Weakness of $\mathbb{F}_{3^{6 \cdot 509}}$ for Discrete Logarithm Cryptography

In 2013, Joux, and then Barbulescu, Gaudry, Joux and Thomé, presented new algorithms for computing discrete logarithms in finite fields of small and medium characteristic. We show that these new algorithms render the finite field ${\mathbb{F}}_{3^{6 \cdot 509}} = {\mathbb{F}}_{3^{3054}}$ weak for discrete logarithm cryptography, in the sense that discrete logarithms in this field can be computed significantly faster than with the previously fastest algorithms. Our concrete analysis shows that the supersingular elliptic curve over ${\mathbb{F}}_{3^{509}}$ with embedding degree 6, which had been considered for implementing pairing-based cryptosystems at the 128-bit security level, in fact provides a significantly lower level of security. Our work provides a convenient framework and tools for performing a concrete analysis of the new discrete logarithm algorithms and their variants.
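The abstract's link between the curve and the field is the embedding degree: a pairing maps the discrete logarithm problem in a prime-order subgroup of the curve over ${\mathbb{F}}_{3^{509}}$ into the multiplicative group of ${\mathbb{F}}_{3^{6 \cdot 509}}$, so a faster field DLP directly lowers the curve's security. The following Python is an added example written for this page, not code from the paper. It assumes the standard supersingular family $y^2 = x^3 - x + b$, $b = \pm 1$, over ${\mathbb{F}}_{3^m}$ with $m$ odd, whose group orders are $3^m + 1 \pm 3^{(m+1)/2}$ (which sign goes with which $b$ depends on $m \bmod 12$ and is not needed here). It computes the embedding degree from scratch and the bit length of the target field.

```python
import math


def supersingular_char3_orders(m):
    """Both group orders of y^2 = x^3 - x + b, b = +-1, over F_{3^m}, m odd.

    These curves are supersingular with trace t = +-3^((m+1)/2), so
    #E(F_{3^m}) = 3^m + 1 - t.  Assumption of this example, not taken from
    the paper: which sign belongs to b = +1 and which to b = -1 is
    irrelevant for the embedding degree, so both orders are returned.
    """
    if m % 2 != 1:
        raise ValueError("m must be odd for this family")
    q = 3 ** m
    t = 3 ** ((m + 1) // 2)
    return (q + 1 + t, q + 1 - t)


def embedding_degree(q, n, max_k=64):
    """Smallest k >= 1 with n | q^k - 1.

    For a subgroup of order n on a curve over F_q this is the degree k of the
    extension F_{q^k} into which the Weil/Tate pairing maps the subgroup, and
    hence the field in which an attacker solves the DLP after the
    MOV/Frey-Rueck reduction.  Uses modular exponentiation, so it is cheap
    even for the 800-bit group orders of the m = 509 curve.
    """
    if n <= 1:
        raise ValueError("n must exceed 1")
    for k in range(1, max_k + 1):
        if pow(q, k, n) == 1:
            return k
    return None  # no embedding degree up to max_k


def has_q_cubed_minus_one(q, n):
    """Check q^3 == -1 (mod n): the algebraic reason the embedding degree is 6.

    With n = q + 1 - t and t^2 = 3q one gets q^3 == -1 (mod n), so
    q^6 == 1 (mod n) and k | 6 while k does not divide 3.  n is odd and
    not divisible by 3, so no prime factor r of n has q == -1 (mod r) either,
    which rules out k = 2; every prime-order subgroup therefore has k = 6.
    """
    return pow(q, 3, n) == n - 1


def target_field_bits(m, k):
    """Extension degree and bit length of F_{3^{k*m}}, the pairing's codomain."""
    degree = k * m
    return degree, (3 ** degree).bit_length()


def analyse_curve(m):
    """Embedding degree and target field size for both orders over F_{3^m}."""
    q = 3 ** m
    results = []
    for n in supersingular_char3_orders(m):
        k = embedding_degree(q, n)
        degree, bits = target_field_bits(m, k)
        results.append({
            "group_order_bits": n.bit_length(),
            "embedding_degree": k,
            "target_field_degree": degree,
            "target_field_bits": bits,
            "q_cubed_is_minus_one": has_q_cubed_minus_one(q, n),
        })
    return results


if __name__ == "__main__":
    for r in analyse_curve(509):
        print(r)
    # The curve of the abstract: embedding degree 6, target field F_{3^3054},
    # which is 4841 bits, i.e. 3054 * log2(3) rounded up.
    print(round(3054 * math.log2(3), 1))
```

Because the embedding degree is 6 for every prime-order subgroup of these curves, the weakness of ${\mathbb{F}}_{3^{3054}}$ that the paper establishes applies to any pairing-based protocol built on the curve over ${\mathbb{F}}_{3^{509}}$, independent of which subgroup the protocol uses.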
