|
2020-03-02, 07:34
|
#1 |
Nov 2003
22·5·373 Posts |
Query on DL
Does anyone know how long the new Bos et.al. discrete log algorithm would take to solve
a single DL problem over (say) GF(2^1277)??? There is a reason for this query which I will reveal shortly. |
|
|
|
2020-03-02, 08:01
|
#2 | |
|
Nov 2003
22·5·373 Posts |
Criticisms, Please!
Quote:
Suppose we want to factor N = p^n-1, with p prime and n large. Consider F = GF(p^n). Take a square S = s^2 in this field, and an integer b coprime to p^n-1. Compute the DL t of s^2 to the base b and hope that it is even. We designate this as t = DL_b(s^2) We have b^t = s^2 mod p^n-1 whence GCD(b^(t/2) - s, N) splits N. To factor p^n+1,, work over GF(p^(2n)). We "expect" that half the time the GCD will split p^n+1 and half the time it will split p^n-1. ?????? Questions. (1) What is the probability that s^2 is in the orbit of b, so that the DL actually exists? Note that once we compute DL_b(s^2) changing base is easy. The probability is bounded above by 1/(2n). Its value is 1/(2n * pi^2/6) This follows from the Carmichael function Lambda(N): (Lambda = LCM(r-1, s-1), r-1, s-1 both divisible by 2n) Therefore we should need to solve pi^2 n/3 = O(log N) separate DL problems to find a value of S that works. This yields a run time of O(log N L(N, 1/4)) where N is the standard L function. This may be practical if the Bos algorithm is fast enough. It is asymptotically faster than NFS. (2) What is the probability that t is even? If it is odd the method fails. However, if t is odd it is possible to trivially change to a different base. See below. (3) For N = p^n+1, what is the probability that the GCD splits p^n+1, rather than p^n-1? Note that we can not take s^2 = 1. If N = rs with r,s prime, there is only one Sylow subgroup of order r and one of order s. The odds that b will lie in one of these subgoups is 1/r + 1/s. If b does not lie in one of these subgroups the DL will maximal, i.e. p^n-1 and the factorization will be trivial. Finding an element whose order is less than maximal will be nigh-to-impossible; one might as well try trial division by randomly chose integers. Note that the Bos algorithm makes computing the DL for such fields rather easy. L(N, 1/4) IIRC. In case t is odd we can change the base b very easily. Log_B(A) = log_b(A)/log_b(B) , therefore Given log_b(s^2), we want log_c(s^2) so we copute log_b(s^2)/log_b(c) The DL algorithm yields the log of all the factor base primes as one of its outputs so there are lots of choices for the base change. Comments? Please note that I do not have any DL software or I would try this myself. Does Pari have a DL function and can it handle kilobit sized fields? |
|
|
|
|
|
2020-03-02, 17:02
|
#3 | |
"Marv"
May 2009
near the Tannhäuser Gate
2·3·109 Posts |
Quote:
elllog, fflog, and znlog My experience with Pari is that the main ( only? ) limitation on field size is your physical ram. For instance, I have computed some megabyte-sized numbers. Commands will need to be entered before computations begin to increase its allowed maximum ram usage. Last fiddled with by tServo on 2020-03-02 at 17:03 |
|
|
|
|
|
2020-03-02, 18:34
|
#4 | |
|
Nov 2003
22×5×373 Posts |
Quote:
characteristic of the field! This doesn't work very well for characteristic 2. Idiot. Last fiddled with by R.D. Silverman on 2020-03-02 at 18:47 |
|
|
|
|
|
2020-03-10, 00:30
|
#5 | |
Aug 2017
100112 Posts |
Quote:
We want to factorize 7^3-1. 7^3-1 factorizes in Mersenne Prime exponents 2.3^2.19. What do we learn from this? 342 is in the Mersenne-field. When you have checked this, you are ready to go further. |
|
|
|
|
|
2020-03-10, 00:37
|
#6 | |
|
Aug 2017
1910 Posts |
Quote:
19936 = 2^5.7.89 do you see the connections now? |
|
|
|
|
|
2020-03-10, 01:11
|
#7 | |||
|
Nov 2003
22·5·373 Posts |
Quote:
Quote:
Quote:
|
|||
|
|
|
|
2020-03-10, 01:25
|
#8 | |
|
Nov 2003
746010 Posts |
Quote:
What I suggested does work. Sort of. If one can find discrete logs quickly in Z/NZ one can indeed factor N quite quickly. One mistake that I made is that the fast DL algorithm of Bos et.al. does not work in Z/NZ. The Bos method works in GF(p^q). Indeed, The only integers that exist in GF(p^q) must be less than p. I.E. they must lie in the ground field. For GF(2^p) the only integers are 0 & 1. One can't compute the DL of s^2 to the base b as I suggested because neither s^2 nor b exist. As I put my presentation together I started by working in GF(p^q), but then [confusion on my part; Idiot] started working in Z/(p^q-1)Z. There is no isomorphism between the ring and the field. If one can find DL quickly in the ring one can indeed factor p^q-1. One should not do an ad hoc presentation in the manner that I did. |
|
|
|
|
 |
| Thread Tools | |
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Query: Notation | R.D. Silverman | FactorDB | 7 | 2021-06-02 09:47 |
| Query about age of assignment | GARYP166 | Information & Answers | 11 | 2010-08-27 18:46 |
| Current Work & A Query | R.D. Silverman | Cunningham Tables | 30 | 2008-09-17 17:08 |
| Query: Point Addition | R.D. Silverman | GMP-ECM | 1 | 2007-12-04 16:41 |
| Query for George about ERROR 3 | garo | PrimeNet | 17 | 2005-10-18 21:01 |
