Wikipedia:Reference desk/Archives/Mathematics/2024 November 29
Mathematics desk | ||
---|---|---|
< November 28 | << Oct | November | Dec >> | November 30 > |
Welcome to the Wikipedia Mathematics Reference Desk Archives |
---|
The page you are currently viewing is a transcluded archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages. |
November 29
[edit]In finite fields of large characteristics, what does prevent shrinking the modulus field size down to their larger order in order to solve discrete logarithms ?
[edit]In the recent years, several algorithms were proposed to leverage elliptic curves for lowering the degree of a finite field and thus allow to solve discrete logairthm modulo their largest suborder/subgroup instead of the original far larger finite field. https://arxiv.org/pdf/2206.10327 in part conduct a survey about those methods. Espescially since I don’t see why a large chararcteristics would be prone to fall in the trap being listed by the paper.
I do get the whole small characteristics alogrithms complexity makes those papers unsuitable for computing discrete logarithms in finite fields of large charateristics, but what does prevent applying the descent/degree shrinking part to large characteristics ? 2A01:E0A:401:A7C0:68A8:D520:8456:B895 (talk) 11:00, 29 November 2024 (UTC)
- Try web search for Lim-Lee small subgroup attack. 2601:644:8581:75B0:0:0:0:C426 (talk) 23:09, 1 December 2024 (UTC)
- First the paper apply when no other information is known beside the 2 finite field’s elements and then this is different from https://arxiv.org/pdf/2206.10327. While Pollard rho can remain more efficient, if the subgroup is too large, then it’s still not enough fast. I’m talking about shrinking modulus size directly. 2A01:E0A:401:A7C0:69D2:554C:93AF:D6AC (talk) 15:17, 2 December 2024 (UTC)
The problem with descent methods like the one described in large characteristic is that the complexity is . This is explained more clearly in [1]. If the characteristic is small, then the problem is O(k) bits, and the complexity id pseudo-polynomial in the number of bits. If the characteristic is large, then the compexity is which is exponential in the number of bits of q. Tito Omburo (talk) 16:36, 2 December 2024 (UTC)
- Are you sure ? I’m not talking about the complexity of the index calculus part like chosing the factor base or computing individual discrete logarithms or the linear algebra phase. Only about the part consisting of shrinking the modulus through lowering it’s degree… 82.66.26.199 (talk) 10:26, 3 December 2024 (UTC)
- The paper I cited above finds the intermediate polynomials by a brute force search in small degree, which is thus polynomial in q. The general heuristic is that the search for intermediate polynomials takes about as long as the index calculus phase. But it looks like no one has a really good way to do it. Tito Omburo (talk) 10:45, 3 December 2024 (UTC)
- And in my case, elliptic curves are used to lower the degree and thus the modulus instead of brutefore. The person who wrote the paper told me in fact the idea was developed initially for medium characteristics but refused to give details for large characteristics. 82.66.26.199 (talk) 11:06, 3 December 2024 (UTC)
- I'm not really convinced that the approach actually works. How are the elliptic curves constructed? The construction given is very implicit. I'm betting that if one actually writes out the details, it involves lifting something from the prime field. Tito Omburo (talk) 16:02, 3 December 2024 (UTC)
- Yes. My request to have more details wasn’t well received. https://sympa.inria.fr/sympa/arc/cado-nfs/2024-12/msg00002.html 2A01:E0A:401:A7C0:5985:1F5D:4595:AA09 (talk) 01:48, 4 December 2024 (UTC)
- I'm not really convinced that the approach actually works. How are the elliptic curves constructed? The construction given is very implicit. I'm betting that if one actually writes out the details, it involves lifting something from the prime field. Tito Omburo (talk) 16:02, 3 December 2024 (UTC)
- And in my case, elliptic curves are used to lower the degree and thus the modulus instead of brutefore. The person who wrote the paper told me in fact the idea was developed initially for medium characteristics but refused to give details for large characteristics. 82.66.26.199 (talk) 11:06, 3 December 2024 (UTC)
- The paper I cited above finds the intermediate polynomials by a brute force search in small degree, which is thus polynomial in q. The general heuristic is that the search for intermediate polynomials takes about as long as the index calculus phase. But it looks like no one has a really good way to do it. Tito Omburo (talk) 10:45, 3 December 2024 (UTC)