Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u GF(q) is that integer k, 1 k q - 1, for which u = g k . The well-known problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields GF(2 n ). It appears that in order to be safe from attacks using these algorithms, the value of n for which GF(2 n ) is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields GF(2 n ) are much easier to compute than in fields GF(p) with p prime. Hence the fields GF(2 n ) ought to be avoided in all cryptographic applications. On the other hand, ...

{ A new knapsack type public key cryptosystem is introduced. The system is based on a novel application of arithmetic in nite elds, following a construction by Bose and Chowla. By appropriately choosing the parameters, one can control the density of the resulting knapsack, which is the ratio between the number of elements in the knapsack and their size in bits. In particular, the density can be made high enough to foil \low density" attacks against our system. At the moment, no attacks capable of \breaking" this system in a reasonable amount of time are known. Research supported by NSF grant MCS{8006938. Part of this research was done while the rst author was visiting Bell Laboratories, Murray Hill, NJ. A preliminary version of this work was presented in Crypto 84 and has appeared in [8]. 1 1.

Abstract. Recently an efficient solution to the discrete logarithm prob-lem on elliptic curves over F, with p points (p: prime), so-called anorna-lous curues, was independently discovered by Semaev [14], Smart [17], and Satoh and Araki [12]. Since the solution is very efficient, i.e., 0(lpl3), the Semaev-Smart-Satoh-Araki (SSSA) algorithm implies the possibil-ity of realizing a trapdoor for the discrete logarithm problem, and we have tried to utilize the SSSA algorithm for constructing a cryptographic scheme. One of our trials was to realize an identity-based cryptosystem (key-distribution) which has been proven to be as secure as a prim-itive problem, called the Diffie-Hellman problem on an elliptic curve over Z/nZ (n = pq, p and q are primes) where Ep and E, are anoma-lous curves (anomalous En-Diffie-Hellman problem). Unfortunately we have found that the anomalous En-Diffie-Hellman problem is not secure (namely, our scheme is not secure). First, this paper introduces our trial of realizing an identity-based cryptosystem based on the SSSA algorithm, and then shows why the anomalous En-Diffie-Hellman problem is not se-cure. In addition, we generalize the observation of our breaking algorithm and present reductions of factoring n to computing the order ’ of an el-liptic curve over Z/nZ. (These reductions roughly imply the equivalence of intractability between factoring and computing elliptic curve’s order.) The algorithm of breaking our identity-based cryptosystem is considered to be a special case of these reductions, and the essential reason why our system was broken can be clarified through these reductions: En in our system is a very specific curve such that the order of En (i.e., n) is trivially known.