discrete logarithms and galois invariant smoothness basis
play

Discrete Logarithms and Galois Invariant Smoothness Basis (with - PowerPoint PPT Presentation

Aug 12, 2023 •268 likes •650 views

Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Discrete Logarithms and Galois Invariant Smoothness Basis (with J.-M. Couveignes) R. Lercier DGA/CELAR & University of Rennes France Reynald.Lercier (at)

  1. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Discrete Logarithms and Galois Invariant Smoothness Basis (with J.-M. Couveignes) R. Lercier DGA/CELAR & University of Rennes — France Reynald.Lercier (at) m4x.org CADO workshop on integer factorization INRIA Nancy Grand-Est — LORIA October 7-9, 2008

  2. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Motivation Computing discrete logarithms in F q , q = p d , with the function field sieve (FFS) relies mostly on the ability of finding relations between elements of a smoothness basis. In some very particularly cases (Kummer and Artin-Schreier theories), the factor basis can be constructed in such a way that it is left invariant by automorphisms of F q . In this talk, we are going to explain how this nice property can be generalized to a broad class of finite fields. J.-M. Couveignes and R. Lercier. Galois invariant smoothness basis. Series on Number Theory and Its Applications, 5:154-179, World Scientific, May 2008

  3. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Outline Background 1 Function Field Sieve 2 Galois Invariant Smoothness Basis 3 Conclusion 4

  4. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Outline Background 1 Function Field Sieve 2 Galois Invariant Smoothness Basis 3 Conclusion 4

  5. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Index calculus algorithms A family of algorithms to solve: integer factorization problems, discrete logarithm problems in finite fields. Two important sub-cases: Number Field Sieve (factoring and DL in large char.), Function Field Sieve (DL in small char.).

  6. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Index calculus methods Step 1 Step 2 One chooses V = { γ 1 , . . . , γ # V } ⊂ < g > , the As soon as possible, one computes log g γ , solutions “smoothness basis”, and one looks for ( ǫ,γ ) ∈ Z × V γ ǫ = 1 . relations of the type � of a linear system. Step 3 To compute log g y , for any y , one tries random integers ν until g ν y = � ( ǫ,γ ) ∈ Z × V γ ǫ . How to choose V ? How to find relations ?

  7. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Index calculus methods Step 1 Step 2 One chooses V = { γ 1 , . . . , γ # V } ⊂ < g > , the As soon as possible, one computes log g γ , solutions “smoothness basis”, and one looks for ( ǫ,γ ) ∈ Z × V γ ǫ = 1 . relations of the type � of a linear system. Step 3 To compute log g y , for any y , one tries random integers ν until g ν y = � ( ǫ,γ ) ∈ Z × V γ ǫ . How to choose V ? How to find relations ?

  8. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Index calculus methods Step 1 Step 2 One chooses V = { γ 1 , . . . , γ # V } ⊂ < g > , the As soon as possible, one computes log g γ , solutions “smoothness basis”, and one looks for ( ǫ,γ ) ∈ Z × V γ ǫ = 1 . relations of the type � of a linear system. Step 3 To compute log g y , for any y , one tries random integers ν until g ν y = � ( ǫ,γ ) ∈ Z × V γ ǫ . How to choose V ? How to find relations ?

  9. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Index calculus methods Step 1 Step 2 One chooses V = { γ 1 , . . . , γ # V } ⊂ < g > , the As soon as possible, one computes log g γ , solutions “smoothness basis”, and one looks for ( ǫ,γ ) ∈ Z × V γ ǫ = 1 . relations of the type � of a linear system. Step 3 To compute log g y , for any y , one tries random integers ν until g ν y = � ( ǫ,γ ) ∈ Z × V γ ǫ . How to choose V ? How to find relations ?

  10. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Index calculus methods Step 1 Step 2 One chooses V = { γ 1 , . . . , γ # V } ⊂ < g > , the As soon as possible, one computes log g γ , solutions “smoothness basis”, and one looks for ( ǫ,γ ) ∈ Z × V γ ǫ = 1 . relations of the type � of a linear system. Step 3 To compute log g y , for any y , one tries random integers ν until g ν y = � ( ǫ,γ ) ∈ Z × V γ ǫ . How to choose V ? How to find relations ?

