Yuqing Zhu,Jincheng Zhuang,Chang Lv,Dongdai Lin

2016-01-01

Abstract:The hardness of discrete logarithm problem over finite fields is the foundation of many cryptographic protocols. When the characteristic of the finite field is medium or large, the state-of-art algorithms for solving the corresponding problem are the number field sieve and its variants. There are mainly three steps in such algorithms: polynomial selection, factor base logarithms computation, and individual logarithm computation. Note that the former two steps can be precomputed for fixed finite field, and the database containing factor base logarithms can be used by the last step for many times. In certain application circumstances, such as Logjam attack, speeding up the individual logarithm step is vital. In this paper, we devise a method to improve the individual logarithm step by exploring subfield structures. Our method is based on the extended tower number field sieve algorithm, and achieves more significant improvement when the extension degree has a large proper factor. We also perform some experiments to illustrate our algorithm and confirm the result.

Yuqing Zhu,Jincheng Zhuang,Chang Lv,Dongdai Lin

2016-01-01

Abstract:The hardness of discrete logarithm problem over finite fields is the foundation of many cryptographic protocols. The state-of-art algorithms for solving the corresponding problem are number field sieve, function field sieve and quasi-polynomial time algorithm when the characteristics of the finite field are medium to large, medium-small and small, respectively. There are mainly three steps in such algorithms: polynomial selection, factor base logarithms computation, and individual logarithm computation. Note that the former two steps can be precomputed for fixed finite field, and the database containing factor base logarithms can be used by the last step for many times. In certain application circumstances, such as Logjam attack, speeding up the individual logarithm step is vital. In this paper, we devise two methods to improve the individual logarithm step by exploring subfield structure when the extension degree n is composite. The first method applies to the case when the characteristic is medium to large. It is based on the extended tower number field sieve (exTNFS) and the improvement is significant when n has a large proper factor. The second one applies to any characteristic case. It is a generalization of the recent technique of Guillevic. It achieves almost optimal result and the improvement is significant when φ(n)/n is relatively small. We also perform some experiments to illustrate our algorithm and confirm the result.

Naomi Benger,Manuel Charlemagne,Kefei Chen

DOI: https://doi.org/10.1007/s12204-018-1919-8

2018-01-01

Journal of Shanghai Jiaotong University (Science)

Abstract:As we examine the behaviour of the number field sieve (NFS) in the medium prime case, we notice various patterns that can be exploited to improve the running time of the sieving stage. The contributions of these observations to the computational mathematics community are twofold. Firstly, we clarify the understanding of the true practical effectiveness of the algorithm. Secondly, we propose a test for a better choice of the polynomials used in the NFS. These results are of particular interest to cryptographers as the run-time of the NFS directly determines the security level of some discrete logarithm problem based protocols.

Haihua Gu,GU Dawu,WenLu Xie,LI Sheng,YAN Jiaju

2012-01-01

Abstract:The mathematical security of the RSA cryptosystem is based on the problem of factoring large integers.At present,the number field sieve is the most efficient algorithm known for factoring integers larger than 365 bits,while its time complexity is still sub-exponential.Integers larger than 1024 bits,which are widely used in RSA cryptosystem,cannot be factored by means of the number field sieve.So it is significant to study the number field sieve.Now,the general number field sieve often uses two number fields,while multiple number fields are seldom considered.The general number field sieve,through adaptation,can use three number fields,i.e.two algebraic number fields and one rational number field.Analysis shows that the time complexity of the modified number field sieve and the general number field sieve are at the same level.However,the modified number field sieve can combine more computation,so it can save more time in practice.Finally,the result is verified by two experiments.

N. Benger,Manuel Charlemagne,Kefei Chen

2013-01-01

Abstract:Abstract. During an ongoing examination of the behaviour, in practice, of the Number Field Sieve (NFS) in the medium prime case we have noticed numerous interesting patterns. In this paper we present findings on run-time observations of an aspect of the sieving stage. The contributions of these observations to the computational mathematics community are twofold: firstly, they bring us a step closer to understanding the true practical effectiveness of the algorithm and secondly, they enabled the development of a test for the effectiveness of the polynomials used in the NFS. The results of this work are of particular interest to cryptographers: the run-time of the NFS determines directly the security level of some discrete logarithm problem based protocols, such as those arising in pairing-based cryptography.

