Chapter

Public Key Cryptography – PKC 2010

Volume 6056 of the series Lecture Notes in Computer Science pp 351-367

Solving a 676-Bit Discrete Logarithm Problem in GF(36n )

  • Takuya HayashiAffiliated withGraduate School of Mathematics, Kyushu University
  • , Naoyuki ShinoharaAffiliated withInformation Security Research Center, National Institute of Information and Communications Technology
  • , Lihua WangAffiliated withInformation Security Research Center, National Institute of Information and Communications Technology
  • , Shin’ichiro MatsuoAffiliated withInformation Security Research Center, National Institute of Information and Communications Technology
  • , Masaaki ShiraseAffiliated withSchool of Systems Information Science, Future University Hakodate
  • , Tsuyoshi TakagiAffiliated withGraduate School of Mathematics, Kyushu University

Abstract

Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The η T pairing on supersingular curves over GF(3 n ) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone (MOV) attack, the discrete logarithm problem (DLP) in GF(36n ) becomes a concern for the security of cryptosystems using η T pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06-FFS. We have, however, not yet found any practical implementations on JL06-FFS over GF(36n ). Therefore, we first fulfill such an implementation and we successfully set a new record for solving the DLP in GF(36n ), the DLP in GF(36·71) of 676-bit size. In addition, we also compare JL06-FFS and an earlier version, named JL02-FFS, with practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.

Keywords

function field sieve discrete logarithm problem pairing-based cryptosystems