# American Institute of Mathematical Sciences

doi: 10.3934/amc.2020119

## New discrete logarithm computation for the medium prime case using the function field sieve

 1 Applied Statistics Unit, Indian Statistical Institute, 203 B. T. Road, Kolkata, India 700108 2 Electrical Engineering & Computer Science, Indian Institute of Science Education and Research Bhopal, Bhopal 462066, Madhya Pradesh, India 3 Université de Lorraine, CNRS, INRIA, Nancy, France

Received  February 2020 Revised  July 2020 Published  December 2020

The present work reports progress in discrete logarithm computation for the general medium prime case using the function field sieve algorithm. A new record discrete logarithm computation over a 1051-bit field having a 22-bit characteristic was performed. This computation builds on and implements previously known techniques. Analysis indicates that the relation collection and descent steps are within reach for fields with 32-bit characteristic and moderate extension degrees. It is the linear algebra step which will dominate the computation time for any discrete logarithm computation over such fields.

Citation: Madhurima Mukhopadhyay, Palash Sarkar, Shashank Singh, Emmanuel Thomé. New discrete logarithm computation for the medium prime case using the function field sieve. Advances in Mathematics of Communications, doi: 10.3934/amc.2020119
##### References:
 [1] G. Adj, A. Menezes, T. Oliveira and Francisco Rodrıguez-Henrıquez, Computing discrete logarithms in F36· 137 and F36· 163 using magma, Arithmetic of Finite Fields (WAIFI 2014) (Çetin Kaya Koç, Sihem Mesnager, and Erkay Savas, eds.), 9061, Springer, Heidelberg, 2014. doi: 10.1007/978-3-319-16277-5_1.  Google Scholar [2] G. Adj, A. Menezes, T. Oliveira and F. Rodríguez-Henríquez, Weakness of $\mathbb{F}_{6^{6\cdot 1429}}$ and $\mathbb{F}_{2^{4\cdot 3041}}$ for discrete logarithm cryptography, Finite Fields and Their Applications, 32 (2015), 148-170.  doi: 10.1016/j.ffa.2014.10.009.  Google Scholar [3] L. M. Adleman, The function field sieve, in (L. M. Adleman and M.-D. A. Huang, eds.), ANTS, Lecture Notes in Computer Science, 877, Springer, 1994,108–121. doi: 10.1007/3-540-58691-1_48.  Google Scholar [4] L. M. Adleman and M.-D. A. Huang, Function field sieve method for discrete logarithms over finite fields, Inf. Comput., 151 (1999), 5-16.  doi: 10.1006/inco.1998.2761.  Google Scholar [5] D. Adrian, et al., Imperfect forward secrecy: How Diffie-Hellman fails in practice, Commun. ACM, 62 (2019), 106–114. Google Scholar [6] R. Barbulescu, P. Gaudry, A. Joux and E. Thomé, A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, Lecture Notes in Computer Science, 8441 (2014), 1-16.  doi: 10.1007/978-3-642-55220-5_1.  Google Scholar [7] F. Boudot, P. Gaudry, A. Guillevic, N. Heninger, E. Thomé, and P. Zimmermann, Comparing the difficulty of factorization and discrete logarithm: A240-digit experiment, IACR Cryptol. ePrint Arch., 697 (2020). Google Scholar [8] D. Coppersmith, Fast evaluation of logarithms in fields of characteristic two, IEEE Transactions on Information Theory, 30 (1984), 587-594.  doi: 10.1109/TIT.1984.1056941.  Google Scholar [9] J. Detrey, P. Gaudry and M. Videau, Relation collection for the function field sieve, in (A. Nannarelli, P.-M. Seidel, and P. T. P. Tang, eds.) IEEE Symposium on Computer Arithmetic, IEEE Computer Society, 2013,201–210. doi: 10.1109/TC.2014.2331711.  