DOCSLIB.ORG

Improvements in Computing Discrete Logarithms in Finite Fields

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Improvements in Computing Discrete Logarithms in Finite Fields ISSN (Print): 2476-8316 ISSN (Online): 2635-3490 Dutse Journal of Pure and Applied Sciences (DUJOPAS), Vol. 5 No. 1a June 2019 Improvements in Computing Discrete Logarithms in Finite Fields 1*Ali Maianguwa Shuaibu, 2Sunday Babuba & 3James Andrawus 1, 2,3 Department of Mathematics, Federal University Dutse, Jigawa State Email: [email protected] Abstract The discrete logarithm problem forms the basis of numerous cryptographic systems. The most efficient attack on the discrete logarithm problem in the multiplicative group of a finite field is via the index calculus. In this paper, we examined a non-generic algorithm that uses index calculus. If α is a generator × × for 퐹푝 then the discrete logarithm of 훽 ∈ 퐹푝 with respect to 훼 is also called the index of 훽 (with respect to 훼), whence the term index calculus. This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard 푝 − 1method and the elliptic curve method. In conclusion, we suggest improved elliptic curve as well as hyperelliptic curve cryptography methods as fertile ground for further research. Keywords: Elliptic curve, Index calculus, Multiplicative group, Smooth numbers Introduction 푥 It is known that the logarithm 푙표푔푏 푎 is a number x such that 푏 = 푎, for given numbers a and b. Similarly, in any group G, powers 푏푘 can be defined for all integers 푘, and 푘 the discrete logarithm푙표푔푏 푎 is an integer k such that 푏 = 푎. In number theory,푥 = 푥 푖푛푑푟푎(푚표푑 푚) is read as the index of 푎 to the base r modulo m which is equivalent to 푟 = 푎(푚표푑 푚) if r is the primitive root of m and greatest common divisor, 푔푐푑( 푎, 푚) = 1. Discrete logarithms are easily computable in some special cases. However, no efficient method is known for computing them in general. Several important algorithms in public-key cryptography base their security on the assumption that the discrete logarithm problem over carefully chosen groups has no efficient solution. × One of the simplest settings for discrete logarithms is the group(훧푝) . This is the group of multiplication modulo the prime 푝. Its elements are congruence classes modulo p, and the group product of two elements may be obtained by ordinary integer multiplication of the elements followed by reduction modulo p. *Author for Correspondence Shuaibu A. M., Babuba S., Andrawus J., DUJOPAS 5 (1a): 225-234, 2019 225 Improvements in Computing Discrete Logarithms in Finite Fields The 푘th power of one of the numbers in this group may be computed by finding its kth power as an integer and then finding the remainder after division by p. When the numbers involved are large, it is more efficient to reduce modulo p multiple times during the computation. Regardless of the specific algorithm used, this operation is called modular exponentiation. For example, consider (Z17)×. To compute 34 in this group, compute 34 = 81, and then divide 81 by 17, obtaining a remainder of 13. Thus 34 = 13 in the group (Z17)×. The discrete logarithm is just the inverse operation. For example, consider the equation 3k ≡ 13 (mod 17) for k. From the example above, one solution is k = 4, but it is not the only solution. Since by Fermat’s little theorem 316 ≡ 1 (mod 17), it also follows that if n is an integer then 34+16n ≡ 34 × (316)n ≡ 13 × 1n ≡ 13 (mod 17). Hence the equation has infinitely many solutions of the form 4 + 16n. Moreover, because 16 is the smallest positive integer m satisfying 3m ≡ 1 (mod 17), these are the only solutions. Equivalently, the set of all possible solutions can be expressed by the constraint that k ≡ 4 (mod 16). The discrete logarithm problem is considered to be computationally intractable. That is, no efficient classical algorithm is known for computing discrete logarithms in general. A general algorithm for computing 푙표푔푏 푎 in finite groups G is to raise b to larger and larger powers k