**The number field sieve for integers of low weight**

*Oliver Schirokauer*

**Abstract: **We define the weight of an integer $N$ to be the smallest $w$ such that $N$ can be represented as $\sum_{i=1}^w \epsilon_i 2^{c_i}$, with $\epsilon_1,\ldots,\epsilon_w\in\{1,-1\}$. Since arithmetic modulo a prime of low weight is particularly efficient, it is tempting to use such primes in cryptographic protocols. In this paper we consider the difficulty of the discrete logarithm problem modulo a prime $N$ of low weight, as well as the difficulty of factoring an integer $N$ of low weight. We describe a
version of the number field sieve which handles both problems. Our analysis leads to the conjecture that, for $N\to\infty$ with $w$ fixed, the worst-case running time of the method is bounded above by
${\rm exp}((c+o(1))(\log\,N)^{1/3}(\log\log\,N)^{2/3})$ with
$c<((32/9)(2w-3)/(w-1))^{1/3}$ and below by the same expression with $c=(32/9)^{1/3}((\sqrt{2}w-2\sqrt{2}+1)/(w-1))^{2/3}.$
It also reveals that on average the method performs significantly better than it does in the worst case. We consider all the examples given in a recent paper of Koblitz and Menezes and demonstrate that in every case but one, our algorithm runs faster than the standard versions of the number field sieve.

**Category / Keywords: **public-key cryptography / discrete logarithm, integer factorization, number field sieve

**Date: **received 17 Mar 2006, last revised 18 Mar 2006

**Contact author: **oliver schirokauer at oberlin edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20060319:211157 (All versions of this report)

**Short URL: **ia.cr/2006/107

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]