33 research outputs found
Computing Individual Discrete Logarithms Faster in
The Number Field Sieve (NFS) algorithm is the best known method to
compute discrete logarithms (DL) in finite fields
, with medium to large and small. This algorithm
comprises four steps: polynomial selection, relation collection,
linear algebra and finally, individual logarithm computation. The
first step outputs two polynomials defining two number fields, and a
map from the polynomial ring over the integers modulo each of these
polynomials to .
After the relation collection and linear algebra
phases, the (virtual) logarithm of a subset of elements in each number
field is known. Given the target element in , the fourth
step computes a preimage in one number field. If one can write the
target preimage as a product of elements of known (virtual) logarithm,
then one can deduce the discrete logarithm of the target.
As recently shown by the Logjam attack, this final step can be
critical when it can be computed very quickly.
But we realized that computing an individual DL is much slower in medium-
and large-characteristic non-prime fields with ,
compared to prime fields and quadratic fields . We optimize
the first part of individual DL, the booting step, by dramatically
reducing the size of the preimage norm.
Its smoothness probability is higher, hence the running time of the
booting step is much improved.
Our method is very efficient for small extension fields with and applies to any , in medium and large characteristic.
Faster individual discrete logarithms in finite fields of composite extension degree
Computing discrete logarithms in finite fields is a main concern in cryptography. The best algorithms in large and medium characteristic fields (e.g., {GF}, {GF}) are the Number Field Sieve and its variants (special, high-degree, tower). The best algorithms in small characteristic finite fields (e.g., {GF}) are the Function Field Sieve, Joux's algorithm, and the quasipolynomial-time algorithm. The last step of this family of algorithms is the individual logarithm computation. It computes a smooth decomposition of a given target in two phases: an initial splitting, then a descent tree. While new improvements have been made to reduce the complexity of the dominating relation collection and linear algebra steps, resulting in a smaller factor basis (database of known logarithms of small elements), the last step remains at the same level of difficulty. Indeed, we have to find a smooth decomposition of a typically large element in the finite field. This work improves the initial splitting phase and applies to any nonprime finite field. It is very efficient when the extension degree is composite. It exploits the proper subfields, resulting in a much smoother decomposition of the target. This leads to a new trade-off between the initial splitting step and the descent step in small characteristic. Moreover, it reduces the width and the height of the subsequent descent tree.
Algorithmes de délégation de calcul de couplage (Pairing computation delegation algorithms)
We address the question of how a computationally limited device may outsource pairing computation in cryptography to another, potentially malicious, but much more computationally powerful device. We introduce two new efficient protocols for securely outsourcing pairing computations to an untrusted helper. The first generic scheme is proven computationally secure (and can be proven statistically secure at the expense of worse performance). It allows various communication-efficiency trade-offs. The second specific scheme, for the optimal Ate pairing on a Barreto-Naehrig curve, is unconditionally secure and does not rely on any hardness assumption. Both protocols are more efficient than the actual computation of the pairing by the restricted device, and in particular they are more efficient than all previous proposals.
On the Alpha Value of Polynomials in the Tower Number Field Sieve Algorithm
In this paper, we provide a notable step towards filling the gap between theory (estimates of running time) and practice (a discrete logarithm record computation) for the Tower Number Field Sieve (TNFS) algorithm. We propose a generalisation of the ranking formula for selecting the polynomials used in the very first step of the TNFS algorithm. For this we provide a definition and an exact implementation (Magma and SageMath) of the alpha function. This function measures the bias in the smoothness probability of norms in number fields compared to random integers of the same size. We use it to estimate the yield of polynomials, that is the expected number of relations, as a generalisation of Murphy's E function, and finally the total amount of operations needed to compute a discrete logarithm with the TNFS algorithm in the targeted fields. This is an improvement of the earlier work of Barbulescu and Duquesne on estimating the running time of the algorithm. We apply our estimates to a wide size range of finite fields GF(p^n), for small composite n = 12, 16, 18, 24, that are target fields of pairing-friendly curves.
Automated fragment identification for electron ionisation mass spectrometry: application to atmospheric measurements of halocarbons
Non-target screening consists of searching a sample for all present
substances, suspected or unknown, with very little prior knowledge about the
sample. This approach was introduced more than a decade ago in the field
of water analysis, together with dedicated compound identification tools, but
is still very scarce for indoor and atmospheric trace gas measurements, despite
the clear need for a better understanding of the atmospheric trace gas
composition. For a systematic detection of emerging trace gases in the
atmosphere, a new and powerful analytical method is gas chromatography (GC) of
preconcentrated samples, followed by electron ionisation high resolution mass
spectrometry (EI-HRMS). In this work, we present data analysis tools to enable
automated fragment formula annotation for unknown compounds measured by
GC-EI-HRMS. Based on co-eluting mass/charge fragments, we developed an
innovative data analysis method to reliably reconstruct the chemical formulae
of the fragments, using efficient combinatorics and graph theory. The method
does not require the presence of the molecular ion, which is absent in ~40% of
EI spectra. Our method has been trained and validated on >50
halocarbons and hydrocarbons, with 3 to 20 atoms and molar masses of 30 to 330
g mol^-1, measured with a mass resolution of approx. 3500. For 90% of the
compounds, more than 90% of the annotated fragment formulae are correct. Cases
of wrong identification can be attributed to the scarcity of detected fragments
per compound or the lack of isotopic constraint (no minor isotopocule
detected). Our method enables the reconstruction of the most probable chemical formulae
independently of spectral databases. Therefore, it demonstrates the
suitability of EI-HRMS data for non-target analysis and paves the way for the
identification of substances for which no EI mass spectrum is registered in
databases. We illustrate the performance of our method for atmospheric trace
gases and suggest that it may be well suited for many other types of samples.
