod ϕ The last relation gives: t 8... 7 log g t 1 log g (t + 2) + 2 log g (t + 1) mod 11 8 log g (t + 1) = 1 log g (t + 2) mod 11 9 log g (t + 2) = 2 log g t mod 11 We find log g (t + 1) 158 mod 11 and log g (t + 2) 54 mod 11. Proposition If a F q and l is a factor of q k 1 coprime to (q 1), then log a 0 mod l. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 6 / 28

Descent Example (cont d) Let us compute log g P for an arbitrary polynomial, say P = t 4 + t + 2. We have P 2 t 4 + t 3 + 2t 2 + 2t + 2 mod ϕ P 3 2(t + 1)(t + 2)(t 2 + 1) mod ϕ P 4 (t + 1)(t + 2)t 2 mod ϕ. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 7 / 28

Descent Example (cont d) Let us compute log g P for an arbitrary polynomial, say P = t 4 + t + 2. We have P 2 t 4 + t 3 + 2t 2 + 2t + 2 mod ϕ P 3 2(t + 1)(t + 2)(t 2 + 1) mod ϕ P 4 (t + 1)(t + 2)t 2 mod ϕ. By taking discrete logarithms we obtain So log g P = 114. 4 log g P = 1 log g (t + 1) + 1 log g (t + 2) + 2 log g t. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 7 / 28

Discrete logarithms of constants Here l is a prime factor of the group order q k 1, larger than q 1. Elements of F q Elements of F q F q k a q 1 = 1, so we have Hence, are represented in F q [t]/ ϕ by constants a. They satisfy log g (a q 1 ) log g (1) 0 mod l. Since l is prime and larger than q 1, (q 1) log g a 0 mod l. log g a 0 mod l. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 8 / 28

Comments Index calculus family All L(1/2) and L(1/3) DLP algorithms follow the same scheme (of Kraitchik 1922): Relation collection; Linear algebra to get logs of factor base elements; Individual log, to handle any element. New algorithms Joux s L(1/4) algorithm still uses this terminology (but very different in nature). Quasi-polynomial time algorithm: it s time to stop speaking about factor base! R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 9 / 28

Records for fields F 2 n with prime n Let us compare to the factoring record: 768 bits in 2009. FFS is the choice in practice, and its variants Coppersmith (inseparable polynomials); Two rational sides FFS (Joux-Lercier). GIPS=giga instructions per second n date GIPS year algo. author 401 1992 0.2 Copp. Gordon,McCurley 512 1 2002 0.4 FFS Joux,Lercier 607 2002 20 Copp. Thomé 607 2005 1.6 FFS Joux,Lercier 613 2005 1.6 FFS Joux,Lercier 619 2012 0 FFS Caramel 809 2013 16 FFS Caramel 1 Using the same algorithm as for prime degrees. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 10 / 28

Records for fields F 2 n with prime n Let us compare to the factoring record: 768 bits in 2009. FFS is the choice in practice, and its variants Coppersmith (inseparable polynomials); Two rational sides FFS (Joux-Lercier). GIPS=giga instructions per second n date GIPS year algo. author 401 1992 0.2 Copp. Gordon,McCurley 512 1 2002 0.4 FFS Joux,Lercier 607 2002 20 Copp. Thomé 607 2005 1.6 FFS Joux,Lercier 613 2005 1.6 FFS Joux,Lercier 619 2012 0 FFS Caramel 809 2013 16 FFS Caramel The Caramel group completed the relation collection stage for n = 1039 with a computation of 384 GIPS years. Linear algebra must be adapted to larger sizes. 1 Using the same algorithm as for prime degrees. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 10 / 28

Composite degrees n Motivation To attack pairing-based cryptosystems, one can solve DLP in fields F p κn constant c 1. The security of pairings is evaluated under the hypothesis for a small DLP in F p n is equally hard when n is prime or composite. Theorem (Joux & Lercier 2006) Under the same assumptions as in the classical variante of FFS, if n has a small factor κ, then one can speed up 1. the relations collection phase by a factor κ; 2. the linear algebra stage by a factor κ 2. Joux-Lercier improvement in practice Two teams computed discrete logs in F 3 6n (pairings): a 2010 record for n = 71 (676 bits) using κ = 6; cost 14 GIPS year. a 2012 record for n = 97 (923 bits) using κ = 3; cost 290 GIPS years. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 11 / 28

Complexity improvements in 2013 for small characteristic Linear polynomials One computes discrete logs. of linear polynomials in polynomial time. Göloğlu, Granger, McGuire and Zumbrägel; Joux. Expressing log P as a sum of logs. of linear polynomials dominates the computations. Any polynomial Joux: L Q (1/4 + o(1)) operations; (this work): quasi-polynomial L Q (o(1)) operations. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 12 / 28

