Discrete Logarithms and Galois Invariant Smoothness Basis



  1. Background, Function Field Sieve, Galois Invariant Smoothness Basis, Conclusion. Discrete Logarithms and Galois Invariant Smoothness Basis (with J.-M. Couveignes). R. Lercier, DGA/CELAR & University of Rennes, France. Reynald.Lercier (at) m4x.org. CADO workshop on integer factorization, INRIA Nancy Grand-Est, LORIA, October 7-9, 2008.

  2. Motivation. Computing discrete logarithms in $\mathbb{F}_q$, $q = p^d$, with the function field sieve (FFS) relies mostly on the ability to find relations between elements of a smoothness basis. In some very particular cases (Kummer and Artin-Schreier theories), the factor basis can be constructed in such a way that it is left invariant by automorphisms of $\mathbb{F}_q$. In this talk, we are going to explain how this nice property can be generalized to a broad class of finite fields. Reference: J.-M. Couveignes and R. Lercier. Galois invariant smoothness basis. Series on Number Theory and Its Applications, 5:154-179, World Scientific, May 2008.

  3. Outline: 1. Background; 2. Function Field Sieve; 3. Galois Invariant Smoothness Basis; 4. Conclusion.


  5. Index calculus algorithms. A family of algorithms to solve integer factorization problems and discrete logarithm problems in finite fields. Two important sub-cases: Number Field Sieve (factoring and DL in large char.), Function Field Sieve (DL in small char.).

  6. Index calculus methods.
     Step 1: One chooses $V = \{\gamma_1, \ldots, \gamma_{\#V}\} \subset \langle g \rangle$, the "smoothness basis", and one looks for relations of the type $\prod_{(\epsilon,\gamma) \in \mathbb{Z} \times V} \gamma^{\epsilon} = 1$.
     Step 2: As soon as possible, one computes $\log_g \gamma$, solutions of a linear system.
     Step 3: To compute $\log_g y$, for any $y$, one tries random integers $\nu$ until $g^{\nu} y = \prod_{(\epsilon,\gamma) \in \mathbb{Z} \times V} \gamma^{\epsilon}$.
     How to choose $V$? How to find relations?


  11. A school case. A DL problem in the cyclic subgroup $\langle 1193 \rangle \subset \mathbb{F}_p$, $p = 10007$. Let $V = \{2, 3, 5, 7, 11, 13, 17\}$, then
      $1193^{15} \bmod p = 2 \cdot 3 \cdot 7 \cdot 11$,
      $1193^{36} \bmod p = 7^2 \cdot 11^2$,
      $1193^{41} \bmod p = 17^3$,
      $1193^{47} \bmod p = 2 \cdot 11 \cdot 13 \cdot 17$,
      $1193^{73} \bmod p = 3 \cdot 5 \cdot 11 \cdot 13$,
      $1193^{74} \bmod p = 2^5 \cdot 3^2 \cdot 5^2$,
      $1193^{78} \bmod p = 2^6 \cdot 3 \cdot 7^2$,
      $1193^{80} \bmod p = 2^3 \cdot 5^2$.
      It remains to combine these equations: $2 = 1193^{4764}$, $3 = 1193^{236}$, $5 = 1193^{7903}$, $7 = 1193^{638}$, $11 = 1193^{4383}$, $13 = 1193^{2560}$, $17 = 1193^{3349}$.
      Let now, for instance, $y = 8964$; then $(y \cdot 1193^{12}) \bmod p = 2^2 \cdot 3^3 \cdot 5 \cdot 17$, and thus $y = 1193^{1464}$.
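
The three index calculus steps run on this school case, as an added example (not code from the talk). It sieves its own relations over powers of 1193, solves the linear system modulo the prime 5003 = (p - 1)/2, and lifts each logarithm to modulo p - 1 by testing both candidates; the function names and the bound of 2000 exponents are assumptions of this example.

```python
P, G = 10007, 1193                 # the slide's prime and base
HALF = (P - 1) // 2                # 5003 is prime, and G**HALF == -1 (mod P)
BASIS = [2, 3, 5, 7, 11, 13, 17]   # the slide's smoothness basis V

def exponents(x):
    """Exponent vector of x over BASIS, or None when x is not smooth."""
    vec = []
    for q in BASIS:
        e = 0
        while x % q == 0:
            x, e = x // q, e + 1
        vec.append(e)
    return vec if x == 1 else None

def relations(limit=2000):
    """Step 1: rows [e_2, ..., e_17, nu] with G**nu == prod q**e_q (mod P)."""
    rows = []
    for nu in range(1, limit):
        vec = exponents(pow(G, nu, P))
        if vec is not None:
            rows.append(vec + [nu])
    return rows

def basis_logs(rows):
    """Step 2: Gauss-Jordan modulo 5003, then lift each log to modulo P - 1."""
    rows, k = [r[:] for r in rows], len(BASIS)
    for c in range(k):
        piv = next(i for i in range(c, len(rows)) if rows[i][c] % HALF)
        rows[c], rows[piv] = rows[piv], rows[c]
        inv = pow(rows[c][c], -1, HALF)
        rows[c] = [v * inv % HALF for v in rows[c]]
        for i in range(len(rows)):
            if i != c and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % HALF for a, b in zip(rows[i], rows[c])]
    logs = {}
    for q, row in zip(BASIS, rows):
        x = row[k]  # known only mod 5003, so G**x is q or -q: test both lifts
        logs[q] = x if pow(G, x, P) == q else x + HALF
    return logs

def dlog(y, logs):
    """Step 3: multiply y by G**nu until smooth, then combine the basis logs."""
    for nu in range(P - 1):
        vec = exponents(y * pow(G, nu, P) % P)
        if vec is not None:
            total = sum(e * logs[q] for e, q in zip(vec, BASIS))
            return (total - nu) % (P - 1)

LOGS = basis_logs(relations())     # computed here, not copied from the slide
```

Working modulo 5003 first keeps every nonzero pivot invertible; the exponentiation check in the lift then resolves the remaining sign, since $1193^{5003} = -1$ in $\mathbb{F}_p$.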

  12. Known complexity results. Complexity is usually expressed as $L_q(\lambda, c) = \exp\left((c + o(1)) (\log q)^{\lambda} (\log \log q)^{1-\lambda}\right)$. Two extreme cases:
      $\mathbb{F}_q$ with fixed (small) $d$: NFS [Gor93, Sch93, JL03] yields $L_q\left(\frac{1}{3}, \sqrt[3]{\frac{64}{9}}\right)$.
      $\mathbb{F}_q$ with fixed (small) $p$: FFS [Cop84, Adl94, AH99, JL02] yields $L_q\left(\frac{1}{3}, \sqrt[3]{\frac{32}{9}}\right)$.

  13. Known complexity results ([JL06, JLSV06]). When $d$ and $p$ both tend to $\infty$. [Figure: regions of the ($\ln q$, $\ln p$) plane, from top to bottom: NFS in $L_q\left(\frac{1}{3}, \sqrt[3]{\frac{64}{9}}\right)$; boundary $\ln p = O(\ln^{2/3} q \, \ln^{1/3} \ln q)$; NFS in $L_q\left(\frac{1}{3}, \sqrt[3]{\frac{128}{9}}\right)$; boundary $\ln p = O(\ln^{1/3} q \, \ln^{2/3} \ln q)$; FFS in $L_q\left(\frac{1}{3}, \sqrt[3]{\frac{32}{9}}\right)$.]


  15. Basic setup. An algorithm, parameterized by a degree $D$ (which increases with $d$). Choose two univariate polynomials $f_1$ and $f_2$ over $\mathbb{F}_p$ with degrees $d_1$ and $d_2$ (as small as possible) such that
      $d_1 \approx D d_2$,
      $\mathrm{Resultant}(\beta - f_1(\alpha), \alpha - f_2(\beta))$ in $\alpha$ or $\beta$ has an irreducible factor of degree $n$ modulo $p$
      ($d_1 d_2 \geq n$, that is $d_1 \approx \sqrt{Dn}$ and $d_2 \approx \sqrt{n/D}$).
      This means that there exist $\alpha, \beta \in \mathbb{F}_q$ such that $\beta = f_1(\alpha)$ and $\alpha = f_2(\beta)$.

  16. The sieving. Take $p^{2D+1}$ polynomials of the form $a(\alpha)\beta + b(\alpha)$ where $a$ and $b$ are polynomials of degree $D$ ($a$ monic). In this expression, replace $\beta$ by $f_1(\alpha)$ and $\alpha$ by $f_2(\beta)$; this yields equations $h_1(\alpha) = h_2(\beta)$ where $h_1$ (resp. $h_2$) has degree $d_1 + D \approx \sqrt{Dn}$ (resp. $d_2 D + 1 \approx \sqrt{Dn}$). In good cases, $h_1$ and $h_2$ split into irreducible factors of degree at most $D$.

  17. Example: $\mathbb{F}_{65537^{25}}$. Take $D = 1$, $f_1(\alpha) = \alpha^5 + \alpha + 3$ and $f_2(\beta) = -\beta^5 - \beta - 1$. Consider $\beta + 2\alpha - 20496$.
      It can be written as: $\alpha^5 + 3\alpha - 20493 = (\alpha + 2445) \cdot (\alpha + 9593) \cdot (\alpha + 31166) \cdot (\alpha + 39260) \cdot (\alpha + 48610)$.
      Or as: $-2\beta^5 - \beta - 20498 = -2 (\beta + 1946) \cdot (\beta + 17129) \cdot (\beta + 18727) \cdot (\beta + 43449) \cdot (\beta + 49823)$.
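
The relation on this slide, rebuilt as an added example (not code from the talk): substitute $\beta = f_1(\alpha)$ and $\alpha = f_2(\beta)$ into $\beta + u\alpha + v$ and test whether both sides split into linear factors over $\mathbb{F}_{65537}$ (the case $D = 1$ with $a = 1$). Function names are illustrative, and roots are found by exhaustive search, which is only reasonable because $p$ is this small.

```python
Q = 65537                          # the slide's base field F_p
F1 = [3, 1, 0, 0, 0, 1]            # f1 = x^5 + x + 3, lowest degree first
F2 = [-1, -1, 0, 0, 0, -1]         # f2 = -x^5 - x - 1

def evaluate(poly, x):
    """Horner evaluation of poly at x modulo Q."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % Q
    return acc

def deflate(poly, r):
    """Quotient of poly by (x - r) via synthetic division; r must be a root."""
    out, acc = [], 0
    for c in reversed(poly):
        acc = (acc * r + c) % Q
        out.append(acc)
    return list(reversed(out[:-1]))   # drop the (zero) remainder

def linear_roots(poly):
    """Roots with multiplicity if poly splits into degree-1 factors, else None."""
    poly, roots = [c % Q for c in poly], []
    for x in range(Q):
        while len(poly) > 1 and evaluate(poly, x) == 0:
            roots.append(x)
            poly = deflate(poly, x)
    return roots if len(poly) == 1 else None

def candidate(u, v):
    """Both sides of beta + u*alpha + v: h1 in alpha, h2 in beta."""
    h1 = F1[:]                     # f1(alpha) + u*alpha + v
    h1[1] += u
    h1[0] += v
    h2 = [u * c for c in F2]       # beta + u*f2(beta) + v
    h2[1] += 1
    h2[0] += v
    return h1, h2

def relation(u, v):
    """(alpha-side roots, beta-side roots) when both sides are 1-smooth."""
    h1, h2 = candidate(u, v)
    left, right = linear_roots(h1), linear_roots(h2)
    return (left, right) if left is not None and right is not None else None
```

A factor $(\alpha + r)$ on the slide corresponds to the root $65537 - r$ returned here.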

  18. The end of the computation.
      Linear algebra: when enough relations have been collected, inversion of the system yields the DLs of irreducible polynomials of degree at most $D$ modulo $(q - 1)/(p - 1)$.
      Discrete logarithms of any $y$: basically, test random $\nu$ until a polynomial $g^{\nu} \cdot y$ is $\sqrt{d}$-smooth. For each factor $\delta$, of degree $d_\delta$, test for $(d_\delta - 1)$-smoothness elements $a(\alpha)\beta + b(\alpha)$ chosen such that $\delta$ divides $h_1(\alpha)$.

  19. Experiments.

      | Fields | Size (digits) | When | Complexity (gips year) | Method | Who |
      |---|---|---|---|---|---|
      | $\mathbb{F}_{2^{401}}$ | 121 | 1992 | 0.2 | coppersmith | Gordon, McCurley |
      | $\mathbb{F}_{2^{521}}$ | 157 | 2002 | 0.4 | ffs | Joux, Lercier |
      | $\mathbb{F}_{2^{607}}$ | 183 | 2002 | 20 | coppersmith | Thomé |
      | $\mathbb{F}_{2^{607}}$ | 183 | 2005 | 1.6 | ffs | Joux, Lercier |
      | $\mathbb{F}_{2^{613}}$ | | | | | |

      | Fields | Size (digits) | When | Complexity (gips year) | Method | Who |
      |---|---|---|---|---|---|
      | $\mathbb{F}_{370801^{18}}$ | 101 | 2005 | 0.4 | tori | Lercier, Vercauteren |
      | $\mathbb{F}_{65537^{25}}$ | 121 | 2005 | ≃ 0 | ffs | Joux, Lercier |
      | $\mathbb{F}_{370801^{30}}$ | 168 | 2005 | 0.1 | ffs | Joux, Lercier |
      | $\mathbb{F}_{p^3}$ | 120 | 2006 | 1.2 | nfs | Joux, Lercier, Smart, Vercauteren |