The L-GPL licensed Python code is released under the name ALPINAC for
ALgorithmic Process for Identification of Non-targeted Atmospheric Compounds.
Comment: Journal of Cheminformatics, Chemistry Central Ltd. and BioMed Central, 202
Improvements to the number field sieve for non-prime finite fields
This unpublished version contains some inexact statements. Please refer to the version published at Eurocrypt 2015, also available at https://hal.inria.fr/hal-01112879v2
We propose various strategies for improving the computation of discrete logarithms in non-prime fields of medium to large characteristic using the Number Field Sieve. This includes new methods for selecting the polynomials; the use of explicit automorphisms; explicit computations in the number fields; and prediction that some units have a zero virtual logarithm. On the theoretical side, we obtain a new complexity bound of in the medium characteristic case. On the practical side, we computed discrete logarithms in for a prime number with decimal digits.
We describe several strategies to speed up the computation of discrete logarithms in a non-prime finite field of medium or large characteristic using the number field sieve. Among them: new polynomial selection methods; the explicit use of automorphisms; explicit computations in the number fields; and the prediction that the virtual logarithms of well-chosen units vanish. From a theoretical point of view, we obtain a new complexity of in the medium characteristic case. On the practical side, we carried out the computation of discrete logarithms in with prime of decimal digits. Warning: this unpublished version contains inexact statements.
Nouveaux records de factorisation et de calcul de logarithme discret (New records in factorization and discrete logarithm computation)
https://www.techniques-ingenieur.fr/
This article describes two new records established at the end of 2019: an integer factorization record for the factorization of RSA-240, and a discrete logarithm record of the same size. These two records correspond to 795-bit numbers, or 240 decimal digits, and were established with the same open-source CADO-NFS software, on the same type of processors. These records serve as a reference for key size recommendations for cryptographic protocols.
This article describes two new records established at the end of 2019: an integer factorization record with the factorization of the number RSA-240, and a discrete logarithm computation record of the same size. These two records correspond to 795-bit numbers, that is, 240 decimal digits, and were established with the same free software (CADO-NFS), on the same type of processors. These records serve as a reference for key-size recommendations for cryptographic protocols.
Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves
We provide software implementation timings for pairings over composite-order and prime-order elliptic curves. Composite orders must be large enough to be infeasible to factor. In the literature they are moduli of 2 up to 5 large prime numbers. There exist size recommendations for two-prime RSA moduli, and we extend the results of Lenstra concerning RSA modulus sizes to multi-prime moduli, for various security levels. We then implement a Tate pairing over a composite-order supersingular curve and an optimal ate pairing over a prime-order Barreto-Naehrig curve, both at the 128-bit security level. We use our implementation timings to deduce the total cost of the homomorphic encryption scheme of Boneh, Goh and Nissim and its translation by Freeman in the prime-order setting. We also compare the efficiency of the unbounded Hierarchical Identity Based Encryption protocol of Lewko and Waters and its translation by Lewko in the prime-order setting. Our results strengthen the previously observed inefficiency of composite-order bilinear groups and advocate the use of prime-order groups whenever possible in protocol design.
Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie (Study of pairing arithmetic on algebraic curves for cryptography)
Since 2000, pairings have become a very useful tool to design new protocols in cryptography. Short signatures and identity-based encryption also became practical thanks to these pairings. This thesis contains two parts. One part is about optimized pairing implementation on different elliptic curves according to the targeted protocol. Pairings are implemented on supersingular elliptic curves in large characteristic and on Barreto-Naehrig curves. The pairing library developed at Thales is used in a broadcast encryption scheme prototype. The prototype implements pairings over Barreto-Naehrig curves. Pairings over supersingular curves are much slower and have larger parameters. However, these curves are interesting when implementing protocols which use composite-order elliptic curves (the group order is an RSA modulus). We implement two protocols that use pairings on composite-order groups and compare the benchmarks and the parameter size with their counterpart in a prime-order setting. The composite-order case is 30 to 250 times slower depending on the step considered in the protocols: the efficiency difference between the two cases is very significant. A second part of this thesis is about two families of genus 2 curves. Their Jacobians are isogenous to the product of two elliptic curves over a small extension field. The properties of elliptic curves can be translated to the Jacobians thanks to this isogeny. Point counting is as easy as for elliptic curves in this case. We also construct two endomorphisms, both on the Jacobians and on the elliptic curves. These endomorphisms can be used for scalar multiplication improved with a four-dimensional Gallant-Lambert-Vanstone method.
Since 2000, pairings have become a very good tool for designing new cryptographic protocols. Short signatures and identity-based encryption have become feasible thanks to pairings.
The work carried out in this thesis comprises two complementary aspects. One part consists of the optimized implementation of pairings on different elliptic curves, depending on the targeted protocols. An implementation on supersingular curves in large characteristic and on Barreto-Naehrig curves is detailed. The library developed at the Laboratoire Chiffre of Thales is used with Barreto-Naehrig curves in a broadcast encryption protocol. The second application evaluates the difference in computation time between protocols using pairings on composite-order curves (a large RSA modulus) and the translation of these protocols that uses several pairings on more usual curves. The results show a difference of a factor of 30 to 250 depending on the steps of the protocols, which is very significant. A second part deals with two families of genus 2 curves. The Jacobians of these curves are isogenous to the product of two elliptic curves over a small-degree field extension. This isogeny makes it possible to transfer the properties of the elliptic curves to the Jacobians. Point counting is easy and requires only point counting on one of the isogenous elliptic curves, plus a few adjustments. We also present the construction of two endomorphisms on both the Jacobians and the elliptic curves. These two endomorphisms allow efficient scalar multiplications following the method of Gallant, Lambert and Vanstone, here in dimension four.