Solving Discrete Logarithms on a 170-Bit MNT Curve by Pairing Reduction
Lecture Notes in Computer Science
Pairing-based cryptography is in a dangerous position following the breakthroughs on discrete logarithm computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic, and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not ... e enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field.

problems such as the discrete logarithm with auxiliary inputs are much easier to handle, as shown by  . Attacking pairings via the embedding field is a strategy known as the Menezes-Okamoto-Vanstone or Frey-Rück attack, depending on which pairing is considered. Successful cryptanalyses that follow this strategy have been described in small characteristic. In  , for a supersingular curve over $\mathbb{F}_{3^{97}}$, the small characteristic allowed the use of the Function Field Sieve algorithm, and the composite extension degree was also a very useful property. More recently, following recent breakthroughs for discrete logarithm computation in small characteristic finite fields [6,26], a successful attack has been reported on a supersingular curve over $\mathbb{F}_{2^{1223}}$, with degree-4 embedding. The outcome of these more recent works is that curves in small characteristic are now definitively avoided for pairing-based cryptography.

As far as we know, there is no major record computation of discrete logarithms over pairing-friendly curves in large characteristic using a pairing reduction in the finite field. The pairing-friendly curves used in practice have a large embedding field of more than 1024 bits, where computing a discrete logarithm is still very challenging. A few curves in large characteristic have comparatively small embedding fields, and were identified as weak in this regard, although no practical computation to date demonstrated the criticality of this weakness. This includes the so-called MNT curves defined by Miyaji-Nakabayashi-Takano, e.g. [40, Example 1], an elliptic curve defined over a 170-bit prime $p$, with a 508-bit embedding field $\mathbb{F}_{p^3}$.
Despite the academic agreement on the fact that the pairing embedding fields for 170-bit MNT curves in general, and the one just mentioned in particular, are too small for cryptographic use, recent work like  has shown how cryptography relying on overly optimistic hardness assumptions can linger almost indefinitely in the wild. Demonstrating a practical break is key to really phasing out such outdated cryptographic choices. As far as we know, an MNT curve of low embedding degree 3 was never used in pairing-based cryptography, but was never attacked by a pairing reduction either. In this article, we present our attack over the weak MNT curve [40, Example 1], with $p$ of 170 bits and $n = 3$. We report a discrete logarithm computation in the group of points of this curve by a pairing reduction, using only a moderate amount of computing power.
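The embedding-field condition behind the Menezes-Okamoto-Vanstone / Frey-Rück strategy discussed above can be checked directly from a curve's parameters. The following is an added example, not code from the paper: the function names and the toy MNT-family parameters are assumptions, and the 1024-bit default is only the figure quoted in the text, not a recommendation.

```python
# Added example (not from the paper): the embedding-degree condition behind
# the MOV / Frey-Rueck reduction, written as a parameter check.
# Function names and the toy parameters are assumptions of this example.

# NIST P-256 field prime and group order, as a non-pairing-friendly contrast.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def embedding_degree(p, r, max_k=100):
    """Smallest k >= 1 with r | p^k - 1, or None if there is none up to max_k."""
    acc = 1
    for k in range(1, max_k + 1):
        acc = acc * p % r
        if acc == 1:
            return k
    return None  # k > max_k, or r divides p and no k exists


def audit(p, r, min_field_bits=1024, max_k=100):
    """Return k, the bit size of the embedding field F_{p^k}, and a weak flag."""
    k = embedding_degree(p, r, max_k)
    if k is None:
        return {"k": None, "field_bits": None, "weak": False}
    bits = (p ** k).bit_length()
    return {"k": k, "field_bits": bits, "weak": bits < min_field_bits}


def mnt3_toy(x):
    """Constructed toy sizes from the MNT k = 3 family:
    p = 12x^2 - 1, trace t = 6x - 1, group order p + 1 - t = 12x^2 - 6x + 1."""
    p = 12 * x * x - 1
    return p, p + 1 - (6 * x - 1)


if __name__ == "__main__":
    for x in (1, 2):                       # (p, r) = (11, 7) and (47, 37)
        p, r = mnt3_toy(x)
        print(p, r, audit(p, r))           # k = 3 in both cases
    print("P-256", audit(P256_P, P256_N))  # no k <= 100
```

With k = 3 the embedding field is only about three times the bit length of p, which is why a 170-bit prime yields an embedding field of roughly 508 bits.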