Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [number-field-sieve]

The number field sieve is an index calculus algorithm suitable both for factoring large numbers and computing discrete logarithms in prime fields. It is currently the most effective, general, classical algorithm for solving these problems.

The number field sieve is an index calculus algorithm suitable both for factoring large numbers and computing discrete logarithms in prime fields. It is currently the most effective, general, classical algorithm for solving these problems. In particular the records for the largest RSA challenge and large discrete logarithm challenge were both solved with the number fields sieve. There is a also a special form of the algorithm that is particularly effective against numbers with structure, in particular numbers with sparse binary representations may admit a special number field sieve attack.

13 questions
6
votes
0 answers

Precomputation attacks against ECDH

Diffie-Hellman groups are vulnerable to sieving precomputation attacks. These attacks allow a one-time computation against a given DH modulus that makes it practical to attack all subsequent key negotiation operations using the same group. It is…
forest
  • 15,626
  • 2
  • 49
  • 103
6
votes
0 answers

What are the theoretical memory requirements for these factoring algotihms?

Given an $n$ bit integer quadratic sieve takes $L(\frac12,1+o(1))$ time and number field sieve takes $L(\frac13,1.922)$ time where $L$ notation is given in https://en.wikipedia.org/wiki/L-notation. What are the theoretical memory requirements for…
Turbo
  • 1,045
  • 6
  • 15
4
votes
0 answers

Is the matrix step of GNFS still the hardest part?

When the factorization of RSA-768 was announced in December 2009: the sieving took about 24 months and the matrix step took 119 days (4 months). So sieving took about 6 times as long. This is despite them over-sieving, meaning they spent longer on…
Nike Dattani
  • 201
  • 3
  • 15
4
votes
1 answer

How did they factor RSA 240?

Since NFS runs in essentially $n^{1/3}$ time, and RSA-240 is a composite of two 120-digit primes, shouldn't this have taken at least $10^{40}$ operations, not including any overhead? Even if you could do say $10^{20}$ ops / s as modern…
The Yomster
  • 43
  • 5
3
votes
2 answers

In which case number field sieve/index calculus is faster for solving discrete logarithm?

Given the normal discrete logarithm problem: $$a = b^c \mod{P}$$ with prime $P$ and numbers $a,b,c$ For which kind of $P,b$ the NFS/IC algorithm is faster than Baby-Step/Giant-Step+ Pollard's Rho ($\approx \mathcal{O}(\sqrt{q}) $)? (with $q$ the…
J. Doe
  • 463
  • 4
  • 15
3
votes
0 answers

Subexponential algorithms that apply only one of factoring and discrete logarithm?

Shor (quantum polynomial), Number Field Sieve (subexponential), Pollard rho (square root) all have both factoring and discrete logarithm over $\mathbb F_p^*$ variants. What are the subexponential techniques that only applies to balanced semiprime…
Turbo
  • 1,045
  • 6
  • 15
3
votes
1 answer

Combining Hellman Pohlig with Sieve

Suppose integer $m$ has $\phi(m)=2pq^5r^2$ where $p,q,r$ are primes. Hellman-Pohlig says that finding discrete log $z\bmod p$, $z\bmod q^5$, $z\bmod r^2$ and $z\bmod 2$ suffices to find $z\bmod\phi(m)$ in $g^z=h\bmod m$. It could be that $p,q^5,r^2$…
Turbo
  • 1,045
  • 6
  • 15
3
votes
1 answer

SNFS: Quantifying the "small" parameters?

The special number field sieve (SNFS) is an algorithm to calculate discrete logarithms and to factor numbers, given that the target has a special structure. Now, all ressources always say something like The special number field sieve is efficient…
SEJPM
  • 46,697
  • 9
  • 103
  • 214
2
votes
1 answer

Quadratic sieve for DLOG performance - theory vs actual?

Is there any report on comparing quadratic and number field sieve performance in theory vs actual data for discrete logarithm over primes? Is actual data better than theory in any way unexplained (I think I read this somewhere and cannot…
Turbo
  • 1,045
  • 6
  • 15
2
votes
0 answers

Is there any concrete working example for Function Field Sieve method?

I'm new to Function Field Sieve(FFS) (Number Field Sieve(NFS) as well) method and I'm finding it is quite difficult to understand it (especially concepts of valuation at infinity, Ca,b curves etc.) I have read these papers: (Leonard Adleman 1994:…
Tanmay Sharma
  • 193
  • 1
  • 1
  • 6
1
vote
2 answers

Complexity of number field sieve theorem does not match with security of elliptic curves

Number field sieve algorithm can is used to break discrete logarithm on field $F_{p^n}$. The algorithm has time complexity $\exp((c+o(1))\cdot(\log p^n)^{1/3}\cdot(\log \log p^n)^{2/3}$. Originally the constant $c$ is $(64/9)^{1/3} = 1.92$. Due to…
satya
  • 1,484
  • 10
  • 32
1
vote
1 answer

Does the ability to factor in polynomial time give you smooth numbers in the number field sieve?

I have read that despite strong connections between prime factorization and DLP an algorithm for the former does not imply the latter directly. But I was reading about the number field sieve and it seemed like the bottleneck was identifying smooth…
Ian Campbell
  • 11
  • 1
0
votes
1 answer

Does the ability to solve modular square roots without factorization would allow factorizing semiprime in a more efficent way than using the gnfs?

The gnfs is a fast sieving method for factorizing integers, but as soon as the integer to factor is more than 900 bits long factoring tends to become too costly. I just read having a modular square root Oracle would allow factorizing any semiprimes,…
user2284570
  • 324
  • 4
  • 19