Square root algorithms for the number field sieve
The original publication is available at www.springerlink.com. We review several methods for the square root step of the Number Field Sieve, and present an original one, based on the Chinese Remainder Theorem.
Computing -th roots in number fields
We describe several algorithms for computing -th roots of elements in a
number field , where is an odd prime-power integer. In particular we
generalize Couveignes' and Thomé's algorithms originally designed to compute
square-roots in the Number Field Sieve algorithm for integer factorization. Our
algorithms cover most cases of and and allow one to obtain reasonable
timings even for large degree number fields and large exponents . The
complexity of our algorithms is better than general root finding algorithms and
our implementation compared well in performance to these algorithms implemented
in well-known computer algebra software. One important application of our
algorithms is to compute the saturation phase in the Twisted-PHS algorithm for
computing the Ideal-SVP problem over cyclotomic fields in post-quantum
cryptography.
Comment: 9 pages, 4 figures. Associated experimental code provided at
https://github.com/ob3rnard/eth-root
Root optimization of polynomials in the number field sieve
The general number field sieve (GNFS) is the most efficient algorithm known
for factoring large integers. It consists of several stages, the first one
being polynomial selection. The quality of the chosen polynomials in polynomial
selection can be modelled in terms of size and root properties. In this paper,
we describe some algorithms for selecting polynomials with very good root
properties.
Comment: 16 pages, 18 reference
Galois invariant smoothness basis
This text answers a question raised by Joux and the second author about the
computation of discrete logarithms in the multiplicative group of finite
fields. Given a finite residue field \bK, one looks for a smoothness basis
for \bK^* that is left invariant by automorphisms of \bK. For a broad class
of finite fields, we manage to construct models that allow such a smoothness
basis. This work aims at accelerating discrete logarithm computations in such
fields. We treat the cases of codimension one (the linear sieve) and
codimension two (the function field sieve).
Solving discrete logarithms on a 170-bit MNT curve by pairing reduction
Pairing based cryptography is in a dangerous position following the
breakthroughs on discrete logarithms computations in finite fields of small
characteristic. Remaining instances are built over finite fields of large
characteristic and their security relies on the fact that the embedding field
of the underlying curve is relatively large. How large is debatable. The aim of
our work is to sustain the claim that the combination of degree 3 embedding and
too small finite fields obviously does not provide enough security. As a
computational example, we solve the DLP on a 170-bit MNT curve, by exploiting
the pairing embedding to a 508-bit, degree-3 extension of the base field.
Comment: to appear in the Lecture Notes in Computer Science (LNCS
A kilobit hidden SNFS discrete logarithm computation
We perform a special number field sieve discrete logarithm computation in a
1024-bit prime field. To our knowledge, this is the first kilobit-sized
discrete logarithm computation ever reported for prime fields. This computation
took a little over two months of calendar time on an academic cluster using the
open-source CADO-NFS software. Our chosen prime looks random, and
has a 160-bit prime factor, in line with recommended parameters for the Digital
Signature Algorithm. However, our p has been trapdoored in such a way that the
special number field sieve can be used to compute discrete logarithms in
, yet detecting that p has this trapdoor seems out of reach.
Twenty-five years ago, there was considerable controversy around the
possibility of back-doored parameters for DSA. Our computations show that
trapdoored primes are entirely feasible with current computing technology. We
also describe special number field sieve discrete log computations carried out
for multiple weak primes found in use in the wild. As can be expected from a
trapdoor mechanism which we say is hard to detect, our research did not reveal
any trapdoored prime in wide use. The only way for a user to defend against a
hypothetical trapdoor of this kind is to require verifiably random primes
- …