computation of a 768 bit prime field discrete logarithm
play

Computation of a 768-bit prime field discrete logarithm C. Diem, T. - PowerPoint PPT Presentation

Jan 29, 2023 •383 likes •694 views

Computation of a 768-bit prime field discrete logarithm C. Diem, T. Kleinjung, A. K. Lenstra, C. Priplata, C. Stahlke EPF Lausanne (Switzerland), Universit at Leipzig (Germany) 1 / 11 Paris, 1st April 1776 2 / 11 Paris, 1st April 1776

  1. Computation of a 768-bit prime field discrete logarithm C. Diem, T. Kleinjung, A. K. Lenstra, C. Priplata, C. Stahlke EPF Lausanne (Switzerland), Universit¨ at Leipzig (Germany) 1 / 11

  2. Paris, 1st April 1776 2 / 11

  3. Paris, 1st April 1776 Marie-Sophie Germain Germain primes q , p = 2 q + 1 2 / 11

  4. Paris, 1st April 1776 Marie-Sophie Germain Germain primes q , p = 2 q + 1 Example: q = [2 765 π ] + 31380, p = [2 766 π ] + 62762 2 / 11

  5. Two centuries later Diffie-Hellman key exchange Public data: prime p and generator g of F × p Alice chooses private random a and computes A = g a . 1 Bob chooses private random b and computes B = g b . 2 3 Alice sends A to Bob; Bob sends B to Alice. Alice computes common secret S = g ab as S = B a . 4 Bob computes common secret S = g ab as S = A b . 5 3 / 11

  6. Two centuries later Diffie-Hellman key exchange Public data: prime p and generator g of F × p Alice chooses private random a and computes A = g a . 1 Bob chooses private random b and computes B = g b . 2 Alice sends A to Bob; Bob sends B to Alice. 3 Alice computes common secret S = g ab as S = B a . 4 Bob computes common secret S = g ab as S = A b . 5 Discrete logarithm problem (DLP) Given a prime p , a generator g of F × p and a target h ∈ F × p find an integer x (denoted by log g h ) such that g x = h . 3 / 11

  7. Two centuries later Diffie-Hellman key exchange Public data: prime p and generator g of F × p Alice chooses private random a and computes A = g a . 1 Bob chooses private random b and computes B = g b . 2 Alice sends A to Bob; Bob sends B to Alice. 3 Alice computes common secret S = g ab as S = B a . 4 Bob computes common secret S = g ab as S = A b . 5 Discrete logarithm problem (DLP) Given a prime p , a generator g of F × p and a target h ∈ F × p find an integer x (denoted by log g h ) such that g x = h . Investigate how secure this is for, say, 768-bit prime fields: Our challenge Solve the DLP for p = [2 766 π ] + 62762, g = 11, h = [2 766 e ], i.e., find x such that 11 x ≡ h (mod p ) . 3 / 11

  8. Factoring Number field sieve (NFS): 1 Polynomial selection: Find two polynomials f 1 , f 2 ∈ Z [ x ] with a common zero m modulo N (and some conditions). Denote by F 1 , F 2 the corresponding homogeneous polynomials. 2 Sieving: Choose L and find sufficiently many pairs a , b ∈ Z (relations) such that F 1 ( a , b ) and F 2 ( a , b ) factor into primes ≤ L . 3 Matrix step: Construct a matrix from these relations. Solve this system of linear equations modulo 2. Each solution gives rise to a congruence c 2 ≡ d 2 (mod N ), and gcd( c + d , N ) is a proper divisor of N with probability ≥ 1 2 . 4 / 11

