
Lattice Enumeration and Automorphisms for Tower NFS: A 521-Bit Discrete Logarithm Computation

  • Research Article
  • Journal of Cryptology

Abstract

The tower variant of the number field sieve (TNFS) is known to be asymptotically the most efficient algorithm for solving the discrete logarithm problem in finite fields of medium characteristic when the extension degree is composite. A major obstacle to an efficient implementation of TNFS is the collection of algebraic relations, since it takes place in dimension greater than 2. This calls for new sieving algorithms that remain efficient as the dimension grows. In this article, we overcome this difficulty with a lattice enumeration algorithm that we adapt to this specific context. We also consider a new sieving area, a high-dimensional sphere, whereas previous sieving algorithms for the classical NFS used an orthotope. Our new sieving technique leads to a much smaller running time, despite the larger dimension of the search space, and even for a larger target, as demonstrated by a record computation we performed in a 521-bit finite field \({{{\mathbb {F}}}}_{p^6}\). The target finite field has the same form as the finite fields used in recent zero-knowledge proofs in some blockchains. This is the first reported implementation of TNFS.


Notes

  1. We use the usual notation \(L_Q(\alpha ,c)= \exp ((c+o(1)) (\log Q) ^\alpha (\log \log Q)^{1-\alpha })\), where o(1) tends to 0 when Q tends to infinity. We do not write c when it is not of interest.

  2. We use the same abuse in the abstract and title too.

  3. Indeed, if u is somewhat large, there is a chance that either ua or ub falls outside the sieving region.

  4. A cycle of curves is a pair of pairing-friendly elliptic curves \({\mathcal {E}}_1\), \({\mathcal {E}}_2\) such that \({\mathcal {E}}_1\) is defined over a finite prime field \({{{\mathbb {F}}}}_{p_1}\) with prime order \(p_2\), and \({\mathcal {E}}_2\) is defined over the finite field \({{{\mathbb {F}}}}_{p_2}\) with order \(p_1\).

  5. Here, h is already monic and irreducible modulo p so \(\phi _h = h\).


Acknowledgements

We are indebted to Léo Ducas and Wessel van Woerden for insightful discussions about the lattice points enumeration aspect of this work. Many thanks to Aurore Guillevic, for numerous discussions, in particular about polynomial selection and the blockchain ecosystem. Experiments in this paper were carried out using the Grid’5000 testbed, supported by a scientific interest group hosted by Inria and including CNRS, RENATER and several Universities as well as other organizations (see https://www.grid5000.fr).

Author information

Corresponding author: Cécile Pierrot.

Additional information

Communicated by Damien Stehlé.


This paper was reviewed by Taechan Kim and Benjamin Wesolowski.


About this article


Cite this article

De Micheli, G., Gaudry, P. & Pierrot, C. Lattice Enumeration and Automorphisms for Tower NFS: A 521-Bit Discrete Logarithm Computation. J Cryptol 37, 6 (2024). https://doi.org/10.1007/s00145-023-09487-x


  • DOI: https://doi.org/10.1007/s00145-023-09487-x
