Abstract
In the past two years there have been several advances in Number Field Sieve (NFS) algorithms for computing discrete logarithms in finite fields \({\mathbb F}_{p^n}\) where p is prime and \(n > 1\) is a small integer. This article presents a concise overview of these algorithms and discusses some of the challenges with assessing their impact on keylengths for pairing-based cryptosystems.
Notes
1. In this paper, \(\log N\) and \(\lg N\) are the logarithms of N to the base e and 2, respectively.
2. The details are complicated and involve using the homomorphisms \(\alpha \mapsto m\) and \(\beta \mapsto m\) along with the class numbers and the torsion-free ranks of \(\mathcal {O}_f\) and \(\mathcal {O}_g\). We skip these details.
3. For comparisons with other run times, it is useful to note that \((96/9)^{1/3} \approx 2.201\), \((64/9)^{1/3} \approx 1.923\), \((48/9)^{1/3} \approx 1.747\), and \((32/9)^{1/3} \approx 1.526\).
References
Aranha, D.F., Fuentes-Castañeda, L., Knapp, E., Menezes, A., Rodríguez-Henríquez, F.: Implementing pairings at the 192-bit security level. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 177–195. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36334-4_11
Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: Improving NFS for the discrete logarithm problem in non-prime finite fields. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 129–155. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_6
Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_1
Barbulescu, R., Gaudry, P., Kleinjung, T.: The tower number field sieve. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 31–55. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48800-3_2
Barbulescu, R., Pierrot, C.: The multiple number field sieve for medium and high characteristic finite fields. LMS J. Comput. Math. 17, 230–246 (2014)
Barker, E.: Recommendation for key management, Part 1: General. NIST Special Publication 800–57, Part 1, Revision 4, January 2016
Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003). doi:10.1007/3-540-36413-7_19
Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). doi:10.1007/11693383_22
Bistritz, Y., Lifshitz, A.: Bounds for resultants of univariate and bivariate polynomials. Linear Algebra Appl. 432, 1995–2005 (2010)
Boneh, D., Boyen, X.: Strong signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptol. 21, 149–177 (2008)
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_13
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17, 297–319 (2004)
Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: 11th ACM Conference on Computer and Communications Security - CCS 2004, pp. 168–177 (2004)
Chatterjee, S., Menezes, A.: On cryptographic protocols employing asymmetric pairings - the role of \(\psi \) revisited. Discrete Appl. Math. 159, 1311–1322 (2011)
Chatterjee, S., Menezes, A.: Type 2 structure-preserving signature schemes revisited. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 286–310. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_13
Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006). doi:10.1007/11761679_1
Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_26
Diem, C.: On the discrete logarithm problem in elliptic curves. Compositio Math. 147, 75–104 (2011)
Diem, C.: On the discrete logarithm problem in elliptic curves II. Algebra Number Theory 7, 1281–1323 (2013)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: IEEE 54th Annual Symposium on Foundations of Computer Science (FOCS), pp. 40–49 (2013)
Gaudry, P., Hess, F., Smart, N.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15, 19–34 (2002)
Gordon, D.: Discrete logarithms in \(GF(p)\) using the number field sieve. SIAM J. Discrete Math. 6, 124–138 (1993)
Guillevic, A.: Computing individual discrete logarithms faster in \(GF(p^n)\) with the NFS-DL algorithm. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 149–173. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_7
Jao, D., Yoshida, K.: Boneh-Boyen signatures and the strong Diffie-Hellman problem. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 1–16. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03298-1_1
Jeong, J., Kim, T.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. Cryptology ePrint Archive: Report 2016/526 (2016)
Joux, A.: Algorithmic Cryptanalysis. Chapman & Hall/CRC, Boca Raton (2009)
Joux, A., Lercier, R.: Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comput. 72, 953–967 (2003)
Joux, A., Lercier, R., Smart, N., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006). doi:10.1007/11818175_19
Joux, A., Pierrot, C.: The special number field sieve in \(\mathbb{F}_{p^{n}}\) – application to pairing-friendly construction. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 45–61. Springer, Cham (2014). doi:10.1007/978-3-319-04873-4_3
Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85538-5_9
Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53018-4_20
Koblitz, N., Menezes, A.: The brave new world of bodacious assumptions in cryptography. Not. AMS 57, 357–365 (2010)
Lenstra, A.K., Lenstra, H.W., Manasse, M.S., Pollard, J.M.: The number field sieve. In: Lenstra, A.K., Lenstra, H.W. (eds.) The Development of the Number Field Sieve. LNM, vol. 1554, pp. 11–42. Springer, Heidelberg (1993). doi:10.1007/BFb0091537
Mayo, K.: A primer on cryptographic multilinear maps and code obfuscation. M.Math. thesis, University of Waterloo (2015). http://hdl.handle.net/10012/9698
Pierrot, C.: The multiple number field sieve with conjugation and generalized Joux-Lercier methods. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 156–170. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_7
Pollard, J.: Monte Carlo methods for index computation mod \(p\). Math. Comput. 32, 918–924 (1978)
Sarkar, P., Singh, S.: New complexity trade-offs for the (multiple) number field sieve algorithm in non-prime fields. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 429–458. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49890-3_17
Sarkar, P., Singh, S.: A general polynomial selection method and new asymptotic complexities for the tower number field sieve algorithm. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 37–62. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53887-6_2
Sarkar, P., Singh, S.: A generalisation of the conjugation method for polynomial selection for the extended tower number field sieve algorithm. IACR Cryptology ePrint Archive: Report 2016/537 (2016)
Schirokauer, O.: Using number fields to compute logarithms in finite fields. Math. Comput. 69, 1267–1283 (2000)
Smart, N. (ed.): ECRYPT II Yearly Report on Algorithms and Keysizes (2011–2012), 30 September 2012
Acknowledgements
We thank the referees for their comments which helped improve the presentation of the paper.
A Calculations of Bounds on Resultants
Consider the setting of the TNFS with \(Q=p^n\), \(n=\eta \kappa \), h a degree-\(\eta \) irreducible polynomial in \(\mathbb {Z}[z]\), \(R=\mathbb {Z}[z]/(h(z))\), and \(f,\phi \in R[x]\). Note that \(\deg _z f = \deg _z\phi = \eta -1\).
Let \(\mathfrak {f}(z,x)\) be a bivariate polynomial with integer coefficients where \(\mathfrak {f}_{i,j}\) is the coefficient of \(x^iz^j\). Then \(||\mathfrak {f}||_{\infty }=\max |\mathfrak {f}_{i,j}|\). Bounds on resultants of univariate and bivariate polynomials have been given in [9]. We summarize these below.
Let a(u) and b(u) be polynomials with integer coefficients. From [9], we have
Let a(u, v) and b(u, v) be polynomials with integer coefficients. Let \(c(u)=\mathrm{Res}_v(a(u,v),b(u,v))\). Then
Bounds on \(\mathrm{Res}_z(\mathrm{Res}_x(\phi (x),\mathfrak {f}(x)),h(z))\) can be derived by combining the bounds given by (13) and (14). Let \(\mathfrak {c}(z)=\mathrm{Res}_x(\phi (x),\mathfrak {f}(x))\). The degree of \(\mathfrak {c}(z)\) is given in [9] and from (14) we obtain \(||\mathfrak {c}||_{\infty }\). These quantities are as follows:
Using these values we obtain
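The quantity the appendix bounds is the tower resultant \(\mathrm{Res}_z(\mathrm{Res}_x(\phi(x),\mathfrak{f}(x)),h(z))\), i.e. the integer norm of \(\phi\) in the TNFS number field. Since the bound formulas (13) and (14) are not reproduced on this page, the following added example (written for this page, not code from the paper or from [9]) computes that resultant exactly for a constructed toy instance with \(\eta = 2\), \(h(z)=z^2+1\), and \(f,\phi \in R[x]\) of z-degree \(\eta-1\), and checks it against two generic bounds that are stated here as substitutes, not as the paper's: the Sylvester-matrix degree bound \(\deg_z \mathrm{Res}_x(\phi,\mathfrak f) \le \deg_x\phi \cdot \deg_z\mathfrak f + \deg_x\mathfrak f \cdot \deg_z\phi\), and Hadamard's inequality \(|\mathrm{Res}(a,b)| \le ||a||_2^{\deg b}\,||b||_2^{\deg a}\). The polynomial representations, the helper names and the sample polynomials \(h\), \(f\), \(\phi\) are all assumptions of the example.

```python
from fractions import Fraction

# Conventions (chosen for this example, not taken from the paper):
#   univariate polynomial  -> list of integer coefficients, index = degree
#   polynomial in R[x], R = Z[z]/(h(z)) -> list indexed by x-degree whose
#   entries are univariate polynomials in z

def strip(p):
    """Drop trailing zero coefficients so len(p) - 1 is the true degree."""
    p = list(p)
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def poly_mul(a, b):
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def eval_poly(p, z0):
    return sum(c * z0 ** k for k, c in enumerate(p))

def sylvester(a, b):
    """Sylvester matrix of a and b; its determinant is Res(a, b)."""
    m, n = len(a) - 1, len(b) - 1
    size = m + n
    rows = []
    for i in range(n):                 # deg(b) shifted copies of a
        row = [0] * size
        for j, c in enumerate(reversed(a)):
            row[i + j] = c
        rows.append(row)
    for i in range(m):                 # deg(a) shifted copies of b
        row = [0] * size
        for j, c in enumerate(reversed(b)):
            row[i + j] = c
        rows.append(row)
    return rows

def det(matrix):
    """Exact determinant by Gaussian elimination over the rationals."""
    mat = [[Fraction(v) for v in row] for row in matrix]
    n, d = len(mat), Fraction(1)
    for col in range(n):
        pivot = next((r for r in range(col, n) if mat[r][col] != 0), None)
        if pivot is None:
            return 0
        if pivot != col:
            mat[col], mat[pivot] = mat[pivot], mat[col]
            d = -d
        d *= mat[col][col]
        for r in range(col + 1, n):
            factor = mat[r][col] / mat[col][col]
            if factor:
                for c in range(col, n):
                    mat[r][c] -= factor * mat[col][c]
    assert d.denominator == 1
    return int(d)

def resultant(a, b):
    a, b = strip(a), strip(b)
    return det(sylvester(a, b))

def resultant_x(phi, f):
    """c(z) = Res_x(phi, f) for phi, f in Z[z][x], by evaluation/interpolation.
    deg_z c <= deg_x(phi)*deg_z(f) + deg_x(f)*deg_z(phi), so that many + 1
    specialisations z = z0 determine c(z) exactly.  Returns (c, degree bound)."""
    def deg_z(p):
        return max(len(strip(c)) - 1 for c in p)
    bound = (len(phi) - 1) * deg_z(f) + (len(f) - 1) * deg_z(phi)
    points = []
    for z0 in range(bound + 1):
        phi0 = [eval_poly(c, z0) for c in phi]
        f0 = [eval_poly(c, z0) for c in f]
        # Res only commutes with z -> z0 if the leading coefficients survive
        assert phi0[-1] != 0 and f0[-1] != 0
        points.append((z0, resultant(phi0, f0)))
    coeffs = [Fraction(0)] * (bound + 1)      # Lagrange interpolation
    for i, (zi, yi) in enumerate(points):
        basis, denom = [Fraction(1)], Fraction(1)
        for j, (zj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [Fraction(-zj), Fraction(1)])
                denom *= zi - zj
        for k, b in enumerate(basis):
            coeffs[k] += yi * b / denom
    assert all(c.denominator == 1 for c in coeffs)
    return strip([int(c) for c in coeffs]), bound

def tnfs_norm(phi, f, h):
    """Res_z(Res_x(phi, f), h): the integer whose size the appendix bounds."""
    c, _ = resultant_x(phi, f)
    return resultant(c, h)

def hadamard_bound_sq(a, b):
    """Square of Hadamard's bound |Res(a,b)| <= ||a||_2^deg(b) * ||b||_2^deg(a),
    kept squared so the comparison stays in exact integers."""
    a, b = strip(a), strip(b)
    na, nb = sum(c * c for c in a), sum(c * c for c in b)
    return na ** (len(b) - 1) * nb ** (len(a) - 1)

# Constructed toy instance with eta = 2: h(z) = z^2 + 1 is irreducible in Z[z],
# and f, phi in R[x] have deg_z f = deg_z phi = eta - 1 = 1.
H = [1, 0, 1]              # z^2 + 1
F = [[1], [0, 1], [1]]     # x^2 + z*x + 1
PHI = [[2, 1], [1]]        # x + (2 + z)

if __name__ == "__main__":
    c, bound = resultant_x(PHI, F)
    print("Res_x(phi, f) =", c, "(z-degree bound", bound, ")")
    print("Res_z(c, h)   =", tnfs_norm(PHI, F, H))
```

Because \(\phi\) is monic and linear in x here, \(\mathrm{Res}_x(\phi,f)\) is just \(f\) evaluated at the root of \(\phi\), which gives \(c(z)=2z+5\); the final integer norm is 29, well inside the Hadamard bound, and the z-degree bound of 3 is not tight, which is exactly why the sharper bounds of [9] matter for the sizing arguments in the paper.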
© 2017 Springer International Publishing AG
Cite this paper
Menezes, A., Sarkar, P., Singh, S. (2017). Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-Based Cryptography. In: Phan, RW., Yung, M. (eds) Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology. Mycrypt 2016. Lecture Notes in Computer Science, vol 10311. Springer, Cham. https://doi.org/10.1007/978-3-319-61273-7_5
DOI: https://doi.org/10.1007/978-3-319-61273-7_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-61272-0
Online ISBN: 978-3-319-61273-7