until the desired 푎 is found. This algorithm is referred to as trial multiplication. It requires running time linear in the size of the group G and thus exponential in the number of digits in the size of the group. Therefore, it is an exponential-time algorithm, practical only for small groups G. More sophisticated algorithms exist, usually inspired by similar algorithms for integer factorization. These algorithms run faster than the naïve algorithm, some of them linear in the square root of the size of the group, and thus exponential in half the number of digits in the size of the group. However, none of them run in polynomial time in consideration of the number of digits in the size of the group. In the following sections, Index calculus, Pollard 푝 − 1 and elliptic curve factorization methods for computing discrete logarithms are critically examined. Index calculus Index calculus is a method for computing discrete logarithms in the multiplicative group of a finite field. It might not seem directly relevant to the elliptic curve discrete logarithm problem, but when we discuss pairing-based cryptography, these two problems are easily unrelated (Sutherland, 2017). Moreover, the same approach can be applied to elliptic curves over nonprime finite fields, as well as abelian varieties of higher dimension (Enge, 2008; Gaudry, 2009). Here, our attention is restricted to the simplest case which involve a finite field of prime order 푝. Let us consider퐹푃 ≃ ℤ/ 푝 ℤ with our usual choice of representatives for ℤ/ 푝 ℤ, integers in the interval [0, 푁], with 푁 = 푝 − 1. This simple statement is precisely what will allow us to do something that a generic algorithm cannot. It enables us lift elements of 퐹푝 ≃ ℤ/ 푝 ℤ to the ring ℤ and consider their prime factorizations, something that makes no sense in a multiplicative group in which every element is a unit, and is not available to a generic algorithm. The reduction map ℤ → ℤ/ 푝 ℤ allows us to use these prime factorizations to obtain × relations between the discrete logarithms of various elements of 퐹푝 . × Let us fix a generator 훼 for 퐹푝 , and let 훽 ∈ ⟨훼⟩ be the element whose discrete logarithm we wish to compute. For any integer 푒, we may consider the prime factorization of the integer 푒 −1 훼 훽 ∈ [1, 푁] ⊆ ℤ. When 푒 = 푙표푔훼 훽 this prime factorization will be trivial, but in general it gives 푒푖 푒 −1 ∏ 푝푖 = 훼 훽 (2) Shuaibu A. M., Babuba S., Andrawus J., DUJOPAS 5 (1a): 225-234 2019 226 Improvements in Computing Discrete Logarithms in Finite Fields where the 푝푖 vary over primes and the exponents 푒푖 are nonnegative integers. Multiplying both sides by β and taking discrete logarithms with respect to α yields ∑ 푒푖 푙표푔훼 푝푖 + 푙표푔훼 훽 = 푒 (3) which determines 푙표푔훼 훽 as a linear expression in the discrete logarithms푙표푔훼 푝푖. Note that × × the푝푖are viewed both as primes in ℤ and elements of 퐹푝 ≃ (ℤ/ 푝 ℤ) ). This does not immediately give us the desired result, since we do not know the values of 푙표푔훼 푝푖. However, if we repeat this procedure using many different values of 푒, we may obtain a system of linear equations that we can then solve for 푙표푔훼 훽. In order to make this feasible, we need to restrict the set of primes 푝푖 that we are going to work with. Thus, we fix a smoothness bound, say B, and define the factor base 푃퐵 = {푝: 푝 ≤ 퐵 푖푠 푝푟푖푚푒 {}{푝1, 푝2, . , 푝푏}}, (4) where 푏 = 휋(퐵) is the number of primes up to B (of which there are approximately 퐵/ 푙표푔 퐵, by the prime number theorem). Not all choices of 푒 will yield an integer 훼푒퐵−1 ∈ [1, 푁] ⊆ ℤ that we can write as a product of primes in our factor base 푃퐵, in fact most would not. But some choices will work, and for those that do we obtain a linear equation of the form 푒1 푙표푔훼 푝1 + 푒2 푙표푔훼 푝2 +. +푒푏 푙표푔훼 푝푏 = 푒, (5) Many of the 푒푖 may be zero. We do not yet know any of the discrete logarithms on the left hand side, but we can view 푒1푥1 + 푒2푥2+. +푒푏푥푏 + 푥푏+1 = 푒 (6) as a linear equation in 푏 + 1variables 푥1, 푥2, . , 푥푏+1 over the ring ℤ/ 푁 ℤ. This equation has a