A General Polynomial Selection Method and New Asymptotic - PowerPoint PPT Presentation

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm Palash Sarkar, Shashank Singh Indian Statistical Institute INRIA, France Asiacrypt 2016 Sarkar and Singh Improved TNFS 4th December, 2016 1 / 25

Finite Field F Q , Q = p n Sub-exponential expression: � � ( c + o ( 1 ))( log Q ) a ( log log Q ) 1 − a �� L Q ( a , c ) = O exp Classification: Small characteristic: if a ≤ 1 / 3. Medium characteristic: if 1 / 3 < a < 2 / 3. Boundary case: if a = 2 / 3. Large characteristic: if a > 2 / 3. Sarkar and Singh Improved TNFS 4th December, 2016 2 / 25

Recent Progress on DLP over Finite Fields Small characteristic case: Development of the Function Field Sieve (FFS) algorithm has led to a quasi-polynomial time algorithm. Medium characteristic case: Recent interest in the Number Field Sieve (NFS) algorithm. Sarkar and Singh Improved TNFS 4th December, 2016 3 / 25

NFS for DLP Over F Q f ( x ) and g ( x ) are polynomials over Z having a common irreducible factor ϕ ( x ) of degree n over F p . α, β ∈ C are roots of f ( x ) and g ( x ) ; m ∈ F p n is a root of ϕ ( x ) . Z [ x ] x x → � → � β α Z ( α ) Z ( β ) α �→ m β �→ m F p ( m ) Figure : The basic principle of NFS. Sarkar and Singh Improved TNFS 4th December, 2016 4 / 25

Factor Basis Number fields: K 1 = Q [ x ] / ( f ) and K 2 = Q [ x ] / ( g ) ; O 1 and O 2 are the ring of integers of K 1 and K 2 respectively. Factor basis: prime ideals of O 1 and O 2 whose norms are at most some pre-specified bound B . Size of the factor basis: B 1 + o ( 1 ) . Sarkar and Singh Improved TNFS 4th December, 2016 5 / 25

Relation Collection Polynomials φ ( x ) ∈ Z [ x ] of degrees at most t − 1 are considered. If the principal ideals φ ( α ) O 1 and φ ( β ) O 2 are both smooth over the factor basis, then a relation among the factor basis elements is obtained. Formally, a linear relation between the discrete logs of certain elements of F p n is obtained. Such discrete logs are called virtual logarithms. A little more than B relations are collected. Sarkar and Singh Improved TNFS 4th December, 2016 6 / 25

Polynomial Selection and Sizes of Norms Norm of φ ( α ) O 1 is Res ( f , φ ) . For ensuring smoothness of φ ( α ) O 1 it is sufficient that Res ( f , φ ) is B -smooth; similarly, for g ( x ) . �� � t − 1 E 2 ( deg f ) / t � | Res ( f , φ ) | = O � f � ∞ �� � t − 1 E 2 ( deg g ) / t � | Res ( g , φ ) | = O � g � ∞ , E is such that � φ � ∞ ≈ E 2 / t and so E 2 sieving polynomials φ are considered. The lower the norms, the easier it becomes to find a relation. The norms are determined by � f � ∞ , � g � ∞ , deg f and deg g . Sarkar and Singh Improved TNFS 4th December, 2016 7 / 25

Asymptotic Complexity Asymptotic run time of NFS: Medium prime case: L Q ( 1 / 3 , ( 96 / 9 ) 1 / 3 ) . Obtained using the Conjugation method. Boundary case: L Q ( 1 / 3 , ( 48 / 9 ) 1 / 3 ) for c p = 12 1 / 3 . Obtained using the Conjugation method. More complete analysis using the SS method. Large prime case: L Q ( 1 / 3 , ( 64 / 9 ) 1 / 3 ) . Obtained using the GJL method. Sarkar and Singh Improved TNFS 4th December, 2016 8 / 25

Tower Number Field Sieve Algorithm Let n = ηκ and q = p η . Tower field representation: F p n = F q κ . Main idea for TNFS: Suppose p = L Q ( a , c p ) with 1 / 3 < a < 2 / 3 and q = L Q ( 2 / 3 , c p ) . The boundary case complexity is achieved for the medium prime case. exTNFS: variant of TNFS proposed by Kim-Barbulescu (2016). Sarkar and Singh Improved TNFS 4th December, 2016 9 / 25

