Discrete Logarithm Problem
Discrete Logarithms 1
Aurore Guillevic
INRIA-Saclay and École Polytechnique/LIX
François Morain
École Polytechnique/LIX and CNRS and INRIA-Saclay
Contents
9.1 Setting and First Properties (p. 3)
9.1.1 General Setting (p. 3)
9.1.2 The Pohlig-Hellman Reduction (p. 3)
9.1.3 A Tour of Possible Groups (p. 4)
9.2 Generic Algorithms (p. 5)
9.2.1 Shanks's Baby-Steps Giant-Steps Algorithm (p. 5)
9.2.2 The RHO Method (p. 9)
9.2.3 The Kangaroo Method (p. 15)
9.2.4 Solving Batch-DLP (p. 16)
9.3 Finite Fields (p. 17)
9.3.1 Introduction (p. 17)
9.3.2 Index-Calculus Methods (p. 20)
9.3.3 Linear Algebra (p. 24)
9.3.4 The Number Field Sieve (NFS) (p. 25)
9.3.5 Number Field Sieve: Refinements (p. 28)
9.3.6 Large Characteristic Non-Prime Fields (p. 29)
9.3.7 Medium Characteristic Fields (p. 30)
9.3.8 Small Characteristic: From the Function Field Sieve (FFS) to the Quasi-Polynomial-Time Algorithm (QPA) (p. 32)
9.3.9 How to Choose Real-Size Finite Field Parameters (p. 36)
9.3.10 Discrete logarithm algorithms in pairing-friendly target finite fields $\mathbb{F}_{p^n}$: August 2016 state-of-the-art (p. 38)
The Discrete Logarithm Problem (DLP) is one of the most used mathematical problems
in asymmetric cryptography design, the other one being the integer factorization. It is
intrinsically related to the Diffie-Hellman problem (DHP). DLP can be stated in various
1 This chapter is the 9-th chapter of the book Guide to Pairing-Based Cryptography, edited by Nadia
El Mrabet and Marc Joye, and published by CRC Press, ISBN 9781498729505. This document is the
authors’ version archived on HAL (hal.inria.fr) on December 20, 2016. The publisher’s official webpage
of the book is: https://www.crcpress.com/Guide-to-Pairing-Based-Cryptography/El-Mrabet-Joye/p/
book/9781498729505
CHAPTER 9. DISCRETE LOGARITHMS 2
In some cases, partial or heuristic reciprocals have been given, most notably in [86, 87].
With more and more applications and implementations available of different DH-based
protocols, more problems arose, notably related to static variants. We refer to [77] for a
survey.
i=1
where the $p_i$'s are all distinct. Then DLP in $G$ can be solved using the DLPs on all subgroups of order $p_i^{\alpha_i}$.
$$h^{y_1} = h_0^{y_1} \quad\text{or}\quad \left(c_2\, h_0^{-y_1}\right)^{p^{\alpha-2}} = h_1^{y_1}.$$
In this way, we recover y1 by computing the discrete logarithm of the left hand side w.r.t.
h1 again.
We have shown that DLP in a cyclic group of order pα can be replaced by α solutions of
DLP in a cyclic group of order p and some group operations. If p is small, all these steps
will be easily solved by table lookup. Otherwise, the methods presented in the next section
will apply and give a good complexity.
A direct consequence is that, for cryptographic use, $N$ must have at least one large prime factor.
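The reduction just described, as an added Python example that is not part of the chapter: the DLP in a cyclic subgroup of $\mathbb{F}_p^*$ of order $N = \prod q^a$ is projected onto each subgroup of order $q^a$, each of those is solved as $a$ logarithms of order $q$ (one base-$q$ digit at a time, by a brute-force table walk here), and the results are recombined by the Chinese remainder theorem. The instance $p = 1019$, $g = 2$, $h = 314$ is constructed for the example (it reappears in the index-calculus example of Section 9.3.2); function names are mine.

```python
# Added example (not from the chapter): the Pohlig-Hellman reduction in F_p^*,
# with a brute-force solver for the prime-order subproblems and CRT recombination.

def crt(residues):
    """Combine pairwise coprime congruences x = r_i (mod m_i) into x mod prod(m_i)."""
    x, mod = 0, 1
    for r, m in residues:
        k = ((r - x) * pow(mod, -1, m)) % m      # solve x + mod*k = r (mod m)
        x += mod * k
        mod *= m
    return x % mod

def dlp_prime_order(g, h, p, q):
    """Brute force: return k in [0, q) with g^k = h mod p, for g of prime order q."""
    x = 1
    for k in range(q):
        if x == h:
            return k
        x = x * g % p
    raise ValueError("h is not in the subgroup generated by g")

def dlp_prime_power(g, h, p, q, a):
    """DLP for g of order q^a, solved as `a` DLPs of order q (one base-q digit each)."""
    gamma = pow(g, q ** (a - 1), p)              # element of order exactly q
    x = 0
    for k in range(a):
        # strip the digits already known, then project onto the order-q subgroup:
        # (h * g^{-x})^{q^{a-1-k}} = gamma^{d_k}
        hk = pow(h * pow(g, -x, p) % p, q ** (a - 1 - k), p)
        d = dlp_prime_order(gamma, hk, p, q)
        x += d * q ** k
    return x

def pohlig_hellman(g, h, p, N, factors):
    """log_g h in a cyclic group of order N = prod q^a (factors = {q: a}) inside F_p^*."""
    residues = []
    for q, a in factors.items():
        qa = q ** a
        cof = N // qa
        gi, hi = pow(g, cof, p), pow(h, cof, p)   # project into the subgroup of order q^a
        residues.append((dlp_prime_power(gi, hi, p, q, a), qa))
    return crt(residues)

if __name__ == "__main__":
    # Constructed instance: p = 1019, p - 1 = 2 * 509, g = 2 generates F_p^*.
    print(pohlig_hellman(2, 314, 1019, 1018, {2: 1, 509: 1}))
```

The second assertion below runs the digit recursion with $a = 8$ in $\mathbb{F}_{257}^*$ (order $256 = 2^8$, generator $3$), which is the case the text has in mind when it says that a group of order $p^\alpha$ costs $\alpha$ logarithms of order $p$.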
Not-so-easy groups
Relatively easy groups are those for which subexponential methods exist: finite fields (of
medium or large characteristic), algebraic curves of very large genus, class groups of number
fields.
Probably difficult groups, for which we know of nothing but exponential methods,
include elliptic curves (see [50] for a recent survey) and curves of genus 2.
The chosen setting is that of a group $G = \langle g \rangle$ of prime order $N$, following the use of the Pohlig-Hellman reduction. Enumerating all possible powers of $g$ is an $O(N)$ process, and this is enough when $N$ is small. Other methods include Shanks's and Pollard's, each achieving a $O(\sqrt N)$ time complexity, but with different properties such as determinism or space usage. We summarize this in Table 9.1. The baby-steps giant-steps (BSGS) method and its variants are deterministic, whereas the other methods are probabilistic. It is interesting to note that Nechaev and Shoup have proven that a lower bound on generic DLP (algorithms that use group operations only) is precisely $O(\sqrt N)$ (see for instance [111]).
Due to the large time complexity, it is desirable to design distributed versions with a gain of $p$ in time when $p$ processors are used. This will be described method by method.
Table 9.2: Table of constants $C$ such that the complexity is $C\sqrt N$.

| Algorithm | Average-case time | Worst-case time |
|---|---|---|
| BSGS | 1.5 | 2.0 |
| BSGS optimized for av. case | 1.414 | 2.121 |
| IBSGS | 1.333 | 2.0 |
| Grumpy giants | 1.25? | $\le 3$ |
| RHO with dist. pts | $1.253(1 + o(1))$ | $\infty$ |
The goal of this subsection is to present the original algorithm together with some of its
more recent variants. We refer to the literature for more material and analyses.
First of all, remark that any integer $n$ in $[0, N[$ may be written as $cu + d$ where $0 \le c, d < u$. Algorithm 9.2 performs $2\max(c, d)$ group operations. We need to evaluate the average value of this quantity over the domain $[0, u[ \times [0, u[$, which is equivalent to computing
$$\int_{x=0}^{1}\int_{y=0}^{1} \max(x, y)\, dx\, dy.$$
Fixing $x$, we see that $\max(x, y) = x$ for $y \le x$ and $y$ otherwise. Therefore the double integral is
$$\int_{x=0}^{1}\left(\int_{y=0}^{x} x\, dy + \int_{y=x}^{1} y\, dy\right) dx = \frac{2}{3}.$$
We have proven that the mean time for this algorithm is $\frac43\sqrt N$, hence a constant that is smaller than 2 for the original algorithm.
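Both variants side by side, as an added Python example that is not part of the chapter: the original baby-steps giant-steps algorithm, and the interleaved version analysed above, which stops after $2\max(c,d)$ multiplications instead of filling the whole baby table first. Both count the group multiplications they perform so the constants of Table 9.2 can be observed; the instance $p = 1019$, $g = 2$, $h = 314$ is constructed, and $u = \lceil\sqrt N\rceil$ is my choice of parameter.

```python
# Added example (not from the chapter): Shanks's BSGS and the interleaved variant
# in F_p^*, each returning (log_g h mod N, number of group multiplications used).
from math import isqrt

def bsgs(g, h, p, N):
    """Original BSGS: full baby table g^d (0 <= d < u), then giant steps h * g^{-c u}."""
    u = isqrt(N - 1) + 1                       # u = ceil(sqrt(N))
    baby, b, ops = {}, 1, 0
    for d in range(u):
        baby.setdefault(b, d)
        b = b * g % p; ops += 1
    step, cur = pow(g, -u, p), h % p
    for c in range(u):
        if cur in baby:
            return (c * u + baby[cur]) % N, ops
        cur = cur * step % p; ops += 1
    return None, ops

def ibsgs(g, h, p, N):
    """Interleaved BSGS: grow both tables one element per step and stop at the first
    collision between them, hence 2*max(c, d) multiplications (Algorithm 9.2)."""
    u = isqrt(N - 1) + 1
    step = pow(g, -u, p)
    baby, giant = {}, {}
    b, gt, ops = 1, h % p, 0                   # b = g^i, gt = h * g^{-i u}
    for i in range(u):
        if i:
            b = b * g % p; gt = gt * step % p; ops += 2
        baby.setdefault(b, i); giant.setdefault(gt, i)
        if b in giant:                         # g^i = h g^{-j u}  =>  x = i + j u
            return (i + giant[b] * u) % N, ops
        if gt in baby:                         # h g^{-i u} = g^d  =>  x = d + i u
            return (baby[gt] + i * u) % N, ops
    return None, ops

if __name__ == "__main__":
    print(bsgs(2, 314, 1019, 1018), ibsgs(2, 314, 1019, 1018))
```

On this instance $x = 670 = 20\cdot 32 + 30$, so $c = 20$, $d = 30$: the interleaved version uses exactly $2\max(c,d) = 60$ multiplications, while the original spends $u = 32$ on the baby table before taking $c = 20$ giant steps.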
Grumpy giants
In [23], the authors designed a new variant of BSGS to decrease the average case running time again. They gave a heuristic analysis of it. This was made precise and generalized to other variants (such as using negation) in [53]. We follow the presentation therein. For $u = \lceil \sqrt N / 2 \rceil$, the algorithm computes the three sets of cardinality $L$ that will be found later:
$$B = \{g^i : 0 \le i < L\},\qquad G_1 = \{h \circ g^{ju} : 0 \le j < L\},\qquad G_2 = \{h^2 \circ g^{-k(u+1)} : 0 \le k < L\},$$
and waits for a collision between any two of the sets, in an interleaved manner. The algorithm succeeds when one of the following sets contains the discrete logarithm we are looking for:
$$LL = \{i - ju \pmod N : 0 \le i, j < L\} \cup \{2^{-1}(i + k(u+1)) \pmod N : 0 \le i, k < L\} \cup \{ju + k(u+1) \pmod N : 0 \le j, k < L\}.$$
For ease of exposition of Algorithm 9.3, we define $\mathrm{Expo}(u, j)$ to be the exponent of $g$ in case of $G_j$ for $j = 1, 2$. Precisely, a member of $G_j$ is
$$h^j \circ f_j = h^j \circ g^{\mathrm{Expo}(u, j)},$$
with $\mathrm{Expo}(u, j) = (-1)^{j-1}(u + j - 1)$.
It is conjectured that $u$ is optimal and that $L$ can be taken as $O(\sqrt N)$. Experiments were carried out to support this claim in [23, 53]. Moreover, [53] contains an analysis of the algorithm, leading to $1.25\sqrt N$ as total group operations.
A basic model
Let $E$ be a finite set of cardinality $m$ and suppose we draw uniformly $n$ elements from $E$ with replacement. The probability that all $n$ elements are distinct is
Theorem 9.3.
$$\mathrm{Proba} = \frac{1}{m}\prod_{k=1}^{n-1}\left(1 - \frac{k}{m}\right).$$
Taking logarithms, and assuming $n \ll m$, we get
$$\log \mathrm{Proba} \approx \log(n/m) - \frac{n(n-1)}{2m}.$$
This means that taking $n = O(\sqrt m)$ will give a somewhat large value for this probability. We can derive from this a very simple algorithm for computing discrete logarithms, presented as Algorithm 9.4. Its time complexity would be $O(\sqrt m \log m)$ on average, together with a space $O(\sqrt m)$, which is no better than BSGS.
If we assume that $N$ is prime, the only case where $v - v'$ is non-invertible is that of $v = v'$. In that case, we hit a useless relation between $g$ and $h$ that is discarded.
Our basic model is highly distributable. Unfortunately, the memory problem is still
there. It does not solve the space problem, so that we have to replace this by deterministic
random walks, as explained now.
Functional digraphs
Consider $E$ of cardinality $m$ as above and let $f : E \to E$ be a function on $E$. Consider the sequence $X_{n+1} = f(X_n)$ for some starting point $X_0 \in E$. The functional digraph of $X$ is built with vertices $X_i$'s; an edge is put between $X_i$ and $X_j$ if $f(X_i) = X_j$. Since $E$ is finite, the graph has two parts, as indicated in Figure 9.1.
Figure 9.1: the functional digraph of $X$: a tail $X_0, X_1, X_2, \dots, X_{\mu-1}$ leading into a cycle $X_\mu, X_{\mu+1}, \dots, X_{\mu+\lambda-1}$.
Since $E$ is finite, the sequence $X$ must end up looping. The first part of the sequence is the set of $X_i$'s that are reached only once and there are $\mu$ of them; the second part forms a loop containing $\lambda$ distinct elements.
Examples. 1) $E = G$ is a finite group, we use $f(x) = ax$, and $x_0 = a$; $(x_n)$ is purely periodic, i.e., $\mu = 0$, and $\lambda = \mathrm{ord}_G(a)$.
2) Take $E = \mathbb{Z}/11\mathbb{Z}$ (so $m = 11$) and $f : x \mapsto x^2 + 1 \bmod 11$: we give the complete graph for all possible starting points in Figure 9.2. The shape of it is quite typical: a cycle and trees plugged on the structure.
By Theorem 9.3, $\lambda$ and $\mu$ cannot be too large on average, since $n = \lambda + \mu$. A convenient source for all asymptotic complexities of various parameters of the graph can be found in [46]. In particular:
Theorem 9.4. When $m \to \infty$,
$$\lambda \sim \mu \sim \sqrt{\frac{\pi m}{8}} \approx 0.627\sqrt m.$$
Finding $\lambda$ and $\mu$ is more easily done using the notion of epact.
Figure 9.2: functional graph of $f : x \mapsto x^2 + 1 \bmod 11$ on $\mathbb{Z}/11\mathbb{Z}$ (edges $0 \to 1 \to 2 \to 5 \to 4 \to 6 \to 4$, $3 \to 10 \to 2$, $7 \to 6$, $8 \to 10$, $9 \to 5$).
Proposition 9.5. There exists a unique $e > 0$ (epact) s.t. $\mu \le e < \lambda + \mu$ and $X_{2e} = X_e$. It is the smallest non-zero multiple of $\lambda$ that is $\ge \mu$: if $\mu = 0$, $e = \lambda$ and if $\mu > 0$, $e = \lceil \mu/\lambda \rceil \lambda$.
Proof. The equation $X_i = X_j$ with $i < j$ holds only if $i$ and $j$ are larger than or equal to $\mu$. Moreover, $\lambda$ must divide $j - i$. If we put $i = e$ and $j = 2e$, then $\mu \le e$ and $\lambda \mid e$. There exists a single multiple of $\lambda$ in any interval of length $\lambda$, which gives uniqueness for $e$. When $\mu = 0$, it is clear that the smallest $e > 0$ must be $\lambda$. When $\mu > 0$, the given candidate satisfies all the properties.
From [46], we extract
Theorem 9.6. $e \sim \sqrt{\dfrac{\pi^5 m}{288}} \approx 1.03\sqrt m$,
which means that finding the epact costs $O(\sqrt m)$ with a constant not too large compared to the actual values of $\mu$ and $\lambda$. Note that in most cryptographic applications, the collision $x_{2e} = x_e$ will be enough to solve our problem.
From a practical point of view, a nice and short algorithm by Floyd can be used to recover
the epact and is given as Algorithm 9.5. We need 3e evaluations of f and e comparisons.
Ideas for decreasing the number of evaluations are given in [31] (see also [91] when applied
to integer factorization).
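The quantities above ($\mu$, $\lambda$, the epact of Proposition 9.5 and Floyd's recovery of it) computed on the chapter's own example $f(x) = x^2 + 1 \bmod 11$, as an added Python example that is not part of the chapter. Function names are mine; the experiment at the end draws constructed random maps on a set of size $m$ to estimate the constant of Theorem 9.6, and its seed, $m$ and number of trials are arbitrary choices.

```python
# Added example (not from the chapter): tail length mu, cycle length lambda and the
# epact of an iterated map, by brute force and by Floyd's algorithm, plus the
# component / cyclic-node counts of Theorem 9.7 and a random-function experiment.
import random

def tail_and_cycle(f, x0):
    """Brute force: return (mu, lambda) for the sequence X_{n+1} = f(X_n)."""
    seen, x, n = {}, x0, 0
    while x not in seen:
        seen[x] = n
        x, n = f(x), n + 1
    mu = seen[x]
    return mu, n - mu

def epact_from(mu, lam):
    """Proposition 9.5: the smallest non-zero multiple of lambda that is >= mu."""
    return lam if mu == 0 else -(-mu // lam) * lam

def floyd_epact(f, x0):
    """Floyd: smallest e > 0 with X_{2e} = X_e (3e evaluations of f, e comparisons)."""
    e, a, b = 1, f(x0), f(f(x0))
    while a != b:
        a, b, e = f(a), f(f(b)), e + 1
    return e

def graph_statistics(f, m):
    """(number of components, number of cyclic nodes) of the functional graph of f on {0..m-1}."""
    cyclic = set()
    for x0 in range(m):
        mu, lam = tail_and_cycle(f, x0)
        x = x0
        for _ in range(mu):                    # walk down the tail to the first cyclic node
            x = f(x)
        for _ in range(lam):
            cyclic.add(x); x = f(x)
    reps = set()                               # one representative (minimal node) per cycle
    for c in cyclic:
        x, best = c, c
        for _ in range(tail_and_cycle(f, c)[1]):
            x = f(x); best = min(best, x)
        reps.add(best)
    return len(reps), len(cyclic)

def mean_epact_ratio(m, trials, seed=0):
    """Average epact / sqrt(m) over constructed random functions and random starting
    points; Theorem 9.6 predicts about 1.03 as m grows."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        table = [rng.randrange(m) for _ in range(m)]
        total += floyd_epact(lambda x: table[x], rng.randrange(m))
    return total / trials / m ** 0.5

f11 = lambda x: (x * x + 1) % 11               # the chapter's example map

if __name__ == "__main__":
    print(tail_and_cycle(f11, 0), floyd_epact(f11, 0), graph_statistics(f11, 11))
```

Starting from $X_0 = 0$ the sequence is $0, 1, 2, 5, 4, 6, 4, \dots$, so $\mu = 4$, $\lambda = 2$ and the epact is $e = \lceil 4/2 \rceil \cdot 2 = 4$, which is indeed the first $e$ with $X_{2e} = X_e$ that Floyd's loop reports.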
More parameters can be studied and their asymptotic values computed. Again, we refer
to [46], from which we extract the following complements.
Theorem 9.7. The expected values of some of the parameters related to the functional graph $G$ are
• the number of components is $\frac{1}{2}\log m$;
• the component size containing a node $\nu \in G$ is $2m/3$;
• the tree size containing $\nu$ is $m/3$ (maximal tree rooted on a circle containing $\nu$);
• the number of cyclic nodes is $\sqrt{\pi m/2}$ (a node is cyclic if it belongs to a cycle).
A way to understand these results is to imagine that there is a giant component that contains almost all nodes.
Discrete logarithms
The idea of Pollard is to build a function $f$ from $G$ to $G$ appearing to be random, in the sense that the epact of $f$ is $c\sqrt N$ for some small constant $c$. This can be realized via multiplications by random points and/or perhaps squarings in $G$.
Building on [105], Teske [114] has suggested the following: precompute $r$ random elements $z_i = g^{\gamma_i} \circ h^{\delta_i}$ for $1 \le i \le r$ for some random exponents. Then use some hash function $H : G \to \{1, \dots, r\}$. Finally, define $f(y) = y \circ z_{H(y)}$. The advantage of this choice is that we can represent any iterate $x_i$ of $f$ as
$$x_i = g^{c_i} \circ h^{d_i},$$
where $(c_i)$ and $(d_i)$ are two integer sequences. When $e$ is found, $x_e = x_{2e}$ reads
$$g^{c_e} \circ h^{d_e} = g^{c_{2e}} \circ h^{d_{2e}},$$
or
$$g^{c_{2e} - c_e} = h^{d_e - d_{2e}},$$
i.e.,
$$n(c_{2e} - c_e) \equiv (d_e - d_{2e}) \bmod N.$$
With high probability, $c_{2e} - c_e$ is invertible modulo $N$ and we get the logarithm of $h$. When we hit a collision and it is trivial, it is no use continuing the algorithm.
Experimentally, $r = 20$ is enough to have a large mixing of points. Under a plausible model, this leads to a $O(\sqrt N)$ method (see [114]). We give the algorithm in Algorithm 9.6. As an example, if $G$ contains integers, we may simply use $H(x) = 1 + (x \bmod r)$.
Parallel RHO
How would one program a parallel version of RHO? We have to modify the algorithm. First
of all, we cannot use the notion of epact any more. If we start p processors on finding the
epact of their own sequence, we would not gain anything, since all epacts are of the same
(asymptotic) size. We need to share computations.
The idea is to launch $p$ processors on the same graph with the same iteration function and wait for a collision. Since we cannot store all points, we content ourselves with distinguished elements, i.e., elements having a special form, uniformly with some probability $\theta$ over $G$. (For integers, one can simply decide that a distinguished integer is 0 modulo a prescribed power of 2.) Each processor starts its own path from a random value in $\langle g \rangle$ and each time it encounters a distinguished element, it compares it with shared distinguished elements already found and when a useful collision is found, the program stops. The idea is that two paths colliding at some point will eventually lead to the same distinguished element, that will be found a little while later (see Figure 9.3). Typically, if $\theta < 1$ is the proportion of distinguished elements, the time to reach one of these will be $1/\theta$. Remembering properties of functional digraphs, this probability should satisfy $1/\theta < c\sqrt N$ for some constant $c > 0$.
In view of Theorem 9.7, the method succeeds since there is a giant component in which the processors have a large probability to run in. At worst, we would need $O(\log m)$ of these to be sure to have at least two processors in the same component.
There are many fine points that must be dealt with in an actual implementation. For ease of reading, we first introduce a function that computes a distinguished path, starting from a point and iterating until a distinguished element is reached, at which point it is returned.
At this point, the master can decide to continue from this distinguished element, or start a new path. One of the main problems we can encounter is that a processor be trapped in a (small) cycle. By the properties of random digraphs, a typical path should be of length $O(\sqrt N)$; if $\theta$ is small enough, the probability to enter a cycle will be small. However, in some applications, small cycles exist. Therefore, we need some cycle detection algorithm, best implemented using a bound on the number of elements found. Modifying Algorithm 9.8 can be done easily, for instance, giving up on paths with length $> 20/\theta$ as suggested in [118]. The expected running time is $\sqrt{\pi N/2}/p + 1/\theta$ group operations.
Note that in many circumstances, we can use an automorphism in G, and we take this
into account for speeding up the parallel RHO process, despite some technical problems
that arise (short cycles). See [44], and more recently [72, 24].
Other improvements are discussed in [36] for prime fields, with the aim of reducing the
cost of the evaluation of the iteration function.
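Both forms of the RHO method described above, as an added Python example that is not part of the chapter: Teske's $r$-adding walk with Floyd's cycle finding (serial), and the distinguished-element version of the parallel RHO, simulated by running the "processors" one after the other against a shared table and abandoning any path longer than $20/\theta$. The collision relation $g^{c_{2e} - c_e} = h^{d_e - d_{2e}}$ is solved for $n$ by inverting the exponent difference of $h$ modulo the prime $N$. The instance (the order-509 subgroup of $\mathbb{F}_{1019}^*$, $g = 4$, $h = 772$), the hash $H(x) = x \bmod r$, $\theta = 2^{-3}$ and the seeds are constructed choices; names are mine.

```python
# Added example (not from the chapter): Pollard's RHO with Teske's r-adding walk,
# with Floyd's cycle finding (serial) and with distinguished elements (parallel
# version, simulated sequentially). Constructed instance: order-509 subgroup of F_1019^*.
import random

def teske_walk(g, h, p, N, r, rng):
    """Precompute r random z_i = g^gamma_i h^delta_i; return (f, start). A state is
    (x, c, d) with x = g^c * h^d, so every iterate keeps its representation."""
    steps = []
    for _ in range(r):
        gamma, delta = rng.randrange(N), rng.randrange(N)
        steps.append((pow(g, gamma, p) * pow(h, delta, p) % p, gamma, delta))
    def f(state):
        x, c, d = state
        z, gamma, delta = steps[x % r]             # H(x) = x mod r
        return (x * z % p, (c + gamma) % N, (d + delta) % N)
    def start():
        c, d = rng.randrange(N), rng.randrange(N)
        return (pow(g, c, p) * pow(h, d, p) % p, c, d)
    return f, start

def solve_collision(a, b, N):
    """g^{c_a} h^{d_a} = g^{c_b} h^{d_b}  =>  n (d_a - d_b) = c_b - c_a (mod N), N prime."""
    num, den = (b[1] - a[1]) % N, (a[2] - b[2]) % N
    return None if den == 0 else num * pow(den, -1, N) % N   # None: useless relation

def rho_floyd(g, h, p, N, r=20, seed=0, max_seeds=50):
    for s in range(seed, seed + max_seeds):
        f, start = teske_walk(g, h, p, N, r, random.Random(s))
        x0 = start()
        a, b = f(x0), f(f(x0))                     # tortoise x_e, hare x_{2e}
        while a[0] != b[0]:
            a, b = f(a), f(f(b))
        n = solve_collision(a, b, N)
        if n is not None:
            return n                               # trivial collision: restart with a new walk
    return None

def rho_distinguished(g, h, p, N, procs=4, theta_bits=3, r=20, seed=0, max_seeds=50):
    """Each 'processor' walks from a random start until an element x with
    x = 0 mod 2^theta_bits (theta = 2^-theta_bits) and reports it to the shared table;
    a path longer than 20/theta is abandoned (it is trapped in a cycle)."""
    modulus, bound = 1 << theta_bits, 20 << theta_bits
    for s in range(seed, seed + max_seeds):
        f, start = teske_walk(g, h, p, N, r, random.Random(s))
        table = {}                                 # distinguished x -> (x, c, d)
        for _round in range(64):
            for _proc in range(procs):
                st = start()
                for _ in range(bound):
                    if st[0] % modulus == 0:
                        break
                    st = f(st)
                else:
                    continue                       # no distinguished element: give up path
                x = st[0]
                if x in table:
                    n = solve_collision(table[x], st, N)
                    if n is not None:
                        return n
                else:
                    table[x] = st
    return None

if __name__ == "__main__":
    print(rho_floyd(4, 772, 1019, 509), rho_distinguished(4, 772, 1019, 509))
```

Because $N = 509$ is prime, the only way the final relation fails is $d_e = d_{2e}$, the useless collision the text mentions; both functions then simply start a fresh walk with new random $z_i$.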
Figure 9.3: Paths.
would like to obtain an algorithm whose running time is $O(\sqrt\ell)$ instead of $O(\sqrt N)$.
The idea is to have two processes, traditionally called tame kangaroo and wild kangaroo. The tame kangaroo follows a random path starting from $g^{\ell/2}$ and adding random integers to the exponent, while the wild kangaroo starts from $h = g^n$ and uses the same deterministic random function. We use a sequence of integer increments $(\delta_i)_{1 \le i \le r}$ whose mean size is $m$. Then, we iterate: $f(x) = x \circ g^{\delta_{H(x)}}$. Both kangaroos can be written $T = g^{d_T}$ and $W = h \circ g^{d_W}$ for two integer sequences $d_T$ and $d_W$ that are updated when computing $f$. When hitting a distinguished element, it is stored in a list depending on its character (tame or wild). When a collision occurs, the discrete logarithm is found. The analysis is heuristic along the following way. The original positions of $K_T$ and $K_W$ can be either $n < \ell/2$ (order $0, n, \ell/2, \ell$ on the line) or $n > \ell/2$ (order $0, \ell/2, n, \ell$). In either case, we have a back kangaroo ($B$) and a front kangaroo ($F$) heading right. They are at mean mutual distance $\ell/4$ at the beginning. Since the average distance between two points is $m$, $B$ needs $\ell/(4m)$ jumps to reach the initial position of $F$. After that, $B$ needs $m$ jumps to reach a point already reached by $F$. The total number of jumps is therefore $2(\ell/(4m) + m)$, which is minimized for $m = \sqrt\ell/2$, leading to a $2\sqrt\ell$ cost. A more precise analysis is given in [118]. The reader can find details as Algorithm 9.9.
A closely related algorithm that uses another model of analysis (though still heuristic) is that of Gaudry-Schost [54], improving on work by Gaudry and Harley. This algorithm is generalized to any dimension (e.g., solving $g^x = g^{a_1 n_1 + a_2 n_2 + \cdots + a_d n_d}$ for given $(a_i)$'s) and improved in [51] (see also [52] for the use of equivalence classes).
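The kangaroo method of the previous paragraphs, as an added Python example that is not part of the chapter: a tame kangaroo $T = g^{d_T}$ starting at exponent $\ell/2$ and a wild kangaroo $W = h \circ g^{d_W}$ starting at $h$ share one jump table of mean size about $\sqrt\ell/2$; distinguished elements (here: residues that are $0 \bmod 4$) are stored per herd, and a distinguished element seen by both gives $n = d_T - d_W$. The instance ($\mathbb{F}_{1019}^*$, $g = 2$, $n = 137$ in $[0, 200)$), the jump table size and the seeds are constructed choices; if the two walks never meet within the jump budget (different components of the graph) a fresh jump table is drawn.

```python
# Added example (not from the chapter): Pollard's kangaroo (lambda) method for a
# logarithm known to lie in [0, ell), with distinguished elements, in F_p^*.
import random
from math import isqrt

def kangaroo(g, h, p, N, ell, theta_bits=2, r=16, seed=0, max_seeds=50, max_jumps=200_000):
    """Return n with g^n = h, assuming 0 <= n < ell."""
    modulus = 1 << theta_bits
    for s in range(seed, seed + max_seeds):
        rng = random.Random(s)
        m = max(1, isqrt(ell) // 2)                         # target mean jump ~ sqrt(ell)/2
        incr = [rng.randrange(1, 2 * m + 1) for _ in range(r)]
        jumps = [pow(g, e, p) for e in incr]                 # g^{delta_i}, precomputed
        T, dT = pow(g, ell // 2, p), ell // 2                # tame: T = g^{dT}
        W, dW = h % p, 0                                     # wild: W = h * g^{dW}
        tame, wild = {}, {}                                  # distinguished element -> exponent
        for _ in range(max_jumps):
            if T % modulus == 0:
                tame.setdefault(T, dT)
                if T in wild:                                # g^{dT} = h g^{dW}
                    return (dT - wild[T]) % N
            if W % modulus == 0:
                wild.setdefault(W, dW)
                if W in tame:
                    return (tame[W] - dW) % N
            i = T % r; T = T * jumps[i] % p; dT += incr[i]   # f(x) = x * g^{delta_{H(x)}}
            i = W % r; W = W * jumps[i] % p; dW += incr[i]
    return None                                              # no collision with any jump table

if __name__ == "__main__":
    print(kangaroo(2, pow(2, 137, 1019), 1019, 1018, 200))
```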
Parallel kangaroos
The idea, as for parallel RHO, is to start $p$ kangaroos that will discover and store distinguished elements. Following [98], we assume $p = 4p'$, and select $u = 2p' + 1$, $v = 2p' - 1$, so that $p = u + v$. Increments of the jumps will be $(uvs_1, \dots, uvs_k)$ for small $s_i$'s, insisting on the mean to be $\approx \sqrt{\ell/(uv)}$. The $i$-th tame kangaroo will start at $g^{\ell/2 + iv}$ for $0 \le i < u$; wild kangaroo $W_i$ will start from $h \circ g^{iu}$, $0 \le i < v$. A collision will be $\ell/2 + iv \equiv n + ju \pmod{uv}$ and the solution is unique. This prevents kangaroos of the same herd from colliding. The final running time is effectively divided by $p$.
Parallel methods
The work of [45] was analyzed in [80]: a batch of $k$ discrete logarithms in a group of order $N$ reduces to an average $\Theta(k^{-1/2} N^{1/2})$ group operations for $k \le N^{1/4}$; each DL costs $\Theta(N^{3/8})$. [80] also defines some problems related to DLP. The method was further studied in [60].
A more systematic way to consider the problem is the following; see [23] and its follow-up [22], where interval-batch-DLP is also considered and solved with the same ideas. We consider again a table of random steps not involving any target in its definition. The idea is to build a table $T$ of distinguished elements found by random walks starting at random elements $g^x$. If $T$ is the table size and $W$ the length of the walk, then $TW$ elements will be encountered. When given a target $h$, a random walk of length $W$ will encounter one of the elements in $T$, solving DLP for $h$. The probability that none of the points in the new walk encounters any of the first is
$$\left(1 - \frac{1}{N}\right)^{TW^2}.$$
Taking logarithms, this is close to $TW^2/N$, so that a reasonable chance of success is for $W \approx \alpha\sqrt{N/T}$ for some constant $\alpha$. Using this, the probability can be written $\exp(-\alpha^2)$, favoring rather large $\alpha$s, therefore enabling (and favoring) parallel work too.
and this is dominated by $kW$ for $k > T$. If we want to optimize the cost as a function of $k$, we see that $T = k$ is minimal. For $T = N^{1/3}$, we get $W = N^{1/3}$ for each walk and $TW = N^{2/3}$ for the precomputation phase.
For a real implementation, we can choose $t = \lceil \log_2 N / 3 \rceil$. If $G$ contains integers, define $x$ to be distinguished if $x \equiv 0 \bmod 2^t$. With this choice, we need to store $2^t$ elements; $2^{2t}$ operations are needed for the precomputation phase and $2^t$ for each of the $2^t$ targets.
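The batch-DLP procedure of this subsection with exactly the parameters just given ($t = \lceil \log_2 N/3 \rceil$, distinguished means $x \equiv 0 \bmod 2^t$, table of $2^t$ elements, walks of length $2^t$), as an added Python example that is not part of the chapter. The walk $x \mapsto x \circ g^{\gamma_{H(x)}}$ involves no target, so one precomputed table serves every target; a target walk that ends at a distinguished element absent from the table is restarted from $h \circ g^{\text{offset}}$ with a fresh random offset. The instance ($\mathbb{F}_{1019}^*$, $g = 2$), the hash $H(x) = x \bmod r$, the restart policy and the seeds are constructed choices; names are mine.

```python
# Added example (not from the chapter): batch DLP with a precomputed table of
# distinguished elements in F_p^*, g of order N; the walk does not depend on targets.
import random
from math import ceil, log2

def target_free_walk(g, p, N, r, rng):
    """Random walk x -> x * g^{gamma_{H(x)}}; a state is (x, e) with x = g^e."""
    gammas = [rng.randrange(1, N) for _ in range(r)]
    jumps = [pow(g, e, p) for e in gammas]
    def step(x, e):
        i = x % r
        return x * jumps[i] % p, (e + gammas[i]) % N
    return step

def precompute(g, p, N, seed=0, r=16):
    """Table of up to 2^t distinguished elements with their logarithms (Phase 1)."""
    t = ceil(log2(N) / 3)
    size, W = 1 << t, 1 << t
    rng = random.Random(seed)
    step = target_free_walk(g, p, N, r, rng)
    table = {}                                      # distinguished x -> log_g x
    for _ in range(50 * size):                      # budget of random starting points
        if len(table) >= size:
            break
        e = rng.randrange(N)
        x = pow(g, e, p)
        for _ in range(W):
            if x % W == 0:                          # distinguished: x = 0 mod 2^t
                table[x] = e
                break
            x, e = step(x, e)
    return table, step, t, W

def batch_dlp(targets, g, p, N, table, step, t, W, seed=1, max_walks=10_000):
    """One short walk per target (restarted from h * g^off with a new random offset
    whenever it ends on a distinguished element that is not in the table)."""
    rng = random.Random(seed)
    logs = []
    for h in targets:
        n = None
        for _ in range(max_walks):
            off = rng.randrange(N)
            x, e = h * pow(g, off, p) % p, off       # x = h g^off, so log x = n + off
            for _ in range(W):
                if x % W == 0:
                    if x in table:
                        n = (table[x] - e) % N
                    break
                x, e = step(x, e)
            if n is not None:
                break
        logs.append(n)
    return logs

if __name__ == "__main__":
    table, step, t, W = precompute(2, 1019, 1018)
    print(t, len(table), batch_dlp([pow(2, 5, 1019), 314], 2, 1019, 1018, table, step, t, W))
```

For $N = 1018$ this gives $t = 4$: a table of at most 16 elements built from walks of 16 steps, after which each target costs a handful of 16-step walks, which is the $2^{2t}$ precomputation versus $2^t$ per target trade-off stated in the text.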
• Small characteristic: one uses the function field sieve algorithm, and the quasi-polynomial-time algorithm when the extension degree is suitable for that (i.e., smooth enough);
• Medium characteristic: one uses the NFS-HD algorithm. This is the High Degree variant of the Number Field Sieve (NFS) algorithm. The elements involved in the relation collection are of higher degree compared to the regular NFS algorithm.
• Large characteristic: one uses the Number Field Sieve algorithm.
Each variant (QPA, FFS, NFS-HD, and NFS) has a different asymptotic complexity. The
asymptotic complexities are stated with the L-notation. This comes from the smoothness
probability of integers. The explanation will be provided in Section 9.3.2. The L-notation
is defined as follows.
Definition 9.8. Let $Q$ be a positive integer. The L-notation is defined by
$$L_Q[\alpha, c] = \exp\left((c + o(1))(\log Q)^\alpha (\log\log Q)^{1-\alpha}\right)$$
with $\alpha \in [0, 1]$ and $c > 0$.
The $\alpha$ parameter measures the gap between polynomial time: $L_Q[\alpha = 0, c] = (\log Q)^c$, and exponential time: $L_Q[\alpha = 1, c] = Q^c$. When $c$ is implicit, or obvious from the context, one simply writes $L_Q[\alpha]$. When the complexity relates to an algorithm for a prime field $\mathbb{F}_p$, one writes $L_p[\alpha, c]$.
• a complexity of $L_Q[1/3, (64/9)^{1/3} \approx 1.923]$ for large characteristic finite fields with the Number Field Sieve algorithm [106, 67, 85].
It was not known until recently whether small characteristic fields could be weaker than prime fields. However, computing power was regularly increasing and in 2012, Hayashi, Shimoyama, Shinohara, and Takagi were able to compute a discrete logarithm record in $\mathbb{F}_{3^{6 \cdot 97}}$, corresponding to a 923-bit field [58], with the Function Field Sieve. Then in December 2012 and January 2013, Joux released two preprints later published in [63] with a $L_Q[1/4]$ algorithm, together with record-breaking discrete logarithms in $\mathbb{F}_{2^{4080}}$ and $\mathbb{F}_{2^{6168}}$. This was improved by various researchers. In 2014, Barbulescu, Gaudry, Joux, and Thomé [17] on one side and Granger, Kleinjung, and Zumbrägel [56] on the other side proposed two versions of a quasi-polynomial-time algorithm (QPA) to solve the DLP in small characteristic finite fields. The techniques that allowed this breakthrough are not applicable to medium and large characteristic so far.
Phase 2: When enough relations are collected, solve the system to get $\{\log_g p_b\}_{1 \le b \le \#\mathcal{B}}$.
Phase 3: Compute the individual discrete logarithm of $h$ in base $g$. Look for $t$ s.t. $h g^t \bmod p$ as an integer factors into small primes of $\mathcal{B}$:
$$h g^t \bmod p = \prod_{b=1}^{\#\mathcal{B}} p_b^{\alpha_b} \quad\Leftrightarrow\quad x + t \equiv \sum_{b=1}^{\#\mathcal{B}} \alpha_b \log_g p_b \bmod (p - 1)$$
return $x$.
Solving modulo 2 and 509 separately and recombining by the Chinese remainder theorem, we find
$$\log_2 2 = 1,\quad \log_2 3 = 958,\quad \log_2 5 = 10.$$
Note that solving modulo 2 can be replaced by computations of Legendre symbols.
Consider computing $\log_2 314$. We find that
$$h \cdot g^{372} \equiv 2^4 \cdot 5^2 \bmod p$$
from which $\log_g h = 4 + 2 \cdot 10 - 372 \bmod 1018$, or $\log_2(314) = 670$. Had we used rational reconstruction (a classical trick for DL target solution), we would have found
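The three phases of the basic index-calculus method on the chapter's instance ($p = 1019$, $g = 2$, factor base $\{2, 3, 5\}$, target $h = 314$), as an added Python example that is not part of the chapter. Phase 1 draws random $t$ and keeps the $B$-smooth values of $g^t \bmod p$; Phase 2 solves the linear system modulo each prime factor of $p - 1$ ($2$ and $509$) by Gauss-Jordan elimination and recombines by CRT, exactly as the text does; Phase 3 sweeps $t$ until $h g^t \bmod p$ is smooth. The random seed and the deterministic sweep in Phase 3 are my choices, and the solver assumes $p - 1$ squarefree, which holds here.

```python
# Added example (not from the chapter): basic index calculus in F_p^* with a small
# factor base; the linear system is solved modulo each prime factor of p - 1.
import random

def factor_over_base(n, base):
    """Exponent vector of n over `base`, or None if n is not B-smooth."""
    exps = []
    for q in base:
        k = 0
        while n % q == 0:
            n //= q; k += 1
        exps.append(k)
    return exps if n == 1 else None

def solve_mod_prime(rows, q):
    """Gauss-Jordan elimination mod prime q on augmented rows [a_1 .. a_k | b].
    Returns the solution, or None if the columns are not yet of full rank."""
    rows = [[v % q for v in r] for r in rows]
    k = len(rows[0]) - 1
    piv_row = 0
    for col in range(k):
        pivot = next((i for i in range(piv_row, len(rows)) if rows[i][col]), None)
        if pivot is None:
            return None
        rows[piv_row], rows[pivot] = rows[pivot], rows[piv_row]
        inv = pow(rows[piv_row][col], -1, q)
        rows[piv_row] = [v * inv % q for v in rows[piv_row]]
        for i in range(len(rows)):
            if i != piv_row and rows[i][col]:
                c = rows[i][col]
                rows[i] = [(a - c * b) % q for a, b in zip(rows[i], rows[piv_row])]
        piv_row += 1
    return [rows[i][k] for i in range(k)]

def crt(residues):
    x, mod = 0, 1
    for r, m in residues:
        x += mod * (((r - x) * pow(mod, -1, m)) % m)
        mod *= m
    return x % mod

def index_calculus(g, h, p, base, n_factors, seed=0):
    """Return (log_g h mod p-1, {p_b: log_g p_b}); n_factors = prime factors of p - 1."""
    N = p - 1
    rng = random.Random(seed)
    rows = [[int(q == g) for q in base] + [1]]          # the known relation log_g g = 1
    logs = None
    while logs is None:                                  # Phases 1 and 2
        for _ in range(len(base)):                       # collect a few more relations
            while True:
                t = rng.randrange(1, N)
                exps = factor_over_base(pow(g, t, p), base)
                if exps is not None:
                    rows.append(exps + [t]); break        # t = sum alpha_b log_g p_b
        parts = [solve_mod_prime(rows, q) for q in n_factors]
        if all(s is not None for s in parts):
            logs = [crt([(s[b], q) for s, q in zip(parts, n_factors)])
                    for b in range(len(base))]
    for t in range(1, N):                                # Phase 3
        exps = factor_over_base(h * pow(g, t, p) % p, base)
        if exps is not None:
            return (sum(a * l for a, l in zip(exps, logs)) - t) % N, dict(zip(base, logs))
    return None, dict(zip(base, logs))

if __name__ == "__main__":
    print(index_calculus(2, 314, 1019, [2, 3, 5], [2, 509]))
```

The modulus-2 part is where relations are scarce: only the parity of the exponents matters, so the loop keeps adding relations until the $3 \times 3$ system has full rank modulo both $2$ and $509$.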
$L_p[1/2, 2\beta + 1/(2\beta)]$.
The linear algebra phase finds the kernel of a matrix of dimension $B$. It has running-time of $B^\omega \approx L_p[1/2, \omega\beta]$ ($\omega$ is a constant, equal to 3 for classical Gauss, and nowadays we use iterative methods, of complexity $B^{2+o(1)}$; see Section 9.3.3). The total running time of the first two steps is
$$L_p[1/2, 2\beta + 1/(2\beta)] + L_p[1/2, 3\beta].$$
The minimum of $\beta \mapsto 2\beta + \frac{1}{2\beta}$ is 2, for $\beta = 1/2$ (take the derivative of the function $x \mapsto 2x + \frac{1}{2x}$ to obtain its minimum, for $x > 0$). We conclude that the total cost of the first two phases is dominated by $L_p[1/2, 2]$: the relation collection phase.
The last phase uses the same process as finding one relation in Phase 1. It needs $1/\Pr[r = g^t \pmod p \text{ is } B\text{-smooth}]$ tries of cost $B$ each, hence $B/\Pr = L_p[1/2, \beta + \frac{1}{2\beta}] = L_p[1/2, 3/2]$.
In this version, another iteration is made. The idea is to produce elements r much smaller
than p, to improve their smoothness probability. In the previous index calculus, we made
relations between integers (we lifted g ti mod p to r ∈ Z). Here one side will consider integers,
the second side will treat algebraic integers. Let $A$ be a small negative integer which is a quadratic residue modulo $p$. Preferably, $A \in \{-1, -2, -3, -7, -11, -19, -43, -67, -163\}$ so that $\mathbb{Q}[\sqrt A]$ is a unique factorization domain. For ease of presentation, we assume that $p \equiv 1 \bmod 4$ and take $A = -1$. Our algebraic side will be the Gaussian integer ring $\mathbb{Z}[i]$.
Now let $0 < U, V < \sqrt p$ such that $p = U^2 + V^2$ (computed via the rational reconstruction method, for example). The element $U/V$ is a root of $x^2 + 1$ modulo $p$. For an analogy with the number field sieve, one can define $f = x^2 + 1$ for the first (algebraic) side and $g = U - xV$ for the second (rational) side. The two polynomials have a common root $U/V$ modulo $p$. We define a map from $\mathbb{Z}[i]$ to $\mathbb{F}_p$:
$$\rho : \mathbb{Z}[i] \to \mathbb{F}_p, \qquad i \mapsto UV^{-1} \bmod p, \tag{9.4}$$
hence $a - bi \mapsto V^{-1}(aV - bU) \bmod p$.
Now we sieve over pairs $(a, b)$ on the rational side, looking for a $B$-smooth decomposition of the integer $aV - bU$, as in Algorithm 9.10. What will be the second member of a relation? Here comes the algebraic side. We consider the elements $a - bi \in \mathbb{Z}[i]$ (with the same pairs $(a, b)$) and iterate over them such that $a - bi$, as an ideal of $\mathbb{Z}[i]$, factors into prime ideals $\mathfrak{p}$ of $\mathbb{Z}[i]$ of norm $N_{\mathbb{Z}[i]/\mathbb{Z}}(\mathfrak{p})$ smaller than $B$. (For example: $1 + 3i = (1 + i)(2 + i)$ with $N(1 + 3i) = 1^2 + 3^2 = 10 = 2 \cdot 5 = N(1 + i)N(2 + i)$.) Here is the magic: since $N_{\mathbb{Z}[i]/\mathbb{Z}}(a - bi) = a^2 + b^2$ and we sieve over small $0 < a < E$, $-E < b < E$, the norm of $a - bi$ will be bounded by $E^2$ and the product of the norms of the prime ideals $\mathfrak{p}$ in the factorization, which is equal to $a^2 + b^2$, will be bounded by $E^2$ as well. At this point, we end up with pairs $(a, b)$ such that
$$aV - bU = \prod_{p_b \le B} p_b^{s_j}, \qquad\text{and}\qquad a - bi = \prod_{N(\mathfrak{p}_{b'}) \le B} \mathfrak{p}_{b'}^{t_j}.$$
Then we use the map $\rho$ to show up an equality, then get a relation. We have $\rho(a - bi) = a - bUV^{-1} = V^{-1}(aV - bU)$ so up to a factor $V$ (which is constant along the pairs $(a, b)$), we have:
$$aV - bU = \prod_{p_b \le B} p_b^{s_j} = V \prod_{N(\mathfrak{p}_{b'}) \le B} \rho(\mathfrak{p}_{b'})^{t_j}. \tag{9.5}$$
Here we don't need to know explicitly the value of $\rho(\mathfrak{p}_{b'})$ in $\mathbb{F}_p$. We simply consider it as an element of the basis $\mathcal{B}$ of small elements: $\mathcal{B} = \{V\} \cup \{p_b \le B\} \cup \{\rho(\mathfrak{p}_{b'}) : N_{\mathbb{Z}[i]/\mathbb{Z}}(\mathfrak{p}_{b'}) \le B\}$.
In the COS algorithm, the matrix is indeed two times larger than in the basic version of Algorithm 9.10 ($2B$ instead of $B$), but with norms $a^2 + b^2$ and $Va - bU$ much smaller; we can decrease the smoothness bound $B$. Taking the logarithm of Equation (9.5), we obtain an equation between logarithms of elements in $\mathcal{B}$:
$$\sum_{p_b \le B} s_j \log p_b = \log V + \sum_{N_{\mathbb{Z}[i]/\mathbb{Z}}(\mathfrak{p}_{b'}) \le B} t_j \log \rho(\mathfrak{p}_{b'}). \tag{9.6}$$
The optimal choice of parameters is $E = B = L_p[1/2, 1/2]$, so that both sieving and linear algebra cost $L_p[1/2, 1]$, better than the previous $L_p[1/2, 2]$ thanks to the much better smoothness probabilities of the elements considered. Phase 2 of the algorithm computes the kernel of a large sparse matrix of more than $2B$ rows. Its expected running time is $(2B)^2$, hence again $L_p[1/2, 1]$. The expected running time of the individual logarithm computation (Phase 3) is $L_p[1/2, 1/2]$ ([42, §7]).
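The two sides of one COS relation, as an added Python example that is not part of the chapter: on a constructed prime $p = 1009 \equiv 1 \bmod 4$ it finds $p = U^2 + V^2$ (by brute force rather than rational reconstruction), checks that $U/V$ is a root of $x^2 + 1$, factors $a - bi$ into Gaussian primes, and verifies Equation (9.5): applying $\rho$ to that factorization (and to the unit) reproduces $aV - bU$ up to the factor $V$, which is what makes the two factorizations usable as one linear relation (9.6). Gaussian integers are pairs $(a, b)$ meaning $a + bi$, a Gaussian prime above $q \equiv 1 \bmod 4$ is found by writing $q$ as a sum of two squares, and the sieving bounds $E$, $B$ in the test are small arbitrary choices; names are mine.

```python
# Added example (not from the chapter): the map rho: Z[i] -> F_p and one COS relation,
# checked on the constructed prime p = 1009 = 15^2 + 28^2.
from math import isqrt, gcd

def two_squares(p):
    """Brute force (U, V) with p = U^2 + V^2 (p = 1 mod 4, or p = 2)."""
    for U in range(1, isqrt(p) + 1):
        V2 = p - U * U
        V = isqrt(V2)
        if V * V == V2:
            return U, V

def gdiv(z, w):
    """Exact quotient z / w in Z[i], or None if w does not divide z."""
    (a, b), (c, d) = z, w
    n = c * c + d * d
    re, im = a * c + b * d, b * c - a * d
    return (re // n, im // n) if re % n == 0 and im % n == 0 else None

def gaussian_prime_above(q):
    """Gaussian prime of norm q for q = 2 or q = 1 mod 4; q itself (inert) if q = 3 mod 4."""
    return (q, 0) if q % 4 == 3 else two_squares(q)

def factor_gaussian(z):
    """(unit, {gaussian prime: exponent}) with z = unit * prod prime^exponent."""
    n = z[0] ** 2 + z[1] ** 2                   # the norm; its prime factors drive the search
    factors, q = {}, 2
    def divide_out(q):
        nonlocal z
        pi = gaussian_prime_above(q)
        if gdiv(z, pi) is None:
            pi = (pi[0], -pi[1])                # the conjugate prime divides z instead
        z = gdiv(z, pi)
        factors[pi] = factors.get(pi, 0) + 1
        return q * q if q % 4 == 3 else q       # norm removed from n
    while q * q <= n:
        while n % q == 0:
            n //= divide_out(q)
        q += 1
    if n > 1:
        divide_out(n)
    return z, factors                           # z is now a unit: (+-1, 0) or (0, +-1)

def rho(z, U, V, p):
    """Equation (9.4): rho(a + bi) = a + b * U * V^{-1} mod p."""
    a, b = z
    return (a + b * U * pow(V, -1, p)) % p

def cos_relation(a, b, U, V, p):
    """Check Equation (9.5) for the pair (a, b): aV - bU = V * rho(a - bi) in F_p, with
    rho(a - bi) rebuilt from the Gaussian-prime factorization of a - bi."""
    unit, factors = factor_gaussian((a, -b))
    rhs = V * rho(unit, U, V, p) % p
    for pi, t in factors.items():
        rhs = rhs * pow(rho(pi, U, V, p), t, p) % p
    return (a * V - b * U) % p == rhs, factors

def smooth(n, B):
    n = abs(n)
    for q in range(2, B + 1):
        while n % q == 0:
            n //= q
    return n == 1

def find_relations(U, V, p, E, B):
    """Coprime pairs 0 < a < E, -E < b < E with both aV - bU and a^2 + b^2 B-smooth."""
    rels = []
    for a in range(1, E):
        for b in range(-E + 1, E):
            if b == 0 or gcd(a, b) != 1:
                continue
            if smooth(a * V - b * U, B) and smooth(a * a + b * b, B):
                rels.append((a, b))
    return rels

if __name__ == "__main__":
    U, V = two_squares(1009)
    print(U, V, factor_gaussian((1, 3)), find_relations(U, V, 1009, 10, 13))
```

For the chapter's example $1 + 3i$ the routine returns the unit $i$ and the primes $1 + i$ and $1 - 2i$; since $i(1 - 2i) = 2 + i$ this is the factorization $(1 + i)(2 + i)$ of the text up to a unit, which is the ambiguity the basis element $V$ and the unit logarithms absorb in the linear algebra.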
In Gordon’s algorithm, Phase 1 and Phase 3 are modified. The Phase 2 is still a large
sparse matrix kernel computation. We explain the polynomial selection method and the
sieving phase. We also explain why the Phase 3 (individual logarithm computation) needs
important modifications. The hurried reader can skip the proof of Theorem 9.12.
$$p = c_d m^d + c_{d-1} m^{d-1} + \dots + c_0,$$
Relation collection
The new technicalities concern factorization of ideals a − bαf into prime ideals of Z[αf ].
This is not as simple as for Z[i]: Z[αf ] may not be a unique factorization domain, moreover
what is called bad ideals can appear in the factorization. To end up with good relations, one
stores only pairs (a, b) such that a − bαf factors into good prime ideals of degree one, and
whose norm is bounded by B. The sieve on the rational side is as in the COS algorithm.
Asymptotic complexity
We present how to obtain the expected heuristic running-time of $L_p[1/3, (64/9)^{1/3}]$ to compute DL in $\mathbb{F}_p$ with the base-$m$ method and a few improvements to the original Gordon algorithm. The impatient reader can admit the result of Theorem 9.12 and skip this section.
Theorem 9.12. The running-time of the NFS-DL algorithm with base-$m$ method is
$$L_p\left[1/3, \left(\frac{64}{9}\right)^{1/3} \approx 1.923\right],$$
obtained for a smoothness bound $B = L_p[1/3, \beta]$ with $\beta = (8/9)^{1/3} \approx 0.96$, a sieving bound $E = B$ (s.t. $|a|, |b| < E$), and a degree of $f$ to be $d = \lfloor \delta(\log p / \log\log p)^{1/3} \rfloor$ with $\delta = 3^{1/3} = 1.44$. We present in Table 9.3 the optimal values of $B$ (in bits) and $d$ with $\beta \approx 0.96$ and $\delta \approx 1.44$ for $p$ from 100 to 300 decimal digits (dd).

Table 9.3: Optimal value $\delta(\frac{\log p}{\log\log p})^{1/3}$ with $\delta = 1.44$ for $p$ of 100 to 300 decimal digits. One takes $d = [x]$ or $d = \lfloor x \rfloor$ in practice.

| $\log_{10} p$ | 40 | 60 | 80 | 100 | 120 | 140 | 160 | 180 | 200 | 220 | 240 | 260 | 280 | 300 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $\lceil \log_2 B \rceil$ (bits) | 18 | 21 | 24 | 27 | 29 | 31 | 33 | 35 | 36 | 38 | 39 | 41 | 42 | 43 |
| $\delta(\frac{\log p}{\log\log p})^{1/3}$ | 3.93 | 4.37 | 4.72 | 5.02 | 5.27 | 5.50 | 5.71 | 5.90 | 6.08 | 6.24 | 6.39 | 6.54 | 6.68 | 6.81 |
Proof. (of Theorem 9.12.) One of the key ingredients is to set an optimal degree $d$ for $f$. So let
$$d = \delta \left(\frac{\log p}{\log\log p}\right)^{1/3} \quad\text{so that}\quad m = p^{1/d} = L_p\left[2/3, \frac{1}{\delta}\right]. \tag{9.8}$$
(Compute $\log m = \frac{1}{d}\log p = \frac{1}{\delta}\left(\frac{\log\log p}{\log p}\right)^{1/3}\log p = \frac{1}{\delta}\log^{2/3} p\,\log^{1/3}\log p$.) We will compute the optimal value of $\delta$ under the given constraints later. The aim is to get a bound on the norms of the elements $a - b\alpha_f$ and $a - bm$ of size $L_p[2/3, \cdot]$ and a smoothness bound $L_p[1/3, \cdot]$, so that the smoothness probability will be $L_p[1/3, \cdot]$. A smoothness test is done with the Elliptic Curve Method (ECM). The cost of the test depends on the smoothness bound $B$ and the total size of the integer tested. We first show that the cost of an ECM $B$-smoothness test with $B = L_p[1/3, \beta]$, of an integer of size $L_p[2/3, \eta]$ is $L_p[1/6, \sqrt{2\beta/3}]$, hence is negligible compared to any $L_p[1/3, \cdot]$. The cost of this ECM test depends on the size of the smoothness bound:
$$\text{cost of an ECM test} = L_B[1/2, \sqrt 2].$$
Writing $\log B = \beta \log^{1/3} p\,\log^{2/3}\log p$, we compute $\log L_B[1/2, \sqrt 2] = \sqrt 2(\log B \log\log B)^{1/2}$, cancel the negligible terms, and get the result.
We denote the infinity norm of a polynomial to be the largest coefficient in absolute value:
$$\|f\|_\infty = \max_{0 \le i \le \deg f} |f_i|. \tag{9.9}$$
We have
$$\|f\|_\infty, \|g\|_\infty \le m = L_p\left[\frac{2}{3}, \frac{1}{\delta}\right].$$
In Phase 1, we sieve over pairs $(a, b)$ satisfying $0 < a < E$, $-E < b < E$ and $\gcd(a, b) = 1$, so the sieving space is of order $E^2$. We know that we can sieve over no more than $L_p[1/3, \cdot]$ pairs to be able to balance the three phases of the algorithm. So let $E = L_p[1/3, \epsilon]$ pairs, with $\epsilon$ to be optimized later. The sieving space is $E^2 = L_p[1/3, 2\epsilon]$. Since the cost of a $B$-smoothness test with ECM is negligible compared to $L_p[1/3, \epsilon]$, we conclude that the running time of the sieving phase is $E^2 = L_p[1/3, 2\epsilon]$.
We need at least $B$ relations to get a square matrix, and the linear algebra cost will be $B^2 = L_p[1/3, 2\beta]$. To balance the cost of the sieving phase and the linear algebra phase, we set
$$E^2 = B^2, \quad\text{hence}\quad \epsilon = \beta$$
and we replace $\epsilon$ in the following computations.
What is the norm bound for $a - b\alpha_f$? We need it to estimate its probability to be $B$-smooth. The norm is computed as the resultant (denoted $\mathrm{Res}$) of the element $a - b\alpha_f$ as a polynomial $a - bx$ in $x$, and the polynomial $f$. Then we bound the norm. The norm is
with $d + 1$ negligible, $p^{1/d} = m = L_p[2/3, 1/\delta]$, and $E^d = B^d = L_p[2/3, \beta\delta]$ (first compute $d \log B$ to get the result).
We want to minimize the linear algebra and sieving phases, hence we minimize $\beta > 0$ through finding the minimum of the function $x \mapsto \frac{1}{3}\left(\frac{2}{\beta x} + x\right)$ (by computing its derivative): this is $\frac{2}{3}\sqrt{2/\beta}$, obtained with $\delta = x = \sqrt{2/\beta}$. We end up by solving Equation (9.10):
$$\beta = \frac{2}{3}\sqrt{2/\beta} \;\Leftrightarrow\; \beta = (8/9)^{1/3}.$$
Since the running time of Phase 1 and Phase 2 is $L_p[1/3, 2\beta]$, we obtain $2\beta = (64/9)^{1/3}$ as expected. The optimal degree of the polynomial $f$ is $d = \delta(\frac{\log p}{\log\log p})^{1/3}$ with $\delta = 3^{1/3} \approx 1.44$.
When the degree of the involved polynomials is negligible, we can approximate $|\mathrm{Res}(f, \phi)|$ by $O(\|f\|_\infty^{n}\|\phi\|_\infty^{m})$. This simpler bound will be used to bound the norm of elements $\phi = a - bx$ and $\phi = \sum_{i=0}^{t-1} a_i x^i$ in a number field defined by a polynomial $f$.
With $(\eta, \delta)$ close to $(0.5, 0.999)$ (as in NTL or Magma), the approximation factor $C = (\delta - \eta^2)^{-\frac{n-1}{4}}$ is bounded by $1.075^{n-1}$ (see [35, §2.4.2]). A very fast software implementation of the LLL algorithm is available with the fplll library [10].
fields: $L_Q[1/3, (64/9)^{1/3}]$, with $Q = p^n$. The two polynomials are of degree $d + 1$ and $d \ge n$, for a parameter $d$ that depends on $\log Q$ as for the prime case. Note that the optimal choice of $d$ for the gJL method is $d = \delta \left(\frac{\log p}{\log \log p}\right)^{1/3}$ with $\delta = 3^{1/3}/2 \approx 0.72$ instead of $\delta = 3^{1/3}$ for the NFS-DL algorithm in prime fields. This is not surprising: in this case the sum of polynomial degrees $\deg f + \deg g$ is $2d + 1$ instead of $d + 1$.
The two polynomials defined for the 120dd record computation in [67] were $f = x^3 + x^2 - 2x - 1$ and $g = f + p$. This method does not scale well, and the authors propose a variant where the two polynomials have a balanced coefficient size of $p^{1/2}$ each. This polynomial selection method, combined with the relation collection over elements of degree $t - 1$, provides an asymptotic complexity of $L_Q[1/3, (128/9)^{1/3} \simeq 2.42]$. This asymptotic complexity went down in 2015 in [16] to $L_Q[1/3, (96/9)^{1/3} \simeq 2.201]$. These two asymptotic complexities were improved in [19, 96] to $L_Q[1/3, 2.39]$ and $L_Q[1/3, 2.156]$, respectively, by using a multiple number field sieve variant that we explain in the next paragraph. This variant has not been implemented for any finite field yet.
The idea is to use additional number fields and hope to generate more relations per polynomial (the $a - bx$ elements in Gordon's algorithm, for example). There are again two versions. The first is asymmetric: one number field, say the one defined by $f_0$, is preferred, and additional number fields defined by the $f_i$ are considered. For each element $a - bx$, one tests the smoothness of its image first in the number field defined by $f_0$, and if successful, then in all of the number fields defined by the $f_i$, to generate relations. This is used with a polynomial selection that produces a first polynomial much better than the second. This is the case for the base-$m$ method and was studied by Coppersmith [41]. The same machinery applies to the generalized Joux-Lercier method [85, 96]. In these two cases, the asymptotic complexity is $L_Q[1/3, 1.90]$ instead of $L_Q[1/3, 1.923]$ (where $Q = p^n$). This MNFS version also applies to the Conjugation method [96] and the complexity is $L_Q[1/3, 2.156]$ instead of $L_Q[1/3, 2.201]$.
The second, symmetric version tests the smoothness of the image of $a - bx$ in all the pairs of number fields defined by $f_i, f_j$ (for $i < j$). It applies to the NFS algorithm used with the JLSV1 polynomial selection method, in medium characteristic. The complexity is $L_Q[1/3, 2.39]$ instead of $L_Q[1/3, 2.42]$.
Unfortunately, none of these methods has been implemented yet, even for a reasonable finite field size, hence we cannot tell how much the smaller constant $c$ improves the running time in practice. There was a similar unknown in 1993. The cross-over point between the Coppersmith-Odlyzko-Schroeppel algorithm in $L_p[1/2]$ and Gordon's algorithm in $L_p[1/3]$ was estimated in 1995 at about 150 decimal digits. In the MNFS algorithm, the constant is slightly reduced, but no one knows the size of $Q$ for which, in practice, an MNFS variant will be faster than a regular NFS algorithm.
Brief history
Figure 9.4 shows the records in small-characteristic finite fields with the Function Field Sieve (FFS) and its various improvements, especially from 2012. Most of the records were announced on the number theory list (footnote 2). Finite fields of characteristic 2 and 3 and composite extension degree, such as target groups of pairing-friendly (hyper-)elliptic curves, must definitely be avoided, since fields of even more than 3072 bits were already reached in 2014.
The Waterloo algorithm. In 1984, Blake, Fuji-Hara, Mullin, and Vanstone proposed a dedicated implementation of Adleman's algorithm to $\mathbb{F}_{2^{127}}$ [27, 28]. They introduced the idea of systematic equations (using the Frobenius map) and initial splitting (this name was introduced later). Their idea works for finite fields of characteristic two and extension degree close to a power of 2 (e.g., 127). The asymptotic complexity of their method was $L_Q[1/2]$. In the same year, Blake, Mullin, and Vanstone [28] proposed an improved algorithm known as the Waterloo algorithm. Odlyzko computed the asymptotic complexity of this algorithm in [94]. The asymptotic complexity needs the estimation of the probability that a random polynomial over $\mathbb{F}_q$ of degree $m$ factors entirely into polynomials of degree at most $b$, i.e., is $b$-smooth. Odlyzko in [94, Equation (4.5), p. 14] gave the following estimation:
$$p(m, n) = \exp\left((1 + o(1))\,\frac{n}{m}\log_e\frac{m}{n}\right) \quad \text{for } n^{1/100} \le m \le n^{99/100}. \tag{9.13}$$
The initial splitting idea is still used nowadays, combined with the QPA algorithm. Given a random element $a(x)$ of $\mathrm{GF}(2^n)$ represented by a degree $n - 1$ polynomial over $\mathrm{GF}(2)$ modulo an irreducible degree $n$ polynomial $f(x)$, the algorithm runs the extended Euclidean algorithm to compute the GCD of $f(x)$ and $a(x)$. At each iteration, the following equation holds [27, §2]:
$$s_i(x)a(x) + t_i(x)f(x) = r_i(x). \tag{9.14}$$
Reducing this equation modulo $f(x)$, one obtains $a(x) \equiv r_i(x)/s_i(x) \bmod f(x)$. The degree of $r_i(x)$ decreases while the degree of $s_i(x)$ increases. By stopping the extended Euclidean algorithm at the state $i$ where $\deg r_i(x), \deg s_i(x) \le \lfloor n/2 \rfloor$, one obtains the initial splitting of $a(x)$ of degree $n - 1$ into two polynomials $r_i(x), s_i(x)$ of degree at most $\lfloor n/2 \rfloor$.
2 https://listserv.nodak.edu/cgi-bin/wa.exe?A0=NMBRTHRY
[Figure 9.4: plot of the finite field size $\log_2 Q$ in bits (1024 to 9216) and $Q$ in decimal digits (500 to 2500), with the series "DL in GF(2^n), n composite", "DL in GF(2^n), n prime", "DL in GF(3^n), n composite" and "DL in GF(r^n), n composite".]
Figure 9.4: Records of DL computation in fields $\mathbb{F}_{2^n}$, $\mathbb{F}_{3^n}$, $\mathbb{F}_{r^n}$ of small characteristic, with $n$ prime or composite. All the fields $\mathbb{F}_{2^n}$, $\mathbb{F}_{3^n}$ with $n$ composite are target fields of supersingular pairing-friendly (hyper-)elliptic curves.
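The initial splitting described above, as an added example that is neither the chapter's code nor the Waterloo authors' implementation: polynomials over GF(2) are packed into Python integers, the extended Euclidean algorithm tracks the $s_i$ and $r_i$ of Equation (9.14), and the field $\mathrm{GF}(2^7) = \mathrm{GF}(2)[x]/(x^7 + x + 1)$ and the element $a(x)$ are constructed here for the demonstration.

```python
# Added example (not the chapter's code): the initial-splitting step of the
# Waterloo algorithm for GF(2^n) = GF(2)[x]/(f(x)).
# Polynomials over GF(2) are encoded as Python ints, bit i = coefficient of x^i,
# so addition is XOR and the degree is bit_length() - 1.


def deg(p: int) -> int:
    """Degree of a GF(2)[x] polynomial (the zero polynomial has degree -1)."""
    return p.bit_length() - 1


def mul(a: int, b: int) -> int:
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def divmod_gf2(a: int, b: int) -> tuple[int, int]:
    """Quotient and remainder of a by b (b != 0) in GF(2)[x]."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and deg(a) >= deg(b):
        shift = deg(a) - deg(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def mod(a: int, f: int) -> int:
    return divmod_gf2(a, f)[1]


def initial_splitting(a: int, f: int) -> tuple[int, int]:
    """Split a(x) mod f(x) (deg f = n) as a = r_i / s_i with deg r_i, deg s_i <= n // 2.

    Runs the extended Euclidean algorithm on (f, a), maintaining the invariant
    s_i * a + t_i * f = r_i of Equation (9.14) (t_i is not needed, so it is not
    kept), and stops at the first state i where deg r_i <= floor(n/2).
    """
    n = deg(f)
    r_prev, r_cur = f, mod(a, f)   # r_0 = f, r_1 = a
    s_prev, s_cur = 0, 1           # s_0 = 0, s_1 = 1
    while deg(r_cur) > n // 2:
        q, rem = divmod_gf2(r_prev, r_cur)
        r_prev, r_cur = r_cur, rem
        s_prev, s_cur = s_cur, s_prev ^ mul(q, s_cur)   # s_{i+1} = s_{i-1} - q s_i
    return r_cur, s_cur


def check_splitting(a: int, f: int) -> bool:
    """Verify the degree bounds and that s * a = r (mod f), i.e. a = r / s in GF(2^n)."""
    r, s = initial_splitting(a, f)
    n = deg(f)
    return deg(r) <= n // 2 and deg(s) <= n // 2 and mod(mul(s, a) ^ r, f) == 0


if __name__ == "__main__":
    F = 0b10000011   # x^7 + x + 1, irreducible over GF(2): defines GF(2^7), n = 7
    A = 0b1011011    # constructed sample element x^6 + x^4 + x^3 + x + 1
    r, s = initial_splitting(A, F)
    print(f"r = {r:#b} (deg {deg(r)}), s = {s:#b} (deg {deg(s)}), "
          f"consistent = {check_splitting(A, F)}")
```

For the sample element the loop stops after two divisions with $r_i = x^2$ and $s_i = x^2 + x + 1$, both of degree $2 \le \lfloor 7/2 \rfloor$.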
Odlyzko computed the asymptotic complexity of the Waterloo algorithm to be [94, Equation (4.17), p. 19] $L_Q[1/2, (2\log_e(2))^{1/2} \approx 1.1774]$.
Coppersmith's $L_Q[1/3]$ algorithm and FFS algorithm. Building on the idea of systematic equations, Coppersmith [40] gave the first $L_Q[1/3, c]$ algorithm for DL computations over $\mathbb{F}_{2^n}$ (with $Q = 2^n$). He found $(32/9)^{1/3} \le c \le 4^{1/3}$ and did a record computation for $\mathbb{F}^*_{2^{127}}$. In 1994, Adleman [7] generalized this work to the case of any small characteristic, and this is now called the Function Field Sieve (FFS). This gave an $L_Q[1/3, (64/9)^{1/3}]$ algorithm for $Q$ of small characteristic, with a function field in place of the number field used for prime fields. Later, Adleman and Huang improved that to $L_Q[1/3, (32/9)^{1/3}]$ for $Q$ of small characteristic [8]; however,
Outside of the pairing-based cryptography context, the research and the records are focused on prime extension degrees. In 2002 Thomé increased the Coppersmith record up to $\mathrm{GF}(2^{607})$ [115, 116]. During the same time, Joux and Lercier implemented FFS for $\mathrm{GF}(2^{521})$ in [64]. Continuing the record series, in 2005, Joux and Lercier recomputed a record in $\mathrm{GF}(2^{607})$ and went slightly further with a record in $\mathrm{GF}(2^{613})$. They also investigated the use of FFS for larger characteristic finite fields in [66]. In 2013, a record of the CARAMEL group in $\mathrm{GF}(2^{809})$ with FFS was announced by Bouvier on the NMBRTHRY list [14] and published in [15]. The current record is held by Kleinjung, in $\mathrm{GF}(2^{1279})$ [76].
Since 2000, examples of supersingular pairing-friendly elliptic curves of cryptographic size have arisen. Two curves are well studied in characteristic 2 and 3 for the various speed-ups they
2. $L_{p^n}[1/3, (32/9)^{1/3} \approx 1.526]$ when $n$ is composite and $p$ has a special form.
The generic case where $n$ is prime is not affected by these new improvements. We summarize in Table 9.4 the new theoretical security of a pairing-friendly curve where (1) $n$ is composite and (2) $n$ is composite and $p$ of special form, for $p^n$ of 3072 bits.
Note: The numbers should be read as follows: a 3072-bit finite field, which is the embedding field of a BN curve whose $p$ is of special form and $n$ is composite, will provide approximately a security level of $2^{110 - \delta_{BN}}$, where $\delta_{BN}$ depends on the curve and on the implementation of the special extended NFS variant.
We explain here where these key sizes come from. The running-time complexity of the most efficient attacks on discrete logarithm computation and factorization is considered and balanced to fit the latest records. In practice, we calibrate the asymptotic complexity (we set the constant hidden in the $O()$ notation) so that it matches the largest DL record computations. For prime fields $\mathbb{F}_p$ with no special form of the prime $p$, the asymptotic formula of NFS-DL is $L_p[1/3, (64/9)^{1/3}]$, and we consider its logarithm in base 2:
with $n = \log_2 N$. The last record was a DL computation in a prime field of 180dd or 596 bits, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1406&L=NMBRTHRY&F=&S=&P=3161.
Figure 9.5 presents the records of DL computation in prime fields, the records of RSA modulus factorization and an interpolation according to [81, §3] by a Moore law doubling every nine months.
[Figure 9.5: plot of the finite field size $\log_2 p^n$ in bits (128 to 1024) and $p^n$ in decimal digits (50 to 300) against the year (1995 to 2015), with the series: RSA modulus factorization; interpolation (Moore law); DL in GF(p), GF(p^2), GF(p^3), GF(p^4), GF(p^5), GF(p^6) and GF(p^12).]
Figure 9.5: Records of DL computation in prime fields and RSA modulus factorization.
To estimate the required modulus size, we compute the logarithm in base 2 of the L-notation (9.15) and translate it such that $\log_2 L[c, \alpha](598) \approx 60$ (with 180dd = 598 bits). We obtain $\log_2 L[c, \alpha](598) = 68.5$, so we set $a = -8.5$. We obtain $\log_2 L[c, \alpha](3072) - 8.5 = 130$, so we can safely deduce that a 3072-bit prime field with a generic safe prime is enough to provide a 128-bit security level.
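The calibration just described, as an added example that is not the chapter's own code: it computes $\log_2$ of $L_N[1/3, (64/9)^{1/3}]$ for an $N$ of the given bit size, derives the additive constant $a$ from the 598-bit record at the assumed $2^{60}$ effort, and applies it to 3072 bits. The binary search for the smallest field size reaching a target level goes one step beyond the text.

```python
import math

# Added example (not code from the chapter): calibrating the L-notation
#   L_N[alpha, c] = exp(c * (ln N)^alpha * (ln ln N)^(1 - alpha))
# against the 180-decimal-digit (598-bit) prime-field DL record, as the text
# does: log2 L(598) is about 68.5, so an additive constant a = -8.5 maps the
# record to a 60-bit effort, and the same constant then gives the calibrated
# security of larger fields.

C_NFS_DL = (64 / 9) ** (1 / 3)  # c = (64/9)^(1/3) ~ 1.923 for a generic prime p


def log2_L(bits: int, c: float = C_NFS_DL, alpha: float = 1 / 3) -> float:
    """log2 of L_N[alpha, c] for N ~ 2**bits (the uncalibrated effort in bits)."""
    ln_n = bits * math.log(2)        # ln N
    ln_ln_n = math.log(ln_n)         # ln ln N
    return c * ln_n ** alpha * ln_ln_n ** (1 - alpha) / math.log(2)


def calibration_offset(record_bits: int, record_effort: float,
                       c: float = C_NFS_DL, alpha: float = 1 / 3) -> float:
    """Constant a such that log2 L(record_bits) + a == record_effort."""
    return record_effort - log2_L(record_bits, c, alpha)


def security_level(bits: int, offset: float,
                   c: float = C_NFS_DL, alpha: float = 1 / 3) -> float:
    """Calibrated security (in bits) of a field of the given bit size."""
    return log2_L(bits, c, alpha) + offset


def smallest_field_bits(target: float, offset: float,
                        c: float = C_NFS_DL, alpha: float = 1 / 3,
                        lo: int = 64, hi: int = 1 << 16) -> int:
    """Smallest bit size whose calibrated security reaches `target`.

    log2_L is increasing in `bits`, so a binary search on [lo, hi] suffices.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if security_level(mid, offset, c, alpha) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    a = calibration_offset(598, 60)   # record: 180 dd = 598 bits, ~2^60 effort
    print(f"log2 L(598) = {log2_L(598):.1f}, offset a = {a:.1f}")
    print(f"calibrated security of a 3072-bit prime field: "
          f"{security_level(3072, a):.0f} bits")
    print(f"smallest prime field for 128-bit security: "
          f"{smallest_field_bits(128, a)} bits")
```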
• Use a curve in a family with a non-special-form seed, i.e., the prime $p = P(x_0)$ is such that $x_0$ has no special form (e.g., $x_0 \neq 2^{63} + 1$);
• Use a curve with low-degree polynomials defining the parameters, e.g., degree 2 (MNT and Galbraith-McKee-Valença curves) or degree 4 (Freeman curves);
• Use a curve whose discriminant $D$ is large (e.g., constructed with the Cocks-Pinch or Dupont-Enge-Morain method, or an MNT, a Galbraith-McKee-Valença, or a Freeman curve);
• Use a prime embedding degree.
1. If $n$ is prime,
   (a) and $p$ has no special form (e.g., supersingular curves where $k = 2$, MNT curves where $n = 3$, and any curves constructed with the Cocks-Pinch or Dupont-Enge-Morain methods), then only the generic NFS algorithms apply.
       i. In a large-characteristic finite field, the generalized Joux–Lercier method of asymptotic complexity $L_Q[1/3, 1.923]$ (and $L_Q[1/3, 1.90]$ in the multiple-NFS version) applies.
       ii. In a medium-characteristic finite field, the conjugation method of asymptotic complexity $L_Q[1/3, 2.20]$ applies. The multiple-NFS version has an asymptotic complexity of $L_Q[1/3, 2.15]$. The finite field size does not need to be enlarged for now.
       In practice, for large sizes of finite fields, the Sarkar-Singh method that interpolates between the GJL and the Conjugation methods provides smaller norms. In this case, the key size should be enlarged by maybe 10% but not significantly, since the asymptotic complexity is not lower than the complexity of NFS in a prime field: $L_Q[1/3, 1.923]$.
   (b) If $p$ is given by a polynomial of degree at least three, i.e., $p = P(u)$ where $\deg(P) \ge 3$, then the Joux–Pierrot method applies. In the medium-characteristic case, the asymptotic complexity tends to $L_Q[1/3, 1.923]$ for large $\deg(P)$. In large characteristic, the pairing-friendly curves ($k = 2, 3, 4, 6$ for instance) are such that $\deg(P) = 2$ only.
[1] D.SPA.20. ECRYPT2 Yearly Report on Algorithms and Keysizes (2011-2012). European Network of Excellence in Cryptology II, September 2012.
[2] NSA Suite B. Fact Sheet Suite B Cryptography. National Security Agency, U.S.A., September 2014.
[3] RGS-B1. Mécanismes cryptographiques - Règles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques. Agence Nationale de la Sécurité des Systèmes d'Information, France, February 2014. Version 2.03.
[4] SP-800-57. Recommendation for Key Management – Part 1: General. National Institute of Standards and Technology, U.S. Department of Commerce, July 2012.
[5] Gora Adj, Alfred Menezes, Thomaz Oliveira, and Francisco Rodríguez-Henríquez. Computing discrete logarithms in $\mathbb{F}_{3^{6 \cdot 137}}$ and $\mathbb{F}_{3^{6 \cdot 163}}$ using Magma. In Ç. K. Koç, S. Mesnager, and E. Savas, editors, Arithmetic of Finite Fields (WAIFI 2014), volume 9061 of Lecture Notes in Computer Science, pp. 3–22. Springer, 2014.
[6] Leonard Adleman. A subexponential algorithm for the discrete logarithm problem with applications to cryptography. In 20th Annual Symposium on Foundations of Computer Science, pp. 55–60. IEEE Computer Society Press, 1979.
[7] Leonard Adleman. The function field sieve. In L. M. Adleman and M.-D. Huang, editors, Algorithmic Number Theory (ANTS-I), volume 877 of Lecture Notes in Computer Science, pp. 141–154. Springer, 1994.
[8] Leonard M. Adleman and Ming-Deh A. Huang. Function field sieve method for discrete logarithms over finite fields. Information and Computation, 151(1/2):5–16, 1999.
[9] David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In I. Ray, N. Li, and C. Kruegel, editors, 22nd ACM Conference on Computer and Communications Security, pp. 5–17. ACM Press, 2015.
[10] M. Albrecht, S. Bai, D. Cadé, X. Pujol, and D. Stehlé. fplll-4.0, a floating-point LLL implementation. Available at http://perso.ens-lyon.fr/damien.stehle.
[11] Shi Bai. Polynomial Selection for the Number Field Sieve. PhD thesis, Australian National University, 2011. http://maths.anu.edu.au/~brent/pd/Bai-thesis.pdf.
[12] Shi Bai, Richard Brent, and Emmanuel Thomé. Root optimization of polynomials in the number field sieve. Mathematics of Computation, 84(295):2447–2457, 2015.
BIBLIOGRAPHY 35
[13] Razvan Barbulescu. Algorithmes de logarithmes discrets dans les corps finis. PhD thesis, Université de Lorraine, 2013. https://tel.archives-ouvertes.fr/tel-00925228.
[14] Razvan Barbulescu, Cyril Bouvier, Jérémie Detrey, Pierrick Gaudry, Hamza Jeljeli, Emmanuel Thomé, Marion Videau, and Paul Zimmermann. Discrete logarithm in $\mathrm{GF}(2^{809})$ with FFS, April 2013. Announcement available at the NMBRTHRY archives, item 004534.
[15] Razvan Barbulescu, Cyril Bouvier, Jérémie Detrey, Pierrick Gaudry, Hamza Jeljeli, Emmanuel Thomé, Marion Videau, and Paul Zimmermann. Discrete logarithm in $\mathrm{GF}(2^{809})$ with FFS. In H. Krawczyk, editor, PKC 2014: 17th International Conference on Theory and Practice of Public Key Cryptography, volume 8383 of Lecture Notes in Computer Science, pp. 221–238. Springer, Heidelberg, 2014.
[16] Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, and François Morain. Improving NFS for the discrete logarithm problem in non-prime finite fields. In E. Oswald and M. Fischlin, editors, Advances in Cryptology – EUROCRYPT 2015, Part I, volume 9056 of Lecture Notes in Computer Science, pp. 129–155. Springer, Heidelberg, 2015.
[17] Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, and Emmanuel Thomé. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In P. Q. Nguyen and E. Oswald, editors, Advances in Cryptology – EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pp. 1–16. Springer, Heidelberg, 2014.
[18] Razvan Barbulescu, Pierrick Gaudry, and Thorsten Kleinjung. The tower number field sieve. In T. Iwata and J. H. Cheon, editors, Advances in Cryptology – ASIACRYPT 2015, Part II, volume 9453 of Lecture Notes in Computer Science, pp. 31–55. Springer, Heidelberg, 2015.
[19] Razvan Barbulescu and Cécile Pierrot. The Multiple Number Field Sieve for Medium and High Characteristic Finite Fields. LMS Journal of Computation and Mathematics, 17:230–246, 2014.
[20] Paulo S. L. M. Barreto, Ben Lynn, and Michael Scott. Constructing elliptic curves with prescribed embedding degrees. In S. Cimato, C. Galdi, and G. Persiano, editors, Security in Communication Networks (SCN 2002), volume 2576 of Lecture Notes in Computer Science, pp. 257–267. Springer, Heidelberg, 2003.
[21] Paulo S. L. M. Barreto and Michael Naehrig. Pairing-friendly elliptic curves of prime order. In B. Preneel and S. Tavares, editors, Selected Areas in Cryptography (SAC 2005), volume 3897 of Lecture Notes in Computer Science, pp. 319–331. Springer, Heidelberg, 2006.
[22] Daniel J. Bernstein and Tanja Lange. Computing small discrete logarithms faster. In S. D. Galbraith and M. Nandi, editors, Progress in Cryptology – INDOCRYPT 2012, volume 7668 of Lecture Notes in Computer Science, pp. 317–338. Springer, Heidelberg, 2012.
[23] Daniel J. Bernstein and Tanja Lange. Non-uniform cracks in the concrete: The power of free precomputation. In K. Sako and P. Sarkar, editors, Advances in Cryptology – ASIACRYPT 2013, Part II, volume 8270 of Lecture Notes in Computer Science, pp. 321–340. Springer, Heidelberg, 2013.
[24] Daniel J. Bernstein, Tanja Lange, and Peter Schwabe. On the correct use of the negation map in the Pollard rho method. In D. Catalano et al., editors, Public Key Cryptography – PKC 2011, volume 6571 of Lecture Notes in Computer Science, pp. 128–146. Springer, Heidelberg, 2011.
[25] Yuval Bistritz and Alexander Lifshitz. Bounds for resultants of univariate and bivariate polynomials. Linear Algebra and its Applications, 432(8):1995–2005, 2009.
[26] Simon R. Blackburn and Edlyn Teske. Baby-step giant-step algorithms for non-uniform distributions. In W. Bosma, editor, Algorithmic Number Theory (ANTS-IV), volume 1838 of Lecture Notes in Computer Science, pp. 153–168. Springer, 2000.
[27] Ian F. Blake, Ryoh Fuji-Hara, Ronald C. Mullin, and Scott A. Vanstone. Computing logarithms in finite fields of characteristic two. SIAM Journal on Algebraic Discrete Methods, 5(2):276–285, 1984.
[28] Ian F. Blake, Ronald C. Mullin, and Scott A. Vanstone. Computing logarithms in $\mathrm{GF}(2^n)$. In G. R. Blakley and D. Chaum, editors, Advances in Cryptology, Proceedings of CRYPTO ’84, volume 196 of Lecture Notes in Computer Science, pp. 73–82. Springer, Heidelberg, 1984.
[29] Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the Weil pairing. In C. Boyd, editor, Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pp. 514–532. Springer, Heidelberg, 2001.
[30] Cyril Bouvier. Algorithmes pour la factorisation d’entiers et le calcul de logarithme discret. PhD thesis, Université de Lorraine, 2015. https://tel.archives-ouvertes.fr/tel-01167281.
[31] Richard P. Brent. An improved Monte Carlo factorization algorithm. BIT, 20:176–184, 1980.
[32] Friederike Brezing and Annegret Weng. Elliptic curves suitable for pairing based cryptography. Designs, Codes and Cryptography, 37(1):133–141, 2005.
[33] Joe P. Buhler, Hendrik W. Lenstra Jr., and Carl Pomerance. Factoring integers with the number field sieve. In A. K. Lenstra and H. W. Lenstra Jr., editors, The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics, pp. 50–94. Springer, 1993.
[34] Earl R. Canfield, Paul Erdős, and Carl Pomerance. On a problem of Oppenheim concerning “factorisatio numerorum”. Journal of Number Theory, 17(1):1–28, 1983.
[38] An Commeine and Igor Semaev. An algorithm to solve the discrete logarithm problem with the number field sieve. In M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, editors, Public Key Cryptography – PKC 2006, volume 3958 of Lecture Notes in Computer Science, pp. 174–190. Springer, Heidelberg, 2006.
[39] D. Coppersmith. Solving linear equations over GF(2) via block Wiedemann algorithm. Mathematics of Computation, 62(205):333–350, 1994.
[40] Don Coppersmith. Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory, 30(4):587–594, 1984.
[41] Don Coppersmith. Modifications to the number field sieve. Journal of Cryptology, 6(3):169–180, 1993.
[42] Don Coppersmith, Andrew M. Odlyzko, and Richard Schroeppel. Discrete logarithms in GF(p). Algorithmica, 1(1):1–15, 1986.
[43] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.
[44] Iwan M. Duursma, Pierrick Gaudry, and François Morain. Speeding up the discrete log computation on curves with automorphisms. In K.-Y. Lam, E. Okamoto, and C. Xing, editors, Advances in Cryptology – ASIACRYPT ’99, volume 1716 of Lecture Notes in Computer Science, pp. 103–121. Springer, Heidelberg, 1999.
[45] A. E. Escott, J. C. Sager, A. P. L. Selkirk, and D. Tsapakidis. Attacking elliptic curve cryptosystems using the parallel Pollard rho method. CryptoBytes, 4, 1999.
[46] Philippe Flajolet and Andrew M. Odlyzko. Random mapping statistics. In J.-J. Quisquater and J. Vandewalle, editors, Advances in Cryptology – EUROCRYPT ’89, volume 434 of Lecture Notes in Computer Science, pp. 329–354. Springer, Heidelberg, 1990.
[47] Fujitsu Laboratories, NICT, and Kyushu University. DL record in $\mathbb{F}_{3^{6 \cdot 97}}$ of 923 bits (278 dd). NICT press release, June 18, 2012. http://www.nict.go.jp/en/press/2012/06/18en-1.html.
[48] Steven Galbraith. Quasi-polynomial-time algorithm for discrete logarithm in finite fields of small/medium characteristic. The Elliptic Curve Cryptography blog, June 2013. https://ellipticnews.wordpress.com/2013/06/21.
[49] Steven D. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pp. 495–513. Springer, Heidelberg, 2001.
[50] Steven D. Galbraith and Pierrick Gaudry. Recent progress on the elliptic curve discrete logarithm problem. Cryptology ePrint Archive, Report 2015/1022, 2015. http://eprint.iacr.org/2015/1022.
[51] Steven D. Galbraith and Raminder S. Ruprai. An improvement to the Gaudry-Schost algorithm for multidimensional discrete logarithm problems. In M. G. Parker, editor, Cryptography and Coding, volume 5921 of Lecture Notes in Computer Science, pp. 368–382. Springer, Heidelberg, 2009.
[52] Steven D. Galbraith and Raminder S. Ruprai. Using equivalence classes to accelerate solving the discrete logarithm problem in a short interval. In P. Q. Nguyen and D. Pointcheval, editors, Public Key Cryptography – PKC 2010, volume 6056 of Lecture Notes in Computer Science, pp. 368–383. Springer, Heidelberg, 2010.
[53] Steven D. Galbraith, Ping Wang, and Fangguo Zhang. Computing elliptic curve discrete logarithms with improved baby-step giant-step algorithm. Cryptology ePrint Archive, Report 2015/605, 2015. http://eprint.iacr.org/2015/605.
[54] Pierrick Gaudry and Éric Schost. A low-memory parallel version of Matsuo, Chao, and Tsujii’s algorithm. In D. A. Buell, editor, Algorithmic Number Theory (ANTS-VI), volume 3076 of Lecture Notes in Computer Science, pp. 208–222. Springer, 2004.
[55] Daniel M. Gordon. Discrete logarithms in GF(p) using the number field sieve. SIAM Journal on Discrete Mathematics, 6(1):124–138, 1993.
[56] Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel. Breaking ’128-bit secure’ supersingular binary curves - (or how to solve discrete logarithms in $\mathbb{F}_{2^{4 \cdot 1223}}$ and $\mathbb{F}_{2^{12 \cdot 367}}$). In J. A. Garay and R. Gennaro, editors, Advances in Cryptology – CRYPTO 2014, Part II, volume 8617 of Lecture Notes in Computer Science, pp. 126–145. Springer, Heidelberg, 2014.
[57] Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel. Discrete logarithms in $\mathrm{GF}(2^{9234})$, 2014. Announcement available at the NMBRTHRY archives, item 004666.
[58] Takuya Hayashi, Takeshi Shimoyama, Naoyuki Shinohara, and Tsuyoshi Takagi. Breaking pairing-based cryptosystems using $\eta_T$ pairing over $\mathrm{GF}(3^{97})$. In X. Wang and K. Sako, editors, Advances in Cryptology – ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pp. 43–60. Springer, Heidelberg, 2012.
[59] Takuya Hayashi, Naoyuki Shinohara, Lihua Wang, Shin’ichiro Matsuo, Masaaki Shirase, and Tsuyoshi Takagi. Solving a 676-bit discrete logarithm problem in $\mathrm{GF}(3^{6n})$. In P. Q. Nguyen and D. Pointcheval, editors, Public Key Cryptography – PKC 2010, volume 6056 of Lecture Notes in Computer Science, pp. 351–367. Springer, Heidelberg, 2010.
[60] Yvonne Hitchcock, Paul Montague, Gary Carter, and Ed Dawson. The efficiency of solving multiple discrete logarithm problems and the implications for the security of fixed elliptic curves. International Journal of Information Security, 3(2):86–98, 2004.
[61] Jinhyuck Jeong and Taechan Kim. Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. Cryptology ePrint Archive, Report 2016/526, 2016. http://eprint.iacr.org/.
[62] Antoine Joux. Faster index calculus for the medium prime case. Application to 1175-bit and 1425-bit finite fields. In T. Johansson and P. Q. Nguyen, editors, Advances in Cryptology – EUROCRYPT 2013, volume 7881 of Lecture Notes in Computer Science, pp. 177–193. Springer, Heidelberg, 2013.
[63] Antoine Joux. A new index calculus algorithm with complexity L(1/4 + o(1)) in small characteristic. In T. Lange, K. Lauter, and P. Lisonek, editors, Selected Areas in Cryptography – SAC 2013, volume 8282 of Lecture Notes in Computer Science, pp. 355–379. Springer, Heidelberg, 2014.
[64] Antoine Joux and Reynald Lercier. The function field sieve is quite special. In C. Fieker and D. R. Kohel, editors, Algorithmic Number Theory (ANTS-V), volume 2369 of Lecture Notes in Computer Science, pp. 431–445. Springer, 2002.
[65] Antoine Joux and Reynald Lercier. Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Mathematics of Computation, 72(242):953–967, 2003.
[66] Antoine Joux and Reynald Lercier. The function field sieve in the medium prime case. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pp. 254–270. Springer, Heidelberg, 2006.
[67] Antoine Joux, Reynald Lercier, Nigel Smart, and Frederik Vercauteren. The number field sieve in the medium prime case. In C. Dwork, editor, Advances in Cryptology – CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, pp. 326–344. Springer, Heidelberg, 2006.
[68] Antoine Joux and Cécile Pierrot. Improving the polynomial time precomputation of Frobenius representation discrete logarithm algorithms - simplified setting for small characteristic finite fields. In P. Sarkar and T. Iwata, editors, Advances in Cryptology – ASIACRYPT 2014, Part I, volume 8873 of Lecture Notes in Computer Science, pp. 378–397. Springer, Heidelberg, 2014.
[69] Antoine Joux and Cécile Pierrot. The special number field sieve in $\mathbb{F}_{p^n}$ - application to pairing-friendly constructions. In Z. Cao and F. Zhang, editors, Pairing-Based Cryptography – Pairing 2013, volume 8365 of Lecture Notes in Computer Science, pp. 45–61. Springer, Heidelberg, 2014.
[70] Antoine Joux and Cécile Pierrot. Nearly sparse linear algebra. Cryptology ePrint Archive, Report 2015/930, 2015. http://eprint.iacr.org/.
[71] Michael Kalkbrener. An upper bound on the number of monomials in determinants of sparse matrices with symbolic entries. Mathematica Pannonica, 8:73–82, 1997.
[72] Minkyu Kim, Jung Hee Cheon, and Jin Hong. Subset-restricted random walks for Pollard rho method on $\mathbb{F}_{p^m}$. In S. Jarecki and G. Tsudik, editors, Public Key Cryptography – PKC 2009, volume 5443 of Lecture Notes in Computer Science, pp. 54–67. Springer, Heidelberg, 2009.
[73] Taechan Kim and Razvan Barbulescu. Extended tower number field sieve: A new complexity for the medium prime case. In Advances in Cryptology – CRYPTO 2016, Part I, Lecture Notes in Computer Science, pp. 543–571. Springer, Heidelberg, 2016.
[74] Thorsten Kleinjung. On polynomial selection for the general number field sieve. Mathematics of Computation, 75(256):2037–2047, 2006.
[75] Thorsten Kleinjung. Polynomial selection. Invited talk at the CADO-NFS workshop, Nancy, France, October 2008. Slides available at http://cado.gforge.inria.fr/workshop/slides/kleinjung.pdf.
[76] Thorsten Kleinjung. Discrete logarithms in $\mathrm{GF}(2^{1279})$, October 2014. Announcement available at the NMBRTHRY archives, item 004751.
[77] Neal Koblitz and Alfred Menezes. Another look at non-standard discrete log and Diffie-Hellman problems. Journal of Mathematical Cryptology, 2(4):311–326, 2008.
[78] Maurice Kraitchik. Théorie des Nombres. Gauthier–Villars, 1922.
[79] Maurice Kraitchik. Recherches sur la Théorie des Nombres. Gauthier–Villars, 1924.
[80] Fabian Kuhn and René Struik. Random walks revisited: Extensions of Pollard’s rho algorithm for computing multiple discrete logarithms. In S. Vaudenay and A. M. Youssef, editors, Selected Areas in Cryptography (SAC 2001), volume 2259 of Lecture Notes in Computer Science, pp. 212–229. Springer, Heidelberg, 2001.
[81] Arjen K. Lenstra. Unbelievable security: Matching AES security using public key systems (invited talk). In C. Boyd, editor, Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pp. 67–86. Springer, Heidelberg, 2001.
[83] Arjen K. Lenstra, Hendrik W. Lenstra Jr., and László Lovász. Factoring polynomials
with rational coefficients. Mathematische Annalen, 261(4):515–534, 1982.
[84] Arjen K. Lenstra and Eric R. Verheul. Selecting cryptographic key sizes. Journal of
Cryptology, 14(4):255–293, 2001.
[85] D. V. Matyukhin. Effective version of the number field sieve for discrete logarithms
in the field GF(pk ) (in Russian). Trudy po Discretnoi Matematike, 9:121–151, 2006.
[86] Ueli M. Maurer and Stefan Wolf. The relationship between breaking the Diffie-
Hellman protocol and computing discrete logarithms. SIAM Journal on Computing,
28(5):1689–1721, 1999.
[87] Ueli M. Maurer and Stefan Wolf. The Diffie-Hellman protocol. Designs, Codes and
Cryptography, 19(2/3):147–171, 2000.
[88] Kevin S. McCurley. The discrete logarithm problem. In C. Pomerance, editor,
Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia
in Applied Mathematics, pp. 49–74. AMS, 1990.
[89] Alfred J. Menezes, Tatsuaki Okamoto, and Scott A. Vanstone. Reducing elliptic
curves logarithms to logarithms in a finite field. IEEE Transactions on Information
Theory, 39(5):1639–1646, 1993.
[90] Atsuko Miyaji, Masaki Nakabayashi, and Shunzo Takano. Characterization of elliptic
curve traces under FR-reduction. In D. Won, editor, Information Security and
Cryptology – ICISC 2000, volume 2015 of Lecture Notes in Computer Science, pp.
90–108. Springer, Heidelberg, 2001.
[91] Peter L. Montgomery. Speeding the Pollard and elliptic curve methods of factorization.
Mathematics of Computation, 48(177):243–264, 1987.
[92] B. A. Murphy. Polynomial Selection for the Number Field Sieve Integer Factorisation
Algorithm. PhD thesis, Australian National University, 1999. http://maths-people.
anu.edu.au/~brent/pd/Murphy-thesis.pdf.
[93] Brian A. Murphy. Modelling the yield of number field sieve polynomials. In J. P.
Buhler, editor, Algorithmic Number Theory: Third International Symposium, ANTS-
III Portland, Oregon, USA, June 21–25, 1998 Proceedings, Lecture Notes in Computer
Science, pp. 137–150. Springer Berlin Heidelberg, 1998.
[94] Andrew M. Odlyzko. Discrete logarithms in finite fields and their cryptographic
significance. In T. Beth, N. Cot, and I. Ingemarsson, editors, Advances in Cryptology
– EUROCRYPT ’84, volume 209 of Lecture Notes in Computer Science, pp. 224–314.
Springer, Heidelberg, 1985.
[95] Hilarie Orman and Paul Hoffman. Determining strengths for public keys used for
exchanging symmetric keys. Request for Comments RFC 3766, Internet Engineering
Task Force (IETF), 2004.
[96] Cécile Pierrot. The multiple number field sieve with conjugation and generalized
Joux-Lercier methods. In E. Oswald and M. Fischlin, editors, Advances in Cryptology –
EUROCRYPT 2015, Part I, volume 9056 of Lecture Notes in Computer Science, pp.
156–170. Springer, Heidelberg, 2015.
[97] John M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics
of Computation, 32(143):918–924, 1978.
[98] John M. Pollard. Kangaroos, monopoly and discrete logarithms. Journal of Cryptology,
13(4):437–447, 2000.
[99] Hans-Georg Rück. On the discrete logarithm in the divisor class group of curves.
Mathematics of Computation, 68(226):805–806, 1999.
[100] Palash Sarkar and Shashank Singh. New complexity trade-offs for the (multiple)
number field sieve algorithm in non-prime fields. Cryptology ePrint Archive, Report
2015/944, 2015. http://eprint.iacr.org/2015/944.
[101] Palash Sarkar and Shashank Singh. A general polynomial selection method and new
asymptotic complexities for the tower number field sieve algorithm. Cryptology ePrint
Archive, Report 2016/485, 2016. http://eprint.iacr.org/.
[102] Palash Sarkar and Shashank Singh. A generalisation of the conjugation method for
polynomial selection for the extended tower number field sieve algorithm. Cryptology
ePrint Archive, Report 2016/537, 2016. http://eprint.iacr.org/.
[103] Palash Sarkar and Shashank Singh. Tower number field sieve variant of a recent
polynomial selection method. Cryptology ePrint Archive, Report 2016/401, 2016.
http://eprint.iacr.org/.
[104] Takakazu Satoh and Kiyomichi Araki. Fermat quotients and the polynomial time
discrete log algorithm for anomalous elliptic curves. Commentarii Math. Univ. St.
Pauli, 47(1):81–92, 1998.
[105] Jürgen Sattler and Claus-Peter Schnorr. Generating random walks in groups. Ann.
Univ. Sci. Budapest. Sect. Comput., 6:65–79, 1985.
[106] Oliver Schirokauer. Discrete logarithms and local units. Philosophical Transactions
of the Royal Society, 345(1676):409–423, 1993.
[107] Daniel Shanks. Class number, a theory of factorization, and genera. In D. J. Lewis,
editor, 1969 Number Theory Institute, volume 20 of Proceedings of Symposia in
Applied Mathematics, pp. 415–440. AMS, 1971.
[108] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete
logarithms on a quantum computer. SIAM Journal on Computing, 26(5):1484–1509,
1997.
[109] Nigel P. Smart. The discrete logarithm problem on elliptic curves of trace one. Journal
of Cryptology, 12(3):193–196, 1999.
[110] Andreas Stein and Edlyn Teske. Optimized baby step–giant step methods. J.
Ramanujan Math. Soc., 20(1):27–58, 2005.
[111] Douglas R. Stinson. Cryptography: Theory and Practice. Discrete Mathematics and
Its Applications. Chapman and Hall/CRC, 3rd edition, 2006.
[112] The CADO-NFS Development Team. CADO-NFS, an implementation of the number
field sieve algorithm, 2015. Release 2.2.0.
[114] Edlyn Teske. Speeding up Pollard’s rho method for computing discrete logarithms. In
J. P. Buhler, editor, Algorithmic Number Theory (ANTS-III), volume 1423 of Lecture
Notes in Computer Science, pp. 541–554. Springer, 1998.
[115] Emmanuel Thomé. Computation of discrete logarithms in F_{2^607}. In C. Boyd, editor,
Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in
Computer Science, pp. 107–124. Springer, Heidelberg, 2001.
[118] Paul C. van Oorschot and Michael J. Wiener. Parallel collision search with cryptana-
lytic applications. Journal of Cryptology, 12(1):1–28, 1999.
[119] A. E. Western and J. C. P. Miller. Tables of Indices and Primitive Roots, volume 9 of
Royal Society Mathematical Tables. Cambridge University Press, 1968.
[120] D. H. Wiedemann. Solving sparse linear equations over finite fields. IEEE Transactions
on Information Theory, IT–32(1):54–62, 1986.
[121] Pavol Zajac. Discrete Logarithm Problem in Degree Six Finite Fields. PhD thesis,
Slovak University of Technology, 2008. http://www.kaivt.elf.stuba.sk/kaivt/
Vyskum/XTRDL.