Advertisement

Designs, Codes and Cryptography

, Volume 1, Issue 1, pp 47–62 | Cite as

Computation of discrete logarithms in prime fields

  • B. A. LaMacchia
  • A. M. Odlyzko
Article

Abstract

The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF(p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested.

Keywords

Data Structure Information Theory Discrete Geometry Finite Field File System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Adleman, L.M. (forthcoming). Factoring numbers using singular integers. Proc. 23rd ACM Symp. Theory of Computing.Google Scholar
  2. Barrett, P. 1987. Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor. Advances in Cryptology: Proceedings of Crypto '86, (A.M. Odlyzko, ed.), Lecture Notes in Computer Science 263, New York: Springer-Verlag, pp. 311–323.Google Scholar
  3. Bauspiess, F., and Knobloch, H.-J. 1990. How to keep authenticity alive in a computer network. Advances in Cryptology: Proceedings of Eurocrypt '89, (J.-J. Quisquater, J. Vandewalle, eds.), Lecture Notes in Computer Science 434, New York: Springer-Verlag, pp. 38–46.Google Scholar
  4. Beth, T. 1988. Efficient zero-knowledge identification scheme for smart cards. Advances in Cryptology: Proceedings of Eurocrypt '88, (C.G. Günther, ed.), Lecture Notes in Computer Science 330, New York: Springer-Verlag, pp. 77–84.Google Scholar
  5. Blake, I.F., Fuji-Hara, R., Mullin, R.C., and Vanstone, S.A. 1984. Computing logarithms in fields of characteristic two. SIAM J. Alg. Disc. Methods 5: 276–285.Google Scholar
  6. Bos, J., and Coster, M. 1990. Addition chain heuristics. Advances in Cryptology: Proceedings of Crypto '89, (G. Brassard, ed.), Lecture Notes in Computer Science 435, New York: Springer-Verlag, pp. 400–407.Google Scholar
  7. Brandt, J., Damgard, I., Landrock, P., and Pedersen, T. 1989. Zero-knowledge authentication scheme with secret key exchange. Advances in Cryptology: Proceedings of Crypto '88, (S. Goldwasser, ed.), Lecture Notes in Computer Science 403, New York: Springer-Verlag, pp. 583–588.Google Scholar
  8. Brickell, E.F. 1990. A survey of hardware implementations of RSA (Abstract). Advances in Cryptology: Proceedings of Crypto '89, (G. Brassard, ed.), Lecture Notes in Computer Science 435, New York: Springer-Verlag, pp. 368–370.Google Scholar
  9. Brickell, E.F., and McCurley, K.S. (forthcoming). An interactive identification scheme based on discrete logarithms and factoring. Advances in Cryptology: Proceedings of Eurocrypt '90, (I. Damgard, ed.), Lecture Notes in Computer Science, New York: Springer-Verlag.Google Scholar
  10. Coppersmith, D. 1984. Fast evaluation of discrete logarithms in fields of characteristic two. IEEE Transactions on Information Theory 30: 587–594.Google Scholar
  11. Coppersmith, D. (forthcoming). Modifications to the number field sieve. J. Cryptology.Google Scholar
  12. Coppersmith, D., Odlyzko, A., and Schroeppel, R. 1986. Discrete logarithms in GF(p). Algorithmica 1: 1–15.Google Scholar
  13. Denning, D., and Sacco, G. 1981. Timestamps in key distribution protocols. Communications of the ACM 24: 533–536.Google Scholar
  14. Diffie, W., and Hellman, M. 1976. New directions in cryptography. IEEE Transactions on Information Theory 22: 472–492.Google Scholar
  15. ElGamal, T. 1985. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31: 469–472.Google Scholar
  16. ElGamal, T. 1985. A subexponential-time algorithm for computing discrete logarithms over GF(p 2). IEEE Transactions on Information Theory 31: 473–481.Google Scholar
  17. Fiat, A., and Shamir, A. 1987. How to prove yourself: practical solution to identification and signature problems. Advances in Cryptology: Proceedings of Crypto '86, (A.M. Odlyzko, ed.), Lecture Notes in Computer Science 263, New York: Springer-Verlag, pp. 186–199.Google Scholar
  18. Gordon, D.M. (forthcoming). Discrete logarithms in GF(p) using the number field sieve.Google Scholar
  19. Guillou, L.C., and Quisquater, J.-J., 1989. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. Advances in Cryptology: Proceedings of Eurocrypt '88, (C. Günther, ed.), Lecture Notes in Computer Science 330, New York: Springer-Verlag, pp. 127–141.Google Scholar
  20. Günther, C.G. 1990. An identity-based key-exchange protocol. Advances in Cryptology: Proceedings of Eurocrypt '89, (J.-J. Quisquater, J. Vandewalle, eds.), Lecture Notes in Computer Science 434, New York: Springer-Verlag, pp. 29–37.Google Scholar
