Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

A Commeine; A Guillevic; A Joux; A Joux; A Joux; A Menezes; A Miyaji; D Boneh; D Boneh; D Coppersmith; D Freeman; D Freeman; F Brezing; G Frey; IF Blake; J Beuchat; K Foster; LM Adleman; O Schirokauer; O Schirokauer; P Sarkar; P Sarkar; PSLM Barreto; R Barbulescu; R Barbulescu; R Barbulescu; R Dupont; R Granger; RM Elkenbracht-Huizing; SD Galbraith; T Hayashi; T Kim; Y Bistritz; Y Sakemi

research

Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

Authors: A Commeine
A Guillevic
A Joux
A Joux
A Joux
A Menezes
A Miyaji
D Boneh
D Boneh
D Coppersmith
D Freeman
D Freeman
F Brezing
G Frey
IF Blake
J Beuchat
K Foster
LM Adleman
O Schirokauer
O Schirokauer
P Sarkar
P Sarkar
PSLM Barreto
R Barbulescu
R Barbulescu
R Barbulescu
R Dupont
R Granger
RM Elkenbracht-Huizing
SD Galbraith
T Hayashi
T Kim
Y Bistritz
Y Sakemi
Publication date: 23 May 2016
Publisher
Doi

Abstract

Pairing based cryptography is in a dangerous position following the breakthroughs on discrete logarithms computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS