The discrete log problem in finite fields
The current state of affairs
Pierrick Gaudry
CNRS, Université de Lorraine, Inria – Nancy, France
Math Structures for Cryptography — Leiden, August 2016
Plan
Introduction
Complexities for various types of fields
Finite field of small characteristic
Large / medium characteristic: NFS
The discrete logarithm
Def. Let G be a cyclic group generated by g, of order ℓ. The discrete logarithm problem in G is, given h ∈ G, to find an integer x such that
$h = g^x$.
Rem. Since $g^\ell = 1$, the solution x makes sense modulo ℓ.
Rem. In a generic group, it has been proven (Nechaev, Shoup) that there is no algorithm taking less than $\sqrt{\ell}$ operations if ℓ is prime.
Generic algorithms
Fact. If the order ℓ of G is composite, then solve in subgroups of prime order and recombine with CRT and Hensel (Pohlig–Hellman).
Algorithms:
Baby-step giant-step: reaches the $\Omega(\sqrt{\ell})$ lower bound but also requires $\sqrt{\ell}$ memory.
Pollard Rho, kangaroos, and variants: same time complexity, but no memory, parallelizable. Analysis requires random oracle.
Rem. It is not obvious to find the best constant. See recent work by Galbraith–Ruprai.
Rem. These algorithms are often studied in the context of elliptic curves.
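As an added illustration of this slide (example code, not from the talk), the Python below puts the two ideas together on a toy prime field: baby-step giant-step for a prime-order subgroup, and Pohlig-Hellman, which projects into each prime-power subgroup, recovers the log one base-q digit at a time (the Hensel-style step), and recombines the residues with the CRT. The field $\mathbb{F}_{65521}$ is one of the fields listed later in the deck; the secrets, the helper names and the generator search are constructed for the example.

```python
# Added example (not from Gaudry's slides): generic-group DLP algorithms on a toy prime field.
# Pohlig-Hellman reduces a DLP in a group of composite order to DLPs in subgroups of prime
# order, each solved here by baby-step giant-step, then recombines the answers with the CRT.
from math import isqrt


def factor_small(n):
    """Trial-division factorisation of n into (prime, exponent) pairs; fine for toy group orders."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            e = 0
            while n % d == 0:
                n //= d
                e += 1
            factors.append((d, e))
        d += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def bsgs(g, h, order, p):
    """Baby-step giant-step in the subgroup <g> of F_p^* of the given order.

    Returns x with g^x = h (mod p), or None if h is not in <g>. Both time and memory are
    O(sqrt(order)); the table of baby steps is the memory cost that Pollard rho avoids.
    """
    m = isqrt(order) + 1
    baby = {}
    cur = 1
    for j in range(m):                 # baby steps: g^j for 0 <= j < m
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_step = pow(g, -m, p)         # g^(-m)
    cur = h
    for i in range(m):                 # giant steps: h * g^(-i m); a hit means h = g^(i m + j)
        if cur in baby:
            return (i * m + baby[cur]) % order
        cur = cur * giant_step % p
    return None


def crt(residues):
    """Combine (r_i, m_i) pairs with pairwise coprime moduli into x with x = r_i (mod m_i) for all i."""
    x, mod = 0, 1
    for r, m in residues:
        t = ((r - x) * pow(mod, -1, m)) % m
        x += mod * t
        mod *= m
    return x % mod


def pohlig_hellman(g, h, order, p):
    """Solve h = g^x (mod p) in the cyclic group <g> of F_p^* of known order.

    For each prime power q^e dividing the order, project into the subgroup of order q^e and
    recover x mod q^e digit by digit in base q; each digit is a prime-order DLP solved by BSGS.
    """
    residues = []
    for q, e in factor_small(order):
        cofactor = order // q ** e
        g_q, h_q = pow(g, cofactor, p), pow(h, cofactor, p)   # g_q now has order q^e
        gamma = pow(g_q, q ** (e - 1), p)                      # element of order exactly q
        x = 0
        for k in range(e):
            # strip the digits already known, then project to order q to isolate digit k
            target = pow(h_q * pow(g_q, -x, p) % p, q ** (e - 1 - k), p)
            digit = bsgs(gamma, target, q, p)
            x += digit * q ** k
        residues.append((x, q ** e))
    return crt(residues)


def find_generator(p):
    """Smallest generator of F_p^* (p prime): g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    primes = [q for q, _ in factor_small(p - 1)]
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in primes):
            return g
    raise ValueError("no generator found")


if __name__ == "__main__":
    p = 65521                           # F_65521 from the slides; p - 1 = 2^4 * 3^2 * 5 * 7 * 13
    g = find_generator(p)
    for secret in (1, 12345, 65519):    # constructed test exponents
        h = pow(g, secret, p)
        assert pohlig_hellman(g, h, p - 1, p) == secret
    print("generator", g, ": Pohlig-Hellman + BSGS recovered all test logs modulo", p - 1)
```

Because 65520 factors into tiny primes, every BSGS call works in a subgroup of order at most 13, which is exactly why Pohlig-Hellman makes the slide's requirement of a large prime-order subgroup matter in practice.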
Finite fields
What is your favorite finite field?
$\mathbb{F}_2$, $\mathbb{F}_{2^8}$, $\mathbb{F}_{2^{127}}$, $\mathbb{F}_{3^{5 \times 97}}$, $\mathbb{F}_{65521}$, $\mathbb{F}_{1009}$, $\mathbb{F}_{2^{255}-19}$, ...
Prime fields; random or special form.
Fields of characteristic 2; prime or composite extension degree.
Medium characteristic; $\mathbb{F}_{p^n}$, once called optimal extension fields (OEF).
Key feature: are there subfields? (Frobenius, Galois, ...)
Where do we find them in crypto?
The DLP in finite fields is used:
Prime fields: for key-exchange (called DHE in TLS); for many other crypto schemes.
Medium characteristic fields: torus-based crypto (XTR, CEILIDH), pairing-based crypto.
Small characteristic fields: was used mostly for pairing-based crypto.
Plan: Complexities for various types of fields
Three main parameter domains
In complexity, time is studied in terms of input size.
For DLP in a finite field $\mathbb{F}_{p^n}$, this is $n \log p$.
Behaviour of algorithms depends on whether n or log p contributes most to the input size.
Large characteristic: at least 2/3 of the bits in log p;
Small characteristic: at least 2/3 of the bits in n;
Medium characteristic: between 1/3 and 2/3 of the bits in log p.
Rem. Huge mess at the borders.
L-notation
Complexities are usually measured with the L-notation:
$L_{p^n}(\alpha, c) = \exp\left(c \, \log(p^n)^{\alpha} \, \log\log(p^n)^{1-\alpha}\right)$,
where $\alpha \in [0, 1]$ is the most important parameter and c is the exponent constant.
Examples:
$L_p(1, 1/2) = p^{1/2}$: exponential complexity;
$L_{p^n}(0, 2) = (n \log p)^2$: polynomial complexity;
$L_{p^n}(1/3, c + o(1))$: in between.
Best current known complexities (heuristic)
[ figure: plot with horizontal axis log log p and vertical axis log n, with $Q = p^n$; the boundary lines $p = L_Q(1/3)$ and $p = L_Q(2/3)$ separate three regions labelled: Quasi-Poly, $L_Q(\alpha + o(1))$ when $p = L_Q(\alpha)$; NFS-HD, $L_Q(1/3, (96/9)^{1/3})$; NFS, $L_Q(1/3, (64/9)^{1/3})$ ]
(Without multiple- or special- number field sieve)
Smoothness
Def. A number x is y-smooth if all its prime factors are at most y.
Thm. (CEP, 1983) Let $u = \frac{\log x}{\log y}$. The proportion of y-smooth numbers less than x is
$\Psi(x, y)/x = \exp\left(-u(\log u + \log\log u - 1 + o(1))\right)$,
assuming u not too close to 1. The o(1) is under control.
Rule of thumb: take Probability(smooth) ≈ $\rho(u) \approx u^{-u}$.
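Added example, not part of the slides: for x small enough to enumerate, $\Psi(x, y)$ can be counted exactly by dividing every prime $\le y$ out of each integer up to x, which lets one see how rough the rule of thumb $u^{-u}$ is. The values of x and y below are constructed; the function names are this example's own.

```python
# Added example (not from the slides): measure the proportion of y-smooth integers up to x by
# sieving, and compare it with the rule of thumb Prob(smooth) ~ u^(-u), u = log x / log y.
from math import log


def primes_up_to(y):
    """Sieve of Eratosthenes: all primes <= y."""
    flags = bytearray([1]) * (y + 1)
    flags[0:2] = b"\x00\x00"
    for q in range(2, int(y ** 0.5) + 1):
        if flags[q]:
            flags[q * q::q] = bytearray(len(flags[q * q::q]))
    return [q for q in range(2, y + 1) if flags[q]]


def psi(x, y):
    """Psi(x, y): number of y-smooth integers in [1, x].

    rem[n] holds what is left of n after every prime <= y has been divided out;
    n is y-smooth exactly when that cofactor is 1.
    """
    rem = list(range(x + 1))
    for q in primes_up_to(y):
        for n in range(q, x + 1, q):
            while rem[n] % q == 0:
                rem[n] //= q
    return sum(1 for n in range(1, x + 1) if rem[n] == 1)


def smooth_estimate(x, y):
    """Return (u, measured proportion Psi(x, y)/x, rule-of-thumb u^(-u))."""
    u = log(x) / log(y)
    return u, psi(x, y) / x, u ** (-u)


if __name__ == "__main__":
    for x, y in ((10 ** 5, 100), (2 * 10 ** 5, 100)):   # constructed sizes
        u, measured, thumb = smooth_estimate(x, y)
        print(f"x={x} y={y} u={u:.2f} measured={measured:.4f} u^-u={thumb:.4f}")
```

For such tiny x the sieve count sits above $u^{-u}$: the rule of thumb keeps only the leading term of the CEP exponent, which is enough for the asymptotic analysis on the following slides but not for predicting an actual relation yield.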
Combining congruences
Example in $\mathbb{F}_p$; let g be a generator of a subgroup of order ℓ.
Find many $e_i$'s such that $g^{e_i}$ is B-smooth:
$g^{e_0} \equiv 2^{e_{0,0}} \, 3^{e_{0,1}} \cdots p_k^{e_{0,k}} \bmod p$
$g^{e_1} \equiv 2^{e_{1,0}} \, 3^{e_{1,1}} \cdots p_k^{e_{1,k}} \bmod p$
$g^{e_2} \equiv 2^{e_{2,0}} \, 3^{e_{2,1}} \cdots p_k^{e_{2,k}} \bmod p$
...
Take the log in base g on each side; this makes the relations linear:
$e_0 \equiv e_{0,0} \log 2 + e_{0,1} \log 3 + \cdots + e_{0,k} \log(p_k) \bmod \ell$
$e_1 \equiv e_{1,0} \log 2 + e_{1,1} \log 3 + \cdots + e_{1,k} \log(p_k) \bmod \ell$
$e_2 \equiv e_{2,0} \log 2 + e_{2,1} \log 3 + \cdots + e_{2,k} \log(p_k) \bmod \ell$
...
Combining congruences
Def. Factor base: the set of primes $\{2, 3, 5, \ldots, p_k\}$ less than B.
Collecting (many) more relations than the number of factor base elements, we get a full rank system.
Linear algebra gives the log of all factor base elements.
Final step (the only one that depends on the target):
Find one additional relation of the form
$h \, g^f \equiv 2^{f_0} \, 3^{f_1} \cdots p_k^{f_k} \bmod p$
in order to deduce the logarithm of h.
Rem. The matrix is very sparse: use appropriate algorithms.
Combining congruences – analysis
The analysis amounts to tuning B:
B too small: very hard to find a relation;
B too large: need many relations to accommodate the large factor base.
Key of the analysis: smoothness probability estimates (CEP).
Final result:
$L_p(1/2, \sqrt{2} + o(1))$,
where $L_p(\alpha, c) = \exp\left(c \, \log(p)^{\alpha} \, \log\log(p)^{1-\alpha}\right)$.
Goal: find algorithms with a smaller α and c.
If α = 0, this is a polynomial-time algorithm.
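The three phases of the last three slides (relation collection over a factor base, linear algebra modulo ℓ, individual logarithm) in one toy implementation, added here as an example and not taken from the talk. It assumes a safe prime $p = 2\ell + 1$ so that ℓ is the only large prime factor of $p - 1$, takes g to generate all of $\mathbb{F}_p^*$ so that every factor-base prime has a logarithm in base g, and solves the system modulo ℓ, so the output is $\log_g h \bmod \ell$ (the remaining factor 2 of the group order is the Pohlig-Hellman part). The prime p, the bound B, the seed and the function names are all constructed.

```python
# Added example (not from the slides): toy index calculus in F_p.
# Phase 1 collects relations g^e = prod q_j^(e_j) (mod p) over the primes below B,
# phase 2 solves e = sum_j e_j log(q_j) (mod ell) by Gaussian elimination, and
# phase 3 finds one relation involving the target h. Dense elimination is used here
# because the toy matrix is tiny; the slide's remark about sparsity applies at real sizes.
import random


def factor_over_base(n, base):
    """Exponent vector of n over the factor base, or None if n is not B-smooth."""
    exps = [0] * len(base)
    for i, q in enumerate(base):
        while n % q == 0:
            n //= q
            exps[i] += 1
    return exps if n == 1 else None


def solve_mod_prime(rows, rhs, ell):
    """Gaussian elimination over Z/ell: solve rows * x = rhs.

    Returns x, or None if the system is rank deficient (collect more relations) or inconsistent.
    """
    n = len(rows[0])
    A = [row[:] + [b] for row, b in zip(rows, rhs)]
    r = 0
    for col in range(n):
        piv = next((i for i in range(r, len(A)) if A[i][col] % ell), None)
        if piv is None:
            return None
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][col], -1, ell)
        A[r] = [v * inv % ell for v in A[r]]
        for i in range(len(A)):
            if i != r and A[i][col] % ell:
                f = A[i][col]
                A[i] = [(a - f * b) % ell for a, b in zip(A[i], A[r])]
        r += 1
    if any(A[i][n] % ell for i in range(r, len(A))):   # a row 0 = nonzero: inconsistent
        return None
    return [A[i][n] for i in range(n)]


def primes_below(B):
    """Factor base: all primes less than B."""
    return [q for q in range(2, B) if all(q % d for d in range(2, int(q ** 0.5) + 1))]


def index_calculus_log(p, ell, g, h, B, seed=0):
    """log_g(h) mod ell, with g a generator of F_p^* and ell a prime divisor of p - 1.

    The seed drives the random exponents so that runs are reproducible.
    """
    rng = random.Random(seed)
    base = primes_below(B)
    rows, rhs, need = [], [], len(base) + 5
    while True:
        while len(rows) < need:                      # phase 1: B-smooth powers of g
            e = rng.randrange(1, p - 1)
            vec = factor_over_base(pow(g, e, p), base)
            if vec is not None:
                rows.append(vec)
                rhs.append(e % ell)
        logs = solve_mod_prime(rows, rhs, ell)       # phase 2: logs of factor-base primes
        if logs is not None:
            break
        need += 5                                    # rank deficient: a few more relations
    while True:                                      # phase 3: h * g^f = prod q_j^(f_j) (mod p)
        f = rng.randrange(1, p - 1)
        vec = factor_over_base(h * pow(g, f, p) % p, base)
        if vec is not None:
            return (sum(v * l for v, l in zip(vec, logs)) - f) % ell


def find_generator(p, ell):
    """Smallest g generating F_p^* when p = 2 * ell + 1 is a safe prime."""
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, ell, p) != 1:
            return g


def check_mod_ell(p, ell, g, h, x):
    """With p = 2 * ell + 1, squaring projects into the subgroup of order ell, where x must be the log."""
    return pow(h, 2, p) == pow(g, 2 * x, p)


if __name__ == "__main__":
    p, ell, B = 2039, 1019, 40          # constructed: 2039 = 2 * 1019 + 1 is a safe prime
    g = find_generator(p, ell)
    h = 1234                            # constructed target
    x = index_calculus_log(p, ell, g, h, B, seed=1)
    assert check_mod_ell(p, ell, g, h, x)
    print(f"log_{g}({h}) = {x} mod {ell}")
```

Phases 1 and 2 never look at h, so the same `logs` vector serves any number of targets; only phase 3 is repeated per target, which is the point the slide makes about the final step.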
Plan: Finite field of small characteristic
Timeline of DLP in small characteristic
Warning: this is a very personal point of view.
History alternates between “paradigm shifts” and “consolidations”.
DLP in the dark ages (Kraitchick);
70’s: L(1/2) analysis + improvements;
80’s / 90’s: Coppersmith, Adleman, Huang, ... L(1/3) era;
2000’s: Joux-Lercier, Thomé,
Joux-Lercier-Smart-Vercauteren... Consolidate;
2013-2014: Quasi-polynomial in small charac. era;
Now: Consolidate (?)
How to get a quasi-polynomial complexity?
Note: the version presented here is by Granger–Kleinjung–Zumbrägel
(and not the historically first QPA by Barbulescu-G.-Joux-Thomé).
Key point: assume the field has a nice subfield representation $\mathbb{F}_{q^{4k}}$ given as
$\mathbb{F}_{q^{4k}} \subset \mathbb{F}_{q^4}[X]/(h_1(X) X^q - h_0(X))$,
where $h_0$ and $h_1$ have degree ≤ 2 and there exists an irreducible factor I(X) of degree k in $h_1(X) X^q - h_0(X)$.
Goal: rewrite all elements in terms of linear polynomials over $\mathbb{F}_{q^4}$.
Important remark. If k ≈ q, then q is polynomial because the input size ≈ q log q.
Quasi-polynomial complexity is $q^{O(\log q)}$.
Elements of the finite field
$\mathbb{F}_{q^{4k}} \subset \mathbb{F}_{q^4}[X]/(h_1(X) X^q - h_0(X))$
Elements are represented as polynomials over $\mathbb{F}_{q^4}$.
Building block 1: deg 2 to linear
Let $Q \in \mathbb{F}_{q^4}[X]$ be an irreducible polynomial of degree 2.
Consider the set of polynomials, for a, b, c in $\mathbb{F}_{q^4}$:
$P_{a,b,c} = X^{q+1} + aX^q + bX + c = X^q(X + a) + bX + c$
that, after mapping $X^q$ to $h_0/h_1$, become divisible by Q.
Then:
The probability that P(X) splits in linear factors is in $1/q^3$;
The probability that it becomes divisible by Q after the transformation is in $1/q^8$.
There are $q^{12}$ choices: we should find one in time ≈ q.
Rem. If we start with $\mathbb{F}_{q^r}$ instead of $\mathbb{F}_{q^4}$, we expect ≈ $q^{r-3}$ winners among $q^{3r}$ choices.
Building block 1: deg 2 to linear (cont'd)
Find a, b, c in $\mathbb{F}_{q^4}$ such that
$X^{q+1} + aX^q + bX + c = X^q(X + a) + bX + c \equiv \frac{h_0}{h_1}(X + a) + bX + c$
splits completely on the LHS and is divisible by Q on the RHS.
We get a linear relation between logs of Q and linear elements.
Proving this can be done by studying the number of points on a (singular) plane curve. Using the action of $\mathrm{PGL}_2(\mathbb{F}_q)$, the authors exhibit an absolutely irreducible piece: apply Weil's bound.
Rem. Need to replace $\mathbb{F}_{q^4}$ by $\mathbb{F}_{q^{18}}$.
Building block 2: view deg 2d as deg 2
Let $Q \in \mathbb{F}_{q^4}[X]$ be an irreducible polynomial of degree 2d.
Over $\mathbb{F}_{q^{4d}}$, Q is a product of d polynomials of degree 2.
For each factor Q' of degree 2, apply building block 1 to Q': rewrite it with linear polynomials over $\mathbb{F}_{q^{4d}}$.
Then go down with the norm map: linear over $\mathbb{F}_{q^{4d}}$ becomes degree d over $\mathbb{F}_{q^4}$
(and irreducible factors divide d).
Putting things together
First, randomize the target element to see it as an irreducible polynomial of degree a power of 2 (anti-smoothing!).
Then, apply building block 2 recursively, since it produces only polynomials of degree a power of 2.
In the end, get a linear relation between the logs of the target and the linear polynomials over $\mathbb{F}_{q^4}$.
Repeat $q^4$ times to be able to eliminate the logs of the linear polynomials and conclude!
With a picture
[ picture from On the powers of 2, by Granger, Kleinjung, Zumbrägel ]
Last piece of non-proven step
Everything can be made rigorously proven except for the existence of the nice field representation.
Furthermore, this works incredibly well in practice!
Still, we already have:
Thm. (Granger, Kleinjung, Zumbrägel) For every fixed p, there exist infinitely many extension fields $\mathbb{F}_{p^n}$ for which the DLP in $\mathbb{F}_{p^n}$ can be solved in expected quasi-polynomial time.
Removing this last heuristic does not seem out of reach with current knowledge.
Rem. Even when the extension degree n is prime, there is no practical problem to find an appropriate extension with the nice representation.
Plan: Large / medium characteristic: NFS
The NFS diagram for DLP in $\mathbb{F}_p^*$
Let f(x) be a polynomial and m an integer, such that f(m) ≡ 0 mod p.
                          $\mathbb{Z}[x]$
          $x \mapsto m$  ↙                ↘  $x \mapsto \alpha$
$\mathbb{Z}[x]/(x - m)$                      $\mathbb{Z}[x]/f(x)$
              mod p  ↘                ↙  $\alpha \mapsto m \bmod p$
                        $\mathbb{Z}/p\mathbb{Z}$
Follow an element $a - bx \in \mathbb{Z}[x]$ through the diagram: it becomes $a - bm \in \mathbb{Z}[x]/(x - m)$ on the left and $a - b\alpha \in \mathbb{Z}[x]/f(x)$ on the right, and both map to the same $a - bm \in \mathbb{Z}/p\mathbb{Z}$ at the bottom. On each side, ask: smooth?
If both sides are smooth, linear relation between logs in $(\mathbb{Z}/p\mathbb{Z})^*$.
Rem. Enough to have smooth "norms": $f(a/b) \, b^{\deg f}$ and $a - bm$.
NFS: main steps
1. Polynomial selection: choice of f and m.
2. Collecting relations: find (a, b)-pairs such that both sides are smooth.
3. Prepare the matrix (ugly details hidden).
4. Linear algebra: get a kernel vector modulo $\ell \mid p - 1$.
5. Individual log: rewrite the log of the target in terms of logs of factor base elements.
In practice: Steps 2 and 4 are the most time-consuming.
In the next few slides, we concentrate on Step 1, which is crucial for complexity improvements.
Polynomial selection for $\mathbb{F}_p^*$
Goal: Find f, g s.t. $p \mid \mathrm{Res}(f, g)$ and resulting norms $f(a/b) \, b^{\deg f}$ and $g(a/b) \, b^{\deg g}$ are as small as possible.
Base-m construction: take $m \approx p^{1/(d+1)}$, where $d \approx \left(\frac{\log p}{\log\log p}\right)^{1/3}$.
Write $p = f_0 + f_1 m + f_2 m^2 + \cdots + f_d m^d$, with $0 \le f_i < m$.
Take $g = x - m$ and $f = f_0 + f_1 x + f_2 x^2 + \cdots + f_d x^d$.
Both norms are ≈ $L_p(2/3, \ldots)$.
Note: many practical improvements. See Kleinjung (2006), and more recently Bai, Bouvier, Kruppa, Zimmermann (2016). Usually in the context of factorization.
Joux-Lercier construction: Use the fact that p is prime. Consider the lattice of polynomials with a given root modulo p and use lattice reduction.
Same complexity in the end, but better in practice.
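The base-m construction above, carried out on a toy prime and followed by the test that relation collection (Step 2 of the main steps) performs on each (a, b) pair: are both norms $f(a/b)\, b^{\deg f}$ and $a - bm$ smooth? This is an added example, not code from the talk or from any NFS implementation. The algebraic-side bookkeeping that turns smooth norms into a usable log relation (prime ideals, units, Schirokauer maps: the slide's "ugly details hidden") is deliberately left out. The prime p, the degree d, the (a, b) search box and the smoothness bound are constructed parameters.

```python
# Added example (not from the slides): base-m polynomial selection plus the doubly-smooth
# test on the two norms of a - bx, for small (a, b) pairs. Trial division stands in for
# the sieve; no ideal factorisation is done, so the output is the list of candidate pairs.
from math import gcd


def base_m_polynomial(p, d):
    """Base-m construction: m ~ p^(1/(d+1)), p written in base m; f has the base-m digits as
    coefficients (lowest degree first), so f(m) = p and g = x - m shares the root m modulo p."""
    m = round(p ** (1 / (d + 1)))
    coeffs, r = [], p
    while r:
        coeffs.append(r % m)
        r //= m
    return m, coeffs


def algebraic_norm(coeffs, a, b):
    """|f(a/b) * b^deg f| = |sum_i f_i a^i b^(deg f - i)|, an integer for coprime (a, b)."""
    deg = len(coeffs) - 1
    return abs(sum(fi * a ** i * b ** (deg - i) for i, fi in enumerate(coeffs)))


def is_smooth(n, bound):
    """True if every prime factor of |n| is <= bound (n = 0 is never counted as smooth)."""
    if n == 0:
        return False
    n = abs(n)
    q = 2
    while q <= bound and n > 1:
        while n % q == 0:
            n //= q
        q += 1
    return n == 1


def collect_relations(p, d, bound, amax, bmax):
    """Return m, the coefficients of f, and the (a, b) pairs with gcd(a, b) = 1 whose rational
    norm a - bm and algebraic norm f(a/b) b^deg f are both bound-smooth (one NFS relation each)."""
    m, coeffs = base_m_polynomial(p, d)
    assert sum(c * m ** i for i, c in enumerate(coeffs)) % p == 0   # f(m) = 0 mod p
    found = []
    for b in range(1, bmax + 1):
        for a in range(-amax, amax + 1):
            if a == 0 or gcd(a, b) != 1:
                continue
            if is_smooth(a - b * m, bound) and is_smooth(algebraic_norm(coeffs, a, b), bound):
                found.append((a, b))
    return m, coeffs, found


if __name__ == "__main__":
    p, d = 1000003, 3                     # constructed toy prime and degree
    m, f, rels = collect_relations(p, d, bound=50, amax=60, bmax=20)
    print("m =", m, "f =", f, "(coefficients, lowest degree first)")
    print(len(rels), "doubly smooth (a, b) pairs, e.g.", rels[:5])
```

At this size the algebraic norm is already two orders of magnitude larger than the rational one, which is the imbalance the table on the next slide is about: base-m puts "large" coefficients on f, and the (a, b) box has to be tuned against that.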
Polynomial selection for $\mathbb{F}_p^*$ (Cont'd)
                   base-m      Joux-Lercier
$\|f\|_\infty$     large       O(1)
$\deg f$           d           1 + d'
$\|g\|_\infty$     large       larger
$\deg g$           1           d'
where $d' \approx \frac{d + 1}{2}$.
It is not at all obvious to decide what is the best way to "spread the bits of p" in the various columns.
Polynomial selection for $\mathbb{F}_{p^n}^*$ (JLSV)
Goal: Find f, g s.t. there exists an irreducible $\varphi \in \mathbb{F}_p[x]$ of degree n that divides both f and g in $\mathbb{F}_p[x]$. Resulting norms must be as small as possible.
Note: here we have $p^n \mid \mathrm{Res}(f, g)$.
                      $\mathbb{Z}[x]$
               ↙                    ↘
$\mathbb{Z}[x]/f(x)$              $\mathbb{Z}[x]/g(x)$
               ↘                    ↙
                     $\mathbb{F}_{p^n}$
Rem. Algorithm is different in large and medium characteristic.
Note: In medium, we need to replace (a, b) pairs by higher degree polynomials.
Playing with the diagram: Tower NFS
An idea that goes back to Schirokauer (2000): to compute DLP in $\mathbb{F}_{p^n}$, replace $\mathbb{Z}$ by a number ring of degree n in the diagram.
Revisited by Barbulescu, G., Kleinjung (2015).
Classical diagram (target $\mathbb{Z}/p\mathbb{Z}$):
                      $\mathbb{Z}[x]$
               ↙                    ↘
$\mathbb{Z}[x]/f(x)$              $\mathbb{Z}[x]/g(x)$
               ↘                    ↙
                    $\mathbb{Z}/p\mathbb{Z}$
Tower diagram (target $\mathbb{F}_{p^n}$):
                        $R[x]$
               ↙                    ↘
        $R[x]/f(x)$            $R[x]/g(x)$
               ↘                    ↙
                     $\mathbb{F}_{p^n}$
$R = \mathbb{Z}[t]/h(t)$, where h is irreducible of degree n.
f and g have a common linear factor modulo p.
Playing with the diagram (again)
Further idea of Kim (2016), extended by Barbulescu, Sarkar-Singh:
mix everything!
If n = ηκ is composite, we can combine both strategies:
build the η part of the extension with a ring R of degree η
over Z;
build the remaining κ part of the extension with a common
factor of f and g of degree κ.
Rem. A lot of technicalities to analyze the right balance of parameters that yields the smallest norm sizes, and then the best asymptotic complexity.
Variants
Two important (incompatible?) variants:
The Special NFS:
Was invented before NFS!
When p has a special form, there could be some obvious good
polynomials.
Joux-Pierrot for pairing-related cases.
The Multiple NFS:
Invented by Coppersmith in 1993;
Use a more complicated diagram, with more than 2
polynomials sharing a common factor mod p.
Matyukhin, Commeine-Semaev, Barbulescu-Pierrot.
Nowadays, each time a new polynomial selection is proposed, it is
also analyzed in these settings (Sarkar-Singh, Kim, Jeong-Kim).
Complexities in $L_{p^n}(1/3, c + o(1))$
DLP in prime fields and large charac. (= integer factorization):
Plain NFS: $c = (64/9)^{1/3} = 1.923...$ (Gordon, Schirokauer, ...)
MNFS: c = 1.902... (Coppersmith 1993, Matyukhin 2003, Commeine–Semaev 2006)
SNFS: $c = (32/9)^{1/3} = 1.526...$ (Semaev 2002)
DLP in medium characteristic (was $c = (128/9)^{1/3}$, Joux-Lercier-Smart-Vercauteren 2006):
Plain NFS: $c = (96/9)^{1/3} = 2.201...$ (Barbulescu-G.-Guillevic-Morain 2015)
SNFS: $c = (64/9)^{1/3} = 1.923...$ (Joux-Pierrot 2013)
MNFS: c = 2.156... (Pierrot 2015)
exTNFS (optimal comp. extension): $c = (48/9)^{1/3} = 1.747...$ (Kim-Barbulescu; Sarkar-Singh; Jeong-Kim 2016)
SexTNFS (+ special prime form): $c = (32/9)^{1/3} = 1.526...$ (Kim-Barbulescu 2016)
Things not mentioned here
Recent / current work not mentioned here:
Other computational models (circuit; or many finite fields to
be handled simultaneously); see Batch NFS by
Bernstein-Lange.
Practical computations. Many records in the past years in
small, medium and large characteristic.
Sieving in small dimension > 2. This is the key to efficient
medium-characteristic NFS. See our ANTS paper with Grémy
and Videau.
Individual logarithms. Was considered easy, but gets complicated over extension fields. See work of Guillevic.
Consequences for pairing-based crypto.
Conclusion
In small characteristic:
Many improvements still to be discovered here and there;
Big challenge: get a full proof of the quasi-polynomial
complexity;
Bigger challenge: get rid of the “quasi”.
Large/medium characteristic:
Still moving quickly, with big improvements;
Surprise: it can be faster than factorization;
Hard to tell if there are more big improvements to be
expected soon;
Polynomial selection is the key to complexity improvements;