Discrete Logarithm in GF(2809) with FFS

International audienceThe year 2013 has seen several major complexity advances for the discrete logarithm problem in multiplicative groups of small- characteristic finite fields. These outmatch, asymptotically, the Function Field Sieve (FFS) approach, which was so far the most efficient algorithm known for this task. Yet, on the practical side, it is not clear whether the new algorithms are uniformly better than FFS. This article presents the state of the art with regard to the FFS algorithm, and reports data from a record-sized discrete logarithm computation in a prime-degree extension field

Resolution of Linear Algebra for the Discrete Logarithm Problem Using GPU and Multi-core Architectures

In cryptanalysis, solving the discrete logarithm problem (DLP) is key to assessing the security of many public-key cryptosystems. The index-calculus methods, that attack the DLP in multiplicative subgroups of finite fields, require solving large sparse systems of linear equations modulo large primes. This article deals with how we can run this computation on GPU- and multi-core-based clusters, featuring InfiniBand networking. More specifically, we present the sparse linear algebra algorithms that are proposed in the literature, in particular the block Wiedemann algorithm. We discuss the parallelization of the central matrix--vector product operation from both algorithmic and practical points of view, and illustrate how our approach has contributed to the recent record-sized DLP computation in GF($2^{809}$).Comment: Euro-Par 2014 Parallel Processing, Aug 2014, Porto, Portugal. \<http://europar2014.dcc.fc.up.pt/\&gt

The filtering step of discrete logarithm and integer factorization algorithms

The security of most current public-key cryptosystems is based on the difficulty of finding discrete logarithms in large finite fields or factoring large integers. Most discrete logarithm and integer factoring algorithms, such as the Number Field Sieve (NFS) or the Function Field Sieve (FFS), can be described in 3 main steps: data collection, filtering and linear algebra. The goal of the filtering step is to generate a small, sparse matrix over a finite field, for which one will compute the kernel during the linear algebra step. The filtering step is mainly a structured Gaussian elimination (SGE). For the current factorization records, billions of data are collected in the first step and have to be processed in the filtering step. One part of the filtering step is to remove heavy rows of the matrix. The choice of the weight function to select heavy rows is critical in order to obtain the smallest matrix possible. In this paper, several weight functions are studied in order to determine which one is more suited in the context of discrete logarithm and factorization algorithms

FFS Factory: Adapting Coppersmith\u27s Factorization Factory to the Function Field Sieve

In 1993, Coppersmith introduced the factorization factory approach as a means to speed up the Number Field Sieve algorithm (NFS) when factoring batches of integers of similar size: at the expense of a large precomputation whose cost is amortized when considering sufficiently many integers to factor, the complexity of each individual factorization can then be lowered. We suggest here to extend this idea to the computation of discrete logarithms in finite fields of small characteristic using the Function Field Sieve (FFS), thus referring to this approach as the FFS factory . In this paper, the benefits of the proposed technique are established thanks to both a theoretical complexity analysis along with a practical experiment in which we solved the discrete logarithm problem in fifty different binary fields of sizes ranging from 601 to 699 bits

FFS Factory: Adapting Coppersmith's "Factorization Factory" to the Function Field Sieve

In 1993, Coppersmith introduced the "factorization factory" approach as a means to speed up the Number Field Sieve algorithm (NFS) when factoring batches of integers of similar size: at the expense of a large precomputation whose cost is amortized when considering sufficiently many integers to factor, the complexity of each individual factorization can then be lowered. We suggest here to extend this idea to the computation of discrete logarithms in finite fields of small characteristic using the Function Field Sieve (FFS), thus referring to this approach as the "FFS factory". In this paper, the benefits of the proposed technique are established thanks to both a theoretical complexity analysis along with a practical experiment in which we solved the discrete logarithm problem in fifty different binary fields of sizes ranging from 601 to 699 bits

