Discrete logarithm records

Discrete logarithm records are the best results achieved to date in solving the discrete logarithm problem, which is the problem of finding solutions x to the equation ${\displaystyle g^{x}=h}$ given elements g and h of a finite cyclic group G. The difficulty of this problem is the basis for the security of several cryptographic systems, including Diffie–Hellman key agreement, ElGamal encryption, the ElGamal signature scheme, the Digital Signature Algorithm, and the elliptic curve cryptography analogues of these. Common choices for G used in these algorithms include the multiplicative group of integers modulo p, the multiplicative group of a finite field, and the group of points on an elliptic curve over a finite field.^{[ citation needed ]}

The current^{[ needs update ]} record for integers modulo prime numbers, set in December 2019, is a discrete logarithm computation modulo a prime with 240 digits. For characteristic 2, the current record for finite fields, set in July 2019, is a discrete logarithm over ${\displaystyle \mathrm {GF} (2^{30750})}$. When restricted to prime exponents^{[ clarification needed ]}, the current record, set in October 2014, is over ${\displaystyle \mathrm {GF} (2^{1279})}$. For characteristic 3, the current record, set in July 2016, is over ${\displaystyle \mathrm {GF} (3^{6*509})}$. For Kummer extension fields of "moderate"^{[ clarification needed ]} characteristic, the current record, set in January 2013, is over ${\displaystyle \mathrm {GF} (33341353^{57})}$. For fields of "moderate" characteristic (which are not necessarily Kummer extensions), the current record, published in 2022, is over ${\displaystyle \mathrm {GF} (2111023^{50})}$.^{[ citation needed ]}

Integers modulo p

• On 2 Dec 2019, Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann announced the computation of a discrete logarithm modulo the 240-digit (795 bit) prime RSA-240 + 49204 (the first safe prime above RSA-240). This computation was performed simultaneously with the factorization of RSA-240, using the Number Field Sieve algorithm and the open-source CADO-NFS software. The discrete logarithm part of the computation took approximately 3100 core-years, using Intel Xeon Gold 6130 CPUs as a reference (2.1 GHz). The researchers estimate that improvements in the algorithms and software made this computation three times faster than would be expected from previous records after accounting for improvements in hardware. ^{[1] [2]}

Previous records for integers modulo p include:

• On 16 June 2016, Thorsten Kleinjung, Claus Diem, Arjen K. Lenstra, Christine Priplata, and Colin Stahlke announced the computation of a discrete logarithm modulo a 232-digit (768-bit) safe prime, using the number field sieve. The computation was started in February 2015 and took approximately 6600 core years scaled to an Intel Xeon E5-2660 at 2.2 GHz. ^[3]
• On 18 June 2005, Antoine Joux and Reynald Lercier announced the computation of a discrete logarithm modulo a 130-digit (431-bit) strong prime in three weeks, using a 1.15 GHz 16-processor HP AlphaServer GS1280 computer and a number field sieve algorithm. ^[4]
• On 5 February 2007 this was superseded by the announcement by Thorsten Kleinjung of the computation of a discrete logarithm modulo a 160-digit (530-bit) safe prime, again using the number field sieve. Most of the computation was done using idle time on various PCs and on a parallel computing cluster. ^[5]
• On 11 June 2014, Cyril Bouvier, Pierrick Gaudry, Laurent Imbert, Hamza Jeljeli and Emmanuel Thomé announced the computation of a discrete logarithm modulo a 180 digit (596-bit) safe prime using the number field sieve algorithm. ^[6]

Also of note, in July 2016, Joshua Fried, Pierrick Gaudry, Nadia Heninger, Emmanuel Thome published their discrete logarithm computation on a 1024-bit prime. ^[7] They generated a prime susceptible to the special number field sieve, using the specialized algorithm on a comparatively small subgroup (160-bits). While this is a small subgroup, it was the standardized subgroup size used with the 1024-bit digital signature algorithm (DSA).