Setting of exTNFS Choose h ( z ) such that: deg h = η ; � h � ∞ is small; h ( z ) is irreducible over F p . Define F p η = F p [ z ] / ( h ) and R = Z [ z ] / ( h ) . Choose f ( x ) and g ( x ) in Z [ x ] such that: Both are irreducible over R and over F p η . ϕ ( x ) = gcd ( f ( x ) , g ( x )) is of degree κ and is irreducible over F p η . F p n = F p η [ x ] / ( ϕ ) = ( R / pR )[ x ] / ( ϕ ) . Sarkar and Singh Improved TNFS 4th December, 2016 10 / 25

Kim-Barbulescu (2016) Requires ϕ ( x ) over F p having degree κ to be irreducible over F p η . This condition requires gcd ( η, κ ) = 1. Applies to composite non prime-power n such as n = 6 , 12 , 15 , 18 , 21 , . . . Cannot be applied to composite prime power n such as n = 4 , 8 , 9 , 16 , . . . Medium prime case: complexity L Q ( 1 / 3 , ( 48 / 9 ) 1 / 3 ) . Previously known complexity L Q ( 1 / 3 , ( 96 / 9 ) 1 / 3 ) . Sarkar and Singh Improved TNFS 4th December, 2016 11 / 25

A New Polynomial Selection Method Input: p ; n = ηκ ; d a factor of κ ; r ≥ k = κ/ d ; λ ∈ { 1 , η } . Random trials to find suitable f ( x ) , g ( x ) and ϕ ( x ) . f ( x ) and g ( x ) are in R [ x ] and are irreducible over R . ϕ ( x ) ∈ F p η [ x ] ; has degree κ and is irreducible over F p η . Sarkar and Singh Improved TNFS 4th December, 2016 12 / 25

Using LLL: Notation Given a ( x ) ∈ R [ x ] of degree k and positive integer r ≥ k , we define a matrix M a , r and a polynomial LLL ( M a , r ) . Suppose x k + a k − 1 ( z ) x k − 1 + · · · + a 1 ( z ) x + a 0 ( z ) a ( x ) = where each a i has degree less than λ ∈ { 1 , η } . Write = ( a i , 0 , . . . , a i ,λ − 1 ); a i = ( a 0 , 0 , . . . , a 0 ,λ − 1 , . . . , a k − 1 , 0 , . . . , a k − 1 ,λ − 1 ) . a Sarkar and Singh Improved TNFS 4th December, 2016 13 / 25

The Matrix M a , r diag λ k ( p )   1 a   0 λ − 1 , 1 + λ k diag λ − 1 ( p )     shift λ ( a )  1    0 λ − 1 , 1 + λ ( k + 1 ) diag λ − 1 ( p )     shift 2 λ ( a ) 1       ... ...       0 λ − 1 , 1 + λ ( r − 1 ) diag λ − 1 ( p )   shift ( r − k ) λ ( a ) 1 ( r λ + 1 ) × ( r λ + 1 ) Determinant of M a , r is p r ( λ − 1 )+ k . Sarkar and Singh Improved TNFS 4th December, 2016 14 / 25

The Polynomial LLL ( M a , r ) Apply the LLL algorithm to M a , r and write the first row as: [ b 0 , 0 , . . . , b 0 ,λ − 1 , b 1 , 0 , . . . , b 1 ,λ − 1 , . . . , b r − 1 , 0 , . . . , b r − 1 ,λ − 1 , b r ] . This represents a polynomial b ( x ) ∈ R [ x ] of degree r where b 0 ( z ) + b 1 ( z ) x + · · · + b r − 1 ( z ) x r − 1 + b r x r ; b ( x ) = b i , 0 + b i , 1 z + · · · + b i ,λ − 1 z λ − 1 ; b i ( z ) = Q ε/ n with ε = r ( λ − 1 ) + k � b � ∞ = . r λ + 1 The polynomial b ( x ) is written as LLL ( M a , r ) . Sarkar and Singh Improved TNFS 4th December, 2016 15 / 25

