
    On the discrete logarithm problem in finite fields of fixed characteristic

    For $q$ a prime power, the discrete logarithm problem (DLP) in $\mathbb{F}_q$ consists in finding, for any $g \in \mathbb{F}_q^{\times}$ and $h \in \langle g \rangle$, an integer $x$ such that $g^x = h$. We present an algorithm for computing discrete logarithms with which we prove that for each prime $p$ there exist infinitely many explicit extension fields $\mathbb{F}_{p^n}$ in which the DLP can be solved in expected quasi-polynomial time. Furthermore, subject to a conjecture on the existence of irreducible polynomials of a certain form, the algorithm solves the DLP in all extensions $\mathbb{F}_{p^n}$ in expected quasi-polynomial time.
    Comment: 15 pages, 2 figures. To appear in Transactions of the AM
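    To make the problem statement above concrete, the following is an added example (not code from the paper, and not its algorithm): it builds a small-characteristic extension field $\mathbb{F}_{p^n} = \mathbb{F}_p[x]/(f)$ with the assumed parameters $p = 3$, $n = 4$, $f = x^4 + x + 2$, checks that $f$ is irreducible (otherwise the quotient ring is not a field), picks a generator $g$ of $\mathbb{F}_{p^n}^{\times}$, and solves $g^x = h$ with the generic baby-step giant-step method. The generic method costs about $\sqrt{p^n - 1}$ field operations and memory, which is the baseline the quasi-polynomial algorithms in the abstracts above improve on by exploiting the field's structure.

```python
"""Discrete logarithms in a small extension field F_{p^n} = F_p[x]/(f).

Added example. Parameters P, N and the modulus F are assumptions made here
for illustration; nothing below reproduces the index-calculus / QPA
algorithms of the listed papers. Elements are tuples of N coefficients in
F_p, constant term first.
"""
from itertools import product
from math import isqrt

P, N = 3, 4
F = (2, 1, 0, 0, 1)            # f = x^4 + x + 2 over F_3 (assumed modulus)
ONE = tuple([1] + [0] * (N - 1))
ORDER = P ** N - 1             # |F_{p^n}^x|


def poly_mul(a, b, p):
    """Product of two polynomials over F_p (lists, low degree first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[i + j] = (out[i + j] + ai * bj) % p
    return out


def poly_mod(a, m, p):
    """Remainder of a modulo m over F_p, trailing zeros trimmed."""
    a = [c % p for c in a]
    dm = len(m) - 1
    inv_lead = pow(m[-1], -1, p)
    for i in range(len(a) - 1, dm - 1, -1):
        c = a[i] * inv_lead % p
        if c:
            for j in range(dm + 1):
                a[i - dm + j] = (a[i - dm + j] - c * m[j]) % p
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def is_irreducible(f, p):
    """Brute-force check: no monic divisor of degree 1..deg(f)//2."""
    n = len(f) - 1
    for d in range(1, n // 2 + 1):
        for coeffs in product(range(p), repeat=d):
            g = list(coeffs) + [1]
            if poly_mod(f, g, p) == [0]:
                return False
    return True


def fmul(a, b):
    """Field multiplication in F_p[x]/(F), result padded to N coefficients."""
    r = poly_mod(poly_mul(a, b, P), F, P)
    return tuple(r + [0] * (N - len(r)))


def fpow(a, e):
    """Square-and-multiply exponentiation in the field."""
    result, base = ONE, a
    while e:
        if e & 1:
            result = fmul(result, base)
        base = fmul(base, base)
        e >>= 1
    return result


def prime_factors(m):
    fs, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            fs.add(d)
            m //= d
        d += 1
    if m > 1:
        fs.add(m)
    return fs


def find_generator():
    """First element whose order is exactly ORDER (Lagrange + prime test)."""
    qs = prime_factors(ORDER)
    for coeffs in product(range(P), repeat=N):
        g = tuple(coeffs)
        if any(g) and all(fpow(g, ORDER // q) != ONE for q in qs):
            return g
    raise ValueError("no generator: F is probably not irreducible")


def bsgs(g, h):
    """Return x with g^x = h for h in <g>; about sqrt(ORDER) steps and table entries."""
    m = isqrt(ORDER) + 1
    baby = {}
    cur = ONE
    for j in range(m):                 # baby steps: g^j for 0 <= j < m
        baby.setdefault(cur, j)
        cur = fmul(cur, g)
    giant = fpow(g, ORDER - m)         # g^{-m}, since g^ORDER = 1
    gamma = h
    for i in range(m):                 # giant steps: h * g^{-im}
        if gamma in baby:
            return (i * m + baby[gamma]) % ORDER
        gamma = fmul(gamma, giant)
    raise ValueError("h is not in the subgroup generated by g")


def demo(secret=57):
    """Set up the field, hide `secret` as h = g^secret, recover it."""
    if not is_irreducible(F, P):
        raise ValueError("F is reducible; F_p[x]/(F) is not a field")
    g = find_generator()
    h = fpow(g, secret)
    x = bsgs(g, h)
    assert fpow(g, x) == h
    return x


if __name__ == "__main__":
    print("recovered exponent:", demo())
```

    With $p^n - 1 = 80$ the table holds nine entries; for a field like $\mathbb{F}_{3^{6 \cdot 509}}$ the same method would need on the order of $2^{2400}$ steps, which is why the papers above turn to structure-exploiting algorithms rather than generic ones.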

    Studies on Deep Holes and Discrete Logarithms

    Error-correcting codes and cryptography are two important areas related to information communication. Generalized Reed-Solomon codes and cryptosystems based on the discrete logarithm problem are important representatives of these two fields, respectively. For a linear code, deep holes are defined to be vectors that are further away from codewords than all other vectors. The problem of deciding whether a received word is a deep hole for generalized Reed-Solomon codes is co-NP-complete. In the recent breakthrough paper by Barbulescu, Gaudry, Joux and Thomé, a quasi-polynomial time algorithm (QPA) was proposed for the discrete logarithm problem over finite fields of small characteristic. The time complexity analysis of the algorithm is based on several heuristics presented in their paper. In this dissertation, we shall study the deep hole problem of generalized Reed-Solomon codes and the discrete logarithm problem over finite fields. On the one hand, we shall classify deep holes for generalized Reed-Solomon codes $RS_q(D,k)$ in a special case. On the other hand, we shall show that some of the heuristics in the BGJT algorithm are problematic in their original forms, in particular when the field is not a Kummer extension. We propose a solution to the algorithm in non-Kummer cases, without altering the quasi-polynomial time complexity.

    On the Powers of 2

    In 2013 the function field sieve algorithm for computing discrete logarithms in finite fields of small characteristic underwent a series of dramatic improvements, culminating in the first heuristic quasi-polynomial time algorithm, due to Barbulescu, Gaudry, Joux and Thomé. In this article we present an alternative descent method which is built entirely from the on-the-fly degree two elimination method of Göloğlu, Granger, McGuire and Zumbrägel. This also results in a heuristic quasi-polynomial time algorithm, for which the descent does not require any relation gathering or linear algebra eliminations and, interestingly, does not require any smoothness assumptions about non-uniformly distributed polynomials. These properties make the new descent method readily applicable at currently viable bitlengths and better suited to theoretical analysis.

    The Discrete Logarithm Problem in Finite Fields of Small Characteristic

    Computing discrete logarithms is a long-standing algorithmic problem, whose hardness forms the basis for numerous current public-key cryptosystems. In the case of finite fields of small characteristic, however, there has been tremendous progress recently, by which the complexity of the discrete logarithm problem (DLP) is considerably reduced. This habilitation thesis on the DLP in such fields deals with two principal aspects. On one hand, we develop and investigate novel efficient algorithms for computing discrete logarithms, where the complexity analysis relies on heuristic assumptions. In particular, we show that logarithms of factor base elements can be computed in polynomial time, and we discuss practical impacts of the new methods on the security of pairing-based cryptosystems. While a heuristic running time analysis of algorithms is common practice for concrete security estimations, this approach is insufficient from a mathematical perspective. Therefore, on the other hand, we focus on provable complexity results, for which we modify the algorithms so that any heuristics are avoided and a rigorous analysis becomes possible. We prove that for any prime field there exist infinitely many extension fields in which the DLP can be solved in quasi-polynomial time. Despite the two aspects looking rather independent from each other, it turns out, as illustrated in this thesis, that progress regarding practical algorithms and record computations can lead to advances on the theoretical running time analysis -- and the other way around.

    Factor Base Discrete Logarithms in Kummer Extensions

    The discrete logarithm over finite fields of small characteristic can be solved much more efficiently than previously thought. This algorithmic breakthrough is based on pinpointing relations among the factor base discrete logarithms. In this paper, we concentrate on the Kummer extension $\mathbb{F}_{q^{2(q-1)}} = \mathbb{F}_{q^2}[x]/(x^{q-1} - A)$. It has been suggested that in this case, a small number of degenerate relations (from the Borel subgroup) are enough to solve the factor base discrete logarithms. We disprove the conjecture, and design a new heuristic algorithm with an improved bit complexity $\tilde{O}(q^{1+\theta})$ (or algebraic complexity $\tilde{O}(q^{\theta})$) to compute discrete logarithms of all the elements in the factor base $\{\, x + \alpha \mid \alpha \in \mathbb{F}_{q^2} \,\}$, where $\theta < 2.38$ is the matrix multiplication exponent over rings. Given additional time $\tilde{O}(q^4)$, we can compute discrete logarithms of at least $\Omega(q^3)$ many monic irreducible quadratic polynomials. We reduce the correctness of the algorithm to a conjecture concerning the determinant of a simple $(q+1)$-dimensional lattice, rather than to elusive smoothness assumptions. We verify the conjecture numerically for all prime powers $q$ such that $\log_2(q^{2(q-1)}) \leq 5134$, and provide theoretical supporting evidence.

    Weakness of $\mathbb{F}_{3^{6 \cdot 1429}}$ and $\mathbb{F}_{2^{4 \cdot 3041}}$ for Discrete Logarithm Cryptography

    In 2013, Joux and then Barbulescu et al. presented new algorithms for computing discrete logarithms in finite fields of small characteristic. Shortly thereafter, Adj et al. presented a concrete analysis showing that, when combined with some steps from classical algorithms, the new algorithms render the finite field $\mathbb{F}_{3^{6 \cdot 509}}$ weak for pairing-based cryptography. Granger and Zumbrägel then presented a modification of the new algorithms that extends their effectiveness to a wider range of fields. In this paper, we study the effectiveness of the new algorithms combined with a carefully crafted descent strategy for the fields $\mathbb{F}_{3^{6 \cdot 1429}}$ and $\mathbb{F}_{2^{4 \cdot 3041}}$. The intractability of the discrete logarithm problem in these fields is necessary for the security of pairings derived from supersingular curves with embedding degree 6 and 4 defined, respectively, over $\mathbb{F}_{3^{1429}}$ and $\mathbb{F}_{2^{3041}}$; these curves were believed to enjoy a security level of 192 bits against attacks by Coppersmith's algorithm. Our analysis shows that these pairings offer security levels of at most 96 and 129 bits, respectively, leading us to conclude that they are dead for pairing-based cryptography.

    Study of Matrices Related to Discrete Logarithm in Kummer Extensions

    The discrete logarithm problem has been studied during the past decades for its important application in cryptography and other fields. It is very useful in public key cryptography, which is widely used for Internet safety. Using current computers to solve the general discrete logarithm problem still seems not possible within reasonable time, since no polynomial time algorithm has been found for general cases. However, over finite fields of small characteristic, the factor base discrete logarithm can be solved much faster with heuristic polynomial time algorithms. This thesis is mainly based on the previous study of factor base discrete logarithms in Kummer extensions published recently by Xiao-Zhuang-Cheng [14], and we focused on further calculation in this study. The previous research calculated the determinant of the lattice to verify the hypothesis. It showed good results for all $q$ such that $\log_2(q^{2(q-1)}) < 5000$, and in this thesis we pushed the limit to $\log_2(q^{2(q-1)}) < 10000$. During the calculation, we tried different strategies to improve the efficiency, by transforming the matrices and splitting the $q$'s into several groups. We achieved a 1000% speed-up for most $q$ in the range and discovered some possible structures for grouping the $q$'s in the calculation. In the thesis, we'll go through the basic background of the study, and then introduce the main methods and experiments done in the study. We'll discuss the grouping of the $q$'s and the efficiency improvement. In the end we'll summarize the progress and the possible future work of this study.