Discrete logarithm records modulo primes

Size of prime	Type of prime	Date announced	Announced by	Algorithm	Hardware	Notes
240-digit (795-bit)	safe prime	2 December 2019	Fabrice Boudot Pierrick Gaudry Aurore Guillevic Nadia Heninger Emmanuel Thomé Paul Zimmermann	number field sieve		The prime used was RSA-240 + 49204 (the first safe prime above RSA-240). This computation was performed simultaneously[ how? ] with the factorization of RSA-240, using the Number Field Sieve algorithm and the open-source CADO-NFS software. Improvements in the algorithms and software[ which? ] made this computation about three times faster than would be expected from previous records after accounting for improvements in hardware.
1024-bit		July 2016	Joshua Fried Pierrick Gaudry Nadia Heninger Emmanuel Thome	special number field sieve		The researchers generated a prime susceptible[ why? ] to the special number field sieve[ how? ] using a specialized algorithm[ which? ] on a comparatively small subgroup (160-bits).
232-digit (768-bit)	safe prime	16 June 2016	Thorsten Kleinjung Claus Diem Arjen K. Lenstra Christine Priplata Colin Stahlke	number field sieve		This computation started in February 2015.
180 digit (596-bit)	safe prime	11 June 2014	Cyril Bouvier Pierrick Gaudry Laurent Imbert Hamza Jeljeli Emmanuel Thomé	number field sieve
160-digit (530-bit)	safe prime	5 February 2007	Thorsten Kleinjung	number field sieve	various PCs, a parallel computing cluster[ which? ]
130-digit (431-bit)	strong prime	18 June 2005	Antoine Joux Reynald Lercier	number field sieve	1.15 GHz 16-processor HP AlphaServer GS1280

Finite fields

The current record (as of July 2019 ^[update] ) in a finite field of characteristic 2 was announced by Robert Granger, Thorsten Kleinjung, Arjen Lenstra, Benjamin Wesolowski, and Jens Zumbrägel on 10 July 2019. ^[8] This team was able to compute discrete logarithms in GF(2³⁰⁷⁵⁰) using 25,481,219 core hours on clusters based on the Intel Xeon architecture. This computation was the first large-scale example using the elimination step of the quasi-polynomial algorithm. ^[9]

Previous records in a finite field of characteristic 2 were announced by:

• Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel on 31 January 2014. This team was able to compute discrete logarithms in GF(2⁹²³⁴) using about 400,000 core hours. New features of this computation include a modified method for obtaining the logarithms of degree two elements and a systematically optimized descent strategy. ^[10]
• Antoine Joux on 21 May 2013. His team was able to compute discrete logarithms in the field with 2⁶¹⁶⁸ = (2²⁵⁷)²⁴ elements using less than 550 CPU-hours. This computation was performed using the same index calculus algorithm as in the recent computation in the field with 2⁴⁰⁸⁰ elements. ^[11]
• Robert Granger, Faruk Göloğlu, Gary McGuire, and Jens Zumbrägel on 11 Apr 2013. The new computation concerned the field with 2⁶¹²⁰ elements and took 749.5 core-hours.
• Antoine Joux on Mar 22nd, 2013. This used the same algorithm ^[12] for small characteristic fields as the previous computation in the field with 2¹⁷⁷⁸ elements. The new computation concerned the field with 2⁴⁰⁸⁰ elements, represented as a degree 255 extension of the field with 2¹⁶ elements. The computation took less than 14100 core hours. ^[13]
• Robert Granger, Faruk Göloğlu, Gary McGuire, and Jens Zumbrägel on 19 Feb 2013. They used a new variant of the medium-sized base field function field sieve, for binary fields, to compute a discrete logarithm in a field of 2¹⁹⁷¹ elements. In order to use a medium-sized base field, they represented the field as a degree 73 extension of the field of 2²⁷ elements. The computation took 3132 core hours on an SGI Altix ICE 8200EX cluster using Intel (Westmere) Xeon E5650 hex-core processors. ^[14]
• Antoine Joux on 11 Feb 2013. This used a new algorithm for small characteristic fields. The computation concerned a field of 2¹⁷⁷⁸ elements, represented as a degree 127 extension of the field with 2¹⁴ elements. The computation took less than 220 core hours. ^[15]

