Solving a 676-Bit Discrete Logarithm Problem in GF(3^{6n})

  • Takuya Hayashi
  • Naoyuki Shinohara
  • Lihua Wang
  • Shin’ichiro Matsuo
  • Masaaki Shirase
  • Tsuyoshi Takagi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6056)


Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The η_T pairing on supersingular curves over GF(3^n) is particularly popular since it can be implemented efficiently. Because of the Menezes-Okamoto-Vanstone (MOV) attack, the discrete logarithm problem (DLP) in GF(3^{6n}) becomes a concern for the security of cryptosystems that use η_T pairings in this setting. In 2006, Joux and Lercier proposed a new variant of the function field sieve for the medium prime case, named JL06-FFS. No practical implementation of JL06-FFS over GF(3^{6n}) had, however, been reported. We therefore first provide such an implementation, and with it we set a new record for solving the DLP in GF(3^{6n}): the DLP in GF(3^{6·71}), a field of 676-bit size. In addition, we compare JL06-FFS with an earlier version, named JL02-FFS, through practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.
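As an added illustration (not code from the paper), the following Python helper sizes the field that the MOV reduction leaves an attacker with for a given extension degree n, and reproduces the 676-bit figure above for n = 71; the L[1/3] cost estimate uses the textbook FFS constant (32/9)^{1/3}, which is an assumption for illustration rather than a number taken from the paper.

```python
import math

# Supersingular curves over GF(3^n) used with the eta_T pairing have
# embedding degree 6, so the MOV reduction maps the curve's ECDLP to a
# DLP in GF(3^(6n)). These helpers size that target field. The FFS
# constant below is an assumption for illustration, not a value from the paper.
EMBEDDING_DEGREE = 6   # k = 6 for supersingular curves in characteristic 3
RECORD_N = 71          # n used in the record computation reported in the abstract
RECORD_BITS = 676      # headline size of the solved GF(3^(6*71)) DLP


def mov_field_bits(n: int, k: int = EMBEDDING_DEGREE) -> int:
    """Exact bit length of the MOV target field GF(3^(k*n)), via integer arithmetic."""
    return (3 ** (k * n)).bit_length()


def ffs_l13_bits(n: int, c: float = (32 / 9) ** (1 / 3), k: int = EMBEDDING_DEGREE) -> float:
    """Heuristic log2 cost of an L_Q[1/3, c] function-field-sieve attack on Q = 3^(k*n).

    L_Q[1/3, c] = exp(c * (ln Q)^(1/3) * (ln ln Q)^(2/3)); c = (32/9)^(1/3) is the
    classical FFS exponent (assumed here for illustration only).
    """
    ln_q = k * n * math.log(3)
    return c * ln_q ** (1 / 3) * math.log(ln_q) ** (2 / 3) / math.log(2)


def within_record(n: int) -> bool:
    """True when the MOV target field for this n is no larger than the 676-bit record."""
    return mov_field_bits(n) <= RECORD_BITS


if __name__ == "__main__":
    # Constructed sample parameters: the record n plus a few larger extension degrees.
    for n in (RECORD_N, 97, 163, 509):
        print(f"n={n:4d}  GF(3^{6 * n}) = {mov_field_bits(n)} bits  "
              f"L[1/3] ~ 2^{ffs_l13_bits(n):.1f}  within record: {within_record(n)}")
```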


Keywords: function field sieve, discrete logarithm problem, pairing-based cryptosystems



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Takuya Hayashi (1)
  • Naoyuki Shinohara (2)
  • Lihua Wang (2)
  • Shin’ichiro Matsuo (2)
  • Masaaki Shirase (3)
  • Tsuyoshi Takagi (1)
  1. Graduate School of Mathematics, Kyushu University, Fukuoka, Japan
  2. Information Security Research Center, National Institute of Information and Communications Technology, Tokyo, Japan
  3. School of Systems Information Science, Future University Hakodate, Hokkaido, Japan