Google Scholar [10] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Information Theory, 22 (1976), 644–654. doi: 10.1109/tit.1976.1055638.  Google Scholar [11] F. Göloglu, R. Granger, G. McGuire and J. Zumbrägel, On the function field sieve and the impact of higher splitting probabilities - application to discrete logarithms in $\mathbb{F}_{2^1971}$ and $\mathbb{F}_{2^3164}$, Lecture Notes in Computer Science, 8043 (2013), 109-128.  doi: 10.1007/978-3-642-40084-1_7.  Google Scholar [12] F. Göloglu, R. Granger, G. McGuire and J. Zumbrägel, Solving a $6120$-bit DLP on a desktop computer, Lecture Notes in Computer Science, 8282 (2013), 136-152.  doi: 10.1007/978-3-662-43414-7.  Google Scholar [13] D. M. Gordon, Discrete logarithms in ${\rm{GF }}(p)$ using the number field sieve, SIAM J. Discrete Math., 6 (1993), 124-138.  doi: 10.1137/0406010.  Google Scholar [14] R. Granger, T. Kleinjung and J. Zumbrägel, Breaking '128-bit secure' supersingular binary curves – (or how to solve discrete logarithms in $\mathbb{F}_{2^{4\cdot 1223}}$ and $\mathbb{F}_{2^{12\cdot 367}}$), Lecture Notes in Computer Science, 8617 (2014), 126-145.  doi: 10.1007/978-3-662-44381-1_8.  Google Scholar [15] R. Granger, T. Kleinjung and J. Zumbrägel, Discrete logarithms in $GF(2^9234)$, NMBRTHRY List, (2014). Google Scholar [16] R. Granger, T. Kleinjung, and J. Zumbrägel, Discrete logarithms in $GF(2^30750)$., NMBRTHRY List, (2019). Google Scholar [17] A. Joux, Algorithmic Cryptanalysis, Cryptography and Network Security, Chapman & Hall/CRC, 2009. doi: 10.1201/9781420070033.  Google Scholar [18] A. Joux, Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields, in Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt, Springer, 2013,177–193. doi: 10.1007/978-3-642-38348-9_11.  Google Scholar [19] A. Joux and R. Lercier, The function field sieve is quite special, in (C. Fieker and D. R. Kohel, eds.), ANTS, Lecture Notes in Computer Science, 2369, Springer, 2002,431–445. doi: 10.1007/3-540-45455-1_34.  Google Scholar [20] A. Joux and R. Lercier, The function field sieve in the medium prime case, in Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt, Springer, 2006,254–270. doi: 10.1007/11761679_16.  Google Scholar [21] T. Lange, Digital signature: DSA with medium fields, Available from: https://www.mysterytwisterc3.org/images/challenges/mtc3-lange-01-dsasig-en.pdf, 2011. Google Scholar [22] G. De Micheli, P. Gaudry and C. Pierrot, Asymptotic complexities of discrete logarithm algorithms in pairing-relevant finite fields, IACR Cryptol. ePrint Arch., 329, 2020. Google Scholar [23] National Institute of Standards and Technology, Digital Signature Algorithm, https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf, 2013. Google Scholar [24] P. Sarkar and S. Singh, Fine tuning the function field sieve algorithm for the medium prime case, IEEE Transactions on Information Theory, 62 (2016), 2233-2253.  doi: 10.1109/TIT.2016.2528996.  Google Scholar [25] P. Sarkar and S. Singh, Fine tuning the function field sieve algorithm for the medium prime case, IACR Cryptol. ePrint Arch., 2014: 65 (2020). http://eprint.iacr.org/2014/065. doi: 10.1109/TIT.2016.2528996.  Google Scholar [26] W. A. Stein, et al., Sage Mathematics Software, The Sage Development Team, (2013). http://www.sagemath.org. Google Scholar [27] The CADO-NFS Development Team, CADO-NFS, an implementation of the number field sieve algorithm, Development version, (2019). Google Scholar

