Professional Documents
Culture Documents
Aurore Guillevic
01/03/2019
Séminaire de cryptographie, Rennes
Joint work with Shashank Singh, IISER Bhopal, India
1/34
Asymmetric cryptography
2/34
Discrete log problem
3/34
Discrete log problem
3/34
Discrete log problem
4/34
Discrete log problem
better way?
4/34
Discrete log problem
better way?
→ Use additional structure of G.
4/34
Discrete log problem when G = (Z/pZ)∗
5/34
Index calculus in (Z/pZ)∗ : example
2909 = 2 · 32 · 5
= 90 1 2 1 909
210 =5 =5 0 0 1 10
→ ·~x = mod 1018
2848 = 135 = 33 · 5 0 3 1 848
2960 = 12 = 22 · 3 2 1 0 960
Target h = 314
g 372 h = 24 · 52 mod p
log2 h = 4 + 2 · 10 − 372 mod 1018 = 670
from [15], F. Morain
6/34
Index calculus in (Z/pZ)∗ : example
Trick
Multiplicative relations over the integers
g1 , g2 , . . . , gi ←→ small prime integers
7/34
Index calculus in (Z/pZ)∗ : example
Trick
Multiplicative relations over the integers
g1 , g2 , . . . , gi ←→ small prime integers
7/34
Coppersmith–Odlyzko–Schroeppel 1986: Z[i]
8/34
Example in Z[i]
9/34
Example in Z[i]
a + bi a2 + b 2 factor in Z[i] aV + bU factor in Z
−17 + 19i 650= 2 · 52 · 13 2
−(1 − i)(2 + i) (2 − 3i) −7 −7
−11 + 2i 125= 53 i(2 + i)3 −231 −3 · 7 · 11
−6 + 17i 325= 52 · 13 (2 + i)2 (2 + 3i) 224 25 · 7
−4 + 7i 65= 5 · 13 i(2 − i)(2 + 3i) 54 2 · 33
−3 + 4i 25= 52 −(2 − i) 2 13 13
−2 + i 5= 5 −(2 − i) −28 −22 · 7
−2 + 3i 13= 13 −(2 − 3i) 16 24
−2 + 11i 125= 53 −(2 − i) 3 192 26 · 3
−1 + i 2= 2 −(1 − i) −3 −3
i 1= 1 i 22 2 · 11
1 + 3i 10= 2 · 5 (1 + i)(2 + i) 91 7 · 13
1 + 5i 26= 2 · 13 −(1 − i)(2 − 3i) 135 33 · 5
2+i 5= 5 (2 + i) 72 23 · 32
5+i 26= 2 · 13 −i(1 + i)(2 + 3i) 147 3 · 72
10/34
Example in Z[i]
−1 i (1 + i)(1 − i)(2 + i)(2 − i)(2 + 3i)(2 − 3i) 2 3 5 7 11 13 1/V
1 2 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 1 2 0 0 1 0 0 0 1 0 0 1
1 1 0 0 3 0 0 0 0 1 0 1 1 0 1
0 0 0 0 2 0 1 0 5 0 0 1 0 0 1
0 1 0 0 0 1 1 0 1 3 0 0 0 0 1
1 0 0 0 0 2 0 0 0 0 0 0 0 1 1
0 0 0 0 0 1 0 0 2 0 0 1 0 0 1
M=
1 0 0 0 0 0 0 1 4 0 0 0 0 0 1
1 0 0 0 0 3 0 0 6 1 0 0 0 0 1
0 0 0 1 0 0 0 0 0 1 0 0 0 0 1
0 1 0 0 0 0 0 0 1 0 0 0 1 0 1
0 0 1 0 1 0 0 0 0 0 0 1 0 1 1
1 0 0 1 0 0 0 1 0 3 1 0 0 0 1
0 0 0 0 1 0 0 0 3 2 0 0 0 0 1
1 1 1 0 0 0 1 0 0 1 0 2 0 0 1
11/34
Example in Z[i]
12/34
Number Field Sieve today
p log db x
slide N. Heninger
13/34
Latest DL record computation: 768-bit Fp
Kleinjung, Diem, A. Lenstra, Priplata, Stahlke, Eurocrypt’2017.
