We study an index calculus algorithm to solve the discrete logarithm problem (DLP) in degree 0 class groups of non-hyperelliptic curves of genus 3 over finite fields. We present a heuristic analysis of the algorithm which indicates that the DLP in degree 0 class groups of non-hyperelliptic curves of genus 3 can be solved in an expected time of Õ(q). This heuristic result relies on one heuristic assumption which is studied experimentally. We also present experimental data which show that a variant of the algorithm is faster than the Rho method even for small group sizes, and we address practical limitations of the algorithm.

Abstract. In this paper, we describe many improvements to the number field sieve. Our main contribution consists of a new way to compute individual logarithms with the number field sieve without solving a very large linear system for each logarithm. We show that, with these improvements, the number field sieve outperforms the gaussian integer method in the hundred digit range. We also illustrate our results by successfully computing discrete logarithms with GNFS in a large prime field. 1.

We describe how we reached a new factoring milestone by completing the first special number field sieve factorization of a number having more than 1024 bits, namely the Mersenne number 2 1039 − 1. Although this factorization is orders of magnitude ‘easier ’ than a factorization of a 1024-bit RSA modulus is believed to be, the methods we used to obtain our result shed new light on the feasibility of the latter computation.

This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.

Abstract not found

Abstract. We describe in this article how we have been able to extend the record for computationsof discrete logarithmsin characteristic 2 from the previousrecord over F 2 503 to a newer mark of F 2 607, using Coppersmith’s algorithm. This has been made possible by several practical improvementsto the algorithm. Although the computationshave been carried out on fairly standard hardware, our opinion is that we are nearing the current limitsof the manageable sizesfor thisalgorithm, and that going substantially further will require deeper improvements to the method. 1

Abstract. There are many useful cryptographic schemes, such as ID-based encryption, short signature, keyword searchable encryption, attribute-based encryption, functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairing-based cryptosystems in cryptography. The most essential number-theoretic problem in pairing-based cryptosystems is the discrete logarithm problem (DLP) because pairing-based cryptosystems are no longer secure once the underlining DLP is broken. One efficient bilinear pairing is the ηT pairing defined over a supersingular elliptic curve E on the finite field GF (3 n) for a positive integer n. The embedding degree of the ηT pairing is 6; thus, we can reduce the DLP over E on GF (3 n) to that over the finite field GF (3 6n). In this paper, for breaking the ηT pairing over GF (3 n), we discuss solving the DLP over GF (3 6n) by using the function field sieve (FFS), which is the asymptotically fastest algorithm for solving a DLP over finite fields of small characteristics. We chose the extension degree n = 97 because it has been intensively used in benchmarking tests for the implementation of the ηT pairing, and the order (923-bit) of GF (3 6·97) is substantially larger than the previous world record (676-bit) of solving the DLP by using the FFS. We implemented the FFS for the medium prime case (JL06-FFS), and propose several improvements of the FFS, for example, the lattice sieve for JL06-FFS and the filtering adjusted to the Galois action. Finally, we succeeded in solving the DLP over GF (3 6·97). The entire computational time of our improved FFS requires about 148.2 days using 252 CPU cores. Our computational results contribute to the secure use of pairing-based cryptosystems with the ηT pairing.