  11. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion A school case A DL problem in the cyclic subgroup < 1193 > ⊂ F p , p = 10007. Let V = { 2 , 3 , 5 , 7 , 11 , 13 , 17 } , then 1193 15 mod p = 2 · 3 · 7 · 11 , 1193 36 mod p = 7 2 · 11 2 , 1193 41 mod p = 17 3 , 1193 47 mod p = 2 · 11 · 13 · 17 , 1193 73 mod p = 3 · 5 · 11 · 13 , 1193 74 mod p = 2 5 · 3 2 · 5 2 , 1193 78 mod p = 2 6 · 3 · 7 2 , 1193 80 mod p = 2 3 · 5 2 . It remains to combine these equations, 2 = 1193 4764 , 3 = 1193 236 , 5 = 1193 7903 , 7 = 1193 638 , 11 = 1193 4383 , 13 = 1193 2560 , 17 = 1193 3349 . Let now, for instance, y = 8964, then ( y · 1193 12 ) mod p = 2 2 · 3 3 · 5 · 17 , and thus y = 1193 1464 .

  12. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Known complexity results Complexity usually expressed as L q ( λ, c ) = exp (( c + o ( 1 ))( log q ) λ ( log log q ) 1 − λ ) . Two extreme cases: F q , with fixed (small) d . NFS [Gor93, Sch93, JL03] yields � 1 L q ( 1 � 64 3 3 , ) . 9 F q , with fixed (small) p . FFS [Cop84, Adl94, AH99, JL02] yields � 1 � 32 L q ( 1 3 3 , ) . 9

  13. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Known complexity results ([JL06, JLSV06]) When d and p both tend to ∞ . ln p 2 1 3 q ln 3 ln q ) O (ln � 64 ��������������������� NFS in L q ( 1 3 , 3 9 ) � 128 ��������������������� NFS in L q ( 1 3 , 3 9 ) 1 2 3 ln q ) O (ln 3 q ln � 32 ��������������������� FFS in L q ( 1 3 , 3 9 ) ln q

  14. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Outline Background 1 Function Field Sieve 2 Galois Invariant Smoothness Basis 3 Conclusion 4

  15. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Basic setup An algorithm, parameterized by a degree D (which increases with d ). Choose two univariate polynomials f 1 and f 2 over F p with degrees d 1 and d 2 (as small as possible) such that d 1 ≈ Dd 2 , Resultant ( β − f 1 ( α ) , α − f 2 ( β )) in α or β has an irreducible factor of degree n modulo p , √ � ( d 1 d 2 ≥ n , that is d 1 ≈ Dn and d 2 ≈ n / D ). This means that there exist α, β ∈ F q such that β = f 1 ( α ) and α = f 2 ( β ) .

  16. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion The sieving Take p 2 D + 1 polynomials of the form a ( α ) β + b ( α ) where a and b are polynomials of degree D ( a unitary). In this expression, replace β by f 1 ( α ) and α by f 2 ( β ) , this yields equations h 1 ( α ) = h 2 ( β ) √ where h 1 (resp. h 2 ) has degree d 1 + D ≈ Dn (resp. √ d 2 D + 1 ≈ Dn ). In good cases, h 1 and h 2 split into irreducible factors of degree at most D .

  17. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Example: F 65537 25 Take D = 1, f 1 ( α ) = α 5 + α + 3 and f 2 ( β ) = − β 5 − β − 1 Consider β + 2 α − 20496 It can be written as: α 5 + 3 α − 20493 = ( α + 2445 ) · ( α + 9593 ) · ( α + 31166 ) · ( α + 39260 ) · ( α + 48610 ) Or as: − 2 β 5 − β − 20498 = − 2 ( β + 1946 ) · ( β + 17129 ) · ( β + 18727 ) · ( β + 43449 ) · ( β + 49823 )

  18. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion The end of the computation Linear algebra When enough relations collected, inversion of the system yields DLs of irreducible polynomials of degree at most D modulo ( q − 1 ) / ( p − 1 ) . Discrete logarithms of any y . Basically √ Test random ν until a polynomial g ν · y is d -smooth. For each factor δ , of degree d δ , test for ( d δ − 1 ) -smoothness elements a ( α ) β + b ( α ) chosen such that δ divides h 1 ( α ) .

