Results 1  10
of
28
The function field sieve in the medium prime case
 Advances in Cryptology – EUROCRYPT 2006, LNCS 4004 (2006
"... Abstract. In this paper, we study the application of the function field sieve algorithm for computing discrete logarithms over finite fields of the form Fqn when q is a mediumsized prime power. This approach is an alternative to a recent paper of Granger and Vercauteren for computing discrete logar ..."
Abstract

Cited by 33 (9 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper, we study the application of the function field sieve algorithm for computing discrete logarithms over finite fields of the form Fqn when q is a mediumsized prime power. This approach is an alternative to a recent paper of Granger and Vercauteren for computing discrete logarithms in tori, using efficient torus representations. We show that when q is not too large, a very efficient L(1/3) variation of the function field sieve can be used. Surprisingly, using this algorithm, discrete logarithms computations over some of these fields are even easier than computations in the prime field and characteristic two field cases. We also show that this new algorithm has security implications on some existing cryptosystems, such as torus based cryptography in T30, short signature schemes in characteristic 3 and cryptosystems based on supersingular abelian varieties. On the other hand, cryptosystems involving larger basefields and smaller extension degrees, typically of degree at most 6, such as LUC, XTR or T6 torus cryptography, are not affected. 1
Open Problems in Number Theoretic Complexity, II
"... this paper contains a list of 36 open problems in numbertheoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new ..."
Abstract

Cited by 27 (0 self)
 Add to MetaCart
this paper contains a list of 36 open problems in numbertheoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new problems will emerge and old problems will lose favor. Ideally there will be other `open problems' papers in future ANTS proceedings to help guide the field. It is likely that some of the problems presented here will remain open for the forseeable future. However, it is possible in some cases to make progress by solving subproblems, or by establishing reductions between problems, or by settling problems under the assumption of one or more well known hypotheses (e.g. the various extended Riemann hypotheses, NP 6= P; NP 6= coNP). For the sake of clarity we have often chosen to state a specific version of a problem rather than a general one. For example, questions about the integers modulo a prime often have natural generalizations to arbitrary finite fields, to arbitrary cyclic groups, or to problems with a composite modulus. Questions about the integers often have natural generalizations to the ring of integers in an algebraic number field, and questions about elliptic curves often generalize to arbitrary curves or abelian varieties. The problems presented here arose from many different places and times. To those whose research has generated these problems or has contributed to our present understanding of them but to whom inadequate acknowledgement is given here, we apologize. Our list of open problems is derived from an earlier `open problems' paper we wrote in 1986 [AM86]. When we wrote the first version of this paper, we feared that the problems presented were so difficult...
Improving the complexity of index calculus algorithms in elliptic curves over binary fields
 EUROCRYPT2012
, 2012
"... The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chosen factor ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
(Show Context)
The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chosen factor basis. This part can be nicely reformulated as a purely algebraic problem consisting in finding solutions to a multivariate polynomial f(x1,...,xm) =0 such that x1,...,xm all belong to some vector subspace of F2n/F2. Our main contribution is the identification of particular structures inherent to such polynomial systems and a dedicated method for tackling this problem. We solve it by means of Gröbner basis techniques and analyze its complexity using the multihomogeneous structure of the equations. A direct consequence of our results is an index calculus algorithm solving ECDLP over any binary field F2n in time O(2ω t),with t≈n/2 (provided that a certain heuristic assumption holds). This has to be compared with Diem’s [14]
On polynomial systems arising from a Weil Descent
"... In the last two decades, many computational problems arising in cryptography have been successfully reduced to various systems of polynomial equations. In this paper, we revisit a class of polynomial systems introduced by Faugère, Perret, Petit and Renault. After arguing that these systems are nat ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
In the last two decades, many computational problems arising in cryptography have been successfully reduced to various systems of polynomial equations. In this paper, we revisit a class of polynomial systems introduced by Faugère, Perret, Petit and Renault. After arguing that these systems are natural generalizations of HFE systems, we provide experimental and theoretical evidence that their degrees of regularity are only slightly larger than the original degres of the equations, resulting in a very low complexity compared to generic systems. We then revisit applications to the elliptic curve discrete logarithm problem (ECDLP) for binary curves, to the factorization problem in SL(2, F2n) and to other discrete logarithm problems. As a main consequence, our heuristic analysis implies that Diem’s variant of index calculus for ECDLP requires a subexponential number of bit operations O(2 c n2/3 log n) over the binary field F2n, where c is a constant smaller than 2. According to our estimations, generic discrete logarithm methods are outperformed for any n> N where N ≈ 2000, but elliptic curves of currently recommended key sizes (n ≈ 160) are not immediately threatened. The analysis can be easily generalized to other extension fields.
