Cryptanalysis of Pairing-Based Cryptosystems Over Small Characteristic Fields

  • Takuya Hayashi
Conference paper
Part of the Mathematics for Industry book series (MFI, volume 1)

Abstract

There are many useful cryptographic schemes which use bilinear pairings. In particular, the \(\eta _T\) pairing over small characteristic fields such as GF\((2^n)\) and GF\((3^n)\) is one of the most efficient pairings from the implementation point of view. The security of pairing-based cryptosystems using the \(\eta _T\) pairing over GF\((2^n)\) (resp. GF\((3^n)\)) relies on the hardness of the discrete logarithm problem over GF\((2^{4n})\) (resp. GF\((3^{6n})\)), the field in which the pairing values lie, since the supersingular curves involved have embedding degree 4 (resp. 6). However, the new index calculus methods proposed by Joux (with complexity \(L(1/4+o(1))\)) and by Barbulescu et al. (quasi-polynomial time) make these discrete logarithm problems far easier than their field sizes suggest. Recent experimental results show that these methods are quite practical, implying that the \(\eta _T\) pairing over GF\((2^n)\) and GF\((3^n)\) is unsuitable for pairing-based cryptosystems. In this paper, we survey the recent progress on index calculus methods and the related experimental results.

Keywords

Cryptanalysis · Discrete logarithm problem · Pairing-based cryptosystem

References

  1. Adj, G., Menezes, A., Oliveira, T., Rodríguez-Henríquez, F.: Computing discrete logarithms in \(F_{3^{6 \cdot 137}}\) using Magma. IACR Cryptology ePrint Archive, Report 2014/057 (2014)
  2. Adj, G., Menezes, A., Oliveira, T., Rodríguez-Henríquez, F.: Weakness of \(F_{3^{6\cdot 509}}\) for discrete logarithm cryptography. In: Cao Z., Zhang F. (eds.) Proceedings of 6th International Conference on Pairing-based Cryptography (Pairing 2013). Lecture Notes in Computer Science, vol. 8365, pp. 20–44. Springer, Berlin (2013)
  3. Adleman, L.M.: The function field sieve. In: Adleman L.M., Huang M.D.A. (eds.) Proceedings of 1st Algorithmic Number Theory Symposium (ANTS-I). Lecture Notes in Computer Science, vol. 877, pp. 108–121. Springer, Berlin (1994)
  4. Ahmadi, O., Hankerson, D., Menezes, A.: Software implementation of arithmetic in \(F_{3^m}\). In: Carlet C., Sunar B. (eds.) Proceedings of 1st International Workshop on the Arithmetic of Finite Fields (WAIFI 2007). Lecture Notes in Computer Science, vol. 4547, pp. 85–102. Springer, Berlin (2007)
  5. Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. IACR Cryptology ePrint Archive, Report 2013/400 (2013)
  6. Barreto, P.S.L.M., Galbraith, S.D., O’Eigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Des., Codes Crypt. 42(3), 239–271 (2007)
  7. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung M. (ed.) Proceedings of Advances in Cryptology: CRYPTO 2002, 22nd Annual International Cryptology Conference. Lecture Notes in Computer Science, vol. 2442, pp. 354–368. Springer, Berlin (2002)
  8. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel B., Tavares S.E. (eds.) Proceedings of Selected Areas in Cryptography 2005 (SAC 2005). Lecture Notes in Computer Science, vol. 3897, pp. 319–331. Springer, Berlin (2005)
  9. Beuchat, J.L., Brisebarre, N., Detrey, J., Okamoto, E.: Arithmetic operators for pairing-based cryptography. In: Paillier P., Verbauwhede I. (eds.) Proceedings of 9th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2007). Lecture Notes in Computer Science, vol. 4727, pp. 239–255. Springer, Berlin (2007)
  10. Beuchat, J.L., Brisebarre, N., Detrey, J., Okamoto, E., Shirase, M., Takagi, T.: Algorithms and arithmetic operators for computing the \(\eta _T\) pairing in characteristic three. IEEE Trans. Comput. 57(11), 1454–1468 (2008)
  11. Beuchat, J.L., Brisebarre, N., Shirase, M., Takagi, T., Okamoto, E.: A coprocessor for the final exponentiation of the \(\eta _T\) pairing in characteristic three. In: Carlet C., Sunar B. (eds.) Proceedings of 1st International Workshop on the Arithmetic of Finite Fields (WAIFI 2007). Lecture Notes in Computer Science, vol. 4547, pp. 25–39. Springer, Berlin (2007)
  12. Boneh, D., Crescenzo, G.D., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin C., Camenisch J. (eds.) Proceedings of Advances in Cryptology: EUROCRYPT 2004, 23rd Annual International Conference on the Theory and Applications of Cryptographic Techniques. Lecture Notes in Computer Science, vol. 3027, pp. 506–522. Springer, Berlin (2004)
  13. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: Kilian J. (ed.) Proceedings of Advances in Cryptology: CRYPTO 2001, 21st Annual International Cryptology Conference. Lecture Notes in Computer Science, vol. 2139, pp. 213–229. Springer, Berlin (2001)
  14. Galbraith, S.D., Hess, F., Vercauteren, F.: Aspects of pairing inversion. IEEE Trans. Inf. Theory 54(12), 5719–5728 (2008)
