Updating Key Size Estimations for Pairings

Recent progress on the number field sieve (NFS) calls for a new estimation of the security of pairings. In this work we study the best attacks against some of the most popular pairings and propose new key sizes, using an analysis that is more precise than the one in a recent article by Menezes, Sarkar and Singh. We also select pairing-friendly curves for standard security levels.