  21. Knuth, D.E. 1981. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms. (2nd ed.), Reading, MA: Addison-Wesley.Google Scholar
  22. Koblitz, N. 1987. Elliptic curve cryptosystems. Math. Comp. 48: 203–209.Google Scholar
  23. Koyama, K., and Ohta, K. 1988. Identity-based conference key distribution systems. Advances in Cryptology: Proceedings of Crypto '87, (C. Pomerance, ed.), Lecture Notes in Computer Science 293, New York: Springer-Verlag, pp. 175–194.Google Scholar
  24. LaMacchia, B.A., and Odlyzko, A.M. (forthcoming). Solving large sparse linear systems over finite fields, Advances in Cryptology: Proceedings of Crypto '90, (A. Menezes, S. Vanstone, eds.), Lecture Notes in Computer Science, New York: Springer-Verlag.Google Scholar
  25. Lenstra, A.K., Lenstra, H.W. Jr., Manasse, M.S., and Pollard, J.M. 1990. The number field sieve. Proc. 22nd ACM Symp. Theory of Computing, 564–572.Google Scholar
  26. Lenstra, A.K., and Manasse, M.S. 1990. Factoring by electronic mail. Advances in Cryptology: Proceedings of Eurocrypt '89, (J.-J. Quisquater, J. Vandewalle, eds.), Lecture Notes in Computer Science 434, New York: Springer-Verlag, pp. 355–371.Google Scholar
  27. Lenstra, A.K., and Manasse, M.S. (forthcoming). Factoring with two large primes. Advances in Cryptology: Proceedings of Eurocrypt '90, (I. Damgard, ed.), Lecture Notes in Computer Science, New York: Springer-Verlag.Google Scholar
  28. McCurley, K.S. (forthcoming). The discrete logarithm problem. In Cryptography and Computational Number Theory, (C. Pomerance, ed.), Proc. Symp. tAppl. Math. 42, Amer. Math. Soc., 1990, pp. 49–74.Google Scholar
  29. Menezes, A., Vanstone, S., and Okamoto, T. (forthcoming). Reducing elliptic curve logarithms to logarithms in a finite field. Proc. 23rd ACM Symp. Theory of Computing.Google Scholar
  30. Micali, S., and Shamir, A. 1989. An improvement of the Fiat-Shamir identification and signature scheme. Advances in Cryptology: Proceedings of Crypto '88, (S. Goldwasser, ed.), Lecture Notes in Computer Science 403, New York: Springer-Verlag, pp. 244–247.Google Scholar
  31. Miller, V. 1986. Use of elliptic curves in cryptography. Advances in Cryptology: Proceedings of Crypto '85, (H.C. Williams, ed.), Lecture Notes in Computer Science 218, New York: Springer-Verlag.Google Scholar
  32. Montgomery, P.L. 1985. Modular multiplication without trial division. Math. Comp. 44: 519–521.Google Scholar
  33. Needham, R., and Schroeder, M. 1978. Using encryption for authentication in large networks of computers. Comm. ACM 21: 993–999.Google Scholar
  34. Odlyzko, A.M. 1985. Discrete logarithms in finite fields and their cryptographic significance. Advances in Cryptology: Proceedings of Eurocrypt '84, (T. Beth, N. Cot, I. Ingemarsson, eds.), Lecture Notes in Computer Science 209, New York: Springer-Verlag, pp. 224–314.Google Scholar
  35. Okamoto, E. 1988. Key distribution systems based on identification information. Advances in Cryptology: Proceedings of Crypto '87, (C. Pomerance, ed.), Lecture Notes in Computer Science 293, New York: Springer-Verlag, pp. 194–202.Google Scholar
  36. Okamoto, E., and Tanaka, K. 1989. Key distribution system based on identification information. IEEE J. Selected Areas Commun. SAC-7: 481–485.Google Scholar
  37. Pollard, J.M. 1988. Factoring with cubic integers (parts I and II). Unpublished manuscripts, August 1988 and December 1988.Google Scholar
  38. Schnorr, C.P. 1990. Efficient identification and signatures for smart cards. Advances in Cryptology: Proceedings of Crypto '89, (G. Brassard, ed.), Lecture Notes in Computer Science 435, New York: Springer-Verlag, pp. 239–251.Google Scholar
  39. Taylor, B., and Goldberg, D. 1986. Secure networking in the Sun environment. Proc. USENIX Assoc. Summer Conference, Atlanta, pp. 28–37.Google Scholar
  40. Tsujii, S., and Itoh, T. 1989. An ID-based cryptosystem based on the discrete logarithm problem. IEEE J. Selected Areas Comm. SAC-8: 467–473.Google Scholar

Copyright information

© Kluwer Academic Publishers 1991

Authors and Affiliations

  • B. A. LaMacchia
    • 1
  • A. M. Odlyzko
    • 2
  1. 1.Massachusetts Institute of TechnologyCambridgeUSA
  2. 2.AT&T Bell LaboratoriesMurray HillUSA

Personalised recommendations