Discrete logarithm records
Discrete logarithm records are the best results achieved to date in solving the discrete logarithm problem, which is the problem of finding solutions x to the equation gx = h given elements g and h of a finite cyclic group G. The difficulty of this problem is the basis for the security of several cryptographic systems, including Diffie–Hellman key agreement, ElGamal encryption, the ElGamal signature scheme, the Digital Signature Algorithm, and the elliptic curve cryptography analogs of these. Common choices for G used in these algorithms include the multiplicative group of integers modulo p, the multiplicative group of a finite field, and the group of points on an elliptic curve over a finite field.
Integers modulo ''p''
- On 2 Dec 2019, Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann announced the computation of a discrete logarithm modulo the 240-digit prime RSA-240 + 49204. This computation was performed simultaneously with the factorization of RSA-240, using the Number Field Sieve algorithm and the open-source CADO-NFS software. The discrete logarithm part of the computation took approximately 3100 core-years, using Intel Xeon Gold 6130 CPUs as a reference. The researchers estimate that improvements in the algorithms and software made this computation three times faster than would be expected from previous records after accounting for improvements in hardware.
- On 16 June 2016, Thorsten Kleinjung, Claus Diem, Arjen K. Lenstra, Christine Priplata, and Colin Stahlke announced the computation of a discrete logarithm modulo a 232-digit safe prime, using the number field sieve. The computation was started in February 2015 and took approximately 6600 core years scaled to an Intel Xeon E5-2660 at 2.2 GHz.
- On 18 June 2005, Antoine Joux and Reynald Lercier announced the computation of a discrete logarithm modulo a 130-digit strong prime in three weeks, using a 1.15 GHz 16-processor HP AlphaServer GS1280 computer and a number field sieve algorithm.
- On 5 February 2007 this was superseded by the announcement by Thorsten Kleinjung of the computation of a discrete logarithm modulo a 160-digit safe prime, again using the number field sieve. Most of the computation was done using idle time on various PCs and on a parallel computing cluster.
- On 11 June 2014, Cyril Bouvier, Pierrick Gaudry, Laurent Imbert, Hamza Jeljeli and Emmanuel Thomé announced the computation of a discrete logarithm modulo a 180 digit safe prime using the number field sieve algorithm.
Finite fields
The current record in a finite field of characteristic 2 was announced by Robert Granger, Thorsten Kleinjung, Arjen Lenstra, Benjamin Wesolowski, and Jens Zumbrägel on 10 July 2019. This team was able to compute discrete logarithms in GF using 25,481,219 core hours on clusters based on the Intel Xeon architecture. This computation was the first large-scale example using the elimination step of the quasi-polynomial algorithm.Previous records in a finite field of characteristic 2 were announced by:
- Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel on 31 January 2014. This team was able to compute discrete logarithms in GF using about 400,000 core hours. New features of this computation include a modified method for obtaining the logarithms of degree two elements and a systematically optimized descent strategy.
- Antoine Joux on 21 May 2013. His team was able to compute discrete logarithms in the field with 26168 = 24 elements using less than 550 CPU-hours. This computation was performed using the same index calculus algorithm as in the recent computation in the field with 24080 elements.
- Robert Granger, Faruk Göloğlu, Gary McGuire, and Jens Zumbrägel on 11 Apr 2013. The new computation concerned the field with 26120 elements and took 749.5 core-hours.
- Antoine Joux on Mar 22nd, 2013. This used the same algorithm for small characteristic fields as the previous computation in the field with 21778 elements. The new computation concerned the field with 24080 elements, represented as a degree 255 extension of the field with 216 elements. The computation took less than 14100 core hours.
- Robert Granger, Faruk Göloğlu, Gary McGuire, and Jens Zumbrägel on 19 Feb 2013. They used a new variant of the medium-sized base field function field sieve, for binary fields, to compute a discrete logarithm in a field of 21971 elements. In order to use a medium-sized base field, they represented the field as a degree 73 extension of the field of 227 elements. The computation took 3132 core hours on an SGI Altix ICE 8200EX cluster using Intel Xeon E5650 hex-core processors.
- Antoine Joux on 11 Feb 2013. This used a new algorithm for small characteristic fields. The computation concerned a field of 21778 elements, represented as a degree 127 extension of the field with 214 elements. The computation took less than 220 core hours.
The current record for a field of characteristic 3 was announced by
Gora Adj, Isaac Canales-Martinez, Nareli Cruz-Cortés, Alfred Menezes, Thomaz Oliveira, Francisco Rodriguez-Henriquez, and Luis Rivera-Zamarripa on. The calculation was done in the 4841-bit finite field with 36 · 509 elements and was performed on several computers at CINVESTAV and
the University of Waterloo. In total, about 200 core years of computing time was expended on the computation.
