
## IMPROVEMENTS TO THE NUMBER FIELD SIEVE FOR NON-PRIME FINITE FIELDS (2014)

### Citations

398 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance,
- Pohlig, Hellman
- 1978
Citation Context ...In principle, the coefficient ring of the matrix is $\mathbb{Z}/(p^n - 1)\mathbb{Z}$, but it is enough to solve it modulo each prime divisor $\ell$ of $p^n - 1$ and then to recombine the results using the Pohlig-Hellman algorithm [PH78]. Since one can use Pollard’s method [Pol78] for small primes $\ell$, we can suppose that $\ell$ is larger than $L_{p^n}(1/3)$. It allows us then to assume that $\ell$ is coprime to Disc(f), Disc(g), the class numbers of ... |

290 |
Monte Carlo Methods for Index Computation (mod p),
- Pollard
- 1978
Citation Context ...atrix is $\mathbb{Z}/(p^n - 1)\mathbb{Z}$, but it is enough to solve it modulo each prime divisor $\ell$ of $p^n - 1$ and then to recombine the results using the Pohlig-Hellman algorithm [PH78]. Since one can use Pollard’s method [Pol78] for small primes $\ell$, we can suppose that $\ell$ is larger than $L_{p^n}(1/3)$. It allows us then to assume that $\ell$ is coprime to Disc(f), Disc(g), the class numbers of $K_f$ and $K_g$, and the orders of the roots of un... |

218 |
Solving sparse linear equations over finite fields.
- Wiedemann
- 1986
Citation Context ...ents. We recall this notion in Section 2.2. We make the usual heuristic that this system has a space of solutions of dimension one. Since the system is sparse, an iterative algorithm like Wiedemann’s [Wie86] is used to compute a non-zero solution in quasi-quadratic time. This gives the (virtual) logarithms of all the factor base elements. In principle, the coefficient ring of the matrix is $\mathbb{Z}/(p^n - 1)\mathbb{Z}$, b... |

152 |
The Development of the Number Field Sieve.
- Lenstra, Lenstra
- 1993
Citation Context ... to compute a generator for each ideal in the factor base, and therefore the polynomial must have small coefficients (and small class number). A lot of techniques and algorithms are well described in [LL93]. These include generating units and generators in some box or ellipsoid of small lengths, and recovery of units using floating point computations. These are quite easy to implement and are fast in pr... |

88 | Discrete logarithms in GF(p) using the number field sieve - Gordon - 1993 |

56 | The number field sieve in the medium prime case
- Joux, Lercier, et al.
- 2006
Citation Context ...014. This research was partially funded by Agence Nationale de la Recherche grant ANR-12-BS02-001-01. ... variant by Joux, Lercier, Smart and Vercauteren [JLSV06] who showed how to get the same complexity in the whole range of fields of large characteristic. The case of medium characteristic was also tackled in the same article, thus getting a complexity of $L_Q$... |

54 | A quasipolynomial algorithm for discrete logarithm in finite fields of small characteristic - Barbulescu, Gaudry, et al. |

41 | The function field sieve - Adleman - 1994 |

39 | A new index calculus algorithm with complexity l(1/4+o(1)) in very small characteristic. IACR Cryptology ePrint Archive - Joux - 2013 |

38 | Function Field Sieve Method for Discrete Logarithms over Finite Fields - Adleman, Huang - 1999 |

32 | On the function field sieve and the impact of higher splitting probabilities: Application to discrete logarithms in F . Cryptology ePrint Archive, Report 2013/074 - Gologlu, Granger, et al. - 2013 |

27 |
Discrete logarithms and local units
- Schirokauer
- 1993
Citation Context ...orms are coprime to $\ell$. A Schirokauer map is an application $\Lambda : (K_\ell)/(K_\ell)^\ell \to (\mathbb{Z}/\ell\mathbb{Z})^r$ such that
• $\Lambda(\gamma_1\gamma_2) = \Lambda(\gamma_1) + \Lambda(\gamma_2)$ ($\Lambda$ is linear);
• $\Lambda(U_f)$ is surjective ($\Lambda$ preserves the unit rank).
Schirokauer [Sch93] proposed a fast-to-evaluate map satisfying these conditions that we recall now. Let us define first an integer, that is the LCM of the exponents required to apply Fermat’s theorem in each residue fie... |

23 | The function field sieve is quite special - Joux, Lercier - 2002 |

22 | Polynomial selection for the number field sieve integer factorisation algorithm
- Murphy
- 1999
Citation Context ...at f and g have coefficients of size $Q^{1/8}$. For comparison, we compute the norms’ product: $E^{d+n}Q^{2/(d+1)}$. However, one might obtain a better norms product using the skewness notion introduced by Murphy [Mur99]. Without entering into details, we use as a lower bound for the norms product the quantity $E^{d+n}Q^{3/2(d+1)}$. Indeed, the coefficients of f have size $Q^{1/(d+1)}$ and the coefficients of g have size $Q^{1/(d+1)}$... |

21 | Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields - Joux - 2013 |

16 | Breaking 128-bit secure supersingular binary curves (or how to solve discrete logarithms in $\mathbb{F}_{2^{4 \cdot 1223}}$ and $\mathbb{F}_{2^{12 \cdot 367}}$), 2014. arXiv report 1402.3668 - Granger, Kleinjung, et al. |

