Breaking '128-bit Secure' Supersingular Binary Curves (or how to solve discrete logarithms in \({\mathbb F}_{2^{4\cdot 1223}}\) and \({\mathbb F}_{2^{12\cdot 367}}\))

In late 2012 and early 2013 the discrete logarithm problem (DLP) in finite fields of small characteristic underwent a dramatic series of breakthroughs, culminating in a heuristic quasi-polynomial time algorithm due to Barbulescu, Gaudry, Joux and Thomé. Using these developments, Adj, Menezes, Oliveira and Rodríguez-Henríquez analysed the concrete security of the DLP as it arises from pairings on (the Jacobians of) various genus one and two supersingular curves in the literature, which were originally thought to be 128-bit secure. In particular, they suggested that the new algorithms have no impact on the security of a genus one curve over \({\mathbb F}_{2^{1223}}\), and reduce the security of a genus two curve over \({\mathbb F}_{2^{367}}\) to 94.6 bits. In this paper we propose a new field representation and efficient general descent principles which together make the new techniques far more practical. Indeed, at the '128-bit security level' our analysis shows that the aforementioned genus one curve has approximately 59 bits of security, and we report a total break of the genus two curve.
