

Section: New Results

A Kilobit Hidden SNFS Discrete Logarithm Computation

Participants: Pierrick Gaudry, Emmanuel Thomé [contact].

In collaboration with Josh Fried and Nadia Heninger from the University of Pennsylvania, we worked on discrete logarithm computation modulo primes of a special form, amenable to computation with the Special Number Field Sieve (SNFS). Our original interest in this question came from the observation that primes which are conspicuous SNFS targets are found in the wild, as we had observed in the context of the Logjam attack in 2015. We first ran a test computation in March on such a prime, p = 2^784 - 2^28 + 1027679, found in the LibTomCrypt library (for modern cryptographic uses, such a prime undoubtedly qualifies as "not good"). Based on the computational data obtained, and on further work, we expanded to larger sizes. We crafted a 1024-bit prime chosen as a "best case" for SNFS, yet with the property that this SNFS-optimality cannot be detected from the prime alone. We call such primes "trapdoored primes". We showed that computing discrete logarithms modulo trapdoored 1024-bit primes is entirely feasible. In the article [18], we also showed that primes found in the wild (e.g., in RFC 5114) could plausibly be trapdoored primes, given that no justification of their origin is provided. In fact, while cryptographic best practice is to make "rigid" (verifiably derived) choices whenever random-looking values are fixed publicly, the sad truth is that random data lacking a justification is found quite often.
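As an added illustration of what "conspicuous SNFS target" means (example code written for this page, not code from [18] or from Cado-NFS), the following Python script looks for expansions p = f(2^k) with a low-degree f whose coefficients are tiny compared with 2^k. It flags the LibTomCrypt prime above (with m = 2^112 it reads m^7 - (2^28 - 1027679)) and finds nothing for a constructed pseudo-random 784-bit stand-in. The function names, the 32-bit coefficient bound and the window of bases searched are choices made here, not parameters from the paper. The check is one-sided: it catches primes whose SNFS-friendliness is visible in their binary expansion, and says nothing about a trapdoored prime, whose SNFS polynomial is precisely what cannot be recovered from p.

```python
"""Flag primes that are conspicuous Special Number Field Sieve (SNFS) targets.

Added example, not code from the paper or from Cado-NFS.  A prime p is an easy
SNFS target when p = f(m) for a low-degree polynomial f whose coefficients are
tiny compared with m.  The LibTomCrypt prime p = 2^784 - 2^28 + 1027679 equals
m^7 - (2^28 - 1027679) with m = 2^112, so it is caught here.  Only bases
m = 2^k are tried; a trapdoored prime, whose SNFS polynomial was built in and
then hidden, passes this check unnoticed.
"""
import hashlib


def balanced_digits(p, m, degree):
    """Write p = sum(c_i * m**i for i in 0..degree) with |c_i| <= m/2.

    Returns the list [c_0, ..., c_degree], or None if p needs more digits.
    """
    coeffs = []
    n = p
    for _ in range(degree + 1):
        c = n % m
        if c > m // 2:
            c -= m          # take the negative representative
        coeffs.append(c)
        n = (n - c) // m    # exact division: n - c is a multiple of m
    return coeffs if n == 0 else None


def find_snfs_polynomials(p, degrees=range(2, 9), coeff_bits=32):
    """Search bases m = 2^k for degree-d expansions of p (d in `degrees`)
    whose coefficients are all below 2^coeff_bits in absolute value.

    Returns a list of (degree, k, coeffs) hits, lowest degree first.  For a
    random prime the low digits are about k bits wide, so nothing is found.
    """
    hits = []
    bits = p.bit_length()
    for d in degrees:
        k0 = bits // d                          # m^d is then close to p
        for k in range(max(1, k0 - 1), k0 + 2):
            coeffs = balanced_digits(p, 1 << k, d)
            if coeffs is None or coeffs[-1] == 0:
                continue                        # not an exact degree-d expansion
            if max(abs(c) for c in coeffs) < (1 << coeff_bits):
                hits.append((d, k, coeffs))
    return hits


def describe(hit):
    """Render a hit as a polynomial in x, where x stands for m = 2^k."""
    d, k, coeffs = hit
    parts = []
    for i in range(d, -1, -1):
        c = coeffs[i]
        if c:
            mono = "" if i == 0 else "x" if i == 1 else f"x^{i}"
            mag = abs(c)
            body = mono if (mag == 1 and mono) else f"{mag}{mono}"
            parts.append(("-" if c < 0 else "+", body))
    text = parts[0][1] if parts[0][0] == "+" else "-" + parts[0][1]
    for sign, body in parts[1:]:
        text += f" {sign} {body}"
    return f"f(x) = {text}, m = 2^{k}"


# The LibTomCrypt prime discussed in the text (784 bits).
P_LIBTOMCRYPT = (1 << 784) - (1 << 28) + 1027679

# Constructed stand-in for a random 784-bit prime: deterministic SHA-512 output
# with top and bottom bits set.  Primality is irrelevant to the check itself.
_seed = b"constructed stand-in, not a real DH parameter"
_digest = hashlib.sha512(_seed).digest() + hashlib.sha512(_seed + b"1").digest()
P_STANDIN = (int.from_bytes(_digest, "big") >> 240) | (1 << 783) | 1


if __name__ == "__main__":
    for name, p in (("LibTomCrypt", P_LIBTOMCRYPT), ("stand-in", P_STANDIN)):
        hits = find_snfs_polynomials(p)
        print(f"{name}: {p.bit_length()} bits, {len(hits)} SNFS-friendly expansion(s)")
        for hit in hits:
            print("   ", describe(hit))
```

Several bases report the same structure (for instance degree 2 with m = 2^392, or degree 7 with m = 2^112); a practitioner only needs one hit to reject the parameter. The converse does not hold: an empty result for a parameter of unknown provenance, such as the RFC 5114 groups mentioned above, is not evidence that it is safe.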

In the context of [18], we also put into practice an improvement to the implementation of the block Wiedemann algorithm in Cado-NFS, which reduced the time for the linear algebra step significantly.