The only relation between the two problems is that they involve the same type of equation. The underlying number systems are totally different. There is no reason to expect the two problems to be of comparable difficulty.
As an illustrative example, the equation for the RSA problem itself can be defined over prime fields, and it is trivially easy to solve in that setting. The same problem over a composite modulus is believed to be hard, and forms the basis for the RSA cryptosystem. Just because an equation can be solved over prime fields does not mean, at all, that it can be solved over composite moduli.
I suspect we are arguing past each other, and if we were to sit down over coffee (or equivalent) in from of a whiteboard (or equivalent) then we would have a really useful and interesting conversation. Everything you say is right, but I believe there are more connections going on at a deeper level. This is my intuition speaking, and as a PhD in Combinatorics and Graph Theory who has dabbled for decades (literally - I started in 1967) in integer factorization and discrete logs, I've learned to listen to my intuition. It's sometimes wrong, and it may well be in this case, but I feel that the deeper structures in Z_{pq} and Z_p have a cross-fertilization that we may eventually find.
I agree that these aren't the obvious things to be working on, and the more direct attacks - factorization for RSA and discrete logs in Z_p for DHMW - are just that, more direct, and will certainly be more fruitful in the short to medium term.
It would be nice to make that real-life conversation happen. Feel free to email me? Details in my profile.
My experience as someone who is active in research in this exact field (mathematical cryptanalysis) is that generic techniques for discrete logarithms, such as Pollard rho or the number field sieve, do transfer well to integer factorization, but more specific techniques such as Joux's latest function field sieve tend to be harder to transfer from one setting to the other.
Right - that's very useful information. Now I really do want to get together with you to talk about these things. You clearly know more than I about the details, and I'd love to learn more.
Alas, I expect it won't happen, but thanks for the information.
A question. You say:
> ... more specific techniques such as Joux's latest
> function field sieve tend to be harder to transfer
> from one setting to the other.
Do you have any sense that perhaps, as we come to understand it in more detail, we may yet come to find that it becomes more widely applicable? Obviously you feel at the moment that it's too specific, but is that perhaps because we don't understand it properly yet? Or do you feel it's genuinely limited in that regard? I'm just thinking about how Wiles' insights and proofs about the (speaking loosely) limited form of the equivalence of specific Elliptic Curves and Modular Forms opened the field for the full proof of the T-S conjecture (now theorem).
Just looking for a deeper insight into your intuition. Feel free to speculate wildly. If you're right you can appear prescient. If wrong, it was just speculation. 8-)
Added in edit: Supersingular Primes for Rational Points on Modular Curves (?)
Generally speaking, attacks which rely on more structure are hard to adapt to situations where there is less structure. Conversely, attacks which require no structure are easy to generalize to a wide variety of situations.
Something like Pollard rho requires no structure. It works in any group. The number field sieve is an intermediate case. It requires a norm (basically you need some elements to be bigger than others). For arbitrary finite fields, the NFS still represents the fastest known attack. The latest attack is a version of the function field sieve. The FFS uses, in an essential way, the algebraic structure of polynomials over a field. Coppersmith pioneered the use of the FFS in the 80s, when he showed that small characteristic fields (which consist primarily of polynomials) admit faster discrete logarithm solutions. The latest work goes far beyond Coppersmith's work, but tends towards increasing specialization, not generalization, since it adds the new requirement that the field contain an intermediate subfield.
Given that the direction of specialization appears, if anything, to be going in the other direction, there would have to be a substantial further breakthrough in order to apply these results more generally. My own opinion and intuition is that these results are not likely to apply to prime field discrete logs, never mind RSA and/or composite moduli.
As an illustrative example, the equation for the RSA problem itself can be defined over prime fields, and it is trivially easy to solve in that setting. The same problem over a composite modulus is believed to be hard, and forms the basis for the RSA cryptosystem. Just because an equation can be solved over prime fields does not mean, at all, that it can be solved over composite moduli.