Top

Designs, Codes and Cryptography

Published in:

02-09-2023

Individual discrete logarithm with sublattice reduction

Authors: Haetham Al Aswad, Cécile Pierrot

Published in: Designs, Codes and Cryptography | Issue 12/2023

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The Number Field Sieve and its numerous variants is the best algorithm to compute discrete logarithms in medium and large characteristic finite fields. When the extension degree n is composite and the characteristic p is of medium size, the Tower variant (TNFS) is asymptotically the most efficient one. Our work deals with the last main step, namely the individual logarithm step, that computes a smooth decomposition of a given target T in the finite field thanks to two distinct phases: an initial splitting step, and a descent tree. In this article, we improve on the current state-of-the-art Guillevic’s algorithm dedicated to the initial splitting step for composite n. While still exploiting the proper subfields of the target finite field, we modify the lattice reduction subroutine that creates a lift in a number field of the target T. Our algorithm returns lifted elements with lower degrees and coefficients, resulting in lower norms in the number field. The lifted elements are not only much likely to be smooth because they have smaller norms, but it permits to set a smaller smoothness bound for the descent tree. Asymptotically, our algorithm is faster and works for a larger area of finite fields than Guillevic’s algorithm, being now relevant even when the medium characteristic p is such that \(L_{p^n}(1/3) \le p< L_{p^n}(1/2)\). In practice, we conduct experiments on 500-bit to 2048-bit composite finite fields: Our method becomes more efficient as the largest non trivial divisor of n grows, being thus particularly adapted to even extension degrees.

previous article Coding and bounds for partially defective memory cells

next article Scheduling to reduce close contacts: resolvable grid graph decomposition and packing

Available only for authorised users

We use \(L_Q(\alpha )\) instead of \(L_Q(\alpha , c)\) when the value of c is not important.

In medium characteristics, NFS has a complexity of \(L_{p^n}(1/3, (96/9)^{1/3})\).

This is the asymptotic complexity for the initial splitting step of NFS, given by Waterloo algorithm.

The counter part of this enumeration algorithm is its exponential space complexity.

Waterloo algorithm is designed for smoothing in small characteristic finite fields but is usable in this area too.

This is the value chosen in the 521-bit TNFS record on \({\mathbb F}_{p^6}\) [13]

Al Aswad, H., Pierrot, C.: Smoothness step in NFS for composite extenion finite fields. https://gitlab.inria.fr/halaswad/smoothing-step-in-nfs-for-composite-extension-degree-finite-fields. GitLab (2022).

Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: Kilian J. (ed.) CRYPTO 2001, vol. 2139, pp. 213–229. LNCS. Springer, Heidelberg (2001).

Blake I., Fuji-Hara R., Mullin R., Vanstone S.: Computing logarithms in finite fields of characteristic two. Siam J. Algebraic Discret. Methods 6, 5 (1984).MathSciNetMATH

Boudot, F., Gaudry, P., Guillevic, A., Heninger, N., Thomé, E., Zimmermann, P.: Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2020, pp. 62–91. Part II, LNCS. Springer, Heidelberg (2020).

Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: DL record computation in \(\mathbb{F}_{p^4}\) of \(392\) bits. http://www.lix.polytechnique.fr/~guillevic/docs/guillevic-catrel15-talk.pdf (2015).

Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: Improving NFS for the discrete logarithm problem in non-prime finite fields. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, pp. 129–155. Part I, volume 9056 of LNCS. Springer, Heidelberg (2015).

Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014, vol. 8441, pp. 1–16. LNCS. Springer, Heidelberg (2014).

Barbulescu, R.G., Pierrick, K.T.: The tower number field sieve. In: Tetsu, I., Jung, H.C. (eds.), ASIACRYPT 2015, Part II, volume 9453 of LNCS, pp. 31–55. Springer, Heidelberg (2015).

Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001, vol. 2248, pp. 514–532. LNCS. Springer, Heidelberg (2001).

10.

Blake, I.F., Mullin, R.C., Vanstone, S.A.: Computing logarithms in \(\text{GF}(2^n)\). In: Blakley, G.R., David C. (eds.) CRYPTO’84, volume 196 of LNCS, pp. 73–82. Springer, Heidelberg (1984).

11.

Barbulescu Razvan, Pierrot Cécile.: The multiple number field sieve for medium and high characteristic finite fields. LMS J. Comput. Math. 17, 230–246 (2014).MathSciNetCrossRefMATH

12.

Canfield E.R., Erdös P., Pomerance C.: On a problem of Oppenheim concerning “factorisatio numerorum’’. J. Number Theory 17(1), 1–28 (1983).MathSciNetCrossRefMATH

13.

De Micheli, G., Gaudry, P., Pierrot, C.: Lattice enumeration for tower NFS: A 521-bit discrete logarithm computation. In Mehdi, T., Huaxiong, W. (ed.) Advances in Cryptology-ASIACRYPT 2021-27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6–10, 2021, Proceedings, Part I, volume 13090 ofLecture Notes in Computer Science, pp. 67–96. Springer (2021).

14.

Fincke U., Pohst M.E.: Improved methods for calculating vectors of short length in a lattice. Math. Comput. 8, 463–471 (1985).CrossRefMATH

15.

Granger, R., Kleinjung, T., Zumbrägel J.: Breaking ‘128-bit secure’ supersingular binary curves - (or how to solve discrete logarithms in \(\mathbb{F} _{2^{4 \cdot 1223}}\) and \(\mathbb{F} _{2^{12 \cdot 367}}\)). In: Garay, J.A., Gennaro, R, (eds.) CRYPTO 2014, pp. 126–145. Part II, volume 8617 of LNCS. Springer, Heidelberg (2014).

