individual discrete logarithm in gf p k last step of the
play

Individual Discrete Logarithm in GF( p k ) (last step of the Number - PowerPoint PPT Presentation

Jan 18, 2023 •196 likes •711 views

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team Ecole Polytechnique / LIX Asiacrypt 2015 Conference, Auckland, New Zealand, November 30 Aurore Guillevic

  1. Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team ´ Ecole Polytechnique / LIX Asiacrypt 2015 Conference, Auckland, New Zealand, November 30 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 1 / 25

  2. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), Huge massive precomputation (weeks, months, years) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  3. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive precomputation (weeks, months, years) p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  4. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive Thousands of precomputation individual log (weeks, months, computation years) < 1 min each p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  5. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive Thousands of precomputation individual log (weeks, months, computation years) < 1 min each p i < B 0 Logjam: GF( q ) = GF( p ) (standardized) prime field of 512 bits real-time man-in-the-middle attack on Diffie-Hellman key exchange compute a discrete log in GF( p ) in 70s in average Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  6. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive Thousands of precomputation individual log (weeks, months, computation years) < 1 min each p i < B 0 Logjam: GF( q ) = GF( p ) (standardized) prime field of 512 bits real-time man-in-the-middle attack on Diffie-Hellman key exchange compute a discrete log in GF( p ) in 70s in average Pairing-based cryptography: GF( q ) = GF( p 2 ), GF( p 6 ), GF( p 12 ) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  7. Logjam attack (weakdh.org) Solving actual practical problem: Given a fixed finite field GF( q ), log tab Huge massive Thousands of precomputation individual log (weeks, months, computation years) < 1 min each p i < B 0 Logjam: GF( q ) = GF( p ) (standardized) prime field of 512 bits real-time man-in-the-middle attack on Diffie-Hellman key exchange compute a discrete log in GF( p ) in 70s in average Pairing-based cryptography: GF( q ) = GF( p 2 ), GF( p 6 ), GF( p 12 ) Could we compute individual discrete logs in GF( p 2 ), GF( p 6 ), GF( p 12 ) in less than 1 min ? Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 2 / 25

  8. DLP in the target group of pairing-friendly curves DLP in the target group of pairing-friendly curves Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 3 / 25

  9. DLP in the target group of pairing-friendly curves Why DLP in finite fields F p 2 , F p 3 , . . . ? In a subgroup G = � g � of order ℓ , ( g , x ) �→ g x is easy (polynomial time) ( g , g x ) �→ x is (in well-chosen subgroup) hard: DLP. pairing: × → G 1 G 2 G T ∩ ∩ ∩ F ∗ E ( F p ) E ( F p k ) p k where E / F p is a pairing-friendly curve √ G 1 , G 2 , G T of large prime order ℓ (generic attacks in O ( ℓ ): take e.g. 256-bit ℓ ) 1 ≤ k ≤ 12 embedding degree: very specific property (specific attacks (NFS): take 3072-bit p k ) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 4 / 25

  10. DLP in the target group of pairing-friendly curves DL records in small characteristic ✗ Small characteristic: supersingular curves E / F 2 n : G T ⊂ F 2 4 n , E / F 3 m : G T ⊂ F 3 6 m Practical attacks (first one and most recent): Hayashi, Shimoyama, Shinohara, Takagi: GF(3 6 · 97 ) ( 923 bit field) (2012) Granger, Kleinjung, Zumbragel: GF(2 9234 ), GF(2 4404 ) (2014) ıquez: GF(3 822 ), GF(3 978 ) Adj, Menezes, Oliveira, Rodr´ ıguez-Henr´ (2014) Joux: GF(3 2395 ) (with Pierrot, 2014), GF(2 6168 ) (2013) Theoretical attacks: Quasi-Polynomial-time Algorithm (QPA) [Barbulescu Gaudry Joux Thom´ e 14] [Granger Kleinjung Zumbragel 14] Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 5 / 25

  11. DLP in the target group of pairing-friendly curves Common used pairing-friendly curves ✓ Curves over prime fields E / F p where QPA does NOT apply (with log p ≥ log ℓ ≈ 256 bits, s.t. k log p ≥ 3072) supersingular: G T ⊂ F p 2 (log p = 1536) [Miyaji Nakabayashi Takano 01] (MNT): G T ⊂ F p 3 (log p = 1024), F p 4 (log p = 768), F p 6 (log p = 512) [Freeman 06] G T ⊂ F p 10 [Barreto Naehrig 05] (BN): G T ⊂ F p 12 (log p = 256, optimal) [Kachisa Schaefer Scott 08] (KSS): G T ⊂ F p 18 (used for 192-bit security level: 384-bit ℓ , log p = 512, k log p = 9216) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 6 / 25