The current record (as of 2014 ^[update] ) in a finite field of characteristic 2 of prime degree was announced by Thorsten Kleinjung on 17 October 2014. The calculation was done in a field of 2¹²⁷⁹ elements and followed essentially the path sketched for ${\displaystyle \mathrm {GF} (2^{4\cdot 1223})}$ in ^[16] with two main exceptions in the linear algebra computation and the descent phase. The total running time was less than four core years. ^[17] The previous record in a finite field of characteristic 2 of prime degree was announced by the CARAMEL group on April 6, 2013. They used the function field sieve to compute a discrete logarithm in a field of 2⁸⁰⁹ elements. ^[18]

The current record (as of July 2016 ^[update] ) for a field of characteristic 3 was announced by Gora Adj, Isaac Canales-Martinez, Nareli Cruz-Cortés, Alfred Menezes, Thomaz Oliveira, Francisco Rodriguez-Henriquez, and Luis Rivera-Zamarripa on 18 July 2016. The calculation was done in the 4841-bit finite field with 3^6 · 509 elements and was performed on several computers at CINVESTAV and the University of Waterloo. In total, about 200 core years of computing time was expended on the computation. ^[19]

Previous records in a finite field of characteristic 3 were announced:

• in the full version of the Asiacrypt 2014 paper of Joux and Pierrot (December 2014). ^[20] The DLP is solved in the field GF(3^5 · 479), which is a 3796-bit field. This work did not exploit any "special" aspects of the field such as Kummer or twisted-Kummer properties. The total computation took less than 8600 CPU-hours.
• by Gora Adj, Alfred Menezes, Thomaz Oliveira, and Francisco Rodríguez-Henríquez on 26 February 2014, updating a previous announcement on 27 January 2014. The computation solve DLP in the 1551-bit field GF(3^6 · 163), taking 1201 CPU hours. ^{[21] [22]}
• in 2012 by a joint Fujitsu, NICT, and Kyushu University team, that computed a discrete logarithm in the field of 3^6 · 97 elements and a size of 923 bits, ^[23] using a variation on the function field sieve and beating the previous record in a field of 3^6 · 71 elements and size of 676 bits by a wide margin. ^[24]

Over fields of "moderate"-sized characteristic, notable computations as of 2005 included those a field of 65537²⁵ elements (401 bits) announced on 24 Oct 2005, and in a field of 370801³⁰ elements (556 bits) announced on 9 Nov 2005. ^[25] The current record (as of 2013) for a Kummer extension finite field of "moderate" characteristic was announced on 6 January 2013. The team used a new variation of the function field sieve for the medium prime case to compute a discrete logarithm in a Kummer extension field of 33341353⁵⁷ elements (a 1425-bit finite field). ^{[26] [27]} The same technique had been used a few weeks earlier to compute a discrete logarithm in a Kummer extension field of 33553771⁴⁷ elements (an 1175-bit finite field). ^{[27] [28]} The current record (as of 2022) for a finite field of "moderate" characteristic (which is not necessarily a Kummer extension) is the computation of discrete logarithm in a field of 2111023⁵⁰ elements (a 1051-bit finite field); ^[29] previous record ^[30] of discrete logarithm computations over such fields was over fields having 297079⁴⁰ elements (a 728-bit finite field) and 64373³⁷ elements (a 592-bit finite field). These computations were done using new ideas to speed up the function field sieve.

On 25 June 2014, Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, and François Morain announced a new computation of a discrete logarithm in a finite field whose order has 160 digits and is a degree 2 extension of a prime field. ^[31] The algorithm used was the number field sieve (NFS), with various modifications. The total computing time was equivalent to 68 days on one core of CPU (sieving) and 30 hours on a GPU (linear algebra).

