61 research outputs found
On the discrete logarithm problem in finite fields of fixed characteristic
For a prime power, the discrete logarithm problem (DLP) in
consists in finding, for any
and , an integer such that . We present
an algorithm for computing discrete logarithms with which we prove that for
each prime there exist infinitely many explicit extension fields
in which the DLP can be solved in expected quasi-polynomial
time. Furthermore, subject to a conjecture on the existence of irreducible
polynomials of a certain form, the algorithm solves the DLP in all extensions
in expected quasi-polynomial time.
Comment: 15 pages, 2 figures. To appear in Transactions of the AM
Discrete logarithms in quasi-polynomial time in finite fields of fixed characteristic
We prove that the discrete logarithm problem can be solved in quasi-polynomial expected time in the multiplicative group of finite fields of fixed characteristic. More generally, we prove that it can be solved in the field of cardinality $p^n$ in expected time $(p^n)^{2\log_2(n)+O(1)}$.
Finding ECM-friendly curves through a study of Galois properties
In this paper we prove some divisibility properties of the cardinality of
elliptic curves modulo primes. These proofs explain the good behavior of
certain parameters when using Montgomery or Edwards curves in the setting of
the elliptic curve method (ECM) for integer factorization. The ideas of the
proofs help us to find new families of elliptic curves with good division
properties which increase the success probability of ECM
A new perspective on the powers of two descent for discrete logarithms in finite fields
A new proof is given for the correctness of the powers of two descent method for computing discrete logarithms. The result is slightly stronger than the original work, but more importantly we provide a unified geometric argument, eliminating the need to analyse all possible subgroups of . Our approach sheds new light on the role of , in the hope to eventually lead to a complete proof that discrete logarithms can be computed in quasi-polynomial time in finite fields of fixed characteristic
Degree of regularity for HFE-
In this paper, we prove a closed formula for the degree of regularity of
the family of HFE- (HFE Minus) multivariate public key cryptosystems over
a finite field of size . The degree of regularity of the polynomial
system derived from an HFE- system is less than or equal to
\begin{eqnarray*}
\frac{(q-1)(\lfloor \log_q(D-1)\rfloor +a)}2 +2 & &
\text{if is even and is odd,}
\\
\frac{(q-1)(\lfloor \log_q(D-1)\rfloor+a+1)}2 +2 & &
\text{otherwise.}
\end{eqnarray*}
Here is the base field size, the degree of the HFE
polynomial, and is the
number of removed equations (Minus number).
This allows us to present an estimate of the complexity of breaking the HFE
Challenge 2:
\vskip .1in
\begin{itemize}
\item the complexity to break the HFE Challenge 2 directly using algebraic
solvers is about .
\end{itemize}
ECM at Work
The performance of the elliptic curve method (ECM) for integer factorization plays an important role in the security assessment of RSA-based protocols as a cofactorization tool inside the number field sieve. The efficient arithmetic for Edwards curves found an application by speeding up ECM. We propose techniques based on generating and combining addition-subtracting chains to optimize Edwards ECM in terms of both performance and memory requirements. This makes our approach very suitable for memory-constrained devices such as graphics processing units (GPU). For commonly used ECM parameters we are able to lower the required memory by a factor of up to 55 compared to the state-of-the-art Edwards ECM approach. Our ECM implementation on a GTX 580 GPU sets a new throughput record, outperforming the best GPU, CPU and FPGA results reported in the literature.
Computation of a 30750-Bit Binary Field Discrete Logarithm
This paper reports on the computation of a discrete logarithm in the finite
field , breaking by a large margin the previous record,
which was set in January 2014 by a computation in . The
present computation made essential use of the elimination step of the
quasi-polynomial algorithm due to Granger, Kleinjung and Zumbrägel, and is
the first large-scale experiment to truly test and successfully demonstrate its
potential when applied recursively, which is when it leads to the stated
complexity. It required the equivalent of about 2900 core years on a single
core of an Intel Xeon Ivy Bridge processor running at 2.6 GHz, which is
comparable to the approximately 3100 core years expended for the discrete
logarithm record for prime fields, set in a field of bit-length 795, and
demonstrates just how much easier the problem is for this level of
computational effort. In order to make the computation feasible we introduced
several innovative techniques for the elimination of small degree irreducible
elements, which meant that we avoided performing any costly Gröbner basis
computations, in contrast to all previous records since early 2013. While such
computations are crucial to the complexity algorithms,
they were simply too slow for our purposes. Finally, this computation should
serve as a serious deterrent to cryptographers who are still proposing to rely
on the discrete logarithm security of such finite fields in applications,
despite the existence of two quasi-polynomial algorithms and the prospect of
even faster algorithms being developed.
Comment: 22 page
Improved key recovery on the Legendre PRF
We give an algorithm for key recovery of the Legendre pseudorandom function that supersedes the best known algorithms so far.
The expected number of operations is on a -bit word machine, under reasonable heuristic assumptions, and requires only oracle queries.
If the number of queries is smaller, the expected number of operations is . We further show that the algorithm works in many different generalisations -- using a different character instead of the Legendre symbol, using the Jacobi symbol, or using a degree polynomial in the Legendre symbol numerator.
In the latter case we show how to use Möbius transforms to lower the complexity to Legendre symbol computations, and in the case of a reducible polynomial.
We also give an quantum algorithm that does not require a quantum oracle, and comments on the action of the Möbius group in the linear PRF case.
On the practical side we give implementational details of our algorithm.
We give the solutions of the and -bit prime challenges for key recovery with queries posed by Ethereum, out of which only the and -bit were solved earlier