individual discrete logarithm in gf p k last step of the
play

Individual Discrete Logarithm in GF( p k ) (last step of the Number - PowerPoint PPT Presentation

Jan 18, 2023 •196 likes •711 views

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team Ecole Polytechnique / LIX Asiacrypt 2015 Conference, Auckland, New Zealand, November 30 Aurore Guillevic

  1. Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team ´ Ecole Polytechnique / LIX Asiacrypt 2015 Conference, Auckland, New Zealand, November 30 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 1 / 25

  2. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), Huge massive precomputation (weeks, months, years) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  3. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive precomputation (weeks, months, years) p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  4. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive Thousands of precomputation individual log (weeks, months, computation years) < 1 min each p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  5. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive Thousands of precomputation individual log (weeks, months, computation years) < 1 min each p i < B 0 Logjam: GF( q ) = GF( p ) (standardized) prime field of 512 bits real-time man-in-the-middle attack on Diffie-Hellman key exchange compute a discrete log in GF( p ) in 70s in average Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  6. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive Thousands of precomputation individual log (weeks, months, computation years) < 1 min each p i < B 0 Logjam: GF( q ) = GF( p ) (standardized) prime field of 512 bits real-time man-in-the-middle attack on Diffie-Hellman key exchange compute a discrete log in GF( p ) in 70s in average Pairing-based cryptography: GF( q ) = GF( p 2 ), GF( p 6 ), GF( p 12 ) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  7. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive Thousands of precomputation individual log (weeks, months, computation years) < 1 min each p i < B 0 Logjam: GF( q ) = GF( p ) (standardized) prime field of 512 bits real-time man-in-the-middle attack on Diffie-Hellman key exchange compute a discrete log in GF( p ) in 70s in average Pairing-based cryptography: GF( q ) = GF( p 2 ), GF( p 6 ), GF( p 12 ) Could we compute individual discrete logs in GF( p 2 ), GF( p 6 ), GF( p 12 ) in less than 1 min ? Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  8. DLP in the target group of pairing-friendly curves DLP in the target group of pairing-friendly curves Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 3 / 25

  9. DLP in the target group of pairing-friendly curves Why DLP in finite fields F p 2 , F p 3 , . . . ? In a subgroup G = � g � of order ℓ , ( g , x ) �→ g x is easy (polynomial time) ( g , g x ) �→ x is (in well-chosen subgroup) hard: DLP. pairing: × → G 1 G 2 G T ∩ ∩ ∩ F ∗ E ( F p ) E ( F p k ) p k where E / F p is a pairing-friendly curve √ G 1 , G 2 , G T of large prime order ℓ (generic attacks in O ( ℓ ): take e.g. 256-bit ℓ ) 1 ≤ k ≤ 12 embedding degree: very specific property (specific attacks (NFS): take 3072-bit p k ) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 4 / 25

  10. DLP in the target group of pairing-friendly curves DL records in small characteristic ✗ Small characteristic: supersingular curves E / F 2 n : G T ⊂ F 2 4 n , E / F 3 m : G T ⊂ F 3 6 m Practical attacks (first one and most recent): Hayashi, Shimoyama, Shinohara, Takagi: GF(3 6 · 97 ) ( 923 bit field) (2012) Granger, Kleinjung, Zumbragel: GF(2 9234 ), GF(2 4404 ) (2014) ıquez: GF(3 822 ), GF(3 978 ) Adj, Menezes, Oliveira, Rodr´ ıguez-Henr´ (2014) Joux: GF(3 2395 ) (with Pierrot, 2014), GF(2 6168 ) (2013) Theoretical attacks: Quasi-Polynomial-time Algorithm (QPA) [Barbulescu Gaudry Joux Thom´ e 14] [Granger Kleinjung Zumbragel 14] Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 5 / 25

  11. DLP in the target group of pairing-friendly curves Common used pairing-friendly curves ✓ Curves over prime fields E / F p where QPA does NOT apply (with log p ≥ log ℓ ≈ 256 bits, s.t. k log p ≥ 3072) supersingular: G T ⊂ F p 2 (log p = 1536) [Miyaji Nakabayashi Takano 01] (MNT): G T ⊂ F p 3 (log p = 1024), F p 4 (log p = 768), F p 6 (log p = 512) [Freeman 06] G T ⊂ F p 10 [Barreto Naehrig 05] (BN): G T ⊂ F p 12 (log p = 256, optimal) [Kachisa Schaefer Scott 08] (KSS): G T ⊂ F p 18 (used for 192-bit security level: 384-bit ℓ , log p = 512, k log p = 9216) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 6 / 25

  12. DLP in the target group of pairing-friendly curves Last DL records, with the NFS-DL algorithm GF( p ′ 2 ), p ′ 2 = q [BGGM15] GF( p ) Massive precomputation (d=core-day, y=core-year) [Logjam] 512-bit p : 10y 598-bit q : 0.75y + 18 GPU-d 175 × faster [BGIJT14] 596-bit p : 131y Individual Discrete Log 512-bit p : 70s median ✓ 596-bit p : 2d 600-bit q : few d slow [Logjam]: see weakdh.org [BGGM15]: Barbulescu, Gaudry, G., Morain [BGIJT14]: Bouvier, Gaudry, Imbert, Jeljeli, Thom´ e Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 7 / 25

  13. DLP in the target group of pairing-friendly curves This work: Faster individual discrete logarithm in F p k , especially k = 2 , 3 , 4 , 6 Apply to pairing target group G T large characteristic F p 2 , F p 3 medium characteristic F p 4 , F p 6 , . . . source code: written in Magma + part of http://cado-nfs.gforge.inria.fr/ Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 8 / 25