Discrete logarithm records over finite fields

Char.	Field size	Date announced	Announced by	Hardware	Compute	Notes
2	230750	10 July 2019	Robert Granger Thorsten Kleinjung Arjen Lenstra Benjamin Wesolowski Jens Zumbrägel	Intel Xeon architecture	25,481,219 core-hours	This computation was the first large-scale example using the elimination step of the quasi-polynomial algorithm.[ clarification needed ]
	21279	17 October 2014	Thorsten Kleinjung		<4 core-years
	29234	31 January 2014	Robert Granger Thorsten Kleinjung Jens Zumbrägel		~400,000 core-hours	New features of this computation include a modified method for obtaining the logarithms of degree two elements and a systematically optimized descent strategy.[ clarification needed ]
	26168	21 May 2013	Antoine Joux		<550 CPU-hours[ quantify ]
	26120	11 April 2013	Robert Granger Faruk Göloğlu Gary McGuire Jens Zumbrägel		749.5 core-hours
	2809	6 April 2013	the CARAMEL group[ who? ]
	24080	22 March 2013	Antoine Joux		<14,100 core-hours[ quantify ]
	21971	19 February 2013	Robert Granger Faruk Göloğlu Gary McGuire Jens Zumbrägel	SGI Altix ICE 8200EX cluster Intel (Westmere) Xeon E5650 hex-core processors	3,132 core-hours
	21778	11 February 2013	Antoine Joux		<220 core-hours[ quantify ]
3	36 · 509	18 July 2016	Gora Adj Isaac Canales-Martinez Nareli Cruz-Cortés Alfred Menezes Thomaz Oliveira Francisco Rodriguez-Henriquez Luis Rivera-Zamarripa	several computers[ which? ] at CINVESTAV and the University of Waterloo	~200 core-years
	35 · 479	December 2014	Antoine Joux Cécile Pierrot		<8600 CPU-hours[ quantify ]
	36 · 163	27 January 2014	Gora Adj Alfred Menezes Thomaz Oliveira Francisco Rodríguez-Henríquez		1201 CPU-hours
	36 · 97	2012	a joint Fujitsu, NICT, and Kyushu University team[ who? ]
	36 · 71
"moderate"	p2	25 June 2014	Razvan Barbulescu Pierrick Gaudry Aurore Guillevic François Morain		68 CPU-days + 30 GPU-hours	This field is a degree-2 extension of a prime field, where p is a prime with 80 digits. [31]
	3334135357	6 January 2013
	3355377147
	37080130	9 November 2005
	6553725	24 October 2005

Elliptic curves

Certicom Corp. has issued a series of Elliptic Curve Cryptography challenges. Level I involves fields of 109-bit and 131-bit sizes. Level II includes 163, 191, 239, 359-bit sizes. All Level II challenges are currently believed to be computationally infeasible. ^[32]

The Level I challenges which have been met are: ^[33]

• ECC2K-108, involving taking a discrete logarithm on a Koblitz curve over a field of 2¹⁰⁸ elements. The prize was awarded on 4 April 2000 to a group of about 1300 people represented by Robert Harley. They used a parallelized Pollard rho method with speedup.
• ECC2-109, involving taking a discrete logarithm on a curve over a field of 2¹⁰⁹ elements. The prize was awarded on 8 April 2004 to a group of about 2600 people represented by Chris Monico. They also used a version of a parallelized Pollard rho method, taking 17 months of calendar time.
• ECCp-109, involving taking a discrete logarithm on a curve modulo a 109-bit prime. The prize was awarded on 15 Apr 2002 to a group of about 10308 people represented by Chris Monico. Once again, they used a version of a parallelized Pollard rho method, taking 549 days of calendar time.

None of the 131-bit (or larger) challenges have been met as of 2019 ^[update] .

