13 research outputs found
On the discrete logarithm problem in finite fields of fixed characteristic
For a prime power, the discrete logarithm problem (DLP) in
consists in finding, for any
and , an integer such that . We present
an algorithm for computing discrete logarithms with which we prove that for
each prime there exist infinitely many explicit extension fields
in which the DLP can be solved in expected quasi-polynomial
time. Furthermore, subject to a conjecture on the existence of irreducible
polynomials of a certain form, the algorithm solves the DLP in all extensions
in expected quasi-polynomial time.Comment: 15 pages, 2 figures. To appear in Transactions of the AM
Still Wrong Use of Pairings in Cryptography
Several pairing-based cryptographic protocols are recently proposed with a
wide variety of new novel applications including the ones in emerging
technologies like cloud computing, internet of things (IoT), e-health systems
and wearable technologies. There have been however a wide range of incorrect
use of these primitives. The paper of Galbraith, Paterson, and Smart (2006)
pointed out most of the issues related to the incorrect use of pairing-based
cryptography. However, we noticed that some recently proposed applications
still do not use these primitives correctly. This leads to unrealizable,
insecure or too inefficient designs of pairing-based protocols. We observed
that one reason is not being aware of the recent advancements on solving the
discrete logarithm problems in some groups. The main purpose of this article is
to give an understandable, informative, and the most up-to-date criteria for
the correct use of pairing-based cryptography. We thereby deliberately avoid
most of the technical details and rather give special emphasis on the
importance of the correct use of bilinear maps by realizing secure
cryptographic protocols. We list a collection of some recent papers having
wrong security assumptions or realizability/efficiency issues. Finally, we give
a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page
A simplified approach to rigorous degree 2 elimination in discrete logarithm algorithms
International audienceIn this paper, we revisit the ZigZag strategy of Granger, Kleinjung and ZumbrÀgel. In particular, we provide a new algorithm and proof for the so-called degree 2 elimination step. This allows us to provide a stronger theorem concerning discrete logarithm computations in small characteristic fields F q k 0 k with k close to q and k0 a small integer. As in the aforementioned paper, we rely on the existence of two polynomi-als h0 and h1 of degree 2 providing a convenient representation of the finite field F q k 0 k
Computation of a 30750-Bit Binary Field Discrete Logarithm
This paper reports on the computation of a discrete logarithm in the finite
field , breaking by a large margin the previous record,
which was set in January 2014 by a computation in . The
present computation made essential use of the elimination step of the
quasi-polynomial algorithm due to Granger, Kleinjung and Zumbr\"agel, and is
the first large-scale experiment to truly test and successfully demonstrate its
potential when applied recursively, which is when it leads to the stated
complexity. It required the equivalent of about 2900 core years on a single
core of an Intel Xeon Ivy Bridge processor running at 2.6 GHz, which is
comparable to the approximately 3100 core years expended for the discrete
logarithm record for prime fields, set in a field of bit-length 795, and
demonstrates just how much easier the problem is for this level of
computational effort. In order to make the computation feasible we introduced
several innovative techniques for the elimination of small degree irreducible
elements, which meant that we avoided performing any costly Gr\"obner basis
computations, in contrast to all previous records since early 2013. While such
computations are crucial to the complexity algorithms,
they were simply too slow for our purposes. Finally, this computation should
serve as a serious deterrent to cryptographers who are still proposing to rely
on the discrete logarithm security of such finite fields in applications,
despite the existence of two quasi-polynomial algorithms and the prospect of
even faster algorithms being developed.Comment: 22 page
Indiscreet discrete logarithms
In 2013 and 2014 a revolution took place in the understanding of the discrete logarithm problem (DLP) in finite fields of small characteristic. Consequently, many cryptosystems based on cryptographic pairings were rendered completely insecure, which serves as a valuable reminder that long-studied so-called hard problems may turn out to be far easier than initially believed. In this article, Robert Granger gives an overview of the surprisingly simple ideas behind some of the breakthroughs and the many computational records that have so far resulted from them
Computation of a 30 750-Bit Binary Field Discrete Logarithm
This paper reports on the computation of a discrete logarithm in the finite field , breaking by a large margin the previous record, which was set in January 2014 by a computation in . The present computation made essential use of the elimination step of the quasi-polynomial algorithm due to Granger, Kleinjung and ZumbrÀgel, and is the first large-scale experiment to truly test and successfully demonstrate its potential when applied recursively, which is when it leads to the stated complexity. It required the equivalent of about 2900 core years on a single core of an Intel Xeon Ivy Bridge processor running at 2.6 GHz, which is comparable to the approximately 3100 core years expended for the discrete logarithm record for prime fields, set in a field of bit-length 795, and demonstrates just how much easier the problem is for this level of computational effort. In order to make the computation feasible we introduced several innovative techniques for the elimination of small degree irreducible elements, which meant that we avoided performing any costly Gröbner basis computations, in contrast to all previous records since early 2013. While such computations are crucial to the complexity algorithms, they were simply too slow for our purposes. Finally, this computation should serve as a serious deterrent to cryptographers who are still proposing to rely on the discrete logarithm security of such finite fields in applications, despite the existence of two quasi-polynomial algorithms and the prospect of even faster algorithms being developed
The Discrete Logarithm Problem in Finite Fields of Small Characteristic
Computing discrete logarithms is a long-standing algorithmic problem, whose hardness forms the basis for numerous current public-key cryptosystems. In the case of finite fields of small characteristic, however, there has been tremendous progress recently, by which the complexity of the discrete logarithm problem (DLP) is considerably reduced.