11 |
Virtual logarithms
- Schirokauer
- 2005
Citation Context ... Taking the coordinates of the image of this map in the basis $1, X, \ldots, X^{\deg f - 1}$, we can expect to find r independent linear combinations of these coordinates. They then form a Schirokauer map. In [Sch05], Schirokauer gave heuristic arguments for the existence of such independent linear combinations; and in practice, in most of the cases, taking the r first coordinates is enough. From now on, we work ... |

7 | An algorithm to solve the discrete logarithm problem with the number field sieve - Commeine, Semaev - 2006 |

7 | Special units in real cyclic sextic fields - Gras - 1977 |

7 | Arithmetische Bestimmung von Grundeinheit und Klassenzahl in zyklischen kubischen und biquadratischen Zahlkörpern - Hasse |

6 |
The multiple number field sieve for medium and high characteristic finite fields. Cryptology ePrint Archive, Report 2014/147, 2014. Preprint available at http://eprint.iacr.org/, accepted for publication at ANTS
- Barbulescu, Pierrot
Citation Context ... however known that using more number fields can improve the complexity. For prime fields it has been done in [Mat03, CS06], while for large and medium characteristic, it has been recently studied in [BP14]. In all cases, the complexity remains of the form $L_Q(1/3, c)$, but the exponent constant c is improved: in the large characteristic case we have $c = \sqrt[3]{(92 + 26\sqrt{13})/27}$, like for prime fields, while... |

5 | Crible algébrique: Distribution, optimisation - number field sieve. http://cado-nfs.gforge.inria.fr - Bai, Filbois, et al. |

3 | Discrete logarithm problem in degree six finite fields - Zajac - 2008 |

2 | Discrete logarithms - Bouvier, Gaudry, et al. - 2014 |

2 | HT90 and “simplest” number fields
- Foster
Citation Context ...ible choices for $g_u$ and $g_v$ in degree 2, 3, 4 and 6, such that for any integer $\lambda$, $g_v + \lambda g_u$ has a simple explicit cyclic automorphism. The families for 3, 4 and 6 are taken from [Gra79, Gra87] (see also [Fos11] references for larger degrees). Table 4. Families of polynomials of degree 2, 3, 4 and 6 with cyclic Galois group. n coeffs of $g_v + a g_u$ $g_v$ $g_u$ automo... |

2 | Classes et unités des extensions cycliques réelles de degré 4 de Q - Gras - 1979 |

2 | An experiment of Number Field Sieve for discrete logarithm problem over GF (p12 - Hayasaka, Aoki, et al. - 2013 |

2 |
Improvements to the general number field for discrete logarithms in prime fields
- Joux, Lercier
Citation Context ...rd computation in a finite field of the form $\mathbb{F}_{p^2}$. Key tools for these results are two new methods for selecting the number fields; the first one is a generalization of the method by Joux and Lercier [JL03] and we call the second one the conjugation method. It turned out that both of them have practical and theoretical advantages. On the theoretical side, the norms that must be tested for smoothness dur... |

2 | On asymptotic complexity of computing discrete logarithms over GF(p - Matyukhin |

1 |
Yet another variant for DLP in the upper medium-prime case. Talk given during the DLP Workshop
- Barbulescu, Gaudry, et al.
- 2014
Citation Context ...exity given in [BP14] is also of the form $L_Q(1/3, c)$, where c varies between 16/9 and $\sqrt[3]{2^{13}/3^6}$ in a way that is non-monotonic with $c_p$. We also mention another variant of NFS that has been announced [BGK14] that seems to be better in some range of $c_p$, when using multiple number fields. In terms of practical record computations, the case of prime fields has been well studied, with frequent announcements ... |

1 | On the powers of 2, 2014. IACR Eprint report 2014/300 - Granger, Kleinjung, et al. |

1 |
An implementation of the Block-Wiedemann algorithm on NVIDIA-GPUs using the Residue Number System (RNS) arithmetic., 2014. Available from http://www.loria.fr/~hjeljeli
- Jeljeli
Citation Context ...age 83.6 non-zero entries per row. Thanks to our choice of f and g, it was not necessary to add columns with Schirokauer maps. We used Jeljeli’s implementation of Block Wiedemann’s algorithm for GPUs [Jel14]. In fact, this was a small enough computation so that we did not distribute it on several cards: we used a non-blocked version. The total running time for this step was around 30.3 hours on an NVidia... |

1 | Discrete logarithms in GF(p) — 130 digits, 2005. Announcement available at the NMBRTHRY archives, item 002869 - Joux, Lercier |

1 | et al. Algorithmes pour résoudre le problème du logarithme discret dans les corps finis. Nouvelles Méthodes Mathématiques en Cryptographie, volume Fascicule Journées Annuelles - Joux, Lercier - 2007 |

1 | Discrete logarithms in GF(2^6168) [=GF((2^257)^24)], 2013. Announcement available at the NMBRTHRY archives, item 004544 - Joux |

1 | Discrete logarithms in GF(p) — 160 digits, 2007. Announcement available at the NMBRTHRY archives, item 003269 - Kleinjung |