Computing Discrete Logarithms in F_{3^{6*137}} and F_{3^{6*163}} using Magma

We show that a Magma implementation of Joux\u27s L[1/4+o(1)] algorithm can be used to compute discrete logarithms in the 1303-bit finite field F_{3^{6*137}} and the 1551-bit finite field F_{3^{6*163}} with very modest computational resources. Our F_{3^{6*137}} implementation was the first to illustrate the effectiveness of Joux\u27s algorithm for computing discrete logarithms in small-characteristic finite fields that are not Kummer or twisted-Kummer extensions

Point compression for the trace zero subgroup over a small degree extension field

Using Semaev's summation polynomials, we derive a new equation for the $\mathbb{F}_q$-rational points of the trace zero variety of an elliptic curve defined over $\mathbb{F}_q$. Using this equation, we produce an optimal-size representation for such points. Our representation is compatible with scalar multiplication. We give a point compression algorithm to compute the representation and a decompression algorithm to recover the original point (up to some small ambiguity). The algorithms are efficient for trace zero varieties coming from small degree extension fields. We give explicit equations and discuss in detail the practically relevant cases of cubic and quintic field extensions.Comment: 23 pages, to appear in Designs, Codes and Cryptograph

Fine Tuning the Function Field Sieve Algorithm for the Medium Prime Case

This work builds on the variant of the function field sieve (FFS) algorithm for the medium prime case introduced by Joux and Lercier in 2006. We make several contributions. The first contribution uses a divisibility and smoothness technique and goes on to develop a sieving method based on the technique. This leads to significant practical efficiency improvements in the descent phase and also provides improvement to Joux\u27s pinpointing technique. The second contribution is a detailed analysis of the degree of freedom and the use of a walk technique in the descent phase of the algorithm. Such analysis shows that it is possible to compute discrete logarithms over certain fields which are excluded by the earlier analyses performed by Joux and Lercier (2006) and Joux (2013). In concrete terms, we present computations of discrete logs for fields with 16 and 19-bit prime characteristic. We also provide concrete analysis of the effectiveness of the FFS algorithm for certain fields of characteristic ranging from 16-bit to 32-bit primes. The final contribution is to perform a complete asymptotic analysis of the FFS algorithm for fields $\mathbb{F}_Q$ with $p=L_Q(1/3,c)$. This closes gaps and corrects errors in the analysis earlier performed by Joux-Lercier and Joux and also provides new insights into the asymptotic behaviour of the algorithm

Popping “R-propping”: breaking hardness assumptions for matrix groups over F_{2^8}

A recent series of works (Hecht, IACR ePrint, 2020–2021) propose to build post-quantum public-key encapsulation, digital signatures, group key agreement and oblivious transfer from R-propped variants of the Symmetrical Decomposition and Discrete Logarithm problems for matrix groups over $\mathbb{F}_{2^8}$. We break all four proposals by presenting a linearisation attack on the Symmetrical Decomposition platform, a forgery attack on the signature scheme, and a demonstration of the insecurity of the instances of the Discrete Logarithm Problem used for signatures, group key agreement and oblivious transfer, showing that none of the schemes provides adequate security

Weakness of F_{3^{6*1429}} and F_{2^{4*3041}} for Discrete Logarithm Cryptography

In 2013, Joux and then Barbulsecu et al. presented new algorithms for computing discrete logarithms in finite fields of small characteristic. Shortly thereafter, Adj et al. presented a concrete analysis showing that, when combined with some steps from classical algorithms, the new algorithms render the finite field F_{3^{6*509}} weak for pairing-based cryptography. Granger and Zumbragel then presented a modification of the new algorithms that extends their effectiveness to a wider range of fields. In this paper, we study the effectiveness of the new algorithms combined with a carefully crafted descent strategy for the fields F_{3^{6*1429}} and F_{2^{4*3041}}. The intractability of the discrete logarithm problem in these fields is necessary for the security of pairings derived from supersingular curves with embedding degree 6 and 4 defined, respectively, over F_{3^{1429}} and F_{2^{3041}}; these curves were believed to enjoy a security level of 192 bits against attacks by Coppersmith\u27s algorithm. Our analysis shows that these pairings offer security levels of at most 96 and 129 bits, respectively, leading us to conclude that they are dead for pairing-based cryptography