Discrete logarithm records

Last updated

Discrete logarithm records are the best results achieved to date in solving the discrete logarithm problem, which is the problem of finding solutions x to the equation given elements g and h of a finite cyclic group G. The difficulty of this problem is the basis for the security of several cryptographic systems, including Diffie–Hellman key agreement, ElGamal encryption, the ElGamal signature scheme, the Digital Signature Algorithm, and the elliptic curve cryptography analogues of these. Common choices for G used in these algorithms include the multiplicative group of integers modulo p, the multiplicative group of a finite field, and the group of points on an elliptic curve over a finite field.

Contents

The current[ needs update ] record for integers modulo prime numbers, set in December 2019, is a discrete logarithm computation modulo a prime with 240 digits. For characteristic 2, the current record for finite fields, set in July 2019, is a discrete logarithm over . When restricted to prime exponents[ clarification needed ], the current record, set in October 2014, is over . For characteristic 3, the current record, set in July 2016, is over . For Kummer extension fields of "moderate"[ clarification needed ] characteristic, the current record, set in January 2013, is over . For fields of "moderate" characteristic (which are not necessarily Kummer extensions), the current record, published in 2022, is over .

Integers modulo p

Previous records for integers modulo p include:

Also of note, in July 2016, Joshua Fried, Pierrick Gaudry, Nadia Heninger, Emmanuel Thome published their discrete logarithm computation on a 1024-bit prime. [7] They generated a prime susceptible to the special number field sieve, using the specialized algorithm on a comparatively small subgroup (160-bits). While this is a small subgroup, it was the standardized subgroup size used with the 1024-bit digital signature algorithm (DSA).

Discrete logarithm records modulo primes
Size of primeType of primeDate announcedAnnounced byAlgorithmHardwareNotes
240-digit (795-bit) safe prime 2 December 2019number field sieveThe prime used was RSA-240 + 49204 (the first safe prime above RSA-240). This computation was performed simultaneously[ how? ] with the factorization of RSA-240, using the Number Field Sieve algorithm and the open-source CADO-NFS software. Improvements in the algorithms and software[ which? ] made this computation about three times faster than would be expected from previous records after accounting for improvements in hardware.
1024-bitJuly 2016
  • Joshua Fried
  • Pierrick Gaudry
  • Nadia Heninger
  • Emmanuel Thome
special number field sieveThe researchers generated a prime susceptible[ why? ] to the special number field sieve[ how? ] using a specialized algorithm[ which? ] on a comparatively small subgroup (160-bits).
232-digit (768-bit)safe prime16 June 2016number field sieveThis computation started in February 2015.
180 digit (596-bit)safe prime11 June 2014
  • Cyril Bouvier
  • Pierrick Gaudry
  • Laurent Imbert
  • Hamza Jeljeli
  • Emmanuel Thomé
number field sieve
160-digit (530-bit)safe prime5 February 2007Thorsten Kleinjungnumber field sievevarious PCs, a parallel computing cluster[ which? ]
130-digit (431-bit) strong prime 18 June 2005number field sieve1.15 GHz 16-processor HP AlphaServer GS1280

Finite fields

The current record (as of July 2019) in a finite field of characteristic 2 was announced by Robert Granger, Thorsten Kleinjung, Arjen Lenstra, Benjamin Wesolowski, and Jens Zumbrägel on 10 July 2019. [8] This team was able to compute discrete logarithms in GF(230750) using 25,481,219 core hours on clusters based on the Intel Xeon architecture. This computation was the first large-scale example using the elimination step of the quasi-polynomial algorithm. [9]

Previous records in a finite field of characteristic 2 were announced by:

The current record (as of 2014) in a finite field of characteristic 2 of prime degree was announced by Thorsten Kleinjung on 17 October 2014. The calculation was done in a field of 21279 elements and followed essentially the path sketched for in [16] with two main exceptions in the linear algebra computation and the descent phase. The total running time was less than four core years. [17] The previous record in a finite field of characteristic 2 of prime degree was announced by the CARAMEL group on April 6, 2013. They used the function field sieve to compute a discrete logarithm in a field of 2809 elements. [18]

The current record (as of July 2016) for a field of characteristic 3 was announced by Gora Adj, Isaac Canales-Martinez, Nareli Cruz-Cortés, Alfred Menezes, Thomaz Oliveira, Francisco Rodriguez-Henriquez, and Luis Rivera-Zamarripa on 18 July 2016. The calculation was done in the 4841-bit finite field with 36·509 elements and was performed on several computers at CINVESTAV and the University of Waterloo. In total, about 200 core years of computing time was expended on the computation. [19]

