Weakness of 𝔽66·1429 and 𝔽24·3041 for discrete logarithm cryptography

In 2013, Joux and then Barbulescu et al. presented new algorithms for computing discrete logarithms in finite fields of small characteristic. Shortly thereafter, Adj et al. presented a concrete analysis showing that, when combined with some steps from classical algorithms, the new algorithms render the finite field F36·509 weak for pairing-based cryptography. Granger and Zumbrägel then presented a modification of the new algorithms that extends their effectiveness to a wider range of fields. In this paper, we study the effectiveness of the new algorithms combined with a carefully crafted descent strategy for the fields F36·1429 and F24·3041 . The intractability of the discrete logarithm problem in these fields is necessary for the security of pairings derived from supersingular curves with embedding degree 6 and 4 defined, respectively, over F31429 and F23041 ; these curves were believed to enjoy a security level of 192 bits against attacks by Coppersmith’s algorithm. Our analysis shows that these pairings offer security levels of at most 96 and 129 bits, respectively, leading us to conclude that they are dead for pairing-based cryptography.