Discrete logarithm records

Discrete logarithm records are the best results achieved to date in solving the discrete logarithm problem, which is the problem of finding solutions x to the equation gx = h given elements g and h of a finite cyclic group G. The difficulty of this problem is the basis for the security of several cryptographic systems, including Diffie–Hellman key agreement, ElGamal encryption, the ElGamal signature scheme, the Digital Signature Algorithm, and the elliptic curve cryptography analogs of these. Common choices for G used in these algorithms include the multiplicative group of integers modulo p, the multiplicative group of a finite field, and the group of points on an elliptic curve over a finite field.

Integers modulo p

On 18 June 2005, Antoine Joux and Reynald Lercier announced the computation of a discrete logarithm modulo a 130-digit (431-bit) strong prime in three weeks, using a 1.15 GHz 16-processor HP AlphaServer GS1280 computer and a number field sieve algorithm.[1]

On 5 February 2007 this was superseded by the announcement by Thorsten Kleinjung of the computation of a discrete logarithm modulo a 160-digit (530-bit) safe prime, again using the number field sieve. Most of the computation was done using idle time on various PCs and on a parallel computing cluster.[2]

On 11 June 2014, Cyril Bouvier, Pierrick Gaudry, Laurent Imbert, Hamza Jeljeli and Emmanuel Thomé announced the computation of a discrete logarithm modulo a 180 digit (596-bit) safe prime using the number field sieve algorithm.[3]

Finite fields

The current record (as of January 2014) in a finite field of characteristic 2 was announced by Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel on 31 January 2014. This team was able to compute discrete logarithms in GF(29234) using about 400,000 core hours. New features of this computation include a modified method for obtaining the logarithms of degree two elements and a systematically optimized descent strategy.[4]

Previous records in a finite field of characteristic 2 were announced by:

The current record (as of 2014) in a finite field of characteristic 2 of prime degree was announced by Thorsten Kleinjung on 17 October 2014. The calculation was done in a field of 21279 elements and followed essentially the path sketched for \mathbb{F}_{2^{4 \cdot 1223}} in [10] with two main exceptions in the linear algebra computation and the descent phase. The total running time was less than four core years.[11] The previous record in a finite field of characteristic 2 of prime degree was announced by the CARAMEL group on April 6, 2013. They used the function field sieve to compute a discrete logarithm in a field of 2809 elements.[12]

The current record for a field of characteristic 3 is given in the full version of the Asiacrypt 2014 paper of Joux and Pierrot (December 2014).[13] The DLP is solved in the field GF(35 · 479), which is a 3796-bit field. This work did not exploit any "special" aspects of the field such as Kummer or twisted-Kummer properties. The total computation took less than 8600 CPU-hours. The previous record was announced by Gora Adj, Alfred Menezes, Thomaz Oliveira, and Francisco Rodríguez-Henríquez on 26 February 2014, updating a previous announcement on 27 January 2014. The computation solve DLP in the 1551-bit field GF(36 · 163), taking 1201 CPU hours. [14][15] The previous record was announced in 2012 by a joint Fujitsu, NICT, and Kyushu University team, that computed a discrete logarithm in the field of 36 · 97 elements and a size of 923 bits,[16] using a variation on the function field sieve and beating the previous record in a field of 36 · 71 elements and size of 676 bits by a wide margin.[17]

Over fields of "moderate"-sized characteristic, notable computations as of 2005 included those a field of 6553725 elements (401 bits) announced on 24 Oct 2005, and in a field of 37080130 elements (556 bits) announced on 9 Nov 2005.[18] The current record (as of 2013) for a finite field of "moderate" characteristic was announced on 6 January 2013. The team used a new variation of the function field sieve for the medium prime case to compute a discrete logarithm in a field of 3334135357 elements (a 1425-bit finite field).[19][20] The same technique had been used a few weeks earlier to compute a discrete logarithm in a field of 3355377147 elements (an 1175-bit finite field).[20][21]

On 25 June 2014, Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, and François Morain announced a new computation of a discrete logarithm in a finite field whose order has 160 digits and is a degree 2 extension of a prime field.[22] The algorithm used was the number field sieve (NFS), with various modifications. The total computing time was equivalent to 68 days on one core of CPU (sieving) and 30 hours on a GPU (linear algebra).

Elliptic curves

Certicom Corp. has issued a series of Elliptic Curve Cryptography challenges. Level I involves fields of 109-bit and 131-bit sizes. Level II includes 163, 191, 239, 359-bit sizes. All Level II challenges are currently believed to be computationally infeasible.[23]

The Level I challenges which have been met are:[24]

None of the 131-bit (or larger) challenges have been met as of 2010.