In July 2009, Joppe W. Bos, Marcelo E. Kaihara, Thorsten Kleinjung, Arjen K. Lenstra and Peter L. Montgomery announced that they had carried out a discrete logarithm computation on an elliptic curve (known as secp112r1 ^[34] ) modulo a 112-bit prime. The computation was done on a cluster of over 200 PlayStation 3 game consoles over about 6 months. They used the common parallelized version of Pollard rho method. ^[35]

In April 2014, Erich Wenger and Paul Wolfger from Graz University of Technology solved the discrete logarithm of a 113-bit Koblitz curve in extrapolated ^{[note 1]} 24 days using an 18-core Virtex-6 FPGA cluster. ^[36] In January 2015, the same researchers solved the discrete logarithm of an elliptic curve defined over a 113-bit binary field. The average runtime is around 82 days using a 10-core Kintex-7 FPGA cluster. ^[37]

On 2 December 2016, Daniel J. Bernstein, Susanne Engels, Tanja Lange, Ruben Niederhagen, Christof Paar, Peter Schwabe, and Ralf Zimmermann announced the solution of a generic 117.35-bit elliptic curve discrete logarithm problem on a binary curve, using an optimized FPGA implementation of a parallel version of Pollard's rho method. The attack ran for about six months on 64 to 576 FPGAs in parallel. ^[38]

On 23 August 2017, Takuya Kusaka, Sho Joichi, Ken Ikuta, Md. Al-Amin Khandaker, Yasuyuki Nogami, Satoshi Uehara, Nariyoshi Yamai, and Sylvain Duquesne announced that they had solved a discrete logarithm problem on a 114-bit "pairing-friendly" Barreto–Naehrig (BN) curve, ^[39] using the special sextic twist property of the BN curve to efficiently carry out the random walk of Pollard's rho method. The implementation used 2000 CPU cores and took about 6 months to solve the problem. ^[40]

On 16 June 2020, Aleksander Zieniewicz (zielar) and Jean Luc Pons (JeanLucPons) announced the solution of a 114-bit interval elliptic curve discrete logarithm problem on the secp256k1 curve by solving a 114-bit private key in Bitcoin Puzzle Transactions Challenge. To set a new record, they used their own software ^[41] based on the Pollard Kangaroo on 256x NVIDIA Tesla V100 GPU processor and it took them 13 days. Two weeks earlier - They used the same number of graphics cards to solve a 109-bit interval ECDLP in just 3 days.

Discrete logarithm records for elliptic curves

Curve name	Field size	Date announced	Announced by	Algorithm	Compute time
ECC2K-108	2108	2000	about 1300 people represented by Robert Harley	Pollard rho method
ECCp-109	a 109-bit prime	2002	about 10308 people represented by Chris Monico	parallelized Pollard rho method	549 days
ECC2-109	2109	2004	about 2600 people represented by Chris Monico	parallelized Pollard rho method	17 months
secp112r1	a 112-bit prime	July 2009	Joppe W. Bos Marcelo E. Kaihara Thorsten Kleinjung Arjen K. Lenstra Peter L. Montgomery	the common parallelized version of Pollard rho method[ which? ]	6 months
	2113	April 2014	Erich Wenger Paul Wolfger		47 days [36] [note 1]
	2113	January 2015	Erich Wenger Paul Wolfger		82 days[ verification needed ]
	2127 Interval search size 2117.35	2 December 2016	Daniel J. Bernstein Susanne Engels Tanja Lange Ruben Niederhagen Christof Paar Peter Schwabe Ralf Zimmermann	parallel version of Pollard's rho method	6 months of 64 to 576 FPGAs
Barreto–Naehrig Pairing friendly curve	2114	23 August 2017	Takuya Kusaka Sho Joichi Ken Ikuta Md. Al-Amin Khandaker Yasuyuki Nogami Satoshi Uehara Nariyoshi Yamai Sylvain Duquesne	parallel version of Pollard's rho method on twisted BN curve	6 months using 2000 CPU
secp256k1	2256 Interval search size 2114	16 August 2020	Aleksander Zieniewicz Jean Luc Pons	parallel version of Pollard's rho method	13 Days on 256xTesla V100

Notes

1. The computation ran for 47 days, but not all of the FPGAs used were active all the time, which meant that it was equivalent to an extrapolated time of 24 days.

