Abstract
The security of pairing-based cryptography is based on the hardness of the discrete logarithm problem (DLP) over finite field GF(p n). For example, the security of the optimal Ate pairing using BN curves, which is one of the most efficient algorithms for computing paring, is based on the hardness of DLP over GF(p 12). Joux et al. proposed the number field sieve over GF(p n) as an extension of the number field sieve that can efficiently solve the DLP over prime field GF(p). Two implementations of the number field sieve over GF(p 3) and GF(p 6) have been proposed, but there is no report on that over GF(p 12) of extension degree 12. In the sieving step of the number field sieve over GF(p) we perform the sieving of two dimensions, but we have to deal with more than two dimensions in the case of number field sieves over GF(p 12). In this paper we construct a lattice sieve of more than two dimensions, and discuss its parameter sizes such as the dimension of sieving and the size of sieving region from some experiments of the multi-dimensional sieving. Using the parameters suitable for efficient implementation of the number field sieve, we have solved the DLP over GF(p 12) of 203 bits in about 43 hours using a PC of 16 CPU cores.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Aoki, K.: Sieving region, and relationship between numbers of required relations and factor bases on the number field sieve, Technical Report of IEICE, ISEC 104(53), 23–28 (2004) (in Japanese)
Aoki, K., Kida, Y., Ueda, H.: A trial of GNFS implementation (Part VI): lattice sieve, Technical Report of IEICE, ISEC 104(315), 9–14 (2004) (in Japanese)
Aoki, K., Ueda, H., Uchiyama, S.: Evaluation report on integer factoring problems. In: Investigation Reports on Cryptographic Techniques in FY 2003, no.0202-1 (2004) (in Japanese), http://www.cryptrec.go.jp/english/estimation.html
Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
Cohen, H.: A course in computational algebraic number theory. In: Graduate Texts in Math., vol. 138, Springer (1993)
Franke, J., Kleinjung, T.: Continued fractions and lattice sieve. In: Workshop Record of SHARCS (2005), http://www.ruhr-uni-bochum.de/itsc/tanja/SHARCS/talks/FrankeKleinjung.pdf
Joux, A., Lercier, R.: Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comp. 72, 953–967 (2003)
Joux, A., Lercier, R., Smart, N.P., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006)
Kleinjung, T., et al.: Discrete logarithms in GF(p) - 160 digits, email to the NMBRTHRY mailing list (2007), http://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind0702&L=nmbrthry&T=0&P=194
Kleinjung, T., Aoki, K., Franke, J., Lenstra, A.K., Thomé, E., Bos, J.W., Gaudry, P., Kruppa, A., Montgomery, P.L., Osvik, D.A., te Riele, H., Timofeev, A., Zimmermann, P.: Factorization of a 768-bit RSA modulus. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 333–350. Springer, Heidelberg (2010)
LaMacchia, B.A., Odlyzko, A.M.: Solving large sparse linear systems over finite fields. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 109–133. Springer, Heidelberg (1991)
Lanczos, C.: Solution of systems of linear equations by minimized iterations. J. Res. Nat. Bur. Stand. 49, 33–53 (1952)
Lenstra, A.K., Lenstra, H.W.: The Development of the Number Field Sieve. Lecture Notes in Math., vol. 1554. Springer (1993)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
Murphy, B.: Polynomial selection for the number field sieve integer factorisation algorithm, PhD thesis, The Australian National University (1999)
PARI/GP, version 2.5.3, Bordeaux (2012), http://pari.math.u-bordeaux.fr/
Pollard, J.M.: The lattice sieve. In: [13], pp. 43–49
Pomerance, C., Smith, J.: Reduction of huge, sparse matrices over finite fields via created catastrophes. Experiment. Math. 1, 89–94 (1992)
Schirokauer, O.: Discrete logarithms and local units. Philos. Trans. Roy. Soc. London Ser. A 345, 409–424 (1993)
Schirokauer, O.: Virtual logarithms. J. Algorithms 57, 140–147 (2005)
Vercauteren, F.: Optimal pairings. IEEE Transactions on Information Theory 56, 455–461 (2010)
Zajac, P.: Discrete logarithm problem in degree six finite fields, PhD thesis, Slovak University of Technology (2008), http://www.kaivt.elf.stuba.sk/kaivt/Vyskum/XTRDL
Zajac, P.: On the use of the lattice sieve in the 3D NFS. Tatra Mt. Math. Publ. 45, 161–172 (2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Hayasaka, K., Aoki, K., Kobayashi, T., Takagi, T. (2013). An Experiment of Number Field Sieve for Discrete Logarithm Problem over GF(p 12). In: Fischlin, M., Katzenbeisser, S. (eds) Number Theory and Cryptography. Lecture Notes in Computer Science, vol 8260. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-42001-6_8
Download citation
DOI: https://doi.org/10.1007/978-3-642-42001-6_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-42000-9
Online ISBN: 978-3-642-42001-6
eBook Packages: Computer ScienceComputer Science (R0)