
    Computing Individual Discrete Logarithms Faster in GF(p^n)

    The Number Field Sieve (NFS) algorithm is the best known method to compute discrete logarithms (DL) in finite fields $\mathbb{F}_{p^n}$, with $p$ medium to large and $n \geq 1$ small. This algorithm comprises four steps: polynomial selection, relation collection, linear algebra and finally, individual logarithm computation. The first step outputs two polynomials defining two number fields, and a map from the polynomial ring over the integers modulo each of these polynomials to $\mathbb{F}_{p^n}$. After the relation collection and linear algebra phases, the (virtual) logarithm of a subset of elements in each number field is known. Given the target element in $\mathbb{F}_{p^n}$, the fourth step computes a preimage in one number field. If one can write the target preimage as a product of elements of known (virtual) logarithm, then one can deduce the discrete logarithm of the target. As recently shown by the Logjam attack, this final step can be critical when it can be computed very quickly. But we realized that computing an individual DL is much slower in medium- and large-characteristic non-prime fields $\mathbb{F}_{p^n}$ with $n \geq 3$, compared to prime fields and quadratic fields $\mathbb{F}_{p^2}$. We optimize the first part of individual DL, the booting step, by dramatically reducing the size of the preimage norm. Its smoothness probability is higher, hence the running time of the booting step is much improved. Our method is very efficient for small extension fields with $2 \leq n \leq 6$ and applies to any $n > 1$, in medium and large characteristic.

    Faster individual discrete logarithms in finite fields of composite extension degree

    Computing discrete logarithms in finite fields is a main concern in cryptography. The best algorithms in large and medium characteristic fields (e.g., $\mathrm{GF}(p^2)$, $\mathrm{GF}(p^{12})$) are the Number Field Sieve and its variants (special, high-degree, tower). The best algorithms in small characteristic finite fields (e.g., $\mathrm{GF}(3^{6 \cdot 509})$) are the Function Field Sieve, Joux's algorithm, and the quasipolynomial-time algorithm. The last step of this family of algorithms is the individual logarithm computation. It computes a smooth decomposition of a given target in two phases: an initial splitting, then a descent tree. While new improvements have been made to reduce the complexity of the dominating relation collection and linear algebra steps, resulting in a smaller factor basis (database of known logarithms of small elements), the last step remains at the same level of difficulty. Indeed, we have to find a smooth decomposition of a typically large element in the finite field. This work improves the initial splitting phase and applies to any non-prime finite field. It is very efficient when the extension degree is composite. It exploits the proper subfields, resulting in a much smoother decomposition of the target. This leads to a new trade-off between the initial splitting step and the descent step in small characteristic. Moreover, it reduces the width and the height of the subsequent descent tree.

    Algorithms for delegating pairing computation

    We address the question of how a computationally limited device may outsource pairing computation in cryptography to another, potentially malicious, but much more computationally powerful device. We introduce two new efficient protocols for securely outsourcing pairing computations to an untrusted helper. The first generic scheme is proven computationally secure (and can be proven statistically secure at the expense of worse performance). It allows various communication-efficiency trade-offs. The second specific scheme, for the optimal Ate pairing on a Barreto-Naehrig curve, is unconditionally secure and does not rely on any hardness assumption. Both protocols are more efficient than the actual computation of the pairing by the restricted device, and in particular they are more efficient than all previous proposals.

    On the Alpha Value of Polynomials in the Tower Number Field Sieve Algorithm

    In this paper, we provide a notable step towards filling the gap between theory (estimates of running time) and practice (a discrete logarithm record computation) for the Tower Number Field Sieve (TNFS) algorithm. We propose a generalisation of the ranking formula for selecting the polynomials used in the very first step of the TNFS algorithm. For this we provide a definition and an exact implementation (Magma and SageMath) of the alpha function. This function measures the bias in the smoothness probability of norms in number fields compared to random integers of the same size. We use it to estimate the yield of polynomials, that is the expected number of relations, as a generalisation of Murphy's E function, and finally the total amount of operations needed to compute a discrete logarithm with the TNFS algorithm in the targeted fields. This is an improvement of the earlier work of Barbulescu and Duquesne on estimating the running time of the algorithm. We apply our estimates to a wide size range of finite fields GF(p^n), for small composite n = 12, 16, 18, 24, that are target fields of pairing-friendly curves.