This habilitation thesis on the DLP in such fields deals with two principal aspects. On one hand, we develop and investigate novel efficient algorithms for computing discrete logarithms, where the complexity analysis relies on heuristic assumptions. In particular, we show that logarithms of factor base elements can be computed in polynomial time, and we discuss practical impacts of the new methods on the security of pairing-based cryptosystems.
While a heuristic running time analysis of algorithms is common practice for concrete security estimations, this approach is insufficient from a mathematical perspective. Therefore, on the other hand, we focus on provable complexity results, for which we modify the algorithms so that any heuristics are avoided and a rigorous analysis becomes possible. We prove that for any prime field there exist infinitely many extension fields in which the DLP can be solved in quasi-polynomial time.
Despite the two aspects looking rather independent from each other, it turns out, as illustrated in this thesis, that progress regarding practical algorithms and record computations can lead to advances on the theoretical running time analysis -- and the other way around.Die Berechnung von diskreten Logarithmen ist ein eingehend untersuchtes algorithmisches Problem, dessen Schwierigkeit zahlreiche Anwendungen in der heutigen Public-Key-Kryptographie besitzt. FĂŒr endliche Körper kleiner Charakteristik sind jedoch kĂŒrzlich erhebliche Fortschritte erzielt worden, welche die KomplexitĂ€t des diskreten Logarithmusproblems (DLP) in diesem Szenario drastisch reduzieren.
Diese Habilitationsschrift erörtert zwei grundsÀtzliche Aspekte beim DLP in Körpern kleiner Charakteristik. Es werden einerseits neuartige, erheblich effizientere Algorithmen zur Berechnung von diskreten Logarithmen entwickelt und untersucht, wobei die Laufzeitanalyse auf heuristischen Annahmen beruht. Unter anderem wird gezeigt, dass Logarithmen von Elementen der Faktorbasis in polynomieller Zeit berechnet werden können, und welche praktischen Auswirkungen die neuen Verfahren auf die Sicherheit paarungsbasierter Kryptosysteme haben.
WĂ€hrend heuristische LaufzeitabschĂ€tzungen von Algorithmen fĂŒr die konkrete Sicherheitsanalyse ĂŒblich sind, so erscheint diese Vorgehensweise aus mathematischer Sicht unzulĂ€nglich. Der Aspekt der beweisbaren KomplexitĂ€t fĂŒr DLP-Algorithmen konzentriert sich deshalb darauf, modifizierte Algorithmen zu entwickeln, die jegliche heuristische Annahme vermeiden und dessen Laufzeit rigoros gezeigt werden kann. Es wird bewiesen, dass fĂŒr jeden Primkörper unendlich viele Erweiterungskörper existieren, fĂŒr die das DLP in quasi-polynomieller Zeit gelöst werden kann.
Obwohl die beiden Aspekte weitgehend unabhĂ€ngig voneinander erscheinen mögen, so zeigt sich, wie in dieser Schrift illustriert wird, dass Fortschritte bei praktischen Algorithmen und Rekordberechnungen auch zu Fortentwicklungen bei theoretischen LaufzeitabschĂ€tzungen fĂŒhren -- und umgekehrt