  9. Discrete logarithms Number field sieve (NFS): 1 Polynomial selection: Find two polynomials f 1 , f 2 ∈ Z [ x ] with a common zero m modulo p (and some conditions). Denote by F 1 , F 2 the corresponding homogeneous polynomials. 2 Sieving: Choose L and find sufficiently many pairs a , b ∈ Z (relations) such that F 1 ( a , b ) and F 2 ( a , b ) factor into primes ≤ L . 3 Matrix step: Construct a matrix from these relations. Solve this system of linear equations modulo q . The solution vector of the matrix step gives (virtual) logarithms of (some of) the prime ideals ≤ L modulo q . Using these logarithms g x ≡ h (mod p ) can be solved via descent (later). 4 / 11

  10. Differences between factoring and the DLP Fundamental difference: For each integer there is just one factoring problem, whereas for each prime there are many DPLs. DLP instances with the same prime p share the three main NFS steps. Applicable to cryptosystems in which the same prime p is used by all parties (as is often featured in some standards). 5 / 11

  11. Differences between factoring and the DLP Fundamental difference: For each integer there is just one factoring problem, whereas for each prime there are many DPLs. DLP instances with the same prime p share the three main NFS steps. Applicable to cryptosystems in which the same prime p is used by all parties (as is often featured in some standards). Differences between factoring-NFS and DLP-NFS: One has more freedom in polynomial selection for DLP-NFS (Joux-Lercier method). The matrix step modulo q is about log 2 q times more complex than modulo 2. There are some other, minor differences. 5 / 11

  12. Extrapolating from RSA-768 to 768-bit DLP RSA-768 timings: Main steps time wall clock time memory comments Pol. selection 40 years 5 months < 10 MB low priority Sieving 1500 years 2 years 1-2 GB very parallel � Matrix step 75 years 4 months 200 GB only 8 tasks (193M × 193M ) 6 / 11

  13. Extrapolating from RSA-768 to 768-bit DLP RSA-768 timings: Main steps time wall clock time memory comments Pol. selection 40 years 5 months < 10 MB low priority Sieving 1500 years 2 years 1-2 GB very parallel � Matrix step 75 years 4 months 200 GB only 8 tasks (193M × 193M ) Naive extrapolation to 768-bit DLP: Main steps time Pol. selection 40 years Sieving 1500 years Matrix step 50000 years (about 767 times 75 years) 6 / 11

  14. Rebalancing Problem: How can the effort for the matrix step be reduced? 7 / 11

  15. Rebalancing Problem: How can the effort for the matrix step be reduced? Solution: By adapting parameters one looks for better (but rarer) relations, which are supposed to produce a smaller matrix. (smaller factor bases, only two large primes per polynomial) 7 / 11

  16. Rebalancing Problem: How can the effort for the matrix step be reduced? Solution: By adapting parameters one looks for better (but rarer) relations, which are supposed to produce a smaller matrix. (smaller factor bases, only two large primes per polynomial) Consequences: The sieving time increases. The time for the matrix step decreases (smaller matrix). 7 / 11

  17. Rebalancing Problem: How can the effort for the matrix step be reduced? Solution: By adapting parameters one looks for better (but rarer) relations, which are supposed to produce a smaller matrix. (smaller factor bases, only two large primes per polynomial) Consequences: The sieving time increases. The time for the matrix step decreases (smaller matrix). An unexpected side-effect occurred: One can apply tricks to speed up sieving (halving the running time). 7 / 11

  18. Rebalancing Problem: How can the effort for the matrix step be reduced? Solution: By adapting parameters one looks for better (but rarer) relations, which are supposed to produce a smaller matrix. (smaller factor bases, only two large primes per polynomial) Consequences: The sieving time increases. The time for the matrix step decreases (smaller matrix). An unexpected side-effect occurred: One can apply tricks to speed up sieving (halving the running time). Unrelated to the above, one can (and we did) use the Joux-Lercier polynomial selection method. It reduces the complexity of sieving and of the matrix step. 7 / 11

  19. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP 8 / 11

  20. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP 8 / 11

  21. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP August 2015 First matrix built (about 80 million, far too big) 8 / 11