Previous records in a finite field of characteristic 3 were announced:

Over fields of "moderate"-sized characteristic, notable computations as of 2005 included those a field of 6553725 elements (401 bits) announced on 24 Oct 2005, and in a field of 37080130 elements (556 bits) announced on 9 Nov 2005. [25] The current record (as of 2013) for a Kummer extension finite field of "moderate" characteristic was announced on 6 January 2013. The team used a new variation of the function field sieve for the medium prime case to compute a discrete logarithm in a Kummer extension field of 3334135357 elements (a 1425-bit finite field). [26] [27] The same technique had been used a few weeks earlier to compute a discrete logarithm in a Kummer extension field of 3355377147 elements (an 1175-bit finite field). [27] [28] The current record (as of 2022) for a finite field of "moderate" characteristic (which is not necessarily a Kummer extension) is the computation of discrete logarithm in a field of 211102350 elements (a 1051-bit finite field); [29] previous record [30] of discrete logarithm computations over such fields was over fields having 29707940 elements (a 728-bit finite field) and 6437337 elements (a 592-bit finite field). These computations were done using new ideas to speed up the function field sieve.

On 25 June 2014, Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, and François Morain announced a new computation of a discrete logarithm in a finite field whose order has 160 digits and is a degree 2 extension of a prime field. [31] The algorithm used was the number field sieve (NFS), with various modifications. The total computing time was equivalent to 68 days on one core of CPU (sieving) and 30 hours on a GPU (linear algebra).

Discrete logarithm records over finite fields
Char.Field sizeDate announcedAnnounced byHardwareComputeNotes
223075010 July 2019
  • Robert Granger
  • Thorsten Kleinjung
  • Arjen Lenstra
  • Benjamin Wesolowski
  • Jens Zumbrägel
 Intel Xeon architecture25,481,219 core-hoursThis computation was the first large-scale example using the elimination step of the quasi-polynomial algorithm.[ clarification needed ]
2127917 October 2014Thorsten Kleinjung<4 core-years
2923431 January 2014
  • Robert Granger
  • Thorsten Kleinjung
  • Jens Zumbrägel
~400,000 core-hoursNew features of this computation include a modified method for obtaining the logarithms of degree two elements and a systematically optimized descent strategy.[ clarification needed ]
2616821 May 2013Antoine Joux<550 CPU-hours[ quantify ]
2612011 April 2013
  • Robert Granger
  • Faruk Göloğlu
  • Gary McGuire
  • Jens Zumbrägel
749.5 core-hours
28096 April 2013the CARAMEL group[ who? ]
2408022 March 2013Antoine Joux<14,100 core-hours[ quantify ]
2197119 February 2013
  • Robert Granger
  • Faruk Göloğlu
  • Gary McGuire
  • Jens Zumbrägel
SGI Altix ICE 8200EX cluster

Intel (Westmere) Xeon E5650 hex-core processors

3,132 core-hours
2177811 February 2013Antoine Joux<220 core-hours[ quantify ]
336 · 50918 July 2016
  • Gora Adj
  • Isaac Canales-Martinez
  • Nareli Cruz-Cortés
  • Alfred Menezes
  • Thomaz Oliveira
  • Francisco Rodriguez-Henriquez
  • Luis Rivera-Zamarripa
several computers[ which? ] at CINVESTAV and the University of Waterloo ~200 core-years
35 · 479December 2014
  • Antoine Joux
  • Cécile Pierrot
<8600 CPU-hours[ quantify ]
36 · 16327 January 2014
  • Gora Adj
  • Alfred Menezes
  • Thomaz Oliveira
  • Francisco Rodríguez-Henríquez
1201 CPU-hours
36 · 972012a joint Fujitsu, NICT, and Kyushu University team[ who? ]
36 · 71
"moderate"p225 June 2014
  • Razvan Barbulescu
  • Pierrick Gaudry
  • Aurore Guillevic
  • François Morain
68 CPU-days + 30 GPU-hoursThis field is a degree-2 extension of a prime field, where p is a prime with 80 digits. [31]
33341353576 January 2013
3355377147
370801309 November 2005
655372524 October 2005

Elliptic curves

Certicom Corp. has issued a series of Elliptic Curve Cryptography challenges. Level I involves fields of 109-bit and 131-bit sizes. Level II includes 163, 191, 239, 359-bit sizes. All Level II challenges are currently believed to be computationally infeasible. [32]

The Level I challenges which have been met are: [33]

None of the 131-bit (or larger) challenges have been met as of 2019.