Main result Theorem (based on heuristics) Let K be any finite field F q k. A discrete logarithm in K can be computed in heuristic time max(q, k) O(log k). Cases: K = F 2 n, with prime n. Complexity is n O(log n). Much better than L 2 n(1/4 + o(1)) 2 4 n. K = F q k, with q = k O(1). Complexity is log Q O(log log Q), where Q = #K. Again, this is L Q (o(1)). K = F q k, with q L q k(α). Complexity is L q k(α + o(1)), i.e. better than Joux-Lercier or FFS for α < 1/3. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 13 / 28

A well-chosen model for F q 2k Simple case first We suppose first k q and k q + 2. Choosing ϕ (same as for Joux algorithm) Try random h 0, h 1 F q 2[t] with deg h 0, deg h 1 2 until T (t) := h 1 (t)t q h 0 (t) has an irreducible factor ϕ of degree k. Heuristic The existence of h 0 and h 1 is heuristic, but found in practice in O(k) trials. Properties of ϕ h 1 (t)t q h 0 (t) mod ϕ; ( ) P(t q h ) P 0 h 1 mod ϕ; ( ) h 0 h 1 P q P(t q ) P mod ϕ, where the tilde denotes the conjugation in F q 2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 14 / 28

A famous identity Recall the identity x q x = α F q (x α). We further have x q y xy q = (α:β) P 1 (F q )(βx αy). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 15 / 28

A famous identity Recall the identity x q x = α F q (x α). We further have x q y xy q = (α:β) P 1 (F q )(βx αy). A machine to make relations x = t and y = 1: h 0 /h 1 t t q t α F q (t α). If the numerator of the left hand side is smooth, we obtain relations among linear polynomials. x = t + a, a F q, and y = 1: same relation. x = t + a, a F q 2, and y = 1: new relations. Joux algorithm uses this idea. Let P be the polynomial whose logarithm is requested. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 15 / 28

A famous identity Recall the identity x q x = α F q (x α). We further have x q y xy q = (α:β) P 1 (F q )(βx αy). A machine to make relations x = t and y = 1: h 0 /h 1 t t q t α F q (t α). If the numerator of the left hand side is smooth, we obtain relations among linear polynomials. x = t + a, a F q, and y = 1: same relation. x = t + a, a F q 2, and y = 1: new relations. Joux algorithm uses this idea. Let P be the polynomial whose logarithm is requested. x = ap + b and y = cp + d, a, b, c, d F q 2: let us show that the left side is congruent to a small degree polynomial, whereas the right hand side is smooth in some new sense. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 15 / 28

The right hand side is smooth (ap + b) q (cp + d) (ap + b)(cp + d) q = = = λ (α,β) P 1 (F q) (α,β) P 1 (F q) (α,β) P 1 (F q) β(ap + b) α(cp + d) ( cα + aβ)p (dα bβ) ( P ) dα bβ, aβ cα Here q + 1 out of the q 2 + 1 elements of {1} {P + γ : γ F q 2} occur. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 16 / 28

The left hand side is small For m GL 2 (F q 2), let L m be the residue L m := h deg P 1 ( (ap + b) q (cp + d) (ap + b)(cp + d) q) mod ϕ(t). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 17 / 28

The left hand side is small For m GL 2 (F q 2), let L m be the residue L m := h deg P 1 ( (ap + b) q (cp + d) (ap + b)(cp + d) q) mod ϕ(t). We have deg L m 3 deg P. Indeed, we have L m = h deg P 1 (ã P(t q ) + b)(cp + d) (ap(t) + b)( c P(t q ) + d) ( ( ) ) ( ( ) ) = h deg P h0 h0 1 ã P + b (cp + d) (ap + b) c P + d. h 1 h 1 For a constant proportion of matrices m, L m is (deg P)/2-smooth. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 17 / 28

Procedure to break a polynomial P Each matrix m in the quotient set P q := PGL 2 (F q 2)/PGL 2 (F q ) such that L m is (deg P)/2-smooth leads to a different equation P e i,m i,m = λ (P + γ) vm(γ), where deg P i (deg P)/2; v m (γ) are integer exponents; λ is a costant in F q 2. i γ P 1 (F q 2) By taking discrete logarithm we find e i,m log P i,m γ i v m (γ) log(p + γ) mod l. Heuristic We have enough equations and we can combine them to obtain e i,m log P i,m log P mod l. i,m R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 18 / 28

Linear algebra step for P Since #PGL 2 (F q i) = q 3i q i, #P q = q 3 + q. A constant fraction give linear equations among logarithms, so the matrix below has more rows than columns. γ F q 2 m P q v m (γ) The heuristic states that we can combine the rows to obtain row (1, 0,..., 0). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 19 / 28

Arguments in favor of the heuristic Experiments The discriminant of matrices obtained for various polynomials P have no systematic common factor other than the divisors of q 3 q. The heuristic is used in the algorithm of Joux for degree two polynomials. For random instances of P, every randomly chosen matrix formed of q 2 + 1 rows has maximal rank. Theory The full matrix of q 3 + q rows has maximal rank. We use the fact that there are a fixed number c 1 of blocks passing by each point of F q 2; there are a fixed number c 2 of blocks passing by two points. Does the matrix formed of a constant fraction of rows have maximal rank? R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 20 / 28