solution, namely,푥푖 = 푙표푔훼 푝푖, for1 ≤ 푖 ≤ 푏, and 푥푏+1 = 푙표푔훼 훽. If we collect 푏 + 1 such equations by choosing random values of 푒and discarding those for which 훼푒훽−1 is not B- smooth, the resulting linear system may determine a unique value 푥푏+1, which represent the discrete logarithm we wish to compute. This system will typically be under-determined; indeed, some variables 푥푖 may not appear in any of our equations. But it is quite likely that the value of 푥푏+1, which is present in every equation, will be uniquely determined. We will not attempt to prove this, because to give a rigorous proof one really needs more than 푏 + 1 equations, say, on the order of 푏 푙표푔 푏, but it is empirically true (Sutherland, 2017). Sutherland (2017) suggests the following algorithm to compute 푙표푔훼 훽. Algorithm 1 (Index calculus in a prime field 퐹푝). 1. Pick a smoothness bound B and construct the factor base 푃퐵 = {푝1, 푝2, . , 푝푏}. 2. Generate 푏 + 1 random relations 푅푖 = (푒푖,1, 푒푖,2, . , 푒푖,푏, 1, 푒푖) by picking 푒 ∈ [1, 푁] at 푒 −1 random and attempting to factor 훼 훽 ∈ [1, 푁] over the factor base 푃퐵.
Load more

Recommended publications
  • The Index Calculus Method Using Non-Smooth Polynomials
    MATHEMATICS OF COMPUTATION Volume 70, Number 235, Pages 1253{1264 S 0025-5718(01)01298-4 Article electronically published on March 7, 2001 THE INDEX CALCULUS METHOD USING NON-SMOOTH POLYNOMIALS THEODOULOS GAREFALAKIS AND DANIEL PANARIO Abstract. We study a generalized version of the index calculus method for n the discrete logarithm problem in Fq ,whenq = p , p is a small prime and n !1. The database consists of the logarithms of all irreducible polynomials of degree between given bounds; the original version of the algorithm uses lower bound equal to one. We show theoretically that the algorithm has the same asymptotic running time as the original version. The analysis shows that the best upper limit for the interval coincides with the one for the original version. The lower limit for the interval remains a free variable of the process. We provide experimental results that indicate practical values for that bound. We also give heuristic arguments for the running time of the Waterloo variant and of the Coppersmith method with our generalized database. 1. Introduction Let G denote a group written multiplicatively and hgi the cyclic subgroup gen- erated by g 2 G.Giveng and y 2hgi,thediscrete logarithm problem for G is to find the smallest integer x such that y = gx.Theintegerx is called the discrete logarithm of y in the base g, and is written x =logg y. The main reason for the intense current interest on the discrete logarithm prob- lem (apart from being interesting on a purely mathematical level) is that the se- curity of many public-key cryptosystems depends on the assumption that finding discrete logarithms is hard, at least for certain groups.
    [Show full text]
  • Index Calculus in the Trace Zero Variety 3
    INDEX CALCULUS IN THE TRACE ZERO VARIETY ELISA GORLA AND MAIKE MASSIERER Abstract. We discuss how to apply Gaudry’s index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1. Introduction Given an elliptic curve E defined over a finite field Fq, consider the group E(Fqn ) of rational points over a field extension of prime degree n. Since E is defined over Fq, the group E(Fqn ) contains the subgroup E(Fq) of Fq-rational points of E. Moreover, it contains the subgroup Tn of − points P E(F n ) whose trace P + ϕ(P )+ ... + ϕn 1(P ) is zero, where ϕ denotes the Frobenius ∈ q homomorphism on E. The group Tn is called the trace zero subgroup of E(Fqn ), and it is the group of Fq-rational points of the trace zero variety relative to the field extension Fqn Fq. In this paper, we study the hardness of the DLP in the trace zero variety. Our| interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02, RS09] and by Avanzi and Cesena in [AC07, Ces10]. Ideally, in pairing-based proto- F∗ cols the embedding degree k is such that the DLP in Tn and in qkn have the same complexity.
