computation of a 768 bit prime field discrete logarithm
play

Computation of a 768-bit prime field discrete logarithm C. Diem, T. - PowerPoint PPT Presentation

Jan 29, 2023 •383 likes •694 views

Computation of a 768-bit prime field discrete logarithm C. Diem, T. Kleinjung, A. K. Lenstra, C. Priplata, C. Stahlke EPF Lausanne (Switzerland), Universit at Leipzig (Germany) 1 / 11 Paris, 1st April 1776 2 / 11 Paris, 1st April 1776

  1. Computation of a 768-bit prime field discrete logarithm C. Diem, T. Kleinjung, A. K. Lenstra, C. Priplata, C. Stahlke EPF Lausanne (Switzerland), Universit¨ at Leipzig (Germany) 1 / 11

  2. Paris, 1st April 1776 2 / 11

  3. Paris, 1st April 1776 Marie-Sophie Germain Germain primes q , p = 2 q + 1 2 / 11

  4. Paris, 1st April 1776 Marie-Sophie Germain Germain primes q , p = 2 q + 1 Example: q = [2 765 π ] + 31380, p = [2 766 π ] + 62762 2 / 11

  5. Two centuries later Diffie-Hellman key exchange Public data: prime p and generator g of F × p Alice chooses private random a and computes A = g a . 1 Bob chooses private random b and computes B = g b . 2 3 Alice sends A to Bob; Bob sends B to Alice. Alice computes common secret S = g ab as S = B a . 4 Bob computes common secret S = g ab as S = A b . 5 3 / 11

  6. Two centuries later Diffie-Hellman key exchange Public data: prime p and generator g of F × p Alice chooses private random a and computes A = g a . 1 Bob chooses private random b and computes B = g b . 2 Alice sends A to Bob; Bob sends B to Alice. 3 Alice computes common secret S = g ab as S = B a . 4 Bob computes common secret S = g ab as S = A b . 5 Discrete logarithm problem (DLP) Given a prime p , a generator g of F × p and a target h ∈ F × p find an integer x (denoted by log g h ) such that g x = h . 3 / 11

  7. Two centuries later Diffie-Hellman key exchange Public data: prime p and generator g of F × p Alice chooses private random a and computes A = g a . 1 Bob chooses private random b and computes B = g b . 2 Alice sends A to Bob; Bob sends B to Alice. 3 Alice computes common secret S = g ab as S = B a . 4 Bob computes common secret S = g ab as S = A b . 5 Discrete logarithm problem (DLP) Given a prime p , a generator g of F × p and a target h ∈ F × p find an integer x (denoted by log g h ) such that g x = h . Investigate how secure this is for, say, 768-bit prime fields: Our challenge Solve the DLP for p = [2 766 π ] + 62762, g = 11, h = [2 766 e ], i.e., find x such that 11 x ≡ h (mod p ) . 3 / 11

  8. Factoring Number field sieve (NFS): 1 Polynomial selection: Find two polynomials f 1 , f 2 ∈ Z [ x ] with a common zero m modulo N (and some conditions). Denote by F 1 , F 2 the corresponding homogeneous polynomials. 2 Sieving: Choose L and find sufficiently many pairs a , b ∈ Z (relations) such that F 1 ( a , b ) and F 2 ( a , b ) factor into primes ≤ L . 3 Matrix step: Construct a matrix from these relations. Solve this system of linear equations modulo 2. Each solution gives rise to a congruence c 2 ≡ d 2 (mod N ), and gcd( c + d , N ) is a proper divisor of N with probability ≥ 1 2 . 4 / 11

  9. Discrete logarithms Number field sieve (NFS): 1 Polynomial selection: Find two polynomials f 1 , f 2 ∈ Z [ x ] with a common zero m modulo p (and some conditions). Denote by F 1 , F 2 the corresponding homogeneous polynomials. 2 Sieving: Choose L and find sufficiently many pairs a , b ∈ Z (relations) such that F 1 ( a , b ) and F 2 ( a , b ) factor into primes ≤ L . 3 Matrix step: Construct a matrix from these relations. Solve this system of linear equations modulo q . The solution vector of the matrix step gives (virtual) logarithms of (some of) the prime ideals ≤ L modulo q . Using these logarithms g x ≡ h (mod p ) can be solved via descent (later). 4 / 11