Building block of the quasi-polynomial algorithm We have just proved: Proposition (Under heuristic assumptions) There exists an algorithm whose complexity is polynomial in q and k and which can be used for the following two tasks. 1. Given an element of F q 2k represented by a polynomial P F q 2[t] with 2 deg P k 1, the algorithm returns an expression of log P as a linear combination of at most O(kq 2 ) logarithms log P i with deg P i 1 2 deg P and of log h 1. 2. The algorithm returns the logarithm of h 1 and the logarithms of all the elements of F q 2k of the form t + a, for a in F q 2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 21 / 28

Complexity P deg = k deg = k/2............ deg = k/4.......................... deg = 1 Tree characteristics depth=log k because we half the degree at each level; arity=o(q 2 k) because the sons are polynomials in the LHS of the q 2 equations used; number of nodes=q O(log k) because k q + 2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 22 / 28

Extending to the general case When q < k 2 we embed F q k in F q 2k with q = q log q k. The complexity q O(log k) transforms into max(q, k) O(log k). Note that q qk. The input size n is replaced by n log n. For any constant c ) ) ) exp (c(log n) 2 exp (c(log n + log log n) 2 = exp ((c + o(1))(log n) 2. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 23 / 28

Extending to the general case When q < k 2 we embed F q k in F q 2k with q = q log q k. The complexity q O(log k) transforms into max(q, k) O(log k). Note that q qk. The input size n is replaced by n log n. For any constant c ) ) ) exp (c(log n) 2 exp (c(log n + log log n) 2 = exp ((c + o(1))(log n) 2. Example 1. For F 2 1003 we compute logs in F 1024 2 1003 = F 2 20060. 2. The field F 3 6 509 can be embedded in F q 2k with q = 3 6 and k = 509. Fields of composite degree (specific to pairings) embed in small fields. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 23 / 28

Hardness of DLP with respect to the size of characteristic ( ) The complexity of QPA when q = L q k(α) is L q k α + o(1) RSA 0 1/3 2/3 1 α R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 24 / 28

The traps of Cheng Wan Zhuang Trap In reaction to our preprint, Cheng, Wan and Zhuang noticed that our descent fails on divisors of h 1 t q h 0. Indeed, if P is such a divisor we cannot find relations i P e i,m i,m = λ γ P 1 (F q 2) (P + γ) v m(γ) mod (h 1 t q h 0 ), containing P in the RHS. Indeed, it forces P to occur in the LHS too, so it cannot be (deg P)/2-smooth. Our solution We have h D 1 P q h D 1 P(h 0 /h 1 ) mod x q h 1 h 0. The RHS is always divisible by P (it is problematic). Taking logs, we get D log h 1 + (q 1) log P = log Q, where Q is the RHS divided by P. In general, P Q, and, if deg h 0, h 1 2, then deg Q D. So we have related log P to other logarithms, and the descent can continue. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 25 / 28

Very weak fields Assume that k = q 1 (same is true for q + 1 and q). For many values of q we can take h 1 = 1 and h 0 = Ax for some generator A of F q 2. Then ϕ = x q 1 A. Then, for any a F q 2, we have (x + a) q = x q + ã = x q 1 x + ã = A(x + ã/a), where ã is the Frobenius conjugate of a. We obtain q log(x + a) = log(x + ã/a). Hence we can reduce the factor base by a factor k. For example for 2 6168, the linear algebra time was accelerated by k 2 = 66049. Remark The smoothness probabilities are improved. For example, The proportion of matrices m P q which produce relations for the linear polynomials is 1/6! = 1/620 when max(deg h 0, deg h 1 ) = 2 and it is 1/3! for the weak case (Kummer). R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 26 / 28

Records Algorithms in practice 1. relations collection (degree one and two): variants of GGMZ or Joux algorithm; 2. descent (degree three and more): variants of Joux algorithm. No QPA descent yet. Kummer and twisted Kummer extensions field bitsize date CPU time author GF(2 24 255 ) 6120 Apr 13 0.7k h GGMZ GF((2 24 257 ) 6168 May 13 0.5k h J GF(2 18 513 ) 9234 Jan 14 400k h GKZ General extensions of composite degree field bitsize date CPU time author GF(3 6 137 ) 1303 Jan 14 1k h AMOR GF(2 12 367 ) * 4404 Jan 14 52k h GKZ GF(3 5 479 ) 3796 Aug 14 9k h JP * using a non-general speed-up: target elements in a subfield. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 27 / 28

Consequences and perspectives Consequences DLP in small characteristic finite fields is asymptotically weak. Small characteristic pairings are broken for the sizes proposed for cryptography. Perspectives even more practical improvements and records; eliminating the heuristics (a new quasi-polynomial algorithm was proposed by Granger, Kleinjung and Zumbrägel)(next talk); improvements in non-small characteristic: multiple field variants, new methods of polynomial selection. R. Barbulescu, P. Gaudry, A. Joux, E. Thomé A quasi-polynomial algorithm 28 / 28

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback