Abstract
In 2013, Joux, and then Barbulescu, Gaudry, Joux and Thomé, presented new algorithms for computing discrete logarithms in finite fields of small and medium characteristic. We show that these new algorithms render the finite field \({\mathbb{F}}_{3^{6 \cdot 509}} = {\mathbb{F}}_{3^{3054}}\) weak for discrete logarithm cryptography in the sense that discrete logarithms in this field can be computed significantly faster than with the previous fastest algorithms. Our concrete analysis shows that the supersingular elliptic curve over \({\mathbb{F}}_{3^{509}}\) with embedding degree 6 that had been considered for implementing pairing-based cryptosystems at the 128-bit security level in fact provides only a significantly lower level of security. Our work provides a convenient framework and tools for performing a concrete analysis of the new discrete logarithm algorithms and their variants.
References
Adikari, J., Anwar Hasan, M., Negre, C.: Towards faster and greener cryptoprocessor for eta pairing on supersingular elliptic curve over \(\mathbb{F}_{2^{1223}}\). In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 166–183. Springer, Heidelberg (2013)
Adleman, L., Huang, M.-D.: Function field sieve method for discrete logarithms over finite fields. Information and Computation 151, 5–16 (1999)
Ahmadi, O., Hankerson, D., Menezes, A.: Software implementation of arithmetic in \(\mathbb{F}_{3^m}\). In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 85–102. Springer, Heidelberg (2007)
Aranha, D., Beuchat, J., Detrey, J., Estibals, N.: Optimal eta pairing on supersingular genus-2 binary hyperelliptic curves. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 98–115. Springer, Heidelberg (2012)
Barbulescu, R., Bouvier, C., Detrey, J., Gaudry, P., Jeljeli, H., Thomé, E., Videau, M., Zimmermann, P.: Discrete logarithm in \(\mathrm{GF}(2^{809})\) with FFS, http://eprint.iacr.org/2013/197
Barbulescu, R., Gaudry, P.: Personal communication (August 12, 2013)
Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic: Improvements over FFS in small to medium characteristic, http://eprint.iacr.org/2013/400
Barreto, P., Galbraith, S., ÓhÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Designs, Codes and Cryptography 42, 239–271 (2007)
Barreto, P., Kim, H., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002)
Barrett, P.: Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 311–323. Springer, Heidelberg (1987)
Bernstein, D.: How to find small factors of integers (2002) (manuscript), http://cr.yp.to/papers/sf.pdf
Beuchat, J., Detrey, J., Estibals, N., Okamoto, E., Rodríguez-Henríquez, F.: Fast architectures for the \(\eta_T\) pairing over small-characteristic supersingular elliptic curves. IEEE Transactions on Computers 60, 266–281 (2011)
Beuchat, J., López-Trejo, E., Martínez-Ramos, L., Mitsunari, S., Rodríguez-Henríquez, F.: Multi-core implementation of the Tate pairing over supersingular elliptic curves. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 413–432. Springer, Heidelberg (2009)
Blake, I., Fuji-Hara, R., Mullin, R., Vanstone, S.: Computing logarithms in finite fields of characteristic two. SIAM Journal on Algebraic and Discrete Methods 5, 276–285 (1984)
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. Journal of Cryptology 17, 297–319 (2004)
Chatterjee, S., Hankerson, D., Menezes, A.: On the efficiency and security of pairing-based protocols in the type 1 and type 4 settings. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 114–134. Springer, Heidelberg (2010)
Cheng, Q., Wan, D., Zhuang, J.: Traps to the BGJT-algorithm for discrete logarithms, http://eprint.iacr.org/2013/673
Coppersmith, D.: Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory 30, 587–594 (1984)
Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Mathematics of Computation 62, 333–350 (1994)
Estibals, N.: Compact hardware for computing the Tate pairing over 128-bit-security supersingular curves. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 397–416. Springer, Heidelberg (2010)
Faugère, J.: A new efficient algorithm for computing Gröbner bases (\(F_4\)). Journal of Pure and Applied Algebra 139, 61–88 (1999)