    [Show full text]
  • Integer Factorization and Computing Discrete Logarithms in Maple
    Integer Factorization and Computing Discrete Logarithms in Maple Aaron Bradford∗, Michael Monagan∗, Colin Percival∗ [email protected], [email protected], [email protected] Department of Mathematics, Simon Fraser University, Burnaby, B.C., V5A 1S6, Canada. 1 Introduction As part of our MITACS research project at Simon Fraser University, we have investigated algorithms for integer factorization and computing discrete logarithms. We have implemented a quadratic sieve algorithm for integer factorization in Maple to replace Maple's implementation of the Morrison- Brillhart continued fraction algorithm which was done by Gaston Gonnet in the early 1980's. We have also implemented an indexed calculus algorithm for discrete logarithms in GF(q) to replace Maple's implementation of Shanks' baby-step giant-step algorithm, also done by Gaston Gonnet in the early 1980's. In this paper we describe the algorithms and our optimizations made to them. We give some details of our Maple implementations and present some initial timings. Since Maple is an interpreted language, see [7], there is room for improvement of both implementations by coding critical parts of the algorithms in C. For example, one of the bottle-necks of the indexed calculus algorithm is finding and integers which are B-smooth. Let B be a set of primes. A positive integer y is said to be B-smooth if its prime divisors are all in B. Typically B might be the first 200 primes and y might be a 50 bit integer. ∗This work was supported by the MITACS NCE of Canada. 1 2 Integer Factorization Starting from some very simple instructions | \make integer factorization faster in Maple" | we have implemented the Quadratic Sieve factoring al- gorithm in a combination of Maple and C (which is accessed via Maple's capabilities for external linking).
    [Show full text]
  • INDEX CALCULUS in the TRACE ZERO VARIETY 1. Introduction
    INDEX CALCULUS IN THE TRACE ZERO VARIETY ELISA GORLA AND MAIKE MASSIERER Abstract. We discuss how to apply Gaudry's index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1. Introduction Given an elliptic curve E defined over a finite field Fq, consider the group E(Fqn ) of rational points over a field extension of prime degree n. Since E is defined over Fq, the group E(Fqn ) contains the subgroup E(Fq) of Fq-rational points of E. Moreover, it contains the subgroup Tn of n−1 points P 2 E(Fqn ) whose trace P + '(P ) + ::: + ' (P ) is zero, where ' denotes the Frobenius homomorphism on E. The group Tn is called the trace zero subgroup of E(Fqn ), and it is the group of Fq-rational points of the trace zero variety relative to the field extension Fqn jFq. In this paper, we study the hardness of the DLP in the trace zero variety. Our interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02, RS09] and by Avanzi and Cesena in [AC07, Ces10]. Ideally, in pairing-based proto- ∗ cols the embedding degree k is such that the DLP in Tn and in Fqkn have the same complexity.
