Faster Cofactorization with ECM Using Mixed Representations

Bouvier, Cyril; Imbert, Laurent

doi:10.1007/978-3-030-45388-6_17

Cited by 8 publications

(10 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These algorithms either find and extract smooth parts of the norms, or completely factor them. The family of sieving algorithms [13,26], batch algorithms [6, Algorithm 2.1] and ECM [7,25] are examples of such methods used in factorization and DLP computations. They all have different complexities and properties and thus cannot be used on the same amount of input norms N i .…”

Section: Combining Three Algorithmsmentioning

confidence: 99%

Lattice Enumeration for Tower NFS: A 521-Bit Discrete Logarithm Computation

Micheli

Gaudry

Pierrot

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The Tower variant of the Number Field Sieve (TNFS) is known to be asymptotically the most efficient algorithm to solve the discrete logarithm problem in finite fields of medium characteristics, when the extension degree is composite. A major obstacle to an efficient implementation of TNFS is the collection of algebraic relations, as it happens in dimension greater than 2. This requires the construction of new sieving algorithms which remain efficient as the dimension grows. In this article, we overcome this difficulty by considering a lattice enumeration algorithm which we adapt to this specific context. We also consider a new sieving area, a high-dimensional sphere, whereas previous sieving algorithms for the classical NFS considered an orthotope. Our new sieving technique leads to a much smaller running time, despite the larger dimension of the search space, and even when considering a larger target, as demonstrated by a record computation we performed in a 521-bit finite field F p 6 . The target finite field is of the same form than finite fields used in recent zero-knowledge proofs in some blockchains. This is the first reported implementation of TNFS.

show abstract

Section: Combining Three Algorithmsmentioning

confidence: 99%

Lattice Enumeration for Tower NFS: A 521-Bit Discrete Logarithm Computation

Micheli

Gaudry

Pierrot

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In short, the families used in ECM are motivated by the torsion properties and by the average number of full multiplications needed for doubling-and-adding on the elliptic curve. A recent study [BI19] makes a state-of-the-art presentation of the implementation techniques and concludes that it is important that 1) the elliptic curve can be put on a particular form (Montgomery, Edwards, Hessian) and that 2) one can generate many curves of the family which have a rational point of coordinates of less than 32 bits. Of course any family can be put in short Weierstrass form.…”

Section: 2mentioning

confidence: 99%

“…We do not discuss further the case of subfamilies with points of infinite order because they are not known to modify the behaviour of ECM and because they produce curves of large coefficients. Instead, several authors make lists of elliptic curves from families which have small coefficients and compute directly a rational point [BI19,HMR16,BBL10].…”

Section: 2mentioning

confidence: 99%

A classification of ECM-friendly families of elliptic curves using modular curves

Barbulescu

Shinde

2021

Math. Comp.

View full text Add to dashboard Cite

In this work, we establish a link between the classification of ECM-friendly elliptic curves and Mazur’s program B, which consists in parameterizing all the families of elliptic curves with exceptional Galois image. Motivated by Barbulescu et al. [ANTS X–proceedings of the tenth algorithmic number theory symposium, Berkeley, CA, 2013], we say an elliptic curve is ECM-friendly if it does not have complex multiplication and if its Galois image is exceptional for some level. Building upon two recent works which treated the case of congruence subgroups of prime-power level which occur for infinitely many j j -invariants, we prove that there are exactly 1525 families of rational elliptic curves with distinct Galois images which are cartesian products of subgroups of prime-power level. This makes a complete list of rational families of ECM-friendly elliptic curves with cartesian Galois images, out of which less than 23 were known in the literature. We furthermore refine a heuristic of Montgomery to compare these families and conclude that the best 4 families which can be put in a = − 1 a=-1 twisted Edwards’ form are new.

show abstract

“…Based on the cofactor size, one must decide whether it makes sense to seek its complete factorization into elements of F . In this case Cado-NFS uses the Bouvier-Imbert mixed representation [9]. Any prime ideal that appears in this "cofactorization" is called a large prime.…”

Section: Relation Collectionmentioning

confidence: 99%

“…It is possible to mix special-q ideals from both number fields, as done in[17], or even hybrid special-q involving contributions from both sides 9. By factorization, we implicitly mean "numerator of the factorization".…”

mentioning

confidence: 99%

Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment

Boudot¹,

Gaudry²,

Guillevic³

et al. 2020

Preprint

View full text Add to dashboard Cite

We report on two new records: the factorization of RSA-240, a 795-bit number, and a discrete logarithm computation over a 795-bit prime field. Previous records were the factorization of RSA-768 in 2009 and a 768-bit discrete logarithm computation in 2016. Our two computations at the 795-bit level were done using the same hardware and software, and show that computing a discrete logarithm is not much harder than a factorization of the same size. Moreover, thanks to algorithmic variants and well-chosen parameters, our computations were significantly less expensive than anticipated based on previous records. The last page of this paper also reports on the factorization of RSA-250.

show abstract

Faster Cofactorization with ECM Using Mixed Representations

Cited by 8 publications

References 18 publications

Lattice Enumeration for Tower NFS: A 521-Bit Discrete Logarithm Computation

Lattice Enumeration for Tower NFS: A 521-Bit Discrete Logarithm Computation

A classification of ECM-friendly families of elliptic curves using modular curves

Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment

Contact Info

Product

Resources

About