New Discrete Logarithm Computation for the Medium Prime Case Using the Function Field Sieve

International audienceThe present work reports progress in discrete logarithm computation for the general medium prime case using the function field sieve algorithm. A new record discrete logarithm computation over a 1051-bit field having a 22-bit characteristic was performed. This computation builds on and implements previously known techniques. Analysis indicates that the relation collection and descent steps are within reach for fields with 32-bit characteristic and moderate extension degrees. It is the linear algebra step which will dominate the computation time for any discrete logarithm computation over such fields

Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

Pairing based cryptography is in a dangerous position following the breakthroughs on discrete logarithms computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS

Discrete logarithm computations over finite fields using Reed-Solomon codes

Cheng and Wan have related the decoding of Reed-Solomon codes to the computation of discrete logarithms over finite fields, with the aim of proving the hardness of their decoding. In this work, we experiment with solving the discrete logarithm over GF(q^h) using Reed-Solomon decoding. For fixed h and q going to infinity, we introduce an algorithm (RSDL) needing O (h! q^2) operations over GF(q), operating on a q x q matrix with (h+2) q non-zero coefficients. We give faster variants including an incremental version and another one that uses auxiliary finite fields that need not be subfields of GF(q^h); this variant is very practical for moderate values of q and h. We include some numerical results of our first implementations

Computing discrete logarithms in subfields of residue class rings

Recent breakthrough methods \cite{gggz,joux,bgjt} on computing discrete logarithms in small characteristic finite fields share an interesting feature in common with the earlier medium prime function field sieve method \cite{jl}. To solve discrete logarithms in a finite extension of a finite field \F, a polynomial h(x) \in \F[x] of a special form is constructed with an irreducible factor g(x) \in \F[x] of the desired degree. The special form of $h(x)$ is then exploited in generating multiplicative relations that hold in the residue class ring \F[x]/h(x)\F[x] hence also in the target residue class field \F[x]/g(x)\F[x]. An interesting question in this context and addressed in this paper is: when and how does a set of relations on the residue class ring determine the discrete logarithms in the finite fields contained in it? We give necessary and sufficient conditions for a set of relations on the residue class ring to determine discrete logarithms in the finite fields contained in it. We also present efficient algorithms to derive discrete logarithms from the relations when the conditions are met. The derived necessary conditions allow us to clearly identify structural obstructions intrinsic to the special polynomial $h(x)$ in each of the aforementioned methods, and propose modifications to the selection of $h(x)$ so as to avoid obstructions.Comment: arXiv admin note: substantial text overlap with arXiv:1312.167

Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page