Advertisement

Asymptotic Complexities of Discrete Logarithm Algorithms in Pairing-Relevant Finite Fields

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12171)

Abstract

We study the discrete logarithm problem at the boundary case between small and medium characteristic finite fields, which is precisely the area where finite fields used in pairing-based cryptosystems live. In order to evaluate the security of pairing-based protocols, we thoroughly analyze the complexity of all the algorithms that coexist at this boundary case: the Quasi-Polynomial algorithms, the Number Field Sieve and its many variants, and the Function Field Sieve. We adapt the latter to the particular case where the extension degree is composite, and show how to lower the complexity by working in a shifted function field. All this study finally allows us to give precise values for the characteristic asymptotically achieving the highest security level for pairings. Surprisingly enough, there exist special characteristics that are as secure as general ones.

References

  1. 1.
    Adleman, L.M.: The function field sieve. In: Adleman, L.M., Huang, M.-D. (eds.) ANTS 1994. LNCS, vol. 877, pp. 108–121. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-58691-1_48CrossRefGoogle Scholar
  2. 2.
    Arute, F., Arya, K., Babbush, R., et al.: Quantum supremacy using a programmable superconducting processor. Nature 574, 505–510 (2019)CrossRefGoogle Scholar
  3. 3.
    Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: Improving NFS for the discrete logarithm problem in non-prime finite fields. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 129–155. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_6CrossRefzbMATHGoogle Scholar
  4. 4.
    Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_1CrossRefzbMATHGoogle Scholar
  5. 5.
    Barbulescu, R., Gaudry, P., Kleinjung, T.: The tower number field sieve. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 31–55. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48800-3_2CrossRefGoogle Scholar
  6. 6.
    Barbulescu, R., Pierrot, C.: The multiple number field sieve for medium and high characteristic finite fields. LMS J. Comput. Math. 17, 230–246 (2014)MathSciNetCrossRefGoogle Scholar
  7. 7.
    Bistritz, Y., Lifshitz, A.: Bounds for resultants of univariate and bivariate polynomials. Linear Algebra Appl. 432, 1995–2005 (2010)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44647-8_13CrossRefGoogle Scholar
  9. 9.
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-45682-1_30CrossRefGoogle Scholar
  10. 10.
    Canfield, E.R., Erdős, P., Pomerance, C.: On a problem of Oppenheim concerning “factorisatio numerorum”. J. Number Theory 17, 1–28 (1983)MathSciNetCrossRefGoogle Scholar
  11. 11.
    Choon, J.C., Hee Cheon, J.: An identity-based signature from gap Diffie-Hellman groups. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 18–30. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36288-6_2CrossRefGoogle Scholar
  12. 12.
    Coppersmith, D.: Fast evaluation of logarithms in fields of characteristic two. IEEE Trans. Inf. Theory 30, 587–594 (1984)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Coppersmith, D.: Modifications to the number field sieve. J. Cryptol. 6(3), 169–180 (1993).  https://doi.org/10.1007/BF00198464MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Coppersmith, D.: Solving homogeneous linear equations over \({GF(2)}\) via block Wiedemann algorithm. Math. Comput. 62, 333–350 (1994)MathSciNetzbMATHGoogle Scholar
  15. 15.
    De Micheli, G., Gaudry, P., Pierrot, C.: Asymptotic complexities of discrete logarithm algorithms in pairing-relevant finite fields. Cryptology ePrint Archive, Report 2020/329 (2020). https://eprint.iacr.org/2020/329
  16. 16.
    Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 202–231. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56620-7_8CrossRefGoogle Scholar
  17. 17.
    Gordon, D.: Discrete logarithms in \({GF(P)}\) using the number field sieve. SIAM J. Discrete Math. 6, 124–138 (1993).  https://doi.org/10.1137/0406010MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Granger, R., Kleinjung, T., Zumbrägel, J.: Breaking ‘128-bit secure’ supersingular binary curves - (or how to solve discrete logarithms in \(\mathbb{F}_{2^{4 \cdot 1223}}\) and \(\mathbb{F}_{2^{12 \cdot 367}}\)). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 126–145. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44381-1_8CrossRefzbMATHGoogle Scholar
  19. 19.
