Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-Based Cryptography

  • Alfred Menezes
  • Palash Sarkar
  • Shashank Singh
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10311)


In the past two years there have been several advances in Number Field Sieve (NFS) algorithms for computing discrete logarithms in finite fields \({\mathbb F}_{p^n}\) where p is prime and \(n > 1\) is a small integer. This article presents a concise overview of these algorithms and discusses some of the challenges with assessing their impact on keylengths for pairing-based cryptosystems.



We thank the referees for their comments which helped improve the presentation of the paper.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Canada
  2. Applied Statistics Unit, Indian Statistical Institute, Kolkata, India
  3. Inria, Nancy, France
