In article <Pine.SUN.3.91.951110184600.19312B-100000@eskimo.com> you write:
Most Diffie-Hellman implementations currently use the multiplicative group of prime fields. However, the multiplicative group of finite fields of characteristic 2 (GF(2^n)) can also be used and should be easier to implement. Is there any reason why they should not be used? Does anyone know the asymptotic running time of the best algorithm for calculating discrete logarithms in GF(2^n)?
I remember that the discrete log problem is quite a bit easier in GF(2^n), but I don't remember how much easier. Let me try to look it up... A. Odlyzko has a paper recommending that people should not use GF(2^n) for discrete log applications; in it he states that you will need at the minimum n > 800, and probably n > 1500. (And you also need to choose n carefully.) A quote from the abstract: ``Hence the fields GF(2^n) out to be avoided in all cryptographic applications.'' I don't know enough about number theory to judge for myself; but you can read the (long) paper yourself at ftp://netlib.att.com/netlib/att/math/odlyzko/discrete.logs.ps.Z I hope this helps!