Function field sieve

Abstract: This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.

Abstract: Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u ? GF(q) is that integer k, 1 ? k ? q-1, for which u = gk. The well-known problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields GF(2n). It appears that in order to be safe from attacks using these algorithms, the value of n for which GF(2n) is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields GF(2n) are much easier to compute than in fields GF(p) with p prime. Hence the fields GF(2n) ought to be avoided in all cryptographic applications. On the other hand, the fields GF(p) with p prime appear to offer relatively high levels of security.

Abstract: A method for determining logarithms in GF (2^{n}) is presented. Its asymptotic running time is O(\exp (cn^{1/3} \log^{2/3} n)) for a small constant c , while, by comparison, Adleman's scheme runs in time O(\exp (c^{'}n^{1/2} \log^{1/2} n )) . The ideas give a dramatic improvement even for moderate-sized fields such as GF (2^{127}) , and make (barely) possible computations in fields of size around 2^{400} . The method is not applicable to GF (q) for a large prime q .

Abstract: The number field sieve is an algorithm to factor integers of the form re − s for small positive r and |s|. The algorithm depends on arithmetic in an algebraic number field. We describe the algorithm, discuss several aspects of its implementation, and present some of the factorizations obtained. A heuristic run time analysis indicates that the number field sieve is asymptotically substantially faster than any other known factoring method, for the integers that it applies to. The number field sieve can be modified to handle arbitrary integers. This variant is slower, but asymptotically it is still expected to beat all older factoring methods.