Random Trials: Step 1 Choose a monic polynomial A 1 ( x ) ∈ R [ x ] such that: deg A 1 = r + 1; A 1 ( x ) is irreducible over R ; A 1 ( x ) has coefficient polynomials of size O ( ln p ) ; over F p η , A 1 ( x ) has an irreducible factor A 2 ( x ) of degree k such that all coefficient polynomials of A 2 ( x ) have degrees at most λ − 1. Sarkar and Singh Improved TNFS 4th December, 2016 16 / 25

Random Trials: Step 2 Choose monic polynomials C 0 ( x ) and C 1 ( x ) with small integer coefficients such that deg C 1 < deg C 0 = d . Define: f ( x ) = Res y ( A 1 ( y ) , C 0 ( x ) + y C 1 ( x )) ; ϕ ( x ) = Res y ( A 2 ( y ) , C 0 ( x ) + y C 1 ( x )) mod p ; ψ ( x ) = LLL ( M A 2 , r ); g ( x ) = Res y ( ψ ( y ) , C 0 ( x ) + y C 1 ( x )) . Sarkar and Singh Improved TNFS 4th December, 2016 17 / 25

Degrees and Norms deg ( f ) = d ( r + 1 ) ; deg ( g ) = rd and deg ( ϕ ) = κ ; over F p η , both f ( x ) and g ( x ) have ϕ ( x ) as a factor; � f � ∞ = O ( ln ( p )) and � g � ∞ = O ( Q ε/ n ) . For a sieving polynomial φ E 2 d ( r + 1 ) / t × L Q ( 2 / 3 , o ( 1 )); N ( f , φ ) = E 2 dr / t × Q ( t − 1 ) ε/κ × L Q ( 2 / 3 , o ( 1 )) . N ( g , φ ) = Sarkar and Singh Improved TNFS 4th December, 2016 18 / 25

Relation to Previous Works Case η = 1: reduces to NFS. λ must be 1; yields Algorithm- A (EC 2016). Case η > 1 and λ = 1: ϕ ( x ) ∈ F p ; deg ϕ = κ ; irreducibility of ϕ ( x ) over F p η requires gcd ( η, κ ) = 1. Kim-Barbulescu (Crypto 2016) exTNFS methods are special cases: d = 1, k = κ yields exTNFS-GJL method; d = κ , r = k = 1 yields exTNFS-Conjugation. New Case: λ = η > 1: ϕ ( x ) is in F p n \ F p . The condition gcd ( η, κ ) = 1 is not necessary for the irreducibility of ϕ ( x ) . Sarkar and Singh Improved TNFS 4th December, 2016 19 / 25

Medium Prime Case: Asymptotic Complexity Theorem Let n = ηκ ; κ = kd; r ≥ k; t ≥ 2 ; p = L Q ( a , c p ) with 1 / 3 < a ≤ 2 / 3 ; η = c η ( ln Q / ln ln Q ) 2 / 3 − a ; c θ = c p c η . Runtime of the TNFS algorithm with polynomials chosen by Algorithm C is L Q ( 1 / 3 , 2 c b ) where �� 2 r + 1 � 2 2 ( 2 r + 1 ) + ( t − 1 ) c θ ε c b = + . 6 c θ kt 3 c θ kt 3 Sarkar and Singh Improved TNFS 4th December, 2016 20 / 25

Medium Prime Case: Asymptotic Complexity Minimise c b with respect to c θ : minimum achieved for t = 2. Case λ = 1: minimum value is � 1 / 3 � 32 ( 2 r + 1 ) 9 ( r + 1 ) which takes the minimum value of ( 48 / 9 ) 1 / 3 for r = 1. Either η = 1, a = 2 / 3 (boundary case), or, η > 1, 1 / 3 < a < 2 / 3 (medium prime case). λ = 1 implies that the condition gcd ( η, κ ) = 1 is required. The minimum complexity is not achieved for all values of c θ . Sarkar and Singh Improved TNFS 4th December, 2016 21 / 25