
Does anyone know if the discrete log problem of these small prime fields: Goldilocks, Babybear, Mersenne31, has been solved?

If not, is there a small prime field in which the discrete log of any element can be computed in poly-logarithmic time of the order of the field?

Quote from https://blog.icme.io/small-fields-for-zero-knowledge/

  • Polygon's 'Plonky2' uses a field defined as $p = 2^{64} - 2^{32} + 1$, which is called the Goldilocks field.
  • The zkVM Risc0 uses a smaller field called BabyBear defined as: $p = 15 \cdot 2^{27} + 1$.
  • Plonky3: utilizes one even smaller Mersenne31: $p = 2^{31} - 1$ (1772, Leonhard Euler)
kelalaka
Jason

1 Answer


The DLP in these small prime fields is quite easy. E.g. for $p=2^{64}-2^{32}+1$, the largest prime factor of $p-1$ is $q=65537$, thus the Pohlig–Hellman algorithm applies, and its cost is dominated by computing the DLP in a subgroup of that order $q$, requiring in the order of $2^{17}$ modular multiplications. That can be done in a fraction of a second by a single PC.

The current record is a 795-bit $p$, and with $(p-1)/2$ prime, which makes the problem much more difficult. See this related question and e.g. this reference an answer gives.

However, solving the DLP in a prime field $\mathbb F_p$ does not imply solving the DLP in field $\mathbb F_{p^k}$ for suitably large $k$, much less in an elliptic curve group over such kind of field, which is what the linked article is about.

fgrieu
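As an added worked example (not code from the question, the answer, or any of the projects named), here is the Pohlig–Hellman computation the answer describes, in Python, run over all three fields. It factors $p-1$ by trial division (all prime factors are small, as the answer notes), picks the smallest generator of $\mathbb F_p^*$, forms $h = g^x$ for a constructed exponent $x$, and recovers $x$. Subgroup logs use baby-step giant-step, so the largest subgroup for Goldilocks ($q = 65537$) needs only about $2\sqrt{q} \approx 512$ multiplications, well under the $2^{17}$ the answer cites. The generator search, the constructed exponent and the Python ≥ 3.8 requirement (`pow(x, -1, m)`) are this example's own choices.

```python
"""Pohlig-Hellman discrete log in the multiplicative group of the small ZK fields.
Added illustration; assumes Python >= 3.8 for pow(base, -1, mod)."""
from math import isqrt

GOLDILOCKS = 2**64 - 2**32 + 1   # p - 1 = 2^32 * 3 * 5 * 17 * 257 * 65537
BABYBEAR = 15 * 2**27 + 1        # p - 1 = 2^27 * 3 * 5
MERSENNE31 = 2**31 - 1           # p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331


def factor_small(n):
    """Trial division; adequate here because p-1 has only small prime factors."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def find_generator(p, factors):
    """Smallest g generating all of F_p^* (g^((p-1)/q) != 1 for every prime q | p-1)."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in factors):
            return g
    raise ValueError("no generator found")


def bsgs(g, h, q, p):
    """Baby-step giant-step in the subgroup of prime order q generated by g.
    Returns x in [0, q) with g^x = h (mod p), using about 2*sqrt(q) group ops."""
    m = isqrt(q) + 1
    baby = {}
    cur = 1
    for j in range(m):                 # baby steps: g^0 .. g^(m-1)
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -m, p)              # giant step multiplies by g^(-m)
    cur = h
    for i in range(m):
        if cur in baby:
            return (i * m + baby[cur]) % q
        cur = cur * giant % p
    raise ValueError("h is not in the subgroup generated by g")


def dlog_prime_power(g, h, q, e, p):
    """Discrete log in the subgroup of order q^e, one base-q digit at a time."""
    x = 0
    gamma = pow(g, q ** (e - 1), p)    # element of order exactly q
    for k in range(e):
        # (g^-x * h) has order dividing q^(e-k); raising it to q^(e-1-k)
        # lands in <gamma>, whose log is the next base-q digit of x.
        hk = pow(pow(g, -x, p) * h % p, q ** (e - 1 - k), p)
        x += bsgs(gamma, hk, q, p) * q ** k
    return x


def pohlig_hellman(g, h, p, factors=None):
    """Discrete log of h to base g in F_p^*, for g a generator of order p-1."""
    n = p - 1
    factors = factors or factor_small(n)
    x, mod = 0, 1
    for q, e in factors.items():
        qe = q ** e
        r = dlog_prime_power(pow(g, n // qe, p), pow(h, n // qe, p), q, e, p)
        # Chinese remainder step: merge x (mod mod) with r (mod qe)
        x += mod * (((r - x) * pow(mod, -1, qe)) % qe)
        mod *= qe
    return x % n


def recover_dlog(p, x):
    """Pick a generator g, form h = g^x, and recover x with Pohlig-Hellman."""
    factors = factor_small(p - 1)
    g = find_generator(p, factors)
    h = pow(g, x, p)
    return pohlig_hellman(g, h, p, factors)


if __name__ == "__main__":
    import time
    for name, p in (("Goldilocks", GOLDILOCKS), ("BabyBear", BABYBEAR),
                    ("Mersenne31", MERSENNE31)):
        x = 0x1234_5678_9ABC_DEF0 % (p - 1)     # constructed secret exponent
        t0 = time.perf_counter()
        ok = recover_dlog(p, x) == x
        print(f"{name}: p-1 = {factor_small(p - 1)}, recovered={ok}, "
              f"{time.perf_counter() - t0:.3f}s")
```

Running it prints the factorisation of $p-1$ for each field and a sub-second recovery time, which is the concrete form of the answer's "fraction of a second by a single PC". The same code says nothing about $\mathbb F_{p^k}$ or about elliptic-curve groups over these fields, where $p-1$ smoothness gives no such shortcut.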