Emmanuel Kowalski

DOI: https://doi.org/10.48550/arXiv.math/0610021

2006-10-29

Abstract:We describe a very general abstract form of sieve based on a large sieve inequality which generalizes both the classical sieve inequality of Montgomery (and its higher-dimensional variants), and our recent sieve for Frobenius over function fields. The general framework suggests new applications. We get some first results on the number of prime divisors of ``most'' elements of an elliptic divisibility sequence, and we develop in some detail ``probabilistic'' sieves for random walks on arithmetic groups, e.g., estimating the probability of finding a reducible characteristic polynomial at some step of a random walk on SL(n,Z). In addition to the sieve principle, the applications depend on bounds for a large sieve constant. To prove such bounds involves a variety of deep results, including Property (T) or expanding properties of Cayley graphs, and the Riemann Hypothesis over finite fields. It seems likely that this sieve can have further applications.

Number Theory,Group Theory,Probability

Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

Wen Huang,Zhishuo Zhang,Weixin Zhao,Jian Peng,Yongjian Liao,Yuyu Wang

2024-09-13

Abstract:Solving the discrete logarithm problem in a finite prime field is an extremely important computing problem in modern cryptography. The hardness of solving the discrete logarithm problem in a finite prime field is the security foundation of numerous cryptography schemes. In this paper, we propose the double index calculus algorithm to solve the discrete logarithm problem in a finite prime field. Our algorithm is faster than the index calculus algorithm, which is the state-of-the-art algorithm for solving the discrete logarithm problem in a finite prime field. Empirical experiment results indicate that our algorithm could be more than a 30-fold increase in computing speed than the index calculus algorithm when the bit length of the order of prime field is 70 bits. In addition, our algorithm is more general than the index calculus algorithm. Specifically, when the base of the target discrete logarithm problem is not the multiplication generator, the index calculus algorithm may fail to solve the discrete logarithm problem while our algorithm still can work.

Cryptography and Security

LIU Pei,TENG Ling-ying,SHE Kun,ZHOU Ming-tian

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.16.010

2006-01-01

Abstract:The security basis of the elliptic curve crypto system is analyzed. It is found that there is no efficient method to solve the discrete logarithm problem of non-supersingular with big prime factor over finite field. The high security elliptic curve cryptosystem is constructed by select the appropriate selection of high security elliptic curve over finite field.

Richard Griffon,Philippe Lebacque,Gaël Rémond

2024-05-22

Abstract:We extend the Brauer-Siegel theorem to new families of number fields, both in the classical setting of asymptotically bad families and in the more general framework due to Tsfasman and Vlăduţ of asymptotically exact families. We introduce a notion of Galois complexity for extensions of number fields, and show that the generalized Brauer-Siegel theorem, as conjectured by Tsfasman and Vlăduţ, holds for families in which the complexity does not grow too fast. This allows to unify and extend all previously known results. The crucial step in our work is the proof of a new version -- stated in terms of our Galois complexity -- of a fundamental principle due to Stark descending exceptional zeroes of zeta functions down to quadratic number fields. Among the hitherto unknown cases we are able to treat are the families of number fields contained in the solvable Galois closure of a given number field.

Number Theory

Yuying Man,Sihem Mesnager,Nian Li,Xiangyong Zeng,Xiaohu Tang

2023-09-05

Abstract:Substitution boxes (S-boxes) play a significant role in ensuring the resistance of block ciphers against various attacks. The Difference Distribution Table (DDT), the Feistel Boomerang Connectivity Table (FBCT), the Feistel Boomerang Difference Table (FBDT) and the Feistel Boomerang Extended Table (FBET) of a given S-box are crucial tools to analyze its security concerning specific attacks. However, the results on them are rare. In this paper, we investigate the properties of the power function $F(x):=x^{2^{m+1}-1}$ over the finite field $\gf_{2^n}$ of order $2^n$ where $n=2m$ or $n=2m+1$ ($m$ stands for a positive integer). As a consequence, by carrying out certain finer manipulations of solving specific equations over $\gf_{2^n}$, we give explicit values of all entries of the DDT, the FBCT, the FBDT and the FBET of the investigated power functions. From the theoretical point of view, our study pushes further former investigations on differential and Feistel boomerang differential uniformities for a novel power function $F$. From a cryptographic point of view, when considering Feistel block cipher involving $F$, our in-depth analysis helps select $F$ resistant to differential attacks, Feistel differential attacks and Feistel boomerang attacks, respectively.

Information Theory

Qichun Wang,Haibin Kan

DOI: https://doi.org/10.1007/s10587-010-0055-x

2010-01-01

Abstract:In this paper we generalize the method used to prove the Prime Number Theorem to deal with finite fields, and prove the following theorem:pi(x) = q/q-1 x/log(q)x + q/(q-1)(2) x/log(q)(2)x + O(x/log(q)(3)x), x = q(n) -> infinitywhere pi(x) denotes the number of monic irreducible polynomials in F(q)[t] with norm <= x.

