Discrete logarithm records

Discrete logarithm records are the best results achieved to date in solving the discrete logarithm problem, which is the problem of finding solutions ''x'' to the equation $g^x=h$ given elements ''g'' and ''h'' of a finite cyclic group ''G''. The difficulty of this problem is the basis for the security of several cryptographic systems, including Diffie–Hellman key agreement, ElGamal encryption, the ElGamal signature scheme, the Digital Signature Algorithm, and the elliptic curve cryptography analogs of these. Common choices for ''G'' used in these algorithms include the multiplicative group of integers modulo ''p'', the multiplicative group of a finite field, and the group of points on an elliptic curve over a finite field.

The current record for integers modulo prime numbers, set in December 2019, is a discrete logarithm computation modulo a prime with 240 digits. For characteristic 2, the current record for finite fields, set in July 2019, is a discrete logarithm over $GF(2^)$. When restricted to prime degree, the current record, set in October 2014, is over $GF(2^)$. For characteristic 3, the current record, set in July 2016, is over $GF(3^)$. For fields of "moderate" characteristic, the current record, set in January 2013, is over $GF(33341353^)$.

Integers modulo ''p''

* On 2 Dec 2019, Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann announced the computation of a discrete logarithm modulo the 240-digit (795 bit) prime RSA-240 + 49204 (the first safe prime above RSA-240). This computation was performed simultaneously with the factorization of RSA-240, using the Number Field Sieve algorithm and the open-source CADO-NFS software. The discrete logarithm part of the computation took approximately 3100 core-years, using Intel Xeon Gold 6130 CPUs as a reference (2.1GHz). The researchers estimate that improvements in the algorithms and software made this computation three times faster than would be expected from previous records after accounting for improvements in hardware.

Previous records for integers modulo ''p'' include:

* On 16 June 2016, Thorsten Kleinjung, Claus Diem, Arjen K. Lenstra, Christine Priplata, and Colin Stahlke announced the computation of a discrete logarithm modulo a 232-digit (768-bit) safe prime, using the number field sieve. The computation was started in February 2015 and took approximately 6600 core years scaled to an Intel Xeon E5-2660 at 2.2 GHz.

* On 18 June 2005, Antoine Joux and Reynald Lercier announced the computation of a discrete logarithm modulo a 130-digit (431-bit) strong prime in three weeks, using a 1.15 GHz 16-processor HP AlphaServer GS1280 computer and a number field sieve algorithm.
* On 5 February 2007 this was superseded by the announcement by Thorsten Kleinjung of the computation of a discrete logarithm modulo a 160-digit (530-bit) safe prime, again using the number field sieve. Most of the computation was done using idle time on various PCs and on a parallel computing cluster.
* On 11 June 2014, Cyril Bouvier, Pierrick Gaudry, Laurent Imbert, Hamza Jeljeli and Emmanuel Thomé announced the computation of a discrete logarithm modulo a 180 digit (596-bit) safe prime using the number field sieve algorithm.

Also of note, in July 2016, Joshua Fried, Pierrick Gaudry, Nadia Heninger, Emmanuel Thome published their discrete logarithm computation on a 1024-bit prime. They generated a prime susceptible to the special number field sieve, using the specialized algorithm on a comparatively small subgroup (160-bits). While this is a small subgroup, it was the standardized subgroup size used with the 1024-bit digital signature algorithm (DSA).

Finite fields

The current record () in a finite field of characteristic 2 was announced by Robert Granger, Thorsten Kleinjung, Arjen Lenstra, Benjamin Wesolowski, and Jens Zumbrägel on 10 July 2019. This team was able to compute discrete logarithms in GF(2³⁰⁷⁵⁰) using 25,481,219 core hours on clusters based on the Intel Xeon architecture. This computation was the first large-scale example using the elimination step of the quasi-polynomial algorithm.