    Automated fragment identification for electron ionisation mass spectrometry: application to atmospheric measurements of halocarbons

    Non-target screening consists of searching a sample for all present substances, suspected or unknown, with very little prior knowledge about the sample. This approach was introduced more than a decade ago in the field of water analysis, together with dedicated compound identification tools, but is still very scarce for indoor and atmospheric trace gas measurements, despite the clear need for a better understanding of the atmospheric trace gas composition. For a systematic detection of emerging trace gases in the atmosphere, a new and powerful analytical method is gas chromatography (GC) of preconcentrated samples, followed by electron ionisation, high resolution mass spectrometry (EI-HRMS). In this work, we present data analysis tools to enable automated fragment formula annotation for unknown compounds measured by GC-EI-HRMS. Based on co-eluting mass/charge fragments, we developed an innovative data analysis method to reliably reconstruct the chemical formulae of the fragments, using efficient combinatorics and graph theory. The method does not require the presence of the molecular ion, which is absent in ~40% of EI spectra. Our method has been trained and validated on >50 halocarbons and hydrocarbons, with 3 to 20 atoms and molar masses of 30 to 330 g mol^-1, measured with a mass resolution of approx. 3500. For 90% of the compounds, more than 90% of the annotated fragment formulae are correct. Cases of wrong identification can be attributed to the scarcity of detected fragments per compound or the lack of isotopic constraint (no minor isotopocule detected). Our method enables the reconstruction of the most probable chemical formulae independently of spectral databases. Therefore, it demonstrates the suitability of EI-HRMS data for non-target analysis and paves the way for the identification of substances for which no EI mass spectrum is registered in databases. We illustrate the performance of our method for atmospheric trace gases and suggest that it may be well suited for many other types of samples. The L-GPL licensed Python code is released under the name ALPINAC, for ALgorithmic Process for Identification of Non-targeted Atmospheric Compounds.
    Comment: Journal of Cheminformatics, Chemistry Central Ltd. and BioMed Central, 202

    Improvements to the number field sieve for non-prime finite fields

    This unpublished version contains some inexact statements. Please refer to the version published at Eurocrypt 2015, also available at https://hal.inria.fr/hal-01112879v2
    We propose various strategies for improving the computation of discrete logarithms in non-prime fields of medium to large characteristic using the Number Field Sieve. This includes new methods for selecting the polynomials; the use of explicit automorphisms; explicit computations in the number fields; and prediction that some units have a zero virtual logarithm. On the theoretical side, we obtain a new complexity bound of $L_{p^n}(1/3,\sqrt[3]{96/9})$ in the medium characteristic case. On the practical side, we computed discrete logarithms in $F_{p^2}$ for a prime number $p$ with 80 decimal digits.
    We describe several strategies for speeding up the computation of discrete logarithms in a non-prime finite field of medium or large characteristic using the number field sieve. Among them: new polynomial selection methods; the explicit use of automorphisms; explicit computations in the number fields; and the prediction that the virtual logarithms of well-chosen units vanish. From a theoretical point of view, we obtain a new complexity of $L_{p^n}(1/3,\sqrt[3]{96/9})$ in the medium characteristic case. On the practical side, we carried out the computation of discrete logarithms in $F_{p^2}$ with $p$ a prime of 80 decimal digits.