    Granger, R., Kleinjung, T., Zumbrägel, J.: Indiscreet logarithms in finite fields of small characteristic. Adv. Math. Commun. 12, 263–286 (2018)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Guillevic, A.: A short-list of pairing-friendly curves resistant to special TNFS at the 128-bit security level. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part II. LNCS, vol. 12111, pp. 535–564. Springer, Cham (2020).  https://doi.org/10.1007/978-3-030-45388-6_19CrossRefGoogle Scholar
  21. 21.
    Joux, A.: Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 177–193. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38348-9_11CrossRefGoogle Scholar
  22. 22.
    Joux, A.: A new index calculus algorithm with complexity \(L(1/4+o(1))\) in small characteristic. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 355–379. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43414-7_18CrossRefGoogle Scholar
  23. 23.
    Joux, A., Lercier, R.: Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comput. 72, 953–967 (2003)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Joux, A., Lercier, R.: The function field sieve in the medium prime case. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 254–270. Springer, Heidelberg (2006).  https://doi.org/10.1007/11761679_16CrossRefzbMATHGoogle Scholar
  25. 25.
    Joux, A., Lercier, R., Smart, N., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006).  https://doi.org/10.1007/11818175_19CrossRefzbMATHGoogle Scholar
  26. 26.
    Joux, A., Pierrot, C.: Improving the polynomial time precomputation of Frobenius representation discrete logarithm algorithms - simplified setting for small characteristic finite fields. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 378–397. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45611-8_20CrossRefGoogle Scholar
  27. 27.
    Joux, A., Pierrot, C.: The special number field sieve in \(\mathbb{F}_{p^{n}}\) - application to pairing-friendly constructions. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 45–61. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-04873-4_3CrossRefzbMATHGoogle Scholar
  28. 28.
    Joux, A., Pierrot, C.: Algorithmic aspects of elliptic bases in finite field discrete logarithm algorithms. Cryptology ePrint Archive, Report 2019/782 (2019). https://eprint.iacr.org/2019/782
  29. 29.
    Kalkbrener, M.: An upper bound on the number of monomials in determinants of sparse matrices with symbolic entries. Mathematica Pannonica 8, 73–82 (1997)MathSciNetzbMATHGoogle Scholar
  30. 30.
    Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53018-4_20CrossRefGoogle Scholar
  31. 31.
    Kim, T., Jeong, J.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. In: Fehr, S. (ed.) PKC 2017, Part I. LNCS, vol. 10174, pp. 388–408. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54365-8_16CrossRefGoogle Scholar
  32. 32.
    Kleinjung, T., Wesolowski, B.: Discrete logarithms in quasi-polynomial time in finite fields of fixed characteristic. Cryptology ePrint Archive, Report 2019/751 (2019). https://eprint.iacr.org/2019/751
  33. 33.
    Matyukhin, D.V.: On asymptotic complexity of computing discrete logarithms over \({GF}(p)\). Discrete Math. Appl. 13, 27–50 (2003)MathSciNetCrossRefGoogle Scholar
  34. 34.
    Panario, D., Gourdon, X., Flajolet, P.: An analytic approach to smooth polynomials over finite fields. In: Buhler, J.P. (ed.) ANTS 1998, III. LNCS, vol. 1423, pp. 226–236. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0054865CrossRefGoogle Scholar
  35. 35.
    Sarkar, P., Singh, S.: Fine tuning the function field sieve algorithm for the medium prime case. IEEE Trans. Inf. Theory 62, 2233–2253 (2016)MathSciNetCrossRefGoogle Scholar
  36. 36.
    Sarkar, P., Singh, S.: A general polynomial selection method and new asymptotic complexities for the tower number field sieve algorithm. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 37–62. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_2CrossRefGoogle Scholar
  37. 37.
    Sarkar, P., Singh, S.: New complexity trade-offs for the (multiple) number field sieve algorithm in non-prime fields. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 429–458. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49890-3_17CrossRefGoogle Scholar
  38. 38.
    Sarkar, P., Singh, S.: A unified polynomial selection method for the (tower) number field sieve algorithm. Adv. Math. Commun. 13, 435–455 (2019)MathSciNetCrossRefGoogle Scholar
  39. 39.
    Schirokauer, O.: Virtual logarithms. J. Algorithms 57, 140–147 (2005)MathSciNetCrossRefGoogle Scholar
  40. 40.
    Schirokauer, O.: Using number fields to compute logarithms in finite fields. Math. Comput. 69, 1267–1283 (2000)MathSciNetCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2020

Authors and Affiliations

  1. 1.Université de Lorraine, CNRS, Inria, LORIANancyFrance

Personalised recommendations