On Improving Integer Factorization and Discrete Logarithm Computation using Partial Triangulation
The number field sieve is the best-known algorithm for factoring integers and solving the discrete logarithm problem in prime fields. In this paper, we present some new improvements to various steps of the number field sieve. We apply these improvements to the current 768-bit discrete logarithm record and show that the overall computation can be completed in about 1260 core-years using these improvements, instead of 2350 core-years using the best previously known parameters for this problem. Moreover, we show that the pre-computation phase for a 768-bit discrete logarithm problem, which would allow, for example, building a mass-decryption tool for IPsec traffic protected by Oakley group 1, was feasible in reasonable time using technologies available before the year 2000
A kilobit hidden SNFS discrete logarithm computation
We perform a special number field sieve discrete logarithm computation in a
1024-bit prime field. To our knowledge, this is the first kilobit-sized
discrete logarithm computation ever reported for prime fields. This computation
took a little over two months of calendar time on an academic cluster using the
open-source CADO-NFS software. Our chosen prime looks random, and
has a 160-bit prime factor, in line with recommended parameters for the Digital
Signature Algorithm. However, our p has been trapdoored in such a way that the
special number field sieve can be used to compute discrete logarithms in
, yet detecting that p has this trapdoor seems out of reach.
Twenty-five years ago, there was considerable controversy around the
possibility of back-doored parameters for DSA. Our computations show that
trapdoored primes are entirely feasible with current computing technology. We
also describe special number field sieve discrete log computations carried out
for multiple weak primes found in use in the wild. As can be expected from a
trapdoor mechanism which we say is hard to detect, our research did not reveal
any trapdoored prime in wide use. The only way for a user to defend against a
hypothetical trapdoor of this kind is to require verifiably random primes
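The defence the abstract ends on, verifiably random primes, is checkable by anyone who holds the generation seed. The following is an added example (not code from the paper or from CADO-NFS): a hash-chained (p, q) derivation in the shape of FIPS 186-4 Appendix A.1.1.2, with SHA-256 and deliberately small assumed sizes (L = 512, N = 160) so it runs in seconds, plus the verifier that re-derives the pair from (seed, counter). The seed value, the sizes and the helper names are the example's own choices. A prime that was first trapdoored and then fitted with a seed cannot pass this check, because the verifier insists that p be the first prime the chain produces from that seed.

```python
"""Seeded, verifiable generation of a DSA/DH-style prime pair (p, q).

Added example, not from the paper.  Mirrors the structure of FIPS 186-4
A.1.1.2 (q from Hash(seed); p from a hash chain with a counter, forced to
p == 1 mod 2q) using SHA-256.  Sizes are assumed small for a fast demo;
real deployments use L >= 2048.
"""
import hashlib

OUTLEN = 256  # output size of SHA-256 in bits


def _h(x: int, nbytes: int) -> int:
    return int.from_bytes(hashlib.sha256(x.to_bytes(nbytes, "big")).digest(), "big")


def is_probable_prime(n: int) -> bool:
    """Trial division plus Miller-Rabin with fixed bases.  Probabilistic at
    these sizes; fine for a demonstration, not for certification."""
    if n < 2:
        return False
    small = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def derive_q(seed: int, seedlen: int, N: int) -> int:
    """q = 2^(N-1) + (Hash(seed) mod 2^(N-1)), forced odd: exactly N bits."""
    u = _h(seed, seedlen // 8) % (1 << (N - 1))
    return (1 << (N - 1)) + u + 1 - (u % 2)


def derive_p(seed: int, seedlen: int, q: int, L: int):
    """Walk the hash chain; return (p, counter) for the FIRST prime hit,
    or None if no prime appears within 4L candidates (the FIPS limit)."""
    n = -(-L // OUTLEN) - 1          # ceil(L / OUTLEN) - 1 full hash blocks
    b = L - 1 - n * OUTLEN           # bits taken from the last block
    mask = (1 << seedlen) - 1
    offset = 1
    for counter in range(4 * L):
        w = 0
        for j in range(n + 1):
            v = _h((seed + offset + j) & mask, seedlen // 8)
            if j == n:
                v %= 1 << b
            w += v << (OUTLEN * j)
        x = w + (1 << (L - 1))       # x in [2^(L-1), 2^L)
        c = x % (2 * q)
        p = x - (c - 1)              # now p == 1 (mod 2q), so q | p-1
        if p >= (1 << (L - 1)) and is_probable_prime(p):
            return p, counter
        offset += n + 1
    return None


def generate(seed: int, seedlen: int = 256, L: int = 512, N: int = 160) -> dict:
    """Step the seed until q is prime and the chain yields a p; publish all four."""
    mask = (1 << seedlen) - 1
    while True:
        q = derive_q(seed, seedlen, N)
        if is_probable_prime(q):
            r = derive_p(seed, seedlen, q, L)
            if r is not None:
                p, counter = r
                return {"seed": seed, "counter": counter, "p": p, "q": q}
        seed = (seed + 1) & mask


def verify(params: dict, seedlen: int = 256, L: int = 512, N: int = 160) -> bool:
    """Re-derive (p, q) from (seed, counter); reject anything that differs."""
    seed, counter, p, q = params["seed"], params["counter"], params["p"], params["q"]
    if q.bit_length() != N or p.bit_length() != L or (p - 1) % q != 0:
        return False
    if derive_q(seed, seedlen, N) != q or not is_probable_prime(q):
        return False
    r = derive_p(seed, seedlen, q, L)   # must reproduce the first prime hit
    return r is not None and r == (p, counter) and is_probable_prime(p)


# Constructed seed for the example (any 256-bit public value works).
SEED = int.from_bytes(hashlib.sha256(b"constructed example seed").digest(), "big")

if __name__ == "__main__":
    params = generate(SEED)
    print("counter =", params["counter"], "verify:", verify(params))
    forged = dict(params, p=params["p"] + 2 * params["q"])   # same residue mod 2q
    print("forged p verifies:", verify(forged))                # False
```

A verifier that only checked q | p-1 and the bit lengths would accept a trapdoored p just as readily as an honest one; what rules out a hidden special form is the requirement that p be reproducible from a seed the generator had to commit to before seeing any candidate.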
Security Estimates for Quadratic Field Based Cryptosystems
We describe implementations for solving the discrete logarithm problem in the
class group of an imaginary quadratic field and in the infrastructure of a real
quadratic field. The algorithms used incorporate improvements over
previously-used algorithms, and extensive numerical results are presented
demonstrating their efficiency. This data is used as the basis for
extrapolations, used to provide recommendations for parameter sizes providing
approximately the same level of security as block ciphers with
and -bit symmetric keys
Resolution of Linear Algebra for the Discrete Logarithm Problem Using GPU and Multi-core Architectures
In cryptanalysis, solving the discrete logarithm problem (DLP) is key to
assessing the security of many public-key cryptosystems. The index-calculus
methods, that attack the DLP in multiplicative subgroups of finite fields,
require solving large sparse systems of linear equations modulo large primes.
This article deals with how we can run this computation on GPU- and
multi-core-based clusters, featuring InfiniBand networking. More specifically,
we present the sparse linear algebra algorithms that are proposed in the
literature, in particular the block Wiedemann algorithm. We discuss the
parallelization of the central matrix--vector product operation from both
algorithmic and practical points of view, and illustrate how our approach has
contributed to the recent record-sized DLP computation in GF().
Comment: Euro-Par 2014 Parallel Processing, Aug 2014, Porto, Portugal.
<http://europar2014.dcc.fc.up.pt/>
Computation of a 30750-Bit Binary Field Discrete Logarithm
This paper reports on the computation of a discrete logarithm in the finite
field , breaking by a large margin the previous record,
which was set in January 2014 by a computation in . The
present computation made essential use of the elimination step of the
quasi-polynomial algorithm due to Granger, Kleinjung and Zumbrägel, and is
the first large-scale experiment to truly test and successfully demonstrate its
potential when applied recursively, which is when it leads to the stated
complexity. It required the equivalent of about 2900 core years on a single
core of an Intel Xeon Ivy Bridge processor running at 2.6 GHz, which is
comparable to the approximately 3100 core years expended for the discrete
logarithm record for prime fields, set in a field of bit-length 795, and
demonstrates just how much easier the problem is for this level of
computational effort. In order to make the computation feasible we introduced
several innovative techniques for the elimination of small degree irreducible
elements, which meant that we avoided performing any costly Gröbner basis
computations, in contrast to all previous records since early 2013. While such
computations are crucial to the complexity algorithms,
they were simply too slow for our purposes. Finally, this computation should
serve as a serious deterrent to cryptographers who are still proposing to rely
on the discrete logarithm security of such finite fields in applications,
despite the existence of two quasi-polynomial algorithms and the prospect of
even faster algorithms being developed.
Comment: 22 pages
Optimal TNFS-secure pairings on elliptic curves with composite embedding degree
In this paper we present a comprehensive comparison between pairing-friendly elliptic curves, considering different curve forms and twists where possible. We define an additional measure of the efficiency of a parametrized pairing-friendly family that takes into account the number field sieve (NFS) attacks (unlike the -value). This measure includes an approximation of the security of the discrete logarithm problem in $\mathbb{F}_{p^k}$, computed via the method of Barbulescu and Duquesne [4]. We compute the security of the families presented by Fotiadis and Konstantinou in [14], compute some new families, and compare the efficiency of both of these with the (adjusted) BLS, KSS, and BN families, and with the new families of [20]. Finally, we recommend pairing-friendly elliptic curves for security levels 128 and 192