    [Show full text]
  • The Past, Evolving Present and Future of Discrete Logarithm
    The Past, evolving Present and Future of Discrete Logarithm Antoine Joux, Andrew Odlyzko and Cécile Pierrot Abstract The first practical public key cryptosystem ever published, the Diffie-Hellman key exchange algorithm, relies for its security on the assumption that discrete logarithms are hard to compute. This intractability hypothesis is also the foundation for the security of a large variety of other public key systems and protocols. Since the introduction of the Diffie-Hellman key exchange more than three decades ago, there have been substantial algorithmic advances in the computation of discrete logarithms. However, in general the discrete logarithm problem is still considered to be hard. In particular, this is the case for the multiplicative group of finite fields with medium to large characteristic and for the additive group of a general elliptic curve. This paper presents a current survey of the state of the art concerning discrete logarithms and their computation. 1 Introduction 1.1 The Discrete Logarithm Problem Many popular public key cryptosystems are based on discrete exponentiation. If G is a multi- plicative group, such as the group of invertible elements in a finite field or the group of points on an elliptic curve, and g is an element of G, then gx is the discrete exponentiation of base g to the power x. This operation shares basic properties with ordinary exponentiation, for example gx+y = gx · gy. The inverse operation is, given h in G, to determine a value of x, if it exists, such that h = gx. Such a number x is called a discrete logarithm of h to the base g, since it shares many properties with the ordinary logarithm.
    [Show full text]
  • Cover and Decomposition Index Calculus on Elliptic Curves Made Practical
    Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over Fp6 Antoine Joux1 and Vanessa Vitse2 1 DGA and Universit´ede Versailles Saint-Quentin, Laboratoire PRISM, 45 avenue des Etats-Unis,´ F-78035 Versailles cedex, France [email protected] 2 Universit´ede Versailles Saint-Quentin, Laboratoire PRISM, 45 avenue des Etats-Unis,´ F-78035 Versailles cedex, France [email protected] Abstract. We present a new \cover and decomposition" attack on the elliptic curve discrete logarithm problem, that combines Weil descent and decomposition-based index calculus into a single discrete logarithm algorithm. This attack applies, at least theoretically, to all composite degree extension fields, and is particularly well-suited for curves defined 3 over Fp6 . We give a real-size example of discrete logarithm computations on a curve over a 151-bit degree 6 extension field, which would not have been practically attackable using previously known algorithms. Key words: elliptic curve, discrete logarithm, index calculus, Weil descent, decomposition attack 1 Introduction Elliptic curves are used in cryptography to provide groups where the discrete logarithm problem is thought to be difficult. We recall that given a finite group G (written additively) and two elements P; Q 2 G, the discrete logarithm problem (DLP) consists in computing, when it exists, an integer x such that Q = xP . When elliptic curves are used in cryptographic applications, the DLP is usually considered to be as difficult as in a generic group of the same size [31]. As a consequence, for a given security level, the key size is much smaller than for other popular cryptosystems based on factorization or discrete logarithms in finite fields.
    [Show full text]
  • RSA, Integer Factorization, Diffie–Hellman, Discrete Logarithm
    RSA, integer factorization, Diffie–Hellman, discrete logarithm computation Aurore Guillevic Inria Nancy, France November 12, 2020 1/71 Aurore Guillevic [email protected] • L1-L2 at Université de Bretagne Sud, Lorient (2005–2007) • L3 Vannes (2007–2008) • M1-M2 maths and cryptography at Université de Rennes 1 (2008–2010) • internship and PhD at Thales Communication, Gennevilliers (92) • post-doc at Inria Saclay (2 years) and Calgary (Canada, 1 year) • researcher in cryptography at Inria Nancy since November 2016 • adjunct assistant professor at Polytechnique (2017–2020) 2/71 Outline Preliminaries RSA, and integer factorization problem Naive methods Quadratic sieve Number Field Sieve Bad randomness: gcd, Coppersmith attacks Diffie-Hellman, and the discrete logarithm problem Generic algorithms of square root complexity Pairings 3/71 Introduction: public-key cryptography Introduced in 1976 (Diffie–Hellman, DH) and 1977 (Rivert–Shamir–Adleman, RSA) Asymmetric means distinct public and private keys • encryption with a public key • decryption with a private key • deducing the private key from the public key is a very hard problem Two hard problems: • Integer factorization (for RSA) • Discrete logarithm computation in a finite group (for Diffie–Hellman) 4/71 Textbooks Alfred Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Christof Paar and Jan Pelzl. Understanding Cryptography, a Textbook for Students and Practitioners. Springer, 2010. (Two texbooks [PP10] (Paar and Pelzl) are available at the library at Lorient, code 005.8 PAA). Relvant chapters: 6, 7, 8, and 10. During lockdown, the library is opened: see La BU sur rendez-vous https://www-actus.univ-ubs.fr/fr/index/actualites/scd/ covid-19-la-bu-sur-rdv.html Lecture notes: https://gitlab.inria.fr/guillevi/enseignement/ (Lorient → Master-CSSE.md) 5/71 Textbooks The Handbook is available in PDF for free.