In July 2009, Joppe W. Bos, Marcelo E. Kaihara, Thorsten Kleinjung, Arjen K. Lenstra and Peter L. Montgomery announced that they had carried out a discrete logarithm computation on an elliptic curve (known as secp112r1 [34] ) modulo a 112-bit prime. The computation was done on a cluster of over 200 PlayStation 3 game consoles over about 6 months. They used the common parallelized version of Pollard rho method. [35]

In April 2014, Erich Wenger and Paul Wolfger from Graz University of Technology solved the discrete logarithm of a 113-bit Koblitz curve in extrapolated [note 1] 24 days using an 18-core Virtex-6 FPGA cluster. [36] In January 2015, the same researchers solved the discrete logarithm of an elliptic curve defined over a 113-bit binary field. The average runtime is around 82 days using a 10-core Kintex-7 FPGA cluster. [37]

On 2 December 2016, Daniel J. Bernstein, Susanne Engels, Tanja Lange, Ruben Niederhagen, Christof Paar, Peter Schwabe, and Ralf Zimmermann announced the solution of a generic 117.35-bit elliptic curve discrete logarithm problem on a binary curve, using an optimized FPGA implementation of a parallel version of Pollard's rho method. The attack ran for about six months on 64 to 576 FPGAs in parallel. [38]

On 23 August 2017, Takuya Kusaka, Sho Joichi, Ken Ikuta, Md. Al-Amin Khandaker, Yasuyuki Nogami, Satoshi Uehara, Nariyoshi Yamai, and Sylvain Duquesne announced that they had solved a discrete logarithm problem on a 114-bit "pairing-friendly" Barreto–Naehrig (BN) curve, [39] using the special sextic twist property of the BN curve to efficiently carry out the random walk of Pollard's rho method. The implementation used 2000 CPU cores and took about 6 months to solve the problem. [40]

On 16 June 2020, Aleksander Zieniewicz (zielar) and Jean Luc Pons (JeanLucPons) announced the solution of a 114-bit interval elliptic curve discrete logarithm problem on the secp256k1 curve by solving a 114-bit private key in Bitcoin Puzzle Transactions Challenge. To set a new record, they used their own software [41] based on the Pollard Kangaroo on 256x NVIDIA Tesla V100 GPU processor and it took them 13 days. Two weeks earlier - They used the same number of graphics cards to solve a 109-bit interval ECDLP in just 3 days.

Discrete logarithm records for elliptic curves
Curve nameField sizeDate announcedAnnounced byAlgorithmCompute time
ECC2K-10821082000about 1300 people represented by Robert Harley Pollard rho method
ECCp-109a 109-bit prime2002about 10308 people represented by Chris Monicoparallelized Pollard rho method549 days
ECC2-10921092004about 2600 people represented by Chris Monicoparallelized Pollard rho method17 months
secp112r1a 112-bit primeJuly 2009the common parallelized version of Pollard rho method[ which? ]6 months
2113April 201447 days [36] [note 1]
2113January 201582 days[ verification needed ]
2127

Interval search size 2117.35

2 December 2016parallel version of Pollard's rho method6 months of 64 to 576 FPGAs
23 August 2017
  • Takuya Kusaka
  • Sho Joichi
  • Ken Ikuta
  • Md. Al-Amin Khandaker
  • Yasuyuki Nogami
  • Satoshi Uehara
  • Nariyoshi Yamai
  • Sylvain Duquesne
secp256k12256

Interval search size 2114

16 August 2020
  • Aleksander Zieniewicz
  • Jean Luc Pons
parallel version of Pollard's rho method13 Days on 256xTesla V100

Notes

  1. 1 2 The computation ran for 47 days, but not all of the FPGAs used were active all the time, which meant that it was equivalent to an extrapolated time of 24 days.

Related Research Articles

<span class="mw-page-title-main">Diffie–Hellman key exchange</span> Method of exchanging cryptographic keys

Diffie–Hellman (DH) key exchange is a mathematical method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in Galois fields, such as the RSA cryptosystem and ElGamal cryptosystem.

In mathematics, a finite field or Galois field is a field that contains a finite number of elements. As with any field, a finite field is a set on which the operations of multiplication, addition, subtraction and division are defined and satisfy certain basic rules. The most common examples of finite fields are given by the integers mod p when p is a prime number.