p = b2766 × πc + 62762 prime, 768 bits, 232 decimal digits, p =
1219344858334286932696341909195796109526657386154251328029
2736561757668709803065055845773891258608267152015472257940
7293588325886803643328721799472154219914818284150580043314
8410869683590659346847659519108393837414567892730579162319
(p − 1)/2 prime
f (x )=140x 4 + 34x 3 + 86x 2 + 5x − 55
g(x )=370863403886416141150505523919527677231932618184100095924x 3
−1937981312833038778565617469829395544065255938015920309679x 2
−217583293626947899787577441128333027617541095004734736415x
+277260730400349522890422618473498148528706115003337935150
Enumerate (∼ 1012 ) all f (x ) s.t. |fi | 6 165
By construction, |gi | ≈ p 1/4
14/34
Latest DL record computation: 768-bit Fp
gcd(f , g) = 1 in Q[x ]
∃ root m s.t. f (m) = g(m) = 0 (mod p), m =
4290295629231970357488936064013995423387122927373167219112
8794979019508571426956110520280493413148710512618823586632
1484497413188392653246206774027756646444183240629650904112
110269916261074281303302883725258878464313312196475775222
15/34
Complexity and key-sizes for cryptography
16/34
Complexity
I α = 1: exponential
I α = 0: polynomial
I 0 < α < 1: sub-exponential (including NFS)
17/34
L0N (1/3, 1.923)/28.2 (DL-768 ↔ 268.32 )
L0N (1/3, 1.923)/214 (RSA-768 ↔ 267 )
log2 cost
192
176
160
144
128
112
96
80
64
1024 2048 3072 4096 5120 6144 7168 8192
log2 p
18/34
Key length
I keylength.com
I France: ANSSI RGS B
RSA modulus and prime fields for DL: 3072 to 3200 bits
sub-exponential complexity to invert DL in Fp
19/34
Key length
I keylength.com
I France: ANSSI RGS B
RSA modulus and prime fields for DL: 3072 to 3200 bits
sub-exponential complexity to invert DL in Fp
19/34
Cryptographic pairing: black-box properties
(G1 , +), (G2 , +), (GT , ·) three cyclic groups of large prime order r
Bilinear Pairing: map e : G1 × G2 → GT
1. bilinear: e(P1 + P2 , Q) = e(P1 , Q) · e(P2 , Q),
e(P, Q1 + Q2 ) = e(P, Q1 ) · e(P, Q2 )
2. non-degenerate: e(g1 , g2 ) 6= 1 for hg1 i = G1 , hg2 i = G2
3. efficiently computable.
Mostly used in practice:
20/34
Examples of application
I 1984: idea of identity-based encryption formalized by Shamir
I 1999: first practical identity-based cryptosystem of
Sakai-Ohgishi-Kasahara
I 2000: constructive pairings, Joux’s tri-partite key-exchange
I 2001: IBE of Boneh-Franklin, short signatures
Boneh-Lynn-Shacham
Rely on
I Discrete Log Problem (DLP): given g, h ∈ G, compute x s.t.
g x = h Diffie-Hellman Problem (DHP)
I bilinear DLP and DHP
Given G1 , G2 , GT , g1 , g2 , gT and h ∈ GT , compute P ∈ G1
s.t. e(P, g2 ) = h, or Q ∈ G2 s.t. e(g1 , Q) = h
if gTx = h then e(g1x , g2 ) = e(g1 , g2x ) = gTx = h
I pairing inversion problem
21/34
Examples of application
22/34
Pairing-based cryptography
23/34
Pairing-based cryptography
Attacks
23/34
Pairing-based cryptography
Attacks
I inversion of e : hard problem (exponential)
23/34
Pairing-based cryptography
Attacks
I inversion of e : hard problem (exponential)
I discrete logarithm computation in E (Fp ) : hard problem
√
(exponential, in O( r ))
23/34
Pairing-based cryptography
Attacks
I inversion of e : hard problem (exponential)
I discrete logarithm computation in E (Fp ) : hard problem
√
(exponential, in O( r ))
I discrete logarithm computation in F∗p n : easier,
subexponential → take a large enough field
23/34
Pairing-friendly curves are special
MNT, n = 6:
p(x ) = 4x 2 + 1,#E (Fp )x 2 ∓ 2x + 1
BN, n = 12:
p(x ) = 36x 4 + 36x 3 + 24x 2 + 6x + 1,
r (x ) = 36x 4 + 36x 3 + 18x 2 + 6x + 1
24/34
Discrete Log in Fp n
25/34
Special Tower NFS
26/34
Special Tower NFS
Fp 6 , subfield Fp 2 defined by y 2 + 1
g = (g00 + g01 i) + (g10 + g11 i)x + (g20 + g21 i)x 2 ∈ Fp 6
Idea: a0 + a1 x → a = (a00 + a01 i) + (a10 + a11 i)x
Integers to factor are much smaller
I factors integer Normf = Res(Res(a, fy (x )), y 2 + 1)
I factors integer Normg = Res(Res(a, gy (x )), y 2 + 1)
Res = resultant of polynomials
27/34
Complexities
28/34
Estimating key sizes for DL in Fp n
29/34
Largest record computations in Fp n with NFS1
1
Data extracted from DiscreteLogDB by L.Grémy
30/34
Simulation without sieving
Variants:
I compute α(f ), α(g) (w.r.t. subfield)
I select polys f , g with good low α(f ), α(g)
I Monte-Carlo simulation with 106 points in S taken at random.
