Advertisement

Computing Discrete Logarithms in \({\mathbb F}_{{p}^{6}}\)

  • Laurent Grémy
  • Aurore Guillevic
  • François Morain
  • Emmanuel Thomé
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10719)

Abstract

The security of torus-based and pairing-based cryptography relies on the difficulty of computing discrete logarithms in small degree extensions of finite fields of large characteristic. It has already been shown that for degrees 2 and 3, the discrete logarithm problem is not as hard as once thought. We address the question of degree 6 and aim at providing real-life timings for such problems. We report on a record DL computation in a 132-bit subgroup of \({\mathbb F}_{{p}^{6}}\) for a 22-decimal digit prime, with \(p^6\) having 422 bits. The previous record was for a 79-bit subgroup in a 240-bit field. We used NFS-DL with a sieving phase over degree 2 polynomials, instead of the more classical degree 1 case. We show how to improve many parts of the NFS-DL algorithm to reach this target.

Notes

Acknowledgments

The authors are grateful to Pierrick Gaudry and Paul Zimmermann for numerous discussions all along this work. Many thanks to the referees whose remarks helped us improve the presentation of our results.

References

  1. 1.
    Adj, G., Canales-Martínez, I., Cruz-Cortés, N., Menezes, A., Oliveira, T., Rivera-Zamarripa, L., Rodríguez-Henríquez, F.: Computing discrete logarithms in cryptographically-interesting characteristic-three finite fields. ePrint report (2016). http://eprint.iacr.org/2016/914, http://ecc2016.yasar.edu.tr/slides/ecc2016-gora.pdf
  2. 2.
    Barbulescu, R., Pierrot, C.: The multiple number field sieve for medium- and high-characteristic finite fields. LMS J. Comput. Math. 17, 230–246 (2014). http://journals.cambridge.org/article_S1461157014000369 MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Barbulescu, R., Duquesne, S.: Updating key size estimations for pairings. ePrint report (2017). http://eprint.iacr.org/2017/334
  4. 4.
    Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: Improvements to the number field sieve for non-prime finite fields, November 2014. Working paper, https://hal.inria.fr/hal-01052449
  5. 5.
    Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: Improving NFS for the discrete logarithm problem in non-prime finite fields. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 129–155. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_6 Google Scholar
  6. 6.
    Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_1 CrossRefGoogle Scholar
  7. 7.
    Barbulescu, R., Gaudry, P., Kleinjung, T.: The tower number field sieve. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 31–55. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48800-3_2 CrossRefGoogle Scholar
  8. 8.
    Bistritz, Y., Lifshitz, A.: Bounds for resultants of univariate and bivariate polynomials. Linear Algebra Appl. 432(8), 1995–2005 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44647-8_13 CrossRefGoogle Scholar
  10. 10.
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-45682-1_30 CrossRefGoogle Scholar
  11. 11.
    Bouvier, C., Gaudry, P., Imbert, L., Jeljeli, H., Thomé, E.: Discrete logarithms in GF(p) - 180 digits. NMBRTHRY archives, item 004703, June 2014. https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;615d922a.1406
  12. 12.
    Chen, B., Zhao, C.A.: Self-pairings on supersingular elliptic curves with embedding degree three. Finite Fields Appl. 28, 79–93 (2014). sciencedirect.com/science/article/pii/S1071579714000240 MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Cohen, H.: A Course in Algorithmic Algebraic Number Theory. Graduate Texts in Mathematics, vol. 138. Springer, Heidelberg (2000).  https://doi.org/10.1007/978-3-662-02945-9. Fourth printingGoogle Scholar
  14. 14.
    Coppersmith, D.: Modifications to the number field sieve. J. Cryptology 6(3), 169–180 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Elkenbracht-Huizing, R.M.: An implementation of the number field sieve. Experiment. Math. 5(3), 231–253 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptology 23(2), 224–280 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A Kilobit Hidden SNFS discrete logarithm computation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 202–231. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56620-7_8 CrossRefGoogle Scholar
  18. 18.
    Gaudry, P., Grémy, L., Videau, M.: Collecting relations for the number field sieve in \(GF(p^6)\). LMS J. Comput. Math. 19, 332–350 (2016). https://hal.inria.fr/hal-01273045 MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Gordon, D.M.: Discrete logarithms in GF\((p)\) using the number field sieve. SIAM J. Discrete Math. 6(1), 124–138 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Granger, R., Kleinjung, T., Zumbrägel, J.: Breaking ‘128-bit Secure’ supersingular binary curves. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 126–145. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44381-1_8 CrossRefGoogle Scholar
  21. 21.
    Granger, R., Vercauteren, F.: On the discrete logarithm problem on algebraic tori. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 66–85. Springer, Heidelberg (2005).  https://doi.org/10.1007/11535218_5 CrossRefGoogle Scholar
  22. 22.
    Gras, M.N.: Special units in real cyclic sextic fields. Math. Comp. 48(177), 179–182 (1987).  https://doi.org/10.2307/2007882 MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Grémy, L.: Algorithmes de crible pour le logarithme discret dans les corps finis de moyenne caractéristique. Doctorat, Université de Lorraine, Nancy, France, September 2017, to appear. http://tel.archives-ouvertes.fr/
  24. 24.
