## Computation of discrete logarithms in $\mathbb{F}_{2^{607}}$

Venue: | In Advances in Cryptology (AsiaCrypt 2001), Springer LNCS 2248 |

Citations: | 1 - 0 self |

### BibTeX

@INPROCEEDINGS{Thomé_computationof,

author = {Emmanuel Thomé},

title = {Computation of discrete logarithms in $\mathbb{F}_{2^{607}}$},

booktitle = {In Advances in Cryptology (AsiaCrypt 2001), Springer LNCS 2248},

year = {2001},

pages = {107--124}

}

### Abstract

We describe in this article how we have been able to extend the record for computations of discrete logarithms in characteristic 2 from the previous record over $\mathbb{F}_{2^{503}}$ to a newer mark of $\mathbb{F}_{2^{607}}$, using Coppersmith’s algorithm. This has been made possible by several practical improvements to the algorithm. Although the computations have been carried out on fairly standard hardware, our opinion is that we are nearing the current limits of the manageable sizes for this algorithm, and that going substantially further will require deeper improvements to the method.

### Citations

2703 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...e difficulty of the factorization of large integers (for the RSA cryptosystem), and the difficulty of computing discrete logarithms in appropriate groups (for the Diffie-Hellman key exchange protocol [14], ElGamal cryptosystem [16], and ElGamal and Schnorr [38] signature schemes). Appropriate groups for discrete logarithm cryptosystems are multiplicative groups of finite fields, the group of points of... |

1110 |
A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- El-Gamal
- 1985
Citation Context ...zation of large integers (for the RSA cryptosystem), and the difficulty of computing discrete logarithms in appropriate groups (for the Diffie-Hellman key exchange protocol [14], ElGamal cryptosystem [16], and ElGamal and Schnorr [38] signature schemes). Appropriate groups for discrete logarithm cryptosystems are multiplicative groups of finite fields, the group of points of elliptic curves [26,33], a... |

692 |
Elliptic curve cryptosystems
- Koblitz
- 1987
Citation Context ...ystem [16], and ElGamal and Schnorr [38] signature schemes). Appropriate groups for discrete logarithm cryptosystems are multiplicative groups of finite fields, the group of points of elliptic curves [26,33], and also the jacobians of curves of higher genus [27,4,18]. The level of security reached by the use of these different groups varies a lot. Both the factorization of large numbers [29] and the comp... |

581 |
Efficient signature generation by smart cards
- Schnorr
- 1991
Citation Context ...the RSA cryptosystem), and the difficulty of computing discrete logarithms in appropriate groups (for the Diffie-Hellman key exchange protocol [14], ElGamal cryptosystem [16], and ElGamal and Schnorr [38] signature schemes). Appropriate groups for discrete logarithm cryptosystems are multiplicative groups of finite fields, the group of points of elliptic curves [26,33], and also the jacobians of curve... |

285 |
Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993
Citation Context ...ons on the security of some elliptic curves cryptosystems, where the discrete logarithm problem on the curve reduces to the discrete logarithm problem on (an extension of) the curve’s definition field [32,17]. This applies in particular to supersingular elliptic curves, where the MOV reduction [32] makes the discrete logarithm problem subexponential. This being said, the existence of a subexponential atta... |

284 |
Elliptic curve public key cryptosystems
- Menezes
- 1993
Citation Context ...ystem [16], and ElGamal and Schnorr [38] signature schemes). Appropriate groups for discrete logarithm cryptosystems are multiplicative groups of finite fields, the group of points of elliptic curves [26,33], and also the jacobians of curves of higher genus [27,4,18]. The level of security reached by the use of these different groups varies a lot. Both the factorization of large numbers [29] and the comp... |

201 |
A subexponential algorithm for discrete logarithms over all finite fields
- Adleman, DeMarrais
- 1993
Citation Context ...educible polynomials with degree less than a chosen bound b. It is known that B has roughly $2^{b+1}/b$ elements (see for instance [31]). Up to now, Coppersmith’s algorithm is very resemblant to Adleman’s [1,5,3], which computes discrete logarithms in any Galois field, no matter the characteristic (but with poorer complexity than Coppersmith’s). The key difference is in the production of linear relations. To ... |