For each point:
1. compute its algebraic norm Nf , Ng in each number field
2. smoothness probability with Dickman-ρ
I Average smoothness probability over the subset of points
→ estimation of the total number of possible relations in S
I dichotomy to approach the best balanced parameters:
smoothness bound B, coefficient bound A.
31/34
L0p (1/3, 1.923)/28.2 DL-768 ↔ 268.32
Simul. in Fp6 , MNT, STNFS deg h = 2
Simul. in Fp16 , KSS16, STNFS deg h = 16
Simul. in Fp12 , BN, STNFS deg h = 6
Simul. in Fp12 , BLS12, STNFS deg h = 12, 6
log2 cost
192
176
160
144
128
112
96
80
64
1024 3072 6144 9216 12288
log2 pn
32/34
Key size for pairings
33/34
Future work
34/34
Bibliography I
L. Adleman.
A subexponential algorithm for the discrete logarithm problem with applications
to cryptography.
In 20th FOCS, pages 55–60. IEEE Computer Society Press, Oct. 1979.
https://doi.org/10.1109/SFCS.1979.2.
R. Barbulescu, P. Gaudry, A. Guillevic, and F. Morain.
DL record computation in GF(p 4 ) of 392 bits (120dd).
Announcement at the CATREL workshop, October 2nd 2015.
http://www.lix.polytechnique.fr/ guillevic/docs/guillevic-catrel15-talk.pdf.
R. Barbulescu, P. Gaudry, A. Guillevic, and F. Morain.
Improving NFS for the discrete logarithm problem in non-prime finite fields.
In E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056
of LNCS, pages 129–155. Springer, Heidelberg, Apr. 2015.
R. Barbulescu, P. Gaudry, and T. Kleinjung.
The tower number field sieve.
In T. Iwata and J. H. Cheon, editors, ASIACRYPT 2015, Part II, volume 9453 of
LNCS, pages 31–55. Springer, Heidelberg, Nov. / Dec. 2015.
1/8
Bibliography II
2/8
Bibliography III
3/8
Bibliography IV
L. Grémy, A. Guillevic, and F. Morain.
Discrete logarithm record computation in GF(p 5 ) of 100 decimal digits using
NFS with 3-dimensional sieving.
Number Theory list, item 004981, August 1st 2017.
https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;68019370.1708.
L. Grémy, A. Guillevic, F. Morain, and E. Thomé.
Computing discrete logarithms in Fp 6 .
In C. Adams and J. Camenisch, editors, SAC 2017, volume 10719 of LNCS,
pages 85–105. Springer, Heidelberg, Aug. 2017.
A. Guillevic and F. Morain.
Pairings for Engineers, chapter 9 – Discrete Logarithms, pages 203–242.
CRC Press Taylor and Francis group, Spring 2016.
N. ElMrabet and M. Joye (eds),
https://www.crcpress.com/Guide-to-Pairing-Based-Cryptography/
El-Mrabet-Joye/p/book/9781498729505,
https://hal.inria.fr/hal-01420485v2.
A. Guillevic, F. Morain, and E. Thomé.
Solving discrete logarithms on a 170-bit MNT curve by pairing reduction.
In R. Avanzi and H. M. Heys, editors, SAC 2016, volume 10532 of LNCS, pages
559–578. Springer, Heidelberg, Aug. 2016.
4/8
Bibliography V
5/8
Bibliography VI
6/8
Bibliography VII
K. S. McCurley.
The discrete logarithm problem.
In C. Pomerance, editor, Cryptology and Computational Number Theory,
volume 42 of Proceedings of Symposia in Applied Mathematics, pages 49–74.
AMS, 1990.
http://www.mccurley.org/papers/dlog.pdf.
A. Menezes, P. Sarkar, and S. Singh.
Challenges with assessing the impact of NFS advances on the security of
pairing-based cryptography.
In R. C. Phan and M. Yung, editors, Mycrypt Conference, Revised Selected
Papers, volume 10311 of LNCS, pages 83–108, Kuala Lumpur, Malaysia,
December 1-2 2016. Springer.
C. Pomerance.
Fast, rigorous factorization and discrete logarithm algorithms.
In D. S. Johnson, T. Nishizeki, A. Nozaki, and H. S. Wilf, editors, Discrete
algorithms and complexity, pages 119–143, Orlando, Florida, 1987. Academic
Press.
https://math.dartmouth.edu/~carlp/disclog.pdf.
7/8
Bibliography VIII
8/8