Previous records in a finite field of characteristic 2 were announced by:

* Robert Granger, Thorsten Kleinjung, and Jens Zumbrägel on 31 January 2014. This team was able to compute discrete logarithms in GF(2⁹²³⁴) using about 400,000 core hours. New features of this computation include a modified method for obtaining the logarithms of degree two elements and a systematically optimized descent strategy.
* Antoine Joux on 21 May 2013. His team was able to compute discrete logarithms in the field with 2⁶¹⁶⁸ = (2²⁵⁷)²⁴ elements using less than 550 CPU-hours. This computation was performed using the same index calculus algorithm as in the recent computation in the field with 2⁴⁰⁸⁰ elements.
* Robert Granger, Faruk Göloğlu, Gary McGuire, and Jens Zumbrägel on 11 Apr 2013. The new computation concerned the field with 2⁶¹²⁰ elements and took 749.5 core-hours.
* Antoine Joux on Mar 22nd, 2013. This used the same algorithm for small characteristic fields as the previous computation in the field with 2¹⁷⁷⁸ elements. The new computation concerned the field with 2⁴⁰⁸⁰ elements, represented as a degree 255 extension of the field with 2¹⁶ elements. The computation took less than 14100 core hours.
* Robert Granger, Faruk Göloğlu, Gary McGuire, and Jens Zumbrägel on 19 Feb 2013. They used a new variant of the medium-sized base field function field sieve, for binary fields, to compute a discrete logarithm in a field of 2¹⁹⁷¹ elements. In order to use a medium-sized base field, they represented the field as a degree 73 extension of the field of 2²⁷ elements. The computation took 3132 core hours on an SGI Altix ICE 8200EX cluster using Intel (Westmere) Xeon E5650 hex-core processors.
* Antoine Joux on 11 Feb 2013. This used a new algorithm for small characteristic fields. The computation concerned a field of 2¹⁷⁷⁸ elements, represented as a degree 127 extension of the field with 2¹⁴ elements. The computation took less than 220 core hours.

The current record () in a finite field of characteristic 2 of prime degree was announced by Thorsten Kleinjung on 17 October 2014. The calculation was done in a field of 2¹²⁷⁹ elements and followed essentially the path sketched for $\mathbb_$ in with two main exceptions in the linear algebra computation and the descent phase. The total running time was less than four core years. The previous record in a finite field of characteristic 2 of prime degree was announced by the CARAMEL group on April 6, 2013. They used the function field sieve to compute a discrete logarithm in a field of 2⁸⁰⁹ elements.

The current record () for a field of characteristic 3 was announced by
Gora Adj, Isaac Canales-Martinez, Nareli Cruz-Cortés, Alfred Menezes, Thomaz Oliveira, Francisco Rodriguez-Henriquez, and Luis Rivera-Zamarripa on 18 July 2016. The calculation was done in the 4841-bit finite field with 3^6 · 509 elements and was performed on several computers at CINVESTAV and
the University of Waterloo. In total, about 200 core years of computing time was expended on the computation.

Previous records in a finite field of characteristic 3 were announced:

* in the full version of the Asiacrypt 2014 paper of Joux and Pierrot (December 2014). The DLP is solved in the field GF(3^5 · 479), which is a 3796-bit field. This work did not exploit any "special" aspects of the field such as Kummer or twisted-Kummer properties. The total computation took less than 8600 CPU-hours.
* by Gora Adj, Alfred Menezes, Thomaz Oliveira, and Francisco Rodríguez-Henríquez on 26 February 2014, updating a previous announcement on 27 January 2014. The computation solve DLP in the 1551-bit field GF(3^6 · 163), taking 1201 CPU hours.
* in 2012 by a joint Fujitsu, NICT, and Kyushu University team, that computed a discrete logarithm in the field of 3^6 · 97 elements and a size of 923 bits, using a variation on the function field sieve and beating the previous record in a field of 3^6 · 71 elements and size of 676 bits by a wide margin.

Over fields of "moderate"-sized characteristic, notable computations as of 2005 included those a field of 65537²⁵ elements (401 bits) announced on 24 Oct 2005, and in a field of 370801³⁰ elements (556 bits) announced on 9 Nov 2005. The current record (as of 2013) for a finite field of "moderate" characteristic was announced on 6 January 2013. The team used a new variation of the function field sieve for the medium prime case to compute a discrete logarithm in a field of 33341353⁵⁷ elements (a 1425-bit finite field).Faster index calculus for the medium prime case. Application to 1175-bit and 1425-bit finite fields, Eprint Archive, http://eprint.iacr.org/2012/720 The same technique had been used a few weeks earlier to compute a discrete logarithm in a field of 33553771⁴⁷ elements (an 1175-bit finite field).

