Results 1 
7 of
7
WEAKNESS OF F36·509 FOR DISCRETE LOGARITHM CRYPTOGRAPHY
"... new algorithms for computing discrete logarithms in finite fields of small and medium characteristic. We show that these new algorithms render the finite field F36·509 = F33054 weak for discrete logarithm cryptography in the sense that discrete logarithms in this field can be computed significantly ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
(Show Context)
new algorithms for computing discrete logarithms in finite fields of small and medium characteristic. We show that these new algorithms render the finite field F36·509 = F33054 weak for discrete logarithm cryptography in the sense that discrete logarithms in this field can be computed significantly faster than with the previous fastest algorithms. Our concrete analysis shows that the supersingular elliptic curve over F3509 with embedding degree 6 that had been considered for implementing pairingbased cryptosystems at the 128bit security level in fact provides only a significantly lower level of security. Our work provides a convenient framework and tools for performing a concrete analysis of the new discrete logarithm algorithms and their variants. 1.
Weakness of F36·1429 and F24·3041 for discrete logarithm cryptography”, available at http://eprint.iacr.org/2013/737
"... Abstract. In 2013, Joux and then Barbulescu et al. presented new algorithms for computing discrete logarithms in finite fields of small characteristic. Shortly thereafter, Adj et al. presented a concrete analysis showing that, when combined with some steps from classical algorithms, the new algorith ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
(Show Context)
Abstract. In 2013, Joux and then Barbulescu et al. presented new algorithms for computing discrete logarithms in finite fields of small characteristic. Shortly thereafter, Adj et al. presented a concrete analysis showing that, when combined with some steps from classical algorithms, the new algorithms render the finite field F36·509 weak for pairingbased cryptography. Granger and Zumbrägel then presented a modification of the new algorithms that extends their effectiveness to a wider range of fields. In this paper, we study the effectiveness of the new algorithms combined with a carefully crafted descent strategy for the fields F36·1429 and F24·3041. The intractability of the discrete logarithm problem in these fields is necessary for the security of pairings derived from supersingular curves with embedding degree 6 and 4 defined, respectively, over F31429 and F23041; these curves were believed to enjoy a security level of 192 bits against attacks by Coppersmith’s algorithm. Our analysis shows that these pairings offer security levels of at most 96 and 129 bits, respectively, leading us to conclude that they are dead for pairingbased cryptography. 1.
Discrete logarithm in GF(2 809) with FFS The CARAMEL group
, 2013
"... We give details on solving the discrete logarithm problem in the 202bit prime order subgroup ..."
Abstract
 Add to MetaCart
(Show Context)
We give details on solving the discrete logarithm problem in the 202bit prime order subgroup
Resolution of Linear Algebra for the Discrete Logarithm Problem using GPU and Multicore Architectures
"... ar ..."
(Show Context)
Generating Optimized Sparse Matrix Vector Product over Finite Fields
"... Abstract. Sparse Matrix Vector multiplication (SpMV) is one of the most important operation for exact sparse linear algebra. A lot of research has been done by the numerical community to provide efficient sparse matrix formats. However, when computing over finite fields, one need to deal with multi ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. Sparse Matrix Vector multiplication (SpMV) is one of the most important operation for exact sparse linear algebra. A lot of research has been done by the numerical community to provide efficient sparse matrix formats. However, when computing over finite fields, one need to deal with multiprecision values and more complex operations. In order to provide highly efficient SpMV kernel over finite field, we propose a code generation tool that uses heuristics to automatically choose the underlying matrix representation and the corresponding arithmetic.
FFS Factory: Adapting Coppersmith’s “Factorization Factory” to the Function Field Sieve
"... Abstract. In 1993, Coppersmith introduced the “factorization factory” approach as a means to speed up the Number Field Sieve algorithm (NFS) when factoring batches of integers of similar size: at the expense of a large precomputation whose cost is amortized when considering sufficiently many intege ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. In 1993, Coppersmith introduced the “factorization factory” approach as a means to speed up the Number Field Sieve algorithm (NFS) when factoring batches of integers of similar size: at the expense of a large precomputation whose cost is amortized when considering sufficiently many integers to factor, the complexity of each individual factorization can then be lowered. We suggest here to extend this idea to the computation of discrete logarithms in finite fields of small characteristic using the Function Field Sieve (FFS), thus referring to this approach as the “FFS factory”. In this paper, the benefits of the proposed technique are established thanks to both a theoretical complexity analysis along with a practical experiment in which we solved the discrete logarithm problem in fifty different binary fields of sizes ranging from 601 to 699 bits.
INDEX CALCULUS IN THE TRACE ZERO VARIETY
"... Abstract. We discuss how to apply Gaudry’s index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is co ..."
Abstract
 Add to MetaCart
Abstract. We discuss how to apply Gaudry’s index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1.