189 |
A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves
- Frey, Rück
- 1994
Citation Context ...ons on the security of some elliptic curves cryptosystems, where the discrete logarithm problem on the curve reduces to the discrete logarithm problem on (an extension of) the curve’s definition field [32,17]. This applies in particular to supersingular elliptic curves, where the MOV reduction [32] makes the discrete logarithm problem subexponential. This being said, the existence of a subexponential atta... |

179 |
Solving sparse linear equations over finite fields
- Wiedemann
- 1986
Citation Context ...tually, this is a well studied subject, since sparse matrices arise in many domains. For the literature about sparse matrices coming from discrete logarithm or factorization problems, one can consult [37,43,12,34,25,28]. Two particularly annoying points are relevant to our case. Unlike linear system that arise from factorization problems, ours is defined over a big field, $\mathbb{Z}/(2^{607} - 1)\mathbb{Z}$. Second, unlike what happens w... |

145 |
Hyperelliptic cryptosystems
- Koblitz
- 1989
Citation Context ...). Appropriate groups for discrete logarithm cryptosystems are multiplicative groups of finite fields, the group of points of elliptic curves [26,33], and also the jacobians of curves of higher genus [27,4,18]. The level of security reached by the use of these different groups varies a lot. Both the factorization of large numbers [29] and the computation of discrete logarithms in finite fields [11,19,3] ca... |

126 |
The Development of the Number Field Sieve
- Lenstra, Lenstra
- 1993
Citation Context ...ic curves [26,33], and also the jacobians of curves of higher genus [27,4,18]. The level of security reached by the use of these different groups varies a lot. Both the factorization of large numbers [29] and the computation of discrete logarithms in finite fields [11,19,3] can be addressed in subexponential time. This in turn has implications on the security of some elliptic curves cryptosystems, whe... |

89 |
Fast evaluation of logarithms in fields of characteristic two
- Coppersmith
- 1984
Citation Context ...us [27,4,18]. The level of security reached by the use of these different groups varies a lot. Both the factorization of large numbers [29] and the computation of discrete logarithms in finite fields [11,19,3] can be addressed in subexponential time. This in turn has implications on the security of some elliptic curves cryptosystems, where the discrete logarithm problem on the curve reduces to the discrete... |

72 | Solving large sparse linear systems over finite fields
- LaMacchia, Odlyzko
- 1991
Citation Context ...tually, this is a well studied subject, since sparse matrices arise in many domains. For the literature about sparse matrices coming from discrete logarithm or factorization problems, one can consult [37,43,12,34,25,28]. Two particularly annoying points are relevant to our case. Unlike linear system that arise from factorization problems, ours is defined over a big field, $\mathbb{Z}/(2^{607} - 1)\mathbb{Z}$. Second, unlike what happens w... |

63 | Discrete Logarithms in GF(p) Using the Number Field Sieve
- Gordon
- 1993
Citation Context ...us [27,4,18]. The level of security reached by the use of these different groups varies a lot. Both the factorization of large numbers [29] and the computation of discrete logarithms in finite fields [11,19,3] can be addressed in subexponential time. This in turn has implications on the security of some elliptic curves cryptosystems, where the discrete logarithm problem on the curve reduces to the discrete... |

57 |
Analysis of Coppersmith’s block Wiedemann algorithm for the parallel solution of sparse linear systems
- Kaltofen
- 1995
Citation Context ...plexity of this task from $O(N^2)$ to $O(N \log^2 N)$, achieving a 50 times speedup for the computation undertaken here. The block Wiedemann algorithm performs well both theoretically and in practice. See [40,41,24,25,39] for several insights on the algorithm. The block Wiedemann algorithm is interesting in the fact that at least for one part of the algorithm, several machines holding a private copy of th... |

43 |
Factoring with two large primes
- Lenstra, Manasse
- 1991
Citation Context ...relations containing an already met large prime. The number of full relations reconstructed this way grows quadratically vs. the number of partial relations. When up to two large primes are used (see [30]), an algorithm resembling “union-find” helps to find cycles: relation after relation, we build a graph whose vertices are the large primes. An edge connects two vertices if a partial relation exists... |

