3,954 research outputs found
Solving discrete logarithms on a 170-bit MNT curve by pairing reduction
Pairing based cryptography is in a dangerous position following the
breakthroughs on discrete logarithm computations in finite fields of small
characteristic. Remaining instances are built over finite fields of large
characteristic and their security relies on the fact that the embedding field
of the underlying curve is relatively large. How large is debatable. The aim of
our work is to sustain the claim that the combination of degree 3 embedding and
too small finite fields obviously does not provide enough security. As a
computational example, we solve the DLP on a 170-bit MNT curve, by exploiting
the pairing embedding to a 508-bit, degree-3 extension of the base field.
Comment: to appear in the Lecture Notes in Computer Science (LNCS
Still Wrong Use of Pairings in Cryptography
Several pairing-based cryptographic protocols have recently been proposed with a
wide variety of new novel applications including the ones in emerging
technologies like cloud computing, internet of things (IoT), e-health systems
and wearable technologies. There has been, however, a wide range of incorrect
uses of these primitives. The paper of Galbraith, Paterson, and Smart (2006)
pointed out most of the issues related to the incorrect use of pairing-based
cryptography. However, we noticed that some recently proposed applications
still do not use these primitives correctly. This leads to unrealizable,
insecure or too inefficient designs of pairing-based protocols. We observed
that one reason is not being aware of the recent advancements on solving the
discrete logarithm problems in some groups. The main purpose of this article is
to give an understandable, informative, and the most up-to-date criteria for
the correct use of pairing-based cryptography. We thereby deliberately avoid
most of the technical details and rather give special emphasis on the
importance of the correct use of bilinear maps by realizing secure
cryptographic protocols. We list a collection of some recent papers having
wrong security assumptions or realizability/efficiency issues. Finally, we give
a compact and up-to-date recipe of the correct use of pairings.
Comment: 25 page
Computing discrete logarithms in subfields of residue class rings
Recent breakthrough methods \cite{gggz,joux,bgjt} on computing discrete
logarithms in small characteristic finite fields share an interesting feature
in common with the earlier medium prime function field sieve method \cite{jl}.
To solve discrete logarithms in a finite extension of a finite field $\F$, a
polynomial $h(x) \in \F[x]$ of a special form is constructed with an
irreducible factor $g(x) \in \F[x]$ of the desired degree. The special form of
is then exploited in generating multiplicative relations that hold in
the residue class ring $\F[x]/h(x)\F[x]$ hence also in the target residue class
field $\F[x]/g(x)\F[x]$. An interesting question in this context and addressed
in this paper is: when and how does a set of relations on the residue class
ring determine the discrete logarithms in the finite fields contained in it? We
give necessary and sufficient conditions for a set of relations on the residue
class ring to determine discrete logarithms in the finite fields contained in
it. We also present efficient algorithms to derive discrete logarithms from the
relations when the conditions are met. The derived necessary conditions allow
us to clearly identify structural obstructions intrinsic to the special
polynomial in each of the aforementioned methods, and propose
modifications to the selection of so as to avoid obstructions.
Comment: arXiv admin note: substantial text overlap with arXiv:1312.167
Discrete logarithms in curves over finite fields
A survey on algorithms for computing discrete logarithms in Jacobians of
curves over finite fields
Collision Times in Multicolor Urn Models and Sequential Graph Coloring With Applications to Discrete Logarithms
Consider an urn model where at each step one of colors is sampled
according to some probability distribution and a ball of that color is placed
in an urn. The distribution of assigning balls to urns may depend on the color
of the ball. Collisions occur when a ball is placed in an urn which already
contains a ball of different color. Equivalently, this can be viewed as
sequentially coloring a complete -partite graph wherein a collision
corresponds to the appearance of a monochromatic edge. Using a Poisson
embedding technique, the limiting distribution of the first collision time is
determined and the possible limits are explicitly described. Joint distribution
of successive collision times and multi-fold collision times are also derived.
The results can be used to obtain the limiting distributions of running times
in various birthday problem based algorithms for solving the discrete logarithm
problem, generalizing previous results which only consider expected running
times. Asymptotic distributions of the time of appearance of a monochromatic
edge are also obtained for other graphs.
Comment: Minor revision. 35 pages, 2 figures. To appear in Annals of Applied Probabilit