16.

Grémy, L.: Computations of discrete logarithms sorted by date. https://dldb.loria.fr/.

17.

Guillevic Aurore, Singh Shashank: On the alpha value of polynomials in the tower number field sieve algorithm. Math. Cryptol. 1(1), 39 (2021).

18.

Guillevic, A.: Computing individual discrete logarithms faster in \(\text{ GF }(p^n)\) with the NFS-DL algorithm. In: Tetsu, I., Jung H.C. (eds.) ASIACRYPT 2015, Part I, volume 9452 of LNCS, pp 149–173. Springer, Heidelberg (2015).

19.

Guillevic Aurore: Faster individual discrete logarithms in finite fields of composite extension degree. Math. Comput. 88(317), 1273–1301 (2019).MathSciNetCrossRefMATH

20.

Hanrot, G., Pujol X., Stehlé D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011, vol. 6841, pp. 447–464. LNCS. Springer, Heidelberg (2011).

21.

Joux, A., Lercier, R., Smart, N., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006, vol. 4117, pp. 326–344. LNCS. Springer, Heidelberg (2006).

22.

Joux Antoine: A one round protocol for tripartite Diffie–Hellman. J. Cryptol. 17(4), 263–276 (2004).MathSciNetCrossRefMATH

23.

Joux, A., Pierrot, C.: The special number field sieve in \(\mathbb{F} _{p^n}\) - application to pairing-friendly constructions. In: Cao, Z., Zhang, F. (eds.) PAIRING 2013, vol. 8365, pp. 45–61. LNCS. Springer, Heidelberg (2014).

24.

Kannan Ravi: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987).MathSciNetCrossRefMATH

25.

Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, pp. 543–571. Part I, volume 9814 of LNCS. Springer, Heidelberg (2016).

26.

Kim, T., Jeong, J.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. In: Fehr, S. (ed.) PKC 2017, pp. 388–408. Part I, volume 10174 of LNCS. Springer, Heidelberg (2017).

27.

Thorsten, K., Benjamin, W.: Discrete logarithms in quasi-polynomial time in finite fields of fixed characteristic. Cryptology ePrint Archive, Report 2019/751. https://eprint.iacr.org/2019/751 (2019).

28.

Lenstra A.K., Lenstra H.W., Lovasz L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982).MathSciNetCrossRefMATH

29.

Miller Victor: The weil pairing, and its efficient calculation. J. Cryptol. 17, 235–261 (2004).MathSciNetCrossRefMATH

30.

Mukhopadhyay M., Sarkar P.: Faster initial splitting for small characteristic composite extension degree fields. Finite Fields Their Appl. 62, 101629 (2020).MathSciNetCrossRefMATH

31.

Mukhopadhyay M., Sarkar P., Singh S., Thomé E.: New discrete logarithm computation for the medium prime case using the function field sieve. Adv. Math. Commun. 16(3), 449–464 (2022).MathSciNetCrossRefMATH

32.

Micciancio, D., Voulgaris, P..: A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In: Schulman, L.J. (ed.), 42nd ACM STOC, pp. 351–358. ACM Press (2010).

33.

Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: P. Indyk (ed.), 26th SODA, pp. 276–294. ACM-SIAM (2015).

34.

Micciancio, D.,, Walter, M.,: Practical, predictable lattice basis reduction. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, pp. 820–849. Part I, volume 9665 of LNCS. Springer, Heidelberg (2016).

35.

Pierrot, C.: The multiple number field sieve with conjugation and generalized Joux–Lercier methods. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, pp. 156–170. Part I, volume 9056 of LNCS. Springer, Heidelberg (2015).

36.

Schirokauer O.: Using number fields to compute logarithms in finite fields. Math. Comput. 69, 1267–1283 (2000).MathSciNetCrossRefMATH

37.

Claus-Peter S., Euchner M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994).MathSciNetCrossRefMATH

38.

Sarkar, P., Singh, S.: A general polynomial selection method and new asymptotic complexities for the tower number field sieve algorithm. In: Jung H.C., Tsuyoshi T. (eds.), ASIACRYPT 2016, Part I, volume 10031 of LNCS, pp. 37–62. Springer, Heidelberg (2016).

39.

Sarkar, P., Singh, S.: A unified polynomial selection method for the (tower) number field sieve algorithm (2019).

40.

Trusted platform module. https://trustedcomputinggroup.org/resource/tpm-library-specification/. Latest Version (2019).

41.

Wiedemann D.H.: Solving sparse linear equations over finite fields. IEEE Trans. Inform. Theory 32(1), 54–62 (1986).MathSciNetCrossRefMATH

Title: Individual discrete logarithm with sublattice reduction
Authors: Haetham Al Aswad
Cécile Pierrot
Publication date: 02-09-2023
Publisher: Springer US
Published in: Designs, Codes and Cryptography / Issue 12/2023
Print ISSN: 0925-1022
Electronic ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-023-01282-w

Springer Professional

Individual discrete logarithm with sublattice reduction

Abstract

Premium Partner

Springer Professional

Abstract

Please log in to get access to your license.

Other articles of this Issue 12/2023

Structural evaluation of AES-like ciphers against mixture differential cryptanalysis

Practical attacks on small private exponent RSA: new records and new insights

Scheduling to reduce close contacts: resolvable grid graph decomposition and packing

Private simultaneous messages based on quadratic residues

Coding and bounds for partially defective memory cells

Optimal Ferrers diagram rank-metric codes from MRD codes

Premium Partner