37 | Arithmetic on super-elliptic curves
- Galbraith, Paulus, et al.
- 1998
Citation Context ...). Appropriate groups for discrete logarithm cryptosystems are multiplicative groups of finite fields, the group of points of elliptic curves [26,33], and also the jacobians of curves of higher genus [27,4,18]. The level of security reached by the use of these different groups varies a lot. Both the factorization of large numbers [29] and the computation of discrete logarithms in finite fields [11,19,3] ca... |

37 |
Further analysis of Coppersmith’s block Wiedemann algorithm for the solution of sparse linear systems
- Villard
- 1997
Citation Context ...plexity of this task from $O(N^2)$ to $O(N \log^2 N)$, achieving a 50 times speedup for the computation undertaken here. The block Wiedemann algorithm performs well both theoretically and in practice. See [40,41,24,25,39] for several insights on the algorithm. The block Wiedemann algorithm is interesting in the fact that at least for one part of the algorithm, several machines holding a private copy of th... |

32 | Factorization of a 512-bit RSA Modulus
- Cavallar, Dodson, et al.
- 2000
Citation Context ...ile a tremendous amount of work (and CPU time) has been put towards the factorization of larger and larger numbers (S. Cavallar et al. used the Number Field Sieve to factor numbers as big as 512 bits [6, 9], and even up to 774 bits numbers of a special form [7]), the computation of discrete logarithms in finite fields does C. Boyd (Ed.): ASIACRYPT 2001, LNCS 2248, pp 107–124, 2001. © Springer-Verlag Be... |

26 | Massively parallel computation of discrete logarithms
- Gordon, McCurley
- 1993
Citation Context ... so frequently. For prime fields, a recent work by Joux and Lercier [22] computed logarithms in $\mathbb{F}_p$ with p having 120 decimal digits, i.e. 399 bits. For fields of characteristic 2, Gordon and McCurley [20] almost ⋆ computed logarithms in $\mathbb{F}_{2^{503}}$, but that was back in 1993. This makes it hard, today, to make a reasonable guess on how difficult a characteristic 2 finite field discrete logarithm problem a... |

26 | Distributed matrix-free solution of large sparse linear systems over finite fields
- Kaltofen, Lobo
- 1996
Citation Context ...tually, this is a well studied subject, since sparse matrices arise in many domains. For the literature about sparse matrices coming from discrete logarithm or factorization problems, one can consult [37,43,12,34,25,28]. Two particularly annoying points are relevant to our case. Unlike linear system that arise from factorization problems, ours is defined over a big field, $\mathbb{Z}/(2^{607} - 1)\mathbb{Z}$. Second, unlike what happens w... |

24 |
The solution of McCurley’s discrete log challenge
- Weber, Denny
- 1998
Citation Context ... (which is extremely sparse) and tries to remove lines and columns without increasing (if at all) the matrix density. We modified the original process described in [37] in the spirit of what is done in [42]: we evaluate, at each step, the influence of each possible operation to the cost of the linear system solving algorithm that follows the SGE. The better steps towards the reduction of the linear alge... |

23 |
The function field sieve
- Adleman
- 1994
Citation Context ...cted to be finished by the beginning of the autumn 2001. As a very last-minute news, Joux and Lercier [23] appear to have computed logarithms in $\mathbb{F}_{2^{521}}$, using the general function field sieve approach [2]. This approach is fairly different from the one adopted here, and is not addressed in this paper. However, the result presented by [23] is highly encouraging. 2 Coppersmith’s Algorithm Throughout thi... |

23 | NFS with Four Large Primes: An Explosive Experiment, draft manuscript
- Dodson, Lenstra
Citation Context ...ing a graph with more than $10^8$ edges among $2 \cdot 10^9$ vertices can turn out to be quite awkward. More elaborate schemes allow the processing of partial relations with more large primes, see for instance [15]. Recently, in the course of the record-breaking factorization of RSA-155, S. Cavallar proposed in [8] an efficient scheme for this large prime matching task, inspired by structured gaussian eliminati... |

23 | A study of Coppersmith’s block Wiedemann algorithm using matrix polynomials
- Villard
- 1997
Citation Context ...plexity of this task from $O(N^2)$ to $O(N \log^2 N)$, achieving a 50 times speedup for the computation undertaken here. The block Wiedemann algorithm performs well both theoretically and in practice. See [40,41,24,25,39] for several insights on the algorithm. The block Wiedemann algorithm is interesting in the fact that at least for one part of the algorithm, several machines holding a private copy of th... |