  15. Göloglu, F., Granger, R., McGuire, G., Zumbrägel, J.: Discrete logarithms in \({GF}(2^{1971})\). Number Theory Mailing List (2013). http://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;f7755cbe.1302
  16. Göloglu, F., Granger, R., McGuire, G., Zumbrägel, J.: Discrete logarithms in \({GF}(2^{6120})\). Number Theory Mailing List (2013). http://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;fe9605d9.1304
  17. Göloglu, F., Granger, R., McGuire, G., Zumbrägel, J.: On the function field sieve and the impact of higher splitting probabilities—application to discrete logarithms in \(F_{2^{1971}}\) and \(F_{2^{3164}}\). In: Canetti R., Garay J.A. (eds.) Proceedings of Advances in Cryptology: CRYPTO 2013, 33rd Annual International Cryptology Conference. Lecture Notes in Computer Science, vol. 8043, pp. 109–128. Springer, Berlin (2013)
  18. Göloglu, F., Granger, R., McGuire, G., Zumbrägel, J.: Solving a 6120-bit DLP on a desktop computer. IACR Cryptology ePrint Archive, Report 2013/306 (2013)
  19. Granger, R., Kleinjung, T., Zumbrägel, J.: Discrete logarithms in \({GF}(2^{9234})\). Number Theory Mailing List (2014). http://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;49bb494e.1305
  20. Granger, R., Kleinjung, T., Zumbrägel, J.: Discrete logarithms in the Jacobian of a genus 2 supersingular curve over \({GF}(2^{367})\). Number Theory Mailing List (2014). http://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;23651c2.1401
  21. Granger, R., Page, D., Stam, M.: Hardware and software normal basis arithmetic for pairing-based cryptography in characteristic three. IEEE Trans. Comput. 54(7), 852–860 (2005)
  22. Hayashi, T., Shimoyama, T., Shinohara, N., Takagi, T.: Breaking pairing-based cryptosystems using \(\eta _T\) pairing over \({GF}(3^{97})\). In: Wang X., Sako K. (eds.) Proceedings of 18th Annual International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT 2012). Lecture Notes in Computer Science, vol. 7658, pp. 43–60. Springer, Berlin (2012)
  23. Hess, F., Smart, N.P., Vercauteren, F.: The eta pairing revisited. IEEE Trans. Inf. Theory 52(10), 4595–4602 (2006)
  24. Joux, A.: Discrete logarithms in \({GF}(2^{4080})\). Number Theory Mailing List (2013). http://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;71e65785.1303
  25. Joux, A.: Discrete logarithms in \(GF(2^{6168}) [=GF((2^{257})^{24})]\). Number Theory Mailing List (2013). http://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;49bb494e.1305
  26. Joux, A.: A new index calculus algorithm with complexity \(L(1/4+o(1))\) in very small characteristic. IACR Cryptology ePrint Archive, Report 2013/095 (2013)
  27. Joux, A., Lercier, R.: The function field sieve in the medium prime case. In: Vaudenay S. (ed.) Proceedings of Advances in Cryptology: EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques. Lecture Notes in Computer Science, vol. 4004, pp. 254–270. Springer, Berlin (2006)
  28. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith S.D., Paterson K.G. (eds.) Proceedings of 2nd International Conference on Pairing-based Cryptography (Pairing 2008). Lecture Notes in Computer Science, vol. 5209, pp. 126–135. Springer, Berlin (2008)
  29. Kawahara, Y., Aoki, K., Takagi, T.: Faster implementation of \(\eta _T\) pairing over \(GF(3^m)\) using minimum number of logical instructions for \({GF}(3)\)-addition. In: Galbraith S.D., Paterson K.G. (eds.) Proceedings of 2nd International Conference on Pairing-based Cryptography (Pairing 2008). Lecture Notes in Computer Science, vol. 5209, pp. 282–296. Springer, Berlin (2008)
  30. Menezes, A., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)
  31. Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin T. (ed.) Proceedings of Advances in Cryptology: CRYPTO 2010, 30th Annual International Cryptology Conference. Lecture Notes in Computer Science, vol. 6223, pp. 191–208. Springer, Berlin (2010)
  32. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer R. (ed.) Proceedings of Advances in Cryptology: EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques. Lecture Notes in Computer Science, vol. 3494, pp. 457–473. Springer, Berlin (2005)
  33. Shinohara, N., Shimoyama, T., Hayashi, T., Takagi, T.: Key length estimation of pairing-based cryptosystems using \(\eta _T\) pairing. In: Ryan M.D., Smyth B., Wang G. (eds.) Proceedings of 8th International Conference on Information Security Practice and Experience (ISPEC 2012). Lecture Notes in Computer Science, vol. 7232, pp. 228–244. Springer, Berlin (2012)
  34. Vercauteren, F.: The hidden root problem. In: Galbraith S.D., Paterson K.G. (eds.) Proceedings of 2nd International Conference on Pairing-based Cryptography (Pairing 2008). Lecture Notes in Computer Science, vol. 5209, pp. 89–99. Springer, Berlin (2008)
  35. Verheul, E.R.: Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. J. Cryptology 17(4), 277–296 (2004)

Copyright information

© Springer Japan 2014

Authors and Affiliations

  1. Institute of Mathematics for Industry, Kyushu University, Nishi-ku, Japan