Tower Number Field Sieve Variant of a Recent Polynomial Selection Method
At Asiacrypt 2015, Barbulescu et al. performed a thorough analysis of the tower number field sieve (TNFS) variant of the number
field sieve algorithm. More recently, Kim and Barbulescu combined the TNFS variant with several polynomial selection methods
including the Generalised Joux-Lercier method and the Conjugation method proposed by Barbulescu et al. at Eurocrypt 2015.
Sarkar and Singh (Eurocrypt 2016) proposed
a polynomial selection method which subsumes both the GJL and the Conjugation methods. This study was done in the context of
the NFS and the multiple NFS (MNFS). The purpose of the present note is to show that the polynomial selection method of Sarkar
and Singh subsumes the GJL and the Conjugation methods also in the context of the TNFS and the multiple TNFS variants. This was not
clear from the recent work by Kim and Barbulescu. Applying the new polynomial selection method to the TNFS variants results in
new asymptotic complexities for certain ranges of primes.
Solving discrete logarithms on a 170-bit MNT curve by pairing reduction
Pairing based cryptography is in a dangerous position following the
breakthroughs on discrete logarithms computations in finite fields of small
characteristic. Remaining instances are built over finite fields of large
characteristic and their security relies on the fact that the embedding field
of the underlying curve is relatively large. How large is debatable. The aim of
our work is to sustain the claim that the combination of degree 3 embedding and
too small finite fields obviously does not provide enough security. As a
computational example, we solve the DLP on a 170-bit MNT curve, by exploiting
the pairing embedding to a 508-bit, degree-3 extension of the base field.
Comment: to appear in the Lecture Notes in Computer Science (LNCS
Security Analysis of Pairing-based Cryptography
Recent progress in the number field sieve (NFS) has shaken the security of
pairing-based cryptography. For the discrete logarithm problem (DLP) in finite
fields, we present the first systematic review of the NFS algorithms from three
perspectives: the degree , constant , and hidden constant in
the asymptotic complexity, and we indicate that further
research is required to optimize the hidden constant. Using the special
extended tower NFS algorithm, we conduct a thorough security evaluation for all
the existing standardized PF curves as well as several commonly utilized
curves, which reveals that the BN256 curves recommended by the SM9 and the
previous ISO/IEC standard exhibit only 99.92 bits of security, significantly
lower than the intended 128-bit level. In addition, we comprehensively analyze
the security and efficiency of BN, BLS, and KSS curves for different security
levels. Our analysis suggests that the BN curve exhibits superior efficiency
for security strengths below approximately 105 bits. For a 128-bit security
level, BLS12 and BLS24 curves are the optimal choices, while the BLS24 curve
offers the best efficiency for security levels of 160, 192, and 256 bits.
Comment: 8 figures, 8 tables, 5121 words
Still Wrong Use of Pairings in Cryptography
Several pairing-based cryptographic protocols have recently been proposed with a
wide variety of novel applications, including ones in emerging
technologies like cloud computing, the internet of things (IoT), e-health systems
and wearable technologies. There has, however, been a wide range of incorrect
uses of these primitives. The paper of Galbraith, Paterson, and Smart (2006)
pointed out most of the issues related to the incorrect use of pairing-based
cryptography. However, we noticed that some recently proposed applications
still do not use these primitives correctly. This leads to unrealizable,
insecure or too inefficient designs of pairing-based protocols. We observed
that one reason is a lack of awareness of the recent advances in solving the
discrete logarithm problem in some groups. The main purpose of this article is
to give understandable, informative, and up-to-date criteria for
the correct use of pairing-based cryptography. We thereby deliberately avoid
most of the technical details and rather place special emphasis on the
importance of the correct use of bilinear maps in realizing secure
cryptographic protocols. We list a collection of recent papers having
wrong security assumptions or realizability/efficiency issues. Finally, we give
a compact and up-to-date recipe for the correct use of pairings.
Comment: 25 pages
An Implementation of the Extended Tower Number Field Sieve using 4d Sieving in a Box and a Record Computation in Fp4
We report on an implementation of the Extended Tower Number Field Sieve
(ExTNFS) and a record computation in a medium-characteristic finite field Fp4 of
512-bit size. We show that sieving in a box (orthotope) for collecting
relations for ExTNFS is still fast in 4 dimensions.