  22. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP August 2015 First matrix built (about 80 million, far too big) November 2015 Feasible matrix (about 34 million) 8 / 11

  23. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP August 2015 First matrix built (about 80 million, far too big) November 2015 Feasible matrix (about 34 million) December 2015 End of sieving, matrix size 23 . 5 million Matrix step started 8 / 11

  24. Timeline Early 2015 Experiments with 512-bit and 640-bit DLPs Polynomial selection for 768-bit DLP May 2015 Sieving started for 768-bit DLP August 2015 First matrix built (about 80 million, far too big) November 2015 Feasible matrix (about 34 million) December 2015 End of sieving, matrix size 23 . 5 million Matrix step started May 2016 Matrix step completed 8 / 11

  25. NFS computation Computation: It took about 1 year wall clock time (4th May 2015 - 18th May 2016). It took about 5000 core years. It could be reduced to 3000-4000 core years (perhaps further). 9 / 11

  26. NFS computation Computation: It took about 1 year wall clock time (4th May 2015 - 18th May 2016). It took about 5000 core years. It could be reduced to 3000-4000 core years (perhaps further). Result: We have (virtual) logarithms for about 23 . 5 million prime ideals. This leads to the logarithms for some of the small primes. 9 / 11

  27. Individual logarithms Precomputation (not essential, but useful): 0 Extend 23 . 5 million logarithms to a bigger database, for example: all logarithms for prime ideals of norm < 2 35 . (This took about 200 core years.) 10 / 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 , P. Gaudry 2 , N. Heninger 1 , E. Thom e 2 1 U. Penn ; 2 Caramba/Inria/Loria Nov 13rd, 2017 A kilobit hidden SNFS discrete logarithm computation

441 views • 42 slides
Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields Christophe Petit, Michiel Kosters, Ange Messeng University of Oxford, University of California Irvine, University of Passau Christophe Petit - PKC2016 -

562 views • 41 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Discrete Log Problem Discrete Log Problem Given a prime number p Z * x

Discrete Log Problem Discrete Log Problem Given a prime number p Z * x

Discrete Log Problem Discrete Log Problem Given a prime number p Z * x (mod p ) Given a prime number p , Z p , (mod p ) finding x is called the discrete logarithm problem Not every discrete

640 views • 11 slides
Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team Ecole Polytechnique / LIX Asiacrypt 2015 Conference, Auckland, New Zealand, November 30 Aurore Guillevic

711 views • 51 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides
Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute of Technology Discrete logarithm problem. The discrete logarithm problem (DLP) in a finite cyclic group G : for any pair g , h G find a

673 views • 18 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
A kilobit hidden SNFS discrete log computation Joshua Fried , Pierrick Gaudry, Nadia Heninger,

A kilobit hidden SNFS discrete log computation Joshua Fried , Pierrick Gaudry, Nadia Heninger,

A kilobit hidden SNFS discrete log computation Joshua Fried , Pierrick Gaudry, Nadia Heninger, Emmanuel Thom e May 1, 2017 Textbook (Finite-Field) Diffie-Hellman Key Exchange [Diffie Hellman 1976] p a prime (so F p is a cyclic group) g

598 views • 30 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Crypto 2020 Virtual Conference 1/29 The discrete

338 views • 29 slides
Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving RSA-240, DLP-240, RSA-250 Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thom e, Paul Zimmermann ere de l FB:

466 views • 31 slides
Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey Pierrick Gaudry Hamza Jeljeli Emmanuel Thom e Marion Videau Paul Zimmermann CARAMEL project-team, LORIA, INRIA / CNRS / Universit e de

419 views • 22 slides
Objectives To enhance the understanding of Python by completing a program which tests for prime

Objectives To enhance the understanding of Python by completing a program which tests for prime

Due: 11 th Sept 1 CMPSC 102 Discrete Structures Fall 2018 Lab 1 Assignment: Prime Number Computation Using Python Submit deliverables through your assignment GitHib repository bearing your name. Place source code in src/ and output in output/