    [Show full text]
  • Faster Index Calculus for the Medium Prime Case Application to 1175-Bit and 1425-Bit finite fields
    Faster index calculus for the medium prime case Application to 1175-bit and 1425-bit finite fields Antoine Joux CryptoExperts and Universit´ede Versailles Saint-Quentin-en-Yvelines, Laboratoire PRISM, 45 avenue des Etats-Unis,´ F-78035 Versailles Cedex, France [email protected] Abstract. Many index calculus algorithms generate multiplicative rela- tions between smoothness basis elements by using a process called Siev- ing. This process allows us to quickly filter potential candidate relations, without spending too much time to consider bad candidates. However, from an asymptotic point of view, there is not much difference between sieving and straightforward testing of candidates. The reason is that even when sieving, some small amount of time is spent for each bad candidate. Thus, asymptotically, the total number of candidates contributes to the complexity. In this paper, we introduce a new technique: Pinpointing, which al- lows us to construct multiplicative relations much faster, thus reducing the asymptotic complexity of relations' construction. Unfortunately, we only know how to implement this technique for finite fields which con- tain a medium-sized subfield. When applicable, this method improves the asymptotic complexity of the index calculus algorithm in the cases where the sieving phase dominates. In practice, it gives a very inter- esting boost to the performance of state-of-the-art algorithms. We illus- trate the feasability of the method with discrete logarithm records in two medium prime finite fields, the first of size 1175 bits and the second of size 1425 bits. 1 Introduction Index calculus algorithms form a large class of algorithms for solving hard num- ber theoretic problems which are often used as a basis for public key cryp- tosystems.
    [Show full text]
  • Elementary Thoughts on Discrete Logarithms
    Algorithmic Number Theory MSRI Publications Volume 44, 2008 Elementary thoughts on discrete logarithms CARL POMERANCE ABSTRACT. We give an introduction to the discrete logarithm problem in cyclic groups and treat the most important methods for solving them. These include the index calculus method, the rho and lambda methods, and the baby steps, giant steps method. Given a cyclic group G with generator g, and given an element t in G, the discrete logarithm problem is that of computing an integer l with gl t. The D problem of computing discrete logarithms is fundamental in computational alge- bra, and of great importance in cryptography. In this lecture we shall examine how sometimes the problem may be reduced to the computation of discrete logarithms in smaller groups (though this reduction may not always lead to an easier problem). We give an example of how the reduction may be used profitably in taking “square roots” in cyclic groups of even order. We shall look at several exponential-time algorithms that work in a quite general setting, and we shall discuss the index calculus algorithm for taking discrete logarithms in the multiplicative group of integers modulo a prime. 1. “The” cyclic group of order n I should begin by saying that the discrete logarithm (dl) problem is not always hard. Obviously it is easy if the target element t is the group identity, or in general, some small power of g. Less obviously, there are entire families of cyclic groups for which the dl problem is easy. Take, for example, the additive group G Z=nZ.
