A Kilobit Hidden SNFS Discrete Logarithm Computation

  • Joshua Fried
  • Pierrick Gaudry
  • Nadia Heninger
  • Emmanuel Thomé
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10210)


We perform a special number field sieve discrete logarithm computation in a 1024-bit prime field. To our knowledge, this is the first kilobit-sized discrete logarithm computation ever reported for prime fields. This computation took a little over two months of calendar time on an academic cluster using the open-source CADO-NFS software.

Our chosen prime p looks random, and \(p-1\) has a 160-bit prime factor, in line with recommended parameters for the Digital Signature Algorithm. However, our p has been trapdoored in such a way that the special number field sieve can be used to compute discrete logarithms in \(\mathbb {F}_p^*\), yet detecting that p has this trapdoor seems out of reach. Twenty-five years ago, there was considerable controversy around the possibility of backdoored parameters for DSA. Our computations show that trapdoored primes are entirely feasible with current computing technology. We also describe special number field sieve discrete log computations carried out for multiple conspicuously weak primes found in use in the wild.

As can be expected from a trapdoor mechanism which we say is hard to detect, our research did not reveal any trapdoored prime in wide use. The only way for a user to defend against a hypothetical trapdoor of this kind is to require verifiably random primes.


Prime Ideal Discrete Logarithm Descent Step Individual Logarithm Digital Signature Algorithm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We are grateful to Paul Zimmermann for numerous discussions all along this work. Rafi Rubin performed invaluable system administration for the University of Pennsylvania cluster. Shaanan Cohney and Luke Valenta contributed to sieving for the 784-bit SNFS-DL computation. Part of the experiments presented in this paper were carried out using the Grid’5000 testbed, supported by a scientific interest group hosted by Inria and including CNRS, RENATER and several Universities as well as other organizations. We are grateful to Cisco for donating the Cisco UCS hardware that makes up most of the University of Pennsylvania cluster. Ian Goldberg donated time on the CrySP RIPPLE Facility at the University of Waterloo and Daniel J. Bernstein donated time on the Saber cluster at TU Eindhoven for the 784-bit SNFS-DL computation. This work was supported by the U.S. National Science foundation under grants CNS-1513671, CNS-1505799, and CNS-1408734, and a gift from Cisco.


