Results 1 - 10 of 20
The function field sieve in the medium prime case
Advances in Cryptology – EUROCRYPT 2006, LNCS 4004 (2006
Cited by 27 (8 self)
Abstract. In this paper, we study the application of the function field sieve algorithm for computing discrete logarithms over finite fields of the form F_{q^n} when q is a medium-sized prime power. This approach is an alternative to a recent paper of Granger and Vercauteren for computing discrete logarithms in tori, using efficient torus representations. We show that when q is not too large, a very efficient L(1/3) variation of the function field sieve can be used. Surprisingly, using this algorithm, discrete logarithms computations over some of these fields are even easier than computations in the prime field and characteristic two field cases. We also show that this new algorithm has security implications on some existing cryptosystems, such as torus based cryptography in T_30, short signature schemes in characteristic 3 and cryptosystems based on supersingular abelian varieties. On the other hand, cryptosystems involving larger basefields and smaller extension degrees, typically of degree at most 6, such as LUC, XTR or T_6 torus cryptography, are not affected.
Open Problems in Number Theoretic Complexity, II
Cited by 26 (0 self)
this paper contains a list of 36 open problems in number-theoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new problems will emerge and old problems will lose favor. Ideally there will be other 'open problems' papers in future ANTS proceedings to help guide the field. It is likely that some of the problems presented here will remain open for the foreseeable future. However, it is possible in some cases to make progress by solving subproblems, or by establishing reductions between problems, or by settling problems under the assumption of one or more well known hypotheses (e.g. the various extended Riemann hypotheses, NP ≠ P; NP ≠ coNP). For the sake of clarity we have often chosen to state a specific version of a problem rather than a general one. For example, questions about the integers modulo a prime often have natural generalizations to arbitrary finite fields, to arbitrary cyclic groups, or to problems with a composite modulus. Questions about the integers often have natural generalizations to the ring of integers in an algebraic number field, and questions about elliptic curves often generalize to arbitrary curves or abelian varieties. The problems presented here arose from many different places and times. To those whose research has generated these problems or has contributed to our present understanding of them but to whom inadequate acknowledgement is given here, we apologize. Our list of open problems is derived from an earlier 'open problems' paper we wrote in 1986 [AM86]. When we wrote the first version of this paper, we feared that the problems presented were so difficult...
Improving the complexity of index calculus algorithms in elliptic curves over binary fields
EUROCRYPT 2012, 2012
Cited by 10 (2 self)
The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chosen factor basis. This part can be nicely reformulated as a purely algebraic problem consisting in finding solutions to a multivariate polynomial f(x_1, ..., x_m) = 0 such that x_1, ..., x_m all belong to some vector subspace of F_{2^n}/F_2. Our main contribution is the identification of particular structures inherent to such polynomial systems and a dedicated method for tackling this problem. We solve it by means of Gröbner basis techniques and analyze its complexity using the multihomogeneous structure of the equations. A direct consequence of our results is an index calculus algorithm solving ECDLP over any binary field F_{2^n} in time O(2^{ω t}), with t ≈ n/2 (provided that a certain heuristic assumption holds). This has to be compared with Diem’s [14]
Function Field Sieve in Characteristic Three
2004
Cited by 8 (4 self)
In this paper we investigate the efficiency of the function field sieve to compute discrete logarithms in the finite fields F_{3^n}. Motivated by attacks on identity based encryption systems using supersingular elliptic curves, we pay special attention to the case where n is composite. This allows
Mathematical Background of Public Key Cryptography
AGCT 2003), Sémin. Congr, 2005
Cited by 6 (4 self)
Abstract. — The two main systems used for public key cryptography are RSA and protocols based on the discrete logarithm problem in some cyclic group. We focus on the latter problem and state cryptographic protocols and mathematical background material. Résumé (Mathematical elements of public key cryptography). — The two main public key cryptography systems are RSA and the computation of discrete logarithms in a cyclic group. We are interested in discrete logarithms and present the mathematical facts one needs to know in order to learn mathematical cryptography. 1. Data Security and Arithmetic Cryptography is, in the true sense of the word, a classic discipline: we find it in Mesopotamia and Caesar used it. Typically, the historical examples involve secret services and military. Information is exchanged amongst a limited community in which each member is to be trusted. Like Caesar’s chiffre these systems were entirely symmetric. Thus, the communicating parties needed to have a common key which is used to de- and encrypt. The key exchange posed a problem (and gives a marvellous plot for spy-novels) but the number of people involved was rather bounded. This has changed dramatically because of electronic communication in public networks. Since 2000 Mathematics Subject Classification. — 11T71. Key words and phrases. — Elliptic curve cryptography, mathematics of public key cryptography, hyperelliptic curves. The authors would like to thank the organizers of the conference for generous support, an interesting program and last but not least for a very inspiring and pleasant atmosphere. The second author acknowledges financial support by STORK
On polynomial systems arising from a Weil Descent
Cited by 6 (0 self)
In the last two decades, many computational problems arising in cryptography have been successfully reduced to various systems of polynomial equations. In this paper, we revisit a class of polynomial systems introduced by Faugère, Perret, Petit and Renault. After arguing that these systems are natural generalizations of HFE systems, we provide experimental and theoretical evidence that their degrees of regularity are only slightly larger than the original degrees of the equations, resulting in a very low complexity compared to generic systems. We then revisit applications to the elliptic curve discrete logarithm problem (ECDLP) for binary curves, to the factorization problem in SL(2, F_{2^n}) and to other discrete logarithm problems. As a main consequence, our heuristic analysis implies that Diem’s variant of index calculus for ECDLP requires a subexponential number of bit operations O(2^{c n^{2/3} log n}) over the binary field F_{2^n}, where c is a constant smaller than 2. According to our estimations, generic discrete logarithm methods are outperformed for any n > N where N ≈ 2000, but elliptic curves of currently recommended key sizes (n ≈ 160) are not immediately threatened. The analysis can be easily generalized to other extension fields.