References

1. Emmanuel Thomé, “795-bit factoring and discrete logarithms,” December 2, 2019.
2. F. Boudot et al, "Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment," June 10, 2020.
3. Thorsten Kleinjung, “Discrete logarithms in GF(p) – 768 bits,” June 16, 2016.
4. Antoine Joux, “Discrete logarithms in GF(p) – 130 digits,” June 18, 2005.^{[ dead link ‍]}
5. Thorsten Kleinjung, “Discrete logarithms in GF(p) – 160 digits,” February 5, 2007.
6. Cyril Bouvier, Pierrick Gaudry, Laurent Imbert, Hamza Jeljeli and Emmanuel Thomé, "Discrete logarithms in GF(p) – 180 digits"
7. Joshua Fried, Pierrick Gaudry, Nadia Heninger, Emmanuel Thome, “A kilobit hidden snfs discrete logarithm computation”, IACR spring, July 2016
8. Jens Zumbrägel, "Discrete Logarithms in GF(2^30750)", 10 July 2019, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;62ab27f0.1907.
9. R. Granger, T. Kleinjung, J. Zumbragel. On the discrete logarithm problem in finite fields of fixed characteristic. Trans. Amer. Math. Soc. 370, no. 5 (2018), pp. 3129-3145.
10. Jens Zumbrägel, "Discrete Logarithms in GF(2^9234)", 31 January 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;9aa2b043.1401.
11. Antoine Joux, "Discrete logarithms in GF(2⁶¹⁶⁸) [=GF((2²⁵⁷)²⁴)]", May 21, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1305&L=NMBRTHRY&F=&S=&P=3034.
12. Antoine Joux. A new index calculus algorithm with complexity $L(1/4+o(1))$ in very small characteristic, 2013, http://eprint.iacr.org/2013/095
13. Antoine Joux, "Discrete logarithms in GF(2⁴⁰⁸⁰)", Mar 22, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1303&L=NMBRTHRY&F=&S=&P=13682.
14. Faruk Gologlu et al., On the Function Field Sieve and the Impact of Higher Splitting Probabilities: Application to Discrete Logarithms in ${\displaystyle \mathbb {F} _{2^{1971}}}$, 2013, http://eprint.iacr.org/2013/074.
15. Antoine Joux, "Discrete logarithms in GF(2¹⁷⁷⁸)", Feb. 11, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1302&L=NMBRTHRY&F=&S=&P=2317.
16. Granger, Robert, Thorsten Kleinjung, and Jens Zumbrägel. “Breaking `128-Bit Secure’ Supersingular Binary Curves (or How to Solve Discrete Logarithms in ${\displaystyle {\mathbb {F} }_{2^{4\cdot 1223}}}$ and ${\displaystyle {\mathbb {F} }_{2^{12\cdot 367}}}$).” arXiv:1402.3668 [cs, Math], February 15, 2014. https://arxiv.org/abs/1402.3668.
17. Thorsten Kleinjung, 2014 October 17, "Discrete Logarithms in GF(2^1279)", https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;256db68e.1410.
18. The CARAMEL group: Razvan Barbulescu and Cyril Bouvier and Jérémie Detrey and Pierrick Gaudry and Hamza Jeljeli and Emmanuel Thomé and Marion Videau and Paul Zimmermann, “Discrete logarithm in GF(2⁸⁰⁹) with FFS”, April 6, 2013, http://eprint.iacr.org/2013/197.
19. Francisco Rodriguez-Henriquez, 18 July 2016, "Discrete Logarithms in GF(3^{6*509})", https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;65bedfc8.1607.
20. Joux, Antoine; Pierrot, Cécile. "Improving the Polynomial time Precomputation of Frobenius Representation Discrete Logarithm Algorithms" (PDF). Archived from the original (PDF) on 11 December 2014. Retrieved 11 December 2014.
21. Francisco Rodríguez-Henríquez, “Announcement,” 27 January 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;763a9e76.1401.
22. Gora Adj and Alfred Menezes and Thomaz Oliveira and Francisco Rodríguez-Henríquez, "Computing Discrete Logarithms in F_{3^{6*137}} and F_{3^{6*163}} using Magma", 26 Feb 2014, http://eprint.iacr.org/2014/057.