  10. Differences between factoring and the DLP Fundamental difference: For each integer there is just one factoring problem, whereas for each prime there are many DPLs. DLP instances with the same prime p share the three main NFS steps. Applicable to cryptosystems in which the same prime p is used by all parties (as is often featured in some standards). 5 / 11

  11. Differences between factoring and the DLP Fundamental difference: For each integer there is just one factoring problem, whereas for each prime there are many DPLs. DLP instances with the same prime p share the three main NFS steps. Applicable to cryptosystems in which the same prime p is used by all parties (as is often featured in some standards). Differences between factoring-NFS and DLP-NFS: One has more freedom in polynomial selection for DLP-NFS (Joux-Lercier method). The matrix step modulo q is about log 2 q times more complex than modulo 2. There are some other, minor differences. 5 / 11

  12. Extrapolating from RSA-768 to 768-bit DLP RSA-768 timings: Main steps time wall clock time memory comments Pol. selection 40 years 5 months < 10 MB low priority Sieving 1500 years 2 years 1-2 GB very parallel � Matrix step 75 years 4 months 200 GB only 8 tasks (193M × 193M ) 6 / 11

  13. Extrapolating from RSA-768 to 768-bit DLP RSA-768 timings: Main steps time wall clock time memory comments Pol. selection 40 years 5 months < 10 MB low priority Sieving 1500 years 2 years 1-2 GB very parallel � Matrix step 75 years 4 months 200 GB only 8 tasks (193M × 193M ) Naive extrapolation to 768-bit DLP: Main steps time Pol. selection 40 years Sieving 1500 years Matrix step 50000 years (about 767 times 75 years) 6 / 11

  14. Rebalancing Problem: How can the effort for the matrix step be reduced? 7 / 11

  15. Rebalancing Problem: How can the effort for the matrix step be reduced? Solution: By adapting parameters one looks for better (but rarer) relations, which are supposed to produce a smaller matrix. (smaller factor bases, only two large primes per polynomial) 7 / 11

  16. Rebalancing Problem: How can the effort for the matrix step be reduced? Solution: By adapting parameters one looks for better (but rarer) relations, which are supposed to produce a smaller matrix. (smaller factor bases, only two large primes per polynomial) Consequences: The sieving time increases. The time for the matrix step decreases (smaller matrix). 7 / 11

  17. Rebalancing Problem: How can the effort for the matrix step be reduced? Solution: By adapting parameters one looks for better (but rarer) relations, which are supposed to produce a smaller matrix. (smaller factor bases, only two large primes per polynomial) Consequences: The sieving time increases. The time for the matrix step decreases (smaller matrix). An unexpected side-effect occurred: One can apply tricks to speed up sieving (halving the running time). 7 / 11

  18. Rebalancing Problem: How can the effort for the matrix step be reduced? Solution: By adapting parameters one looks for better (but rarer) relations, which are supposed to produce a smaller matrix. (smaller factor bases, only two large primes per polynomial) Consequences: The sieving time increases. The time for the matrix step decreases (smaller matrix). An unexpected side-effect occurred: One can apply tricks to speed up sieving (halving the running time). Unrelated to the above, one can (and we did) use the Joux-Lercier polynomial selection method. It reduces the complexity of sieving and of the matrix step. 7 / 11

  19. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP 8 / 11

  20. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP 8 / 11

  21. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP August 2015 First matrix built (about 80 million, far too big) 8 / 11

  22. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP August 2015 First matrix built (about 80 million, far too big) November 2015 Feasible matrix (about 34 million) 8 / 11

  23. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP August 2015 First matrix built (about 80 million, far too big) November 2015 Feasible matrix (about 34 million) December 2015 End of sieving, matrix size 23 . 5 million Matrix step started 8 / 11

  24. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP August 2015 First matrix built (about 80 million, far too big) November 2015 Feasible matrix (about 34 million) December 2015 End of sieving, matrix size 23 . 5 million Matrix step started May 2016 Matrix step completed 8 / 11

  25. NFS computation Computation: It took about 1 year wall clock time (4th May 2015 - 18th May 2016). It took about 5000 core years. It could be reduced to 3000-4000 core years (perhaps further). 9 / 11

  26. NFS computation Computation: It took about 1 year wall clock time (4th May 2015 - 18th May 2016). It took about 5000 core years. It could be reduced to 3000-4000 core years (perhaps further). Result: We have (virtual) logarithms for about 23 . 5 million prime ideals. This leads to the logarithms for some of the small primes. 9 / 11