A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm
In a recent work, Kim and Barbulescu extended the tower number field sieve algorithm to obtain improved asymptotic complexities in
the medium prime case for the discrete logarithm problem on where is not a prime power. Their method does not work
when is a composite prime power. For this case, we obtain new asymptotic complexities, e.g., (resp.
for the multiple number field variation) when is composite and a power of 2; the previously best known complexity for this
case is (resp. ). These complexities may have consequences for the selection of key sizes for
pairing-based cryptography. The new complexities are achieved through a general polynomial selection method.
This method, which we call Algorithm-, extends a previous polynomial selection method proposed at Eurocrypt 2016 to the
tower number field case. As special cases, it is possible to obtain the generalised Joux-Lercier and the Conjugation methods of
polynomial selection proposed at Eurocrypt 2015 and the extension of these methods to the tower number field scenario by Kim and Barbulescu.
A thorough analysis of the new algorithm is carried out in both concrete and asymptotic terms.
Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree
We propose a generalization of the exTNFS algorithm recently introduced by Kim and Barbulescu (CRYPTO 2016). The algorithm, exTNFS, is a state-of-the-art algorithm for discrete logarithms in in the medium prime case, but it only applies when is a composite with nontrivial factors and such that . Our generalization, however, shows that the exTNFS algorithm can also be adapted to the setting with an arbitrary composite while maintaining its best asymptotic complexity. We show that one can solve discrete logarithms in the medium case in a running time of (resp. if multiple number fields are used), where is an arbitrary composite. This should be compared with a recent variant by Sarkar and Singh (Asiacrypt 2016) that has the fastest running time of (resp. ) when is a power of the prime 2. When is of special form, the complexity is further reduced to . On the practical side, we emphasize that the key size of pairing-based cryptosystems should be updated following our algorithm if the embedding degree remains composite.
Asymptotic complexities of discrete logarithm algorithms in pairing-relevant finite fields
We study the discrete logarithm problem at the boundary case between small and medium characteristic finite fields, which is precisely the area where finite fields used in pairing-based cryptosystems live. In order to evaluate the security of pairing-based protocols, we thoroughly analyze the complexity of all the algorithms that coexist at this boundary case: the Quasi-Polynomial algorithms, the Number Field Sieve and its many variants, and the Function Field Sieve. We adapt the latter to the particular case where the extension degree is composite, and show how to lower the complexity by working in a shifted function field. All this study finally allows us to give precise values for the characteristic asymptotically achieving the highest security level for pairings. Surprisingly enough, there exist special characteristics that are as secure as general ones.
A Generalisation of the Conjugation Method for Polynomial Selection for the Extended Tower Number Field Sieve Algorithm
In a recent work, Kim and Barbulescu showed how to combine previous polynomial selection methods with the extended tower
number field sieve algorithm to obtain improved complexity for the discrete logarithm problem on finite fields
for the medium prime case and where is composite and not a prime-power. A follow up work by Sarkar and Singh presented a
general polynomial selection method and showed how to lower the complexity in the medium prime case even when is composite
and a prime-power. This complexity, though, was higher than what was reported for the case of composite and not a prime-power.
By suitably combining the Conjugation method of polynomial selection proposed earlier by Barbulescu et al. with the extended tower
number field sieve algorithm, Jeong and Kim showed that the same asymptotic complexity is achieved for any composite .
The present work generalises the polynomial selection method of Jeong and Kim for all composite . Though the best complexity that can
be achieved is not lowered, there is a significant range of finite fields for which the new algorithm achieves a complexity
lower than that of all previously proposed methods.
Faster individual discrete logarithms in finite fields of composite extension degree
Computing discrete logarithms in finite fields is a main concern in cryptography. The best algorithms in large and medium characteristic fields (e.g., GF, GF) are the Number Field Sieve and its variants (special, high-degree, tower). The best algorithms in small characteristic finite fields (e.g., GF) are the Function Field Sieve, Joux's algorithm, and the quasipolynomial-time algorithm. The last step of this family of algorithms is the individual logarithm computation. It computes a smooth decomposition of a given target in two phases: an initial splitting, then a descent tree. While new improvements have been made to reduce the complexity of the dominating relation collection and linear algebra steps, resulting in a smaller factor basis (database of known logarithms of small elements), the last step remains at the same level of difficulty. Indeed, we have to find a smooth decomposition of a typically large element in the finite field. This work improves the initial splitting phase and applies to any nonprime finite field. It is very efficient when the extension degree is composite. It exploits the proper subfields, resulting in a much smoother decomposition of the target. This leads to a new trade-off between the initial splitting step and the descent step in small characteristic. Moreover, it reduces the width and the height of the subsequent descent tree.