Faugère, J.: A new efficient algorithm for computing Gröbner bases without reduction to zero (\(F_5\)). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation (ISSAC 2002), pp. 75–83 (2002)
Galbraith, S.: Supersingular curves in cryptography. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 495–513. Springer, Heidelberg (2001)
Galbraith, S., Harrison, K., Soldera, D.: Implementing the Tate pairing. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 324–337. Springer, Heidelberg (2002)
Galbraith, S., Paterson, K., Smart, N.: Pairings for cryptographers. Discrete Applied Mathematics 156, 3113–3121 (2008)
Geiselmann, W., Shamir, A., Steinwandt, R., Tromer, E.: Scalable hardware for sparse systems of linear equations, with applications to integer factorization. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 131–146. Springer, Heidelberg (2005)
Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: On the function field sieve and the impact of higher splitting probabilities. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 109–128. Springer, Heidelberg (2013)
Göloğlu, F., Granger, R., McGuire, G., Zumbrägel, J.: Solving a 6120-bit DLP on a desktop computer, http://eprint.iacr.org/2013/306
Granger, R., Page, D., Stam, M.: Hardware and software normal basis arithmetic for pairing based cryptography in characteristic three. IEEE Transactions on Computers 54, 852–860 (2005)
Hankerson, D., Menezes, A., Scott, M.: Software implementation of pairings. In: Joye, M., Neven, G. (eds.) Identity-Based Cryptography. IOS Press (2008)
Hayashi, T., et al.: Breaking pairing-based cryptosystems using \(\eta_T\) pairing over \(\mathrm{GF}(3^{97})\). In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 43–60. Springer, Heidelberg (2012)
Jeljeli, H.: Accelerating iterative SpMV for discrete logarithm problem using GPUs, http://arxiv.org/abs/1209.5520
Joux, A.: Faster index calculus for the medium prime case: Application to 1175-bit and 1425-bit finite fields. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 177–193. Springer, Heidelberg (2013)
Joux, A.: A new index calculus algorithm with complexity L(1/4 + o(1)) in very small characteristic, http://eprint.iacr.org/2013/095
Joux, A.: Discrete logarithm in \(\mathrm{GF}(2^{6 \cdot 128})\). Number Theory List (May 21, 2013)
Joux, A., Lercier, R.: The function field sieve is quite special. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 431–445. Springer, Heidelberg (2002)
Joux, A., Lercier, R.: The function field sieve in the medium prime case. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 254–270. Springer, Heidelberg (2006)
LaMacchia, B., Odlyzko, A.: Solving large sparse linear systems over finite fields. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 109–133. Springer, Heidelberg (1991)
Lenstra, A.K.: Unbelievable security: Matching AES security using public key systems. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 67–86. Springer, Heidelberg (2001)
Lenstra, A.K., Shamir, A., Tomlinson, J., Tromer, E.: Analysis of Bernstein's factorization circuit. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 1–26. Springer, Heidelberg (2002)
Magma v2.19-7, http://magma.maths.usyd.edu.au/magma/
Maple 17, http://www.maplesoft.com/products/maple/
Page, D., Smart, N., Vercauteren, F.: A comparison of MNT curves and supersingular curves. Applicable Algebra in Engineering, Communication and Computing 17, 379–392 (2006)
Shinohara, N., et al.: Key length estimation of pairing-based cryptosystems using \(\eta_T\) pairing. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 228–244. Springer, Heidelberg (2012)
Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE Transactions on Information Theory 32, 54–62 (1986)
© 2014 Springer International Publishing Switzerland
Adj, G., Menezes, A., Oliveira, T., Rodríguez-Henríquez, F. (2014). Weakness of \(\mathbb{F}_{3^{6 \cdot 509}}\) for Discrete Logarithm Cryptography. In: Cao, Z., Zhang, F. (eds) Pairing-Based Cryptography – Pairing 2013. Pairing 2013. Lecture Notes in Computer Science, vol 8365. Springer, Cham. https://doi.org/10.1007/978-3-319-04873-4_2
DOI: https://doi.org/10.1007/978-3-319-04873-4_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04872-7
Online ISBN: 978-3-319-04873-4