  19. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Experiments Fields Size When Complexity Method Who (digits) ( gips year) F 2 401 121 1992 0.2 Gordon, McCurley coppersmith F 2 521 157 2002 0.4 Joux, Lercier ffs F 2 607 183 2002 20 Thomé coppersmith F 2 607 183 2005 1.6 Joux, Lercier ffs F 2 613 Fields Size When Complexity Method Who (digits) ( gips year) F 370801 18 101 2005 0.4 Lercier, Vercauteren tori 121 2005 ≃ 0 Joux, Lercier F 65537 25 ffs F 370801 30 168 2005 0.1 Joux, Lercier ffs Joux, Lercier, 120 2006 1.2 F p 3 nfs Smart,Vercauteren

  20. Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Outline Background 1 Function Field Sieve 2 Galois Invariant Smoothness Basis 3 Conclusion 4

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Private key versus Public Key Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms

Private key versus Public Key Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms

Elliptic curves over F q Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms DL Attacks BSGS PohlihHellmann DL records Square roots E LLIPTIC CURVES C RYPTOGRAPHY Reminder from Yesterday Points of finite order Important

664 views • 30 slides
Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la factorisation dentiers et le calcul de logarithme discret Cyril Bouvier CARAMEL project-team, LORIA Universit de Lorraine / CNRS / Inria

470 views • 42 slides
Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Index Calculus Method Small char Finite Fields 9234 bits Impact on Pairings Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in F 2 4 1223 and F 2 12 367 ) Jens Zumbr agel Institute of

367 views • 32 slides
I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

Kolmogorov Complexity Need for Approximate . . . I-Complexity Good Properties of I- . . . I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A Group-Theoretic Acknowledgments References Explanation

481 views • 12 slides
Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze multiplicative groups of cost of NFS + CVP small-characteristic finite fields for class groups, unit groups, the algorithm of Barbulescu, short

912 views • 80 slides
Logarithms 2-1 Definition of Logarithms

Logarithms 2-1 Definition of Logarithms

Logarithms 2-1 Definition of Logarithms If x = b y then y = log b x where x and b are positive numbers and b 1 log b x is read as logarithm of x to the base of b . 2 - 2

318 views • 9 slides
Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg Solving

Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg Solving

Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition Let G be a cyclic group of order q and let g G be a generator. Given G , the

468 views • 44 slides
DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

ECC 2019: 23rd Workshop on DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN QUASI-POLYNOMIAL TIME Based on a joint work with Thorsten Kleinjung IN FINITE FIELDS OF SMALL CHARACTERISTIC Benjamin Wesolowski

700 views • 47 slides
Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Grtz Institute for IT Security Ruhr University Bochum Subset Sum Subset Sum Problem 0

464 views • 23 slides
Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto 2017, 8th International Workshop, Utrecht, June 26-28, 2017 Martin Eker 1 , 2 Johan Hstad 1 1 KTH Royal Institute of Technology, SE-100 44

728 views • 31 slides
Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group

Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group

ANTS IX, Nancy, France Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group and g G has finite order m . Then for each t g the integers n with g n = t form a residue class mod m . Denote

585 views • 40 slides
JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common

JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common

JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common logarithms 1.4.2 Logarithms in general 1.4.3 Useful Results 1.4.4 Properties of logarithms 1.4.5 Natural logarithms 1.4.6 Graphs of logarithmic and

397 views • 13 slides
Invariant measures of discrete interacting particles systems: algebraic aspects Luis Fredes

Invariant measures of discrete interacting particles systems: algebraic aspects Luis Fredes

Invariant measures of discrete interacting particles systems: algebraic aspects Luis Fredes (joint work with J.F. Marckert). cole dt St. Flour 2018 Luis Fredes Invariant measures of discrete IPS 1 / 23 Particle system Define a set

658 views • 62 slides
Hopf-Galois Theory and Galois Module Structure University of Exeter. Induced Hopf Galois

Hopf-Galois Theory and Galois Module Structure University of Exeter. Induced Hopf Galois

Hopf-Galois Theory and Galois Module Structure University of Exeter. Induced Hopf Galois structures Teresa Crespo, Anna Rio and Montserrat Vela June 25th, 2015 Let K/k be a separable field extension of degree n , K its Galois closure, G =

270 views • 14 slides
Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Cryptography Number Theory Divisibility and Primes Modular Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms Computationally Hard Problems School of Engineering and Technology CQUniversity