    Guillevic, A.: Computing individual discrete logarithms faster in \({{\rm GF}}(p^n)\) with the NFS-DL algorithm. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 149–173. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48797-6_7 CrossRefGoogle Scholar
  25. 25.
    Guillevic, A.: Faster individual discrete logarithms with the QPA and NFS variants. HAL archive, August 2017. 2nd version, https://hal.inria.fr/hal-01341849
  26. 26.
    Hayasaka, K., Aoki, K., Kobayashi, T., Takagi, T.: An experiment of number field sieve for discrete logarithm problem over GF(p 12). In: Fischlin, M., Katzenbeisser, S. (eds.) Number Theory and Cryptography. LNCS, vol. 8260, pp. 108–120. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-42001-6_8 Google Scholar
  27. 27.
    Hayasaka, K., Aoki, K., Kobayashi, T., Takagi, T.: A construction of 3-Dimensional lattice sieve for number field sieve over \(\mathbb{F}_{p^n}\). Cryptology ePrint Archive, Report 2015/1179 (2015). http://eprint.iacr.org/2015/1179
  28. 28.
    Joux, A.: A one round protocol for tripartite Diffie–Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–393. Springer, Heidelberg (2000).  https://doi.org/10.1007/10722028_23 CrossRefGoogle Scholar
  29. 29.
    Joux, A., Lercier, R.: Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comp. 72(242), 953–967 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  30. 30.
    Joux, A., Lercier, R., Smart, N., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006).  https://doi.org/10.1007/11818175_19 CrossRefGoogle Scholar
  31. 31.
    Kasahara, M., Ohgishi, K., Sakai, R.: Cryptosystems based on pairing. In: The 2000 Symposium on Cryptography and Information Security. vol. SCIS2000-C20, January 2000Google Scholar
  32. 32.
    Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53018-4_20 CrossRefGoogle Scholar
  33. 33.
    Kim, T., Jeong, J.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 388–408. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54365-8_16 CrossRefGoogle Scholar
  34. 34.
    Lenstra, A.K., Verheul, E.R.: The XTR public key system. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 1–19. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44598-6_1 CrossRefGoogle Scholar
  35. 35.
    Lewko, A.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 318–335. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_20 CrossRefGoogle Scholar
  36. 36.
    Matyukhin, D.: Effective version of the number field sieve for discrete logarithms in the field GF\((p^k)\). Trudy po Discretnoi Matematike 9, 121–151 (2006). (in Russian), http://m.mathnet.ru/php/archive.phtml?wshow=paper&jrnid=tdm&paperid=144&option_lang=eng
  37. 37.
    Matyukhin, D.V.: On asymptotic complexity of computing discrete logarithms over GF(p). Discrete Math. Appl. 13(1), 27–50 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  38. 38.
    Menezes, A., Sarkar, P., Singh, S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 83–108. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-61273-7_5 CrossRefGoogle Scholar
  39. 39.
    Miyaji, A., Nakabayashi, M., Takano, S.: Characterization of elliptic curve traces under FR-reduction. In: Won, D. (ed.) ICISC 2000. LNCS, vol. 2015, pp. 90–108. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-45247-8_8 CrossRefGoogle Scholar
  40. 40.
    Murphy, B.A.: Polynomial selection for the number field sieve integer factorisation algorithm. Ph.D. thesis, Australian National University (1999). http://maths-people.anu.edu.au/~brent/pd/Murphy-thesis.pdf
  41. 41.
    Pierrot, C.: The multiple number field sieve with conjugation and generalized Joux-Lercier methods. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 156–170. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_7 Google Scholar
  42. 42.
    Pollard, J.M.: The lattice sieve. In: Lenstra, A.K., Lenstra Jr., H.W. (eds.) The Development of the Number Field Sieve. LNM, vol. 1554, pp. 43–49. Springer, Heidelberg (1993).  https://doi.org/10.1007/BFb0091538 CrossRefGoogle Scholar
  43. 43.
    Rubin, K., Silverberg, A.: Torus-based cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 349–365. Springer, Heidelberg (2003).  https://doi.org/10.1007/978-3-540-45146-4_21 CrossRefGoogle Scholar
  44. 44.
    Sarkar, P., Singh, S.: A general polynomial selection method and new asymptotic complexities for the tower number field sieve algorithm. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 37–62. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_2 CrossRefGoogle Scholar
  45. 45.
    Sarkar, P., Singh, S.: New complexity trade-offs for the (multiple) number field sieve algorithm in non-prime fields. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 429–458. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49890-3_17 CrossRefGoogle Scholar
  46. 46.
    Schirokauer, O.: Discrete logarithms and local units. Philos. Trans. Roy. Soc. London Ser. A 345(1676), 409–423 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  47. 47.
    Schirokauer, O.: Using number fields to compute logarithms in finite fields. Math. Comp. 69(231), 1267–1283 (2000). http://www.ams.org/journals/mcom/2000-69-231/S0025-5718-99-01137-0/ MathSciNetCrossRefzbMATHGoogle Scholar
  48. 48.
    The CADO-NFS development team: CADO-NFS, an implementation of the number field sieve algorithm (2017). Development version, http://cado-nfs.gforge.inria.fr/
  49. 49.
    Zajac, P.: Discrete Logarithm Problem in Degree Six Finite Fields. Ph.D. thesis, Slovak University of Technology (2008). http://www.kaivt.elf.stuba.sk/kaivt/Vyskum/XTRDL

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Laurent Grémy
    • 1
  • Aurore Guillevic
    • 1
  • François Morain
    • 2
  • Emmanuel Thomé
    • 1
  1. 1.Université de Lorraine, CNRS, Inria, LORIANancyFrance
  2. 2.École Polytechnique/LIX, CNRS UMR 7161PalaiseauFrance

Personalised recommendations