Computing Discrete Logarithms

Let G be a multiplicatively-written finite cyclic group, let g ∈ G be a generator and let h ∈ G. The discrete logarithm problem (DLP) for (G, g, h) is the computational problem of determining an integer x such that h = g^x. Note that the integer x is uniquely determined modulo the group order. Just as for the continuous logarithm function, one also writes x = log_g h and refers to x as the discrete logarithm of h to the base g. The DLP has been central to public key cryptography ever since its inception by Diffie and Hellman in 1976 [15], and its study can be traced at least as far back as 1801, when discrete logarithms featured in Gauß’ Disquisitiones Arithmeticae, referred to there as indices with respect to a primitive root modulo a prime [23, art. 57–60]. Indeed, the multiplicative group F_p^* of the field F_p of integers modulo a prime p is perhaps the most natural example of a group in which the DLP can be posed – which is presumably why Diffie and Hellman used this setting for their famous key agreement protocol – and it is still believed to be hard for well-chosen primes. In general, if the DLP is hard in a particular group then one can instantiate numerous important cryptographic protocols. So the issue at hand is: how hard is it to compute discrete logarithms in various groups? In this chapter we shall describe some cryptographically relevant DLPs and present some of the key ideas and constructions behind the most efficient algorithms known that solve them. Since the topic encompasses such a large volume of literature, for the finite field DLP we limit ourselves to a selection of results reflecting recent advances in fixed characteristic finite fields.
We start by briefly recalling the so-called generic algorithms, which do not exploit any representational properties of group elements and may thus be applied to any finite cyclic group, and then recall the more sophisticated approach known as the index calculus method, which may be applied whenever the representation of elements of a group can be imbued with a suitable notion of smoothness. In §2 we introduce elliptic curves and pairings over finite fields and consider various discrete logarithm algorithms. Then in §3 we consider some groups in which the DLP is easier than for the strongest elliptic curves, including some families of weak curves. In §4 we focus on discrete logarithm algorithms for XTR and algebraic tori when defined over extension fields, and finally in §5 we present some of the key insights behind the breakthroughs between 2012 and 2014 that led to the downfall of finite fields of fixed characteristic in cryptography. First, we introduce some useful notation for describing the running time of discrete logarithm algorithms (or equivalently the complexity or hardness of the DLP),
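As an added illustration (not code from the chapter), here is Shanks's baby-step giant-step method, one of the generic algorithms referred to above: it uses only the group operation and equality testing, so it applies to any finite cyclic group of known order, and it is run here in F_p^* for a small constructed prime. Its O(√n) cost in time and memory is the reason cryptographic group orders must contain a large prime factor.

```python
from math import isqrt

def bsgs(g, h, n, mul, identity):
    """Return x in [0, n) with g^x == h, or None if h is not in <g>.

    mul(a, b) is the group operation, identity its neutral element and n the
    order of g. Cost is O(sqrt(n)) multiplications and O(sqrt(n)) memory,
    which is why cryptographic group orders need a large prime factor.
    """
    m = isqrt(n) + 1                     # m*m > n, so i*m + j covers [0, n)
    table = {}
    cur = identity
    for j in range(m):                   # baby steps: store g^j for 0 <= j < m
        table.setdefault(cur, j)
        cur = mul(cur, g)
    g_m_inv = pow_group(cur, n - 1, mul, identity)  # cur == g^m, so this is g^(-m)
    gamma = h
    for i in range(m):                   # giant steps: gamma == h * g^(-i*m)
        if gamma in table:               # g^j == h * g^(-i*m)  =>  h == g^(i*m + j)
            return (i * m + table[gamma]) % n
        gamma = mul(gamma, g_m_inv)
    return None

def pow_group(a, e, mul, identity):
    """Square-and-multiply using only the group operation."""
    result, base = identity, a
    while e > 0:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result

# Constructed toy instance: p = 10007 is prime and 5 has order p - 1 = 10006
# (5 is a quadratic non-residue mod p and (p-1)/2 = 5003 is prime), so 5
# generates F_p^*. Real-world p has thousands of bits, so sqrt(p) steps is hopeless.
P = 10007

def mul_mod_p(a, b):
    return (a * b) % P

def solve_mod_p(g, h, order=P - 1):
    """Discrete log of h to the base g in F_p^*, where g has the given order."""
    return bsgs(g, h, order, mul_mod_p, 1)

if __name__ == "__main__":
    x = 1234
    h = pow(5, x, P)
    # The exponent is only defined modulo the group order, so both calls give 1234.
    print(solve_mod_p(5, h), solve_mod_p(5, pow(5, x + 10006, P)))
```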

[1] V. Varadharajan et al., Public Key distribution in matrix rings, 1984.

[2] C. Cobeli et al., On the Discrete Logarithm Problem, 2008, arXiv 0811.4182.

[3] É. Lucas et al., Théorie des nombres, 1961.

[4] Arjen K. Lenstra et al., Mersenne Factorization Factory, 2014, ASIACRYPT.

[5] Arjen K. Lenstra et al., Computation of a 768-Bit Prime Field Discrete Logarithm, 2017, EUROCRYPT.

[6] Antoine Joux et al., A New Index Calculus Algorithm with Complexity L(1/4+o(1)) in Small Characteristic, 2013, Selected Areas in Cryptography.

[7] Whitfield Diffie et al., New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[8] Tsuyoshi Takagi et al., Breaking Pairing-Based Cryptosystems Using η_T Pairing over GF(3^97), 2012, ASIACRYPT.

[9] Razvan Barbulescu et al., The Tower Number Field Sieve, 2015, ASIACRYPT.

[10] Thorsten Kleinjung et al., On the discrete logarithm problem in finite fields of fixed characteristic, 2015, IACR Cryptol. ePrint Arch.

[11] Arjen K. Lenstra et al., Factorization of a 768-Bit RSA Modulus, 2010, CRYPTO.

[12] Ramarathnam Venkatesan et al., Random Cayley Digraphs and the Discrete Logarithm, 2002, ANTS.

[13] Taher El Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms, 1984, IEEE Trans. Inf. Theory.

[14] Alfred Menezes et al., Reducing elliptic curve logarithms to logarithms in a finite field, 1991, STOC '91.

[15] Claus-Peter Schnorr et al., Efficient signature generation by smart cards, 2004, Journal of Cryptology.

[16] Victor S. Miller et al., The Weil Pairing, and Its Efficient Calculation, 2004, Journal of Cryptology.

[17] Arjen K. Lenstra et al., Using Cyclotomic Polynomials to Construct Efficient Discrete Logarithm Cryptosystems Over Finite Fields, 1997, ACISP.

[18] Paul C. van Oorschot et al., Parallel Collision Search with Cryptanalytic Applications, 2013, Journal of Cryptology.

[19] Antoine Joux et al., The Past, Evolving Present, and Future of the Discrete Logarithm, 2014, Open Problems in Mathematics and Computational Science.

[20] Antoine Joux et al., Improving the Polynomial time Precomputation of Frobenius Representation Discrete Logarithm Algorithms - Simplified Setting for Small Characteristic Finite Fields, 2014, IACR Cryptol. ePrint Arch.

[21] Antoine Joux et al., A Simplified Approach to Rigorous Degree 2 Elimination in Discrete Logarithm Algorithms, 2018, IACR Cryptol. ePrint Arch.

[22] Thorsten Kleinjung et al., Indiscreet logarithms in finite fields of small characteristic, 2016, Adv. Math. Commun.

[23] Frederik Vercauteren et al., On the Discrete Logarithm Problem on Algebraic Tori, 2005, CRYPTO.

[24] Martin E. Hellman et al., An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (Corresp.), 1978, IEEE Trans. Inf. Theory.

[25] Antoine Joux et al., A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic, 2014, EUROCRYPT.

[26] Masaaki Shirase et al., Solving a 676-bit Discrete Logarithm Problem in GF(3^{6n}), 2010, IACR Cryptol. ePrint Arch.

[27] Peter W. Shor et al., Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, 1995, SIAM Rev.

[28] Valentin Evgenʹevich Voskresenskiĭ et al., Algebraic Groups and Their Birational Invariants, 1998.

[29] Andries E. Brouwer et al., Doing More with Fewer Bits, 1999, ASIACRYPT.

[30] Don Coppersmith et al., Fast evaluation of logarithms in fields of characteristic two, 1984, IEEE Trans. Inf. Theory.

[31] Razvan Barbulescu et al., The Multiple Number Field Sieve for Medium and High Characteristic Finite Fields, 2014, IACR Cryptol. ePrint Arch.

[32] Arjen K. Lenstra et al., Algorithms in Number Theory, 1991, Handbook of Theoretical Computer Science, Volume A: Algorithms and Complexity.

[33] C. Diem, On the discrete logarithm problem in elliptic curves, 2010, Compositio Mathematica.

[34] Andrew M. Odlyzko et al., Discrete Logarithms in Finite Fields and Their Cryptographic Significance, 1985, EUROCRYPT.

[35] Steven D. Galbraith et al., Extending the GHS Weil Descent Attack, 2002, EUROCRYPT.

[36] Carl Pomerance et al., Rigorous, subexponential algorithms for discrete logarithms over finite fields, 1992.

[37] Reynald Lercier et al., Elliptic periods for finite fields, 2008, Finite Fields Their Appl.

[38] Razvan Barbulescu et al., Updating Key Size Estimations for Pairings, 2018, Journal of Cryptology.

[39] J. M. Pollard, Monte Carlo Methods for Index Computation (mod p), 2010.

[40] Nigel P. Smart et al., Constructive and destructive facets of Weil descent on elliptic curves, 2002, Journal of Cryptology.

[41] J. Faugère, A new efficient algorithm for computing Gröbner bases (F4), 1999.

[42] Antoine Joux et al., Cover and Decomposition Index Calculus on Elliptic Curves Made Practical - Application to a Previously Unreachable Curve over F_{p^6}, 2012, EUROCRYPT.

[43] Nigel P. Smart et al., The Discrete Logarithm Problem on Elliptic Curves of Trace One, 1999, Journal of Cryptology.

[44] Don Coppersmith, Evaluating logarithms in GF(2^n), 1984, STOC '84.

[45] Alfred Menezes et al., Analysis of the Weil Descent Attack of Gaudry, Hess and Smart, 2001, CT-RSA.

[46] Steven D. Galbraith et al., Summation Polynomial Algorithms for Elliptic Curves in Characteristic Two, 2014, INDOCRYPT.

[47] Faruk Göloglu et al., On the Function Field Sieve and the Impact of Higher Splitting Probabilities: Application to Discrete Logarithms in F_{2^1971}, 2013, IACR Cryptol. ePrint Arch.

[48] Victor Shoup et al., Lower Bounds for Discrete Logarithms and Related Problems, 1997, EUROCRYPT.

[49] Thorsten Kleinjung et al., Discrete logarithms in quasi-polynomial time in finite fields of fixed characteristic, 2019, IACR Cryptol. ePrint Arch.

[50] Antoine Joux et al., Faster Index Calculus for the Medium Prime Case: Application to 1175-bit and 1425-bit Finite Fields, 2013, EUROCRYPT.

[51] Igor A. Semaev, Summation polynomials and the discrete logarithm problem on elliptic curves, 2004, IACR Cryptol. ePrint Arch.

[52] Pierrick Gaudry et al., Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem, 2009, J. Symb. Comput.

[53] René Schoof, Journal de Théorie des Nombres de Bordeaux 7 (1995), 219–254.

[54] T. Kuhn, The structure of scientific revolutions, 3rd ed., 1996.

[55] C. F. Gauß, Disquisitiones Arithmeticae, 2017.

[56] Antoine Joux et al., The Function Field Sieve in the Medium Prime Case, 2006, EUROCRYPT.

[57] Antoine Joux et al., Algorithmic aspects of elliptic bases in finite field discrete logarithm algorithms, 2019, IACR Cryptol. ePrint Arch.

[58] Thorsten Kleinjung et al., Breaking '128-bit Secure' Supersingular Binary Curves (or how to solve discrete logarithms in F_{2^{4·1223}} and F_{2^{12·367}}), 2014, IACR Cryptol. ePrint Arch.

[59] Alice Silverberg et al., Torus-Based Cryptography, 2003, CRYPTO.

[60] Faruk Göloglu et al., Solving a 6120-bit DLP on a Desktop Computer, 2013, Selected Areas in Cryptography.

[61] Arjen K. Lenstra et al., An overview of the XTR public key system, 2001.

[62] Alfred Menezes et al., The Discrete Logarithm Problem in GL(n, q), 1997, Ars Comb.

[63] John J. Cannon et al., The Magma Algebra System I: The User Language, 1997, J. Symb. Comput.

[64] Maurice Kraitchik et al., Recherches sur la théorie des nombres, 1924.

[65] David P. Woodruff et al., Practical Cryptography in High Dimensional Tori, 2005, EUROCRYPT.

[66] Kevin S. McCurley et al., Massively Parallel Computation of Discrete Logarithms, 1992, CRYPTO.

[67] Florian Hess et al., The GHS Attack Revisited, 2003, EUROCRYPT.

[68] Antoine Joux et al., Technical history of discrete logarithms in small characteristic finite fields, 2016, Des. Codes Cryptogr.

[69] Arjen K. Lenstra et al., The XTR Public Key System, 2000, CRYPTO.

[70] Chris J. Skinner et al., A Public-Key Cryptosystem and a Digital Signature System Based on the Lucas Function Analogue to Discrete Logarithms, 1994, ASIACRYPT.

[71] Razvan Barbulescu et al., Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case, 2016, CRYPTO.

[72] Igor A. Semaev et al., Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, 1998, Math. Comput.

[73] C. Diem, On the discrete logarithm problem in elliptic curves II, 2013.