Function Field Sieve in Characteristic Three
, 2004
"... In this paper we investigate the e#ciency of the function field sieve to compute discrete logarithms in the finite fields F3 n . Motivated by attacks on identity based encryption systems using supersingular elliptic curves, we pay special attention to the case where n is composite. This allows ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
In this paper we investigate the e#ciency of the function field sieve to compute discrete logarithms in the finite fields F3 n . Motivated by attacks on identity based encryption systems using supersingular elliptic curves, we pay special attention to the case where n is composite. This allows
Mathematical Background of Public Key Cryptography
 AGCT 2003), Sémin. Congr
, 2005
"... Abstract. — The two main systems used for public key cryptography are RSA and protocols based on the discrete logarithm problem in some cyclic group. We focus on the latter problem and state cryptographic protocols and mathematical background material. Résumé (Éléments mathématiques de la cryptograp ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
(Show Context)
Abstract. — The two main systems used for public key cryptography are RSA and protocols based on the discrete logarithm problem in some cyclic group. We focus on the latter problem and state cryptographic protocols and mathematical background material. Résumé (Éléments mathématiques de la cryptographie à clef publique). — Les deux systèmes principaux de cryptographie à clef publique sont RSA et le calcul de logarithmes discrets dans un groupe cyclique. Nous nous intéressons aux logarithmes discrets et présentons les faits mathématiques qu’il faut connaître pour apprendre la cryptographie mathématique. 1. Data Security and Arithmetic Cryptography is, in the true sense of the word, a classic discipline: we find it in Mesopotamia and Caesar used it. Typically, the historical examples involve secret services and military. Information is exchanged amongst a limited community in which each member is to be trusted. Like Caesar’s chiffre these systems were entirely symmetric. Thus, the communicating parties needed to have a common key which is used to de and encrypt. The key exchange posed a problem (and gives a marvellous plot for spynovels) but the number of people involved was rather bounded. This has changed dramatically because of electronic communication in public networks. Since 2000 Mathematics Subject Classification. — 11T71. Key words and phrases. — Elliptic curve cryptography, mathematics of public key cryptography, hyperelliptic curves. The authors would like to thank the organizers of the conference for generous support, an interesting program and last but not least for a very inspiring and pleasant atmosphere. The second author acknowledges financial support by STORK
Breaking pairingbased cryptosystems using ηT pairing over GF (3 97)
"... Abstract. There are many useful cryptographic schemes, such as IDbased encryption, short signature, keyword searchable encryption, attributebased encryption, functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairingbased cryptosystems in cryptogr ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
Abstract. There are many useful cryptographic schemes, such as IDbased encryption, short signature, keyword searchable encryption, attributebased encryption, functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairingbased cryptosystems in cryptography. The most essential numbertheoretic problem in pairingbased cryptosystems is the discrete logarithm problem (DLP) because pairingbased cryptosystems are no longer secure once the underlining DLP is broken. One efficient bilinear pairing is the ηT pairing defined over a supersingular elliptic curve E on the finite field GF (3 n) for a positive integer n. The embedding degree of the ηT pairing is 6; thus, we can reduce the DLP over E on GF (3 n) to that over the finite field GF (3 6n). In this paper, for breaking the ηT pairing over GF (3 n), we discuss solving the DLP over GF (3 6n) by using the function field sieve (FFS), which is the asymptotically fastest algorithm for solving a DLP over finite fields of small characteristics. We chose the extension degree n = 97 because it has been intensively used in benchmarking tests for the implementation of the ηT pairing, and the order (923bit) of GF (3 6·97) is substantially larger than the previous world record (676bit) of solving the DLP by using the FFS. We implemented the FFS for the medium prime case (JL06FFS), and propose several improvements of the FFS, for example, the lattice sieve for JL06FFS and the filtering adjusted to the Galois action. Finally, we succeeded in solving the DLP over GF (3 6·97). The entire computational time of our improved FFS requires about 148.2 days using 252 CPU cores. Our computational results contribute to the secure use of pairingbased cryptosystems with the ηT pairing.
Traps to the BGJTAlgorithm for Discrete Logarithms
"... In the recent breakthrough paper by Barbulescu, Gaudry, Joux and Thomé, a quasipolynomial time algorithm (QPA) is proposed for the discrete logarithm problem over finite fields of small characteristic. The time complexity analysis of the algorithm is based on several heuristics presented in their p ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
In the recent breakthrough paper by Barbulescu, Gaudry, Joux and Thomé, a quasipolynomial time algorithm (QPA) is proposed for the discrete logarithm problem over finite fields of small characteristic. The time complexity analysis of the algorithm is based on several heuristics presented in their paper. We show that some of the heuristics are problematic in their original forms, in particular, when the field is not a Kummer extension. We believe that the basic idea behind the new approach should still work, and propose a fix to the algorithm in nonKummer cases, without altering the quasipolynomial time complexity. The modified algorithm is also heuristic. Further study is required in order to fully understand the effectiveness of the new approach. 1
Solving a 676bit discrete logarithm problem
 in GF (3 6n ),” in PKC 2010, LNCS 6056
"... Abstract. Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The T pairing on supersingular curves over GF(3n) is particularly popular since it is efficiently implementable. Taking into account the MenezesOkamotoVanstone (MOV) attack, the d ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The T pairing on supersingular curves over GF(3n) is particularly popular since it is efficiently implementable. Taking into account the MenezesOkamotoVanstone (MOV) attack, the discrete logarithm problem (DLP) in GF(36n) becomes a concern for the security of cryptosystems using T pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06FFS. We have, however, not yet found any practical implementations on JL06FFS over GF(36n). Therefore, we first fulfill such an implementation and we successfully set a new record for solving the DLP in GF(36n), the DLP in GF(3671) of 676bit size. In addition, we also compare JL06FFS and an earlier version, named JL02FFS, with practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions. Key words: function field sieve, discrete logarithm problem, pairingbased cryptosystems 1