6,397 research outputs found
A kilobit hidden SNFS discrete logarithm computation
We perform a special number field sieve discrete logarithm computation in a
1024-bit prime field. To our knowledge, this is the first kilobit-sized
discrete logarithm computation ever reported for prime fields. This computation
took a little over two months of calendar time on an academic cluster using the
open-source CADO-NFS software. Our chosen prime looks random, and
has a 160-bit prime factor, in line with recommended parameters for the Digital
Signature Algorithm. However, our p has been trapdoored in such a way that the
special number field sieve can be used to compute discrete logarithms in
, yet detecting that p has this trapdoor seems out of reach.
Twenty-five years ago, there was considerable controversy around the
possibility of back-doored parameters for DSA. Our computations show that
trapdoored primes are entirely feasible with current computing technology. We
also describe special number field sieve discrete log computations carried out
for multiple weak primes found in use in the wild. As can be expected from a
trapdoor mechanism which we say is hard to detect, our research did not reveal
any trapdoored prime in wide use. The only way for a user to defend against a
hypothetical trapdoor of this kind is to require verifiably random primes
On the computation of discrete logarithms in finite prime fields
In this thesis we write about practical experience when solving congruences of the form a^x = b mod p, a,b,p,x Element Z, p prime. This is referred to as the discrete logarithm problem in (Z/pZ)*. Many cryptographic protocols such as signature schemes, message encryption, key exchange and identification depend on the difficulty of this problem. We are concerned with the practicability of different index calculus variants, which are the asymtotically fastest known algorithms at present to solve this problem. We present computations for p having up to 85 decimal digits. We include a partial solution to McCurley\u27s challenge with a 129-digit p, which has a special form.In dieser Arbeit berichten wir über praktische Erfahrungen mit der Lösung von Kongruenzen der Form a^x = b mod p, a,b,p,x Element Z, p Primzahl. Dies ist das Problem der Diskreten Logarithmen in (Z/pZ)*. Zahlreiche kryptographische Protokolle wie digitale Unterschriften, Verschlüsselung von Nachrichten, Schlüsselaustausch und Identifikation basieren auf der Schwierigkeit dieses Problems. In dieser Arbeit befassen wir uns mit der Praktikabilität verschiedener Index-Calculus Verfahren, die zur Zeit die asymptotisch schnellsten Algorithmen liefern, um dieses Problem zu lösen. Wir präsentieren Berechnungen mit bis zu 85-stelligem p und legen eine partielle Lösung zu McCurley\u27s Challenge vor, die ein 129-stelliges p von spezieller Form benutzt
Improving NFS for the Discrete Logarithm Problem in Non-prime Finite Fields
International audienceThe aim of this work is to investigate the hardness of the discrete logarithm problem in fields GF where is a small integer greater than 1. Though less studied than the small characteristic case or the prime field case, the difficulty of this problem is at the heart of security evaluations for torus-based and pairing-based cryptography. The best known method for solving this problem is the Number Field Sieve (NFS). A key ingredient in this algorithm is the ability to find good polynomials that define the extension fields used in NFS. We design two new methods for this task, modifying the asymptotic complexity and paving the way for record-breaking computations. We exemplify these results with the computation of discrete logarithms over a field GF whose cardinality is 180 digits (595 bits) long
Discrete logarithms in curves over finite fields
A survey on algorithms for computing discrete logarithms in Jacobians of
curves over finite fields
Solving discrete logarithms on a 170-bit MNT curve by pairing reduction
Pairing based cryptography is in a dangerous position following the
breakthroughs on discrete logarithms computations in finite fields of small
characteristic. Remaining instances are built over finite fields of large
characteristic and their security relies on the fact that the embedding field
of the underlying curve is relatively large. How large is debatable. The aim of
our work is to sustain the claim that the combination of degree 3 embedding and
too small finite fields obviously does not provide enough security. As a
computational example, we solve the DLP on a 170-bit MNT curve, by exploiting
the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS
Computing discrete logarithms in subfields of residue class rings
Recent breakthrough methods \cite{gggz,joux,bgjt} on computing discrete
logarithms in small characteristic finite fields share an interesting feature
in common with the earlier medium prime function field sieve method \cite{jl}.
To solve discrete logarithms in a finite extension of a finite field \F, a
polynomial h(x) \in \F[x] of a special form is constructed with an
irreducible factor g(x) \in \F[x] of the desired degree. The special form of
is then exploited in generating multiplicative relations that hold in
the residue class ring \F[x]/h(x)\F[x] hence also in the target residue class
field \F[x]/g(x)\F[x]. An interesting question in this context and addressed
in this paper is: when and how does a set of relations on the residue class
ring determine the discrete logarithms in the finite fields contained in it? We
give necessary and sufficient conditions for a set of relations on the residue
class ring to determine discrete logarithms in the finite fields contained in
it. We also present efficient algorithms to derive discrete logarithms from the
relations when the conditions are met. The derived necessary conditions allow
us to clearly identify structural obstructions intrinsic to the special
polynomial in each of the aforementioned methods, and propose
modifications to the selection of so as to avoid obstructions.Comment: arXiv admin note: substantial text overlap with arXiv:1312.167
Security Estimates for Quadratic Field Based Cryptosystems
We describe implementations for solving the discrete logarithm problem in the
class group of an imaginary quadratic field and in the infrastructure of a real
quadratic field. The algorithms used incorporate improvements over
previously-used algorithms, and extensive numerical results are presented
demonstrating their efficiency. This data is used as the basis for
extrapolations, used to provide recommendations for parameter sizes providing
approximately the same level of security as block ciphers with
and -bit symmetric keys
- …