A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm (original) (raw)
Related papers
IACR Cryptol. ePrint Arch., 2016
In a recent work, Kim and Barbulescu showed how to combine previous polynomial selection methods with the extended tower number field sieve algorithm to obtain improved complexity for the discrete logarithm problem on finite fields Fpn for the medium prime case and where n is composite and not a prime-power. A follow up work by Sarkar and Singh presented a general polynomial selection method and showed how to lower the complexity in the medium prime case even when n is composite and a prime-power. This complexity, though, was higher than what was reported for the case of n composite and not a prime-power. By suitably combining the Conjugation method of polynomial selection proposed earlier by Barbulescu et al. with the extended tower number field sieve algorithm, Jeong and Kim showed that the same asymptotic complexity is achieved for any composite n. The present work generalises the polynomial selection method of Jeong and Kim for all composite n. Though the best complexity that ca...
2016
The hardness of discrete logarithm problem over finite fields is the foundation of many cryptographic protocols. The state-of-art algorithms for solving the corresponding problem are number field sieve, function field sieve and quasi-polynomial time algorithm when the characteristics of the finite field are medium to large, medium-small and small, respectively. There are mainly three steps in such algorithms: polynomial selection, factor base logarithms computation, and individual logarithm computation. Note that the former two steps can be precomputed for fixed finite field, and the database containing factor base logarithms can be used by the last step for many times. In certain application circumstances, such as Logjam attack, speeding up the individual logarithm step is vital. In this paper, we devise two methods to improve the individual logarithm step by exploring subfield structure when the extension degree n is composite. The first method applies to the case when the charact...
New Discrete Logarithm Computation for the Medium Prime Case Using the Function Field Sieve
Advances in Mathematics of Communications, 2022
The present work reports progress in discrete logarithm computation for the general medium prime case using the function field sieve algorithm. A new record discrete logarithm computation over a 1051-bit field having a 22-bit characteristic was performed. This computation builds on and implements previously known techniques. Analysis indicates that the relation collection and descent steps are within reach for fields with 32-bit characteristic and moderate extension degrees. It is the linear algebra step which will dominate the computation time for any discrete logarithm computation over such fields.
Selecting polynomials for the Function Field Sieve
Mathematics of Computation, 2015
The Function Field Sieve algorithm is dedicated to computing discrete logarithms in a finite field Fqn, where q is a small prime power. The scope of this article is to select good polynomials for this algorithm by defining and measuring the size property and the so-called root and cancellation properties. In particular we present an algorithm for rapidly testing a large set of polynomials. Our study also explains the behaviour of inseparable polynomials, in particular we give an easy way to see that the algorithm encompass the Coppersmith algorithm as a particular case.
Non-linear polynomial selection for the number field sieve
Journal of Symbolic Computation, 2012
We present an algorithm to find two non-linear polynomials for the Number Field Sieve integer factorization method. This algorithm extends Montgomery's "two quadratics" method; for degree 3, it gives two skewed polynomials with resultant O(N 5/4 ), which improves on Williams O(N 4/3 ) result .
Primeless factoring-based cryptography
Factoring-based public-key cryptosystems have an overall complexity which is dominated by the key-production algorithm, which requires the generation of prime numbers. This is most inconvenient in settings where the key-generation is not an one-off process, e.g., secure delegation of computation or EKE password-based key exchange protocols. To this end, we extend the Goldwasser-Micali (GM) cryptosystem to a provably secure system, denoted SIS, where the generation of primes is bypassed. By developing on the correct choice of the parameters of SIS, we align SIS's security guarantees (i.e., resistance to factoring of moduli, etc.) to those of other well-known factoring-based cryptosystems. Taking into consideration different possibilities to implement the fundamental operations, we explicitly compare and contrast the asymptotic complexity of well-known public-key cryptosystems (e.g., GM and/or RSA) with that of SIS's. The latter shows that once we are ready to accept an increase in the size of the moduli, SIS offers a generally lower asymptotic complexity than, e.g., GM or even RSA (when scaling correctly the number of encrypted bits). This would yield most significant speed-ups to applications like the aforementioned secure delegation of computation or protocols where a fresh key needs to be generated with every new session, e.g., EKE password-based key exchange protocols.
Analytical cryptanalysis upon N = p2q utilizing Jochemsz-May strategy
PLOS ONE, 2021
This paper presents a cryptanalytic approach on the variants of the RSA which utilizes the modulus N = p2q where p and q are balanced large primes. Suppose e∈Z+ satisfying gcd(e, ϕ(N)) = 1 where ϕ(N) = p(p − 1)(q − 1) and d < Nδ be its multiplicative inverse. From ed − kϕ(N) = 1, by utilizing the extended strategy of Jochemsz and May, our attack works when the primes share a known amount of Least Significant Bits(LSBs). This is achievable since we obtain the small roots of our specially constructed integer polynomial which leads to the factorization of N. More specifically we show that N can be factored when the bound δ<119−294+18γ. Our attack enhances the bound of some former attacks upon N = p2q.
Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99
International Conference on the Theory and Application of Cryptology and Information Security, 2000
At Asiacrypt '99, Sun, Yang and Laih proposed three RSA variants with short secret exponent that resisted all known attacks, including the recent Boneh-Durfee attack from Eurocrypt '99 that improved Wiener's attack on RSA with short secret exponent. The resistance comes from the use of unbalanced primes p and q. In this paper, we extend the Boneh-Durfee attack to break two out of the three proposed variants. While the Boneh-Durfee attack was based on Coppersmith's lattice-based technique for finding small roots to bivariate modular polynomial equations, our attack is based on its generalization to trivariate modular polynomial equations. The attack is heuristic but works well in practice, as the Boneh-Durfee attack. In particular, we were able to break in a few minutes the numerical examples proposed by Sun, Yang and Laih. The results illustrate once again the fact that one should be very cautious when using short secret exponent with RSA.
New cryptanalytic results upon prime power moduli N = prq
PROCEEDINGS OF THE INTERNATIONAL CONFERENCE ON MATHEMATICAL SCIENCES AND TECHNOLOGY 2018 (MATHTECH2018): Innovative Technologies for Mathematics & Mathematics for Technological Innovation
In this paper we propose three attacks on the prime power modulus N = p r q for r ≥ 2. The first attack is based on the equation eX − NY + (q r + p r u)Y = Z for suitable positive integer u. Using continued fraction we show that Y X can be recovered among the convergents of the continued fraction expansion of e N. Also we show that the number of such exponents is at least N 5r−7 6(r+1) −ε where ε ≥ 0 is arbitrarily small for large N. Hence one can factor the prime power modulus N = p r q in polynomial time. For i = 1, ..., k, with k ≥ 2 and r ≥ 2 the second and third attacks works when attacks k RSA public keys (N i , e i) are such that there exist k relations of the form e i x − N i y i + (q r i + p r i u)y i = z i or of the shape e i x i − N i y + (q r i + p r i u)y = z i where the parameters x, x i , y, y i , z i are suitably small in terms of the prime factors of the moduli. Based on LLL algorithm we show that our attack enable us to simultaneously factor the k prime power RSA moduli N i .