Solving a 676-Bit Discrete Logarithm Problem in GF(3^{6n}) [chapter]

Takuya Hayashi, Naoyuki Shinohara, Lihua Wang, Shin'ichiro Matsuo, Masaaki Shirase, Tsuyoshi Takagi
2010 Lecture Notes in Computer Science  
Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The η_T pairing on supersingular curves over GF(3^n) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone (MOV) attack, the discrete logarithm problem (DLP) in GF(3^{6n}) becomes a concern for the security of cryptosystems using η_T pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06-FFS. We have, however, not yet found any practical implementations on JL06-FFS over GF(3^{6n}). Therefore, we first fulfill such an implementation and we successfully set a new record for solving the DLP in GF(3^{6n}), the DLP in GF(3^{6·71}) of 676-bit size. In addition, we also compare JL06-FFS and an earlier version, named JL02-FFS, with practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.

Key words: function field sieve, discrete logarithm problem, pairing-based cryptosystems

Introduction

Based on pairings, many novel cryptographic protocols have been successively constructed, such as identity-based encryptions [8], forward-secure cryptosystems, proxy cryptosystems, keyword searchable PKEs [7]. As a result, two requirements arose: efficient pairing computation and security parameter selection. The η_T pairing [5] on supersingular curves over GF(3^n) has been efficiently implemented both in software and hardware [6, 13, 14].¹ Along with the increase

⋆ This work was done when authors belonged to Future University Hakodate.
¹ Here, n is a prime number such as n = 97, 163 and 193 [25].
doi:10.1007/978-3-642-13013-7_21 fatcat:lxybufswe5hnfbayukaxndjl7i