  14. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and F p k = F p [ x ] / ( ϕ ( x )) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  15. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  16. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection 3. Linear algebra modulo ℓ | p k − 1 . ➙ here we know the discrete log of a subset of elements. log DB p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  17. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and massive precomputation F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection 3. Linear algebra modulo ℓ | p k − 1 ➙ here we know the discrete log of a subset of elements. log DB p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  18. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and massive precomputation F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection 3. Linear algebra modulo ℓ | p k − 1 ➙ here we know the discrete log of a subset of elements. log DB p i < B 0 1. Individual target discrete logarithm Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  19. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and massive precomputation F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection 3. Linear algebra modulo ℓ | p k − 1 ➙ here we know the discrete log of a subset of elements. log DB p i < B 0 1. Individual target discrete logarithm for each given DLP instance not so trivial this talk: practical improvements very efficient for small k or even k Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  20. DLP in the target group of pairing-friendly curves Polynomial Selection for DL in F p k , and norm f , g irreducible over Q , f � = g (define � = number fields) gcd( f mod p , g mod p ) = ϕ irreducible of degree k � f � ∞ , � g � ∞ , deg f , deg g small enough s.t. Norm f ( · ), Norm g ( · ) are as small as possible Norm of degree 1 element a − bx ∈ Z [ x ] / ( f ( x )): Norm f ( a − bx ) = � deg f i =0 a i b deg f − i f i More generally, when f is monic: Norm f ( T ) = Res( T , f ) ≤ A (deg f , deg T ) � T � deg f � f � d ∞ ∞ where � f � ∞ = max 0 ≤ i ≤ deg f | f i | Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 10 / 25

Recommend

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides
Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute of Technology Discrete logarithm problem. The discrete logarithm problem (DLP) in a finite cyclic group G : for any pair g , h G find a

673 views • 18 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 , P. Gaudry 2 , N. Heninger 1 , E. Thom e 2 1 U. Penn ; 2 Caramba/Inria/Loria Nov 13rd, 2017 A kilobit hidden SNFS discrete logarithm computation

441 views • 42 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Crypto 2020 Virtual Conference 1/29 The discrete

338 views • 29 slides
Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving RSA-240, DLP-240, RSA-250 Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thom e, Paul Zimmermann ere de l FB:

466 views • 31 slides
Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey Pierrick Gaudry Hamza Jeljeli Emmanuel Thom e Marion Videau Paul Zimmermann CARAMEL project-team, LORIA, INRIA / CNRS / Universit e de

419 views • 22 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de Lorraine, Inria Nancy, France joint work with Razvan Barbulescu, Antoine Joux, Emmanuel Thom RICAM Linz, Austria 1/42 Plan Background Recent

598 views • 49 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly joint work with Taechan Kim and Yongsu Song) Department of Mathematical Sciences and ISaC-RIM Seoul National University December 13, 2013 1 / 41

557 views • 41 slides
The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics University of Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate (encrypt and decrypt)

410 views • 38 slides
A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

ECC, Chennai October 8, 2014 A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 e 2 Emmanuel Thom IMJ-PRG, Paris Loria, Nancy LIP6, Paris R.

606 views • 41 slides
Review - Mathematical Tools &amp; Probability Logarithm Fundamentals of Probability Discrete

Review - Mathematical Tools &amp; Probability Logarithm Fundamentals of Probability Discrete

Mathematical Tools Summation Operator The Natural Review - Mathematical Tools &amp; Probability Logarithm Fundamentals of Probability Discrete &amp; Continuous Random Variable Caio Vigo Features of Probability Distributions Expected

699 views • 50 slides
Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS, Universit de Lorraine, Inria JNCF CIRM November 2014 1/81 Plan Presentation of the problems Cryptographic background Primality,

919 views • 88 slides
Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental Mathematics University of Duisburg-Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate

841 views • 53 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France February 26th, 2020 Northeastern University, Boston

657 views • 40 slides
PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and

PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and

Public Key Cryptography PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and Secure Authentication David Pointcheval Dpartement d Informatique ENS - CNRS David.Pointcheval@ens.fr

266 views • 13 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Computation of a 768-bit prime field discrete logarithm C. Diem, T. Kleinjung, A. K. Lenstra, C.

Computation of a 768-bit prime field discrete logarithm C. Diem, T. Kleinjung, A. K. Lenstra, C.

Computation of a 768-bit prime field discrete logarithm C. Diem, T. Kleinjung, A. K. Lenstra, C. Priplata, C. Stahlke EPF Lausanne (Switzerland), Universit at Leipzig (Germany) 1 / 11 Paris, 1st April 1776 2 / 11 Paris, 1st April 1776

694 views • 30 slides
RNS Arithmetic for Linear Algebra of Discrete Logarithm Computations Using Parallel Architectures

RNS Arithmetic for Linear Algebra of Discrete Logarithm Computations Using Parallel Architectures

RNS Arithmetic for Linear Algebra of Discrete Logarithm Computations Using Parallel Architectures Hamza Jeljeli CARAMEL project-team, LORIA, INRIA / CNRS / Universit e de Lorraine, Hamza.Jeljeli@loria.fr RAIM 2015, Rennes, April 8 th , 2015

227 views • 22 slides
Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields Christophe Petit, Michiel Kosters, Ange Messeng University of Oxford, University of California Irvine, University of Passau Christophe Petit - PKC2016 -

562 views • 41 slides
The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford University Eurocrypt 1 May 2018 Tel Aviv, Israel 38 Signatures (DSA and Schnorr) 39 DH key Signatures exchange (DSA and Schnorr) 40

1.63k views • 134 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides

More recommend