22 |
Reduction of huge, sparse matrices over finite fields via created catastrophes
- Pomerance, Smith
- 1992
Citation Context ... in the course of the record-breaking factorization of RSA-155, S. Cavallar proposed in [8] an efficient scheme for this large prime matching task, inspired by structured gaussian elimination like in [37]. We lacked the required time to investigate the respective efficiency of all of these different strategies when applied to our case. This is a real concern here, because while the multilarge-prime sc... |

21 |
The GNU multiple precision arithmetic library. http://gmplib.org
- GMP
Citation Context ...n successfully attacked using computational means comparable to ours. Acknowledgements. Our program has been written in C, using the ZEN computer algebra package [10] and the GMP package [21] for multiprecision integer arithmetic. CPU time has been (and is being) provided by several institutions. Three units at École polytechnique, Palaiseau, France, provided most of the sieving time: the ... |

19 | Computing logarithms in finite fields of characteristic two - Blake, Fuji-Hara, et al. - 1984 |

15 | Computation of linear generators for matrix sequences and application to the block Wiedemann algorithm
- Thomé
Citation Context ...ck Lanczos algorithm [34], is often preferred to the block Wiedemann algorithm. We used the latter because it gave us an opportunity to successfully experiment the accelerating procedure described in [39]: the crux of the block Wiedemann algorithm is the computation of a linear generator for a matrix sequence (a matrix analogue to the Berlekamp-Massey algorithm), and [39] uses FFT to reduce the comple... |

13 | Strategies in Filtering in the Number Field Sieve
- Cavallar
Citation Context ...orate schemes allow the processing of partial relations with more large primes, see for instance [15]. Recently, in the course of the record-breaking factorization of RSA-155, S. Cavallar proposed in [8] an efficient scheme for this large prime matching task, inspired by structured gaussian elimination like in [37]. We lacked the required time to investigate the respective efficiency of all of these ... |

12 |
A new efficient factorization algorithm for polynomials over small finite fields
- Niederreiter
- 1993
Citation Context ...ctorization algorithm (in any case, if we did remove some of the factors by trial division, the cofactor would have still had to be factorized via such an algorithm). We used Niederreiter’s algorithm [35], which proved four times faster than a classical distinct degree factorization procedure. The explanation of this lies of course in the small degree of our polynomials, and in the fact that we work o... |

11 |
et al, Factorization of a 512-bit RSA modulus
- Cavallar
Citation Context ...hile a tremendous amount of work (and CPU time) has been put towards the factorization of larger and larger numbers (S. Cavallar et al. used the Number Field Sieve to factor numbers as big as 512 bits [6,9], and even up to 774 bits numbers of a special form [7]), the computation of discrete logarithms in finite fields does... |

10 |
Solving linear equations over GF(2) via block Wiedemann algorithm
- Coppersmith
- 1994

8 |
Finite Fields. Number 20 in Encyclopedia of Mathematics and its Applications
- Lidl, Niederreiter
- 1997
Citation Context ...original article [11] for reference. The factor base B consists of all irreducible polynomials with degree less than a chosen bound b. It is known that B has roughly $2^{b+1}/b$ elements (see for instance [31]). Up to now, Coppersmith’s algorithm is very resemblant to Adleman’s [1,5,3], which computes discrete logarithms in any Galois field, no matter the characteristic (but with poorer complexity than Co... |

7 | On the reduction of composed relations from the number field sieve. Extended Abstract - Denny, Müller - 1995 |

7 | Algorithms for computations in Jacobians of Cab curve and their application to discrete-log-based public key cryptosystems - Arita |

5 |
ZEN: A toolbox for fast computation in finite extension over finite rings, http://zenfact.sourceforge.net
- Chabaud, Lercier
Citation Context ... RSA-512 schemes have been successfully attacked using computational means comparable to ours. Acknowledgements. Our program has been written in C, using the ZEN computer algebra package [10] and the GMP package [21] for multiprecision integer arithmetic. CPU time has been (and is being) provided by several institutions. Three units at École polytechnique, Palaiseau, France, provided most ... |

