New Complexity Trade-Offs for the (Multiple) Number Field Sieve Algorithm in Non-Prime Fields
The selection of polynomials to represent number fields crucially determines the efficiency of the Number Field Sieve
(NFS) algorithm for solving the discrete logarithm in a finite field. An important recent work due to Barbulescu et al. builds upon
existing works to propose two new methods for polynomial selection when the target field is a non-prime field. These methods are
called the generalised Joux-Lercier (GJL) and the Conjugation methods. In this work, we propose a new method (which we denote
as ) for polynomial selection for the NFS algorithm in fields , with and .
The new method both subsumes and generalises the GJL and the Conjugation methods and provides new trade-offs for both composite
and prime. Let us denote the variant of the (multiple) NFS algorithm using the polynomial selection method X by (M)NFS-X.
Asymptotic analysis is performed for both the NFS- and the MNFS- algorithms.
In particular, when , for , the complexity of NFS- is better than the complexities
of all previous algorithms whether classical or MNFS. The MNFS- algorithm provides lower complexity compared to
NFS- algorithm; for , the complexity of MNFS-
is the same as that of the MNFS-Conjugation and for , the complexity of MNFS-
is lower than that of all previous methods.
Solving discrete logarithms on a 170-bit MNT curve by pairing reduction
Pairing-based cryptography is in a dangerous position following the
breakthroughs on discrete logarithm computations in finite fields of small
characteristic. Remaining instances are built over finite fields of large
characteristic, and their security relies on the fact that the embedding field
of the underlying curve is relatively large. How large is debatable. The aim of
our work is to sustain the claim that the combination of a degree-3 embedding and
too small a finite field obviously does not provide enough security. As a
computational example, we solve the DLP on a 170-bit MNT curve by exploiting
the pairing embedding to a 508-bit, degree-3 extension of the base field.
Comment: to appear in the Lecture Notes in Computer Science (LNCS
Security Analysis of Pairing-based Cryptography
Recent progress in the number field sieve (NFS) has shaken the security of
pairing-based cryptography. For the discrete logarithm problem (DLP) in finite
fields, we present the first systematic review of the NFS algorithms from three
perspectives: the degree , constant , and hidden constant in
the asymptotic complexity , and indicate that further
research is required to optimize the hidden constant. Using the special
extended tower NFS algorithm, we conduct a thorough security evaluation of all
the existing standardized pairing-friendly (PF) curves as well as several commonly used
curves, which reveals that the BN256 curves recommended by SM9 and the
previous ISO/IEC standard exhibit only 99.92 bits of security, significantly
lower than the intended 128-bit level. In addition, we comprehensively analyze
the security and efficiency of BN, BLS, and KSS curves at different security
levels. Our analysis suggests that the BN curve is the most efficient
for security strengths below approximately 105 bits. For a 128-bit security
level, BLS12 and BLS24 curves are the optimal choices, while the BLS24 curve
offers the best efficiency at the 160-bit, 192-bit, and 256-bit security levels.
Comment: 8 figures, 8 tables, 5121 word
A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm
In a recent work, Kim and Barbulescu extended the tower number field sieve algorithm to obtain improved asymptotic complexities in
the medium prime case for the discrete logarithm problem on where is not a prime power. Their method does not work
when is a composite prime power. For this case, we obtain new asymptotic complexities, e.g., (resp.
for the multiple number field variation) when is composite and a power of 2; the previously best known complexity for this
case is (resp. ). These complexities may have consequences for the selection of key sizes for
pairing-based cryptography. The new complexities are achieved through a general polynomial selection method.
This method, which we call Algorithm-, extends a previous polynomial selection method proposed at Eurocrypt 2016 to the
tower number field case. As special cases, it is possible to obtain the generalised Joux-Lercier and the Conjugation methods of
polynomial selection proposed at Eurocrypt 2015 and the extension of these methods to the tower number field scenario by Kim and Barbulescu.
A thorough analysis of the new algorithm is carried out in both concrete and asymptotic terms.
