Solving a 6120-bit DLP on a Desktop Computer Faruk G olo glu, - PowerPoint PPT Presentation

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Solving a 6120-bit DLP on a Desktop Computer Faruk G¨ olo˘ glu, Robert Granger , Gary McGuire, and Jens Zumbr¨ agel Claude Shannon Institute Complex & Adaptive Systems Laboratory School of Mathematical Sciences University College Dublin, Ireland 15th August, SAC 2013

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Our Contributions Practical Results:

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Our Contributions Practical Results: • Set a DLP record in F 2 6120 = F (2 8 · 3 ) 28 − 1 , in 750 core-hours:

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Our Contributions Practical Results: • Set a DLP record in F 2 6120 = F (2 8 · 3 ) 28 − 1 , in 750 core-hours: • Bitlength is 50% bigger than the previous record, set by Joux in F 2 4080 = F (2 8 · 2 ) 28 − 1 , but required only 5% of the core-hours

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Our Contributions Practical Results: • Set a DLP record in F 2 6120 = F (2 8 · 3 ) 28 − 1 , in 750 core-hours: • Bitlength is 50% bigger than the previous record, set by Joux in F 2 4080 = F (2 8 · 2 ) 28 − 1 , but required only 5% of the core-hours Theoretical Results:

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Our Contributions Practical Results: • Set a DLP record in F 2 6120 = F (2 8 · 3 ) 28 − 1 , in 750 core-hours: • Bitlength is 50% bigger than the previous record, set by Joux in F 2 4080 = F (2 8 · 2 ) 28 − 1 , but required only 5% of the core-hours Theoretical Results: • Optimised Joux’s L Q (1 / 4 + o (1)) algorithm to give an L Q (1 / 4 , ( ω/ 8) 1 / 4 ) algorithm for Q ≈ ( q k ) q , k ≥ 2, q → ∞

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Overview Big Field Hunting Solving the DLP in F 2 6120 Complexity Considerations

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Polynomial Time Relation Generation [GGMZ13] Setup for F ( q k ) n with k ≥ 3, n ≤ qd 1 and d 1 ≥ 1 (cf. [JL06]):

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Polynomial Time Relation Generation [GGMZ13] Setup for F ( q k ) n with k ≥ 3, n ≤ qd 1 and d 1 ≥ 1 (cf. [JL06]): • Search for g 1 ( X ) ∈ F q k [ X ] s.t. X − g 1 ( X q ) ≡ 0 (mod f ( X )) with deg( g 1 ) = d 1 , f irreducible and deg( f ) = n • Let F ( q k ) n = F q k ( x ) with x a root of f ( X ) • Let y = x q , so that one has x = g 1 ( y ) in F ( q k ) n • Factor base is { x − a | a ∈ F q k }

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Polynomial Time Relation Generation [GGMZ13] Setup for F ( q k ) n with k ≥ 3, n ≤ qd 1 and d 1 ≥ 1 (cf. [JL06]): • Search for g 1 ( X ) ∈ F q k [ X ] s.t. X − g 1 ( X q ) ≡ 0 (mod f ( X )) with deg( g 1 ) = d 1 , f irreducible and deg( f ) = n • Let F ( q k ) n = F q k ( x ) with x a root of f ( X ) • Let y = x q , so that one has x = g 1 ( y ) in F ( q k ) n • Factor base is { x − a | a ∈ F q k } Relation generation:

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Polynomial Time Relation Generation [GGMZ13] Setup for F ( q k ) n with k ≥ 3, n ≤ qd 1 and d 1 ≥ 1 (cf. [JL06]): • Search for g 1 ( X ) ∈ F q k [ X ] s.t. X − g 1 ( X q ) ≡ 0 (mod f ( X )) with deg( g 1 ) = d 1 , f irreducible and deg( f ) = n • Let F ( q k ) n = F q k ( x ) with x a root of f ( X ) • Let y = x q , so that one has x = g 1 ( y ) in F ( q k ) n • Factor base is { x − a | a ∈ F q k } Relation generation: • Considering elements xy + ay + bx + c with a , b , c ∈ F q k , one obtains the F ( q k ) n -equality x q +1 + ax q + bx + c = yg 1 ( y ) + ay + bg 1 ( y ) + c • When both sides split over F q k one obtains a relation

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Bluher Polynomials Consider the l.h.s. polynomial x q +1 + ax q + bx + c .

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Bluher Polynomials Consider the l.h.s. polynomial x q +1 + ax q + bx + c . If ab � = c and a q � = b , this may be transformed into B = ( b − a q ) q +1 F B ( x ) = x q +1 + Bx + B , with , ( c − ab ) q via x = c − ab b − a q x − a .