Previous records in a finite field of characteristic 3 were announced:
- in the full version of the Asiacrypt 2014 paper of Joux and Pierrot. The DLP is solved in the field GF, which is a 3796-bit field. This work did not exploit any "special" aspects of the field such as Kummer or twisted-Kummer properties. The total computation took less than 8600 CPU-hours.
- by Gora Adj, Alfred Menezes, Thomaz Oliveira, and Francisco Rodríguez-Henríquez on 26 February 2014, updating a previous announcement on 27 January 2014. The computation solve DLP in the 1551-bit field GF, taking 1201 CPU hours.
- in 2012 by a joint Fujitsu, NICT, and Kyushu University team, that computed a discrete logarithm in the field of 36 · 97 elements and a size of 923 bits, using a variation on the function field sieve and beating the previous record in a field of 36 · 71 elements and size of 676 bits by a wide margin.
On 25 June 2014, Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, and François Morain announced a new computation of a discrete logarithm in a finite field whose order has 160 digits and is a degree 2 extension of a prime field. The algorithm used was the number field sieve, with various modifications. The total computing time was equivalent to 68 days on one core of CPU and 30 hours on a GPU.
Elliptic curves
Corp. has issued a series of Elliptic Curve Cryptography challenges. Level I involves fields of 109-bit and 131-bit sizes. Level II includes 163, 191, 239, 359-bit sizes. All Level II challenges are currently believed to be computationally infeasible.The Level I challenges which have been met are:
- ECC2K-108, involving taking a discrete logarithm on a Koblitz curve over a field of 2108 elements. The prize was awarded on 4 April 2000 to a group of about 1300 people represented by Robert Harley. They used a parallelized Pollard rho method with speedup.
- ECC2-109, involving taking a discrete logarithm on a curve over a field of 2109 elements. The prize was awarded on 8 April 2004 to a group of about 2600 people represented by Chris Monico. They also used a version of a parallelized Pollard rho method, taking 17 months of calendar time.
- ECCp-109, involving taking a discrete logarithm on a curve modulo a 109-bit prime. The prize was awarded on 15 Apr 2002 to a group of about 10308 people represented by Chris Monico. Once again, they used a version of a parallelized Pollard rho method, taking 549 days of calendar time.
In July 2009, Joppe W. Bos, Marcelo E. Kaihara, Thorsten Kleinjung, Arjen K. Lenstra and Peter L. Montgomery announced that they had carried out a discrete logarithm computation on an elliptic curve modulo a 112-bit prime. The computation was done on a cluster of over 200 PlayStation 3 game consoles over about 6 months. They used the common parallelized version of Pollard rho method.
In April 2014, Erich Wenger and Paul Wolfger from Graz University of Technology solved the discrete logarithm of a 113-bit Koblitz curve in extrapolated 24 days using an 18-core Virtex-6 FPGA cluster. In January 2015,the same researchers solved the discrete logarithm of an elliptic curve defined over a 113-bit binary field. The average runtime is around 82 days using a 10-core Kintex-7 FPGA cluster.
On 2 December 2016, Daniel J. Bernstein, Susanne Engels, Tanja Lange, Ruben Niederhagen, Christof Paar, Peter Schwabe, and Ralf Zimmermann announced the solution of a generic 117.35-bit elliptic curve discrete logarithm problem on a binary curve, using an optimized FPGA implementation of a parallel version of Pollard's rho algorithm. The attack ran for about six months on 64 to 576 FPGAs in parallel.
On 23 August 2017, Takuya Kusaka, Sho Joichi, Ken Ikuta, Md. Al-Amin Khandaker, Yasuyuki Nogami, Satoshi Uehara, Nariyoshi Yamai, and Sylvain Duquesne announced that they had solved a discrete logarithm problem on a 114-bit "pairing-friendly" Barreto-Naehrig curve, using the special sextic twist property of the BN curve to efficiently carry out the random walk of Pollard’s rho method. The implementation used 2000 CPU cores and took about 6 months to solve the problem.
On 16 June 2020, Aleksander Zieniewicz and Jean Luc Pons announced the of a 114-bit interval elliptic curve discrete logarithm problem on the secp256k1 curve by solving a 114-bit private key in . To set a new record, they used their own software based on the Pollard Kangaroo on 256x GPU processor and it took them 13 days. Two weeks earlier - They used the same number of graphics cards to solve a 109-bit interval ECDLP in just 3 days.