Solving Discrete Logarithms on a 170-Bit MNT Curve by Pairing Reduction

  • Aurore Guillevic
  • François Morain
  • Emmanuel Thomé
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10532)


Pairing-based cryptography is in a dangerous position following the breakthroughs in discrete logarithm computations in finite fields of small characteristic. The remaining instances are built over finite fields of large characteristic, and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of a degree-3 embedding and too small a finite field obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve by exploiting the pairing embedding into a 508-bit, degree-3 extension of the base field.


Keywords: Discrete logarithm, Finite field, Number Field Sieve, MNT elliptic curve
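The reduction the abstract describes depends on one number: the embedding degree k of the prime-order subgroup, the smallest k with r | p^k - 1, because the pairing maps the curve DLP into F_{p^k}, a field of roughly k times the bit length of p. The check below is an added example, not code from the paper or its authors: it computes k as the multiplicative order of p modulo r and reports the bit size of the target field. The toy instances are constructed from the MNT embedding-degree-3 parametrization p = 12l^2 - 1, n = 12l^2 ± 6l + 1 (the `mnt3_curve_params` helper, the function names and all numeric values are constructed here; none are the paper's actual curve parameters).

```python
from math import gcd


def factor_trial(n):
    """Prime factorization of n as {prime: exponent} by trial division.
    Fine for the toy sizes used here; a real subgroup order r needs a proper
    factoring tool, since the order computation below relies on factoring r-1."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def embedding_degree(p, r):
    """Smallest k >= 1 with r | p^k - 1, i.e. the multiplicative order of p mod r.

    Assumption: r is the prime order of the subgroup the protocol uses and p is
    the characteristic of the base field; r must not divide p."""
    if factor_trial(r) != {r: 1}:
        raise ValueError("r must be prime")
    if gcd(p, r) != 1:
        raise ValueError("r must not divide p")
    # Fermat: p^(r-1) = 1 mod r, so the order divides r-1. Remove every prime
    # factor of r-1 that can be stripped while p^k stays congruent to 1 mod r.
    k = r - 1
    for q, e in factor_trial(r - 1).items():
        for _ in range(e):
            if pow(p, k // q, r) == 1:
                k //= q
            else:
                break
    return k


def target_field_bits(p, r):
    """Embedding degree k and bit length of the target field F_{p^k} into which
    a pairing maps the DLP of the order-r subgroup."""
    k = embedding_degree(p, r)
    return k, (p ** k).bit_length()


def mnt3_curve_params(l):
    """MNT parametrization for embedding degree 3 (Miyaji-Nakabayashi-Takano):
    p = 12l^2 - 1, trace t = -1 +/- 6l, so curve order n = 12l^2 -/+ 6l + 1.
    Returns (p, (n_minus, n_plus)). Constructed toy instances only."""
    p = 12 * l * l - 1
    return p, (12 * l * l - 6 * l + 1, 12 * l * l + 6 * l + 1)


if __name__ == "__main__":
    # Constructed toy MNT instances: l = 1 gives p = 11, l = 2 gives p = 47;
    # both curve orders are prime for these l, so they serve directly as r.
    for l in (1, 2):
        p, orders = mnt3_curve_params(l)
        for r in orders:
            k, bits = target_field_bits(p, r)
            print(f"p={p} r={r}: embedding degree {k}, target field {bits} bits")
    # A subgroup order unrelated to any pairing-friendly family (constructed):
    # the embedding degree is as large as it can be (k = r - 1), so the pairing
    # reduction gives the attacker nothing.
    print("p=11 r=13:", target_field_bits(11, 13))
```

The quick sanity check for a deployed curve is the product k * log2(p): an MNT curve over a 170-bit field with k = 3 lands in a target field of roughly 500 bits, which is exactly the regime the abstract reports as solvable with NFS; a curve with k near r - 1 is immune to this route and its DLP stays at the generic square-root cost in the subgroup.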



The authors are grateful to Pierrick Gaudry for his help in running the computations.


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Aurore Guillevic (5, 6)
  • François Morain (1, 4)
  • Emmanuel Thomé (1, 2, 3)
  1. Institut National de Recherche en Informatique et en Automatique (INRIA), Villers-lès-Nancy and Saclay, France
  2. Université de Lorraine, Loria, UMR 7503, Vandoeuvre-lès-Nancy, France
  3. CNRS, Loria, UMR 7503, Vandoeuvre-lès-Nancy, France
  4. École Polytechnique/LIX, CNRS UMR 7161, Palaiseau, France
  5. University of Calgary, Alberta, Canada
  6. Pacific Institute for the Mathematical Sciences, CNRS UMI 3069, Vancouver, Canada