show all references

##### References:
 [1] G. Adj, A. Menezes, T. Oliveira and Francisco Rodrıguez-Henrıquez, Computing discrete logarithms in F36· 137 and F36· 163 using magma, Arithmetic of Finite Fields (WAIFI 2014) (Çetin Kaya Koç, Sihem Mesnager, and Erkay Savas, eds.), 9061, Springer, Heidelberg, 2014. doi: 10.1007/978-3-319-16277-5_1.  Google Scholar [2] G. Adj, A. Menezes, T. Oliveira and F. Rodríguez-Henríquez, Weakness of $\mathbb{F}_{6^{6\cdot 1429}}$ and $\mathbb{F}_{2^{4\cdot 3041}}$ for discrete logarithm cryptography, Finite Fields and Their Applications, 32 (2015), 148-170.  doi: 10.1016/j.ffa.2014.10.009.  Google Scholar [3] L. M. Adleman, The function field sieve, in (L. M. Adleman and M.-D. A. Huang, eds.), ANTS, Lecture Notes in Computer Science, 877, Springer, 1994,108–121. doi: 10.1007/3-540-58691-1_48.  Google Scholar [4] L. M. Adleman and M.-D. A. Huang, Function field sieve method for discrete logarithms over finite fields, Inf. Comput., 151 (1999), 5-16.  doi: 10.1006/inco.1998.2761.  Google Scholar [5] D. Adrian, et al., Imperfect forward secrecy: How Diffie-Hellman fails in practice, Commun. ACM, 62 (2019), 106–114. Google Scholar [6] R. Barbulescu, P. Gaudry, A. Joux and E. Thomé, A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, Lecture Notes in Computer Science, 8441 (2014), 1-16.  doi: 10.1007/978-3-642-55220-5_1.  Google Scholar [7] F. Boudot, P. Gaudry, A. Guillevic, N. Heninger, E. Thomé, and P. Zimmermann, Comparing the difficulty of factorization and discrete logarithm: A240-digit experiment, IACR Cryptol. ePrint Arch., 697 (2020). Google Scholar [8] D. Coppersmith, Fast evaluation of logarithms in fields of characteristic two, IEEE Transactions on Information Theory, 30 (1984), 587-594.  doi: 10.1109/TIT.1984.1056941.  Google Scholar [9] J. Detrey, P. Gaudry and M. Videau, Relation collection for the function field sieve, in (A. Nannarelli, P.-M. Seidel, and P. T. P. Tang, eds.) IEEE Symposium on Computer Arithmetic, IEEE Computer Society, 2013,201–210. doi: 10.1109/TC.2014.2331711.  Google Scholar [10] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Information Theory, 22 (1976), 644–654. doi: 10.1109/tit.1976.1055638.  Google Scholar [11] F. Göloglu, R. Granger, G. McGuire and J. Zumbrägel, On the function field sieve and the impact of higher splitting probabilities - application to discrete logarithms in $\mathbb{F}_{2^1971}$ and $\mathbb{F}_{2^3164}$, Lecture Notes in Computer Science, 8043 (2013), 109-128.  doi: 10.1007/978-3-642-40084-1_7.  Google Scholar [12] F. Göloglu, R. Granger, G. McGuire and J. Zumbrägel, Solving a $6120$-bit DLP on a desktop computer, Lecture Notes in Computer Science, 8282 (2013), 136-152.  doi: 10.1007/978-3-662-43414-7.  Google Scholar [13] D. M. Gordon, Discrete logarithms in ${\rm{GF }}(p)$ using the number field sieve, SIAM J. Discrete Math., 6 (1993), 124-138.  doi: 10.1137/0406010.  Google Scholar [14] R. Granger, T. Kleinjung and J. Zumbrägel, Breaking '128-bit secure' supersingular binary curves – (or how to solve discrete logarithms in $\mathbb{F}_{2^{4\cdot 1223}}$ and $\mathbb{F}_{2^{12\cdot 367}}$), Lecture Notes in Computer Science, 8617 (2014), 126-145.  doi: 10.1007/978-3-662-44381-1_8.  Google Scholar [15] R. Granger, T. Kleinjung and J. Zumbrägel, Discrete logarithms in $GF(2^9234)$, NMBRTHRY List, (2014). Google Scholar [16] R. Granger, T. Kleinjung, and J. Zumbrägel, Discrete logarithms in $GF(2^30750)$., NMBRTHRY List, (2019). Google Scholar [17] A. Joux, Algorithmic Cryptanalysis, Cryptography and Network Security, Chapman & Hall/CRC, 2009. doi: 10.1201/9781420070033.  