[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*To*: [email protected]*Subject*: Re: Diffie-Hellman in GF(2^n)?*From*: David A Wagner <[email protected]>*Date*: Sun, 12 Nov 1995 14:43:53 -0800 (PST)*Cc*: [email protected]*Sender*: [email protected]

```
In article <[email protected]> you write:
> Most Diffie-Hellman implementations currently use the multiplicative group
> of prime fields. However, the multiplicative group of finite fields of
> characteristic 2 (GF(2^n)) can also be used and should be easier to
> implement. Is there any reason why they should not be used? Does anyone
> know the asymptotic running time of the best algorithm for calculating
> discrete logarithms in GF(2^n)?
I remember that the discrete log problem is quite a bit easier
in GF(2^n), but I don't remember how much easier. Let me try
to look it up...
A. Odlyzko has a paper recommending that people should not use
GF(2^n) for discrete log applications; in it he states that you
will need at the minimum n > 800, and probably n > 1500. (And
you also need to choose n carefully.) A quote from the abstract:
``Hence the fields GF(2^n) out to be avoided in all cryptographic
applications.''
I don't know enough about number theory to judge for myself;
but you can read the (long) paper yourself at
ftp://netlib.att.com/netlib/att/math/odlyzko/discrete.logs.ps.Z
I hope this helps!
```

**Follow-Ups**:**Re: Diffie-Hellman in GF(2^n)?***From:*Wei Dai <[email protected]>

- Prev by Date:
**Re: the revolution of microcurrency** - Next by Date:
**WebSTAR security challenge. Make $10,000 breaking in a site.** - Prev by thread:
**Re: Diffie-Hellman in GF(2^n)?** - Next by thread:
**Re: Diffie-Hellman in GF(2^n)?** - Index(es):