New Complexity Trade-Offs for the (Multiple) Number Field Sieve Algorithm in Non-Prime Fields
Palash Sarkar and Shashank Singh
Indian Statistical Institute, Kolkata
May 2016, Eurocrypt 2016
NUMBER FIELD SIEVE FOR DLP IN $\mathbb{F}_{p^n}$

Choose $f(x), g(x) \in \mathbb{Z}[x]$ such that $f(x) \bmod p$ and $g(x) \bmod p$ have a common irreducible factor $\phi(x)$ of degree $n$ over $\mathbb{F}_p$.

\[
\mathbb{Q}(\alpha) := \mathbb{Q}[x]/\langle f(x) \rangle, \qquad
\mathbb{Q}(\beta) := \mathbb{Q}[x]/\langle g(x) \rangle \qquad \text{and} \qquad
\mathbb{F}_{p^n} := \mathbb{F}_p[x]/\langle \phi(x) \rangle = \mathbb{F}_p(m), \; m \in \mathbb{F}_{p^n}.
\]

Commutative diagram: $\mathbb{Z}[x] \to \mathbb{Q}(\alpha)$ via $x \mapsto \alpha$ and $\mathbb{Z}[x] \to \mathbb{Q}(\beta)$ via $x \mapsto \beta$; both number fields are then mapped onto $\mathbb{F}_p(m)$ via $\bar{\alpha} \mapsto m$ and $\bar{\beta} \mapsto m$.

For a sieving polynomial $\varphi(x) \in \mathbb{Z}[x]$:

Ideal factorisation (the norms are obtained by factoring $\mathrm{Res}(f, \varphi)$ and $\mathrm{Res}(g, \varphi)$):
\[
\varphi(\alpha)\mathcal{O}_1 = \prod_i \mathfrak{a}_i^{e_i}, \qquad
\varphi(\beta)\mathcal{O}_2 = \prod_i \mathfrak{b}_i^{\ell_i}.
\]

Ideal to element ($h_1, h_2$ class numbers, $u_1, u_2$ units):
\[
\varphi(\alpha)^{h_1} = u_1 \prod_i a_i^{e_i}, \qquad
\varphi(\beta)^{h_2} = u_2 \prod_i b_i^{\ell_i}.
\]

Since $\varphi(\alpha)$ and $\varphi(\beta)$ have the same image $\varphi(m)$ in $\mathbb{F}_p(m)$, we get a relation.

Kalkbrener bound: with $t = \deg(\varphi) + 1$ and the coefficients of $\varphi$ in $[-E^{2/t}, E^{2/t}]$,
\[
\left| \mathrm{Res}(f, \varphi) \times \mathrm{Res}(g, \varphi) \right| \approx
\left( \|f\|_\infty \, \|g\|_\infty \right)^{t-1} E^{2(\deg f + \deg g)/t}.
\]
NOTATION: Let $\phi(x) = x^n + \phi_{n-1} x^{n-1} + \cdots + \phi_1 x + \phi_0$ and $r \ge \deg(\phi)$. Let $M_{\phi, r}$ be the $(r+1) \times (r+1)$ matrix whose rows are the coefficient vectors of $p, px, \ldots, px^{n-1}, \phi(x), x\phi(x), \ldots, x^{r-n}\phi(x)$:

\[
M_{\phi, r} =
\begin{pmatrix}
p      &        &        &              &        &        &   \\
       & p      &        &              &        &        &   \\
       &        & \ddots &              &        &        &   \\
       &        &        & p            &        &        &   \\
\phi_0 & \phi_1 & \cdots & \phi_{n-1}   & 1      &        &   \\
       & \ddots & \ddots &              & \ddots & \ddots &   \\
       &        & \phi_0 & \phi_1       & \cdots & \phi_{n-1} & 1
\end{pmatrix}
\quad
\begin{matrix} p \\ px \\ \vdots \\ px^{n-1} \\ \phi(x) \\ \vdots \\ x^{r-n}\phi(x) \end{matrix}
\]

Apply the LLL algorithm to $M_{\phi, r}$ and let the first row of the resulting LLL-reduced matrix be $[g_0, g_1, \ldots, g_{r-1}, g_r]$. Define
\[
g(x) = g_0 + g_1 x + \cdots + g_{r-1} x^{r-1} + g_r x^r. \tag{1}
\]
Notation: $g = \mathrm{LLL}(M_{\phi, r})$.
SOME OF THE POLYNOMIAL SELECTION METHODS

Given $n$ and $p$, choose $f(x), g(x) \in \mathbb{Z}[x]$ such that $f(x) \bmod p$ and $g(x) \bmod p$ have a common irreducible factor $\phi(x)$ of degree $n$ over $\mathbb{F}_p$.

Algorithm: Generalised Joux-Lercier (GJL) [Barbulescu et al., D. Matyukhin]
Let $r \ge n$;
repeat
  ◮ Choose $f(x)$ irreducible of degree $r + 1$ in $\mathbb{Z}[x]$, having small coefficients ($= O(\ln p)$).
  ◮ Modulo $p$, $f(x)$ has a factor $\phi(x)$ of degree $n$.
  ◮ $g(x) = \mathrm{LLL}(M_{\phi, r})$.
until $f(x)$ and $g(x)$ are irreducible over $\mathbb{Z}$ and $\phi(x)$ is irreducible over $\mathbb{F}_p$;
Note: $\deg(f) = r + 1$, $\deg(g) = r$, $\|f\|_\infty = O(\ln p)$ and $\|g\|_\infty = O\!\left(p^{n/(r+1)}\right)$.

Algorithm: Conjugation Method (Conj) [Barbulescu et al.]
Let $r \ge n$;
repeat
  ◮ Choose a monic quadratic $\mu(x)$, irreducible in $\mathbb{Z}[x]$, having small coefficients ($= O(\ln p)$) and a root $t$ in $\mathbb{F}_p$.
  ◮ Choose $g_0(x)$ and $g_1(x)$ with small coefficients such that $\deg g_1 < \deg g_0 = n$.
  ◮ Let $(u, v)$ be such that $t \equiv u/v \bmod p$ (obtained using LLL).
  ◮ $g(x) = v\, g_0(x) + u\, g_1(x)$, $\quad f(x) = \mathrm{Res}_y\!\left( \mu(y),\, g_0(x) + y\, g_1(x) \right)$.
until $f(x)$ and $g(x)$ are irreducible over $\mathbb{Z}$ and $\phi(x)$ is irreducible over $\mathbb{F}_p$;
Note: $\deg(g) = n$, $\|g\|_\infty = O(\sqrt{p})$; $\deg(f) = 2n$, $\|f\|_\infty = O(\ln p)$.
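The Conjugation method worked on a constructed toy instance ($p = 7$, $n = 2$), as an added example that is not code from the talk or its authors. It spells out $\mathrm{Res}_y(\mu(y), g_0 + y g_1)$ for a monic quadratic $\mu$ and replaces the LLL step for $(u, v)$ with extended-Euclid rational reconstruction, which yields the same $|u|, |v| \approx \sqrt{p}$ bound; it then checks that $f \bmod p$ and $g \bmod p$ share a degree-$n$ factor $\phi$.

```python
# Conjugation method (Barbulescu et al.) polynomial selection on a toy instance.
# Polynomials are integer coefficient lists, lowest degree first.
def padd(a, b):
    n = max(len(a), len(b))
    return [x + y for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))]

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def trim(a, p):  # reduce coefficients mod p and drop leading zeros
    a = [x % p for x in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def pmod(a, b, p):  # remainder of a divided by b over F_p (b nonzero mod p)
    a, b = trim(a, p), trim(b, p)
    inv = pow(b[-1], -1, p)
    while len(a) >= len(b):
        c, shift = a[-1] * inv % p, len(a) - len(b)
        a = trim(padd(a, [0] * shift + [-c * x for x in b]), p)
    return a

def pgcd_mod(a, b, p):  # monic gcd over F_p
    a, b = trim(a, p), trim(b, p)
    while b:
        a, b = b, pmod(a, b, p)
    return trim([pow(a[-1], -1, p) * x for x in a], p)

def rational_reconstruct(t, p):
    # (u, v) with t = u/v mod p and |u|, |v| about sqrt(p); extended Euclid
    # stands in for the small LLL step the slide uses to find (u, v).
    r0, r1, s0, s1 = p, t % p, 0, 1
    while r1 * r1 > p:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    return r1, s1

def conjugation_select(mu, t, g0, g1, p):
    # mu = [b, a, 1] is the monic quadratic y^2 + a*y + b with root t mod p, so
    # Res_y(mu(y), g0 + y*g1) = prod over roots y_i of (g0 + y_i*g1) = g0^2 - a*g0*g1 + b*g1^2.
    b, a, _ = mu
    f = padd(padd(pmul(g0, g0), [-a * x for x in pmul(g0, g1)]), [b * x for x in pmul(g1, g1)])
    u, v = rational_reconstruct(t, p)
    g = padd([v * x for x in g0], [u * x for x in g1])  # g = v*g0 + u*g1
    phi = pgcd_mod(f, g, p)  # common factor mod p; has degree n by construction
    return f, g, phi

# Constructed toy instance: mu(y) = y^2 - 2 has root t = 3 mod 7; g0 = x^2 + x + 1, g1 = x.
F, G, PHI = conjugation_select([-2, 0, 1], 3, [1, 1, 1], [0, 1], 7)
```

Here $\phi = x^2 + 4x + 1$ is irreducible over $\mathbb{F}_7$ (its discriminant $5$ is a non-square mod $7$), $\deg f = 2n = 4$ and $\deg g = n = 2$, matching the degree and norm profile stated on the slide.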
BASIC IDEA

We note the following:
  ◮ Both the GJL and the Conjugation methods use LLL, directly or indirectly.
  ◮ GJL uses all the coefficients of $\phi(x)$ for the LLL step.
  ◮ Conjugation uses only one coefficient for LLL.
  ◮ Is there anything in between? The answer is YES, and it is given by a new polynomial selection algorithm which subsumes and generalises both the GJL and the Conjugation methods.
  ◮ The new polynomial selection algorithm is parametrised by a divisor $d$ of $n$ and a value $r \ge n/d$.
Algorithm $\mathcal{A}$: A new method of polynomial selection.
Input: $p$, $n$, $d$ (a factor of $n$) and $r \ge n/d$.
Output: $f(x)$, $g(x)$ and $\phi(x)$.
Let $k = n/d$;
repeat
  Randomly choose a monic irreducible $A_1(x)$ with small coefficients and $\deg A_1 = r + 1$ such that, mod $p$, $A_1(x)$ has an irreducible factor $A_2(x)$ of degree $k$.
  Choose monic $C_0(x)$ and $C_1(x)$ with $\deg C_0 = d$ and $\deg C_1 < d$.
  Define
    $f(x) = \mathrm{Res}_y\!\left( A_1(y),\, C_0(x) + y\, C_1(x) \right)$;
    $\phi(x) = \mathrm{Res}_y\!\left( A_2(y),\, C_0(x) + y\, C_1(x) \right) \bmod p$;
    $\psi(x) = \mathrm{LLL}(M_{A_2, r})$;
    $g(x) = \mathrm{Res}_y\!\left( \psi(y),\, C_0(x) + y\, C_1(x) \right)$.
until $f(x)$ and $g(x)$ are irreducible over $\mathbb{Z}$ and $\phi(x)$ is irreducible over $\mathbb{F}_p$;
return $f(x)$, $g(x)$ and $\phi(x)$.