Discrete logarithms in ®nite ®elds and their cryptographic signi®cance A. M. Odlyzko AT&T Bell Laboratories Murray Hill, New Jersey 07974 ABSTRACT Given a primitive element g of a ®nite ®eld GF(q), the discrete logarithm of a nonzero element u ∈ GF(q) is that integer k, 1 ≤ k ≤ q − 1, for which u = g k. The well-known problem of computing discrete logarithms in ®nite ®elds has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an ef®cient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the ®elds GF( 2n ). It appears that in order to be safe from attacks using these algorithms, the value of n for which GF( 2n ) is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in ®elds GF( 2n ) are much easier to compute than in ®elds GF(p) with p prime. Hence the ®elds GF( 2n ) ought to be avoided in all cryptographic applications. On the other hand, the ®elds GF(p) with p prime appear to offer relatively high levels of security. Discrete logarithms in ®nite ®elds and their cryptographic signi®cance A. M. Odlyzko AT&T Bell Laboratories Murray Hill, New Jersey 07974 1. Introduction The multiplicative subgroup of any ®nite ®eld GF(q), q a prime power, is cyclic, and the elements g ∈ GF(q) that generate this subgroup are referred to as primitive elements. Given a primitive element g ∈ GF(q) and any u ∈ GF(q) * = GF(q) − {0}, the discrete logarithm of u with respect to g is that integer k, 0 ≤ k ≤ q − 1, for which u = g k . = We will write k log g u. The discrete logarithm of u is sometimes referred to as the index of u. Aside from the intrinsic interest that the problem of computing discrete logarithms has, it is of considerable importance in cryptography. An ef®cient algorithm for discrete logarithms would make several authentication and key-exchange systems insecure. This paper brie¯y surveys (in Section 2) these cryptosystems, and then analyzes the known algorithms for computing discrete logarithms. As it turns out, some of them, including the most powerful general purpose algorithm in this area, have not been analyzed in complete detail before. Moreover, some of the analyses in the literature deal only with ®elds GF(p), where p is a prime. In cryptographic applications, on the other hand, attention has been focused on the ®elds GF( 2n ), since arithmetic in them is much easier to implement, with respect to both software and hardware. Therefore we concentrate on the ®elds GF( 2n ). Several proposed algorithms for computing discrete logarithms are known. We brie¯y discuss most of them (including some unsuccessful ones) in Section 3. In Section 4 we present the most powerful general purpose algorithm that is known today, called the index-calculus algorithm, and analyze its asymptotic performance. Recently a dramatic improvement in its performance in ®elds GF( 2n ) was made by Coppersmith [18,19], and we discuss it in detail. In Section 5 we discuss several technical issues that are important to the performance of the index-calculus algorithm, such as rapid methods to solve the systems of - 2 - linear equations that arise in it. In that section we also present several suggested modi®cations to the Coppersmith algorithm which appear to be unimportant asymptotically, but are of substantial importance in practice. We discuss them in order to obtain a reasonable estimate of how fast this algorithm could be made to run in practice. In Section 6 we estimate the running time of that algorithm for ®elds GF( 2n ) that might actually be used in cryptography. In Section 7 we brie¯y discuss the performance of the index- calculus algorithms in ®elds GF(p) for p a prime. Finally, we discuss the implications of these algorithms for cryptography in Section 8. It turns out, for example, that the MITRE scheme [38,59] and the Hewlett- Packard chip [69], both of which use the ®eld GF( 2127 ), are very insecure. Depending on the level of security that is desired, it seems that ®elds GF( 2n ) to be used ought to have n large, no smaller than 800 and preferably at least 1500. Furthermore, these values of n have to be very carefully chosen. On the other hand, it appears at this moment that the ®elds GF(p), where p is a prime, offer a much higher level of security, with p ∼> 2500 adequate for many applications and p ∼> 21000 being suf®cient even for extreme situations. The ®elds GF(p) appear at this moment to offer security comparable to that of the RSA scheme with modulus of size p. It has to be stressed that this survey presents the current state of the art of computing discrete logarithms. Since the state of the art has been advancing very rapidly recently, this paper has already gone through several revisions. The most important of the new developments has certainly been the Coppersmith breakthrough in ®elds GF( 2n ). Even more recently, there has been much less spectacular but still important progress in ®elds GF(p), which is brie¯y described in Section 7, and in methods for dealing with sparse systems of equations, which are discussed in Section 5, and which are crucial for the index- calculus algorithms. It is quite likely that further progress will take place in discrete logarithm algorithms and so the cryptographic schemes described below will require the use of even larger ®elds than are being recommended right now. 2. Cryptographic systems related to discrete logarithms One of the ®rst published cryptosystems whose security depends on discrete logarithms being dif®cult to compute appears to be an authentication scheme. In many computer systems, users' passwords are stored in a special ®le, which has the disadvantage that anyone who gets access to that ®le is able to freely - 3 - impersonate any legitimate user. Therefore that ®le has to be specially protected by the operating system. It has been known for a long time (cf. [54]) that one can eliminate the need for any secrecy by eliminating the storage of passwords themselves. Instead, one utilizes a function f that is hard to invert (i.e., such that given a y in the range of f, it is hard to ®nd an x in the domain of f such that f (x) = y) and creates a ®le containing pairs (i, f (p i ) ), where i denotes a user's login name and p i the password of that user. This ®le can then be made public. The security of this scheme clearly depends on the function f being hard to invert. One early candidate for such a function was discrete exponentiation; a ®eld GF(q) and a primitive element g ∈ GF(q) are chosen (and made public), and for x an integer, one de®nes f (x) = g x . Anyone trying to get access to a computer while pretending to be user i would have to ®nd p i knowing only p the value of g i ; i.e., he would have to solve the discrete logarithm problem in the ®eld GF(q). Public key cryptography suffers from the defect that the systems that seem safe are rather slow. This disadvantage can be overcome to a large extent by using a public key cryptosystem only to distribute keys for a classical cryptosystem, which can then be used to transmit data at high speeds. Dif®e and Hellman [23] have invented a key-exchange system based on exponentiation in ®nite ®elds. (This apparently was the very ®rst public key cryptosystem that was proposed.) In it, a ®nite ®eld GF(q) and a primitive element g ∈ GF(q) are chosen and made public. Users A and B, who wish to communicate using some standard encryption method, such as DES, but who do not have a common key for that system, choose random integers a and b, respectively, with 2 ≤ a, b ≤ q − 2. Then user A transmits g a to B over a public channel, while user B transmits g b to A. The common key is then taken to be g ab, which A can compute by raising the received g b to the a power (which only he knows), and which B forms by raising g a to the b power. It is clear that an ef®cient discrete logarithm algorithm would make this scheme insecure, since the publicly transmitted g a would enable the cryptanalyst to determine a, and he could then determine the key used by A and B. Dif®e and Hellman [23] have even conjectured that breaking their scheme is equivalent in dif®culty to computing discrete logarithms. This conjecture remains unproved, and so we cannot exclude the possibility that there might be some way to generate g ab from knowledge of g a and g b only, without computing either a or b, although it seems unlikely that such a method exists. - 4 - The Dif®e-Hellman key-exchange scheme seems very attractive, and it has actually been implemented in several systems, such as a MITRE Corp. system [38,59]. Moreover, Hewlett-Packard has built a special purpose VLSI chip which implements this scheme [69]. However, these implementations have turned out to be easily breakable. It appears possible, though, to build a Dif®e - Hellman scheme that is about as secure as an RSA scheme of comparable key size.