204 research outputs found
Improving NFS for the Discrete Logarithm Problem in Non-prime Finite Fields
International audienceThe aim of this work is to investigate the hardness of the discrete logarithm problem in fields GF where is a small integer greater than 1. Though less studied than the small characteristic case or the prime field case, the difficulty of this problem is at the heart of security evaluations for torus-based and pairing-based cryptography. The best known method for solving this problem is the Number Field Sieve (NFS). A key ingredient in this algorithm is the ability to find good polynomials that define the extension fields used in NFS. We design two new methods for this task, modifying the asymptotic complexity and paving the way for record-breaking computations. We exemplify these results with the computation of discrete logarithms over a field GF whose cardinality is 180 digits (595 bits) long
Solving discrete logarithms on a 170-bit MNT curve by pairing reduction
Pairing based cryptography is in a dangerous position following the
breakthroughs on discrete logarithms computations in finite fields of small
characteristic. Remaining instances are built over finite fields of large
characteristic and their security relies on the fact that the embedding field
of the underlying curve is relatively large. How large is debatable. The aim of
our work is to sustain the claim that the combination of degree 3 embedding and
too small finite fields obviously does not provide enough security. As a
computational example, we solve the DLP on a 170-bit MNT curve, by exploiting
the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS
Security Analysis of Pairing-based Cryptography
Recent progress in number field sieve (NFS) has shaken the security of
Pairing-based Cryptography. For the discrete logarithm problem (DLP) in finite
field, we present the first systematic review of the NFS algorithms from three
perspectives: the degree , constant , and hidden constant in
the asymptotic complexity and indicate that further
research is required to optimize the hidden constant. Using the special
extended tower NFS algorithm, we conduct a thorough security evaluation for all
the existing standardized PF curves as well as several commonly utilized
curves, which reveals that the BN256 curves recommended by the SM9 and the
previous ISO/IEC standard exhibit only 99.92 bits of security, significantly
lower than the intended 128-bit level. In addition, we comprehensively analyze
the security and efficiency of BN, BLS, and KSS curves for different security
levels. Our analysis suggests that the BN curve exhibits superior efficiency
for security strength below approximately 105 bit. For a 128-bit security
level, BLS12 and BLS24 curves are the optimal choices, while the BLS24 curve
offers the best efficiency for security levels of 160bit, 192bit, and 256bit.Comment: 8 figures, 8 tables, 5121 word
Faster individual discrete logarithms in finite fields of composite extension degree
International audienceComputing discrete logarithms in finite fields is a main concern in cryptography. The best algorithms in large and medium characteristic fields (e.g., {GF}, {GF}) are the Number Field Sieve and its variants (special, high-degree, tower). The best algorithms in small characteristic finite fields (e.g., {GF}) are the Function Field Sieve, Joux's algorithm, and the quasipolynomial-time algorithm. The last step of this family of algorithms is the individual logarithm computation. It computes a smooth decomposition of a given target in two phases: an initial splitting, then a descent tree. While new improvements have been made to reduce the complexity of the dominating relation collection and linear algebra steps, resulting in a smaller factor basis (database of known logarithms of small elements), the last step remains at the same level of difficulty. Indeed, we have to find a smooth decomposition of a typically large element in the finite field. This work improves the initial splitting phase and applies to any nonprime finite field. It is very efficient when the extension degree is composite. It exploits the proper subfields, resulting in a much more smooth decomposition of the target. This leads to a new trade-off between the initial splitting step and the descent step in small characteristic. Moreover it reduces the width and the height of the subsequent descent tree
Discrete logarithm computations over finite fields using Reed-Solomon codes
Cheng and Wan have related the decoding of Reed-Solomon codes to the
computation of discrete logarithms over finite fields, with the aim of proving
the hardness of their decoding. In this work, we experiment with solving the
discrete logarithm over GF(q^h) using Reed-Solomon decoding. For fixed h and q
going to infinity, we introduce an algorithm (RSDL) needing O (h! q^2)
operations over GF(q), operating on a q x q matrix with (h+2) q non-zero
coefficients. We give faster variants including an incremental version and
another one that uses auxiliary finite fields that need not be subfields of
GF(q^h); this variant is very practical for moderate values of q and h. We
include some numerical results of our first implementations
Asymptotic complexities of discrete logarithm algorithms in pairing-relevant finite fields
International audienceWe study the discrete logarithm problem at the boundary case between small and medium characteristic finite fields, which is precisely the area where finite fields used in pairing-based cryptosystems live. In order to evaluate the security of pairing-based protocols, we thoroughly analyze the complexity of all the algorithms that coexist at this boundary case: the Quasi-Polynomial algorithms, the Number Field Sieve and its many variants, and the Function Field Sieve. We adapt the latter to the particular case where the extension degree is composite, and show how to lower the complexity by working in a shifted function field. All this study finally allows us to give precise values for the characteristic asymptotically achieving the highest security level for pairings. Surprisingly enough, there exist special characteristics that are as secure as general ones
Pairings in Cryptology: efficiency, security and applications
Abstract
The study of pairings can be considered in so many di�erent ways that it
may not be useless to state in a few words the plan which has been adopted,
and the chief objects at which it has aimed. This is not an attempt to write
the whole history of the pairings in cryptology, or to detail every discovery,
but rather a general presentation motivated by the two main requirements
in cryptology; e�ciency and security.
Starting from the basic underlying mathematics, pairing maps are con-
structed and a major security issue related to the question of the minimal
embedding �eld [12]1 is resolved. This is followed by an exposition on how
to compute e�ciently the �nal exponentiation occurring in the calculation
of a pairing [124]2 and a thorough survey on the security of the discrete log-
arithm problem from both theoretical and implementational perspectives.
These two crucial cryptologic requirements being ful�lled an identity based
encryption scheme taking advantage of pairings [24]3 is introduced. Then,
perceiving the need to hash identities to points on a pairing-friendly elliptic
curve in the more general context of identity based cryptography, a new
technique to efficiently solve this practical issue is exhibited.
Unveiling pairings in cryptology involves a good understanding of both
mathematical and cryptologic principles. Therefore, although �rst pre-
sented from an abstract mathematical viewpoint, pairings are then studied
from a more practical perspective, slowly drifting away toward cryptologic
applications
Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-based Cryptography
In the past two years there have been several advances in Number Field Sieve (NFS) algorithms for computing discrete logarithms in finite fields where is prime and is a small integer. This article presents a concise overview of these algorithms and discusses some of the challenges with assessing their impact on keylengths for pairing-based cryptosystems
- …