In July 2009, Joppe W. Bos, Marcelo E. Kaihara, Thorsten Kleinjung, Arjen K. Lenstra and Peter L. Montgomery announced that they had carried out a discrete logarithm computation on an elliptic curve modulo a 112-bit prime. The computation was done on a cluster of over 200 PlayStation 3 game consoles over about 6 months. They used the common parallelized version of Pollard rho method.[25]

In April 2014, Erich Wenger and Paul Wolfger from Graz University of Technology solved the discrete logarithm of a 113-bit Koblitz curve in extrapolated 24 days using an 18-core Virtex-6 FPGA cluster.[26]

In January 2015, Erich Wenger and Paul Wolfger from Graz University of Technology solved the discrete logarithm of an ellipic curve defined over a 113-bit binary field. The average runtime is around 82 days using a 10-core Kintex-7 FPGA cluster. [27]

References

  1. Antoine Joux, “Discrete logarithms in GF(p) – 130 digits,” June 18, 2005.
  2. Thorsten Kleinjung, “Discrete logarithms in GF(p) – 160 digits,” February 5, 2007.
  3. Cyril Bouvier, Pierrick Gaudry, Laurent Imbert, Hamza Jeljeli and Emmanuel Thomé, "Discrete logarithms in GF(p) – 180 digits"
  4. Jens Zumbrägel, "Discrete Logarithms in GF(2^9234)", 31 January 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;9aa2b043.1401.
  5. Antoine Joux, "Discrete logarithms in GF(26168) [=GF((2257)24)]", May 21, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1305&L=NMBRTHRY&F=&S=&P=3034.
  6. Antoine Joux. A new index calculus algorithm with complexity $L(1/4+o(1))$ in very small characteristic, 2013, http://eprint.iacr.org/2013/095
  7. Antoine Joux, "Discrete logarithms in GF(24080)", Mar 22, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1303&L=NMBRTHRY&F=&S=&P=13682.
  8. Faruk Gologlu et al., On the Function Field Sieve and the Impact of Higher Splitting Probabilities: Application to Discrete Logarithms in \mathbb{F}_{2^{1971}}, 2013, http://eprint.iacr.org/2013/074.
  9. Antoine Joux, "Discrete logarithms in GF(21778)", Feb. 11, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1302&L=NMBRTHRY&F=&S=&P=2317.
  10. Granger, Robert, Thorsten Kleinjung, and Jens Zumbrägel. “Breaking `128-Bit Secure’ Supersingular Binary Curves (or How to Solve Discrete Logarithms in {\mathbb F}_{2^{4 \cdot 1223}} and {\mathbb F}_{2^{12 \cdot 367}}).” arXiv:1402.3668 [cs, Math], February 15, 2014. http://arxiv.org/abs/1402.3668.
  11. Thorsten Kleinjung, 2014 October 17, "Discrete Logarithms in GF(2^1279)", https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;256db68e.1410.
  12. The CARAMEL group: Razvan Barbulescu and Cyril Bouvier and Jérémie Detrey and Pierrick Gaudry and Hamza Jeljeli and Emmanuel Thomé and Marion Videau and Paul Zimmermann, “Discrete logarithm in GF(2809) with FFS”, April 6, 2013, http://eprint.iacr.org/2013/197.
  13. http://www-polsys.lip6.fr/~pierrot/papers/Simplified%20Frob%20Rep.pdf
  14. Francisco Rodríguez-Henríquez, “Announcement,” 27 January 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;763a9e76.1401.
  15. Gora Adj and Alfred Menezes and Thomaz Oliveira and Francisco Rodríguez-Henríquez, "Computing Discrete Logarithms in F_{3^{6*137}} and F_{3^{6*163}} using Magma", 26 Feb 2014, http://eprint.iacr.org/2014/057.
  16. Kyushu University, NICT and Fujitsu Laboratories Achieve World Record Cryptanalysis of Next-Generation Cryptography, 2012, http://www.nict.go.jp/en/press/2012/06/PDF-att/20120618en.pdf.
  17. Takuya Hayashi et al., Solving a 676-bit Discrete Logarithm Problem in GF(36n), 2010, http://eprint.iacr.org/2010/090.
  18. A. Durand, “New records in computations over large numbers,” The Security Newsletter, January 2005, http://eric-diehl.com/letter/Newsletter1_Final.pdf.
  19. Antoine Joux, “Discrete Logarithms in a 1425-bit Finite Field,” January 6, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1301&L=NMBRTHRY&F=&S=&P=2214.
  20. 20.0 20.1 Faster index calculus for the medium prime case. Application to 1175-bit and 1425-bit finite fields, Eprint Archive, http://eprint.iacr.org/2012/720
  21. Antoine Joux, “Discrete Logarithms in a 1175-bit Finite Field,” December 24, 2012, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1212&L=NMBRTHRY&F=&S=&P=13902.
  22. Razvan Barbulescu, “Discrete logarithms in GF(p^2) --- 160 digits,” June 24, 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;2ddabd4c.1406.
  23. Certicom Corp., “The Certicom ECC Challenge,” http://www.certicom.com/index.php/the-certicom-ecc-challenge.
  24. Certicom Research, Certicom ECC Challenge (Certicom Research, November 10, 2009), http://www.certicom.com/images/pdfs/challenge-2009.pdf.
  25. Joppe W. Bos and Marcelo E. Kaihara, “PlayStation 3 computing breaks 2^60 barrier: 112-bit prime ECDLP solved,” EPFL Laboratory for cryptologic algorithms - LACAL, http://lacal.epfl.ch/112bit_prime
  26. Erich Wenger and Paul Wolfger, “Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster” http://eprint.iacr.org/2014/368
  27. Erich Wenger and Paul Wolfger, “Harder, Better, Faster, Stronger - Elliptic Curve Discrete Logarithm Computations on FPGAs” http://eprint.iacr.org/2015/143/