3 |
233-digit SNFS factorization. Available online at ftp://ftp.cwi.nl/pub/herman/SNFSrecords/SNFS-233
- CABAL
- 2000
Citation Context ...ut towards the factorization of larger and larger numbers (S. Cavallar et al. used the Number Field Sieve to factor numbers as big as 512 bits [6,9], and even up to 774 bits numbers of a special form [7]), the computation of discrete logarithms in finite fields does not seem to looked a... |

3 |
Discrete logarithms in GF(p) (120 decimal digits), available from http://listserv.nodak.edu/archives/nmbrthry.html
- Joux, Lercier
- 2001
Citation Context ... not seem to looked at so frequently. For prime fields, a recent work by Joux and Lercier [22] computed logarithms in $\mathbb{F}_p$ with p having 120 decimal digits, i.e. 399 bits. For fields of characteristic 2, Gordon and McCurley [20] almost ⋆ computed logarithms in $\mathbb{F}_{2^{503}}$, but that was back in 1993.... |

3 |
233-digit SNFS factorization. Available at ftp://ftp.cwi.nl/pub/herman/SNFSrecords/SNFS-233
- CABAL
- 2000
Citation Context ...t towards the factorization of larger and larger numbers (S. Cavallar et al. used the Number Field Sieve to factor numbers as big as 512 bits [6, 9], and even up to 774 bits numbers of a special form [7]), the computation of discrete logarithms in finite fields does not seem to loo... |

2 | 1st Algorithmic Number Theory Symposium - Proc - 1994 |

2 |
New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...e difficulty of the factorization of large integers (for the RSA cryptosystem), and the difficulty of computing discrete logarithms in appropriate groups (for the Diffie-Hellman key exchange protocol [14], ElGamal cryptosystem [16], and ElGamal and Schnorr [38] signature schemes). Appropriate groups for discrete logarithm cryptosystems are multiplicative groups of finite fields, the group of points of... |

2 |
Discrete logarithms in GF(2^n) (521 bits). Email to the NMBRTHRY mailing list; available at http://listserv.nodak.edu/archives/nmbrthry.html
- Joux, Lercier
- 2001
Citation Context ..., and the linear algebra is underway. The computation of the solution to the linear system is expected to be finished by the beginning of the autumn 2001. As a very last-minute news, Joux and Lercier [23] appear to have computed logarithms in $\mathbb{F}_{2^{521}}$, using the general function field sieve approach [2]. This approach is fairly different from the one adopted here, and is not addressed in this paper. Howe... |

1 |
Algorithms for computations in Jacobians of Cab curve and their application to discrete-log-based public key cryptosystems
- Arita
- 1999
Citation Context ...). Appropriate groups for discrete logarithm cryptosystems are multiplicative groups of finite fields, the group of points of elliptic curves [26,33], and also the jacobians of curves of higher genus [27,4,18]. The level of security reached by the use of these different groups varies a lot. Both the factorization of large numbers [29] and the computation of discrete logarithms in finite fields [11,19,3] ca... |

1 |
Computing logarithms in finite fields of characteristic two
- Blake, Fuji-Hara, et al.
Citation Context ...educible polynomials with degree less than a chosen bound b. It is known that B has roughly $2^{b+1}/b$ elements (see for instance [31]). Up to now, Coppersmith’s algorithm is very resemblant to Adleman’s [1,5,3], which computes discrete logarithms in any Galois field, no matter the characteristic (but with poorer complexity than Coppersmith’s). The key difference is in the production of linear relations. To ... |

1 |
Factorization of RSA-140 using the number field sieve. Available online at ftp://ftp.cwi.nl/pub/herman/NFSrecords/RSA-140
- CABAL
- 1999
Citation Context ...hile a tremendous amount of work (and CPU time) has been put towards the factorization of larger and larger numbers (S. Cavallar et al. used the Number Field Sieve to factor numbers as big as 512 bits [6,9], and even up to 774 bits numbers of a special form [7]), the computation of discrete logarithms in finite fields does... |

1 |
A block Lanczos algorithm for finding dependencies over GF(2)
- Montgomery
- 1995

1 | Discrete logarithms in finite fields and their cryptographic significance - Odlyzko - 1985 |