In number theory, integer factorization is the decomposition of a positive integer into a product of integers. Every positive integer greater than 1 is either the product of two or more integer factors greater than 1, in which case it is called a composite number, or it is not, in which case it is called a prime number. For example, 15 is a composite number because 15 = 3 · 5, but 7 is a prime number because it cannot be decomposed in this way. If one of the factors is composite, it can in turn be written as a product of smaller factors, for example 60 = 3 · 20 = 3 · (5 · 4). Continuing this process until every factor is prime is called prime factorization; the result is always unique up to the order of the factors by the prime factorization theorem.

In number theory, the general number field sieve (GNFS) is the most efficient classical algorithm known for factoring integers larger than 10100. Heuristically, its complexity for factoring an integer n (consisting of ⌊log2n⌋ + 1 bits) is of the form

In mathematics, for given real numbers a and b, the logarithm logba is a number x such that bx = a. Analogously, in any group G, powers bk can be defined for all integers k, and the discrete logarithm logba is an integer k such that bk = a. In number theory, the more commonly used term is index: we can write x = indra (mod m) (read "the index of a to the base r modulo m") for rxa (mod m) if r is a primitive root of m and gcd(a,m) = 1.

In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, specifically the theory of polynomial time problems. Not being one-to-one is not considered sufficient for a function to be called one-way.

In mathematics, the RSA numbers are a set of large semiprimes that were part of the RSA Factoring Challenge. The challenge was to find the prime factors of each number. It was created by RSA Laboratories in March 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers. The challenge was ended in 2007.

In mathematics, finite field arithmetic is arithmetic in a finite field contrary to arithmetic in a field with an infinite number of elements, like the field of rational numbers.

In number theory, an n-smooth (or n-friable) number is an integer whose prime factors are all less than or equal to n. For example, a 7-smooth number is a number in which every prime factor is at most 7. Therefore, 49 = 72 and 15750 = 2 × 32 × 53 × 7 are both 7-smooth, while 11 and 702 = 2 × 33 × 13 are not 7-smooth. The term seems to have been coined by Leonard Adleman. Smooth numbers are especially important in cryptography, which relies on factorization of integers. 2-smooth numbers are simply the powers of 2, while 5-smooth numbers are also known as regular numbers.

In computational number theory, the index calculus algorithm is a probabilistic algorithm for computing discrete logarithms. Dedicated to the discrete logarithm in where is a prime, index calculus leads to a family of algorithms adapted to finite fields and to some families of elliptic curves. The algorithm collects relations among the discrete logarithms of small primes, computes them by a linear algebra procedure and finally expresses the desired discrete logarithm with respect to the discrete logarithms of small primes.

In mathematics, a strong prime is a prime number with certain special properties. The definitions of strong primes are different in cryptography and number theory.

Alfred Menezes is co-author of several books on cryptography, including the Handbook of Applied Cryptography, and is a professor of mathematics at the University of Waterloo in Canada.

Pairing-based cryptography is the use of a pairing between elements of two cryptographic groups to a third group with a mapping to construct or analyze cryptographic systems.

Integer factorization is the process of determining which prime numbers divide a given positive integer. Doing this quickly has applications in cryptography. The difficulty depends on both the size and form of the number and its prime factors; it is currently very difficult to factorize large semiprimes.

In mathematics the Function Field Sieve is one of the most efficient algorithms to solve the Discrete Logarithm Problem (DLP) in a finite field. It has heuristic subexponential complexity. Leonard Adleman developed it in 1994 and then elaborated it together with M. D. Huang in 1999. Previous work includes the work of D. Coppersmith about the DLP in fields of characteristic two.

Digital signatures are a means to protect digital information from intentional modification and to authenticate the source of digital information. Public key cryptography provides a rich set of different cryptographic algorithms the create digital signatures. However, the primary public key signatures currently in use will become completely insecure if scientists are ever able to build a moderately sized quantum computer. Post quantum cryptography is a class of cryptographic algorithms designed to be resistant to attack by a quantum cryptography. Several post quantum digital signature algorithms based on hard problems in lattices are being created replace the commonly used RSA and elliptic curve signatures. A subset of these lattice based scheme are based on a problem known as Ring learning with errors. Ring learning with errors based digital signatures are among the post quantum signatures with the smallest public key and signature sizes

In cryptography, a public key exchange algorithm is a cryptographic algorithm which allows two parties to create and share a secret key, which they can use to encrypt messages between themselves. The ring learning with errors key exchange (RLWE-KEX) is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a quantum computer. This is important because some public key algorithms in use today will be easily broken by a quantum computer if such computers are implemented. RLWE-KEX is one of a set of post-quantum cryptographic algorithms which are based on the difficulty of solving certain mathematical problems involving lattices. Unlike older lattice based cryptographic algorithms, the RLWE-KEX is provably reducible to a known hard problem in lattices.

