[Cado-nfs-discuss] Combining relations from both cado and msieve/ggnfs
To our knowledge, this computation is the largest discrete logarithm computation so far in a binary field extension of prime degree.
The Function Field Sieve is the traditional approach for solving these problems, and has been used in previous records for such fields, namely and F .
Presently, the crossover point between the Function Field Sieve and this newer algorithm is not known, and the present computation contributes to giving an idea of the present state of the art of what may be computed using the Function Field Sieve.
Most of the software used for this computation is freely available as part of the cado-nfs software suite (although cado-nfs originally focuses on the Number Field Sieve, recent additions cover FFS as well).
Various improvements over the different steps of the algorithm are covered in preprints by some of the authors of the present computation [2, 4, 5, 6]. We therefore keep this report very short and refer the interested reader to these articles for more detail.
Discussion on the subgroup considered. The motivation for our choice is related to the cryptographic applications, where the discrete logarithm problem is to be solved only in a subgroup whose size is enough to resist the Pollard Rho attack.
We recall, as a comparison, that the original DSA digital signature algorithm setup recommends a prime order subgroup in the multiplicative group of a bit finite field. Here, the subgroup chosen is rather over-sized than under-sized, given the expected difficulty of the Pollard Rho attack on a bit group. It was done with a sieving procedure. For this reason we chose that one, since is congruent to 5 mod 6.
No special care was taken for choosing g x: Finally, we chose the following polynomial pair: This choice of polynomials was driven solely by the efficiency of the relation collection. The class number is which is rather large, and there are some singular points. All these complications have essentially no influence on the running time but require some care in the implementation. This is a rather classical sieving method using lattice-sieving for various special-q.
We actually ran the relation collection step for two different sets of parameters, in order to compare and be able to see how the tuning of this phase influences the filtering and linear algebra steps. Likewise, the discussion uses terminology which is heavily borrowed from NFS implementation folklore. In particular the I and J parameters directly relate to the dimensions of the sieved area in what is customarily called the (i, j)-plane in the lattice sieving context.
We used a factor base bound of degree 23 (inclusive). The main difference between our two sets of parameters is the large prime bound. The threshold for deciding which candidates are passed to the cofactorization step after sieving is set to degree 81 for both sides, that is, we allow three large primes of maximum degree on each side. All the special-q of degree from 24 to 27 (inclusive) were sieved, producing a bit more than 52 million relations (possibly non-unique).
The relevant data is summarized in the following table. In practice, most of our computations were done using the idle time of a cluster whose 4-year-old processors do not support this instruction, and therefore run about twice as slowly. The threshold was again set to 3 times the large prime bound, that is 84 for both sides. We sieved all the special-q from degree 24 to 28 (inclusive) and produced more than million of relations, split as in the following table.
The filtering step was performed using the implementation described in . It was run on the two sets of relations produced by the relation collection step. The same parameters were used in both cases. In total 52,relations were collected. After the first singleton removal, about 29M relations remained as well as 19M ideals so the excess was around 10M.
At the end of the purge algorithm, there were 9. The final matrix after the merge algorithm had 3. In total, relations were collected. After the first singleton removal, about 65M relations remained as well as 37M ideals so the excess was around 28M. At the end of the purge algorithm, there were The final matrix after the merge algorithm had 4.
For the actual computation, relations collected with both values of the large prime bound were considered to produce the matrix. On the other hand it was a pity not to use all that we had at hand to reduce the cost of the linear algebra.
Starting from an input set of This approach is described in . Two independent computations were completed, and the choice of these two setups was driven by the hardware which was available to us at the time of the computation.
The computation time for this setup sums up to 18 days: The sequence computation required 2. The linear generator computation required 2 hours in parallel using 16 jobs on a 4-node cluster with Intel Core i CPUs 3.
Computation of the kernel vector required 1.
More precisely, we start by splitting the target element into the quotient of two elements of about half the degree, using a Euclidean algorithm that we stop in the middle. Randomizing the target allows us to repeat that step until the two elements are smoother than average. In our case, after a dozen minutes, we managed to rewrite the target in terms of elements of degree less than 90; in comparison, straight out of the Euclidean algorithm, we have a numerator and a denominator whose degree is at most . The overall cost of the individual logarithm step is less than one hour, and therefore was not thoroughly investigated.
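The splitting step described above, as an added example that is not code from the report or from cado-nfs: extended Euclid on (f, t) in GF(2)[x], stopped once the remainder drops to half the degree, then repeated on re-randomized targets t·x^k until numerator and denominator are both smooth. The function names, the trial-division smoothness test and the way k is drawn are assumptions made for this illustration, suited only to toy field sizes.

```python
import random

# Polynomials over GF(2) are Python ints: bit i is the coefficient of x^i.
def deg(a):
    return a.bit_length() - 1          # deg(0) == -1

def pmul(a, b):                        # carry-less product in GF(2)[x]
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pdivmod(a, b):                     # quotient and remainder, b != 0
    q = 0
    while deg(a) >= deg(b):
        s = deg(a) - deg(b)
        q, a = q ^ (1 << s), a ^ (b << s)
    return q, a

def half_split(t, f):
    """Euclid on (f, t) stopped mid-way: returns (n, d), n = d*t mod f, degrees <= deg(f)//2."""
    r0, r1, v0, v1 = f, t, 0, 1        # invariant: r_i = v_i * t mod f
    while deg(r1) > deg(f) // 2:
        q, r = pdivmod(r0, r1)
        r0, r1, v0, v1 = r1, r, v1, v0 ^ pmul(q, v1)
    return r1, v1

def max_factor_degree(h):
    """Degree of the largest irreducible factor of h != 0 (trial division, toy sizes only)."""
    best, p = 0, 2                     # p = 2 encodes the polynomial x
    while 2 * deg(p) <= deg(h):        # once this fails, what is left of h is 1 or irreducible
        q, r = pdivmod(h, p)
        if r == 0:
            h, best = q, deg(p)
        else:
            p += 1
    return max(best, deg(h))

def smooth_split(t, f, bound, seed=1, tries=10000):
    """Re-randomize t as t*x^k until n and d from half_split are both bound-smooth."""
    rng, k = random.Random(seed), 0
    for _ in range(tries):
        s = rng.randrange(1, deg(f))
        k, t = k + s, pdivmod(t << s, f)[1]      # t <- t * x^s mod f
        n, d = half_split(t, f)
        if max(max_factor_degree(n), max_factor_degree(d)) <= bound:
            return k, n, d
    return None
```

For instance, `smooth_split(0x1234567, (1 << 31) | 0b1001, 6)` works in the constructed toy field GF(2)[x]/(x^31 + x^3 + 1) and returns k, n, d with n ≡ d·t·x^k, so that log t = log n − log d − k·log x.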
The question of where to stop sieving is not so easy to answer in advance, but with the data that we have collected, we can give some hints for future choices. With this objective in mind, we have run the filtering step for various numbers of relations (always produced with a large prime bound of 27) and estimated both the sieving time for getting these relations, and the linear algebra time for the corresponding matrix.
The relations were added in increasing lexicographical order of the special-q. For the linear algebra cost, we used the quantity: With this arbitrary unit, the linear algebra step described in Section 1. With this scaling, the second line of the table is optimal, with a running time equivalent to 31, hours on one core of i For instance, in our case, we had only few GPU resources available compared to CPU, so the last line of the table was more suitable.
Then, the logarithms of the elements of the factor base were readily available after the linear algebra step.