208 views • 6 slides
On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de Lorraine, Inria Nancy, France joint work with Razvan Barbulescu, Antoine Joux, Emmanuel Thom RICAM Linz, Austria 1/42 Plan Background Recent

598 views • 49 slides
Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly joint work with Taechan Kim and Yongsu Song) Department of Mathematical Sciences and ISaC-RIM Seoul National University December 13, 2013 1 / 41

557 views • 41 slides
Factoring the Characteristic Polynomial Joshua Hallam and Bruce Sagan Department of Mathematics

Factoring the Characteristic Polynomial Joshua Hallam and Bruce Sagan Department of Mathematics

Factoring the Characteristic Polynomial Joshua Hallam and Bruce Sagan Department of Mathematics Michigan State University East Lansing, MI 48824-1027 www.math.msu.edu/ sagan June 21, 2014 Motivating Example Quotient Posets The Standard

1.73k views • 147 slides
Eigenvalues, Eigenvectors, Matrix Factoring, and Principal Components The eigenvalues and

Eigenvalues, Eigenvectors, Matrix Factoring, and Principal Components The eigenvalues and

Eigenvalues, Eigenvectors, Matrix Factoring, and Principal Components The eigenvalues and eigenvectors of a square matrix play a key role in some important operations in statistics. In particular, they are intimately connected with the

376 views • 25 slides
Sparse Tensor Factorization: Algorithms, Data Structures, and Challenges Shaden Smith &amp;

Sparse Tensor Factorization: Algorithms, Data Structures, and Challenges Shaden Smith &amp;

Sparse Tensor Factorization: Algorithms, Data Structures, and Challenges Shaden Smith &amp; George Karypis University of Minnesota Department of Computer Science &amp; Engineering shaden@cs.umn.edu Sparse Tensor Factorization: Algorithms,

844 views • 80 slides
Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and

Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and

Factoring Polynomials over Local Fields II Sebastian Pauli Department of Mathematics and Statistics University of North Carolina at Greensboro Sebastian Pauli (UNC Greensboro) Factoring Polynomials over Local Fields II 1 / 20 Polynomial

765 views • 44 slides
A. Operations with algebraic Algebra practice part 1 expressions 3 4 A. Operations with

A. Operations with algebraic Algebra practice part 1 expressions 3 4 A. Operations with

1 2 A. Operations with algebraic Algebra practice part 1 expressions 3 4 A. Operations with algebraic expressions A. Operations with algebraic expressions What is an algebraic expression? What is an algebraic expression? Example: An

459 views • 5 slides
Factoring a Quadratic Peter Chi Assistant Professor of Statistics Villanova University DataCamp

Factoring a Quadratic Peter Chi Assistant Professor of Statistics Villanova University DataCamp

DataCamp Probability Puzzles in R PROBABILITY PUZZLES IN R Factoring a Quadratic Peter Chi Assistant Professor of Statistics Villanova University DataCamp Probability Puzzles in R What's the probability that a quadratic will factor?

566 views • 23 slides
Factoring Elements in G -Algebras with ncfactor.lib ICMS 2016 Berlin Germany Albert

Factoring Elements in G -Algebras with ncfactor.lib ICMS 2016 Berlin Germany Albert

Factoring Elements in G -Algebras with ncfactor.lib ICMS 2016 Berlin Germany Albert Heinle Symbolic Computation Group David R. Cheriton School of Computer Science University of Waterloo Canada 20160712 1 / 26 Introduction The

416 views • 37 slides
Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Slide 1 / 128 Slide 2 / 128 Table of Contents Factors and GCF Factoring out GCF's Polynomials Factoring Trinomials x 2 + bx + c Factoring Using Special Patterns Factoring Trinomials ax 2 + bx + c Factoring 4 Term Polynomials

472 views • 22 slides

More recommend