  1. 1.
    (author redacted): Eurocrypt ’92 reviewed. Cryptolog, March 1994.
  2. 2.
    Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Béguelin, S.Z., Zimmermann, P.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015: 22nd Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015, pp. 5–17. ACM Press (2015)Google Scholar
  3. 3.
    Aoki, K., Franke, J., Kleinjung, T., Lenstra, A.K., Osvik, D.A.: A kilobit special number field sieve factorization. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 1–12. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-76900-2_1 CrossRefGoogle Scholar
  4. 4.
    Ball, J., Borger, J., Greenwald, G.: Revealed: how US and UK spy agencies defeat internet privacy and security. The Guardian, 5 September 2013.
  5. 5.
    Barbulescu, R.: Algorithmes de logarithmes discrets dans les corps finis. Ph.D. thesis, Université de Lorraine, France (2013)Google Scholar
  6. 6.
    Barker, E., Roginsky, A.: Transitions: recommendation for transitioning the use of cryptographic algorithms and key lengths. Technical report, National Institute of Standards and Technology (2011).
  7. 7.
    Beckerman, B., Labahn, G.: A uniform approach for the fast computation of matrix-type Padé approximants. SIAM J. Matrix Anal. Appl. 15(3), 804–823 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Bernstein, D.J., Chou, T., Chuengsatiansup, C., Hülsing, A., Lambooij, E., Lange, T., Niederhagen, R., van Vredendaal, C.: How to manipulate curve standards: a white paper for the black hat In: Chen, L., Matsuo, S. (eds.) SSR 2015. LNCS, vol. 9497, pp. 109–139. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-27152-1_6 CrossRefGoogle Scholar
  9. 9.
    Checkoway, S., Fredrikson, M., Niederhagen, R., Everspaugh, A., Green, M., Lange, T., Ristenpart, T., Bernstein, D.J., Maskiewicz, J., Shacham, H.: On the practical exploitability of Dual EC in TLS implementations. In: Fu, K. (ed.) Proceedings of USENIX Security 2014, pp. 319–335. USENIX, August 2014Google Scholar
  10. 10.
    Checkoway, S., Maskiewicz, J., Garman, C., Fried, J., Cohney, S., Green, M., Heninger, N., Weinmann, R.-P., Rescorla, E., Shacham, H.: A systematic analysis of the juniper dual EC incident. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016: 23rd Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 468–479. ACM Press (2016)Google Scholar
  11. 11.
    Commeine, A., Semaev, I.: An algorithm to solve the discrete logarithm problem with the number field sieve. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 174–190. Springer, Heidelberg (2006). doi: 10.1007/11745853_12 CrossRefGoogle Scholar
  12. 12.
    Coppersmith, D.: Modifications to the number field sieve. J. Cryptol. 6(3), 169–180 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Coppersmith, D.: Solving linear equations over GF(2) via block Wiedemann algorithm. Math. Comp. 62(205), 333–350 (1994)MathSciNetzbMATHGoogle Scholar
  14. 14.
    Denis, T.S.: LibTomCrypt.
  15. 15.
    Desmedt, Y., Landrock, P., Lenstra, A.K., McCurley, K.S., Odlyzko, A.M., Rueppel, R.A., Smid, M.E.: The Eurocrypt’92 controversial issue trapdoor primes and moduli. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 194–199. Springer, Heidelberg (1993). doi: 10.1007/3-540-47555-9_17 Google Scholar
  16. 16.
    Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., Halderman, J.A.: A search engine backed by internet-wide scanning. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015: 22nd Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015, pp. 542–553. ACM Press (2015)Google Scholar
  17. 17.
    Enge, A., Gaudry, P., Thomé, E.: An \({L}(1/3)\) discrete logarithm algorithm for low degree curves. J. Cryptol. 24(1), 24–41 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Friedl, M., Provos, N., de Raadt, T., Steves, K., Miller, D., Tucker, D., McIntyre, J., Rice, T., Lindstrom, B.: Announce: OpenSSH 7.0 released, August 2015.
  19. 19.
    Gillmor, D.K.: Negotiated FFDHE for TLS, August 2016.
  20. 20.
    Giorgi, P., Lebreton, R.: Online order basis algorithm and its impact on the block Wiedemann algorithm. In: ISSAC 2014, pp. 202–209. ACM (2014)Google Scholar
  21. 21.
    Gordon, D.M.: Designing and detecting trapdoors for discrete log cryptosystems. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 66–75. Springer, Heidelberg (1993). doi: 10.1007/3-540-48071-4_5 CrossRefGoogle Scholar
  22. 22.
    Gordon, D.M.: Discrete logarithms in GF\((p)\) using the number field sieve. SIAM J. Discret. Math. 6(1), 124–138 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Joux, A., Lercier, R.: Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the gaussian integer method. Math. Comp. 72(242), 953–967 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Joux, A., Pierrot, C.: Nearly sparse linear algebra and application to discrete logarithms computations. In: Canteaut, A., Effinger, G., Huczynska, S., Panario, D., Storme, L. (eds.) Contemporary Developments in Finite Fields and Applications, pp. 119–144. World Scientific Publishing Company, Singapore (2016)CrossRefGoogle Scholar
