-
Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment
Authors:
Fabrice Boudot,
Pierrick Gaudry,
Aurore Guillevic,
Nadia Heninger,
Emmanuel Thomé,
Paul Zimmermann
Abstract:
We report on two new records: the factorization of RSA-240, a 795-bit number, and a discrete logarithm computation over a 795-bit prime field. Previous records were the factorization of RSA-768 in 2009 and a 768-bit discrete logarithm computation in 2016. Our two computations at the 795-bit level were done using the same hardware and software, and show that computing a discrete logarithm is not much harder than a factorization of the same size. Moreover, thanks to algorithmic variants and well-chosen parameters, our computations were significantly less expensive than anticipated based on previous records. The last page of this paper also reports on the factorization of RSA-250.
Submitted 11 June, 2020;
originally announced June 2020.
-
Breaking the encryption scheme of the Moscow Internet voting system
Authors:
Pierrick Gaudry,
Alexander Golovnev
Abstract:
In September 2019, voters in the election for the Parliament of the city of Moscow were allowed to use an Internet voting system, whose source code had been made available for public testing. In this paper we show two successful attacks on the encryption scheme implemented in the voting system. Both attacks were sent to the developers of the system, and both issues were fixed afterwards. The encryption used in this system is a variant of ElGamal over finite fields. In the first attack we show that the key sizes used are too small, and we explain how to retrieve the private keys from the public keys in a matter of minutes with easily available resources. When this issue had been fixed and the new system had become available for testing, we discovered that the new implementation was not semantically secure. We demonstrate how this newly found security vulnerability can be used to count the number of votes cast for a candidate.
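The two failure modes the abstract names, reproduced on constructed toy parameters. This is an added example written for this page, not the voting system's code or the paper's: the group ($p = 2^{31}-1$, generator 7), the key, the candidate encodings and the ballots are all made up, and 31-bit keys are chosen precisely so that a generic discrete-logarithm algorithm (baby-step giant-step) recovers the private key from the public key in well under a second. For the second attack the abstract does not name the mechanism; the illustration used here is the standard semantic-security failure of textbook ElGamal over $\mathbb{Z}_p^*$, where the Legendre symbol of the plaintext leaks from the ciphertext, so anyone reading the published ballots can tally a candidate whose encoding has a Legendre symbol no other candidate shares.

```python
"""Added example (not the voting system's code): two ElGamal failure modes on a toy group.
Attack 1: the key is small enough for a generic DLP solver (baby-step giant-step).
Attack 2: textbook ElGamal leaks the Legendre symbol of the plaintext, so votes
for a candidate with a distinctive Legendre symbol can be counted without the key."""
import math
import random

# Constructed toy group: p = 2^31 - 1 is prime and 7 is a primitive root mod p.
# A 31-bit modulus is absurdly small, which is the point of attack 1.
P = 2147483647
G = 7
P_MINUS_1_FACTORS = (2, 3, 7, 11, 31, 151, 331)   # p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331


def is_primitive_root(g: int, p: int, factors) -> bool:
    """g generates Z_p^* iff g^((p-1)/f) != 1 (mod p) for every prime factor f of p-1."""
    return all(pow(g, (p - 1) // f, p) != 1 for f in factors)


def keygen(rng: random.Random):
    """Private key x, public key y = g^x mod p."""
    x = rng.randrange(1, P - 1)
    return x, pow(G, x, P)


def encrypt(y: int, m: int, rng: random.Random):
    """Textbook ElGamal: (g^r, m * y^r), the vote m used directly as a group element."""
    r = rng.randrange(1, P - 1)
    return pow(G, r, P), m * pow(y, r, P) % P


def decrypt(x: int, c1: int, c2: int) -> int:
    return c2 * pow(c1, P - 1 - x, P) % P


# ---- Attack 1: a 31-bit key falls to a generic O(sqrt(p)) DLP solver -----------
def baby_step_giant_step(h: int, g: int = G, p: int = P) -> int:
    """Return x with g^x = h (mod p)."""
    m = math.isqrt(p - 1) + 1
    table = {}
    cur = 1
    for j in range(m):                 # baby steps: g^j -> j
        table.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, p - 1 - m, p)        # g^(-m)
    gamma = h
    for i in range(m):                 # giant steps: h * g^(-i*m)
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * step % p
    raise ValueError("no logarithm found")


# ---- Attack 2: the Legendre symbol of the vote leaks from public data ----------
def legendre(a: int, p: int = P) -> int:
    """Euler's criterion: +1 for quadratic residues, -1 for non-residues."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def leaked_legendre(y: int, c1: int, c2: int) -> int:
    """Legendre(m) from the public key and ciphertext alone.
    L(c2) = L(m) * L(y)^r; when L(y) = -1 the parity of r is visible as
    L(c1) = L(g)^r, because g is a non-residue (every primitive root is)."""
    return legendre(c2) * (legendre(c1) if legendre(y) == -1 else 1)


def count_distinguishable_votes(y: int, ballots, candidates):
    """Exact tallies for every candidate whose Legendre symbol is unique among the
    candidate encodings; candidates sharing a symbol are only countable as a class."""
    symbols = {c: legendre(c) for c in candidates}
    tallies = {}
    for c, s in symbols.items():
        if sum(1 for t in symbols.values() if t == s) == 1:
            tallies[c] = sum(1 for c1, c2 in ballots if leaked_legendre(y, c1, c2) == s)
    return tallies


def run_demo(seed: int = 2019):
    """Both attacks on one constructed election; returns facts a test can check."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    candidates = [1, 2, 3]             # constructed encodings: 1 and 2 are residues mod p, 3 is not
    votes = [3, 1, 3, 2, 3, 1, 2, 3]   # constructed ballots
    ballots = [encrypt(y, v, rng) for v in votes]
    return {
        "key_recovered": baby_step_giant_step(y) == x,
        "decrypts": all(decrypt(x, c1, c2) == v for (c1, c2), v in zip(ballots, votes)),
        "leak_matches": all(leaked_legendre(y, c1, c2) == legendre(v) for (c1, c2), v in zip(ballots, votes)),
        "tallies_without_key": count_distinguishable_votes(y, ballots, candidates),
        "true_tallies": {c: votes.count(c) for c in candidates},
    }


if __name__ == "__main__":
    assert is_primitive_root(G, P, P_MINUS_1_FACTORS)
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The fix for the second problem is the usual one: encode the vote as an element of a prime-order subgroup of quadratic residues (or hash-to-group it) so that every ciphertext component has Legendre symbol +1, and pick a modulus at which no generic or index-calculus algorithm is feasible.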
Submitted 15 November, 2019; v1 submitted 14 August, 2019;
originally announced August 2019.
-
Counting points on genus-3 hyperelliptic curves with explicit real multiplication
Authors:
Simon Abelard,
Pierrick Gaudry,
Pierre-Jean Spaenlehauer
Abstract:
We propose a Las Vegas probabilistic algorithm to compute the zeta function of a genus-3 hyperelliptic curve defined over a finite field $\mathbb F_q$, with explicit real multiplication by an order $\mathbb Z[\eta]$ in a totally real cubic field. Our main result states that this algorithm requires an expected number of $\widetilde O((\log q)^6)$ bit-operations, where the constant in the $\widetilde O()$ depends on the ring $\mathbb Z[\eta]$ and on the degrees of polynomials representing the endomorphism $\eta$. As a proof-of-concept, we compute the zeta function of a curve defined over a 64-bit prime field, with explicit real multiplication by $\mathbb Z[2\cos(2\pi/7)]$.
Submitted 20 September, 2018; v1 submitted 15 June, 2018;
originally announced June 2018.
-
Improved Complexity Bounds for Counting Points on Hyperelliptic Curves
Authors:
Simon Abelard,
Pierrick Gaudry,
Pierre-Jean Spaenlehauer
Abstract:
We present a probabilistic Las Vegas algorithm for computing the local zeta function of a hyperelliptic curve of genus $g$ defined over $\mathbb{F}_q$. It is based on the approaches by Schoof and Pila combined with a modeling of the $\ell$-torsion by structured polynomial systems. Our main result improves on previously known complexity bounds by showing that there exists a constant $c>0$ such that, for any fixed $g$, this algorithm has expected time and space complexity $O((\log q)^{cg})$ as $q$ grows and the characteristic is large enough.
Submitted 7 June, 2018; v1 submitted 10 October, 2017;
originally announced October 2017.
-
A kilobit hidden SNFS discrete logarithm computation
Authors:
Joshua Fried,
Pierrick Gaudry,
Nadia Heninger,
Emmanuel Thomé
Abstract:
We perform a special number field sieve discrete logarithm computation in a 1024-bit prime field. To our knowledge, this is the first kilobit-sized discrete logarithm computation ever reported for prime fields. This computation took a little over two months of calendar time on an academic cluster using the open-source CADO-NFS software. Our chosen prime $p$ looks random, and $p-1$ has a 160-bit prime factor, in line with recommended parameters for the Digital Signature Algorithm. However, our $p$ has been trapdoored in such a way that the special number field sieve can be used to compute discrete logarithms in $\mathbb{F}_p^*$, yet detecting that $p$ has this trapdoor seems out of reach. Twenty-five years ago, there was considerable controversy around the possibility of back-doored parameters for DSA. Our computations show that trapdoored primes are entirely feasible with current computing technology. We also describe special number field sieve discrete log computations carried out for multiple weak primes found in use in the wild. As can be expected from a trapdoor mechanism which we say is hard to detect, our research did not reveal any trapdoored prime in wide use. The only way for a user to defend against a hypothetical trapdoor of this kind is to require verifiably random primes.
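The defence the abstract ends on, verifiably random primes, in working code. This is an added example written for this page, not the paper's code and not CADO-NFS: it implements the hash-based probable-prime construction of FIPS 186-4 Appendix A.1.1.2 (q from the seed, then p = 1 mod 2q from successive hashes of seed + offset) and the companion recomputation check of A.1.1.3. Anyone given (p, q, seed, counter) can rerun the derivation and confirm that p and q are exactly what it yields, so a prime chosen by hand for its SNFS-friendly structure cannot be passed off as one of them. The assumptions are SHA-256 as the hash, a 256-bit seed, and the legacy DSA size (L, N) = (1024, 160); the label used to derive seeds in the demo is constructed.

```python
"""Added example (not the paper's code): verifiably random DSA-style primes,
following FIPS 186-4 Appendix A.1.1.2 (generation) and A.1.1.3 (validation).
Assumptions: SHA-256, 256-bit seeds, (L, N) = (1024, 160)."""
import hashlib
import random

OUTLEN = 256          # SHA-256 output length in bits
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97)


def _hash_int(seed_int: int, seedlen: int) -> int:
    """SHA-256 of the seed value reduced mod 2^seedlen, read as a big-endian integer."""
    data = (seed_int % (1 << seedlen)).to_bytes(seedlen // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n < 2 or n % sp == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _q_from_seed(seed_int: int, seedlen: int, N: int) -> int:
    """Steps 6-7: U = Hash(seed) mod 2^(N-1); q = 2^(N-1) + U + 1 - (U mod 2)."""
    U = _hash_int(seed_int, seedlen) % (1 << (N - 1))
    return (1 << (N - 1)) + U + 1 - (U % 2)


def _p_search(seed_int: int, seedlen: int, q: int, L: int, max_counter: int):
    """Step 10: build X from Hash(seed + offset + j), force p = X - ((X mod 2q) - 1)
    so that q | p - 1, and return the first probable prime as (p, counter)."""
    n = -(-L // OUTLEN) - 1                 # ceil(L / outlen) - 1
    b = L - 1 - n * OUTLEN
    offset = 1
    for counter in range(max_counter + 1):
        W = 0
        for j in range(n + 1):
            V = _hash_int(seed_int + offset + j, seedlen)
            W += (V % (1 << b) if j == n else V) << (j * OUTLEN)
        X = W + (1 << (L - 1))                # W has L-1 bits, so 2^(L-1) <= X < 2^L
        p = X - (X % (2 * q) - 1)
        offset += n + 1
        if p >= (1 << (L - 1)) and is_probable_prime(p):
            return p, counter
    return None


def generate_probable_primes(seed: bytes, L: int = 1024, N: int = 160):
    """(p, q, counter) derived from seed, or None if q is composite or no p is
    found within 4L candidates (the caller then tries another seed)."""
    seedlen = 8 * len(seed)
    if seedlen < N:
        raise ValueError("seedlen must be at least N")
    seed_int = int.from_bytes(seed, "big")
    q = _q_from_seed(seed_int, seedlen, N)
    if not is_probable_prime(q):
        return None
    found = _p_search(seed_int, seedlen, q, L, 4 * L - 1)
    return None if found is None else (found[0], q, found[1])


def find_verifiable_parameters(label: bytes, L: int = 1024, N: int = 160):
    """Try seeds SHA-256(label || i) until one succeeds; returns (p, q, seed, counter).
    The seed and counter are published alongside p and q."""
    for i in range(10000):
        seed = hashlib.sha256(label + i.to_bytes(4, "big")).digest()
        out = generate_probable_primes(seed, L, N)
        if out is not None:
            return out[0], out[1], seed, out[2]
    raise RuntimeError("no seed worked")


def validate_domain_parameters(p: int, q: int, seed: bytes, counter: int, L: int = 1024, N: int = 160) -> bool:
    """A.1.1.3-style check: sizes, q | p-1, primality, then rerun the derivation and
    require (seed, counter) to reproduce exactly (p, q). A hand-picked prime fails."""
    seedlen = 8 * len(seed)
    if p.bit_length() != L or q.bit_length() != N or (p - 1) % q:
        return False
    if seedlen < N or not 0 <= counter <= 4 * L - 1:
        return False
    if not (is_probable_prime(q) and is_probable_prime(p)):
        return False
    seed_int = int.from_bytes(seed, "big")
    if _q_from_seed(seed_int, seedlen, N) != q:
        return False
    return _p_search(seed_int, seedlen, q, L, counter) == (p, counter)


if __name__ == "__main__":
    p, q, seed, counter = find_verifiable_parameters(b"constructed-demo")
    print("counter =", counter, "valid:", validate_domain_parameters(p, q, seed, counter))
    print("tampered seed accepted:", validate_domain_parameters(p, q, bytes([seed[0] ^ 1]) + seed[1:], counter))
```

Validation deliberately reruns the search from counter 0 rather than only recomputing the candidate at the published counter: the standard requires p to be the first prime the derivation produces, which removes the freedom to skip ahead to a candidate with a convenient structure.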
Submitted 18 July, 2017; v1 submitted 10 October, 2016;
originally announced October 2016.
-
Improvements to the number field sieve for non-prime finite fields
Authors:
Razvan Barbulescu,
Pierrick Gaudry,
Aurore Guillevic,
François Morain
Abstract:
We propose various strategies for improving the computation of discrete logarithms in non-prime fields of medium to large characteristic using the Number Field Sieve. This includes new methods for selecting the polynomials; the use of explicit automorphisms; explicit computations in the number fields; and prediction that some units have a zero virtual logarithm. On the theoretical side, we obtain a new complexity bound of $L_{p^n}(1/3,\sqrt[3]{96/9})$ in the medium characteristic case. On the practical side, we computed discrete logarithms in $\mathbb{F}_{p^2}$ for a prime number $p$ with $80$ decimal digits. Warning: This unpublished version contains some inexact statements.
Submitted 25 August, 2022; v1 submitted 4 August, 2014;
originally announced August 2014.
-
A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic
Authors:
Razvan Barbulescu,
Pierrick Gaudry,
Antoine Joux,
Emmanuel Thomé
Abstract:
In the present work, we present a new discrete logarithm algorithm, in the same vein as in recent works by Joux, using an asymptotically more efficient descent approach. The main result gives a quasi-polynomial heuristic complexity for the discrete logarithm problem in finite fields of small characteristic. By quasi-polynomial, we mean a complexity of type $n^{O(\log n)}$ where $n$ is the bit-size of the cardinality of the finite field. Such a complexity is smaller than any $L(\varepsilon)$ for $\varepsilon>0$. It remains super-polynomial in the size of the input, but offers a major asymptotic improvement compared to $L(1/4+o(1))$.
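Added remark, spelling out the comparison the abstract makes in the $L$-notation used throughout this list. For a field of cardinality $Q$ with $n = \log_2 Q$, $L_Q(\alpha, c) = \exp\big((c+o(1))\,(\ln Q)^{\alpha}(\ln\ln Q)^{1-\alpha}\big)$, so that $L_Q(1,c)$ is exponential and $L_Q(0,c)$ polynomial in $n$. Taking logarithms of both running times, $\log\big(n^{O(\log n)}\big) = O\big((\log n)^2\big)$, whereas $\log L_Q(\varepsilon, c) = \Theta\big(n^{\varepsilon}(\log n)^{1-\varepsilon}\big)$; since $(\log n)^2 = o\big(n^{\varepsilon}(\log n)^{1-\varepsilon}\big)$ for every fixed $\varepsilon>0$, the quasi-polynomial bound is asymptotically below every $L(\varepsilon)$, in particular below $L(1/4+o(1))$. Conversely $(\log n)^2$ is not $O(\log n)$, which is why the bound stays super-polynomial in $n$.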
Submitted 26 November, 2013; v1 submitted 18 June, 2013;
originally announced June 2013.
-
Polynomial Systems Solving by Fast Linear Algebra
Authors:
Jean-Charles Faugère,
Pierrick Gaudry,
Louise Huot,
Guénaël Renault
Abstract:
Polynomial system solving is a classical problem in mathematics with a wide range of applications. This makes its complexity a fundamental problem in computer science. Depending on the context, solving has different meanings. In order to stick to the most general case, we consider a representation of the solutions from which one can easily recover the exact solutions or a certified approximation of them. Under generic assumptions, such a representation is given by the lexicographical Gröbner basis of the system and consists of a set of univariate polynomials. The best known algorithm for computing the lexicographical Gröbner basis is in $\widetilde{O}(d^{3n})$ arithmetic operations where $n$ is the number of variables and $d$ is the maximal degree of the equations in the input system. The notation $\widetilde{O}$ means that we neglect polynomial factors in $n$. We show that this complexity can be decreased to $\widetilde{O}(d^{\omega n})$ where $2 \leq \omega < 2.3727$ is the exponent in the complexity of multiplying two dense matrices. Consequently, when the input polynomial system is either generic or reaches the Bézout bound, the complexity of solving a polynomial system is decreased from $\widetilde{O}(D^3)$ to $\widetilde{O}(D^\omega)$ where $D$ is the number of solutions of the system. To achieve this result we propose new algorithms which rely on fast linear algebra. When the degrees of the equations are bounded uniformly by a constant, we propose a deterministic algorithm. In the unbounded case we present a Las Vegas algorithm.
Submitted 12 July, 2013; v1 submitted 22 April, 2013;
originally announced April 2013.
-
An $L(1/3)$ Discrete Logarithm Algorithm for Low Degree Curves
Authors:
Andreas Enge,
Pierrick Gaudry,
Emmanuel Thomé
Abstract:
We present an algorithm for solving the discrete logarithm problem in Jacobians of families of plane curves whose degrees in $X$ and $Y$ are low with respect to their genera. The finite base fields $\mathbb{F}_q$ are arbitrary, but their sizes should not grow too fast compared to the genus. For such families, the group structure and discrete logarithms can be computed in subexponential time of $L_{q^g}(1/3, O(1))$. The runtime bounds rely on heuristics similar to the ones used in the number field sieve or the function field sieve.
Submitted 20 December, 2009; v1 submitted 13 May, 2009;
originally announced May 2009.
-
An $L(1/3+\varepsilon)$ Algorithm for the Discrete Logarithm Problem for Low Degree Curves
Authors:
Andreas Enge,
Pierrick Gaudry
Abstract:
The discrete logarithm problem in Jacobians of curves of high genus $g$ over finite fields $\mathbb{F}_q$ is known to be computable with subexponential complexity $L_{q^g}(1/2, O(1))$. We present an algorithm for a family of plane curves whose degrees in $X$ and $Y$ are low with respect to the curve genus, and suitably unbalanced. The finite base fields are arbitrary, but their sizes should not grow too fast compared to the genus. For this family, the group structure can be computed in subexponential time of $L_{q^g}(1/3, O(1))$, and a discrete logarithm computation takes subexponential time of $L_{q^g}(1/3+\varepsilon, o(1))$ for any positive $\varepsilon$. These runtime bounds rely on heuristics similar to the ones used in the number field sieve or the function field sieve algorithms.
Submitted 7 March, 2007;
originally announced March 2007.