591 research outputs found
A construction of 3-dimensional lattice sieve for number field sieve over F_{p^n}
The security of pairing-based cryptography is based on the hardness of solving the discrete logarithm problem (DLP) over extension field F_{p^n} of characteristic p and degree n. Joux et al. proposed an asymptotically fastest algorithm for solving DLP over F_{p^n} (JLSV06-NFS) as the extension of the number field sieve over prime field F
_p (JL03-NFS). The lattice sieve is often used for a large-scaled experiment of solving DLP over F_p by the number field sieve. Franke and Kleinjung proposed a 2-dimensional lattice sieve which efficiently enumerates all the points in a given sieve region of the lattice. However, we have to consider a sieve region of more than 2 dimensions in the lattice sieve of JLSV06-NFS.
In this paper, we extend the Franke-Kleinjung method to 3-dimensional sieve region. We construct an appropriate basis using the Hermite normal form, which can enumerate the points in a given sieve region of the 3-dimensional lattice. From our experiment on F_{p^{12}} of 303 bits, we are able to enumerate more than 90\% of the points in a sieve region in the lattice generated by special-q. Moreover, we implement the number field sieve using the proposed 3-dimensional lattice sieve. Our implementation of the JLSV06 over F_{p^6} of 240 bits is about as efficient as that of the current record over F_{p^6} using 3-dimensional line sieve by Zajac
Solving discrete logarithms on a 170-bit MNT curve by pairing reduction
Pairing based cryptography is in a dangerous position following the
breakthroughs on discrete logarithms computations in finite fields of small
characteristic. Remaining instances are built over finite fields of large
characteristic and their security relies on the fact that the embedding field
of the underlying curve is relatively large. How large is debatable. The aim of
our work is to sustain the claim that the combination of degree 3 embedding and
too small finite fields obviously does not provide enough security. As a
computational example, we solve the DLP on a 170-bit MNT curve, by exploiting
the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS
Still Wrong Use of Pairings in Cryptography
Several pairing-based cryptographic protocols are recently proposed with a
wide variety of new novel applications including the ones in emerging
technologies like cloud computing, internet of things (IoT), e-health systems
and wearable technologies. There have been however a wide range of incorrect
use of these primitives. The paper of Galbraith, Paterson, and Smart (2006)
pointed out most of the issues related to the incorrect use of pairing-based
cryptography. However, we noticed that some recently proposed applications
still do not use these primitives correctly. This leads to unrealizable,
insecure or too inefficient designs of pairing-based protocols. We observed
that one reason is not being aware of the recent advancements on solving the
discrete logarithm problems in some groups. The main purpose of this article is
to give an understandable, informative, and the most up-to-date criteria for
the correct use of pairing-based cryptography. We thereby deliberately avoid
most of the technical details and rather give special emphasis on the
importance of the correct use of bilinear maps by realizing secure
cryptographic protocols. We list a collection of some recent papers having
wrong security assumptions or realizability/efficiency issues. Finally, we give
a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page
Breaking pairing-based cryptosystems using pairing over
There are many useful cryptographic schemes, such as ID-based encryption,
short signature, keyword searchable encryption, attribute-based encryption,
functional encryption, that use a bilinear pairing.
It is important to estimate the security of such pairing-based cryptosystems in cryptography.
The most essential number-theoretic problem in pairing-based cryptosystems is
the discrete logarithm problem (DLP)
because pairing-based cryptosystems are no longer secure once the underlining DLP is broken.
One efficient bilinear pairing is the pairing defined over a supersingular
elliptic curve on the finite field for a positive integer .
The embedding degree of the pairing is ;
thus, we can reduce the DLP over on to that over the finite field .
In this paper, for breaking the pairing over , we discuss
solving the DLP over by using the function field sieve (FFS),
which is the asymptotically fastest algorithm for solving a DLP
over finite fields of small characteristics.
We chose the extension degree because it has been intensively used in benchmarking
tests for the implementation of the pairing,
and the order (923-bit) of is substantially larger than
the previous world record (676-bit) of solving the DLP by using the FFS.
We implemented the FFS for the medium prime case (JL06-FFS),
and propose several improvements of the FFS,
for example, the lattice sieve for JL06-FFS and the filtering adjusted to the Galois action.
Finally, we succeeded in solving the DLP over .
The entire computational time of our improved FFS requires about 148.2 days using 252 CPU cores.
Our computational results contribute to the secure use of pairing-based cryptosystems with the pairing
Discrete logarithms in curves over finite fields
A survey on algorithms for computing discrete logarithms in Jacobians of
curves over finite fields
Resolution of Linear Algebra for the Discrete Logarithm Problem Using GPU and Multi-core Architectures
In cryptanalysis, solving the discrete logarithm problem (DLP) is key to
assessing the security of many public-key cryptosystems. The index-calculus
methods, that attack the DLP in multiplicative subgroups of finite fields,
require solving large sparse systems of linear equations modulo large primes.
This article deals with how we can run this computation on GPU- and
multi-core-based clusters, featuring InfiniBand networking. More specifically,
we present the sparse linear algebra algorithms that are proposed in the
literature, in particular the block Wiedemann algorithm. We discuss the
parallelization of the central matrix--vector product operation from both
algorithmic and practical points of view, and illustrate how our approach has
contributed to the recent record-sized DLP computation in GF().Comment: Euro-Par 2014 Parallel Processing, Aug 2014, Porto, Portugal.
\<http://europar2014.dcc.fc.up.pt/\>
- …