  27. Individual logarithms Precomputation (not essential, but useful): 0 Extend 23 . 5 million logarithms to a bigger database, for example: all logarithms for prime ideals of norm < 2 35 . (This took about 200 core years.) 10 / 11

Recommend

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 , P. Gaudry 2 , N. Heninger 1 , E. Thom e 2 1 U. Penn ; 2 Caramba/Inria/Loria Nov 13rd, 2017 A kilobit hidden SNFS discrete logarithm computation

441 views • 42 slides
Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields Christophe Petit, Michiel Kosters, Ange Messeng University of Oxford, University of California Irvine, University of Passau Christophe Petit - PKC2016 -

562 views • 41 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Discrete Log Problem Discrete Log Problem Given a prime number p Z * x

Discrete Log Problem Discrete Log Problem Given a prime number p Z * x

Discrete Log Problem Discrete Log Problem Given a prime number p Z * x (mod p ) Given a prime number p , Z p , (mod p ) finding x is called the discrete logarithm problem Not every discrete

640 views • 11 slides
Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team Ecole Polytechnique / LIX Asiacrypt 2015 Conference, Auckland, New Zealand, November 30 Aurore Guillevic

711 views • 51 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides
Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute of Technology Discrete logarithm problem. The discrete logarithm problem (DLP) in a finite cyclic group G : for any pair g , h G find a

673 views • 18 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
A kilobit hidden SNFS discrete log computation Joshua Fried , Pierrick Gaudry, Nadia Heninger,

A kilobit hidden SNFS discrete log computation Joshua Fried , Pierrick Gaudry, Nadia Heninger,

A kilobit hidden SNFS discrete log computation Joshua Fried , Pierrick Gaudry, Nadia Heninger, Emmanuel Thom e May 1, 2017 Textbook (Finite-Field) Diffie-Hellman Key Exchange [Diffie Hellman 1976] p a prime (so F p is a cyclic group) g

598 views • 30 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Crypto 2020 Virtual Conference 1/29 The discrete

338 views • 29 slides
Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving RSA-240, DLP-240, RSA-250 Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thom e, Paul Zimmermann ere de l FB:

466 views • 31 slides
Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey Pierrick Gaudry Hamza Jeljeli Emmanuel Thom e Marion Videau Paul Zimmermann CARAMEL project-team, LORIA, INRIA / CNRS / Universit e de

419 views • 22 slides
Objectives To enhance the understanding of Python by completing a program which tests for prime

Objectives To enhance the understanding of Python by completing a program which tests for prime

Due: 11 th Sept 1 CMPSC 102 Discrete Structures Fall 2018 Lab 1 Assignment: Prime Number Computation Using Python Submit deliverables through your assignment GitHib repository bearing your name. Place source code in src/ and output in output/

208 views • 6 slides
On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de Lorraine, Inria Nancy, France joint work with Razvan Barbulescu, Antoine Joux, Emmanuel Thom RICAM Linz, Austria 1/42 Plan Background Recent

598 views • 49 slides
Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly joint work with Taechan Kim and Yongsu Song) Department of Mathematical Sciences and ISaC-RIM Seoul National University December 13, 2013 1 / 41

557 views • 41 slides
The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics University of Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate (encrypt and decrypt)

410 views • 38 slides
A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

ECC, Chennai October 8, 2014 A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 e 2 Emmanuel Thom IMJ-PRG, Paris Loria, Nancy LIP6, Paris R.

606 views • 41 slides
Review - Mathematical Tools &amp; Probability Logarithm Fundamentals of Probability Discrete

Review - Mathematical Tools &amp; Probability Logarithm Fundamentals of Probability Discrete

Mathematical Tools Summation Operator The Natural Review - Mathematical Tools &amp; Probability Logarithm Fundamentals of Probability Discrete &amp; Continuous Random Variable Caio Vigo Features of Probability Distributions Expected

699 views • 50 slides
Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS, Universit de Lorraine, Inria JNCF CIRM November 2014 1/81 Plan Presentation of the problems Cryptographic background Primality,

919 views • 88 slides
Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental Mathematics University of Duisburg-Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate

841 views • 53 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France February 26th, 2020 Northeastern University, Boston

657 views • 40 slides
PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and

PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and

Public Key Cryptography PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and Secure Authentication David Pointcheval Dpartement d Informatique ENS - CNRS David.Pointcheval@ens.fr

266 views • 13 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides

More recommend