  12. DLP in the target group of pairing-friendly curves Last DL records, with the NFS-DL algorithm GF( p ′ 2 ), p ′ 2 = q [BGGM15] GF( p ) Massive precomputation (d=core-day, y=core-year) [Logjam] 512-bit p : 10y 598-bit q : 0.75y + 18 GPU-d 175 × faster [BGIJT14] 596-bit p : 131y Individual Discrete Log 512-bit p : 70s median ✓ 596-bit p : 2d 600-bit q : few d slow [Logjam]: see weakdh.org [BGGM15]: Barbulescu, Gaudry, G., Morain [BGIJT14]: Bouvier, Gaudry, Imbert, Jeljeli, Thom´ e Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 7 / 25

  13. DLP in the target group of pairing-friendly curves This work: Faster individual discrete logarithm in F p k , especially k = 2 , 3 , 4 , 6 Apply to pairing target group G T large characteristic F p 2 , F p 3 medium characteristic F p 4 , F p 6 , . . . source code: written in Magma + part of http://cado-nfs.gforge.inria.fr/ Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 8 / 25

  14. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and F p k = F p [ x ] / ( ϕ ( x )) Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  15. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  16. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection 3. Linear algebra modulo ℓ | p k − 1 . ➙ here we know the discrete log of a subset of elements. log DB p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  17. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and massive precomputation F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection 3. Linear algebra modulo ℓ | p k − 1 ➙ here we know the discrete log of a subset of elements. log DB p i < B 0 Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  18. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and massive precomputation F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection 3. Linear algebra modulo ℓ | p k − 1 ➙ here we know the discrete log of a subset of elements. log DB p i < B 0 1. Individual target discrete logarithm Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  19. DLP in the target group of pairing-friendly curves Number Field Sieve algorithm for DL in F p k Polynomial selection: compute f ( x ) , g ( x ) with 1. ϕ = gcd( f , g ) (mod p ) and massive precomputation F p k = F p [ x ] / ( ϕ ( x )) 2. Relation collection 3. Linear algebra modulo ℓ | p k − 1 ➙ here we know the discrete log of a subset of elements. log DB p i < B 0 1. Individual target discrete logarithm for each given DLP instance not so trivial this talk: practical improvements very efficient for small k or even k Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 9 / 25

  20. DLP in the target group of pairing-friendly curves Polynomial Selection for DL in F p k , and norm f , g irreducible over Q , f � = g (define � = number fields) gcd( f mod p , g mod p ) = ϕ irreducible of degree k � f � ∞ , � g � ∞ , deg f , deg g small enough s.t. Norm f ( · ), Norm g ( · ) are as small as possible Norm of degree 1 element a − bx ∈ Z [ x ] / ( f ( x )): Norm f ( a − bx ) = � deg f i =0 a i b deg f − i f i More generally, when f is monic: Norm f ( T ) = Res( T , f ) ≤ A (deg f , deg T ) � T � deg f � f � d ∞ ∞ where � f � ∞ = max 0 ≤ i ≤ deg f | f i | Aurore Guillevic (INRIA/LIX) NFS-DL in F pk November 30, 2015 10 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides
Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute of Technology Discrete logarithm problem. The discrete logarithm problem (DLP) in a finite cyclic group G : for any pair g , h G find a

673 views • 18 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 , P. Gaudry 2 , N. Heninger 1 , E. Thom e 2 1 U. Penn ; 2 Caramba/Inria/Loria Nov 13rd, 2017 A kilobit hidden SNFS discrete logarithm computation

441 views • 42 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Crypto 2020 Virtual Conference 1/29 The discrete

338 views • 29 slides
Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving RSA-240, DLP-240, RSA-250 Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thom e, Paul Zimmermann ere de l FB:

466 views • 31 slides
Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey Pierrick Gaudry Hamza Jeljeli Emmanuel Thom e Marion Videau Paul Zimmermann CARAMEL project-team, LORIA, INRIA / CNRS / Universit e de

419 views • 22 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de Lorraine, Inria Nancy, France joint work with Razvan Barbulescu, Antoine Joux, Emmanuel Thom RICAM Linz, Austria 1/42 Plan Background Recent

598 views • 49 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly joint work with Taechan Kim and Yongsu Song) Department of Mathematical Sciences and ISaC-RIM Seoul National University December 13, 2013 1 / 41

557 views • 41 slides
The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics University of Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate (encrypt and decrypt)

410 views • 38 slides
A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

ECC, Chennai October 8, 2014 A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 e 2 Emmanuel Thom IMJ-PRG, Paris Loria, Nancy LIP6, Paris R.