Fengwei Li,Fanhui Meng,Ziling Heng,Qin Yue

DOI: https://doi.org/10.1007/s12095-024-00706-1

2024-03-08

Cryptography and Communications

Abstract:Let be a finite field with q elements, where q is a power of a prime p . In this paper, we obtain an improvement on Weil bounds for character sums associated to a polynomial f ( x ) over , which extends the results of Wan et al. (Des. Codes Cryptogr. 81 , 459–468, 2016) and Wu et al. (Des. Codes Cryptogr. 90 , 2813–2821, 2022).

computer science, theory & methods,mathematics, applied

Haibo Yu,Guoqiang Bai

DOI: https://doi.org/10.1109/ISCAS.2015.7168573

2015-01-01

Abstract:In this paper, we propose an efficient method for integer factorization and it can be a good solution to sieving part of General Number Field Sieve. The mid-size integer factorization module adopts highly parallel structure to save operation time to a great extent. The algorithm used in the factorization module is another highlight that only involves the basic arithmetic operations, which makes for hardware implementation. The major goal of the proposed method is to optimize performance on the aspects of operation time, implemented hardware algorithm and storage space. Additionally, the proposed implementation has absolute advantage at operation speed based on FPGAs, which is of crucial importance for large integer factorization.

Huan Zhou,Xiaoni Du,Xingbin Qiao,Wenping Yuan

2024-09-19

Abstract:Feistel Boomerang Connectivity Table (FBCT) is an important cryptanalytic technique on analysing the resistance of the Feistel network-based ciphers to power attacks such as differential and boomerang attacks. Moreover, the coefficients of FBCT are closely related to the second-order zero differential spectra of the function $F(x)$ over the finite fields with even characteristic and the Feistel boomerang uniformity is the second-order zero differential uniformity of $F(x)$. In this paper, by computing the number of solutions of specific equations over finite fields, we determine explicitly the second-order zero differential spectra of power functions $x^{2^m+3}$ and $x^{2^m+5}$ with $m>2$ being a positive integer over finite field with even characteristic, and $x^{p^k+1}$ with integer $k\geq1$ over finite field with odd characteristic $p$. It is worth noting that $x^{2^m+3}$ is a permutation over $\mathbb{F}_{2^n}$ and only when $m$ is odd, $x^{2^m+5}$ is a permutation over $\mathbb{F}_{2^n}$, where integer $n=2m$. As a byproduct, we find $F(x)=x^4$ is a PN and second-order zero differentially $0$-uniform function over $\mathbb{F}_{3^n}$ with odd $n$. The computation of these entries and the cardinalities in each table aimed to facilitate the analysis of differential and boomerang cryptanalysis of S-boxes when studying distinguishers and trails.

Cryptography and Security,Information Theory

Dante Bonolis,Lillian B. Pierce

2024-09-10

Abstract:Let a polynomial $f \in \mathbb{Z}[X_1,\ldots,X_n]$ be given. The square sieve can provide an upper bound for the number of integral $\mathbf{x} \in [-B,B]^n$ such that $f(\mathbf{x})$ is a perfect square. Recently this has been generalized substantially: first to a power sieve, counting $\mathbf{x} \in [-B,B]^n$ for which $f(\mathbf{x})=y^r$ is solvable for $y \in \mathbb{Z}$; then to a polynomial sieve, counting $\mathbf{x} \in [-B,B]^n$ for which $f(\mathbf{x})=g(y)$ is solvable, for a given polynomial $g$. Formally, a polynomial sieve lemma can encompass the more general problem of counting $\mathbf{x} \in [-B,B]^n$ for which $F(y,\mathbf{x})=0$ is solvable, for a given polynomial $F$. Previous applications, however, have only succeeded in the case that $F(y,\mathbf{x})$ exhibits separation of variables, that is, $F(y,\mathbf{x})$ takes the form $f(\mathbf{x}) - g(y)$. In the present work, we present the first application of a polynomial sieve to count $\mathbf{x} \in [-B,B]^n$ such that $F(y,\mathbf{x})=0$ is solvable, in a case for which $F$ does not exhibit separation of variables. Consequently, we obtain a new result toward a question of Serre, pertaining to counting points in thin sets.