964 views • 67 slides
Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world

Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world

Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world crypto and privacy Sibenik, Croatia // June 17 2019 Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Asymmetric crypto settings

1.17k views • 86 slides
and their relationship to braces Kayvan Nejabati Zenouz 1 University of Exeter, UK June 23, 2017

and their relationship to braces Kayvan Nejabati Zenouz 1 University of Exeter, UK June 23, 2017

Introduction Method Results References Hopf-Galois structures on Galois field extensions of degree p 3 and their relationship to braces Kayvan Nejabati Zenouz 1 University of Exeter, UK June 23, 2017 1 Kn249@ex.ac.uk Hopf-Galois structures and

209 views • 9 slides
F p 2 -maximal curves with many automorphisms are Galois-covered by the Hermitian curve Daniele

F p 2 -maximal curves with many automorphisms are Galois-covered by the Hermitian curve Daniele

F p 2 -maximal curves with many automorphisms are Galois-covered by the Hermitian curve Daniele Bartoli Universit` a degli Studi di Perugia (Italy) (Joint work with Maria Montanucci and Fernando Torres) Finite Geometries - Fifth Irsee

577 views • 47 slides
Presentation of Normal Bases Mohamadou Sall mohamadou1.sall@ucad.edu.sn University Cheikh Anta

Presentation of Normal Bases Mohamadou Sall mohamadou1.sall@ucad.edu.sn University Cheikh Anta

Presentation of Normal Bases Mohamadou Sall mohamadou1.sall@ucad.edu.sn University Cheikh Anta Diop, Dakar (Senegal) Pole of Research in Mathematics and their Applications in Information Security (PRMAIS) Institut de Mathmatiques de Bordeaux,

3.02k views • 36 slides
Accel Ac celeration of Er eration of Erasur asure e Cod Codin ing Yi Qiao, Xiao Kong,

Accel Ac celeration of Er eration of Erasur asure e Cod Codin ing Yi Qiao, Xiao Kong,

To Towar ards ds In In-networ network k Accel Ac celeration of Er eration of Erasur asure e Cod Codin ing Yi Qiao, Xiao Kong, Menghao Zhang, Yu Zhou, Mingwei Xu, Jun Bi Tsinghua University Eras rasure ure Coding ing (EC) In

505 views • 15 slides
Homomorphic Evaluation of the AES Circuit Craig Gentry, Shai Halevi, Nigel P . Smart IBM

Homomorphic Evaluation of the AES Circuit Craig Gentry, Shai Halevi, Nigel P . Smart IBM

Homomorphic Evaluation of the AES Circuit Craig Gentry, Shai Halevi, Nigel P . Smart IBM Research and University Of Bristol. August 22, 2012 Craig Gentry, Shai Halevi, Nigel P . Smart Homomorphic Evaluation of the AES Circuit Slide 1

592 views • 30 slides
KallistiOS An embedded OS for Video Game Consoles UMBC CMSC 421 - Spring 2012 Tuesday, May 1,

KallistiOS An embedded OS for Video Game Consoles UMBC CMSC 421 - Spring 2012 Tuesday, May 1,

KallistiOS An embedded OS for Video Game Consoles UMBC CMSC 421 - Spring 2012 Tuesday, May 1, 12 Embedded Systems Computers (and OSes, of course) are everywhere! Low-power, low-memory devices make up a large proportion of the market

301 views • 15 slides
Introduction to Game Programming Steven Osman sosman@cs.cmu.edu Introduction to Game

Introduction to Game Programming Steven Osman sosman@cs.cmu.edu Introduction to Game

Introduction to Game Programming Steven Osman sosman@cs.cmu.edu Introduction to Game Programming Introductory stuff Look at a game console: PS2 Some Techniques (Cheats?) What is a Game? Half-Life 2, Valve Designing a Game Computer

1.37k views • 59 slides
Welcome to the workshop! Serverless Architecture by Example Open up your laptop, connect to

Welcome to the workshop! Serverless Architecture by Example Open up your laptop, connect to

Welcome to the workshop! Serverless Architecture by Example Open up your laptop, connect to wifj, and open your (recent) web browser Log in to the Google Cloud console: https://console.cloud.google.com/edu Set up a new Gmail account

1.07k views • 72 slides

More recommend