606 views • 41 slides
Review - Mathematical Tools &amp; Probability Logarithm Fundamentals of Probability Discrete

Review - Mathematical Tools &amp; Probability Logarithm Fundamentals of Probability Discrete

Mathematical Tools Summation Operator The Natural Review - Mathematical Tools &amp; Probability Logarithm Fundamentals of Probability Discrete &amp; Continuous Random Variable Caio Vigo Features of Probability Distributions Expected

699 views • 50 slides
Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS, Universit de Lorraine, Inria JNCF CIRM November 2014 1/81 Plan Presentation of the problems Cryptographic background Primality,

919 views • 88 slides
Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental Mathematics University of Duisburg-Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate

841 views • 53 slides
Robust Optimization Approaches for PDE-Constrained Problems under Uncertainty Stefan Ulbrich

Robust Optimization Approaches for PDE-Constrained Problems under Uncertainty Stefan Ulbrich

Robust Optimization Approaches for PDE-Constrained Problems under Uncertainty Stefan Ulbrich Department of Mathematics TU Darmstadt, Germany Joint work with Philip Kolvenbach, Oliver Lass, and Adrian Sichau and in parts with Alessandro Alla,

857 views • 56 slides
Semantic Web Reasoning using a Blackboard System Craig McKenzie, Alun Preece, Peter Gray

Semantic Web Reasoning using a Blackboard System Craig McKenzie, Alun Preece, Peter Gray

Semantic Web Reasoning using a Blackboard System Craig McKenzie, Alun Preece, Peter Gray University of Aberdeen 4th Workshop on Principles and Practice of Semantic Web Reasoning Budva, Montenegro, June 10-11, 2006 Overview Introduction

645 views • 25 slides
Complexity of Teaching by a Restricted Number of Examples Hayato Kobayashi and Ayumi Shinohara

Complexity of Teaching by a Restricted Number of Examples Hayato Kobayashi and Ayumi Shinohara

Complexity of Teaching by a Restricted Number of Examples Hayato Kobayashi and Ayumi Shinohara Tohoku University, Japan COLT2009. Montreal, Canada. 21 June. 1 / 18 Background Computational teaching theory Aims to bring out the nature

616 views • 49 slides
Reasoning and Derivation of Monadic Programs Shin-Cheng Mu Tom Schrijvers Koen Pauwels Content

Reasoning and Derivation of Monadic Programs Shin-Cheng Mu Tom Schrijvers Koen Pauwels Content

Reasoning and Derivation of Monadic Programs Shin-Cheng Mu Tom Schrijvers Koen Pauwels Content Equational reasoning Reasoning with monads Goal of the paper Our contribution (a + b) * (a - b) [distr: forall x y z. x * (y + z) =

493 views • 25 slides
Iterated Function Systems = { h : S 1 S 1 : h = i n i 1 , i j { 1 ,

Iterated Function Systems = { h : S 1 S 1 : h = i n i 1 , i j { 1 ,

A semigroup with identity generated (w.r.t. the composition) by a family of diffeomorphisms = { 1 , . . . , k } on S 1 , Iterated Function Systems = { h : S 1 S 1 : h = i n i 1 , i j { 1 , . . . , k }} {

380 views • 6 slides
M-theory and exact results in SUSY gauge theories Kazuo Hosomichi (YITP) 7 Feb 2012, Kyoto

M-theory and exact results in SUSY gauge theories Kazuo Hosomichi (YITP) 7 Feb 2012, Kyoto

M-theory and exact results in SUSY gauge theories Kazuo Hosomichi (YITP) 7 Feb 2012, Kyoto @YIPQS symposium 16 years after the 2 nd superstring revolution Superstring Revolution II ('95) Quantum equivalence relations among Dualities :

721 views • 35 slides
Asymptotic Conformal Symmetry and Gravity Localisation in Brane Worlds K.S. Stelle Imperial

Asymptotic Conformal Symmetry and Gravity Localisation in Brane Worlds K.S. Stelle Imperial

Asymptotic Conformal Symmetry and Gravity Localisation in Brane Worlds K.S. Stelle Imperial College London Stringy Geometry Workshop Johannes Gutenberg-Universit at, Mainz September 16, 2015 A. Salam &amp; E. Sezgin, Phys.Lett. B147 (1984)

483 views • 29 slides
An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort,

An approach to Separation of Duties validation for MILS security configurations Semen Kort, Dmitry Kulagin, Ekaterina Rudina Future Technologies Kaspersky Lab The objectives Discover the Describe how the Describe the

445 views • 28 slides

More recommend