  25. 25.
    Juniper Networks: 2015–12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756), December 2015Google Scholar
  26. 26.
    Kaltofen, E.: Analysis of Coppersmith’s block Wiedemann algorithm for the parallel solution of sparse linear systems. Math. Comp. 64(210), 777–806 (1995)MathSciNetzbMATHGoogle Scholar
  27. 27.
    Kleinjung, T., et al.: Factorization of a 768-bit RSA modulus. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 333–350. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14623-7_18 CrossRefGoogle Scholar
  28. 28.
    Kleinjung, T., Diem, C., Lenstra, A.K., Priplata, C., Stahlke, C.: Discrete logarithms in GF(p) - 768 bits. E-mail on the NMBRTHRY mailing list, 16 June 2016Google Scholar
  29. 29.
    Kolkman, O.M., Mekking, W.M., Gieben, R.M.: DNSSEC Operational Practices, Version 2. RFC 6781, Internet Society, December 2012Google Scholar
  30. 30.
    Larson, J., Perlroth, N., Shane, S.: Revealed: the NSA’s secret campaign to crack, undermine internet security. ProPublica, 5 September 2013.
  31. 31.
    Lenstra, A.K.: Constructing trapdoor primes for the proposed DSS. Technical report (1991).
  32. 32.
    Lenstra, A.K., Lenstra Jr., H.W. (eds.): The Development of the Number Field Sieve. LNM, vol. 1554. Springer, Heidelberg (1993)zbMATHGoogle Scholar
  33. 33.
    Lepinski, M., Kent, S.: Additional Diffie-Hellman groups for use with IETF standards (2010).
  34. 34.
    Lim, C.H., Lee, P.J.: Generating efficient primes for discrete log cryptosystems (2006).
  35. 35.
    Matyukhin, D.V.: On asymptotic complexity of computing discrete logarithms over \({GF}(p)\). Discret. Math. Appl. 13(1), 27–50 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)zbMATHGoogle Scholar
  37. 37.
    Murphy, B.A.: Polynomial selection for the number field sieve integer factorisation algorithm. Ph.D. thesis, Australian National University (1999)Google Scholar
  38. 38.
    National Institute of Standards and Technology: Supplemental ITL bulletin for september 2013:NIST opens draft special publication 800–90A, recommendation for random number generation using deterministic random bit generators, for review and comment.
  39. 39.
    National Institute of Standards and Technology: Examples for NIST 800–56A (2006).
  40. 40.
    National Institute of Standards and Technology: Digital signature standard (DSS, FIPS-186-4). Fourth revision (2013)Google Scholar
  41. 41.
    National Institute of Standards and Technology: Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography, SP 800–56A, Second revision (2013)Google Scholar
  42. 42.
    Orman, H.: The Oakley key determination protocol. RFC 2412, November 1998Google Scholar
  43. 43.
    Perlroth, N., Larson, J., Shane, S.: N.S.A. able to foil basic safeguards of privacy on Web. The New York Times, 5 September 2013.
  44. 44.
    Pomerance, C.: Analysis and comparison of some integer factoring algorithms. In: Lenstra Jr., H.W., Tijdeman, R. (eds.) Computational Methods in Number Theory Mathematical Center Tracts, vol. 154, pp. 89–140. Mathematisch Centrum, Amsterdam (1982)Google Scholar
  45. 45.
    Rivest, R., Hellman, M., Anderson, J.C., Lyons, J.W.: Responses to NIST’s proposal. CACM 35(7), 41–54 (1992)CrossRefGoogle Scholar
  46. 46.
    Schirokauer, O.: Discrete logarithms and local units. Philos. Trans. Roy. Soc. Lond. Ser. A 345(1676), 409–423 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  47. 47.
    Scott, M.: Re: NIST announces set of elliptic curves. sci.crypt newsgroup posting dated 1999/06/17.
  48. 48.
    Semaev, I.A.: Special prime numbers and discrete logs in finite prime fields. Math. Comput. 71(237), 363–377 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  49. 49.
    Smid, M.E., Branstad, D.K.: Response to comments on the NIST proposed digital signature standard. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 76–88. Springer, Heidelberg (1993). doi: 10.1007/3-540-48071-4_6 CrossRefGoogle Scholar
  50. 50.
  51. 51.
    The CADO-NFS Development Team: CADO-NFS, an implementation of the number field sieve algorithm. Development version (prior to release 2.3) (2016).
  52. 52.
    Thomé, E.: Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm. J. Symb. Comput. 33(5), 757–775 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  53. 53.
    Valenta, L., Adrian, D., Sanso, A., Cohney, S., Fried, J., Hastings, M., Halderman, J.A., Heninger, N.: The most dangerous groups in the world: exploiting DSA groups for Diffie-Hellman (2016)Google Scholar
  54. 54.
    Young, A., Yung, M.: The dark side of “Black-Box” cryptography or: should we trust Capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_8 Google Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Joshua Fried
    • 1
  • Pierrick Gaudry
    • 2
  • Nadia Heninger
    • 1
  • Emmanuel Thomé
    • 2
  1. 1.University of PennsylvaniaPhiladelphiaUSA
  2. 2.Inria, CNRSUniversité de LorraineNancyFrance

Personalised recommendations