Number Theory

Weitao Xie,Jiayu Zhang,Wei Cao

DOI: https://doi.org/10.3934/math.20241141

2024-01-01

AIMS Mathematics

Abstract:Let $ \mathbb{F}_q $ be the finite field of $ q $ elements, and $ \mathbb{F}_{q^{n}} $ its extension of degree $ n $. A normal basis of $ \mathbb{F}_{q^{n}} $ over $ \mathbb{F}_q $ is a basis of the form $ \{\alpha, \alpha^{q}, \cdots, \alpha^{q^{n-1}}\} $. Some problems on normal bases can be finally reduced to the determination of the irreducible factors of the polynomial $ x^{n}-1 $ in $ \mathbb{F}_q $, while the latter is closely related to the cyclotomic polynomials. Denote by $ \mathfrak{F}(x^{n}-1) $ the set of all distinct monic irreducible factors of $ x^{n}-1 $ in $ \mathbb{F}_q $. The criteria for \begin{document}$ |\mathfrak{F}(x^{n}-1)|\leq 2 $\end{document} have been studied in the literature. In this paper, we provide the sufficient and necessary conditions for \begin{document}$ |\mathfrak{F}(x^{n}-1)| = s, $\end{document} where $ s $ is a positive integer by using the properties of cyclotomic polynomials and results from the Diophantine equations. As an application, we obtain the sufficient and necessary conditions for \begin{document}$ |\mathfrak{F}(x^{n}-1)| = 3, 4, 5. $\end{document}

mathematics, applied

P.R. Mishra,Yogesh Kumar,Susanta Samanta,Atul Gaur

DOI: https://doi.org/10.1007/978-3-031-71073-5_9

2024-09-23

Abstract:The notion of branch numbers of a linear transformation is crucial for both linear and differential cryptanalysis. The number of non-zero elements in a state difference or linear mask directly correlates with the active S-Boxes. The differential or linear branch number indicates the minimum number of active S-Boxes in two consecutive rounds of an SPN cipher, specifically for differential or linear cryptanalysis, respectively. This paper presents a new algorithm for computing the branch number of non-singular matrices over finite fields. The algorithm is based on the existing classical method but demonstrates improved computational complexity compared to its predecessor. We conduct a comparative study of the proposed algorithm and the classical approach, providing an analytical estimation of the algorithm's complexity. Our analysis reveals that the computational complexity of our algorithm is the square root of that of the classical approach.

Cryptography and Security

Yu-Ao Chen,Xiao-Shan Gao,Chun-Ming Yuan

DOI: https://doi.org/10.48550/arXiv.1802.03856

2018-10-07

Abstract:In this paper, we give quantum algorithms for two fundamental computation problems: solving polynomial systems over finite fields and optimization where the arguments of the objective function and constraints take values from a finite field or a bounded interval of integers. The quantum algorithms can solve these problems with any given success probability and have polynomial runtime complexities in the size of the input, the degree of the inequality constraints, and the condition number of certain matrices derived from the problem. So, we achieved exponential speedup for these problems when their condition numbers are small. As applications, quantum algorithms are given to three basic computational problems in cryptography: the polynomial system with noise problem, the short integer solution problem, the shortest vector problem, as well as the cryptanalysis for the lattice based NTRU cryptosystem. It is shown that these problems and NTRU can against quantum computer attacks only if their condition numbers are large, so the condition number could be used as a new criterion for the lattice based post-quantum cryptosystems.

Symbolic Computation,Computational Complexity,Cryptography and Security,Quantum Physics

Luyao Xu,Zhengyi Dai,Baofeng Wu,Dongdai Lin

DOI: https://doi.org/10.46586/tches.v2023.i2.568-586

2023-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Lattice reduction algorithms have been proved to be one of the most powerful and versatile tools in public key cryptanalysis. In this work, we primarily concentrate on lattice attacks against (EC)DSA with nonce leakage via some sidechannel analysis. Previous works relying on lattice reduction algorithms such as LLL and BKZ will finally lead to the “lattice barrier”: lattice algorithms become infeasible when only fewer nonce is known. Recently, Albrecht and Heninger introduced lattice algorithms augmented with a predicate and broke the lattice barrier (Eurocrypt 2021). We improve their work in several aspects. We first propose a more efficient predicate algorithm which aims to search for the target lattice vector in a large database. Then, we combine sieving with predicate algorithm with the “dimensions for free” and “progressive sieving” techniques to further improve the performance of our attacks. Furthermore, we give a theoretic analysis on how to choose the optimal Kannan embedding factor. As a result, our algorithm outperforms the state-of-the-art lattice attacks for existing records such as 3-bit nonce leakage for a 256-bit curve and 2-bit nonce leakage for a 160-bit curve in terms of running time, sample numbers and success probability. We also break the lattice records on the 384-bit curve with 3-bit nonce leakage and the 256-bit curve with 2-bit nonce leakage which are thought infeasible previously. Finally, we give the first lattice attack against ECDSA with a single-bit nonce leakage, which enables us to break a 112-bit curve with 1-bit nonce leakage in practical time.