Logjam is a security vulnerability in systems that use Diffie–Hellman key exchange with the same prime number. It was discovered by a team of computer scientists and publicly reported on May 20, 2015. The discoverers were able to demonstrate their attack on 512-bit DH systems. They estimated that a state-level attacker could do so for 1024-bit systems, then widely used, thereby allowing decryption of a significant fraction of Internet traffic. They recommended upgrading to at least 2048 bits for shared prime systems.

BLISS is a digital signature scheme proposed by Léo Ducas, Alain Durmus, Tancrède Lepoint and Vadim Lyubashevsky in their 2013 paper "Lattice Signature and Bimodal Gaussians".

References

  1. Emmanuel Thomé, “795-bit factoring and discrete logarithms,” December 2, 2019.
  2. F. Boudot et al, "Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment," June 10, 2020.
  3. Thorsten Kleinjung, “Discrete logarithms in GF(p) – 768 bits,” June 16, 2016.
  4. Antoine Joux, “Discrete logarithms in GF(p) – 130 digits,” June 18, 2005.[ dead link ]
  5. Thorsten Kleinjung, “Discrete logarithms in GF(p) – 160 digits,” February 5, 2007.
  6. Cyril Bouvier, Pierrick Gaudry, Laurent Imbert, Hamza Jeljeli and Emmanuel Thomé, "Discrete logarithms in GF(p) – 180 digits"
  7. Joshua Fried, Pierrick Gaudry, Nadia Heninger, Emmanuel Thome, “A kilobit hidden snfs discrete logarithm computation”, IACR spring, July 2016
  8. Jens Zumbrägel, "Discrete Logarithms in GF(2^30750)", 10 July 2019, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;62ab27f0.1907.
  9. R. Granger, T. Kleinjung, J. Zumbragel. On the discrete logarithm problem in finite fields of fixed characteristic [ permanent dead link ]. Trans. Amer. Math. Soc. 370, no. 5 (2018), pp. 3129-3145.
  10. Jens Zumbrägel, "Discrete Logarithms in GF(2^9234)", 31 January 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;9aa2b043.1401.
  11. Antoine Joux, "Discrete logarithms in GF(26168) [=GF((2257)24)]", May 21, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1305&L=NMBRTHRY&F=&S=&P=3034.
  12. Antoine Joux. A new index calculus algorithm with complexity $L(1/4+o(1))$ in very small characteristic, 2013, http://eprint.iacr.org/2013/095
  13. Antoine Joux, "Discrete logarithms in GF(24080)", Mar 22, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1303&L=NMBRTHRY&F=&S=&P=13682.
  14. Faruk Gologlu et al., On the Function Field Sieve and the Impact of Higher Splitting Probabilities: Application to Discrete Logarithms in , 2013, http://eprint.iacr.org/2013/074.
  15. Antoine Joux, "Discrete logarithms in GF(21778)", Feb. 11, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1302&L=NMBRTHRY&F=&S=&P=2317.
  16. Granger, Robert, Thorsten Kleinjung, and Jens Zumbrägel. “Breaking `128-Bit Secure’ Supersingular Binary Curves (or How to Solve Discrete Logarithms in and ).” arXiv:1402.3668 [cs, Math], February 15, 2014. https://arxiv.org/abs/1402.3668.
  17. Thorsten Kleinjung, 2014 October 17, "Discrete Logarithms in GF(2^1279)", https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;256db68e.1410.
  18. The CARAMEL group: Razvan Barbulescu and Cyril Bouvier and Jérémie Detrey and Pierrick Gaudry and Hamza Jeljeli and Emmanuel Thomé and Marion Videau and Paul Zimmermann, “Discrete logarithm in GF(2809) with FFS”, April 6, 2013, http://eprint.iacr.org/2013/197.
  19. Francisco Rodriguez-Henriquez, 18 July 2016, "Discrete Logarithms in GF(3^{6*509})", https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;65bedfc8.1607.
  20. Joux, Antoine; Pierrot, Cécile. "Improving the Polynomial time Precomputation of Frobenius Representation Discrete Logarithm Algorithms" (PDF). Archived from the original (PDF) on 11 December 2014. Retrieved 11 December 2014.