    [Show full text]
  • T-Multiple Discrete Logarithm Problem and Solving Difficulty
    t-multiple discrete logarithm problem and solving difficulty Xiangqun Fu 1,2,*, Wansu Bao 1,2, Jianhong Shi 1,2, Xiang Wang 1,2 1 Information Engineering University, Zhengzhou, 450004, China 2 Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei, Anhui 230026, China Abstract: Considering the difficult problem under classical computing model can be solved by the quantum algorithm in polynomial time, t-multiple discrete logarithm problem is presented. The problem is non-degeneracy and unique solution. We talk about what the parameter effects the problem solving difficulty. Then we pointed out that the index-calculus algorithm is not suitable for the problem, and two sufficient conditions of resisting to the quantum algorithm for the hidden subgroup problem are given. Keywords: quantum algorithm, discrete logarithm problem, t -multiple discrete logarithm problem, hidden subgroup problem, cryptography 1 Introduction Quantum computation is an entirely new mode. Deutsch algorithm is the first quantum algorithm [1], which shows the power of parallelism computation. And the research on the quantum computation has been attracted widespread attention. Shor’s quantum algorithm [2] and Grover’s quantum search algorithm [3] have been presented, especially Shor’s algorithm which can solve integer factorization and discrete logarithm problem in polynomial time. Then the public-key crypto is under serious threat. Shor’s algorithm can be reduced to the quantum algorithm for the hidden subgroup problem [4], which is a pervasive quantum algorithm with polynomial time. Thus the problem can be solved in polynomial time, which can be reduced to hidden subgroup problem.
    [Show full text]
  • Index Calculus, Smooth Numbers, and Factoring Integers
    18.783 Elliptic Curves Spring 2019 Lecture #11 03/13/2019 11 Index calculus, smooth numbers, and factoring integers Having explored generic algorithms for the discrete logarithm problem in some detail, we now consider a non-generic algorithm based on index calculus. 1 This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard p − 1 method and the elliptic curve method (ECM). 11.1 Index calculus Index calculus is a method for computing discrete logarithms in the multiplicative group of a finite field. This might not seem directly relevant to the elliptic curve discrete logarithm problem, but as we shall see when we discuss pairing-based cryptography, these two problems are not completely unrelated. Moreover, index calculus based methods can be applied to the discrete logarithm problem on elliptic curves over non-prime finite fields, as well as abelian varieties of higher dimension (even over prime fields); see [7, 8, 9].2 We will restrict our attention to the simplest case, a finite field of prime order Fp ' Z=pZ, and let us fix the set of integers in [0;N] with N = p − 1 as a set of coset representatives for Z=pZ. Index calculus exploits the fact that we “lift” elements of Z=pZ to their representatives in [0;N] \ Z. ! Z ! Z=pZ ' Fq The map Z ! Z=pZ is the canonical quotient map given by reduction modulo p, and it is a ring homomorphism.
    [Show full text]
  • Improving the Complexity of Index Calculus Algorithms in Elliptic Curves Over Binary Fields Jean-Charles Faugère, Ludovic Perret, Christophe Petit, Guénaël Renault
    Improving the Complexity of Index Calculus Algorithms in Elliptic Curves over Binary Fields Jean-Charles Faugère, Ludovic Perret, Christophe Petit, Guénaël Renault To cite this version: Jean-Charles Faugère, Ludovic Perret, Christophe Petit, Guénaël Renault. Improving the Complexity of Index Calculus Algorithms in Elliptic Curves over Binary Fields. Eurocrypt 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Apr 2012, Cambridge, United Kingdom. pp.27-44, 10.1007/978-3-642-29011-4_4. hal-00776066 HAL Id: hal-00776066 https://hal.inria.fr/hal-00776066 Submitted on 14 Jan 2013 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Improving the Complexity of Index Calculus Algorithms in Elliptic Curves over Binary Fields Jean-Charles Faugère1,, Ludovic Perret1,, Christophe Petit2,, and Guénaël Renault1, 1 UPMC, Université Paris 06, LIP6 INRIA, Centre Paris-Rocquencourt, PolSys Project-team CNRS, UMR 7606, LIP6 4 place Jussieu, 75252 Paris, Cedex 5, France {Jean-Charles.Faugere,Ludovic.Perret,Guenael.Renault}@lip6.fr 2 UCL Crypto Group, Université catholique de Louvain Place du levant 3, 1348 Louvain-la-Neuve, Belgium [email protected] Abstract. The goal of this paper is to further study the index calcu- lus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem.
    [Show full text]