A Generalisation of the Conjugation Method for Polynomial Selection for the Extended Tower Number Field Sieve Algorithm
In a recent work, Kim and Barbulescu showed how to combine previous polynomial selection methods with the extended tower
number field sieve algorithm to obtain improved complexity for the discrete logarithm problem on finite fields
for the medium prime case and where is composite and not a prime power. A follow-up work by Sarkar and Singh presented a
general polynomial selection method and showed how to lower the complexity in the medium prime case even when is composite
and a prime power. This complexity, though, was higher than what was reported for the case of composite and not a prime power.
By suitably combining the Conjugation method of polynomial selection proposed earlier by Barbulescu et al. with the extended tower
number field sieve algorithm, Jeong and Kim showed that the same asymptotic complexity is achieved for any composite .
The present work generalises the polynomial selection method of Jeong and Kim for all composite . Though the best complexity that can
be achieved is not lowered, there is a significant range of finite fields for which the new algorithm achieves a complexity which
is lower than that of all previously proposed methods.
Tower Number Field Sieve Variant of a Recent Polynomial Selection Method
At Asiacrypt 2015, Barbulescu et al. performed a thorough analysis of the tower number field sieve (TNFS) variant of the number
field sieve algorithm. More recently, Kim and Barbulescu combined the TNFS variant with several polynomial selection methods
including the Generalised Joux-Lercier method and the Conjugation method proposed by Barbulescu et al. at Eurocrypt 2015.
Sarkar and Singh (Eurocrypt 2016) proposed
a polynomial selection method which subsumes both the GJL and the Conjugation methods. This study was done in the context of
the NFS and the multiple NFS (MNFS). The purpose of the present note is to show that the polynomial selection method of Sarkar
and Singh subsumes the GJL and the Conjugation methods also in the context of the TNFS and the multiple TNFS variants. This was not
clear from the recent work by Kim and Barbulescu. Applying the new polynomial selection method to the TNFS variants results in
new asymptotic complexities for certain ranges of primes.
Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer
A digital computer is generally believed to be an efficient universal
computing device; that is, it is believed able to simulate any physical
computing device with an increase in computation time of at most a polynomial
factor. This may not be true when quantum mechanics is taken into
consideration. This paper considers factoring integers and finding discrete
logarithms, two problems which are generally thought to be hard on a classical
computer and have been used as the basis of several proposed cryptosystems.
Efficient randomized algorithms are given for these two problems on a
hypothetical quantum computer. These algorithms take a number of steps
polynomial in the input size, e.g., the number of digits of the integer to be
factored.
Comment: 28 pages, LaTeX. This is an expanded version of a paper that appeared
in the Proceedings of the 35th Annual Symposium on Foundations of Computer
Science, Santa Fe, NM, Nov. 20--22, 1994. Minor revisions made January, 199
Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-based Cryptography
In the past two years there have been several advances in Number Field Sieve (NFS) algorithms for computing discrete logarithms in finite fields where is prime and is a small integer. This article presents a concise overview of these algorithms and discusses some of the challenges in assessing their impact on key lengths for pairing-based cryptosystems.
Improvements on the Individual Logarithm Step in Extended Tower Number Field Sieve
The hardness of the discrete logarithm problem over finite fields is the foundation of many cryptographic protocols. When the characteristic of the finite field is medium or large, the state-of-the-art algorithms for solving the corresponding problem are the number field sieve and its variants. There are mainly three steps in such algorithms: polynomial selection, factor base logarithm computation, and individual logarithm computation. Note that the first two steps can be precomputed for a fixed finite field,
and the resulting database of factor base logarithms can be reused by the last step many times. In certain application circumstances, such as the Logjam attack, speeding up the individual logarithm step is vital.
In this paper, we devise a method to improve the individual logarithm step by exploiting subfield structures. Our method is based on the extended tower number field sieve algorithm,
and achieves a more significant improvement when the extension degree has a large proper factor. We also perform some experiments to illustrate our algorithm and confirm the result.