Special prime numbers and discrete logs in finite prime fields

Abstract: ) 1/3 = 1.9229 · · · . Using p ∈ A rather than general p does not enhance the performance of Schirokauer's algorithm. The definition of the set A and the algorithm suggested in this paper are based on a more general congruence than that of the Number Field Sieve. The congruence is related to the resultant of integer polynomials. We also give a number of useful identities for resultants that allow us to specify this congruence for some p.Let F p be a finite field of prime order p, and a ∈ F p its primitive elem… Show more

“…However, for some degrees k the NFS algorithm can be parameterised differently, yielding a better complexity with a smaller c. The size of the finite field must then be increased so as to maintain the same security as previously thought, that is with c = 1.923. In the context of finite fields (unrelated to pairings), so-called special primes p are subject to the special NFS (SNFS) variant with c = 1.526: in these cases, the size of p gives a false sense of security [28,53,49,47,27]. The most efficient pairings were obtained with specific families of pairing-friendly curves, where the prime p is special (see Table 2).…”

Cocks–Pinch curves of embedding degrees five to eight and optimal ate pairing computation

“…However, for some degrees k the NFS algorithm can be parameterised differently, yielding a better complexity with a smaller c. The size of the finite field must then be increased so as to maintain the same security as previously thought, that is with c = 1.923. In the context of finite fields (unrelated to pairings), so-called special primes p are subject to the special NFS (SNFS) variant with c = 1.526: in these cases, the size of p gives a false sense of security [28,53,49,47,27]. The most efficient pairings were obtained with specific families of pairing-friendly curves, where the prime p is special (see Table 2).…”

Cocks–Pinch curves of embedding degrees five to eight and optimal ate pairing computation

“…To achieve a separate individual logarithm stage, we adapt the method in [6] for the pre-computation part and modify the individual logarithm algorithm of [21]. Instead of working with real numbers, we choose to work with a 'logarithmic map' as in [19], though an approach developed in [21] apparently gives the same asymptotic results.…”

“…Instead of working with real numbers, we choose to work with a 'logarithmic map' as in [19], though an approach developed in [21] apparently gives the same asymptotic results. The improvements of Coppersmith in [3] are taken into account, to achieve a global running time of L p [ [6] with ours, we give a precise theoretical description of the algorithm as we've understood and built it out of the ideas given in [6].…”

An Algorithm to Solve the Discrete Logarithm Problem with the Number Field Sieve

“…Their algorithm has complexity L Q (1/3, 3 32/9), which is the same as that of Semaev's SNFS algorithm for prime fields [35]. It shows that the pairing-based crypto-systems which use primes of a special form are more vulnerable to NFS attacks than the general ones.…”

“…Following the analysis of Semaev [35], we obtain that if the degree d can be chosen to grow precisely as d = Using multiple number fields (MNFS) Given a choice of polynomials f and g selected as in the first step of TNFS, one can construct a large number of polynomials f i which share with f and g the root m modulo p. The idea goes back to Coppersmith's variant of NFS for factorization [16] and has been used again in [28], [8] and [31]. Let V be a parameter of size L Q (1/3, c v ) for some constant c v > 0.…”

The Tower Number Field Sieve