Google Scholar [18] A. Joux, Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields, in Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt, Springer, 2013,177–193. doi: 10.1007/978-3-642-38348-9_11.  Google Scholar [19] A. Joux and R. Lercier, The function field sieve is quite special, in (C. Fieker and D. R. Kohel, eds.), ANTS, Lecture Notes in Computer Science, 2369, Springer, 2002,431–445. doi: 10.1007/3-540-45455-1_34.  Google Scholar [20] A. Joux and R. Lercier, The function field sieve in the medium prime case, in Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt, Springer, 2006,254–270. doi: 10.1007/11761679_16.  Google Scholar [21] T. Lange, Digital signature: DSA with medium fields, Available from: https://www.mysterytwisterc3.org/images/challenges/mtc3-lange-01-dsasig-en.pdf, 2011. Google Scholar [22] G. De Micheli, P. Gaudry and C. Pierrot, Asymptotic complexities of discrete logarithm algorithms in pairing-relevant finite fields, IACR Cryptol. ePrint Arch., 329, 2020. Google Scholar [23] National Institute of Standards and Technology, Digital Signature Algorithm, https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf, 2013. Google Scholar [24] P. Sarkar and S. Singh, Fine tuning the function field sieve algorithm for the medium prime case, IEEE Transactions on Information Theory, 62 (2016), 2233-2253.  doi: 10.1109/TIT.2016.2528996.  Google Scholar [25] P. Sarkar and S. Singh, Fine tuning the function field sieve algorithm for the medium prime case, IACR Cryptol. ePrint Arch., 2014: 65 (2020). http://eprint.iacr.org/2014/065. doi: 10.1109/TIT.2016.2528996.  Google Scholar [26] W. A. Stein, et al., Sage Mathematics Software, The Sage Development Team, (2013). http://www.sagemath.org. Google Scholar [27] The CADO-NFS Development Team, CADO-NFS, an implementation of the number field sieve algorithm, Development version, (2019). Google Scholar
A comparison of the difficulty of computing discrete logarithms for the medium prime case using the function field sieve algorithm
 Ref $\lceil\log_2 p\rceil$ $n$ $\lceil\log_2 p^n \rceil$ $\lceil \log_2 \#\mathbb{B}\rceil$ $\Lambda$ JL [20] 17 25 401 18 3.79 SS [24] 16 37 592 17 0.11 SS [24] 19 40 728 20 0.08 This work 22 50 1051 23 0.07
 Ref $\lceil\log_2 p\rceil$ $n$ $\lceil\log_2 p^n \rceil$ $\lceil \log_2 \#\mathbb{B}\rceil$ $\Lambda$ JL [20] 17 25 401 18 3.79 SS [24] 16 37 592 17 0.11 SS [24] 19 40 728 20 0.08 This work 22 50 1051 23 0.07
A comparison of the difficulty of computing discrete logarithms for the medium prime case using the function field sieve algorithm for Kummer extensions, i.e., for fields $\mathbb{F}_{p^n}$ satisfying $n\mathrel| (p-1)$
 Ref $\lceil\log_2 p\rceil$ $n$ $\lceil\log_2 p^n \rceil$ $\lceil \log_2 \#\mathbb{B}\rceil$ $\Lambda$ JL[20] 19 30 556 18 4.29 Joux[18] 25 47 1175 20 0.77 Joux[18] 25 57 1425 20 0.13
 Ref $\lceil\log_2 p\rceil$ $n$ $\lceil\log_2 p^n \rceil$ $\lceil \log_2 \#\mathbb{B}\rceil$ $\Lambda$ JL[20] 19 30 556 18 4.29 Joux[18] 25 47 1175 20 0.77 Joux[18] 25 57 1425 20 0.13
 [1] Hakan Özadam, Ferruh Özbudak. A note on negacyclic and cyclic codes of length $p^s$ over a finite field of characteristic $p$. Advances in Mathematics of Communications, 2009, 3 (3) : 265-271. doi: 10.3934/amc.2009.3.265 [2] Michael Grinfeld, Amy Novick-Cohen. Some remarks on stability for a phase field model with memory. Discrete & Continuous Dynamical Systems - A, 2006, 15 (4) : 1089-1117. doi: 10.3934/dcds.2006.15.1089 [3] Seung-Yeal Ha, Jinwook Jung, Jeongho Kim, Jinyeong Park, Xiongtao Zhang. A mean-field limit of the particle swarmalator model. Kinetic & Related Models, , () : -. doi: 10.3934/krm.2021011 [4] Marco Cirant, Diogo A. Gomes, Edgard A. Pimentel, Héctor