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Bluher Polynomials Consider the l.h.s. polynomial x q +1 + ax q + bx + c . If ab � = c and a q � = b , this may be transformed into B = ( b − a q ) q +1 F B ( x ) = x q +1 + Bx + B , with , ( c − ab ) q via x = c − ab b − a q x − a . Theorem ( Bluher 2004, Helleseth-Kholosha 2010 ) The number of elements B ∈ F × q k such that the polynomial F B ( X ) ∈ F q k [ X ] splits completely over F q k equals q k − 1 − 1 q k − 1 − q if k is odd , if k is even . q 2 − 1 q 2 − 1

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Polynomial Time Relation Generation [GGMZ13] q k | X q +1 + BX + B splits over F q k } • Let S B = { B ∈ F ×

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Polynomial Time Relation Generation [GGMZ13] q k | X q +1 + BX + B splits over F q k } • Let S B = { B ∈ F × • Since B = ( b − a q ) q +1 / ( c − ab ) q , for any a , b ∈ F q k s.t. b � = a q , and B ∈ S B , there exists a unique c ∈ F q k s.t. x q +1 + ax q + bx + c splits over F q k

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Polynomial Time Relation Generation [GGMZ13] q k | X q +1 + BX + B splits over F q k } • Let S B = { B ∈ F × • Since B = ( b − a q ) q +1 / ( c − ab ) q , for any a , b ∈ F q k s.t. b � = a q , and B ∈ S B , there exists a unique c ∈ F q k s.t. x q +1 + ax q + bx + c splits over F q k • For each such ( a , b , c ), test if r.h.s. yg 1 ( y ) + ay + bg 1 ( y ) + c splits; if so then have a relation

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Polynomial Time Relation Generation [GGMZ13] q k | X q +1 + BX + B splits over F q k } • Let S B = { B ∈ F × • Since B = ( b − a q ) q +1 / ( c − ab ) q , for any a , b ∈ F q k s.t. b � = a q , and B ∈ S B , there exists a unique c ∈ F q k s.t. x q +1 + ax q + bx + c splits over F q k • For each such ( a , b , c ), test if r.h.s. yg 1 ( y ) + ay + bg 1 ( y ) + c splits; if so then have a relation • If q 3 k − 3 > q k ( d 1 + 1)! then expect to compute logs of degree 1 elements in time O ( q 2 k +1 ) �

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Kummer Extensions = ⇒ More Efficient Attacks The solution of DLPs in F p 47 , F p 57 , F 2 1778 , F 2 1971 , F 2 3164 and F 2 4080 all used Kummer extensions.

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Kummer Extensions = ⇒ More Efficient Attacks The solution of DLPs in F p 47 , F p 57 , F 2 1778 , F 2 1971 , F 2 3164 and F 2 4080 all used Kummer extensions. Why? Factor base-preserving automorphisms reduce effective size of factor base = ⇒ relation finding & linear algebra become faster.

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Kummer Extensions = ⇒ More Efficient Attacks The solution of DLPs in F p 47 , F p 57 , F 2 1778 , F 2 1971 , F 2 3164 and F 2 4080 all used Kummer extensions. Why? Factor base-preserving automorphisms reduce effective size of factor base = ⇒ relation finding & linear algebra become faster. Observe that F 2 1778 and F 2 4080 are of the form F ( q 2 ) q − 1 , for which:

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Kummer Extensions = ⇒ More Efficient Attacks The solution of DLPs in F p 47 , F p 57 , F 2 1778 , F 2 1971 , F 2 3164 and F 2 4080 all used Kummer extensions. Why? Factor base-preserving automorphisms reduce effective size of factor base = ⇒ relation finding & linear algebra become faster. Observe that F 2 1778 and F 2 4080 are of the form F ( q 2 ) q − 1 , for which: • Degree 1 logs cost � O ( q 3 ) for K.E., or � O ( q 5 ) otherwise • Degree 2 logs cost � O ( q 6 ) for K.E., or � O ( q 7 ) otherwise

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations Kummer Extensions = ⇒ More Efficient Attacks The solution of DLPs in F p 47 , F p 57 , F 2 1778 , F 2 1971 , F 2 3164 and F 2 4080 all used Kummer extensions. Why? Factor base-preserving automorphisms reduce effective size of factor base = ⇒ relation finding & linear algebra become faster. Observe that F 2 1778 and F 2 4080 are of the form F ( q 2 ) q − 1 , for which: • Degree 1 logs cost � O ( q 3 ) for K.E., or � O ( q 5 ) otherwise • Degree 2 logs cost � O ( q 6 ) for K.E., or � O ( q 7 ) otherwise However, for F ( q k ) q ± 1 with k ≥ 4 one can compute logs of degree two elements on the fly [GGMZ13].

Big Field Hunting Solving the DLP in F 26120 Complexity Considerations New Degree 2 elimination for K.E.’s and k ≥ 3 Let q ( x ) := x 2 + q 1 x + q 0 ∈ F ( q k ) q − 1 be an element to be written as a product of linear elements.