On 25 June 2014, Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, and François Morain announced a new computation of a discrete logarithm in a finite field whose order has 160 digits and is a degree 2 extension of a prime field.Razvan Barbulescu, “Discrete logarithms in GF(p^2) --- 160 digits,” June 24, 2014, https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;2ddabd4c.1406. The algorithm used was the number field sieve (NFS), with various modifications. The total computing time was equivalent to 68 days on one core of CPU (sieving) and 30 hours on a GPU (linear algebra).

Elliptic curves

Certicom Corp. has issued a series of Elliptic Curve Cryptography challenges. Level I involves fields of 109-bit and 131-bit sizes. Level II includes 163, 191, 239, 359-bit sizes. All Level II challenges are currently believed to be computationally infeasible.

The Level I challenges which have been met are:

* ECC2K-108, involving taking a discrete logarithm on a Koblitz curve over a field of 2¹⁰⁸ elements. The prize was awarded on 4 April 2000 to a group of about 1300 people represented by Robert Harley. They used a parallelized Pollard rho method with speedup.
* ECC2-109, involving taking a discrete logarithm on a curve over a field of 2¹⁰⁹ elements. The prize was awarded on 8 April 2004 to a group of about 2600 people represented by Chris Monico. They also used a version of a parallelized Pollard rho method, taking 17 months of calendar time.
* ECCp-109, involving taking a discrete logarithm on a curve modulo a 109-bit prime. The prize was awarded on 15 Apr 2002 to a group of about 10308 people represented by Chris Monico. Once again, they used a version of a parallelized Pollard rho method, taking 549 days of calendar time.

None of the 131-bit (or larger) challenges have been met .

In July 2009, Joppe W. Bos, Marcelo E. Kaihara, Thorsten Kleinjung, Arjen K. Lenstra and Peter L. Montgomery announced that they had carried out a discrete logarithm computation on an elliptic curve (known as secp112r1) modulo a 112-bit prime. The computation was done on a cluster of over 200 PlayStation 3 game consoles over about 6 months. They used the common parallelized version of Pollard rho method.

In April 2014, Erich Wenger and Paul Wolfger from Graz University of Technology solved the discrete logarithm of a 113-bit Koblitz curve in extrapolated 24 days using an 18-core Virtex-6 FPGA cluster.Erich Wenger and Paul Wolfger, “Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster” http://eprint.iacr.org/2014/368 In January 2015, the same researchers solved the discrete logarithm of an elliptic curve defined over a 113-bit binary field. The average runtime is around 82 days using a 10-core Kintex-7 FPGA cluster.

On 2 December 2016, Daniel J. Bernstein, Susanne Engels, Tanja Lange, Ruben Niederhagen, Christof Paar, Peter Schwabe, and Ralf Zimmermann announced the solution of a generic 117.35-bit elliptic curve discrete logarithm problem on a binary curve, using an optimized FPGA implementation of a parallel version of Pollard's rho algorithm. The attack ran for about six months on 64 to 576 FPGAs in parallel.

On 23 August 2017, Takuya Kusaka, Sho Joichi, Ken Ikuta, Md. Al-Amin Khandaker, Yasuyuki Nogami, Satoshi Uehara, Nariyoshi Yamai, and Sylvain Duquesne announced that they had solved a discrete logarithm problem on a 114-bit "pairing-friendly" Barreto–Naehrig (BN) curve, using the special sextic twist property of the BN curve to efficiently carry out the random walk of Pollard’s rho method. The implementation used 2000 CPU cores and took about 6 months to solve the problem.

On 16 June 2020, Aleksander Zieniewicz (zielar) and Jean Luc Pons
JeanLucPons
announced the solution of a 114-bit interval elliptic curve discrete logarithm problem on the secp256k1 curve by solving a 114-bit private key in Bitcoin Puzzle Transactions Challenge. To set a new record, they used their own software based on the Pollard Kangaroo on 256
NVIDIA Tesla V100
GPU processor and it took them 13 days. Two weeks earlier - They used the same number of graphics cards to solve a 109-bit interval ECDLP in just 3 days.

Notes

References

{{reflist

External links

Computations of discrete logarithms sorted by date

Asymmetric-key algorithms
Modular arithmetic
Logarithms
Computational hardness assumptions
World records