Using C_ab Curves in the Function Field Sieve
1999
Cited by 4 (0 self)
F6.97> j # IF p [x, y] satisfying the following 8 conditions: 1. H is absolutely irreducible. 2. H(x,m) is divisible by f . 3. h d,d # 1 = 1. 4. # d i=0 h i,d # 1 y i # IF p [y] is squarefree. 5. h 0,d # 1  = 0. 6. # d # 1 j=0 h d,j x j # IF p [x] is squarefree. 7. h d,0  = 0. 8. The order of the Jacobian of the curve defined by H(x, y) is relatively prime to (p n  1)/(p <
Breaking pairing-based cryptosystems using η_T pairing over GF(3^97)
Cited by 4 (0 self)
Abstract. There are many useful cryptographic schemes, such as ID-based encryption, short signature, keyword searchable encryption, attribute-based encryption, functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairing-based cryptosystems in cryptography. The most essential number-theoretic problem in pairing-based cryptosystems is the discrete logarithm problem (DLP) because pairing-based cryptosystems are no longer secure once the underlining DLP is broken. One efficient bilinear pairing is the η_T pairing defined over a supersingular elliptic curve E on the finite field GF(3^n) for a positive integer n. The embedding degree of the η_T pairing is 6; thus, we can reduce the DLP over E on GF(3^n) to that over the finite field GF(3^{6n}). In this paper, for breaking the η_T pairing over GF(3^n), we discuss solving the DLP over GF(3^{6n}) by using the function field sieve (FFS), which is the asymptotically fastest algorithm for solving a DLP over finite fields of small characteristics. We chose the extension degree n = 97 because it has been intensively used in benchmarking tests for the implementation of the η_T pairing, and the order (923-bit) of GF(3^{6·97}) is substantially larger than the previous world record (676-bit) of solving the DLP by using the FFS. We implemented the FFS for the medium prime case (JL06-FFS), and propose several improvements of the FFS, for example, the lattice sieve for JL06-FFS and the filtering adjusted to the Galois action. Finally, we succeeded in solving the DLP over GF(3^{6·97}). The entire computational time of our improved FFS requires about 148.2 days using 252 CPU cores. Our computational results contribute to the secure use of pairing-based cryptosystems with the η_T pairing.
Relation collection for the Function Field Sieve
Cited by 2 (1 self)
Abstract—In this paper, we focus on the relation collection step of the Function Field Sieve (FFS), which is to date the best algorithm known for computing discrete logarithms in small-characteristic finite fields of cryptographic sizes. Denoting such a finite field by F_{p^n}, where p is much smaller than n, the main idea behind this step is to find polynomials of the form a(t) − b(t)x in F_p[t][x] which, when considered as principal ideals in carefully selected function fields, can be factored into products of low-degree prime ideals. Such polynomials are called “relations”, and current record-sized discrete-logarithm computations need billions of those. Collecting relations is therefore a crucial and extremely expensive step in FFS, and a practical implementation thereof requires heavy use of cache-aware sieving algorithms, along with efficient polynomial arithmetic over F_p[t]. This paper presents the algorithmic and arithmetic techniques which were put together as part of a new public implementation of FFS, aimed at medium to record-sized computations. Keywords: function field sieve; discrete logarithm; polynomial arithmetic; finite-field arithmetic.
Computation of discrete logarithms in F_{2^607}
In Advances in Cryptology (AsiaCrypt 2001), Springer LNCS 2248
Cited by 1 (0 self)
Abstract. We describe in this article how we have been able to extend the record for computations of discrete logarithms in characteristic 2 from the previous record over F_{2^503} to a newer mark of F_{2^607}, using Coppersmith’s algorithm. This has been made possible by several practical improvements to the algorithm. Although the computations have been carried out on fairly standard hardware, our opinion is that we are nearing the current limits of the manageable sizes for this algorithm, and that going substantially further will require deeper improvements to the method.