|
2013-08-06, 22:41
|
#1 | |
Jan 2005
Caught in a sieve
5·79 Posts |
How hard is Discrete Logarithm, really? (Joux's Algorithm)
Possibly not as hard as we thought!
http://www.technologyreview.com/news...curity-crisis/ Quote:
Does this mean we'll soon have faster sieves? (I'm guessing there's a good chance?) This all seems to stem from Joux's algorithm and a related paper, which I only found reference to in a Soap Box thread. |
|
|
|
|
2013-08-07, 02:10
|
#2 |
Aug 2006
175B16 Posts |
Can any of our crypto experts weigh in here? I would have thought that the restrictions to small characteristics would have been too strong for this algorithm to be used for cryptanalysis. Don't most schemes (ElGamal, Diffie-Hellman, DSA) use
Last fiddled with by CRGreathouse on 2013-08-07 at 02:11 |
|
|
|
|
2013-08-07, 12:32
|
#3 | ||
Nov 2003
22×5×373 Posts |
Quote:
end of DL based crypto is just that: random speculation. Further, even for fields such as (say) GF(2^607), we don't know if the improvement makes attacks on such field(s) practical. The improvement does not seem applicable to NFS at all. Quote:
|
||
|
|
|
|
2013-08-07, 21:57
|
#4 |
|
Aug 2006
3·1,993 Posts |
 This is why I love this forum. |
|
|
|
|
2013-08-07, 23:15
|
#5 | |
|
Nov 2003
22·5·373 Posts |
Quote:
know the subject material. NFS was first developed for the IFP. It was then modified to be applicable to DL over (large!) prime fields. It was not directly applicable to extension fields. Enter the function field sieve (and Coppersmith's algorithm [for p =2]). It handles GF(p^n) for large n and relatively small p. Various improvements have allowed attacks on larger p and somewhat smaller n, but the FFS is not applicable to large prime fields. Historically, the algorithms have been driven by attacks on IFP then adapted to DL. Further, the IFP attacks have applied only to prime fields. The random speculation arises from people who think that somehow an improvement for small characteristic fields will translate to large prime fields (thus making RSA & DH more vulnerable). Historically, it's been the other way around. |
|
|
|
|
|
2013-08-08, 02:33
|
#6 | |
"Kyle"
Feb 2005
Somewhere near M52..
3·5·61 Posts |
Quote:
Last fiddled with by Primeinator on 2013-08-08 at 02:34 |
|
|
|
|
|
2014-05-17, 17:07
|
#7 | ||
|
Jan 2005
Caught in a sieve
5·79 Posts |
It's baaaack!
Quote:
Quote:
 Edit: And if it's any significant improvement over the previous result?
Last fiddled with by Ken_g6 on 2014-05-17 at 17:08 |
||
|
|
|
|
2014-05-17, 19:23
|
#8 | |
|
Nov 2003
22×5×373 Posts |
Quote:
I have already read it. It has almost zero impact on applied cryptography. |
|
|
|
|
|
2014-05-18, 21:55
|
#9 | |
"Phil"
Sep 2002
Tracktown, U.S.A.
3×373 Posts |
Quote:
|
|
|
|
|
|
2014-05-18, 22:12
|
#10 | |
|
Nov 2003
22×5×373 Posts |
Quote:
days ago. Why, I don't know. The implications were already discussed last August. There is virtually no impact on cryptography. DH does not use high-degree low characteristic fields. ECDSA & EL-GAMAL can, but it is not required. The use of these two is rather rare. (especially the latter). Crypto Suite B contains no algorithms that depends on DL over finite fields. I still have not seen a discussion anywhere as to whether the improvement is practical. We all know how implementation overhead can kill an algorithm, even one with reduced asymptotic complexity. |
|
|
|
|
|
2014-05-20, 18:42
|
#11 | |
|
Aug 2006
135338 Posts |
Quote:
http://arxiv.org/abs/1402.3668 |
|
|
|
|
 |
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Help with discrete logarithm | pinnn | Information & Answers | 43 | 2021-03-18 15:40 |
| GDLOG discrete logarithm usage example | xkyve | Information & Answers | 38 | 2014-07-14 15:59 |
| Discrete logarithm software | Unregistered | Information & Answers | 39 | 2012-04-27 20:08 |
| Solving discrete logarithm in 2 variables | Coffenator | Information & Answers | 16 | 2007-10-03 21:01 |
| Discrete logarithm mod Mersenne primes? | Unregistered | Information & Answers | 0 | 2006-08-27 15:32 |