Sánchez-Morgado. On some singular mean-field games. Journal of Dynamics & Games, 2021  doi: 10.3934/jdg.2021006 [5] Tomáš Roubíček. An energy-conserving time-discretisation scheme for poroelastic media with phase-field fracture emitting waves and heat. Discrete & Continuous Dynamical Systems - S, 2017, 10 (4) : 867-893. doi: 10.3934/dcdss.2017044 [6] Sara Munday. On the derivative of the $\alpha$-Farey-Minkowski function. Discrete & Continuous Dynamical Systems - A, 2014, 34 (2) : 709-732. doi: 10.3934/dcds.2014.34.709 [7] Arseny Egorov. Morse coding for a Fuchsian group of finite covolume. Journal of Modern Dynamics, 2009, 3 (4) : 637-646. doi: 10.3934/jmd.2009.3.637 [8] Ralf Hielscher, Michael Quellmalz. Reconstructing a function on the sphere from its means along vertical slices. Inverse Problems & Imaging, 2016, 10 (3) : 711-739. doi: 10.3934/ipi.2016018 [9] Chin-Chin Wu. Existence of traveling wavefront for discrete bistable competition model. Discrete & Continuous Dynamical Systems - B, 2011, 16 (3) : 973-984. doi: 10.3934/dcdsb.2011.16.973 [10] Matthias Erbar, Jan Maas. Gradient flow structures for discrete porous medium equations. Discrete & Continuous Dynamical Systems - A, 2014, 34 (4) : 1355-1374. doi: 10.3934/dcds.2014.34.1355 [11] M. R. S. Kulenović, J. Marcotte, O. Merino. Properties of basins of attraction for planar discrete cooperative maps. Discrete & Continuous Dynamical Systems - B, 2021, 26 (5) : 2721-2737. doi: 10.3934/dcdsb.2020202 [12] Murat Uzunca, Ayşe Sarıaydın-Filibelioǧlu. Adaptive discontinuous galerkin finite elements for advective Allen-Cahn equation. Numerical Algebra, Control & Optimization, 2021, 11 (2) : 269-281. doi: 10.3934/naco.2020025 [13] Paula A. González-Parra, Sunmi Lee, Leticia Velázquez, Carlos Castillo-Chavez. A note on the use of optimal control on a discrete time model of influenza dynamics. Mathematical Biosciences & Engineering, 2011, 8 (1) : 183-197. doi: 10.3934/mbe.2011.8.183 [14] Ronald E. Mickens. Positivity preserving discrete model for the coupled ODE's modeling glycolysis. Conference Publications, 2003, 2003 (Special) : 623-629. doi: 10.3934/proc.2003.2003.623 [15] Charles Fulton, David Pearson, Steven Pruess. Characterization of the spectral density function for a one-sided tridiagonal Jacobi matrix operator. Conference Publications, 2013, 2013 (special) : 247-257. doi: 10.3934/proc.2013.2013.247 [16] Dayalal Suthar, Sunil Dutt Purohit, Haile Habenom, Jagdev Singh. Class of integrals and applications of fractional kinetic equation with the generalized multi-index Bessel function. Discrete & Continuous Dynamical Systems - S, 2021  doi: 10.3934/dcdss.2021019 [17] Saima Rashid, Fahd Jarad, Zakia Hammouch. Some new bounds analogous to generalized proportional fractional integral operator with respect to another function. Discrete & Continuous Dynamical Systems - S, 2021  doi: 10.3934/dcdss.2021020 [18] Lunji Song, Wenya Qi, Kaifang Liu, Qingxian Gu. A new over-penalized weak galerkin finite element method. Part Ⅱ: Elliptic interface problems. Discrete & Continuous Dynamical Systems - B, 2021, 26 (5) : 2581-2598. doi: 10.3934/dcdsb.2020196 [19] Zengyun Wang, Jinde Cao, Zuowei Cai, Lihong Huang. Finite-time stability of impulsive differential inclusion: Applications to discontinuous impulsive neural networks. Discrete & Continuous Dynamical Systems - B, 2021, 26 (5) : 2677-2692. doi: 10.3934/dcdsb.2020200 [20] Alexey Yulin, Alan Champneys. Snake-to-isola transition and moving solitons via symmetry-breaking in discrete optical cavities. Discrete & Continuous Dynamical Systems - S, 2011, 4 (5) : 1341-1357. doi: 10.3934/dcdss.2011.4.1341

2019 Impact Factor: 0.734