Indiscreet logarithms in finite fields of small characteristic

Recently, several striking advances have taken place regarding the discrete logarithm problem (DLP) in finite fields of small characteristic, despite progress having remained essentially static for nearly thirty years, with the best known algorithms being of subexponential complexity. In this expository article we describe the key insights and constructions which culminated in two independent quasi-polynomial algorithms. To put these developments into both a historical and a mathematical context, as well as to provide a comparison with the cases of so-called large and medium characteristic fields, we give an overview of the state-of-the-art algorithms for computing discrete logarithms in all finite fields. Our presentation aims to guide the reader through the algorithms and their complexity analyses ab initio.