    New records in integer factorization and discrete logarithm computation

    https://www.techniques-ingenieur.fr/
    This article describes two new records established at the end of 2019: an integer factorization record for the factorization of RSA-240, and a discrete logarithm record of the same size. These two records correspond to 795-bit numbers, or 240 decimal digits, and were established with the same open-source CADO-NFS software, on the same type of processors. These records serve as a reference for key size recommendations for cryptographic protocols.
    This article describes two new records set at the end of 2019: an integer factorization record with the factorization of the number RSA-240, and a discrete logarithm computation record of the same size. These two records correspond to 795-bit numbers, i.e. 240 decimal digits, and were set with the same free software (CADO-NFS), on the same type of processors. These records serve as a reference for key size recommendations for cryptographic protocols.

    Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves

    We provide software implementation timings for pairings over composite-order and prime-order elliptic curves. Composite orders must be large enough to be infeasible to factor. In the literature they are moduli with 2 up to 5 large prime factors. Size recommendations exist for two-prime RSA moduli, and we extend the results of Lenstra concerning RSA modulus sizes to multi-prime moduli, for various security levels. We then implement a Tate pairing over a composite-order supersingular curve and an optimal ate pairing over a prime-order Barreto-Naehrig curve, both at the 128-bit security level. We use our implementation timings to deduce the total cost of the homomorphic encryption scheme of Boneh, Goh and Nissim and its translation by Freeman to the prime-order setting. We also compare the efficiency of the unbounded Hierarchical Identity Based Encryption protocol of Lewko and Waters and its translation by Lewko to the prime-order setting. Our results strengthen the previously observed inefficiency of composite-order bilinear groups and advocate the use of prime-order groups whenever possible in protocol design.

    Study of pairing arithmetic on algebraic curves for cryptography

    Since 2000, pairings have become a very useful tool to design new protocols in cryptography. Short signatures and identity-based encryption also became practical thanks to these pairings. This thesis contains two parts. One part is about optimized pairing implementation on different elliptic curves according to the targeted protocol. Pairings are implemented on supersingular elliptic curves in large characteristic and on Barreto-Naehrig curves. The pairing library developed at Thales is used in a broadcast encryption scheme prototype. The prototype implements pairings over Barreto-Naehrig curves. Pairings over supersingular curves are much slower and have larger parameters. However, these curves are interesting when implementing protocols which use composite-order elliptic curves (the group order is an RSA modulus). We implement two protocols that use pairings on composite-order groups and compare the benchmarks and the parameter size with their counterparts in a prime-order setting. The composite-order case is 30 to 250 times slower depending on the protocol step considered: the efficiency gap between the two cases is very large. A second part of this thesis is about two families of genus 2 curves. Their Jacobians are isogenous to the product of two elliptic curves over a small extension field. The properties of elliptic curves can be translated to the Jacobians thanks to this isogeny. Point counting is as easy as for elliptic curves in this case. We also construct two endomorphisms both on the Jacobians and on the elliptic curves. These endomorphisms can be used for scalar multiplication improved with a four-dimensional Gallant-Lambert-Vanstone method.
    Since 2000, pairings have become a very good tool for designing new cryptographic protocols. Short signatures and identity-based encryption became achievable thanks to pairings. The work carried out in this thesis comprises two complementary aspects. One part consists of the optimized implementation of pairings on different elliptic curves, depending on the targeted protocols. An implementation on supersingular curves in large characteristic and on Barreto-Naehrig curves is detailed. The library developed at the Laboratoire Chiffre of Thales is used with Barreto-Naehrig curves in a broadcast encryption protocol. The second application evaluates the difference in computation time between protocols using pairings on composite-order curves (a large RSA modulus) and the translation of these protocols that uses several pairings on more usual curves. The results show a difference by a factor of 30 to 250 depending on the protocol steps, which is very significant. A second part deals with two families of genus 2 curves. The Jacobians of these curves are isogenous to the product of two elliptic curves over a small-degree field extension. This isogeny allows the properties of the elliptic curves to be transferred to the Jacobians. Point counting is easy and requires only counting points on one of the isogenous elliptic curves, plus a few adjustments. We also present the construction of two endomorphisms, both on the Jacobians and on the elliptic curves. These two endomorphisms enable efficient scalar multiplication following the method of Gallant, Lambert and Vanstone, here in dimension four.