
Introduction Index Calculus methods Special Polynomials Practical Results

Setting a World Record for the Discrete Logarithm Problem in Finite Fields

Gary McGuire

joint work with Faruk Göloğlu, Robert Granger, and Jens Zumbrägel

Claude Shannon Institute
Complex & Adaptive Systems Laboratory

School of Mathematical Sciences
University College Dublin, Ireland

Fq 11 · 23 July 2013


Introduction

Index Calculus methods

Special Polynomials

Practical Results

To appear in two papers, at SAC 2013 (August 14-16) and CRYPTO 2013 (August 18-22).
Available at https://eprint.iacr.org/2013/306 and https://eprint.iacr.org/2013/074


What is The Discrete Logarithm Problem?

In a cyclic group $G$, with given generator $g$, the DLP is the following problem:

Given $h \in G$, find $i$ such that $h = g^i$.

In other words, find $\log_g(h)$.

In cryptography, the following groups are of interest:

1. The multiplicative group of a finite field $\mathbb{F}_q$

2. The group of $\mathbb{F}_q$-rational points on an elliptic curve, $E(\mathbb{F}_q)$

3. The Jacobian of a hyperelliptic curve over $\mathbb{F}_q$.


One-Way Functions

In 1976 Diffie and Hellman showed that the DLP would solve the key distribution problem.
They gave it as an example of a one-way function (conjecturally):
It's fast to compute $g^i$, using "square and multiply".
It's slow to go the other way; this is the DLP.
Intuitive idea: the behaviour of $g^i$ is random.
e.g. The powers of 2 modulo 11 are

2 4 8 5 10 9 7 3 6 1

In 1977 Rivest-Shamir-Adleman constructed a cryptosystem basedon multiplying/factoring as a (conjectured) one-way function.

No proved examples of one-way functions are known.
The existence of one-way functions implies P ≠ NP.


Applications of the DLP

Discrete Logarithm Problem
↓
Diffie-Hellman, ElGamal, DSA
↓
Authenticated Diffie-Hellman
↓
TLS, SSH, PGP, GnuPG
↓
web browsing, e-mail, e-banking, VoIP

Security based on un-solvability of DLP.


Running Time of Algorithms

Running time is usually given as a function of the input length, using the $O$-notation.
In a group of size $n$ the input length of an element is $\log n$ bits.
World records for the DLP in $\mathbb{F}_q$ are measured by $\log q$.

Basic running time classification has three types:

• Polynomial-time Algorithms: $O((\log n)^c)$.
Considered very fast/efficient. Examples: Multiplication and exponentiation in a group have $O((\log n)^2)$ resp. $O((\log n)^3)$.


Subexponential Running Time

• Exponential-time Algorithms: $O(n^c)$.
Considered extremely slow/inefficient. Examples: Generic algorithms to solve the DLP in any group have $O(\sqrt{n})$.

• Subexponential-time Algorithms:
$$L_n(\alpha, c) := O\big(\exp\big((c + o(1))\,(\log n)^{\alpha}\,(\log \log n)^{1-\alpha}\big)\big)$$
for some $0 < \alpha < 1$. Write $L_n(\alpha)$ for $L_n(\alpha, c)$, some $c$.
Examples: Index Calculus methods to solve the DLP usually have complexities $L_n(1/2)$ or $L_n(1/3)$.
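The two directions of the one-way function and the three running-time classes above, as an added example that is not part of the talk: square-and-multiply for the easy direction, baby-step giant-step as the generic $O(\sqrt{n})$ algorithm for the hard direction, and a function that evaluates $\log_2 L_n(\alpha, c)$ for $n = 2^{\text{bits}}$ (ignoring the $o(1)$ term, so it is only an order-of-magnitude figure) so that the subexponential constants quoted later can be set against $\sqrt{n}$. The group of powers of 2 modulo 11 is the slide's; the prime 10007 and the exponent 4321 are constructed test values, and the giant-step inverse is computed with Fermat's little theorem, so the modulus is assumed prime.

```python
import math


def square_and_multiply(g, e, p):
    """The easy direction: g^e mod p with O(log e) multiplications, polynomial in the input length."""
    result, base = 1, g % p
    while e:
        if e & 1:
            result = result * base % p
        base = base * base % p
        e >>= 1
    return result


def baby_step_giant_step(g, h, p, order):
    """Generic algorithm for the hard direction: O(sqrt(order)) group operations and memory,
    i.e. exponential in the input length log(order). Returns x with g^x = h (mod p), or None.
    p is assumed prime so that the inverse of g^m can be taken as (g^m)^(p-2)."""
    m = math.isqrt(order) + 1
    baby = {}
    cur = 1
    for j in range(m):                      # baby steps: store g^0, g^1, ..., g^(m-1)
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(cur, p - 2, p)              # cur == g^m, so giant == g^(-m)
    gamma = h % p
    for i in range(m):                      # giant steps: look up h * g^(-i*m)
        if gamma in baby:
            return (i * m + baby[gamma]) % order
        gamma = gamma * giant % p
    return None


def log2_L(bits, alpha, c):
    """log2 of L_n(alpha, c) = exp(c (ln n)^alpha (ln ln n)^(1-alpha)) for n = 2^bits, o(1) ignored.
    Compare with bits/2, which is log2 of the generic sqrt(n) cost."""
    ln_n = bits * math.log(2)
    return c * ln_n ** alpha * math.log(ln_n) ** (1 - alpha) / math.log(2)


if __name__ == "__main__":
    print([square_and_multiply(2, i, 11) for i in range(1, 11)])   # the slide's list of powers
    print(baby_step_giant_step(2, 9, 11, 10))                        # 6, since 2^6 = 64 = 9 mod 11
    print(log2_L(1971, 1 / 3, 0.763), 1971 / 2)                      # subexponential vs generic
```

For a 1971-bit field the $L(1/3, 0.763)$ estimate comes out in the mid forties of bits against 985 bits for a generic $\sqrt{n}$ method; the $o(1)$ term shifts the real cost substantially, which is why the milestone table below reports constants rather than run times.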


DLP and Factoring

Algorithms for the DLP have often progressed in step with algorithms for the Integer Factoring Problem.

Quadratic Sieve [Pomerance ’84]:

Similar ideas for DLP [Coppersmith, Odlyzko, Schroeppel ’86].

Running time: L(1/2 , 1).

Number Field Sieve [Pollard ’90] Use smoothness results.

Applied for DLP [Gordon ’93; Schirokauer ’93].

Running time: L(1/3 , 1.923).


Principle of the Index Calculus Method

This is a subexponential-time algorithm to solve the DLP that applies only to some groups, like $\mathbb{F}_q^*$.

The computation of $\log_g h$ by this method consists of three steps.

1. Relation Generation. Choose a subset $S$ of the group, called the factor base, and find multiplicative relations between factor base elements, which correspond to linear relations among their discrete logarithms.

2. Linear Algebra. After sufficiently many relations have been generated, obtain the DLP for all factor base elements by solving a linear system.

3. Individual Logarithms. Find an expression of the target element $h$ as a product of factor base elements, e.g., by a descent method.
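The three steps above carried through on a toy instance, as an added worked example that is not the authors' code: index calculus in a prime field $\mathbb{F}_p^*$ rather than in $\mathbb{F}_{2^n}$, with the factor base being the small primes and smoothness tested by trial division. The parameters are constructed: $p = 10007$ is a safe prime ($p = 2q + 1$ with $q = 5003$ prime), the generator is 5, the smoothness bound is 40, and the random seed is fixed. Choosing a safe prime keeps the linear algebra simple: the system is solved modulo the prime $q$ by Gaussian elimination, and the remaining bit of each logarithm modulo 2 comes from Euler's criterion (the logarithm of $r$ is even exactly when $r$ is a square). The individual-logarithm step is the one-level form of the descent idea: randomise $h$ until it is smooth over the factor base.

```python
import math
import random

# Constructed toy parameters (not from the talk): safe prime P = 2Q + 1, generator G of F_P^*.
P = 10007
Q = (P - 1) // 2
G = 5  # quadratic non-residue mod P and not equal to P - 1, hence a generator


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))


def factor_base(bound):
    """Step 1 setup: the factor base S is the set of primes up to the smoothness bound."""
    return [r for r in range(2, bound + 1) if is_prime(r)]


def smooth_exponents(value, base):
    """Trial-divide value over the factor base; return its exponent vector, or None if not smooth."""
    exps = []
    for r in base:
        e = 0
        while value % r == 0:
            value //= r
            e += 1
        exps.append(e)
    return exps if value == 1 else None


def solve_mod_prime(rows, rhs, q):
    """Gaussian elimination over F_q for an overdetermined, consistent system rows * x = rhs.
    Returns the unique solution, or None if the rows do not have full column rank."""
    k = len(rows[0])
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    for c in range(k):
        piv = next((i for i in range(c, len(m)) if m[i][c] % q), None)
        if piv is None:
            return None
        m[c], m[piv] = m[piv], m[c]
        inv = pow(m[c][c], -1, q)
        m[c] = [(v * inv) % q for v in m[c]]
        for i in range(len(m)):
            if i != c and m[i][c] % q:
                f = m[i][c]
                m[i] = [(a - f * b) % q for a, b in zip(m[i], m[c])]
    return [m[c][k] for c in range(k)]


def factor_base_logs(base, seed=2013):
    """Steps 1 and 2: each smooth G^e gives sum_i a_i * log(r_i) = e (mod P-1); solve for the logs."""
    rng = random.Random(seed)
    rows, rhs, target, x_q = [], [], len(base) + 10, None
    while x_q is None:                      # gather more relations if the system is rank deficient
        while len(rows) < target:
            e = rng.randrange(1, P - 1)
            vec = smooth_exponents(pow(G, e, P), base)
            if vec is not None:
                rows.append(vec)
                rhs.append(e % Q)
        x_q = solve_mod_prime(rows, rhs, Q)
        target += 10
    logs = {}
    for r, xq in zip(base, x_q):
        parity = 0 if pow(r, Q, P) == 1 else 1    # Euler's criterion: log is even iff r is a square
        logs[r] = xq if xq % 2 == parity else xq + Q  # CRT lift from (mod Q, mod 2) to mod P-1
    return logs


def discrete_log(h, logs, base, seed=2013):
    """Step 3 (individual logarithm): randomise until h * G^s is smooth, then read off log(h)."""
    rng = random.Random(seed)
    while True:
        s = rng.randrange(1, P - 1)
        vec = smooth_exponents(h * pow(G, s, P) % P, base)
        if vec is not None:
            return (sum(a * logs[r] for a, r in zip(vec, base)) - s) % (P - 1)


if __name__ == "__main__":
    assert is_prime(P) and is_prime(Q) and pow(G, 2, P) != 1 and pow(G, Q, P) != 1
    base = factor_base(40)
    logs = factor_base_logs(base)
    assert all(pow(G, logs[r], P) == r for r in base)   # verify every factor base logarithm
    h = 1234
    x = discrete_log(h, logs, base)
    assert pow(G, x, P) == h                             # verify the target logarithm
    print("log_%d(%d) mod %d = %d" % (G, h, P, x))
```

The checks at the end are the ones that matter in practice: every factor base logarithm and the final answer are verified by re-exponentiation, so a wrong relation or a rank-deficient system cannot go unnoticed.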


The Function Field Sieve, Relation Generation

Introduced as an analogue of the NFS in small characteristic [Adleman '94, Adleman-Huang '99, Joux-Lercier '06].

Choose $g_1, g_2 \in \mathbb{F}_q[X]$ of degrees $d_1, d_2 \approx \sqrt{n}$ such that $X - g_1(g_2(X))$ has a degree $n$ irreducible factor $f(X)$ over $\mathbb{F}_q$, and represent $\mathbb{F}_{q^n}$ as $\mathbb{F}_q[x] \cong \mathbb{F}_q[X]/\langle f(X) \rangle$. For $y := g_2(x)$ we then have $g_1(y) = x$ in $\mathbb{F}_{q^n}$.

Want to find $g_1(x), g_2(x)$ and $a, b, c \in \mathbb{F}_q$ to obtain two expressions for an element of $\mathbb{F}_{q^n}$:
$$x\,g_2(x) + a\,g_2(x) + b\,x + c = y\,g_1(y) + a\,y + b\,g_1(y) + c.$$

The factor base is $S = \{x + a \mid a \in \mathbb{F}_q\} \cup \{y + b \mid b \in \mathbb{F}_q\}$. For every $(a, b, c)$ for which both sides split one obtains a relation.


Nice Polynomials

A random degree $d$ polynomial over $\mathbb{F}_q$ has probability $\approx 1/d!$ of splitting over $\mathbb{F}_q$ (as $q \to \infty$), i.e., having all $d$ roots in $\mathbb{F}_q$.

HOWEVER, for $q = 2^\ell$, under certain conditions the following family of polynomials has probability $\approx 1/2^{3k}$ of splitting:
$$x^{2^k + 1} + a\,x^{2^k} + b\,x + c, \qquad a, b, c \in \mathbb{F}_q.$$

• This is exponentially higher than $1/(2^k + 1)!$, and leads to our polynomial time relation generation.

• Observation is also applied in the descent phase of index calculus for degree 2 elements.

• So, why not try $g_2(X) = X^{2^k}$.


Bluher polynomials

Let $q = 2^\ell$, $\ell = k k'$ and let $g_2(X) = X^{2^k}$, i.e., $y = x^{2^k}$.

Consider the l.h.s. polynomial $X^{2^k + 1} + a\,X^{2^k} + b\,X + c$.

If $ab \neq c$ and $a^{2^k} \neq b$, this may be transformed into
$$F_B(T) = T^{2^k + 1} + B\,T + B,$$
via $X = \dfrac{ab + c}{a^{2^k} + b}\,T + a$.

Theorem (Bluher; Helleseth-Kholosha)

The number of elements $B \in \mathbb{F}_q^*$ such that the polynomial $F_B(X)$ splits completely over $\mathbb{F}_q$ equals
$$\frac{2^{\ell - k} - 1}{2^{2k} - 1} \ \text{ if } k' \text{ is odd}, \qquad \frac{2^{\ell - k} - 2^k}{2^{2k} - 1} \ \text{ if } k' \text{ is even}.$$
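The splitting counts of the theorem, and the $1/2^{3k}$ heuristic of the "Nice Polynomials" slide, can be checked by brute force in small binary fields. The code below is an added example, not from the talk or the papers: for $q = 2^\ell$ with $\ell \le 12$ it enumerates $\mathbb{F}_q$, counts for every $B \in \mathbb{F}_q^*$ how many roots $T^{2^k+1} + BT + B$ has, and compares the number of fully splitting $B$ with the formula. It uses the observation that $T = 1$ is never a root and that for $T \ne 1$ the root condition is $B = T^{2^k+1}/(T+1)$, so the roots of $F_B$ are exactly the preimages of $B$ under that map. The field-defining polynomials ($x^3+x+1$, $x^4+x+1$, $x^6+x+1$, $x^8+x^4+x^3+x+1$, $x^9+x^4+1$, $x^{12}+x^6+x^4+x+1$) are standard irreducibles chosen here; `is_field` verifies that assumption instead of trusting it.

```python
from collections import Counter


def gf_mul(a, b, mod, ell):
    """Multiply in F_{2^ell} = F_2[x]/(mod); an element is an int whose bit i is the coefficient of x^i."""
    r, top = 0, 1 << ell
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & top:
            a ^= mod
    return r


def gf_pow(a, e, mod, ell):
    """Square-and-multiply in F_{2^ell}."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, mod, ell)
        a = gf_mul(a, a, mod, ell)
        e >>= 1
    return r


def is_field(ell, mod):
    """mod is irreducible iff every nonzero residue is invertible, i.e. a * a^(q-2) == 1 for all a != 0."""
    q = 1 << ell
    return all(gf_mul(a, gf_pow(a, q - 2, mod, ell), mod, ell) == 1 for a in range(1, q))


def bluher_count(ell, k, mod):
    """Number of B in F_q^* (q = 2^ell) for which T^(2^k+1) + B*T + B has 2^k + 1 roots in F_q."""
    q = 1 << ell
    preimages = Counter()
    for t in range(2, q):                     # T = 0 gives B = 0 (excluded); T = 1 is never a root
        num = gf_pow(t, (1 << k) + 1, mod, ell)
        inv = gf_pow(t ^ 1, q - 2, mod, ell)  # (T + 1)^(-1); T + 1 is t ^ 1 in characteristic 2
        preimages[gf_mul(num, inv, mod, ell)] += 1
    return sum(1 for n in preimages.values() if n == (1 << k) + 1)


def bluher_formula(ell, k):
    """The count predicted by the theorem for q = 2^ell, ell = k * k'."""
    kp, rem = divmod(ell, k)
    assert rem == 0, "need k | ell"
    top = (1 << (ell - k)) - (1 if kp % 2 else (1 << k))
    return top // ((1 << (2 * k)) - 1)


def splitting_probability(ell, k, mod):
    """Fraction of B in F_q^* giving a fully split F_B; the slide's heuristic is about 1/2^(3k)."""
    return bluher_count(ell, k, mod) / ((1 << ell) - 1)


if __name__ == "__main__":
    # Constructed test fields: (ell, k, defining polynomial as a bit mask).
    for ell, k, mod in [(3, 1, 0b1011), (4, 1, 0b10011), (6, 2, 0b1000011),
                        (8, 2, 0x11B), (9, 3, 0b1000010001), (12, 3, 0x1053)]:
        assert is_field(ell, mod)
        print(ell, k, bluher_count(ell, k, mod), bluher_formula(ell, k),
              splitting_probability(ell, k, mod), 1 / 2 ** (3 * k))
```

For $\ell = 12$, $k = 3$ the count is 8 out of 4095 values of $B$, i.e. almost exactly $2^{-9} = 1/2^{3k}$, against $1/9! \approx 2.8 \cdot 10^{-6}$ for a random degree-9 polynomial; this is the gap the relation generation exploits.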


Our Theoretical Results

CRYPTO paper

• An $L_{q^n}(1/3, (2/3)^{2/3})$ algorithm for suitably balanced $q, n$.

• The first polynomial time algorithm for relation generation.

Before this year, relation generation was the bottleneck.


Linear Algebra Step

Given a huge sparse matrix $A$ over an integer ring $\mathbb{Z}_m$, find a nonzero solution vector $x$ such that $Ax = 0$.

We use iterative methods, in particular Lanczos' method, which mainly require only a repeated application of the matrix-vector product.

Example

(CRYPTO paper) Field of order $2^{1971}$. We obtain an $(N + \varepsilon) \times N$ matrix of constant row-weight 19, where $N = 612\,872$, over $\mathbb{Z}_m$, where $m$ is a 1633-bit modulus.

By a preprocessing stage called Structured Gaussian Elimination, the number of variables is reduced to $N' = 527\,766$.


Algorithmic optimisations

• Matrix-vector multiplication
  • Matrix of huge dimensions, each entry 1000s of bits. Sparse matrix representation.
  • If entries are powers of 2, shift instead of multiplication.

• Use extra automorphisms that preserve the factor base

• Optimising Add and Mod operations: bitsize vs complexity

• GMP, the GNU Multi-Precision Library

• Lanczos' algorithm is not embarrassingly parallel; parallelisation performance (cost of communication depends on parameters)

• OpenMP and MPI on cluster machine at ICHEC

• Interleaving:
  • compute(1,2,3)-send(1,2,3)
  • compute(1)-send(1)-compute(2)-send(2)-compute(3)-send(3)

• Dedicated thread for communications
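The matrix-vector bullets above (sparse representation, shift instead of multiply, reducing modulo $m$ as rarely as possible) and the Structured Gaussian Elimination preprocessing from the previous slide, as an added example that is not the authors' GMP/MPI code. Rows are stored as lists of (column, entry) pairs with small signed integer entries, as relation matrices have; the modulus is a constructed stand-in for the 1633-bit modulus of the real computation, and the sample matrix is constructed. The SGE step shown is the basic one: a column that occurs in exactly one row pins that row's variable, so the row is set aside for back-substitution and the active system shrinks.

```python
from collections import Counter

M = (1 << 127) - 1   # constructed modulus; the real computation used a 1633-bit modulus


def sparse_matvec(rows, vec, m=M):
    """Compute A*vec mod m for a sparse A given as per-row lists of (column, entry).
    Power-of-two entries are applied as shifts, and each row is reduced modulo m once,
    after accumulating its few terms, rather than after every product."""
    out = []
    for row in rows:
        acc = 0
        for col, entry in row:
            e = abs(entry)
            if e == 0:
                continue
            if e & (e - 1) == 0:               # power of two: shift instead of multiply
                term = vec[col] << (e.bit_length() - 1)
            else:
                term = vec[col] * e
            acc += term if entry > 0 else -term
        out.append(acc % m)
    return out


def dense_matvec(rows, vec, ncols, m=M):
    """Reference implementation: expand to a dense matrix and multiply naively."""
    dense = [[0] * ncols for _ in rows]
    for i, row in enumerate(rows):
        for col, entry in row:
            dense[i][col] += entry
    return [sum(a * v for a, v in zip(drow, vec)) % m for drow in dense]


def remove_singleton_columns(rows):
    """Structured-Gaussian-elimination step: repeatedly set aside every row that contains a
    column occurring in no other row. Returns (active_rows, set_aside_rows)."""
    active, set_aside = [list(r) for r in rows], []
    while True:
        count = Counter(col for row in active for col, _ in row)
        singles = {c for c, n in count.items() if n == 1}
        if not singles:
            return active, set_aside
        still_active = []
        for row in active:
            (set_aside if any(col in singles for col, _ in row) else still_active).append(row)
        active = still_active


if __name__ == "__main__":
    # Constructed 4 x 4 relation matrix: entries are small exponents, column 3 is a singleton.
    rows = [[(0, 1), (1, -2)], [(1, 4), (2, 3)], [(0, 8), (2, -1)], [(3, 1), (0, 1)]]
    vec = [5, 7, 11, 13]
    assert sparse_matvec(rows, vec) == dense_matvec(rows, vec, 4)
    active, aside = remove_singleton_columns(rows)
    print(len(active), "active rows,", len(aside), "set aside")
```

Checking the shift-based product against the dense reference on the same input is the test to keep around whenever such an optimisation is touched: a wrong shift count produces a nullspace vector that silently fails to verify only at the very end of a long computation.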


The Descent Step

The idea is to write an element, given by its polynomial representation in the degree $n$ extension of $\mathbb{F}_{q^k}$, as a product of elements represented by lower degree polynomials.

By applying this principle recursively a descent tree is constructed.

Eventually the factor base (degree 1 polynomials) is reached.

Example: Degree 2 Elimination. Given $Q(Y) = Y^2 + q_1 Y + q_0$ we want to write $Q(x)$ as a product of linear polynomials in $x$. We compute (when possible) $a, b, c$ such that $Q(x)$ equals
$$x^{2^k + 1} + a\,x^{2^k} + b\,x + c$$
where the polynomial $X^{2^k + 1} + a\,X^{2^k} + b\,X + c$ splits into linear factors over $\mathbb{F}_q$.

We developed very fast degree 2 elimination (previously a bottleneck). Higher degrees are now the bottleneck.


DLP milestones

bitlength   who/when                 method          L(1/3, c) with c =
127         Coppersmith 1984         Proto-FFS       [1.526, 1.587]
401         Gordon-McCurley 1992     Coppersmith's   [1.526, 1.587]
N/A         Adleman 1994             FFS             (64/9)^(1/3) ≈ 1.923
512         Weber-Denny 1998         S-NFS           (32/9)^(1/3) ≈ 1.526
521         Joux-Lercier 2001        FFS             (32/9)^(1/3) ≈ 1.526
607         Thomé 2001               Coppersmith's   [1.526, 1.587]
613         Joux-Lercier 2005        FFS             (32/9)^(1/3) ≈ 1.526
556         Joux-Lercier 2006        M-FFS           3^(1/3) ≈ 1.442
676         Hayashi et al. 2010      M-FFS           (32/9)^(1/3) ≈ 1.526
923         Hayashi et al. 2012      M-FFS           (32/9)^(1/3) ≈ 1.526
1175        Joux Dec 2012            M-FFS           2/3^(2/3) ≈ 0.961
1425        Joux Jan 2013            M-FFS           2/3^(2/3) ≈ 0.961
1778        Joux 11/2/2013           M-FFS           ?
1971        GGMZ 19/2/2013           M-FFS           (2/3)^(2/3) ≈ 0.763


Solving the DLP in $\mathbb{F}_{2^{1971}}$

Let $\mathbb{F}_q = \mathbb{F}_{2^{27}} = \mathbb{F}_2[T]/(T^{27} + T^5 + T^2 + T + 1)$ and let $\mathbb{F}_{q^{73}} = \mathbb{F}_q[X]/(X^{73} + t)$ be the finite field of order $2^{1971}$. We took as generator $\alpha = x + 1$ and target
$$\beta_\pi = \sum_{i=0}^{72} \tau\big(\lfloor \pi q^{i+1} \rfloor \bmod q\big)\, x^i.$$

The computation took:

• 14 core-hours for relation generation

• 2220 core-hours for the parallelised Lanczos implementation

• 898 core-hours for the descent, giving a total of 3132 core-hours.

(in CRYPTO paper, also has $2^{3174}$)


Solving the DLP in $\mathbb{F}_{2^{1971}}$

On 19/2/13 we announced that $\log_\alpha(\beta_\pi) =$

11992984215354106866091146371988855845186852755447163352

36895900760902198795745784008181148775933944656038305197

82541742360236535889937362200771117361678269423101163403

13535552228080411390321527355590590108228224824002192878

78207304028565280573096588688279004416835100344085961912

42700060128986433752110002214380289887546061125224587971

19787275080584651962314043764573936293823541736161168108

25627780459657892709561158924173579400674739684346062992

68294291957378226451182620783745349502502960139927453196

48974006524479548958327920827882768332440907342446643941

0976702162039539513377673115483439 .


More recent developments

• On 22/3/13 Joux announced his solution to a DLP in $\mathbb{F}_{2^{4080}}$.

• On 11/4/13 we announced the solution of the DLP in $\mathbb{F}_{2^{6120}}$, in 5% of the time (SAC paper, one week on quad-core).

• The computation was performed using a hybrid index calculus algorithm.

• Three stages of the individual logarithm step (descent):
  1. Degree 2 elimination using polynomials in Bluher form.
  2. Small degree descent using an analogue of the Gröbner basis descent of Joux.
  3. Large degree descent using a classical $Q$-lattice approach and degree balancing.

• On 21/5/13 Joux announced solution in $\mathbb{F}_{2^{6168}}$.


Conclusion and open problems

• Higher splitting probabilities enable us to compute discrete logarithms of factor base elements in polynomial time.

• Combining multiple ideas, computing discrete logarithms in binary fields of bitlengths such as $6\,120 = 24 \cdot 255$ is feasible.

• Supersingular curves defined over $\mathbb{F}_{2^{255}}$ or $\mathbb{F}_{2^{257}}$ cannot be used securely for pairing-based cryptography.

Open problems:

• Under which circumstances can the DLP in a more general setting be reduced to an extension field, in which computing discrete logarithms becomes easier?

• Do the recent advances for the DLP have some impact on the Integer Factorisation Problem?