23. Kyushu University, NICT and Fujitsu Laboratories Achieve World Record Cryptanalysis of Next-Generation Cryptography, 2012, http://www.nict.go.jp/en/press/2012/06/PDF-att/20120618en.pdf.
24. Takuya Hayashi et al., Solving a 676-bit Discrete Logarithm Problem in GF(3⁶ⁿ), 2010, http://eprint.iacr.org/2010/090.
25. A. Durand, “New records in computations over large numbers,” The Security Newsletter, January 2005, http://eric-diehl.com/letter/Newsletter1_Final.pdf Archived 2011-07-10 at the Wayback Machine .
26. Antoine Joux, “Discrete Logarithms in a 1425-bit Finite Field,” January 6, 2013, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1301&L=NMBRTHRY&F=&S=&P=2214.
27. Faster index calculus for the medium prime case. Application to 1175-bit and 1425-bit finite fields, Eprint Archive, http://eprint.iacr.org/2012/720
28. Antoine Joux, “Discrete Logarithms in a 1175-bit Finite Field,” December 24, 2012, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind1212&L=NMBRTHRY&F=&S=&P=13902.^{[ dead link ‍]}
29. Mukhopadhyay, Madhurima; Sarkar, Palash; Singh, Shashank; Thomé, Emmanuel (2022). "New discrete logarithm computation for the medium prime case using the function field sieve". Advances in Mathematics of Communications. 16 (3): 449. doi: 10.3934/amc.2020119 .
30. Sarkar, Palash; Singh, Shashank (2016). "Fine Tuning the Function Field Sieve Algorithm for the Medium Prime Case". IEEE Transactions on Information Theory. 62 (4): 2233–2253. doi:10.1109/TIT.2016.2528996.
31. Razvan Barbulescu, “Discrete logarithms in GF(p^2) --- 160 digits,” June 24, 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;2ddabd4c.1406.
32. Certicom Corp., “The Certicom ECC Challenge,” https://www.certicom.com/content/certicom/en/the-certicom-ecc-challenge.html
33. Certicom Research, Certicom ECC Challenge (Certicom Research, November 10, 2009), "Archived copy" (PDF). Archived from the original (PDF) on 22 October 2015. Retrieved 30 December 2010. .
34. Certicom Research, "SEC 2: Recommended Elliptic Curve Domain Parameters" https://www.secg.org/SEC2-Ver-1.0.pdf
35. Joppe W. Bos and Marcelo E. Kaihara, “PlayStation 3 computing breaks 2^60 barrier: 112-bit prime ECDLP solved,” EPFL Laboratory for cryptologic algorithms - LACAL, http://lacal.epfl.ch/112bit_prime
36. Erich Wenger and Paul Wolfger, “Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster” http://eprint.iacr.org/2014/368
37. Erich Wenger and Paul Wolfger, “Harder, Better, Faster, Stronger - Elliptic Curve Discrete Logarithm Computations on FPGAs” http://eprint.iacr.org/2015/143/
38. Ruben Niederhagen, “117.35-Bit ECDLP on Binary Curve,” https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;628a3b51.1612
39. "114-bit ECDLP on a BN curve has been solved". isec.ec.okayama-u.ac.jp. 23 August 2017. Archived from the original on 27 May 2018. Retrieved 3 May 2018.
40. Kusaka, Takuya; Joichi, Sho; Ikuta, Ken; Khandaker, Md. Al-Amin; Nogami, Yasuyuki; Uehara, Satoshi; Yamai, Nariyoshi; Duquesne, Sylvain (2018). "Solving 114-Bit ECDLP for a Barreto–Naehrig Curve" (PDF). Information Security and Cryptology – ICISC 2017. Lecture Notes in Computer Science. Vol. 10779. Springer. pp. 231–244. doi:10.1007/978-3-319-78556-1_13. ISBN   978-3-319-78555-4.
41. Pons, Jean-Luc; Zieniewicz, Aleksander (17 January 2022). "Pollard's kangaroo for SECPK1". GitHub .

External links

• Computations of discrete logarithms sorted by date