Computing discrete logarithms in cryptographically-interesting characteristic-three finite fields

Adj, Gora; Canales-Martínez, Isaac; Cruz-Cortés, Nareli; Menezes, Alfred; Oliveira, Thomaz; Rivera-Zamarripa, Luis; Rodríguez-Henríquez, Francisco

doi:10.3934/amc.2018044

Cited by 6 publications

(10 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The case of characteristic three finite fields, which held a lot of promise for pairing based cryptography, faired not much better. In the period from 2010 to 2016 the record advanced from a 676-bit field, up to 4841 [1].…”

Section: Pairing Based Cryptographymentioning

confidence: 99%

History of Cryptographic Key Sizes

Smart¹,

Thomé

2021

Computational Cryptography

View full text Add to dashboard Cite

Section: Pairing Based Cryptographymentioning

confidence: 99%

History of Cryptographic Key Sizes

Smart¹,

Thomé

2021

Computational Cryptography

View full text Add to dashboard Cite

“…Remark 4.1. As was pointed out to us by F. Rodríguez-Henríquez [56,3], the elements of the form x i R(x) where R itself is of degree ≤ n 2 − d/n 1 are evenly interesting because the discrete logarithm of x i can be deduced from the discrete logarithm of x, which is known after linear algebra.…”

Section: Application To Small Characteristic Finite Fields and Cryptmentioning

confidence: 99%

“…Remark 4.3. Other improvements are possible [56,3], for instance computing F p gcd(n 1 ,d) -linear combinations over a small number of rows corresponding to polynomials of almost the same degree. The resulting polynomial will have degree increased by one or two, which does not significantly affect its B 1 -smoothness probability in practice for cryptographic sizes.…”

Section: Application To Small Characteristic Finite Fields and Cryptmentioning

confidence: 99%

“…In the FFS setting, n 1 = 1 and usually n 2 is prime and our technique cannot be helpful, but if n is not prime, our algorithm applies, and moreover in favorable cases Joux's L[1/4] algorithm and its variants can be used and our technique can provide a further notable speed-up in the descent. For the implementations in small characteristic, the factor basis is made of the irreducible polynomials of F p n 1 [x] of very small degree, e.g., of degrees 1, 2, 3, and 4 in [3]. Our aim is to improve the smoothness probability of a preimage P ∈ F p n 1 [x] of a given target T ∈ F (p n 1 ) n 2 and for that we want to reduce the degree in x of the preimage P (as a lift of T in F p n 1 [x], P has degree at most n 2 − 1 in x), while keeping the property log(ρ(P )) = log T mod ℓ , where ρ : F p n 1 [x] → F (p n 1 ) n 2 is the reduction modulo ψ.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Faster individual discrete logarithms in finite fields of composite extension degree

Guillevic¹

2018

Math. Comp.

View full text Add to dashboard Cite

Computing discrete logarithms in finite fields is a main concern in cryptography. The best algorithms in large and medium characteristic fields (e.g., GF(p 2 ), GF(p 12 )) are the Number Field Sieve and its variants (special, high-degree, tower). The best algorithms in small characteristic finite fields (e.g., GF(3 6·509 )) are the Function Field Sieve, Joux's algorithm, and the quasipolynomial-time algorithm. The last step of this family of algorithms is the individual logarithm computation. It computes a smooth decomposition of a given target in two phases: an initial splitting, then a descent tree. While new improvements have been made to reduce the complexity of the dominating relation collection and linear algebra steps, resulting in a smaller factor basis (database of known logarithms of small elements), the last step remains at the same level of difficulty. Indeed, we have to find a smooth decomposition of a typically large element in the finite field. This work improves the initial splitting phase and applies to any nonprime finite field. It is very efficient when the extension degree is composite. It exploits the proper subfields, resulting in a much more smooth decomposition of the target. This leads to a new trade-off between the initial splitting step and the descent step in small characteristic. Moreover it reduces the width and the height of the subsequent descent tree.

show abstract

“…However in certain cases this is not possible, so that efficient symmetric pairings are still desired. The earliest "fast" symmetric pairings are now completely broken since they used supersingular curves over fields of characteristic 2 or 3: the target group is then a sugroup of F 2 4n or F 3 6m , and the quasi-polynomial-time algorithm [6] is particularly devastating [20,1]. Since this algorithm does not apply to large characteristic, three constructions of supersingular curves survived.…”

Section: Pairing-friendly Curves Of Small Embedding Degreementioning

confidence: 99%

Computing Discrete Logarithms in $${\mathbb F}_{{p}^{6}}$$

Grémy

Guillevic

Morain

et al. 2017

Selected Areas in Cryptography – SAC 2017

View full text Add to dashboard Cite

The security of torus-based and pairing-based cryptography relies on the difficulty of computing discrete logarithms in small degree extensions of finite fields of large characteristic. It has already been shown that for degrees 2 and 3, the discrete logarithm problem is not as hard as once thought. We address the question of degree 6 and aim at providing real-life timings for such problems. We report on a record DL computation in a 132-bit subgroup of F p 6 for a 22-decimal digit prime, with p 6 having 422 bits. The previous record was for a 79-bit subgroup in a 240-bit field. We used NFS-DL with a sieving phase over degree 2 polynomials, instead of the more classical degree 1 case. We show how to improve many parts of the NFS-DL algorithm to reach this target. Experiments presented in this paper were carried out using the Grid'5000 testbed, supported by a scientific interest group hosted by Inria and including CNRS, RENATER and several Universities as well as other organizations (see https: //www.grid5000.fr).

show abstract

Computing discrete logarithms in cryptographically-interesting characteristic-three finite fields

Cited by 6 publications

References 28 publications

History of Cryptographic Key Sizes

History of Cryptographic Key Sizes

Faster individual discrete logarithms in finite fields of composite extension degree

Computing Discrete Logarithms in $${\mathbb F}_{{p}^{6}}$$

Contact Info

Product

Resources

About