  21. Francisco Rodríguez-Henríquez, “Announcement,” 27 January 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;763a9e76.1401.
  22. Gora Adj and Alfred Menezes and Thomaz Oliveira and Francisco Rodríguez-Henríquez, "Computing Discrete Logarithms in F_{3^{6*137}} and F_{3^{6*163}} using Magma", 26 Feb 2014, http://eprint.iacr.org/2014/057.
  23. Kyushu University, NICT and Fujitsu Laboratories Achieve World Record Cryptanalysis of Next-Generation Cryptography, 2012, http://www.nict.go.jp/en/press/2012/06/PDF-att/20120618en.pdf.
  24. Takuya Hayashi et al., Solving a 676-bit Discrete Logarithm Problem in GF(36n), 2010, http://eprint.iacr.org/2010/090.
  25. A. Durand, “New records in computations over large numbers,” The Security Newsletter, January 2005, http://eric-diehl.com/letter/Newsletter1_Final.pdf Archived 2011-07-10 at the Wayback Machine .
  26. Antoine Joux, “Discrete Logarithms in a 1425-bit Finite Field,” January 6, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1301&L=NMBRTHRY&F=&S=&P=2214.
  27. 1 2 Faster index calculus for the medium prime case. Application to 1175-bit and 1425-bit finite fields, Eprint Archive, http://eprint.iacr.org/2012/720
  28. Antoine Joux, “Discrete Logarithms in a 1175-bit Finite Field,” December 24, 2012, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1212&L=NMBRTHRY&F=&S=&P=13902.[ dead link ]
  29. Mukhopadhyay, Madhurima; Sarkar, Palash; Singh, Shashank; Thomé, Emmanuel (2022). "New discrete logarithm computation for the medium prime case using the function field sieve". Advances in Mathematics of Communications. 16 (3): 449. doi:10.3934/amc.2020119.
  30. Sarkar, Palash; Singh, Shashank (2016). "Fine Tuning the Function Field Sieve Algorithm for the Medium Prime Case". IEEE Transactions on Information Theory. 62 (4): 2233–2253. doi:10.1109/TIT.2016.2528996.
  31. 1 2 Razvan Barbulescu, “Discrete logarithms in GF(p^2) --- 160 digits,” June 24, 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;2ddabd4c.1406.
  32. Certicom Corp., “The Certicom ECC Challenge,” https://www.certicom.com/content/certicom/en/the-certicom-ecc-challenge.html
  33. Certicom Research, Certicom ECC Challenge (Certicom Research, November 10, 2009), "Archived copy" (PDF). Archived from the original (PDF) on 22 October 2015. Retrieved 30 December 2010.{{cite web}}: CS1 maint: archived copy as title (link) .
  34. Certicom Research, "SEC 2: Recommended Elliptic Curve Domain Parameters" https://www.secg.org/SEC2-Ver-1.0.pdf
  35. Joppe W. Bos and Marcelo E. Kaihara, “PlayStation 3 computing breaks 2^60 barrier: 112-bit prime ECDLP solved,” EPFL Laboratory for cryptologic algorithms - LACAL, http://lacal.epfl.ch/112bit_prime
  36. 1 2 Erich Wenger and Paul Wolfger, “Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster” http://eprint.iacr.org/2014/368
  37. Erich Wenger and Paul Wolfger, “Harder, Better, Faster, Stronger - Elliptic Curve Discrete Logarithm Computations on FPGAs” http://eprint.iacr.org/2015/143/
  38. Ruben Niederhagen, “117.35-Bit ECDLP on Binary Curve,” https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;628a3b51.1612
  39. "114-bit ECDLP on a BN curve has been solved". isec.ec.okayama-u.ac.jp. 23 August 2017. Archived from the original on 27 May 2018. Retrieved 3 May 2018.
  40. Kusaka, Takuya; Joichi, Sho; Ikuta, Ken; Khandaker, Md. Al-Amin; Nogami, Yasuyuki; Uehara, Satoshi; Yamai, Nariyoshi; Duquesne, Sylvain (2018). "Solving 114-Bit ECDLP for a Barreto–Naehrig Curve" (PDF). Information Security and Cryptology – ICISC 2017. Lecture Notes in Computer Science. Vol. 10779. Springer. pp. 231–244. doi:10.1007/978-3-319-78556-1_13. ISBN   978-3-319-78555-4.
  41. Pons, Jean-Luc; Zieniewicz, Aleksander (17 January 2022). "Pollard's kangaroo for SECPK1". GitHub .
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.