A kilobit hidden SNFS discrete logarithm computation

We perform a special number field sieve discrete logarithm computation in a 1024-bit prime field. To our knowledge, this is the first kilobit-sized discrete logarithm computation ever reported for prime fields. This computation took a little over two months of calendar time on an academic cluster using the open-source CADO-NFS software. Our chosen prime $p$ looks random, and $p--1$ has a 160-bit prime factor, in line with recommended parameters for the Digital Signature Algorithm. However, our p has been trapdoored in such a way that the special number field sieve can be used to compute discrete logarithms in $\mathbb{F}\_p^*$ , yet detecting that p has this trapdoor seems out of reach. Twenty-five years ago, there was considerable controversy around the possibility of back-doored parameters for DSA. Our computations show that trapdoored primes are entirely feasible with current computing technology. We also describe special number field sieve discrete log computations carried out for multiple weak primes found in use in the wild. As can be expected from a trapdoor mechanism which we say is hard to detect, our research did not reveal any trapdoored prime in wide use. The only way for a user to defend against a hypothetical trapdoor of this kind is to require verifiably random primes

On the computation of discrete logarithms in finite prime fields

In this thesis we write about practical experience when solving congruences of the form a^x = b mod p, a,b,p,x Element Z, p prime. This is referred to as the discrete logarithm problem in (Z/pZ)*. Many cryptographic protocols such as signature schemes, message encryption, key exchange and identification depend on the difficulty of this problem. We are concerned with the practicability of different index calculus variants, which are the asymtotically fastest known algorithms at present to solve this problem. We present computations for p having up to 85 decimal digits. We include a partial solution to McCurley\u27s challenge with a 129-digit p, which has a special form.In dieser Arbeit berichten wir über praktische Erfahrungen mit der Lösung von Kongruenzen der Form a^x = b mod p, a,b,p,x Element Z, p Primzahl. Dies ist das Problem der Diskreten Logarithmen in (Z/pZ)*. Zahlreiche kryptographische Protokolle wie digitale Unterschriften, Verschlüsselung von Nachrichten, Schlüsselaustausch und Identifikation basieren auf der Schwierigkeit dieses Problems. In dieser Arbeit befassen wir uns mit der Praktikabilität verschiedener Index-Calculus Verfahren, die zur Zeit die asymptotisch schnellsten Algorithmen liefern, um dieses Problem zu lösen. Wir präsentieren Berechnungen mit bis zu 85-stelligem p und legen eine partielle Lösung zu McCurley\u27s Challenge vor, die ein 129-stelliges p von spezieller Form benutzt

Improving NFS for the Discrete Logarithm Problem in Non-prime Finite Fields

International audienceThe aim of this work is to investigate the hardness of the discrete logarithm problem in fields GF$(p^n)$ where $n$ is a small integer greater than 1. Though less studied than the small characteristic case or the prime field case, the difficulty of this problem is at the heart of security evaluations for torus-based and pairing-based cryptography. The best known method for solving this problem is the Number Field Sieve (NFS). A key ingredient in this algorithm is the ability to find good polynomials that define the extension fields used in NFS. We design two new methods for this task, modifying the asymptotic complexity and paving the way for record-breaking computations. We exemplify these results with the computation of discrete logarithms over a field GF$(p^2)$ whose cardinality is 180 digits (595 bits) long

Discrete logarithms in curves over finite fields

A survey on algorithms for computing discrete logarithms in Jacobians of curves over finite fields

Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

Pairing based cryptography is in a dangerous position following the breakthroughs on discrete logarithms computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS

Computing discrete logarithms in subfields of residue class rings

Recent breakthrough methods \cite{gggz,joux,bgjt} on computing discrete logarithms in small characteristic finite fields share an interesting feature in common with the earlier medium prime function field sieve method \cite{jl}. To solve discrete logarithms in a finite extension of a finite field \F, a polynomial h(x) \in \F[x] of a special form is constructed with an irreducible factor g(x) \in \F[x] of the desired degree. The special form of $h(x)$ is then exploited in generating multiplicative relations that hold in the residue class ring \F[x]/h(x)\F[x] hence also in the target residue class field \F[x]/g(x)\F[x]. An interesting question in this context and addressed in this paper is: when and how does a set of relations on the residue class ring determine the discrete logarithms in the finite fields contained in it? We give necessary and sufficient conditions for a set of relations on the residue class ring to determine discrete logarithms in the finite fields contained in it. We also present efficient algorithms to derive discrete logarithms from the relations when the conditions are met. The derived necessary conditions allow us to clearly identify structural obstructions intrinsic to the special polynomial $h(x)$ in each of the aforementioned methods, and propose modifications to the selection of $h(x)$ so as to avoid obstructions.Comment: arXiv admin note: substantial text overlap with arXiv:1312.167

Security Estimates for Quadratic Field Based Cryptosystems

We describe implementations for solving the discrete logarithm problem in the class group of an imaginary quadratic field and in the infrastructure of a real quadratic field. The algorithms used incorporate improvements over previously-used algorithms, and extensive numerical results are presented demonstrating their efficiency. This data is used as the basis for extrapolations, used to provide recommendations for parameter sizes providing approximately the same level of security as block ciphers with $80,$ $112,$ $128,$ $192,$ and $256$-bit symmetric keys